National Security: How Businesses Protect Transactions and Technology

A CFIUS review requires the parties to file a voluntary or mandatory notice and respond to the Committee's requests within compressed statutory timelines, and CFIUS and US national security counsel must evaluate whether mandatory filing requirements apply and what national security concerns the combination of foreign investor and US target is likely to raise.

When CFIUS conditions its approval on a mitigation agreement that imposes ongoing monitoring, reporting, and operational restrictions, national security counsel negotiating the agreement must evaluate whether the proposed restrictions are narrowly tailored to the specific security concern identified and whether the monitoring provisions give the government adequate visibility without creating an unacceptable operational burden.

A company that exports items subject to the Export Administration Regulations or the International Traffic in Arms Regulations must classify each item under the applicable control list and determine whether a license is required, and export control law counsel advising on classification must evaluate whether the company's products fall under the Commerce Control List or the US Munitions List.

A company that inadvertently transacts with a party on the SDN List or another restricted party list faces potential debarment and significant civil penalties, and economic sanctions compliance counsel must evaluate whether the company's screening procedures cover all relevant restricted party lists and whether its due diligence on foreign distributors and partners is adequate given its geographic risk profile.

A defense contractor that requires access to classified information must maintain a facility security clearance and ensure that all employees with access to classified materials hold the appropriate personnel security clearance, and government contracts counsel must evaluate whether the company's facility clearance documentation is current and whether any adverse information about key personnel creates clearance eligibility concerns.

A defense contractor that allows its proprietary technical data, manufacturing processes, or software to be misappropriated loses both the competitive advantage the trade secret represents and potentially the ability to perform on government contracts that depend on it, and trade secret misappropriation counsel must evaluate whether the company's confidentiality agreements and access controls satisfy the reasonable measures standard required for trade secret protection.

A defense contractor that handles controlled unclassified information must comply with the DFARS cybersecurity requirements, including implementing the 110 security controls in NIST SP 800-171 and reporting incidents within 72 hours, and cybersecurity governance counsel must evaluate whether the company's system security plan accurately describes its current security posture.

A company that provides products or services to the US government must ensure that its supply chain does not include components or services from entities identified as posing a national security risk under Section 889 of the FY2019 NDAA or other applicable regulations, and supply chain disruptions counsel advising on supply chain security must evaluate whether the company's supplier qualification procedures include adequate screening for covered telecommunications equipment.