Foci Mitigation: Defending Security Clearances under Foreign Ownership

DCSA evaluates FOCI conditions using the threat, vulnerability, and risk framework: the foreign owner's country of origin, its relationship to foreign intelligence services, the classified programs the company performs, and the counterintelligence exposure the control position creates. Foreign ownership alone does not disqualify a company from a facility security clearance, but triggers a mandatory NISPOM review, and any change in foreign ownership creating or modifying a FOCI condition must be reported to DCSA within ninety days. Companies experiencing a change in ownership or investment that may create a FOCI condition should immediately seek U.S. national security legal counsel to evaluate the reportability of the transaction and initiate the DCSA disclosure process.

CFIUS reviews of foreign acquisitions frequently intersect with FOCI mitigation when the acquired company holds a facility security clearance or performs classified contracts, and a CFIUS national security agreement may impose governance restrictions that overlap with the FOCI mitigation instrument required by DCSA. Companies must ensure that CFIUS and FOCI obligations are consistent and do not create conflicting governance requirements that impair classified contract performance. Companies that receive a CFIUS notice of investigation for an acquisition of a cleared defense contractor should seek foreign investment compliance legal counsel to coordinate the CFIUS review and the concurrent FOCI mitigation negotiation with DCSA.

Maintaining a facility security clearance requires continuous NISPOM compliance, timely reporting of any FOCI condition change, and submission of a Standard Form 328 Certificate Pertaining to Foreign Interests that identifies all foreign ownership, the degree of control, and proposed mitigation steps. DCSA reviews FOCI status at each clearance application, renewal, and reportable ownership change, and can suspend, revoke, or downgrade the clearance level if the FOCI condition presents an unacceptable risk. Companies undergoing DCSA review in connection with a FOCI condition should seek national security legal counsel to prepare the SF-328 submission, negotiate the mitigation instrument, and manage the DCSA review timeline.

A FOCI condition in a company holding ITAR registrations or EAR export authorizations creates overlapping compliance obligations that must be addressed in both the FOCI mitigation instrument and the company's export compliance program. The International Traffic in Arms Regulations require ITAR-registered companies to notify DDTC of any ownership change that may affect their registration, and the FOCI mitigation instrument must contain controls preventing the foreign owner from accessing export-controlled technology without separate authorization. Companies managing the intersection of FOCI mitigation and ITAR or EAR compliance should seek export control law legal counsel to evaluate registration and license status, identify export control obligations triggered by the foreign ownership change, and design the technology access controls required under both frameworks.

A voting trust requires the foreign owner to transfer all voting rights to U.S. .itizen trustees who exercise complete control over the company's board and classified operations, while a proxy agreement permits the foreign owner to retain economic interest in the company while delegating voting and governance rights to DCSA-approved U.S. .itizen proxy holders who act independently of the foreign owner. DCSA applies the voting trust when the foreign owner poses a higher counterintelligence risk or when the company performs particularly sensitive classified programs that warrant complete governance insulation. Companies with a FOCI condition who seek to maintain a facility security clearance should seek CFIUS and foreign direct investment legal counsel to evaluate whether a voting trust or proxy agreement satisfies DCSA's risk threshold for the company's classified program portfolio.

Under a special security agreement, the company establishes inside directors who are U.S. .itizens cleared to the highest classified program level, who control access to classified information and security-sensitive technology, and who are supported by a government security committee that functions as the operational oversight body for classified programs. The board resolution requirements of an SSA require the inside board to convene separately from the full board on matters affecting classified programs and to maintain records of those meetings. Companies negotiating a special security agreement with DCSA should seek foreign direct investment legal counsel to structure the inside board composition, negotiate the government security committee's authority, and evaluate the governance obligations against the foreign owner's commercial requirements.

A company operating under a FOCI mitigation instrument must submit annual certifications to DCSA confirming that the required governance structure remains in place, that inside directors and proxy holders remain eligible, and that no reportable changes have occurred. The government security committee's annual report must address compliance with each mitigation instrument requirement, identify issues and corrective actions taken, and certify that the inside directors maintained exclusive control over classified program decisions. Companies with active FOCI mitigation instruments should seek ITAR and EAR advisory legal counsel to conduct annual compliance reviews, prepare DCSA certification submissions, and evaluate ownership or governance changes requiring mitigation instrument amendment.

A facility security clearance revocation proceeding for FOCI non-compliance immediately suspends the company's ability to access classified information and perform classified contracts pending resolution of the proceeding. An independent monitoring agreement, which DCSA may require as a condition of reinstating a clearance following a FOCI finding, appoints a third-party monitor with access to the company's operations and classified program activities to verify ongoing compliance. Companies facing a DCSA notice of intent to revoke or suspend a facility security clearance based on FOCI should immediately seek independent monitoring for government contractors legal counsel to respond to the DCSA notice, develop the administrative defense strategy, and negotiate the conditions for clearance reinstatement.