Download the Code of Federal Regulations in XML.
Text | PDF
Purchase individual CFR titles from the U.S. Government Online Bookstore.
Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.
Electronic Code of Federal Regulations
Title 32: National Defense
PART 117—NATIONAL INDUSTRIAL SECURITY PROGRAM
§117.56 Foreign ownership, control or influence (FOCI).
Authority: Executive Order (E.O.) 12829, January 6, 1993, 58 FR 3479.
Source: 79 FR 19469, Apr. 9, 2014, unless otherwise noted.
Subparts A-B [Reserved]
Subpart C—Procedures for Government Activities Relating to Foreign Ownership, Control or Influence (FOCI)
This part sets forth industrial security procedures and practices related to Foreign Ownership, Control or Influence (FOCI) for the Department of Defense (DoD) Components, as defined in this part and non-DoD Components, as defined in this part, to ensure maximum uniformity and effectiveness in DoD implementation of the National Industrial Security Program (NISP) established by Executive Order (E.O.) 12829 “National Industrial Security Program,” (available at http://www.archives.gov/isoo/policy-documents/eo-12829.html).
(a) This part applies to:
(1) The DoD Components.
(2) The non-DoD Components. When the term Government Contracting Activities (GCAs) is used, it applies to both DoD Components and non-DoD Components.
(b) This part does not:
(1) Limit in any manner the authority of the Secretary of Defense, the Secretaries of the Army, Navy and Air Force; or the Heads of the Components, as defined in this part, to grant access to classified information under the cognizance of their respective department or agency to any individual or entity designated by them. The granting of such access is outside the scope of the NISP and is governed by Executive Order (E.O.) 13526, “Classified National Security Information,” (available at http://www.archives.gov/isoo/pdf/cnsi-eo.pdf) and applicable disclosure policies.
(2) Limit the authority of a GCA to limit, deny, or revoke access to classified information under its statutory, regulatory, or contractual jurisdiction.
(3) Levy requirements on contractors and companies currently in process for facility security clearances (FCLs) as they are subject to the requirements of DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM)” (available at http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf) and the security requirements of their contracts.
Unless otherwise noted, these terms and their definitions are for the purposes of this part only.
Access. As defined in DoD 5220.22-M.
Affiliate. As defined in DoD 5220.22-M.
Board resolution. A formal, written decision of a company's board of directors, used to draw attention to a single act or board decision, e.g., to approve or adopt a change to a set of rules, a new program or contract.
Carve-out. As defined in DoD Directive 5205.07, “Special Access Program (SAP) Policy,” (available at http://www.dtic.mil/whs/directives/corres/pdf/520507p.pdf).
Classified contract. As defined in DoD 5220.22-M.
Classified information. As defined in Joint Publication 1-02 “DoD Dictionary of Military and Associated Terms” (available at http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf).
Company. As defined in DoD 5220.22-M.
Components. DoD Components and non-DoD Components for which DoD provides industrial security services in accordance with E.O. 12829.
COMSEC. As defined in Joint Publication 6-0, “Joint Communication System” (available at http://www.dtic.mil/doctrine/new_pubs/jp6_0.pdf).
Contractor. As defined in DoD 5220.22-M.
Counterintelligence. As defined in Joint Publication 1-02.
Covered transaction. As defined in DoD Instruction 2000.25, “DoD Procedures for Reviewing and Monitoring Transactions Filed with the Committee on Foreign Investment in the United States (CFIUS)”. (available at http://www.dtic.mil/whs/directives/corres/pdf/200025p.pdf).
CSA. As defined in DoD 5220.22-M.
Defense articles. As defined in DoD 5220.22-M.
Defense Industrial Base. As defined in Joint Publication 1-02.
Document. As defined in E.O. 13526.
DoD Components. Office of the Secretary of Defense (OSD), the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within DoD.
Facility. As defined in DoD 5220.22-M.
Facility security clearance (FCL). As defined in DoD 5220.22-M.
Facility Security Officer (FSO). A U.S. citizen contractor employee, who is cleared as one of the Key Management Personnel required for the FCL, to supervise and direct security measures necessary for implementing applicable requirements set forth in DoD 5220.22-M.
FOCI action plan. For purposes of this part, the methods or agreements that can be applied to mitigate or negate the risk of foreign ownership or control to allow a U.S. contractor to maintain or a U.S. company to be granted an FCL.
FOCI mitigation agreement. For purposes of this part, a signed agreement between a foreign interest and a U.S. contractor or a company in process for an FCL which, based on an assessment of FOCI information, imposes various security measures within an institutionalized set of company practices and procedures. Examples include board resolutions, security control agreements (SCAs) and special security agreements.
FOCI negation agreement. For purposes of this part, a signed agreement between a foreign interest and U.S. contractor or a company in process for an FCL under which the foreign owner relinquishes most ownership rights to U.S. citizens who are approved by the U.S. Government and have been favorably adjudicated for access to classified information based on the results of a personnel security clearance investigation. Examples include voting trust agreements (VTAs) and proxy agreements (PAs).
Foreign government information (FGI). As defined in E.O. 13526.
Foreign interest. As defined in DoD 5220.22-M.
GCA. As defined in DoD 5220.22-M.
Industrial security. As defined in DoD 5220.22-M.
Information. As defined in E.O. 13526.
Limited Access Authorization (LAA). As defined in DoD 5220.22-M.
National interest determination (NID). As defined in 32 CFR part 2004, “National Industrial Security Program Directive No. 1.”
Non-DoD Components. Those USG executive branch departments and agencies identified in DoD 5220.22-M that have entered into agreements with the Secretary of Defense to act as the NISP Cognizant Security Agency (CSA) for, and on their behalf, in rendering security services for the protection of classified information disclosed to or generated by industry pursuant to Section 202 of E.O. 12829.
Personnel security clearance (PCL). As defined in DoD 5220.22-M.
Personnel security clearance assurance (PCLSA). A written certification by USG or applicable foreign government industrial security authorities, which certifies the PCL level or eligibility for a PCL at a specified level for their citizens. The assurance is used, in the case of the United States, to give an LAA to a non-U.S. citizen, provided all other investigative requirements are met.
Prime contract. As defined in DoD 5220.22-M.
Proscribed information. TOP SECRET (TS) information, COMSEC information excluding controlled cryptographic items when unkeyed and utilized with unclassified keys, restricted data (RD), special access program (SAP) information, or sensitive compartmented information (SCI).
Restricted Data (RD). As defined in DoD 5220.22-M.
Sensitive compartmented information (SCI). As defined in Joint Publication 1-02.
Security assurance. A written confirmation, requested by and exchanged between governments, that contains the following elements: Verification of the personnel security clearance (PCL) level of the sponsoring foreign government's citizens or nationals; a statement by a responsible official of the sponsoring foreign government that the recipient of the information is approved by the sponsoring foreign government for access to information of the security classification involved on behalf of the sponsoring government; and an obligation that the sponsoring foreign government will ensure compliance with any security agreement or other use, transfer and security requirements specified by the components. The security assurance usually will be in a request for visit authorization or with courier orders or a transportation plan; but is not related to the PCL security assurance.
Special Access Program (SAP). As defined in E.O. 13526.
Subcontract. As defined in DoD 5220.22-M.
It is DoD policy that DoD FOCI procedures will be used to protect against foreign interests:
(a) Gaining unauthorized access to classified, export-controlled, or all communications security (COMSEC) (classified or unclassified) information in accordance with E.O. 12829 and DoD Instruction 8523.01, “Communications Security” (available at http://www.dtic.mil/whs/directives/corres/pdf/852301p.pdf). DoD FOCI procedures for access to unclassified COMSEC are set forth in National Security Agency Central Security Service (NSA/CSS) Policy Manual 3-16, “Control of Communications Security Material” (available to authorized users of SIPRNET at www.iad.nsa.smil.mil/resources/library/nsa_office_of_policy_section/pdf/NSA_CSS_MAN-3-16_080505.pdf).
(b) Adversely affecting the performance of classified contracts, in accordance with E.O. 12829.
(c) Undermining U.S. security and export controls, in accordance with E.O. 12829.
(a) The Under Secretary of Defense for Intelligence (USD(I)) will, in accordance with DoD Directive 5143.01, “Under Secretary of Defense for Intelligence (USD(I))” (available at http://www.dtic.mil/whs/directives/corres/pdf/514301p.pdf) and DoD Instruction 5220.22, “National Industrial Security Program” (see http://www.dtic.mil/whs/directives/corres/pdf/522022p.pdf):
(1) Oversee policy and management of the NISP, to include FOCI matters.
(2) Direct, administer, and oversee the FOCI provisions of the NISP to ensure that the program is efficient and consistently implemented.
(3) Provide additional guidance regarding FOCI matters by memorandum as needed.
(4) Coordinate with the Under Secretary of Defense for Policy (USD(P)) and the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) on matters under their cognizance that affect the NISP consistent with paragraphs (c) and (d) of this section.
(b) The Director, Defense Security Service (DSS), in addition to the responsibilities in paragraph (d) of this section, under the authority, direction, and control of the USD(I) will in accordance with DoD Instruction 5220.22, “National Industrial Security Program” (available at http://www.dtic.mil/whs/directives/corres/pdf/522022p.pdf).
(1) Make FOCI determinations on a case-by-case basis for U.S. contractors or companies under consideration for an FCL under the NISP.
(2) Collect information necessary to examine the source, nature, and extent of a company's ownership, control, or influence by foreign interests.
(3) Determine, on behalf of the GCAs, whether a U.S. company is under FOCI to such a degree that the granting of an FCL would be inconsistent with the U.S. national security interests.
(4) Determine the security measures necessary to negate or mitigate FOCI and make recommendations to the U.S. company and to those GCAs with a contractual interest or other equity in the matter.
(5) Provide GCAs a guide to clarify their roles and responsibilities with respect to the FOCI process and to national interest determinations (NIDs), in particular. Update the guide, as needed, in coordination with the Office of the Under Secretary of Defense for Intelligence (OUSD(I)) Security Directorate.
(6) Determine a U.S. company's eligibility for an FCL on an initial and continuing basis depending on recurring security reviews and other interactions.
(7) Develop proposed changes to maintain the currency and effectiveness of this part. Forward proposed changes and associated justification to the OUSD(I) Security Directorate for consideration as future changes to this part.
(8) Consider and, as warranted, approve requests for exception to DoD 5220.22-M in consultation with affected GCAs for specific contractors and for specific periods of time (such as, to the completion date of a contract) when a contractor is unable to comply with the requirements of DoD 5220.22-M. Consideration of such requests will include an evaluation of any proposed alternative procedures with supporting justification and coordination as applicable, consistent with paragraph (a)(4) of this section.
(9) Coordinate and receive the concurrence of the OUSD(I) Security Directorate on requests for exception to DoD 5220.22-M and consistent with paragraph (a)(4) of this section when any of the following provisions apply:
(i) The request exceeds the authority of the Director, DSS as defined in this section;
(ii) The proposed exception applies to more than one contractor location; or,
(iii) The exception would be contrary to U.S. national policy or international agreements, including those relating to foreign government information (FGI) and international issues under the cognizance of the USD(P) with coordination as applicable, consistent with paragraph (a)(4) of this section.
(c) The USD(P) will, in accordance with DoD Directive 5111.1, “Under Secretary of Defense for Policy (USD(P))” (available at http://www.dtic.mil/whs/directives/corres/pdf/511101p.pdf), advise the USD(I) and DSS on the foreign relations and international security aspects of FOCI, including FGI, foreign disclosures of U.S. classified information, exports of defense articles and technical data, security arrangements for DoD international programs, North Atlantic Treaty Organization security, and international agreements.
(d) The USD(AT&L) will, in accordance with DoD Directive 5134.01, “Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L))” (available at http://www.dtic.mil/whs/directives/corres/pdf/513401p.pdf):
(1) Advise the USD(I) on the development and implementation of NISP policies, in accordance with DoD Instruction 5220.22.
(2) Ensure that DoD Components establish and maintain a record capturing the current and legitimate need for access to classified information by contractors in the Defense Industrial Base.
(3) Ensure that acquisition elements of DoD Components comply with the applicable provisions of DoD 5220.22-M.
(e) The Director, DoD SAP Central Office (SAPCO) will, in accordance with DoD Directive 5205.07, “Special Access Program (SAP) Policy” (available at http://www.dtic.mil/whs/directives/corres/pdf/520507p.pdf), notify DSS of the existence of SAP equities when DSS considers the acceptability of a contractor's FOCI action plan. In addition, the Director, DoD SAPCO, will develop procedures for the consideration of a NID when a contractor cleared under a Special Security Agreement (SSA) requires access to an unacknowledged Special Access Program (SAP).
(f) The Heads of the Components will:
(1) Oversee compliance by GCA personnel with applicable procedures identified in this subpart.
(2) Designate in writing an individual who is authorized to make decisions and provide a coordinated GCA position on FOCI matters to DSS within timelines established in this part.
(3) Submit proposed changes to DoD 5220.22-M, as deemed appropriate, to the OUSD(I) Security Directorate.
§117.56 Foreign ownership, control or influence (FOCI).
(a) General. This section provides guidance for and establishes procedures concerning the initial or continued FCL eligibility of U.S. companies and U.S. contractors with foreign involvement; provides criteria for determining whether U.S. companies are under FOCI; prescribes responsibilities in FOCI matters; and outlines security measures that DSS may consider to mitigate or negate the effects of FOCI to an acceptable level. As stated in DoD 5220.22-M, and in accordance with E.O. 12829:
(1) The Secretary of Defense serves as the Executive Agent for inspecting and monitoring contractors who require or will require access to, or who store or will store classified information.
(2) The Components reserve the discretionary authority, and have the obligation, to impose any security procedure, safeguard, or restriction they believe necessary to ensure that unauthorized access to classified information is effectively precluded and that performance of classified contracts, as defined in DoD 5220.22-M, is not adversely affected by FOCI.
(b) Procedures — (1) Criteria. A U.S. company is considered to be under FOCI whenever a foreign interest has the power, direct or indirect (whether or not exercised, and whether or not exercisable through the ownership of the U.S. company's securities, by contractual arrangements or other means), to direct or decide matters affecting the management or operations of the company in a manner that may result in unauthorized access to classified information or may adversely affect the performance of classified contracts.
(2) FOCI Analysis. Conducting an analysis of available information on a company to determine the existence, nature, and source of FOCI is a critical aspect of evaluating previously uncleared companies for FCLs and also in determining continued eligibility of contractors for FCLs.
(i) A U.S. company determined to be under FOCI is ineligible for an FCL unless and until security measures have been put in place to mitigate FOCI.
(ii) In making a determination as to whether a company is under FOCI, DSS will consider the information provided by the company or its parent entity on the Standard Form (SF) 328, “Certificate Pertaining to Foreign Interests,” (available at http://www.dtic.mil/whs/directives/infomgt/forms/eforms/sf0328.pdf) and any other relevant information (e.g., filings with the Securities and Exchange Commission (for publicly traded companies), articles of incorporation, by-laws, and loan and shareholder agreements, as well as other publicly available information about the company. Depending on specific circumstances (e.g., extensive minority foreign ownership at a cleared subsidiary in the corporate family), DSS may request one or more of the legal entities that make up a corporate family to submit individual SF 328s and will determine the appropriate FOCI action plan(s) that must be put in place.
(iii) When a contractor has been determined to be under FOCI, the primary consideration will be the safeguarding of classified information. DSS is responsible for taking whatever interim action is necessary to safeguard classified information, in coordination with other affected agencies as appropriate consistent with §117.54.
(iv) When a merger, sale, or acquisition involving a foreign interest and a contractor is finalized prior to having an acceptable FOCI mitigation or negation agreement in place, DSS will invalidate any existing FCL until such time as DSS determines that the contractor has submitted an acceptable FOCI action plan (see DoD 5220.22-M) and has agreed to interim measures that address FOCI concerns pending formal execution of a FOCI mitigation or negation agreement. Invalidation renders the contractor ineligible to receive new classified material or to bid on new classified contracts. If the affected GCA determines that continued access to classified material is required, DSS may continue the FCL in an invalidated status when there is no indication that classified information is at risk of compromise. If classified information remains at risk of compromise due to the FOCI, DSS will take action to impose appropriate security countermeasures or terminate the FCL, in coordination with the affected GCA.
(v) Changed conditions, such as a change in ownership, indebtedness, or a foreign intelligence threat, may justify certain adjustments to the security terms under which a contractor is cleared or, alternatively, require the use of a particular FOCI mitigation or negation agreement. Depending on specific circumstances, DSS may determine that a contractor is no longer under FOCI or, conversely, that a contractor is no longer eligible for an FCL.
(vi) If the contractor determined to be under FOCI does not have possession of classified material and does not have a current or pending requirement for access to classified information, DSS will administratively terminate the FCL.
(3) Assessing the Implications of FOCI. (i) If DSS determines that a company is under FOCI, DSS will assess the extent and manner to which the FOCI may result in unauthorized access to classified information or adverse impact on the performance of classified contracts and the type of actions, if any, that would be necessary to mitigate or negate the associated risks to a level deemed acceptable to DSS. An analysis of some of the FOCI factors may clearly identify risk; while others may result in circumstances that would mitigate or negate risks. Therefore, these factors must be considered in the aggregate with regard to the foreign interest that is the source of the FOCI, the country or countries in which the foreign interest is domiciled and has its principal place of business (if not in the country of domicile), and any other foreign country that is identified by DSS because it is a substantial source of the revenue for, or otherwise has significant ties to, the foreign interest. DSS will consider the following FOCI factors and any other relevant information in the context of threat, vulnerability, and sensitivity of the classified information required for current or prospective contract performance when rendering a risk management assessment and determination of the acceptability of a company's FOCI action plan:
(A) Record of economic and government espionage against U.S. targets.
(B) Record of enforcement and/or engagement in unauthorized technology transfer.
(C) Record of compliance with pertinent U.S. laws, regulations, and contracts.
(D) The type and sensitivity of the information that will be accessed.
(E) The source, nature, and extent of FOCI, including, but not limited to, whether a foreign interest holds a majority or substantial minority position in the company, taking into consideration the immediate, intermediate, and ultimate parent companies of the company or prior relationships between the U.S. company and the foreign interest.
(F) The nature of any relevant bilateral and multilateral security and information exchange agreements, (e.g., the political and military relationship between the United States Government (USG) and the government of the foreign interest).
(G) Ownership or control, in whole or in part, by a foreign government.
(H) Any other factor that indicates or demonstrates a capability on the part of foreign interests to control or influence the operations or management of the business organization concerned.
(ii) As part of its FOCI assessment and evaluation of any FOCI action plan, DSS will also request and consider counterintelligence (CI) and technology transfer risk assessments and any available intelligence from all appropriate USG sources. DSS will request these assessments as soon as practicable, for the company itself and for all business entities in the company's ownership chain.
(iii) If a company disputes a DSS determination that the company is under FOCI, or disputes the DSS determination regarding the types of actions necessary to mitigate or negate the FOCI, the company may appeal in writing those determinations to the Director, DSS, for a final agency decision no later than 30 days after receipt of written notification of the DSS decision. The company must identify the specific relief sought and grounds for that relief in its appeal. In response, the Director, DSS, may request additional information from the company. At a minimum, DSS will respond to appeals within 30 days, either with a decision or an estimate as to when a decision will be rendered. DSS will not release pre-decisional information to the company, its legal counsel, or any of its representatives without the express written approval of the applicable GCAs who own the data and any other USG entities with an interest in the company's FOCI action plan.
(iv) DoD recognizes that FOCI concerns may arise in a variety of other circumstances, all of which cannot be listed in this subpart. In FOCI cases involving any foreign ownership or control, DSS will advise and consult with the appropriate GCAs, including those with special security needs, regarding the required FOCI mitigation or negation method and provide those GCAs with the details of the FOCI factors and any associated risk assessments. DSS and GCAs will meet to discuss the FOCI action plan, when determined necessary by either DSS or the applicable GCAs. When DSS determines that a company may be ineligible for an FCL by virtue of FOCI, or that additional action by the company may be necessary to mitigate the FOCI or associated risks, DSS will promptly notify the company and require it to submit a FOCI action plan to DSS within 30 calendar days of the notification. In addition, DSS will advise company management that failure to submit the requested plan within the prescribed period of time will result in termination of FCL processing or initiation of action to revoke an existing FCL, as applicable.
(v) In instances where the identification of a foreign owner or voting interest of five percent or more cannot be adequately ascertained (e.g., the participating investors in a foreign investment or hedge fund, owning five percent or more of the company, cannot be identified), DSS may determine that the company is not eligible for an FCL.
(vi) DSS will review and consider the FOCI action plan itself, the factors identified in paragraph (b)(3)(i) of this section, and any threat or risk assessments or other relevant information. If an action plan is determined to be unacceptable, DSS can recommend and negotiate an acceptable action plan including, but not limited to, the measures identified in paragraphs (b)(4)(ii) and (b)(4)(iii) of this section. In any event, DSS will provide written feedback to a company or the company's designated representative on the acceptability of the FOCI action plan within 30 calendar days of receipt.
(4) Options To Address FOCI. (i) Under all FOCI action plans, management positions requiring PCLs in conjunction with the FCL must be filled by eligible U.S. citizens residing in the United States in accordance with DoD 5220.22-M.
(ii) When factors related to foreign control or influence are present, but unrelated to ownership, the plan must provide positive measures that assure that the foreign interest can be effectively denied access to classified information and cannot otherwise adversely affect performance on classified contracts. Non-exclusive examples of such measures include:
(A) Adoption of special board resolutions.
(B) Assignment of specific oversight duties and responsibilities to independent board members.
(C) Formulation of special executive-level security committees to consider and oversee matters that affect the performance of classified contracts.
(D) The appointment of a technology control officer.
(E) Modification or termination of loan agreements, contracts, and other understandings with foreign interests.
(F) Diversification or reduction of foreign-source income.
(G) Demonstration of financial viability independent of foreign interests.
(H) Elimination or resolution of problem debt.
(I) Physical or organizational separation of the contractor component performing on classified contracts.
(J) Other actions that negate or mitigate foreign control or influence.
(iii) FOCI concerns related to foreign ownership of a company or corporate family arise when a foreign interest has the ability, either directly or indirectly, whether exercised or exercisable, to control or influence the election or appointment of one or more members to the company's governing board (e.g., Board of Directors, Board of Managers, or Board of Trustees) or its equivalent, by any means. Some methods that may be applied to mitigate the risk of foreign ownership are outlined in DoD 5220.22-M and further described in this section. While these methods are mentioned in relation to specific ownership and control thresholds, these descriptions should not be construed as DoD-sanctioned criteria mandating the selection or acceptance of a certain FOCI action plan. DSS retains the authority to reject or modify any proposed FOCI action plan in consultation with the affected GCAs.
(A) Board Resolution. This method is often used when a foreign interest does not own voting interests sufficient to elect, or otherwise is not entitled to representation on the company's governing board. In such circumstances, the effects of foreign ownership will generally be mitigated by a resolution of the board of directors stating the company recognizes the elements of FOCI and acknowledges its continuing obligations under DD Form 441, “DoD Security Agreement” (available at http://www.dtic.mil/whs/directives/infomgt/forms/eforms/dd0441.pdf). The resolution will identify the foreign shareholders and their representatives (if any) and note the extent of foreign ownership. The resolution will also include a certification that the foreign shareholders and their representatives will not require, will not have, and can be effectively excluded from access to all classified information in the possession of the contractor, and will not be permitted to occupy positions that may enable them to influence the organization's policies and practices in the performance of classified contracts. Copies of such resolutions will be furnished to all board members and principal management officials.
(B) SCA. The SCA is a tailored FOCI mitigation agreement often used when a foreign interest does not effectively own or control a company or corporate family (i.e., the company or corporate family are under U.S. control), but the foreign interest is entitled to representation on the company's board. When an SCA is implemented, a U.S. citizen serves as an outside director, as defined in DoD 5220.22-M. DSS may determine the need for more than one outside director based on the FOCI analysis and risk assessments.
(C) SSA. The SSA is a tailored FOCI mitigation agreement that preserves the foreign owner's right to be represented on the company's board (inside directors) with a direct voice in the business management of the company while denying the foreign owner unauthorized access to classified information. An SSA is based on the analysis of the FOCI factors set forth in paragraph (b)(3) and is often used when a foreign interest effectively owns or controls a company or corporate family. DSS assesses the implications of the FOCI factors in accordance with paragraphs (b)(3) and (b)(4)(iii) of this section. U.S. citizens serve as outside directors in accordance with DoD 5220.22-M.
(1) If a GCA requires a contractor cleared under an SSA to have access to proscribed information, the GCA will initiate action to consider a NID at the pre-contract phase to confirm that disclosure of such information is consistent with the national security interests of the United States.
(2) Proscribed information includes TS; COMSEC material, excluding controlled cryptographic items when unkeyed and utilized with unclassified keys; RD; SAP; and SCI.
(3) Contractor access to proscribed information will not be granted without the approval of the agency with control jurisdiction (i.e., National Security Agency (NSA) for COMSEC, whether the COMSEC is proscribed information or not; the Office of the Director of National Intelligence (ODNI) for SCI; and the Department of Energy (DOE) for RD in accordance with its policies).
(4) In accordance with 32 CFR, part 2004 and the procedures in paragraph (b)(5) of this section, GCAs will forward a request for concurrence to NSA, ODNI, or DOE when a proposed NID involves access to COMSEC, SCI, or RD, respectively, within 30 calendar days of DSS advisement of the NID requirement. NSA, ODNI, and DOE, as appropriate, will then have 30 calendar days to render a decision.
(D) VTA or PA. These FOCI negation agreements may be used when a foreign interest effectively owns or controls a company or corporate family. Under a VTA, PA and associated documentation, the foreign owner relinquishes most rights associated with ownership of the company to cleared U.S. citizens approved by DSS. Both FOCI agreements can effectively negate foreign ownership and control; therefore, neither agreement imposes any restrictions on the company's eligibility to have access to classified information or to compete for classified contracts including contracts with proscribed information. Both FOCI agreements can also effectively negate foreign government control (see paragraph (b)(11) of this section which provides guidance and requirements regarding foreign government ownership or control, including with respect to 10 U.S.C. 2536, “Award of Certain Contracts to Entities Controlled by a Foreign Government Prohibition (available at http://www.gpo.gov/fdsys/granule/USCODE-2010-title10/USCODE-2010-title10-subtitleA-partIV-chap148-subchapV-sec2536/content-detail.html)). DSS retains the authority to deny a proposed VTA or PA.
(iv) When DSS implements a FOCI mitigation or negation agreement at a contractor, the agreement may specify that the entire agreement, or that particular provisions of the agreement (e.g., the provisions restricting unauthorized access to classified information and unclassified export-controlled information and the provisions of the visitation policy) will apply to and will be made binding upon all present and future subsidiaries of the company. If a subsidiary requires and is eligible for an FCL at the TS level, the company executing the FOCI mitigation agreement and any intermediate parents must be formally excluded from TS access unless they have their own requirement and are otherwise eligible for TS access.
(v) DSS will provide a copy of the DSS FOCI assessment, proposed FOCI action plan and any associated risk assessments to the GCAs with an interest in the company or corporate family. In the absence of written objections (signed at the Program Executive Office (PEO) level or higher) from GCAs with an interest in the company or corporate family, DSS may proceed with implementation of what DSS considers in its discretion to be an acceptable FOCI action plan based on available information. Unless other regulatory review processes for mergers or acquisitions have an earlier suspense date, DSS will provide a 30 calendar day period for the GCAs with an interest in the company or corporate family to provide their PEO level or higher written objections.
(vi) DSS will submit to the USD(I) for approval the DSS templates for those FOCI mitigation or negation agreements identified in paragraph (b)(4)(iii) of this section as well as templates for any supplements thereto (e.g., the electronic communications plan (ECP) or technology control plan (TCP)). DSS may propose changes to the contents of these template FOCI mitigation or negation agreements. DSS may tailor non-substantive provisions of the template agreement for any particular FOCI case without further approval from the USD(I), provided DSS notifies the OUSD(I) Security Directorate of the deviation from the template. DSS may provide this notification through the electronic submission of an annotated copy of the modified agreement.
(5) NID. The requirement for a NID to authorize access to proscribed information applies only to those foreign-owned U.S. contractors or companies in process for an FCL under an SSA which is used as a mechanism for FOCI mitigation. A NID does not authorize disclosure of classified information to a foreign government, a non-U.S. citizen or a non-U.S. entity. Timelines for NID decisions are set forth in 32 CFR part 2004 and the provisions of this paragraph. NIDs can be program, project, or contract specific, subject to the concurrence of NSA for COMSEC, ODNI for SCI or DOE for RD. For program and project NIDs, a separate NID is not required for each contract. DSS will inform the DoD SAPCO of NID requirements to allow the SAPCO to advise of awareness of unacknowledged SAPs or any carve-out SAP activity.
(i) A NID is necessary when access to proscribed information is required for:
(A) Pre-contract activities in accordance with paragraph (b)(4)(iii)(C)(1) of this section.
(B) New contracts to be issued to a company in process for an FCL that DSS has determined to be under FOCI when an SSA is anticipated, or a contractor already cleared under an SSA.
(C) Existing contracts when a contractor is acquired by foreign interests and proposes an SSA as the FOCI action plan.
(ii) If a contractor is proposing to use an SSA to mitigate FOCI and requires access to proscribed information:
(A) DSS will:
(1) Request the contractor to provide information on all impacted contracts, both prime and subcontracts, unless the contractor is prohibited by contract from revealing their existence to DSS. In such instances, DSS will request that the contractor notify the government contracting officer and Program Security Officer of the need for a NID.
(2) Provide written notification to the individual designated by the Component, in accordance with paragraph (f) of §117.55 within 30 calendar days of identifying the requirement for a NID.
(3) Provide to appropriate GCAs the contractor's proposed FOCI action plan, any associated risk assessments, and DSS' recommendation for FOCI mitigation.
(4) Ask the GCA to identify all of the GCA's contracts affected by the proposed SSA that require a NID decision, unless the activity is unacknowledged. The cognizant SAPCO will inform the DoD SAPCO of any unacknowledged SAPs affected by the proposed SSA and consequently the NID requirement.
(5) Provide OUSD(I) Security Directorate and the OUSD(AT&L), Deputy Assistant Secretary of Defense for Manufacturing and Industrial Base Policy, a monthly report of pending NID decisions that:
(i) Exceed 30 calendar days from the date of the DSS written notice to the applicable GCA.
(ii) Have been pending for NSA, ODNI, or DOE concurrence for more than 30 calendar days.
(B) OUSD(I) will intervene, as warranted, with GCAs regarding NID decisions pending beyond 30 calendar days from the date of the DSS written notice, as well as with NSA, ODNI, and DOE regarding concurrence decisions that remain pending beyond 30 days from the date of the GCA request.
(C) OUSD(AT&L) will confer, as warranted, with the applicable DoD Service Acquisition Executive or component equivalent about unresolved NID decisions.
(D) The GCA will, upon written notification by DSS of the need for a NID:
(1) Review the FOCI action plan proposed by the uncleared company, in addition to any associated risk assessments and the DSS analysis of the appropriate FOCI mitigation based on the existing FOCI factors.
(2) Consider the FOCI factors noted in paragraph (b)(3) of this section in the aggregate with any associated risk assessments and DSS' analysis to determine whether to issue a NID.
(3) Provide DSS, as appropriate, one of the following within 30 calendar days of the DSS written notification that a NID is required:
(i) A final, documented NID with a copy provided to the contractor. If the NID is not specific to a single program, project, or contract (e.g., a blanket NID), the GCA will also forward a copy of the NID to the OUSD(I) Security Directorate.
(ii) A copy of the GCA's request for NID concurrence sent to NSA, ODNI, or DOE, when access to COMSEC, SCI, or RD is involved. The GCA will request that NSA, ODNI, or DOE respond within 30 calendar days of the date of the GCA's written request directly to DSS with a copy to the GCA.
(iii) A GCA decision that it will not issue a NID.
(4) Contact DSS to determine an alternative method to the proposed SSA when the GCA chooses not to issue a NID (e.g., a contract modification, a contract novation, or a PA or VTA authorized by the Program Executive Officer).
(5) Notify DSS in writing when NSA, ODNI, or DOE renders a decision on a proposed NID involving access to COMSEC, SCI, or RD, respectively. A GCA's NID decision is not final until NSA, ODNI, or DOE, as applicable, respond regarding access to COMSEC, SCI, or RD.
(6) When denying a NID, retain documentation explaining the rationale for the decision.
(6) Government Security Committee (GSC). (i) Under a VTA, PA, SSA, or SCA, DSS will ensure that the contractor establishes a permanent committee of its Board of Directors or similar body known as the GSC.
(A) The members of the GSC are required in accordance with DoD 5220.22-M to ensure that the contractor maintains policies and procedures to safeguard classified and export controlled information entrusted to it, and that violations of those policies and procedures are promptly investigated and reported to the appropriate authority when it has been determined that a violation has occurred.
(B) The GSC will also take the necessary steps in accordance with DoD 5220.22-M to ensure that the contractor complies with U.S. export control laws and regulations and does not take action deemed adverse to performance on classified contracts. This will include the appointment of a Technology Control Officer and the establishment of Technology Control Plan (TCP).
(ii) DSS will provide oversight, advice, and assistance to GSCs. These measures are intended to ensure that GSCs:
(A) Maintain policies and procedures to safeguard classified information and export-controlled unclassified information in the possession of the contractor with no adverse impact on the performance of classified contracts.
(B) Verify contractor compliance with the DD Form 441 or its successor form, the FOCI mitigation agreement or negation agreement and related documents, contract security requirements, USG export control laws, and the NISP.
(iii) In the case of an SSA, DSS will ensure that the number of outside directors exceeds the number of inside directors, as defined in DoD 5220.22-M. DSS will determine if the outside directors should be a majority of the Board of Directors based on an assessment of security risk factors pertaining to the contractor's access to classified information. In the case of an SCA, DSS will require the contractor to have at least one outside director, but may require more than one outside director based on an assessment of security risk factors.
(iv) In the case where a contractor is cleared to the SECRET level under an SSA, and also has a subsidiary with a TS FCL based on an approved NID, some or all of the outside directors of the cleared parent contractor may be sponsored for eligibility for access to TS information with their TS PCLs held by the subsidiary. Access will be at the level necessary for the outside directors to carry out their security or business responsibilities for oversight of the subsidiary company in accordance with DoD 5220.22-M. If the subsidiary has an approved NID for access to SAP or SCI, the applicable GCA may determine that an outside director at the parent contractor requires approved access at the subsidiary.
(7) Technology Control Plans (TCPs). Under a VTA, PA, SSA, SCA, or Limited FCL, DSS will require the contractor to develop and implement a TCP as required in DoD 5220.22-M. DSS will evaluate and, if the plan is adequate, approve the TCP. The TCP must include a description of all security measures required to prevent the unauthorized disclosure of classified or export-controlled information. Although TCPs must be tailored to the specific circumstances of the contractor or corporate family to be effective, DSS may provide examples of TCPs to the contractor to assist plan creation.
(8) Electronic Communication Plan (ECP). Under a VTA, PA, or SSA, DSS will require the contractor to develop and implement an ECP tailored to the contractor's operations. DSS will determine the extent of the ECP and review the plan for adequacy. The ECP must include a detailed network description and configuration diagram that clearly delineates which networks will be shared and which will be protected from access by the foreign parent or its affiliates. The network description will address firewalls, remote administration, monitoring, maintenance, and separate email servers, as appropriate.
(9) Administrative Support Agreement (ASA). There may be circumstances when the parties to a transaction propose in the FOCI action plan that the U.S. contractor provides certain services to the foreign interest, or the foreign interest provides services to the U.S. contractor. The services to be provided must be such that there is no violation of the applicable FOCI mitigation or negation agreement. If approved, the extent of such support and limitations on the support will be fully documented in an ASA.
(10) Annual Review and Certification—(i) Annual Meeting. DSS will meet at least annually with the GSCs of contractor's operating under a VTA, PA, SSA, or SCA to review and discuss the purpose and effectiveness of the FOCI mitigation or negation agreement; establish a common understanding of the operating requirements and their implementation; answer questions from the GSC members; and provide guidance on matters related to FOCI mitigation and industrial security. These meetings will also include an examination by DSS, with the participation of the (FSO) and the GSC members, of:
(A) Compliance with the approved security arrangement, standard rules, and applicable laws and regulations.
(B) Problems regarding the practical application or utility of the security arrangement.
(C) Security controls, practices, or procedures and whether they warrant adjustment.
(ii) Annual Certification. For contractors operating under a VTA, PA, SSA, or SCA, DSS will obtain from the Chair of the GSC an implementation and compliance report one year from the effective date of the agreement and annually thereafter. DSS will review the annual report; address, resolve, or refer issues identified in the report; document the results of this review and any follow-up actions; and keep a copy of the report and documentation of related DSS actions on file for 15 years. The GSC's annual report must include:
(A) A detailed description stating how the contractor is carrying out its obligations under the agreement.
(B) Changes to security procedures, implemented or proposed, and the reasons for those changes.
(C) A detailed description of any acts of noncompliance with FOCI provisions and a discussion of steps taken to prevent such acts from recurring.
(D) Any changes or impending changes of senior management officials or key board members, including the reasons for the change.
(E) Any changes or impending changes in the organizational structure or ownership, including any acquisitions, mergers, or divestitures.
(F) Any other issues that could have a bearing on the effectiveness of the applicable agreement.
(11) Foreign Government Ownership or Control. (i) In accordance with 10 U.S.C. 2536, the DoD cannot award contracts involving access to proscribed information to a company effectively owned or controlled by a foreign government unless a waiver has been issued by the Secretary of Defense or designee.
(ii) A waiver is not required if the company is cleared under a PA or VTA because both agreements effectively negate foreign government control.
(iii) DSS will, after consultation with the GCA, determine if a waiver is needed in accordance with subpart 209.104-1 of the Defense Federal Acquisition Regulation Supplement “Responsible Prospective Contractors, General Standards” (available at http://www.acq.osd.mil/dpap/dars/dfars/pdf/r20090115/209_1.pdf. The GCA will request the waiver from the USD(I) and provide supporting information, to include a copy of the proposed NID.
(iv) Upon receipt of an approved waiver, the GCA will forward the waiver and the NID to DSS.
(v) If the USD(I) does not grant the waiver, the company may propose to DSS an appropriate PA or VTA. Otherwise, the company is not eligible for access to proscribed information.
(12) Changed Conditions. (i) DSS will require contractors to submit timely reports of changes to FOCI by DSS-designated means in accordance with DoD 5220.22-M.
(ii) Upon receipt of changes to the SF 328 from contractors, DSS will assess the changes to determine if they are material; if they require the imposition of new FOCI mitigation or modification of existing FOCI mitigation; or if they warrant the termination of existing FOCI mitigation. DSS will periodically review the definition of material change with regard to FOCI and publish updated guidance as to what constitutes a reportable material change in coordination with OUSD(I) Security Directorate.
(13) Limited FCL. (i) A Limited FCL may be an option for a single, narrowly defined purpose when there is foreign ownership or control of a U.S. company. In that respect, a Limited FCL is similar to an LAA for a non-U.S. citizen. Consideration of a Limited FCL includes a DSS determination that the company is under FOCI and that the company is either unable or unwilling to implement FOCI negation or mitigation. A GCA or a foreign government may sponsor a Limited FCL consistent with the provisions of paragraphs (b)(13)(iii)(A) through (b)(13)(iii)(D) of this section.
(ii) DSS will:
(A) Document the requirements of each Limited FCL, including the limitations of access to classified information.
(B) Verify a Limited FCL only to the sponsoring GCA or foreign government.
(C) Ensure, in accordance with paragraph (b)(7) of this section, that the contractor has and implements a TCP consistent with DoD 5220.22-M.
(D) Process a home office along with a branch or division, when the GCA or foreign government sponsors the branch or division for a Limited FCL and ensure that the limitations of the Limited FCL are applied to the home office as well as the branch or division.
(E) Administratively terminate the Limited FCL when the FCL is no longer required.
(iii) There are four types of Limited FCLs:
(A) A GCA may sponsor a joint venture company established in the United States for the purpose of supporting a cooperative arms program involving DoD. An authorized GCA official, at the PEO level or higher, must certify in writing that the classified information to be provided to the company has been authorized for disclosure to the participating governments in compliance with U.S. National Disclosure Policy NDP-1, “National Policy and Procedures for the Disclosure of Classified Military Information to Foreign Governments and International Organizations,” (available to designated disclosure authorities on a need-to-know basis from the Office of the Deputy Under Secretary of Defense for Policy Integration and Chief of Staff to the Under Secretary of Defense for Policy). Key management personnel (KMPs) and employees may be citizens of the countries of ownership, if DSS is able to obtain security assurances. The non-U.S. citizens retain their foreign government issued personnel security clearances. The company FSO must be a cleared U.S. citizen as set forth in DoD 5220.22-M.
(B) A U.S. subsidiary of a foreign company may be sponsored for a Limited FCL by the government of the foreign parent company when the foreign government desires to award a contract to the U.S. subsidiary involving access to classified information for which the foreign government is the original classification authority (i.e., FGI), and there is no other need for the U.S, subsidiary to have an FCL. The KMPs must all be U.S. citizens. However, if the U.S. subsidiary is to have access to U.S. classified information in the performance of the contract, the U.S. subsidiary must be considered for one of the FOCI agreements set forth in paragraph (b)(4)(iii) of this section.
(C) A foreign owned freight forwarder may be sponsored for a Limited FCL by a foreign government for the purpose of providing services only to the sponsoring government. Access to U.S. classified information or material will be limited to information and material that has been authorized for export to the sponsoring government consistent with an approved direct commercial sale contract or foreign military sales letter of offer and acceptance. KMPs and employees may be citizens of the sponsoring government, if DSS is able to obtain security assurances on the individuals. As non-U.S. citizens, these individuals would not be eligible for a LAA; would be assigned under an extended visit authorization, and would retain their foreign government issued personnel security clearances. The FSO must be a U.S. citizen.
(D) A senior GCA official, consistent with paragraph (f)(3) of §117.55, may sponsor a U.S. company, determined to be under FOCI by DSS, for a Limited FCL when the other FOCI agreements described in paragraph (b)(4)(iii) and paragraphs (b)(13)(iii)(A) through (b)(13)(iii)(D) of this section do not apply, and there is a compelling need for the FCL. The official must fully describe the compelling need and certify in writing that the sponsoring GCA accepts the risk inherent in not negating or mitigating the FOCI. The Limited FCL permits performance only on a classified contract issued by the sponsoring GCA.
(14) Foreign Mergers, Acquisitions, Takeovers and CFIUS. (i) CFIUS is a USG interagency committee chaired by the Treasury Department whose purpose is to review transactions that could result in the control of a U.S. business by a foreign person in order to determine the effect of such transactions on the national security of the United States. The regulations defining the CFIUS process are at 31 CFR part 800, “Regulations Pertaining to Mergers, Acquisitions, and Takeovers by Foreign Persons”.
(ii) DoD is a member of CFIUS. DoD procedures for reviewing and monitoring transactions filed with CFIUS are provided in DoD Instruction 2000.25.
(iii) The CFIUS review and the DSS industrial security review for FOCI are separate processes subject to independent authorities, with different time constraints and considerations. However, CFIUS may not mitigate national security risks that are adequately addressed by other provisions of law.
(iv) If the NISP process has not begun or has not been completed prior to the submission of a CFIUS notice, DSS will review, adjudicate, and mitigate FOCI on a priority basis. DSS will provide all relevant information to the OUSD(I) Security Directorate specifically, for any transaction undergoing concurrent CFIUS and DSS reviews.
(A) By the 10th calendar day after the CFIUS review period begins DSS will advise the OUSD (AT&L) Manufacturing and Industrial Base Policy (MIBP) CFIUS Team electronically, with a copy to the OUSD(I) Security Directorate, of the U.S. company's FCL status (e.g., no FCL, FCL in process, TS/S/C FCL).
(B) For contractors or U.S. companies in process for an FCL, DSS will provide the following input in a signed memorandum with rationale included to the Director, Security, OUSD(I) Security Directorate on or before the suspense date established by the MIBP CFIUS Team:
(1) Basic identification information about the contractor, to include name, address, and commercial and government entity code.
(2) FCL level.
(3) Identification of current classified contracts, to include identification of GCAs and any requirement for access to proscribed information.
(4) The nature and status of any discussions DSS has had with the contractor or the foreign interest regarding proposed FOCI mitigation measures.
(5) Whether DSS requires additional time beyond the established MIBP CFIUS team suspense date to determine and recommend to the OUSD(I) Security Directorate whether the proposed FOCI mitigation is sufficient to address risks within the scope of DSS's FOCI authorities.
(6) Identification of any known security issues (e.g., marginal or unsatisfactory security rating, unresolved counterintelligence concerns, alleged export violations).
(v) If it appears that an agreement cannot be reached on material terms of a FOCI action plan, or if the U.S. company subject to the proposed transaction fails to comply with the FOCI reporting requirements of DoD 5220.22-M, DSS may recommend additional time through the OUSD(I) Security Directorate to resolve any national security issues related to FOCI mitigation.
(vi) If the proposed transaction involves access to proscribed information and the contractor is contemplating the use of an SSA to mitigate FOCI, the GCA will provide DSS with a preliminary determination regarding the acceptability of the proposed FOCI mitigation. The determination must be provided to DSS one day prior to the suspense date established by the MIBP CFIUS Team and must include whether a favorable NID will be provided. If the GCA does not notify DSS, DSS will not delay implementation of a FOCI action plan pending completion of a GCA's NID process as long as there is no indication that the NID will be denied.
(vii) If DSS, under its FOCI authorities, is notified of a transaction with respect to which the parties thereto have not filed a notice with CFIUS, DSS will notify the MIBP CFIUS Team through the OUSD(I) Security Directorate.
(viii) When a merger, sale, or acquisition of a contractor is finalized prior to having an acceptable FOCI mitigation agreement in place, DSS will take actions consistent with paragraph (b)(2)(iv) of this section.