The Defense Counterintelligence and Security Agency (DCSA) and
Foreign Ownership, Control or Influence (FOCI) Handbook
TABLE OF CONTENTS
INTRODUCTION
Defense Counterintelligence and Security Agency (DCSA)
Foreign Ownership, Control or Influence (FOCI)
COMPLIANCE
Due Diligence
Avoiding Potential Pitfalls
Reporting and Investigating Security Breaches
CONTACT US
©2020 Wiley Rein LLP
INTRODUCTION
The National Industrial Security Program (NISP) was established in 1993 by Executive Order 12829 to ensure that persons and entities with access to classified or sensitive information comply with industry safeguards equivalent to those within the U.S. government for protecting such information. Issued in accordance with the NISP, the National Industrial Security Program Operating Manual (NISPOM) sets forth the requirements, restrictions, and other safeguards to prevent the unauthorized disclosure of classified information. The NISPOM also prescribes procedures for the authorized disclosure of such information by the U.S. government to its contractors. The NISPOM is periodically updated to reflect changes and updates in industrial security matters.

U.S. government contracts that require access to classified information will not be awarded to companies operating under foreign ownership, control or influence (FOCI) unless adequate safeguards are in place to protect national security interests. U.S. contractors must take specific measures to mitigate or negate FOCI concerns in order to obtain and maintain classified contracts. The U.S. Department of Defense’s (DOD) FOCI policy is premised, in part, on the notion that foreign investment in the U.S. defense industry serves national security interests and is encouraged; however, adequate safeguards must be in place to ensure that national security interests are protected.

Defense Counterintelligence and Security Agency (DCSA)

The DOD is fundamentally changing its approach to administering the NISP on behalf of all Executive branch departments and agencies. Through this initiative, the DOD is transitioning its security oversight approach from a schedule-driven compliance regime to an intelligence-based, threat-driven methodology.

Central to this reform is the Defense Counterintelligence and Security Agency (DCSA). Until June 2019, the Defense Security Service (DSS) served as the Cognizant Security Office for the DOD responsible for administering and implementing the NISP and regulatory control over classified information. On June 20, 2019, the DSS was renamed DCSA.

As a continuation of the former DSS, DCSA maintains industrial security responsibilities; however, the name change reflects DCSA’s new role as administrator of personnel vetting and security clearance responsibilities for the entire federal government. Accordingly, federal security clearance entities are being merged into DCSA. The National Background Investigations Bureau (NBIB) was transferred from the U.S. Office of Personnel Management (OPM) to the DCSA on September 29, 2019. The DOD Consolidated Adjudications Facility (CAF)—which determines security clearance eligibility of non-intelligence agency DOD personnel occupying sensitive positions or requiring access to classified material—merged into DCSA on October 1, 2019. This consolidation of federal security clearance operations will be complete once the DCSA takes over certain functions of the Defense Information Systems Agency (DISA) and the Defense Manpower Data Center (DMDC), which are to be transferred to DCSA by October 1, 2020.

DCSA’s current mission includes vetting and maintaining a trusted workforce, protecting critical technology, and providing professional security education. DCSA’s primary functions are clearing industrial facilities, personnel, and
to control or cause the direction of other decisions or activities of your organization?
■ Does your organization have any contracts, agreements, understandings or arrangements with a foreign person(s)?
■ Does your organization, whether as borrower, surety, guarantor or otherwise, have any indebtedness, liabilities or obligations to a foreign person(s)?
■ During your last fiscal year, did your organization derive: (a) 5% or more of its total revenues or net income from any single foreign person? (b) In the aggregate, 30% or more of its revenues or net income from foreign persons?
■ Is 10% or more of any class of your organization’s voting securities held in “nominee” shares, in “street names” or in some other method which does not identify the beneficial owner?
■ Do any of the members of your organization’s board of directors (or similar governing body), officers, executive personnel, general partners, regents, trustees or senior management officials hold any positions with, or serve as consultants for, any foreign person(s)?
■ Is there any other factor(s) that indicates or demonstrates a capability on the part of foreign persons to control or influence the operations or management of your organization?

A company must provide corporate documentation to clarify the nature and extent of the foreign interest for any “yes” answer to a question on the SF 328.

Importantly, a company’s FOCI factors are not only reviewed as part of the initial facility clearance process, they are continuously revisited throughout the life of the FCL in order to address any changes that have occurred since the receipt of the clearance. For this reason, when a company with an FCL enters into negotiations for a proposed merger, acquisition, or takeover by a foreign entity, the cleared entity must notify DCSA and inform DCSA of the type of transactions under negotiation (stock purchase, asset purchase, etc.), the identity of the potential foreign investor, and plans to mitigate/negate FOCI.
by industry and recently enacted legislation. For example, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 eliminated the NID requirement effective October 1, 2020, for companies that are operating under FOCI and the parent company is within the National Technology and Industrial Base—which includes Australia, Canada, and the United Kingdom.

A Security Control Agreement (SCA) is used when a cleared company is not effectively owned or controlled by a foreign entity, but the foreign interest is nonetheless entitled to representation on the company’s governing board. The SCA is substantially identical to the SSA with a few notable differences. Because the SCA is used when a company is not effectively owned or controlled by the foreign interest, the SCA imposes fewer restrictions on the company for the protection of classified information.

Companies operating under either an SSA or SCA must implement an approved Technology Control Plan (TCP). The TCP must establish “security measures determined necessary to reasonably foreclose the possibility of inadvertent access by non-U.S. citizen employees and visitors to information for which they are not authorized.” In addition, the TCP must set forth measures designed to ensure “that access by non-U.S. citizens is strictly limited to only that specific information for which appropriate Federal Government disclosure authorization has been obtained[.]”

Companies operating under an SSA or SCA must also develop and implement an Electronic Communications Plan (ECP). The ECP must include adequate procedures for internet, email, phone use, etc., to ensure that no classified or export-controlled information is improperly disseminated through electronic communications. Importantly, companies/contractors operating under these agreements are subject to annual review and certification requirements.

Voting Trust Agreements and Proxy Agreements

Voting Trust Agreements (VTAs) and Proxy Agreements (PAs) are the most restrictive mitigation instruments. They are typically used to mitigate FOCI concerns where a foreign shareholder is in a position to control a U.S. company and the U.S. company is handling very sensitive information, usually at the Top Secret level. VTAs and PAs are substantially identical arrangements in which the voting rights of the foreign-owned stock are vested in Trustees (for VTAs) or Proxy Holders (for PAs), who are cleared U.S. citizens approved by DCSA.

Under such agreements, the company must establish that it is organized and financed in a manner that allows it to be a viable business entity that is entirely independent from the foreign shareholder. Accordingly, the Trustees and Proxy Holders act with all the prerogatives of stock ownership and have freedom to act independently from the foreign stockholders. Indeed, they are tasked with exercising management functions over the company in order to effectively insulate the company from the foreign stockholders. However, the Trustee or Proxy Holder may be required to obtain the approval of the foreign stockholder with respect to the following business activities: the sale or disposal of the corporation’s assets or a substantial part thereof; pledges, mortgages or other encumbrances on the capital stock; corporate mergers, consolidations or reorganizations; the dissolution of the corporation; and the filing of a bankruptcy petition. Given that VTAs and PAs require foreign investors to relinquish control over the company, investors tend to disfavor these mitigation instruments.

As with the SSA and SCA, both the VTA and PA require the establishment of a GSC, which ensures that the company maintains and complies with policies and procedures to protect classified and export-controlled information.
Under a VTA and PA, the GSC is composed of Proxy Holders or Trustee Directors and those officers of the company who hold adequate security clearances. Further, both the VTA and PA require the establishment of a TCP and ECP. In addition, contractors operating under these agreements are subject to annual review and certification requirements.

In contrast to PAs, VTAs are rarely, if ever, employed as a FOCI mitigation mechanism.

Foreign Control or Influence

When foreign control or influence factors are present, but are unrelated to ownership, a mitigation plan must contain positive measures to effectively deny the foreign interest access to classified information and assure that the foreign interest cannot otherwise adversely affect the company’s performance on classified contracts. For example, the DCSA has recognized the following measures:
■ Adopting Special Board Resolutions;
■ Assigning specific oversight duties and responsibilities to independent board members;
■ Formulating special executive-level security committees to consider and oversee matters that affect the performance of classified contracts;
■ Appointing a technology control officer;
■ Modifying or terminating loan agreements, contracts, and other understandings with foreign interests;
■ Diversifying or reducing foreign-source income;
■ Demonstrating financial viability independent of foreign interests;
■ Eliminating or resolving problem debt;
■ Separating, physically or organizationally, the contractor component performing on classified contracts.
Enhanced SVAs are rated under the old rating model and closely follow the traditional security review format.

Under the traditional ratings process, the Vulnerability Assessment Rating Matrix, DCSA assigns all facilities a Starting Score of 700 points. Points are added to this score for NISP enhancements, which are actions a company takes to protect classified information that extend beyond what is required under the NISPOM. Following the 2016 NISPOM update, there were 10 NISP enhancement categories, including: information systems, active security organization membership, and physical security. Points are subtracted for violations based on NISPOM reference and not based on the number of violation occurrences. The traditional security ratings process accounts for both the size and complexity of a facility in arriving at the final security rating.

As part of the RISO rollout, DCSA conducted on-site security reviews at facilities selected through its internal prioritization process, and some facilities did not receive an on-site review. DCSA field offices engaged the contractors not receiving an enhanced review to assess the facility’s security posture and discuss counterintelligence.

DCSA recently announced that it is developing a new industry rating model called the Security Rating Score (SRS). DCSA has engaged select industry partners to conduct dry runs and a limited pilot of the SRS; however, the agency has not yet made public the content of the SRS model or the implementation’s details.

DCSA Engagement with Cleared Industry

As DCSA shifts its focus from NISPOM compliance to tailored critical technology protection, cleared industry must do the same. Contractors will need to identify critical assets at their facility and the security controls in place, document business processes and supply chains, and develop and monitor the effectiveness of Tailored Security Plans.

DCSA currently uses three engagement types as part of the RISO methodology: Targeted, Horizontal, and Vertical. Targeted engagement focuses on classes of critical technology at highest risk. Horizontal engagement focuses broadly on the business networks surrounding a classified contract, including end-to-end supply chain security. Vertical engagement has a programmatic focus from the government-client perspective and addresses the integrity of a given program across a team of contractors.

Comparing Old and New Approaches to Cleared Facility Oversight

Old Approach:
■ Scheduling: Security reviews are scheduled on a 90-day plan, prioritizing facilities with FOCI mitigation agreements and those with classified information systems. Facilities with FOCI have security reviews 30 to 60 days before their mandatory annual meeting.
■ Monitoring: Security reviews are focused on a contractor’s compliance with NISPOM requirements and result in a security rating within the Vulnerability Assessment Rating Matrix.

New RISO Approach:
■ Scheduling: DCSA security reviews are prioritized based on a facility’s assets and threats to those assets as determined by national intelligence and the DOD’s critical technologies and programs list. Contractors and government officials work together to identify assets at each facility and develop a Tailored Security Plan. Security reviews are scheduled in light of each facility’s Tailored Security Plan.
■ Monitoring: DCSA conducts a comprehensive security review to establish a Tailored Security Plan. Subsequent reviews assess the implementation and adequacy of the Tailored Security Plan. DCSA is currently developing a new rating system—the SRS—to complement the Tailored Security Plan.
most targeted category of aeronautics systems, and unmanned or independent systems were commonly targeted across technology sectors. More than 40% of the SCRs identified East Asia and the Pacific as the source of the suspicious activity. The Near East was the second most common source of unauthorized collection attempts in FY 2018, as that region was associated with 13% of the suspicious contacts.

Foreign actors utilize a variety of methods to obtain sensitive or classified information and technology, but most frequently used the “attempted acquisition of technology” method. This method includes attempts to acquire protected information in the form of controlled technologies through front companies, third countries, or a direct purchase of firms. The second most common method of operation was request for information/solicitation, which involves directly or indirectly asking or eliciting personnel for protected information and technology.

In FY 2018, email was the method of contact foreign actors most commonly used to reach a target. The basic email method of contact includes unsolicited requests for information or purchase requests. The second most common method of contact in FY 2018 was also through email, but in the form of a phishing operation in which malicious content or attachments were embedded within the email for the purpose of compromising a network. Foreign actors are likely to continue to employ these methods of operation and contact in the future.
COMPLIANCE
Due Diligence

Contractors should be aware of the potential consequences of security breaches, including criminal prosecution of the corporation and/or responsible individuals; transfer of classified contracts to another contractor; revocation of the contractor’s FCL; and/or suspension or debarment from all federal government contracts.

Avoiding Potential Pitfalls

All cleared contractors are subject to DCSA inspection and review. Companies are also responsible for conducting internal reviews of their security systems to ensure the protection of classified information. DCSA has identified several violations that often result in poor security ratings. These include the following:
Wiley attorneys help clients navigate the policies and regulations governing the international economy, allowing us to provide comprehensive advice to FOCI clients in related fields. Our industry-leading export controls attorneys routinely help U.S. companies and foreign businesses with U.S. affiliates and subsidiaries to navigate the complex requirements of the

Our FOCI experts collaborate with the firm’s preeminent Government Contracts Practice to provide specialized advice to government contractors. Wiley is among the leaders in this area, consistently ranked by Chambers USA as one of only a few firms in the top tier of the nation’s government contracts practices.
CONTACT US
©2020 Wiley Rein LLP | 1776 K Street NW | Washington, DC 20006