FOCI - jsac

The Special Security Agreement (“SSA”)
Purpose, Governance Structure and Implementing Procedures
CATC All Hands – December 8, 2010
National Industrial Security Program (NISP) Guidance
• Govt policy: Allow foreign investment consistent with national
security interests
– Company determined to be under FOCI is ineligible for FCL absent
security measures to negate or mitigate FOCI
– “FOCI policy . . . is intended to facilitate foreign investment by ensuring
that foreign firms cannot undermine U.S. security and export controls to
gain unauthorized access to critical technology, classified information,
and special classes of classified information.”
• Govt reserves right and has obligation to impose any security
method, safeguard, or restriction it believes necessary to
ensure that . . .
– Unauthorized access to classified information is effectively precluded
(including ability to leverage others who have access)
– Performance of classified contracts is not adversely affected
NISP Description of the Special Security Agreement (SSA)
• SSA is one of the potential FOCI mitigation measures. The others include a
Board Resolution, Security Control Agreement, Voting Trust Agreement and
Proxy Agreement.
• The SSA imposes various industrial security and export control
measures within an institutionalized set of company practices
and procedures
– Preserves foreign owner’s right to be represented on the Board of
Directors. The foreign owner’s member is called an INSIDE DIRECTOR.
• Direct voice in business management of the company
• While denying unauthorized access to classified and unclassified, export
controlled information
– NISP limitations on SSA
• Provides for GSC – active involvement in security matters by Senior
Management and Outside Directors (Inside Director cannot be a member).
• No access to proscribed information – absent determination that release
to company will not harm national security (NID)
• Additional company practices and procedures
SSA Governance Structure
• A legal entity the business of which is managed by a Board of
Directors or equivalent Management Group or Committee.
– Board composition – Three Outside Directors (Two with DSS authorized
exception). Shareholders elect the members of Board of Directors.
• At least 1 Inside Director; at least 1 Officer Director
• Number of Inside Directors shall not equal or exceed the combined total
number of Outside Directors and Officer Directors
• Chairman shall not be Inside Director
– Actions by majority vote
• 1 Inside Director and 1 Outside Director necessary for quorum.
• Proxy by an Outside Director can only be given to another Outside Director.
• Contains no tie breaking language.
• All Directors have normal fiduciary duties of a director: care, loyalty,
business judgment, disclosure, confidentiality, risk and compliance
oversight
– Limitations
• Certain actions require prior approval from the Parent
• Parent may remove members of Board only in accordance with procedures
set forth in SSA
Government Security Committee (GSC)
• Responsible for ensuring that the requirements of the SSA, NISPOM and
export procedures are followed, and for ensuring the protection of
classified and unclassified export controlled information.
– Composition: all Outside Directors and cleared Officer Directors
– Specific GSC duties
• Ensure Company maintains policies and procedures to safeguard the
classified and controlled information in its possession
– Electronic communications
– Contacts and visits
• Ensure Company complies with . . .
– DoD Security Agreement
– SSA
– Appropriate contract provisions regarding security
– U.S. export laws
– NISP (NISPOM)
Government Security Committee (GSC)
– Specific GSC duties (continued)
• Oversee activities of Facility Security Officer (FSO) and Technology Control
Officer (TCO)
• Monitor administrative services being provided by Parent/Affiliates
– Ensure the Company does not receive administrative services without DSS
approval. DSS usually approves the following shared services:
» Insurance benefits
» Retirement plans
» HR services, but DSS usually insists that the cleared company independently
selects its employees without undue influence and control by foreign owners
» Payroll services, but pay is by the cleared company.
– Outside Directors ensure administrative services do not allow the Parent or
Affiliates to control or influence the management or business of the
Company in violation of the SSA
• Each member of GSC must exercise best efforts to . . .
– Ensure all provisions of SSA are carried out
– Ensure Company’s officers, directors and employees comply with SSA
– Advise DSS of any known violation of, or attempt to violate, any provision of
the SSA, appropriate contract provisions regarding security, export control
laws or NISP
Foreign Owner Commitments
• Parent commits by resolution to . . .
– Exclude themselves and Affiliates from access to protected info
– Grant the Company independence to safeguard protected info
– Refrain from taking any action to control or influence the performance
of the Company’s classified contracts or its participation in classified
programs
Institutionalized Set of Company Practices and Procedures
• Visits/meetings. Except for routine business visits, all visits must be
approved in advance by one of the Outside Directors
– Routine business visits
• Made in connection with regular day-to-day business operations
• Do not involve classified or controlled unclassified information
• Pertain only to the commercial aspects of the business
– Certain categories of routine business visits are identified in SSA and
implementing procedures. GSC may add “specific categories” and alter
categories – with DSS approval
• Electronic communications. “All Electronic Communications between
Cleared company employees and representatives and the parent and its
affiliates (collectively referred to as the Affiliates) must be monitored and
recorded”
– Email: Usually “captured” by software; sampled and reviewed by FSO/GSC.
Often a firewall is established to “stop” e-mails, or to “provide a copy” to
Outside Director(s) for review and sometimes to actually “release” them.
– Phone calls: logged (contact reports) and reviewed by FSO/GSC
– Fax: collected and reviewed by FSO/GSC
• Training
– Initial and ongoing training of personnel – certify as to understanding and
commitment to comply
– Parent/Affiliate: also need procedures, training and commitment to comply
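As an added illustration (my example, not code from the slides or from any SSA or ECP text), the handling described above for Affiliate e-mail can be written as a small routing check: every message to or from a configured Affiliate domain is recorded, one in N of those is queued for FSO/GSC sample review, and any message matching a flag rule is held for Outside Director review before release. The Affiliate domains, flag terms and sampling rate are assumed placeholders; a real ECP would define them.

```python
from dataclasses import dataclass

@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: list
    subject: str
    body: str

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()   # lower-cased domain part of an address

class EcpRouter:
    def __init__(self, affiliate_domains, flag_terms, sample_rate=10):
        self.affiliate_domains = {d.lower() for d in affiliate_domains}
        self.flag_terms = tuple(t.lower() for t in flag_terms)
        self.sample_rate = sample_rate  # 1 in N Affiliate messages goes to FSO/GSC sampling
        self.seen = 0                   # Affiliate messages seen so far; drives the sampling
        self.record = []                # the monitored-and-recorded copies the ECP requires

    def involves_affiliate(self, msg):
        return any(_domain(a) in self.affiliate_domains for a in [msg.sender, *msg.recipients])

    def route(self, msg):
        """Return (disposition, flagged_terms): deliver (no Affiliate), record (recorded and
        delivered), sample (FSO/GSC review queue) or hold (Outside Director review first)."""
        if not self.involves_affiliate(msg):
            return "deliver", []
        self.seen += 1
        self.record.append((msg.msg_id, msg.sender, tuple(msg.recipients)))
        text = f"{msg.subject}\n{msg.body}".lower()
        hits = [t for t in self.flag_terms if t in text]
        if hits:                                  # the flag rule wins over sampling
            return "hold", hits
        if self.seen % self.sample_rate == 0:
            return "sample", []
        return "record", []

def demo():
    """Constructed sample traffic (placeholder domains); returns dispositions and record size."""
    router = EcpRouter(["parent.example"], ["classified", "export controlled"], sample_rate=2)
    traffic = [
        Message("1", "alice@cleared.example", ["bob@cleared.example"], "Lunch", "Noon?"),
        Message("2", "alice@cleared.example", ["cfo@parent.example"], "Q4 numbers", "Revenue is up."),
        Message("3", "cfo@PARENT.example", ["alice@cleared.example"], "Schedule", "Send the classified schedule."),
        Message("4", "alice@cleared.example", ["cfo@parent.example"], "Re: Q4", "Will do."),
        Message("5", "alice@cleared.example", ["hr@parent.example"], "Benefits", "Form attached."),
    ]
    return [router.route(m)[0] for m in traffic], len(router.record)
```

The counter-based sampling is deliberate: it is reproducible at self-inspection time, whereas random sampling leaves the FSO unable to show why a given message was or was not reviewed.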
Institutionalized Set of Company Practices and Procedures
• Inside Directors
– Inside Directors not subject to the visitation restrictions, which apply to
other representatives of the Affiliates.
• No Outside Director review/approval required for visits by Inside Directors.
• Not subject to visit controls if on-site to attend Board meeting (no entry into
controlled areas)
• However, must be escorted at all times while on-site – if not a U.S. citizen (???)
– Emails, calls, etc. to/from Inside Director must be monitored and recorded –
as with other Parent/Affiliate personnel
– Foreign owner’s voice in management must be exercised through
participation on the Board of Directors. Inside Directors have an equal vote to
other Directors.
• Board is principal forum for foreign owner’s input regarding business. Inside
Director must not take on the role of an “officer”, “Consultant” or “employee” of
cleared company.
• Input should be consistent with normal Director activity – i.e., generally, it is
inappropriate for Inside Director to seek to direct day-to-day business affairs of
Company
• Inside Director may have additional input – consistent with Visitation Policy and
ECP
Institutionalized Set of Company Practices and Procedures
• Senior officials and Non-Routine Visits
– Recent SSAs usually indicate that visits by Officer(s) and Director(s) are not
to be treated as “routine business”.
– Most authorities agree that a visit with an Officer or Director of a Parent or
Affiliate cannot be characterized as a Routine Visit regardless of whether
the purpose of such a visit corresponds to one of the categories of routine
visits.
– At all companies that I am familiar with, visits between the cleared company
and the Affiliates are processed as non-routine and approved by an Outside
Director.
The Electronic Communications Plan (ECP)
• The ECP is submitted to and approved by DSS. Enter into E-FCL.
• All employees, consultants or representatives of the cleared
company are briefed on and annually re-briefed on the ECP. Such
personnel sign an acknowledgment that they received a briefing,
understand the briefing and will comply. I recommend you give
them a copy of the ECP and during self-inspections check to
determine if they have a soft or hard copy readily available.
• Other companies post the ECP, TCP and Operating Agreement
(SOP) on their web site with other “policies” and “procedures”.
The 2012 DSS FOCI Branch FOCI Statistics
• Provided by Steve Linquist from the DSS FOCI Branch.
• In FY 2012, DSS conducted 8,575 security vulnerability assessments.
– 299 of which were FOCI signatories
– 398 of which were FOCI non-signatories
• FOCI Signatory Compliance Breakdown:
– 63.9% rated Satisfactory
– 19.1% rated Commendable
– 16.1% rated Superior
– 1.0% rated Marginal or Unsatisfactory
• FOCI Non-Signatory Compliance Breakdown:
– 37.7% rated Satisfactory
– 32.4% rated Commendable
– 28.9% rated Superior
– 1.0% rated Marginal or Unsatisfactory
The 2012 DSS FOCI Branch FOCI Statistics (non-FOCI)
• In FY 2012, DSS conducted 8,575 security
vulnerability assessments.
– 7,844 of which were non-FOCI facilities
• Non-FOCI Compliance Breakdown:
– 78.2% rated Satisfactory
– 14.9% rated Commendable
– 6.5% rated Superior
– 0.4% rated Marginal or Unsatisfactory
Questions
??