1. Cfius Review and Foreign Investment Defense
National security review by CFIUS applies to any foreign acquisition of a US business that gives the foreign investor access to critical technology, critical infrastructure, or sensitive personal data of US citizens.
How Should Companies Manage Cfius Review to Protect Deal Approval?
A CFIUS review requires the parties to file a voluntary or mandatory notice and respond to the Committee's requests within compressed statutory timelines, and CFIUS and US national security counsel must evaluate whether mandatory filing requirements apply and what national security concerns the combination of foreign investor and US target is likely to raise.
How Should Mitigation Agreements Be Structured to Protect Operations?
When CFIUS conditions its approval on a mitigation agreement that imposes ongoing monitoring, reporting, and operational restrictions, national security counsel negotiating the agreement must evaluate whether the proposed restrictions are narrowly tailored to the specific security concern identified and whether the monitoring provisions give the government adequate visibility without creating an unacceptable operational burden.
2. Export Controls and Sanctions Compliance
National security law imposes strict requirements on the export of goods, software, and technology with potential military or dual-use applications, and violations can result in criminal prosecution and suspension of export privileges.
How Should Companies Classify Products under Ear and Itar?
A company that exports items subject to the Export Administration Regulations or the International Traffic in Arms Regulations must classify each item under the applicable control list and determine whether a license is required, and export control law counsel advising on classification must evaluate whether the company's products fall under the Commerce Control List or the US Munitions List.
What Procedures Protect Companies against Sanctions Violations?
A company that inadvertently transacts with a party on the SDN List or another restricted party list faces potential debarment and significant civil penalties, and economic sanctions compliance counsel must evaluate whether the company's screening procedures cover all relevant restricted party lists and whether its due diligence on foreign distributors and partners is adequate given its geographic risk profile.
3. Defense Contracting and Security Clearances
National security obligations for defense contractors include maintaining personnel and facility security clearances, protecting classified information, and complying with DFARS cybersecurity requirements.
How Should Defense Contractors Manage Security Clearance Requirements?
A defense contractor that requires access to classified information must maintain a facility security clearance and ensure that all employees with access to classified materials hold the appropriate personnel security clearance, and government contracts counsel must evaluate whether the company's facility clearance documentation is current and whether any adverse information about key personnel creates clearance eligibility concerns.
Why Must Defense Contractors Protect Trade Secrets against Theft?
A defense contractor that allows its proprietary technical data, manufacturing processes, or software to be misappropriated loses both the competitive advantage the trade secret represents and potentially the ability to perform on government contracts that depend on it, and trade secret misappropriation counsel must evaluate whether the company's confidentiality agreements and access controls satisfy the reasonable measures standard required for trade secret protection.
4. Cybersecurity and Supply Chain Security
National security compliance in the defense sector requires companies to implement NIST SP 800-171 and CMMC cybersecurity controls and to verify that their supply chains do not include components from entities that pose a national security risk.
How Should Companies Implement Cybersecurity Controls for Defense?
A defense contractor that handles controlled unclassified information must comply with the DFARS cybersecurity requirements, including implementing the 110 security controls in NIST SP 800-171 and reporting incidents within 72 hours, and cybersecurity governance counsel must evaluate whether the company's system security plan accurately describes its current security posture.
When Should Companies Conduct Supply Chain Security Due Diligence?
A company that provides products or services to the US government must ensure that its supply chain does not include components or services from entities identified as posing a national security risk under Section 889 of the FY2019 NDAA or other applicable regulations, and supply chain disruptions counsel advising on supply chain security must evaluate whether the company's supplier qualification procedures include adequate screening for covered telecommunications equipment.
05 Nov, 2025
