WIXLIB

rmajette on DSK3VPTVN1PROD with CFR§ 117.5532 CFR Ch. I (7–1–14 Edition)to such a degree that the granting ofan FCL would be inconsistent with theU.S. national security interests.(4) Determine the security measuresnecessary to negate or mitigate FOCIand make recommendations to the U.S.company and to those GCAs with acontractual interest or other equity inthe matter.(5) Provide GCAs a guide to clarifytheir roles and responsibilities with respect to the FOCI process and to national interest determinations (NIDs),in particular. Update the guide, asneeded, in coordination with the Officeof the Under Secretary of Defense forIntelligence (OUSD(I)) Security Directorate.(6) Determine a U.S. company’s eligibility for an FCL on an initial and continuing basis depending on recurringsecurity reviews and other interactions.(7) Develop proposed changes tomaintain the currency and effectiveness of this part. Forward proposedchanges and associated justification tothe OUSD(I) Security Directorate forconsideration as future changes to thispart.(8) Consider and, as warranted, approve requests for exception to DoD5220.22–M in consultation with affectedGCAs for specific contractors and forspecific periods of time (such as, to thecompletion date of a contract) when acontractor is unable to comply withthe requirements of DoD 5220.22–M.Consideration of such requests will include an evaluation of any proposed alternative procedures with supportingjustification and coordination as applicable, consistent with paragraph (a)(4)of this section.(9) Coordinate and receive the concurrence of the OUSD(I) Security Directorate on requests for exception toDoD 5220.22–M and consistent withparagraph (a)(4) of this section whenany of the following provisions apply:(i) The request exceeds the authorityof the Director, DSS as defined in thissection;(ii) The proposed exception applies tomore than one contractor location; or,(iii) The exception would be contraryto U.S. national policy or internationalagreements, including those relating toforeign government information (FGI)and international issues under the cognizance of the USD(P) with coordination as applicable, consistent withparagraph (a)(4) of this section.(c) The USD(P) will, in accordancewith DoD Directive 5111.1, ‘‘Under Secretary of Defense for Policy (USD(P))’’(available at 01p.pdf),advisethe USD(I) and DSS on the foreign relations and international security aspects of FOCI, including FGI, foreigndisclosures of U.S. classified information, exports of defense articles andtechnical data, security arrangementsfor DoD international programs, NorthAtlantic Treaty Organization security,and international agreements.(d) The USD(AT&L) will, in accordance with DoD Directive 5134.01,‘‘Under Secretary of Defense for � (available at 01p.pdf):(1) Advise the USD(I) on the development and implementation of NISPpolicies, in accordance with DoD Instruction 5220.22.(2) Ensure that DoD Components establish and maintain a record capturing the current and legitimate needfor access to classified information bycontractors in the Defense IndustrialBase.(3) Ensure that acquisition elementsof DoD Components comply with theapplicable provisions of DoD 5220.22–M.(e) The Director, DoD SAP CentralOffice (SAPCO) will, in accordancewith DoD Directive 5205.07, ‘‘SpecialAccess Program (SAP) Policy’’ (available at 07p.pdf), notify DSS of theexistence of SAP equities when DSSconsiders the acceptability of a contractor’s FOCI action plan. In addition,the Director, DoD SAPCO, will developprocedures for the consideration of aNID when a contractor cleared under aSpecial Security Agreement (SSA) requires access to an unacknowledgedSpecial Access Program (SAP).(f) The Heads of the Components will:(1) Oversee compliance by GCA personnel with applicable procedures identified in this subpart.(2) Designate in writing an individualwho is authorized to make decisions672VerDate Sep 11 201413:30 Oct 08, 2014Jkt 232129PO 00000Frm 00682Fmt 8010Sfmt 8010Y:\SGML\232129.XXX232129

Office of the Secretary of Defense§ 117.56rmajette on DSK3VPTVN1PROD with CFRand provide a coordinated GCA position on FOCI matters to DSS withintimelines established in this part.(3) Submit proposed changes to DoD5220.22–M, as deemed appropriate, tothe OUSD(I) Security Directorate.§ 117.56 Foreign ownership, control orinfluence (FOCI).(a) General. This section providesguidance for and establishes proceduresconcerning the initial or continuedFCL eligibility of U.S. companies andU.S. contractors with foreign involvement; provides criteria for determiningwhether U.S. companies are underFOCI; prescribes responsibilities inFOCI matters; and outlines securitymeasures that DSS may consider tomitigate or negate the effects of FOCIto an acceptable level. As stated inDoD 5220.22–M, and in accordance withE.O. 12829:(1) The Secretary of Defense serves asthe Executive Agent for inspecting andmonitoring contractors who require orwill require access to, or who store orwill store classified information.(2) The Components reserve the discretionary authority, and have the obligation, to impose any security procedure, safeguard, or restriction they believe necessary to ensure that unauthorized access to classified information is effectively precluded and thatperformance of classified contracts, asdefined in DoD 5220.22–M, is not adversely affected by FOCI.(b) Procedures — (1) Criteria. A U.S.company is considered to be underFOCI whenever a foreign interest hasthe power, direct or indirect (whetheror not exercised, and whether or notexercisable through the ownership ofthe U.S. company’s securities, by contractualarrangementsorothermeans), to direct or decide matters affecting the management or operationsof the company in a manner that mayresult in unauthorized access to classified information or may adversely affect the performance of classified contracts.(2) FOCI Analysis. Conducting ananalysis of available information on acompany to determine the existence,nature, and source of FOCI is a criticalaspectofevaluatingpreviouslyuncleared companies for FCLs and alsoin determining continued eligibility ofcontractors for FCLs.(i) A U.S. company determined to beunder FOCI is ineligible for an FCL unless and until security measures havebeen put in place to mitigate FOCI.(ii) In making a determination as towhether a company is under FOCI, DSSwill consider the information providedby the company or its parent entity onthe Standard Form (SF) 328, ‘‘Certificate Pertaining to Foreign Interests,’’(available at forms/sf0328.pdf)and any other relevant information(e.g., filings with the Securities andExchange Commission (for publiclytraded companies), articles of incorporation, by-laws, and loan and shareholder agreements, as well as otherpublicly available information aboutthe company. Depending on specificcircumstances (e.g., extensive minorityforeign ownership at a cleared subsidiary in the corporate family), DSSmay request one or more of the legalentities that make up a corporate family to submit individual SF 328s andwill determine the appropriate FOCIaction plan(s) that must be put inplace.(iii) When a contractor has been determined to be under FOCI, the primary consideration will be the safeguarding of classified information. DSSis responsible for taking whatever interim action is necessary to safeguardclassified information, in coordinationwith other affected agencies as appropriate consistent with § 117.54.(iv) When a merger, sale, or acquisition involving a foreign interest and acontractor is finalized prior to havingan acceptable FOCI mitigation or negation agreement in place, DSS will invalidate any existing FCL until suchtime as DSS determines that the contractor has submitted an acceptableFOCI action plan (see DoD 5220.22–M)and has agreed to interim measuresthat address FOCI concerns pendingformal execution of a FOCI mitigationor negation agreement. Invalidationrenders the contractor ineligible to receive new classified material or to bidon new classified contracts. If the affected GCA determines that continuedaccess to classified material is required, DSS may continue the FCL in673VerDate Sep 11 201413:30 Oct 08, 2014Jkt 232129PO 00000Frm 00683Fmt 8010Sfmt 8010Y:\SGML\232129.XXX232129

rmajette on DSK3VPTVN1PROD with CFR§ 117.5632 CFR Ch. I (7–1–14 Edition)an invalidated status when there is noindication that classified informationis at risk of compromise. If classifiedinformation remains at risk of compromise due to the FOCI, DSS will takeaction to impose appropriate securitycountermeasures or terminate theFCL, in coordination with the affectedGCA.(v) Changed conditions, such as achange in ownership, indebtedness, or aforeign intelligence threat, may justifycertain adjustments to the securityterms under which a contractor iscleared or, alternatively, require theuse of a particular FOCI mitigation ornegation agreement. Depending on specific circumstances, DSS may determine that a contractor is no longerunder FOCI or, conversely, that a contractor is no longer eligible for an FCL.(vi) If the contractor determined tobe under FOCI does not have possessionof classified material and does not havea current or pending requirement foraccess to classified information, DSSwill administratively terminate theFCL.(3) Assessing the Implications of FOCI.(i) If DSS determines that a companyis under FOCI, DSS will assess the extent and manner to which the FOCImay result in unauthorized access toclassified information or adverse impact on the performance of classifiedcontracts and the type of actions, ifany, that would be necessary to mitigate or negate the associated risks to alevel deemed acceptable to DSS. Ananalysis of some of the FOCI factorsmay clearly identify risk; while othersmay result in circumstances thatwould mitigate or negate risks. Therefore, these factors must be consideredin the aggregate with regard to the foreign interest that is the source of theFOCI, the country or countries inwhich the foreign interest is domiciledand has its principal place of business(if not in the country of domicile), andany other foreign country that is identified by DSS because it is a substantial source of the revenue for, or otherwise has significant ties to, the foreigninterest. DSS will consider the following FOCI factors and any other relevant information in the context ofthreat, vulnerability, and sensitivity ofthe classified information required forcurrent or prospective contract performance when rendering a risk management assessment and determinationof the acceptability of a company’sFOCI action plan:(A) Record of economic and government espionage against U.S. targets.(B) Record of enforcement and/or engagement in unauthorized technologytransfer.(C) Record of compliance with pertinent U.S. laws, regulations, and contracts.(D) The type and sensitivity of theinformation that will be accessed.(E) The source, nature, and extent ofFOCI, including, but not limited to,whether a foreign interest holds a majority or substantial minority positionin the company, taking into consideration the immediate, intermediate, andultimate parent companies of the company or prior relationships between theU.S. company and the foreign interest.(F) The nature of any relevant bilateral and multilateral security and information exchange agreements, (e.g.,the political and military relationshipbetween the United States Government(USG) and the government of the foreign interest).(G) Ownership or control, in whole orin part, by a foreign government.(H) Any other factor that indicatesor demonstrates a capability on thepart of foreign interests to control orinfluence the operations or management of the business organization concerned.(ii) As part of its FOCI assessmentand evaluation of any FOCI actionplan, DSS will also request and consider counterintelligence (CI) and technology transfer risk assessments andany available intelligence from all appropriate USG sources. DSS will request these assessments as soon aspracticable, for the company itself andfor all business entities in the company’s ownership chain.(iii) If a company disputes a DSS determination that the company is underFOCI, or disputes the DSS determination regarding the types of actions necessary to mitigate or negate the FOCI,the company may appeal in writingthose determinations to the Director,DSS, for a final agency decision no674VerDate Sep 11 201413:30 Oct 08, 2014Jkt 232129PO 00000Frm 00684Fmt 8010Sfmt 8010Y:\SGML\232129.XXX232129

rmajette on DSK3VPTVN1PROD with CFROffice of the Secretary of Defense§ 117.56later than 30 days after receipt of written notification of the DSS decision.The company must identify the specific relief sought and grounds for thatrelief in its appeal. In response, the Director, DSS, may request additional information from the company. At aminimum, DSS will respond to appealswithin 30 days, either with a decisionor an estimate as to when a decisionwill be rendered. DSS will not releasepre-decisional information to the company, its legal counsel, or any of itsrepresentatives without the expresswritten approval of the applicableGCAs who own the data and any otherUSG entities with an interest in thecompany’s FOCI action plan.(iv) DoD recognizes that FOCI concerns may arise in a variety of othercircumstances, all of which cannot belisted in this subpart. In FOCI cases involving any foreign ownership or control, DSS will advise and consult withthe appropriate GCAs, including thosewith special security needs, regardingthe required FOCI mitigation or negation method and provide those GCAswith the details of the FOCI factorsand any associated risk assessments.DSS and GCAs will meet to discuss theFOCI action plan, when determinednecessary by either DSS or the applicable GCAs. When DSS determines that acompany may be ineligible for an FCLby virtue of FOCI, or that additionalaction by the company may be necessary to mitigate the FOCI or associated risks, DSS will promptly notifythe company and require it to submit aFOCI action plan to DSS within 30 calendar days of the notification. In addition, DSS will advise company management that failure to submit the requested plan within the prescribed period of time will result in terminationof FCL processing or initiation of action to revoke an existing FCL, as applicable.(v) In instances where the identification of a foreign owner or voting interest of five percent or more cannot beadequately ascertained (e.g., the participating investors in a foreign investment or hedge fund, owning five percent or more of the company, cannotbe identified), DSS may determine thatthe company is not eligible for an FCL.(vi) DSS will review and consider theFOCI action plan itself, the factorsidentified in paragraph (b)(3)(i) of thissection, and any threat or risk assessments or other relevant information. Ifan action plan is determined to be unacceptable, DSS can recommend andnegotiate an acceptable action plan including, but not limited to, the measures identified in paragraphs (b)(4)(ii)and (b)(4)(iii) of this section. In anyevent, DSS will provide written feedback to a company or the company’sdesignated representative on the acceptability of the FOCI action planwithin 30 calendar days of receipt.(4) Options To Address FOCI. (i) Underall FOCI action plans, management positions requiring PCLs in conjunctionwith the FCL must be filled by eligibleU.S. citizens residing in the UnitedStates in accordance with DoD 5220.22–M.(ii) When factors related to foreigncontrol or influence are present, butunrelated to ownership, the plan mustprovide positive measures that assurethat the foreign interest can be effectively denied access to classified information and cannot otherwise adverselyaffect performance on classified contracts. Non-exclusive examples of suchmeasures include:(A) Adoption of special board resolutions.(B) Assignment of specific oversightduties and responsibilities to independent board members.(C) Formulation of special executivelevel security committees to considerand oversee matters that affect theperformance of classified contracts.(D) The appointment of a technologycontrol officer.(E) Modification or termination ofloan agreements, contracts, and otherunderstandings with foreign interests.(F) Diversification or reduction offoreign-source income.(G) Demonstration of financial viability independent of foreign interests.(H) Elimination or resolution of problem debt.(I) Physical or organizational separation of the contractor component performing on classified contracts.(J) Other actions that negate or mitigate foreign control or influence.675VerDate Sep 11 201413:30 Oct 08, 2014Jkt 232129PO 00000Frm 00685Fmt 8010Sfmt 8010Y:\SGML\232129.XXX232129

rmajette on DSK3VPTVN1PROD with CFR§ 117.5632 CFR Ch. I (7–1–14 Edition)(iii) FOCI concerns related to foreignownership of a company or corporatefamily arise when a foreign interesthas the ability, either directly or indirectly, whether exercised or exercisable, to control or influence theelection or appointment of one or moremembers to the company’s governingboard (e.g., Board of Directors, Boardof Managers, or Board of Trustees) orits equivalent, by any means. Somemethods that may be applied to mitigate the risk of foreign ownership areoutlined in DoD 5220.22–M and furtherdescribed in this section. While thesemethods are mentioned in relation tospecific ownership and control thresholds, these descriptions should not beconstrued as DoD-sanctioned criteriamandating the selection or acceptanceof a certain FOCI action plan. DSS retains the authority to reject or modifyany proposed FOCI action plan in consultation with the affected GCAs.(A) Board Resolution. This method isoften used when a foreign interest doesnot own voting interests sufficient toelect, or otherwise is not entitled torepresentation on the company’s governing board. In such circumstances,the effects of foreign ownership willgenerally be mitigated by a resolutionof the board of directors stating thecompany recognizes the elements ofFOCI and acknowledges its continuingobligations

PART 117—NATIONAL INDUSTRIAL SECURITY PROGRAM Subparts A-B [Reserved] Subpart C—Procedures for Government Activities Relating to Foreign Owner-ship, Control or Influence (FOCI) Sec. 117.51 Purpose. 117.52 Applicability. 117.53 Definitions. 117.54 Policy. 117.55 Responsibilities. 117.56 Foreign ownership, control or influ-ence (FOCI).