What is Foreign Ownership, Control, or Influence (FOCI) & How Does it Impact Security Compliance?
Foreign Ownership, Control, or Influence (FOCI) is a status or situation in which a contractor with access to classified information has some foreign investment or association with foreign interest. It’s used by the Defense Counterintelligence and Security Agency (DCSA) to manage our national security interests without denying defense contractors, specifically those with foreign interests, access to contract opportunities and Facility Security Clearances (FCL).
FOCI helps protect the United States, its sensitive information, and classified contracts from potentially malicious entities and foreign adversaries. Those that fall under FOCI must follow action plans and processes to mitigate against risks that come with a foreign stake, such as political and military espionage or insider trading. Without resolving the risk factors involved in FOCI, defense contractors cannot receive an FCL and consequently — win defense contracts.
So what are the analysis factors of FOCI and how do you manage its compliance?
Factors of FOCI
As clarified by the National Industrial Security Program Operating Manual (NISPOM), the following factors involving the contractor and its foreign interest determine whether a company falls under FOCI status:
- Record of the contractor of espionage against entities in the U.S.
- Contractor history of conducting unauthorized technology transfers
- The information type and sensitivity that the contractor would access
- The source and extent to which FOCI applies to the contractor
- The compliance history of the contractor with U.S laws and regulations
- The scope of any bilateral and multilateral information exchange agreements that apply to the contractor
- The degree of ownership and management control of the contractor by a foreign government
Upon evaluation, in addition to determining whether or not FOCI applies, these factors are also used as determinants for the next steps in the compliance process the contractor will have to follow.
The FOCI Process
To be evaluated for foreign ownership or interest, contractors must submit Standard Form 328 (SF 328), commonly known as the Certificate Pertaining to Foreign Interests. This form not only identifies the scope of FOCI within a particular company but also helps analyze the types of agreements and other mitigation methods the firm can use to reduce its own risk.
The entire FOCI process consists of four major parts used by DCSA:
- Identification: FOCI status is discovered per information sent on the SF 328 form.
- Adjudication: Security measures to obtain an FCL are determined based on the degree and scope a firm falls under FOCI.
- Mitigation: The contractor puts specific agreements and controls in place to reduce FOCI-related risks.
- Review: The contractor is evaluated to ensure compliance with the mitigation measures.
Managing FOCI Compliance
Implementing mitigation instruments is one of the most essential components of managing foreign investment or control risks. These are legal security agreements imposed on contractors based on their FOCI status. Depending on the severity of foreign interest, one of five types of arrangements may apply:
- Board Resolution (BR): Agreement where foreign investors with no governing control are denied access to classified information.
- Security Control Agreement (SCA): Agreement where (minority) foreign owner(s) maintains ownership and control through an inside director BUT denied access to classified information.
- Special Security Agreement (SSA): Most common agreement where (majority) foreign owner(s) can maintain ownership and voting rights BUT through an inside director.
- Proxy Agreement (PA): Agreement where the foreign owner(s) can keep ownership of the business BUT must transfer voting rights to impartial individuals with no prior connection to either the owner or company.
- Voting Trust Agreement (VTA): Agreement in which a business’s foreign owner(s) must transfer ownership of the company to voting trustees.
In addition to the agreements, FOCI contractors must develop and implement technology control plans (TCPs). These address data security and access controls of classified information per the mitigation agreement. A TCP, typically managed by a Facility Security Officer (FSO), will outline solutions for physical, network, and online access to their systems.
Stay FOCI Compliant with MathCraft
The FOCI foreign ownership process is a necessity to protect our national security interests and allow contractors with all governance structures, both foreign and domestic, to obtain an FCL. Our integrated solutions can help you maintain a robust technology control plan to comply with a FOCI status.
Contact us today to learn more about how our suite of access, visitor, and portal management software help FSOs automate and organize their industrial-security compliance requirements to support NISPOM and FOCI requirements.