Section Six: Foreign Ownership, Control, or Influence (FOCI) Requirements

Note: All classified markings contained within this presentation are for training purposes only.

Foreign Ownership, Control, or Influence (FOCI) Indicators

• A U.S. company is under FOCI when
  – A foreign interest has the power, whether or not exercised, to direct or decide matters affecting the management or operations of the company
    • This may result in unauthorized access to classified information or may adversely affect performance of classified contracts
• Indicators include
  – Substantial foreign holdings of company stock
    • > 5% of the ownership interests
    • > 10% of the voting interest
  – Existence of foreign subsidiaries
  – Foreign corporate officers or board directors
  – Contractual agreements with foreign sources
  – Foreign debts/income
  – Shared corporate officers or board directors

Foreign Ownership, Control, or Influence (FOCI) Business Impact

• If a defense contractor is determined to be under FOCI:
  – The Defense Security Service (DSS) takes immediate action to safeguard classified information
  – Contractor is not eligible for a new facility clearance until FOCI review
  – Existing facility clearance can continue if DSS sees no risk of compromise
  – Existing facility clearance will be revoked if security measures inadequate
• If a contractor does not currently possess, or have a current/impending requirement for access to classified information, their facility clearance is administratively terminated
• The U.S. Government can impose any security methods it deems necessary to protect classified information

Foreign Ownership, Control, or Influence (FOCI) Mitigation Requirements and Objectives

• Requirements
  – U.S. companies that have some degree of foreign ownership or control must develop and implement a mitigation plan
  – FOCI mitigation requires the company to develop a plan to control or deny access to technical information by the foreign entity
  – The U.S. Government and the contractor have to concur on the mitigation plan
• Objectives
  – To protect classified and export-controlled information
  – To recognize and assess the influence and direction exerted by the foreign parent (and/or foreign government)
  – To develop and to put into effect remedies when foreign influence may be adverse to U.S. national security interests

Foreign Ownership, Control, or Influence (FOCI) Mitigation Requirements and Objectives (cont.)

• Mitigation enables U.S. contractors to perform on classified programs with provisions in place to
  – Negate foreign influence over that company
  – Deny the foreign entity access to classified or export-controlled data
• Defense Security Service (DSS) permits mitigation through one of the following:
  – Board Resolution
  – Proxy Agreement and Voting Trust Agreement
  – Security Control Agreement (SCA) and Special Security Agreement (SSA)
  – Technology Control Plan (TCP) and Electronic Communications Plan (ECP)

Foreign Ownership, Control, or Influence (FOCI) Mitigation Instruments

• Board Resolution
  – Used when the foreign entity does not own voting stock sufficient to elect a representative to the company's governing board
• Proxy Agreement (PA) and Voting Trust Agreement (VTA)
  – Used when a cleared company is owned or controlled by a foreign entity
    • Both agreements are substantially identical whereby the voting rights of the foreign owned stock are vested in cleared US citizens approved by the Federal Government (DSS)
    • Neither arrangement imposes any restrictions on the company's eligibility to have access to classified information or to compete for classified contracts
• Security Control Agreement (SCA)
  – Used when the cleared company is not effectively owned or controlled by a foreign entity and the foreign interest is entitled to representation on the company's governing board
    • There are no access limitations under an SCA

Foreign Ownership, Control, or Influence (FOCI) Mitigation Instruments (cont.)

• Special Security Agreement (SSA)
  – Used when a company is effectively owned or controlled by a foreign entity
  – SSA has access limitations
  – Allows foreign owned U.S. companies to win and work on classified contracts
  – The SCA and SSA are substantially identical arrangements that:
    • Require specific organization of the U.S. company (board, security committee, etc.)
    • Are designed to manage contact between the cleared company and its parent and affiliates
    • Grant security clearance to specific sites and employees for classified U.S. projects

Foreign Ownership, Control, or Influence (FOCI) Mitigation Instruments (cont.)

• Technology Control Plan (TCP)
  – A plan developed and implemented to prescribe security measures necessary to reasonably foreclose the possibility of unauthorized or inadvertent access by any foreign person to information for which they are not authorized
  – The documentation that results from the collaborative process of site functions creating a written plan to manage the presence of foreign nationals in the workplace
  – Reinforces workplace awareness and education
  – Identification of physical and electronic controls
  – Established Audits/Checking
  – Serves as evidence to U.S. Government
  – Addresses where foreign nationals can and cannot go, who will escort them, how they will access information they need, what pre-authorizations are in place
• A TCP must be in place when:
  – Non-U.S. persons are hired as employees in accordance with applicable laws
  – A non-U.S. person visits for three weeks or longer
  – A program involves non-U.S. customers who frequent or are assigned to a cleared site

Foreign Ownership, Control, or Influence (FOCI) Mitigation Instruments (cont.)

• Electronic Communications Plan (ECP)
  – Required by DSS for FOCI companies
  – Describes the oversight of communications between contractor personnel and the foreign owner and/or affiliates
  – Intended to deter and detect undue influence by the foreign owner/affiliates over management affairs or unauthorized attempts to access classified information or export controlled technology
  – For non-classified networks
  – A network description will be included and contain
    • All electronic communication mediums including but not limited to, personal/network firewalls, remote administration, monitoring, maintenance, and separate email servers (as appropriate)
    • The scope will include all communications including telephone, teleconference, video conferences, facsimile, cell phones, PDAs and all computer communication including emails and server access
    • Video conferencing shall be treated as a visit under the visitation requirements of the FOCI mitigation agreement
  – Controls will be looked at during your annual DSS Inspection