Foreign Ownership, Control, or Influence (FOCI) - NCMS

Report
Section Six:
Foreign Ownership, Control, or Influence (FOCI)
Requirements
Note: All classified markings contained within this presentation are for training purposes only.
Foreign Ownership, Control, or Influence (FOCI)
Indicators
•
A U.S. company is under FOCI when
– A foreign interest has the power, whether or not exercised, to direct or
decide matters affecting the management or operations of the
company
 This may result in unauthorized access to classified information or may
adversely affect performance of classified contracts
•
Indicators include
– Substantial foreign holdings of company stock
• > 5 % of the ownership interests
• > 10% of the voting interest
– Existence of foreign subsidiaries
– Foreign corporate officers or board directors
– Contractual agreements with foreign sources
– Foreign debts/income
– Shared corporate officers or board directors
Foreign Ownership, Control, or Influence (FOCI)
Business Impact
•
If a defense contractor is determined to be under FOCI:
– The Defense Security Service (DSS) takes immediate action
to safeguard classified information
– Contractor is not eligible for a new facility clearance until
FOCI review
– Existing facility clearance can continue if DSS sees no risk of
compromise
– Existing facility clearance will be revoked if security
measures inadequate
•
If a contractor does not currently possess, or have a
current/impending requirement for access to classified
information, their facility clearance is administratively
terminated
•
The U.S. Government can impose any security methods it
deems necessary to protect classified information
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Requirements and Objectives
•
Requirements
– U.S. companies that have some degree of foreign ownership or
control must develop and implement a mitigation plan
– FOCI mitigation requires the company to develop a plan to
control or deny access to technical information by the foreign
entity
– The U.S. Government and the contractor have to concur on the
mitigation plan
•
Objectives
– To protect classified and export-controlled information
– To recognize and assess the influence and direction exerted by
the foreign parent (and/or foreign government)
– To develop and to put into effect remedies when foreign
influence may be adverse to U.S. national security interests
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Requirements and Objectives (cont.)
•
Mitigation enables U.S. contractors to perform on
classified programs with provisions in place to
– Negate foreign influence over that company
– Deny the foreign entity access to classified or exportcontrolled data
•
Defense Security Service (DSS) permits mitigation through
one of the following:
– Board Resolution
– Proxy Agreement and Voting Trust Agreement
– Security Control Agreement (SCA) and Special Security
Agreement (SSA)
– Technology Control Plan (TCP) and Electronic Communications
Plan (ECP)
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Instruments
•
Board Resolution
– Used when the foreign entity does not own voting stock sufficient to
elect a representative to the company's governing board
•
Proxy Agreement (PA) and Voting Trust Agreement (VTA)
– Used when a cleared company is owned or controlled by a foreign
entity
• Both agreements are substantially identical whereby the voting rights of
the foreign owned stock are vested in cleared US citizens approved by the
Federal Government (DSS)
• Neither arrangement imposes any restrictions on the company's eligibility
to have access to classified information or to compete for classified
contracts
•
Security Control Agreement (SCA)
– Used when the cleared company is not effectively owned or
controlled by a foreign entity and the foreign interest is entitled to
representation on the company's governing board
• There are no access limitations under an SCA
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Instruments (cont.)
•
Special Security Agreement (SSA)
– Used when a company is effectively owned or controlled by a foreign
entity
– SSA has access limitations
– Allows foreign owned U.S. companies to win and work on classified
contracts
– The SCA and SSA are substantially identical arrangements that:
 Require specific organization of the U.S. company (board, security
committee, etc.)
 Designed to manage contact between the cleared company and its parent
and affiliates
 Grant security clearance to specific sites and employees for classified U.S.
projects
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Instruments (cont.)
•
Technology Control Plan (TCP)
‒
–
A plan developed and implemented to prescribe security measures necessary to
reasonably foreclose the possibility of unauthorized or inadvertent access by
any foreign person to information for which they are not authorized

The documentation that results from the collaborative process of site functions
creating a written plan to manage the presence of foreign nationals in the work place

Reinforces workplace awareness and education

Identification of physical and electronic controls

Established Audits/Checking

Serves as evidence to U.S. Government

Addresses where foreign national can and cannot go, who will escort them, how will
they access information they need, what pre-authorizations are in place
A TCP must be in place when:

When non-U.S. persons are hired as employees in accordance with applicable laws

Visits of three weeks or longer of a non-U.S. person

A program involves non-U.S. customers who frequent or are assigned to a cleared site
Foreign Ownership, Control, or Influence (FOCI)
Mitigation Instruments (cont.)
•
Electronic Communications Plan (ECP)
– Required by DSS for FOCI companies
– Describes the oversight of communications between contractor
personnel and the foreign owner and/or affiliates
– Intended to deter and detect undue influence by the foreign
owner/affiliates over management affairs or unauthorized attempts to
access classified information or export controlled technology
– For non-classified networks
– A network description will be included and contain
•
All electronic communication mediums including but not limited to,
personal/network firewalls, remote administration, monitoring,
maintenance, and separate email servers (as appropriate)
•
The scope will include all communications including telephone,
teleconference, video conferences, facsimile, cell phones, PDAs and all
computer communication including emails and server access
•
Video conferencing shall be treated as a visit under the visitation
requirements of the FOCI mitigation agreement
– Controls will be looked at during your annual DSS Inspection

similar documents