Bottom Line Up Front
On May 13, 2024 the U.S. Department of Defense (DoD) published Instruction 5205.87: Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors (the Instruction), which required DoD agencies to comply with Section 847 of the National Defense Authorization Act for Fiscal Year 2020 (FY20 NDAA). Section 847 of the FY20 NDAA mandated that the DoD evaluate whether covered contractors and subcontractors are under foreign ownership, control, or influence (FOCI). The Defense Counterintelligence and Security Agency (DCSA) conducts this evaluation which previously, was only required for contractors and subcontractors that are performing classified work. The Instruction significantly expands the FOCI review process to all contractors that hold certain contracts in excess of $5 million.
Background
Currently, the United States Government permits foreign investment to the extent that it is compatible and consistent with its national security interests, but government contracts that require access to classified information will not be awarded to companies operating under FOCI unless adequate safeguards are in place to protect national security interests. Generally, a business is considered to be operating under FOCI whenever a foreign interest has the power to direct or decide matters affecting the management or operations in a manner which may result in unauthorized access to classified information.
When determining whether a business is under FOCI, DCSA will consider:
- the foreign interest’s record of economic and government espionage against U.S. targets;
- the foreign interest’s record of enforcement and/or engagement in unauthorized technology transfer;
- the foreign interest’s record of compliance with pertinent U.S. laws, regulations, and contracts;
- the type and sensitivity of the information that will be accessed by the business;
- the source, nature, and extent of FOCI, including, but not limited to, whether a foreign interest holds a majority or substantial minority position in the company;
- the nature of any relevant bilateral and multilateral security and information exchange agreements, (e.g., the political and military relationship between the USG and the government of the foreign interest);
- whether the ownership or control is exercised by a foreign government; and
- any other factor that indicates or demonstrates a capability on the part of foreign interests to control or influence the operations or management of the business organization concerned.
Before the enactment of the FY20 NDAA and the issuance of the Instruction, this process was applicable primarily to businesses that were performing or seeking to perform classified government contracts. However, for the first time, the law and the implementing Instruction now extend foreign ownership reporting requirements to certain unclassified defense research assistance awards and certain unclassified defense contracts.1
Expanded FOCI Definition
The Instruction provides a new definition of FOCI that is applicable to businesses that are not currently performing or seeking to perform classified work. Going forward, a contractor that has not been granted a facility clearance and is not being processed for a facility clearance will be considered to be under FOCI when a foreign interest has the power to direct or decide matters affecting the management or operations in a manner which may result in a (a) risk to national security, (b) potential compromise of sensitive data, systems, or processes or (c) foreign interest controlling or influencing the business in a manner that could adversely affect the performance of the contract. This new definition makes it clear that DoD is focused on the potential for unauthorized disclosure or compromise of national security information or sensitive data, systems, or processes, such as controlled unclassified information (e.g., personally identifiable information), or national security systems.
New Reporting Requirements
The Instruction does three things: (1) it establishes policy and assigns responsibilities across the DoD for the assessment of FOCI during the course of source selections, (2) it provides procedures to determine if a covered contractor or subcontractor is under FOCI, and (3) it sets parameters to ascertain whether such FOCI, when identified, poses a risk to national security or potential risk of compromise. The Instruction also sets forth the procedures the DoD must use to mitigate FOCI risk for a covered contractor or subcontractor, as applicable.
DoD now includes beneficial owners of the business in the expanded FOCI analysis. A beneficial owner is any person who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise has the right or shares the right to acquire beneficial ownership of such security within sixty days.2 Businesses that are (i) applying for defense research assistance awards (which include but are not limited to grants, cooperative agreements, and technology investment agreements) or (ii) competing for unclassified DoD contracts (at both the prime and subcontract levels) which will exceed $5 million in value will be impacted, unless the contract is for the provision of commercials goods or services.3
Importantly, this DCSA review is now a part of the source selection decision. Contracting Officers must notify DCSA after proposal evaluation is complete but before a proposal may be considered for award. Upon notification, DCSA must review contractor and subcontractor information with a focus on FOCI matters. Within 25 business days of the initial notification, DCSA is required to provide the contracting officer with a risk indicator report or with a FOCI assessment and proposed risk mitigation strategy.
DCSA risk indicator reports will include a summary statement indicating whether DCSA found FOCI risk indicators, background information on the contractor and its key personnel, and a risk mitigation strategy, if one is appropriate. Alternatively, FOCI assessments will include identification of all risk indicators and triggering events DCSA identified. Further, DCSA’s risk mitigation strategy must include a summary statement indicating whether the covered contractor is under FOCI; a statement indicating whether the risk indicators identified by the FOCI assessment pose a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes, or could otherwise adversely affect the covered contractor’s ability to perform the contract or research assistance award; and whether mitigation is appropriate.
When mitigation is appropriate, DCSA must set forth what mitigation measures are necessary and how those mitigation measures address the risk indicators identified. DCSA is also tasked with overseeing the implementation of, and compliance with, FOCI mitigation measures for a business determined to be under FOCI. Alternatively, if DCSA does not recommend mitigation, it must also provide this information to the contracting officer. In instances where the contracting officer ultimately determines that mitigation cannot be accomplished because the nature or extent of the FOCI risk, the contract or defense research assistance award may not be awarded, amended, or extended.
Finally, the Instruction makes it clear that when DCSA determines mitigation is required for a contract or research assistance award, it will execute final FOCI mitigation measures with the contractor within 90 business days of award. These mitigation measures must remain in place so long as the award is in effect and contractor is under FOCI. As with contractors under FOCI performing classified work, DCSA will be responsible for annually reviewing the contractor’s mitigation efforts and analyzing any subsequent changes to FOCI status. Contractors will report changes to DCSA via submission of the Standard Form (SF) 328 Certificate Pertaining to Foreign Interests.
Takeaways
There are several factors that companies should consider with the implementation of the DoD’s new FOCI reporting requirements applicable to non-classified contracts:
- Companies providing commercial products or services under unclassified contracts can expect to exempted from these reporting requirements, unless the DoD determines that the contract involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system. As such, companies should pay close attention to the commercial product or commercial service determination made by the contracting officer in accordance with FAR 2.101 and question requests about beneficial ownership when that determination has been made.
- Companies receiving or seeking DoD funding should become familiar with DCSA and the ways FOCI can be mitigated. Depending on a company’s level of foreign beneficial ownership, DCSA may require different FOCI mitigation agreements. Although most FOCI mitigation agreements are based upon DCSA templates that are readily available on the Agency’s website, DCSA has the authority to, and often will, alter its standard FOCI mitigation arrangements (Special Security Agreement, Proxy Agreement, Voting Trust Agreement, Security Control Agreement, and FOCI board resolutions). That said, with its expanded FOCI review, DCSA may ultimately create new templates that are tailored to mitigating FOCI unrelated to classified contracts.
- Companies receiving or seeking DoD funding need to increase awareness of their own foreign beneficial ownership, if they are not already aware of it, and should start the dialogue about the beneficial ownership of their prime or subcontracting partners to understanding whether ownership exists that may be problematic. Reporting requirements will exist at all levels of the supply chain and the Instruction makes it clear that when the FOCI cannot be mitigated, a contract award or extension cannot be made.
- Companies seeking DoD contracts should read solicitations carefully to understand exactly how a DoD contracting agency plans to use the DCSA information in its ultimate evaluation decision. This is new territory for the DoD and DCSA, but proposals must still be evaluated consistent with solicitation terms and procurement rules applicable to the federal government. If this is not done, the unsuccessful company may have a protest ground related to the use of the DCSA information by the contracting officer and source selection team.
Goodwin’s Government Contracts and Grants Team has significant experience counseling clients on matters involving FOCI considerations that are subject to DCSA’s oversight. These include matters ranging from identifying FOCI issues during due diligence to assisting with the implementation of FOCI mitigation measures and the ongoing compliance obligations. Please contact the authors of this alert if you have questions.
[1] The SBIR and STTR Extension Act of 2022 (Extension Act), Public Law 117–183 (Sep. 30, 2022), amended section 9 of the Act; 15 U.S.C. 638(g)(13)–(17), (o)(17)–(21), and (vv), to required small businesses applying for SBIR or STTR awards to disclose certain information about the applicant’s investment and foreign ties. In response to this law, the Small Business Administration issued a template, based on the statutory language in the Act, to uniformly capture the required disclosures. Per the Extension Act, the term ‘‘foreign country of concern’’ does not include all foreign ownership. The Extension Act requires disclosure of information about ties to the People’s Republic of China, the Democratic People’s Republic of Korea, the Russian Federation, the Islamic Republic of Iran, or any other country determined to be a country of concern by the Secretary of State.
[2] The Instruction refers to 17 C.F.R. 240.13d-3 for the definition of a beneficial owner.
[3] Contractors that provide commercial products or services may still be required to submit beneficial ownership information if the contract involves a “risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- /en/people/t/turner-joshuah
Joshuah Turner
Counsel - /en/people/a/aldrich-jessica
Jessica Aldrich
Senior Associate - /en/people/v/vivona-alexander
Alexander Vivona
Associate - /en/people/d/dee-katerina
Katerina Dee
Associate
