Foreign Ownership Control and Influence (FOCI) Cybersecurity Risks
Foreign Ownership, Control, or Influence (FOCI) describes a condition in which a foreign interest holds sufficient power over a U.S. entity to compromise that entity's ability to safeguard classified information or controlled unclassified information (CUI). Within the cybersecurity domain, FOCI creates pathways for unauthorized access, data exfiltration, and systemic subversion of national security systems — making it a central concern for the Defense Counterintelligence and Security Agency (DCSA), the Committee on Foreign Investment in the United States (CFIUS), and facility security officers across the cleared defense industrial base (DIB). This page describes the regulatory structure, operational mechanics, classification criteria, and sector tensions surrounding FOCI cybersecurity risk.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
FOCI is formally defined under the National Industrial Security Program Operating Manual (NISPOM, 32 C.F.R. Part 117) as a condition that exists when a foreign interest has the power — direct or indirect, actual or potential — to direct or decide matters affecting the management or operations of a facility in a manner that could result in unauthorized access to classified information or material. The NISPOM was codified as a federal rule via 32 C.F.R. Part 117, effective February 2021, replacing the legacy DoD 5220.22-M manual format and making FOCI compliance obligations legally enforceable across all facilities holding a Facility Clearance (FCL).
The scope of FOCI extends beyond ownership stakes. It encompasses board representation, executive appointment authority, contractual relationships that create financial dependency, technology licensing agreements that confer veto rights, and debt instruments that impose operational conditions. Foreign governments, state-owned enterprises, and private foreign nationals can all constitute "foreign interests" under the definition. The Department of Defense maintains a classified list of foreign countries of special concern, though DCSA applies FOCI scrutiny universally rather than restricting it to enumerated adversaries.
Cybersecurity risk under FOCI is not limited to active espionage. It includes the structural exposure created by IT infrastructure, supply chain access, managed service relationships, and cloud tenancy arrangements where a foreign-influenced entity controls system administration, encryption key management, or network segmentation decisions.
Core mechanics or structure
FOCI risk materializes through five primary structural vectors within a cleared facility:
Ownership and equity control. Foreign entities holding equity positions — particularly above the 25% threshold commonly cited in CFIUS practice, though no single statutory floor exists — gain fiduciary leverage over capital allocation, acquisition decisions, and personnel policy. Equity ownership in a parent company transmits FOCI downstream to U.S. subsidiaries.
Board and governance authority. Foreign nationals serving on boards of directors, audit committees, or advisory councils have legal standing to access financial disclosures, strategic plans, and sometimes operational briefings. Even non-voting board observer roles have been flagged in CFIUS mitigation agreements as FOCI-relevant.
Technology and IP licensing. When a foreign licensor controls a patent or software platform essential to a cleared facility's operations, that licensor may assert contractual audit rights, demand source code access, or restrict technological evolution — each of which creates an access or influence vector.
Debt and financial dependency. Foreign-held debt instruments with covenant structures that impose operational constraints (e.g., prohibitions on certain contracts, approval requirements for executive hires) represent FOCI even without equity ownership. DCSA reviews financing agreements as part of FCL processing.
Personnel and secondment arrangements. Foreign nationals embedded as employees, contractors, or seconded personnel within a cleared facility can transmit information through routine access. Insider threat programs under NISPOM 32 C.F.R. § 117.8 require cleared facilities to address this vector explicitly.
When FOCI is identified, DCSA may require one of four mitigation instruments: a Board Resolution, a Security Control Agreement (SCA), a Special Security Agreement (SSA), or, in the most restrictive cases, a Proxy Agreement or Voting Trust Agreement (VT). Each instrument imposes different governance constraints, insider threat program requirements, and cybersecurity control obligations.
Causal relationships or drivers
The increase in FOCI cybersecurity risk incidents since 2015 is attributable to the following intersecting structural forces.
Globalization of the defense supply chain. U.S. defense prime contractors routinely rely on sub-tier suppliers with foreign parent ownership. A Tier-3 supplier of electronic components may be majority-owned by a foreign holding company without the prime contractor's immediate awareness, creating unmonitored FOCI exposure within the broader program security boundary.
Foreign direct investment in dual-use technology sectors. CFIUS data, as reported in the CFIUS Annual Report to Congress for fiscal year 2022, documented 440 covered transaction notices — a volume driven substantially by foreign investment in semiconductor, artificial intelligence, and cybersecurity sectors. These sectors overlap heavily with the DIB.
Cloud adoption and managed service reliance. Cleared facilities migrating to commercial cloud environments and managed security service providers (MSSPs) face FOCI exposure when those providers are foreign-owned or when foreign nationals in offshore support roles hold privileged access credentials. The DCSA Center for Development of Security Excellence (CDSE) has identified cloud tenancy under foreign-owned infrastructure as an emerging FOCI vector requiring explicit treatment in System Security Plans.
Mergers, acquisitions, and private equity. Private equity buyouts of cleared facilities — particularly when PE funds include sovereign wealth fund limited partners — introduce indirect foreign influence. CFIUS jurisdiction, expanded by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA, Pub. L. 115-232), now covers non-controlling investments in critical technology, critical infrastructure, and sensitive personal data businesses.
Classification boundaries
FOCI conditions are classified along two primary axes: the nature of the foreign interest and the degree of control or influence.
Nature of the foreign interest:
- Government-directed — a foreign state or state-owned enterprise holds the interest
- Private foreign national — an individual citizen or resident of a foreign country holds the interest
- Foreign commercial entity — a privately held or publicly traded foreign corporation holds the interest
Degree of control or influence:
- Ownership/control — direct ability to direct operations or appoint leadership
- Influence — indirect ability through financial dependency, contractual rights, or cultural/familial pressure without formal legal authority
DCSA distinguishes between FOCI that can be mitigated (allowing an FCL to be granted or maintained with a Security Control Agreement or SSA) and FOCI that cannot be mitigated (requiring denial or revocation of FCL). Factors driving the "cannot be mitigated" determination include the sensitivity of classified programs involved, the foreign country's counterintelligence threat posture, and the structural impossibility of insulating classified operations from foreign-influenced governance layers.
The Intelligence Community Directive 704 addresses FOCI-related suitability and access eligibility determinations for personnel within the IC, distinct from the NISPOM framework governing cleared facilities.
Tradeoffs and tensions
FOCI mitigation creates genuine operational friction within the defense industrial base. Four specific tensions recur across the sector:
Investment access vs. security restriction. Aggressive FOCI mitigation requirements deter foreign capital from U.S. defense-adjacent technology companies. This can slow R&D funding and consolidate cleared work among a smaller set of legacy prime contractors, potentially reducing competition and innovation within the DIB.
SSA governance vs. corporate efficiency. Under an SSA, a Government Security Committee (GSC) composed of cleared U.S. citizens must be interposed between the foreign parent and classified operations. GSC members carry fiduciary responsibility to two parties — the foreign parent corporation and the U.S. government — creating structural conflict-of-interest conditions that courts and DCSA have not fully resolved.
Cloud adoption vs. FOCI exposure. Commercial cloud platforms increasingly underlie cybersecurity infrastructure across the DIB. When those platforms are provided by entities with foreign ownership or foreign-national workforce concentrations in privileged roles, cleared facilities face a binary choice: accept FOCI exposure or forgo cloud efficiencies. The DoD Cloud Computing Security Requirements Guide (SRG) addresses authorized cloud environments but does not resolve the FOCI ownership question for all provider categories.
CFIUS jurisdiction vs. DCSA jurisdiction. CFIUS and DCSA operate under different statutory authorities with different jurisdictional triggers. A transaction that does not require CFIUS review (e.g., a non-controlling investment below mandatory declaration thresholds) can still create FOCI under NISPOM standards. Facility security officers must therefore assess FOCI independently, even when CFIUS has not flagged a transaction.
Common misconceptions
Misconception: FOCI only applies to majority foreign ownership.
NISPOM explicitly rejects an ownership-percentage floor as the sole criterion. A foreign entity holding a 15% equity stake combined with a board seat and a critical supply agreement may constitute FOCI, while a 49% passive investor with no governance rights may not — depending on the totality of the relationship.
Misconception: CFIUS approval eliminates FOCI concerns.
CFIUS mitigation agreements address national security conditions around a specific transaction. They do not grant a facility clearance, and they do not substitute for DCSA's independent FOCI determination under NISPOM. CFIUS approval and FCL maintenance operate on parallel tracks under separate authorities.
Misconception: FOCI is only relevant at the time of initial FCL application.
FOCI is a continuous condition. Cleared facilities must report changes in ownership, financing, and key management personnel to DCSA under the ongoing reporting obligations in 32 C.F.R. § 117.19. Post-award mergers, secondary equity sales, and debt refinancings all require prompt reporting.
Misconception: Cybersecurity controls alone resolve FOCI risk.
Technical controls — network segmentation, multi-factor authentication, privileged access management — reduce the attack surface but do not eliminate governance-layer FOCI. A foreign board member with legitimate access to financial data does not require a cyberattack to exfiltrate strategically sensitive information about a cleared facility's program portfolio.
Checklist or steps (non-advisory)
The following sequence reflects the standard FOCI review and mitigation process as documented by DCSA and NISPOM. This is a descriptive procedural reference, not legal guidance.
- Identify foreign interests — Review all equity holders, debt instruments, board compositions, licensing agreements, and management service contracts for foreign national or foreign entity involvement.
- Assess degree of control or influence — Determine whether identified foreign interests have the ability to direct or decide matters affecting classified operations, using the NISPOM totality-of-circumstances standard.
- Submit SF-328 — Complete the Certificate Pertaining to Foreign Interests (Standard Form 328) and submit it to DCSA as part of the FCL application or during required updates.
- Receive DCSA FOCI determination — DCSA evaluates the SF-328 and supporting documentation to determine whether FOCI exists and whether it is mitigable.
- Negotiate mitigation instrument — If FOCI is mitigable, DCSA works with the facility to establish the appropriate instrument: Board Resolution, SCA, SSA, Proxy Agreement, or Voting Trust.
- Establish Government Security Committee (if SSA) — Under an SSA, appoint a GSC composed entirely of cleared U.S. citizens; document its charter, membership, and reporting structure.
- Implement cybersecurity controls aligned to the mitigation instrument — Configure IT governance, access controls, and insider threat program elements to enforce the separation requirements of the mitigation instrument.
- Conduct annual reviews and continuous monitoring — Maintain ongoing compliance with the mitigation instrument's terms; report material changes within the timeframes specified in 32 C.F.R. § 117.19.
- Report triggering events promptly — Mergers, acquisitions, executive changes, new foreign financing, and cyber incidents with a FOCI nexus all require timely DCSA notification.
Reference table or matrix
| FOCI Mitigation Instrument | Applicable Condition | Key Governance Requirement | Cybersecurity Implication |
|---|---|---|---|
| Board Resolution | Minimal FOCI; foreign interest is passive and non-controlling | Formal board commitment to NISPOM compliance | Standard FCL cybersecurity baseline |
| Security Control Agreement (SCA) | Foreign parent has corporate control but classified programs are limited | Senior U.S. official with authority over classified operations | Segregated classified network segments; no foreign-national privileged access |
| Special Security Agreement (SSA) | Foreign parent has operational integration with classified programs | Government Security Committee (GSC) of cleared U.S. citizens | Enhanced insider threat program; DCSA-approved technology control plan |
| Proxy Agreement / Voting Trust | Highest-risk FOCI; senior government programs involved | Cleared U.S. proxies or trustees exercise all voting rights on behalf of foreign owner | Full network isolation of classified systems; independent IT infrastructure |
| No Mitigation Available | FOCI cannot be structurally neutralized | FCL denied or revoked | No access to classified programs or CUI systems |

| FOCI Vector | Regulatory Authority | Assessment Mechanism | Reporting Obligation |
|---|---|---|---|
| Equity ownership | DCSA / NISPOM 32 C.F.R. § 117 | SF-328 review | Report within 5 days of change (§ 117.19) |
| Board representation | DCSA / NISPOM | SF-328; corporate documents | Report at any change in board composition |
| Foreign debt instruments | DCSA / NISPOM | Financing agreement review | Report at execution or modification |
| Non-controlling investment in critical tech | CFIUS / FIRRMA (Pub. L. 115-232) | Voluntary or mandatory declaration | Filing required for TID U.S. businesses |
| Cloud provider foreign ownership | DoD SRG / DCSA | Cloud service provider authorization review | Report as material change to IT configuration |
| Foreign employee / secondee access | NISPOM § 117.8 (Insider Threat) | Personnel security review | Report upon hire or assignment |
References
- National Industrial Security Program Operating Manual — 32 C.F.R. Part 117
- Defense Counterintelligence and Security Agency (DCSA)
- Committee on Foreign Investment in the United States (CFIUS) — U.S. Department of the Treasury
- CFIUS Annual Report to Congress (FY 2022)
- [Foreign Investment Risk Review Modernization Act of 2018 (FI