Highlights
- The Defense Counterintelligence and Security Agency (DCSA)
hosted its 26th Annual Conference on Foreign Ownership, Control, or
Influence (FOCI) on Aug. 25, 2022. - The conference featured speakers from a variety of DCSA
branches who provided remarks on the agency’s priorities,
relevant statistics and recent changes to its approach to
mitigation, as well as changes to the agency’s security review
process of cleared companies. - This Holland & Knight alert identifies several key insights
from the FOCI Conference for companies holding a U.S. facility
security clearance or interested in operating in the classified
government contracts space.
The Department of Defense’s (DoD) Defense
Counterintelligence and Security Agency (DCSA)1 hosted
its 26th Annual Conference on Foreign Ownership, Control, or
Influence (FOCI Conference) on Aug. 25, 2022, which was attended by
more than 500 industry participants. The FOCI Conference is
designed to educate the industry on the impact of FOCI on facility
security clearances (FCL) and inform about new processes and
policies affecting DCSA’s FOCI mitigation measures. DCSA
officials provided important information on the agency’s
priorities and strategy for the next five years.
Holland & Knight identified three key considerations for
businesses already under FOCI mitigation or those considering the
federal market for classified government contracts.
DCSA’s Priorities
DCSA outlined several priorities for the next five years:
- Developing the National Background Investigation Services
(NBIS) system2, which is fully capable and fully
controlled by DCSA. NBIS is designed to carry all personnel
investigation functions, from the submission of Standard Form 86
(Questionnaire For National Security Positions), all the way to a
potential appeal. NBIS is expected to be fully operational in
Fiscal Year 2024. - Better relationship with the classified contracting community,
especially as it relates to information sharing. DCSA recognizes
this is a challenge, with much of the information remaining
classified. - Better integration across agencies and intra-agency in order to
build a common operating picture and mission integration between
DCSA staff working in field environment, IT, background
investigation and critical technology. - Rightsizing DCSA. DCSA was initially designed for 900
personnel, but is currently employing more than 10,000 people, with
1,000 new positions to be filled in the coming year. DCSA also
expanded by adding the DoD Insider Threat Management and Analysis
Center, which focuses on behavioral psychology and electronic
information. The sheer size of its growth necessitates rethinking
of legacy operational aspects of DCSA.
To accomplish these priorities, as well as its overall mission,
DCSA recognized that it must invest in people (beginning with
attracting talented interns), focus on oversight and compliance to
ensure that all stipulations and mitigating frameworks are adhered
to fully, and invest in cutting-edge technology, including big
data.
Key Statistics on Security Clearance
DCSA also revealed that it currently takes the agency on average
155 days to process a facility security clearance (FCL) for a Tier
1 company (i.e., no FOCI concern), 266 days to clear a Tier 2
company (i.e., some FOCI mitigation required) and 263 days to issue
an FCL to a Tier 3 company (i.e., full FOCI mitigation).
On personnel security clearances (PCL), an applicant may be
granted a Top Secret (TS) level clearance in less than 90 days, or
a Secret level clearance in approximately 60 days. For those who
currently hold a PCL and are transferring from one location to
another, the transfer of the clearance may occur within a period of
days, provided no reportable events have occurred.
Tailored Approach to FOCI Mitigation
As the national security risk landscape changes and threat
vectors continue to evolve, DCSA is moving away from so-called
cookie-cutter FOCI mitigation structures toward the use of tailored
provisions that address specific FOCI circumstances in the context
of template mitigation agreements and documents (e.g., Special
Board Resolutions (SBRs), Security Control Agreements (SCAs)
Special Security Agreements (SSAs), and Proxy Agreements
(PAs)).
While not every cleared company requires mitigation, DCSA
reports that more than 600 facilities operate under some form of
FOCI mitigation triggered by differing FOCI factors, which
consequently require specialized mitigation structures. Some of
these tailored provisions include: Foreign Disclosure Requirements
to the Government Contracting Agency (GCA), including if foreign
technology, products or services are used on a classified contract;
Electronic Communications Monitoring Policies (a lighter version of
the Electronic Communications Plan); Visitation Control Policies;
Foreign Travel Notification Requirements; and requiring that the
company’s senior management official (SMO) and facility
security officer (FSO) are not the same person. The shift toward
these more tailored forms of mitigation are intended to help DCSA
more adequately address threat vectors from adversarial countries
and protect classified information and critical technologies, while
minimizing the impact FOCI mitigation has on the business
operations of cleared companies.
Increased Focus on Foreign “Influence”
DCSA is increasingly focused on the “Influence” aspect
of FOCI. DCSA is witnessing an increased number of potential ways
to influence cleared companies that fall outside of the cleared
company’s formal ownership structure, paying particular
attention to its global touchpoints. This can include the familial,
spousal business relationship in a country of special interest, and
professional relationships of Key Management Personnel (KMP).
Through third-party business relationships and extensive, often
complicated supply chains, cleared entities may have potential
connections all around the world that could be exploited and are
thus viewed by DCSA as high-priority. Academia involved in
classified STEM research and development is particularly vulnerable
due to high levels of foreign travel and contracts throughout the
world. The pressure placed on supply chains due to the COVID-19
pandemic and Russia’s ongoing war in Ukraine has only
heightened this focus. Holland & Knight recommends that cleared
companies and academia conduct thorough due diligence on their
supply chains, third-party business relationships and KMPs to
ensure that any FOCI concerns are identified and discussed
transparently with DCSA to ensure that potential security
vulnerabilities are addressed and not uncovered without proper
foresight in a future security review. DCSA officials repeatedly
referred to the SEAD 3 unofficial foreign travel reporting
requirement,3 which was fully implemented as of Aug. 24,
2022, as one method of improved monitoring of potential
threats.
DCSA also warned of the increased threat posed by China and
other high threat level jurisdictions, particularly as it relates
to gaining influence in critical or classified U.S. technology
(e.g., software, battery technology, drone and quantum computing)
via foreign investment and complicated JV structures.
The Post-COVID Security Review Process Is Ramping Up
DCSA conducts security reviews of cleared contractors within the
National Industrial Security Program (NISP) through an established
security review and rating process. Security reviews intend to
verify that contractors are protecting classified information and
implementing the provisions of the National Industrial Security
Program Operating Manual (NISPOM), identify gaps in security
controls, and rate a facility’s security posture.
Beginning Sept. 1, 2021, DCSA shifted the security review and
rating process from a general conformity approach to a
compliance-first, evidence-based model. Under the new protocol,
cleared contractors will first be evaluated for general conformity
to identify any critical vulnerabilities, with a focus on the
company’s security policies, systemic vulnerabilities (e.g.,
deficiencies in several different areas) or serious security issues
(e.g., issues that are unmitigated or FOCI concerns). Companies
determined to be in general conformity are then assigned a formal
security rating – Satisfactory, Commendable or Superior.
Those contractors that do not meet general conformity requirements
are assigned a coordinated security rating – Satisfactory (in
rare cases), Marginal or Unsatisfactory. Contractors who receive
Marginal or Unsatisfactory security ratings may then face
invalidation of their FCLs. Currently, only 2 percent of cleared
companies have had their FCL invalidated. In general, DCSA will
work with these companies to bring them into compliance. DCSA
observed increased discrepancies during its recent investigations
(which have now resumed to be performed in person), mostly due to
the challenges of operating during the COVID pandemic.
This year’s FOCI Conference provided, for the first time,
data on the outcomes of security reviews under the new model. DCSA
officials remarked that assigned security ratings are consistent
with historical norms assigned under previous rating models.
Notable statistics are as follows:
- Between Sept. 1, 2021, and Aug. 16, 2022, DCSA conducted more
than 2,300 formal security reviews and over 1,700 hybrid security
monitoring actions intended as a supplemental way to communicate
with cleared contractors, evaluate NISPOM compliance and identify
issues that may warrant further engagement. - 98 percent of the conducted reviews resulted in a status of
general conformity. - Contractors under security review received ratings of
Unsatisfactory (1 percent), Marginal (1 percent), Satisfactory (79
percent), Commendable (15 percent) and Superior (4 percent).
Speakers at the FOCI Conference noted that DCSA is working to
effectively and efficiently meet its growing monitoring burden and
actively communicate and share information with the industry. DCSA
emphasized that cleared contractors should communicate frequently
and transparently with agency officials to assist in this process
moving forward. This is especially important for cleared companies
that are being acquired by foreign investors. Failure to timely
report may impact their FCL and has on occasion resulted in
invalidating the FCL.
Conclusion
The Annual FOCI Conference reaffirmed the evolving nature of
national security risks and highlighted DCSA’s shifting
priorities and tailored FOCI mitigation strategies. If you have any
questions on this trade alert or are a company with potential FOCI
interested in pursuing classified government contracting, please
contact an author or another member of Holland & Knight’s
CFIUS and Industrial
Security Team.
Footnotes
1. DCSA was previously known as the Defense Security
Service (DSS).
3. DCSA SEAD Unofficial Foreign Travel Reporting
requirement.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
