Solid partners. Flexible solutions

The Special Security Agreement (“SSA”)
Purpose, Governance Structure and Implementing Procedures
CATC All Hands – December 8, 2010

National Industrial Security Program (NISP) Guidance
• Govt policy: Allow foreign investment consistent with national security interests
  – Company determined to be under FOCI is ineligible for FCL absent security measures to negate or mitigate FOCI
  – “FOCI policy . . . is intended to facilitate foreign investment by ensuring that foreign firms cannot undermine U.S. security and export controls to gain unauthorized access to critical technology, classified information, and special classes of classified information.”
• Govt reserves right and has obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that . . .
  – Unauthorized access to classified information is effectively precluded (including ability to leverage others who have access)
  – Performance of classified contracts is not adversely affected

NISP Description of the Special Security Agreement (SSA)
• SSA is one of the potential FOCI mitigation measures. The others include a Board Resolution, Security Control Agreement, Voting Trust Agreement and Proxy Agreement.
• The SSA imposes various industrial security and export control measures within an institutionalized set of company practices and procedures
  – Preserves foreign owner’s right to be represented on the Board of Directors. The foreign owner’s member is called an INSIDE DIRECTOR.
    • Direct voice in business management of the company
    • While denying unauthorized access to classified and unclassified, export controlled information
  – NISP limitations on SSA
    • Provides for GSC – active involvement in security matters by Senior Management and Outside Directors (Inside Director cannot be member).
    • No access to proscribed information – absent determination that release to company will not harm national security (NID)
    • Additional company practices and procedures

SSA Governance Structure
• A legal entity the business of which is managed by a Board of Directors or equivalent Management Group or Committee.
  – Board composition – Three Outside Directors (Two with DSS authorized exception). Shareholders elect the members of Board of Directors.
    • At least 1 Inside Director; at least 1 Officer Director
    • Number of Inside Directors shall not equal or exceed the combined total number of Outside Directors and Officer Directors
    • Chairman shall not be Inside Director
  – Actions by majority vote
    • 1 Inside Director and 1 Outside Director necessary for quorum.
    • Proxy by an Outside Director can only be given to another Outside Director.
    • Contains no tie breaking language.
    • All Directors have normal fiduciary duties of a director: care, loyalty, business judgment, disclosure, confidentiality, risk and compliance oversight
  – Limitations
    • Certain actions require prior approval from the Parent
    • Parent may remove members of Board only in accordance with procedures set forth in SSA

Government Security Committee (GSC)
• Responsible for ensuring the requirements of the SSA, NISPOM and export procedures are followed; ensure the protection of classified and unclassified export controlled information.
  – Composition: all Outside Directors and cleared Officer Directors
  – Specific GSC duties
    • Ensure Company maintains policies and procedures to safeguard the classified and controlled information in its possession
      – Electronic communications
      – Contacts and visits
    • Ensure Company complies with . . .
      – DoD Security Agreement
      – SSA
      – Appropriate contract provisions regarding security
      – U.S. export laws
      – NISP (NISPOM)

Government Security Committee (GSC) – Specific GSC duties (continued)
• Oversee activities of Facility Security Officer (FSO) and Technology Control Officer (TCO)
• Monitor administrative services being provided by Parent/Affiliates
  – Ensure Company does not receive administrative services without DSS approval. DSS usually approves the following shared services:
    » Insurance benefits
    » Retirement plans
    » HR services but usually insists cleared company independently selects its employees without undue influence and control by foreign owners
    » Payroll services but pay is by cleared company.
  – Outside Directors ensure administrative services do not allow the Parent or Affiliates to control or influence the management or business of the Company in violation of the SSA
• Each member of GSC must exercise best efforts to . . .
  – Ensure all provisions of SSA are carried out
  – Ensure Company’s officers, directors and employees comply with SSA
  – Advise DSS of any known violation of, or attempt to violate, any provision of the SSA, appropriate contract provisions regarding security, export control laws or NISP

Foreign Owner Commitments
• Parent commits by resolution to . . .
  – Exclude themselves and Affiliates from access to protected info
  – Grant the Company independence to safeguard protected info
  – Refrain from taking any action to control or influence the performance of the Company’s classified contracts or its participation in classified programs

Institutionalized Set of Company Practices and Procedures
• Visits/meetings. Except for routine business visits, all visits must be approved in advance by one of the Outside Directors
  – Routine business visits
    • Made in connection with regular day-to-day business operations
    • Do not involve classified or controlled unclassified information
    • Pertain only to the commercial aspects of the business
  – Certain categories of routine business visits are identified in SSA and implementing procedures.
    GSC may add “specific categories” and alter categories – with DSS approval
• Electronic communications. “All Electronic Communications between Cleared company employees and representatives and the parent and its affiliates (collectively referred to as the Affiliates) must be monitored and recorded”
  – Email: Usually “captured” by software; sampled and reviewed by FSO/GSC. Often establish a firewall to “stop” e-mails or “provide copy to Outside Director(s) for review” and sometimes to actually “release”
  – Phone calls: logged (contact reports) and reviewed by FSO/GSC
  – Fax: collected and reviewed by FSO/GSC
• Training
  – Initial and ongoing training of personnel – certify as to understanding and commitment to comply
  – Parent/Affiliate: also need procedures, training and commitment to comply

Institutionalized Set of Company Practices and Procedures
• Inside Directors
  – Inside Directors not subject to the visitation restrictions, which apply to other representatives of the Affiliates.
    • No Outside Director review/approval required for visits by Inside Directors.
    • Not subject to visit controls if on-site to attend Board meeting (no entry into controlled areas)
    • However, must be escorted at all times while on-site – if not a U.S. citizen (???)
  – Emails, calls, etc. to/from Inside Director must be monitored and recorded – as with other Parent/Affiliate personnel
  – Foreign owner’s voice in management must be exercised through participation on Board of Directors. Inside Director has an equal vote to other Directors.
    • Board is principal forum for foreign owner’s input regarding business. Inside Director must not take on the role of an “officer”, “Consultant” or “employee” of cleared company.
    • Input should be consistent with normal Director activity – i.e., generally, it is inappropriate for Inside Director to seek to direct day-to-day business affairs of Company
    • Inside Director may have additional input – consistent with Visitation Policy and ECP

Institutionalized Set of Company Practices and Procedures
• Senior officials and Non-Routine Visits
  – Recent SSAs usually indicate that visits by Officer(s) and Director(s) are not to be treated as “routine business”.
  – Most authorities agree that a visit with an Officer or Director of a Parent or Affiliate cannot be characterized as a Routine Visit regardless of whether the purpose of such a visit corresponds to one of the categories of routine visits.
  – All companies that I am familiar with have visits between cleared company and the Affiliates processed as non-routine and approved by an Outside Director.

The Electronic Communications Plan (ECP)
• The ECP is submitted to and approved by DSS. Enter into E-FCL.
• All employees, consultants or representatives of the cleared company are briefed on and annually re-briefed on the ECP. Such personnel sign an acknowledgement that they received a briefing, understand the briefing and will comply. I recommend you give them a copy of the ECP and during self-inspections check to determine if they have a soft or hard copy readily available.
• Other companies post the ECP, TCP and Operating Agreement (SOP) on their web site with other “policies” and “procedures”.

The 2012 DSS FOCI Branch FOCI Statistics
• Provided by Steve Linquist from the DSS FOCI Branch.
• FY 2012, DSS has conducted 8,575 security vulnerability assessments.
  – 299 of which were FOCI signatories
  – 398 of which were FOCI non-signatories
• FOCI Signatory Compliance Breakdown:
  – 63.9% rated Satisfactory
  – 19.1% rated Commendable
  – 16.1% rated Superior
  – 1.0% rated Marginal or Unsatisfactory
• FOCI Non-Signatory Compliance Breakdown:
  – 37.7% rated Satisfactory
  – 32.4% rated Commendable
  – 28.9% rated Superior
  – 1.0% rated Marginal or Unsatisfactory

The 2012 DSS FOCI Branch FOCI Statistics (non-FOCI)
• FY 2012, DSS has conducted 8,575 security vulnerability assessments.
  – 7,844 of which were non-FOCI facilities
• Non-FOCI Compliance Breakdown:
  – 78.2% rated Satisfactory
  – 14.9% rated Commendable
  – 6.5% rated Superior
  – 0.4% rated Marginal or Unsatisfactory

Questions ??