top of page

Does Your Company Need FOCI Mitigation?

By Frank Bennett, Kentucky APEX Accelerator Procurement Consultant

 

This article was originally published in our monthly Kentucky APEX Accelerator Newsletter. If you have any questions about this topic, your regional procurement consultant is here to help! Not a client? Sign up here.



Suppose your company is owned, controlled or influenced by foreign ownership. In that case, you may need to operate under Foreign Ownership, Control, or Influence (FOCI) regulations to be eligible for facility security clearance or other clearances required to perform some government contracts. This article will discuss how FOCI is defined and the process for identifying whether your organization should have FOCI mitigation process.


By definition, a company needs to operate under FOCI whenever a foreign interest has the power – whether direct or indirect, whether or not exercised, and whether or not exercisable – to direct or decide matters affecting the management or operations of that company in a manner that may result in unauthorized access to classified information or may adversely affect the performance of classified contracts. When this occurs, the government will often determine that space needs to exist between the foreign owner and the U.S.-based entity whose performance of a federal contract puts them in contact with information deemed classified.



Factors Considered When Determining FOCI Status

The Defense Counterintelligence Security Agency (DCSA) uses the following factors relating to (1) a U.S. company performing a government contract, (2) the foreign interest with influence over the company in item one and (3) the government of the foreign interest reviewed in the aggregate in determining whether a company should be FOCI mitigated.


  • Foreign company’s record of economic and government espionage against U.S. targets.

  • Record of enforcement and/or engagement in unauthorized technology transfer.

  • The type and sensitivity of the information that shall be accessed.

  • The source, nature and extent of foreign ownership, control or influence.

  • Record of compliance with pertinent U.S. laws, regulations and contracts.

  • The nature of any bilateral and multilateral security and information exchange agreements that may pertain.

  • Ownership or control, either in whole or in part, by a foreign government.



Four-Phase Process of Evaluation

The DCSA will follow a four-phase process in determining whether a company should operate under FOCI mitigation. The process is outlined below.  


  1. Identification: The first phase of the FOCI process involves identifying potential instances of foreign ownership, control or influence within a domestic company. This may include conducting thorough due diligence to assess the ownership structure; identifying major shareholders, directors or officers with ties to foreign entities; and evaluating their influence over corporate decision-making processes. Government agencies, regulatory authorities and internal compliance teams will play key roles in identifying and assessing FOCI risks during this phase.

  2. Adjudication: Once potential instances of FOCI have been identified, the next phase involves adjudicating the risks and determining the appropriate mitigation measures. This may include conducting risk assessments, evaluating the severity of FOCI risks and determining the potential impact on national security interests.

  3. Mitigation: With FOCI risks adjudicated, the next phase involves implementing mitigation measures to address identified vulnerabilities and safeguard classified information assets.

  4. Review: The final phase of the FOCI process involves regular review and monitoring to ensure ongoing compliance with security protocols and the effectiveness of mitigation measures. This may include conducting regular security assessments, audits and inspections to verify compliance, identify any emerging risks or vulnerabilities and take proactive steps to address them promptly. 



Mitigation Process

Based on the evaluation results, the government will determine the mitigation level for the company to retain its security clearance. In most cases, a mitigation agreement will be implemented, establishing security protocols, restricting access to classified information and ensuring that foreign interests do not compromise security protocols. Depending on the level of ownership and control, some of those protocols can be: 


  1. Security Control Agreement (SCA) – This is the minimum level of mitigation that is imposed if a foreign shareholder is a member of the governing body or has the right to representation with the governing body.

  2. Special Security Agreement (SSA) – This is currently the most common method for mitigating foreign ownership or control. An SSA is the minimum-security agreement that may be imposed in cases of majority foreign ownership, and thus has more security restrictions than an SCA.

  3. Proxy Agreement (PA) - When the Defense Counterintelligence and Security Agency (DCSA) imposes a Proxy Agreement, or PA, as the FOCI action plan, the foreign owner maintains ownership of the company but relinquishes most of his or her rights of ownership.

  4. Voting Trust Agreement (VTA) - This is the most restrictive agreement in terms of the security measures imposed on the facility applying for a Facility Clearance (FCL). A VTA is similar in effect to a PA, but it goes beyond the transfer voting rights. In a VTA, the foreign owner transfers the actual ownership of the company rather than the controlling interest. The individuals to which ownership is transferred are referred to as Voting Trustees and must be approved by the U.S. government.



To learn more about FOCI rules and regulations, contact your Kentucky APEX Accelerator procurement consultant and use the resources below. You can request assistance from our team by contacting us at kyapex@kstc.com or registering as a client on our website



Resources:

Comments


bottom of page