When CFIUS Mitigation Agreements and FOCI Reviews Overlap: A Critical Balancing Act

By: Derrick Kyle, Senior Associate
Date: 01/18/2022

On June 9, 2021, Momentus Inc., a U.S. commercial space company offering in-space transportation and infrastructure services, as a condition to its acquisition by a foreign-owned company, entered into a National Security Agreement with the Department of Defense (“DoD”) and Department of Treasury. Under this agreement, Momentus was required to “implement increased security measures, hire key positions to provide additional oversight and appoint a [Committee on Foreign Investment in the United States (“CFIUS”)]-approved director to its board of directors.”1 In doing so, Momentus agreed to mitigate the national security risks associated with its foreign ownership.

These kinds of agreements are not uncommon during the CFIUS clearance process. In 2020, CFIUS adopted mitigation measures to resolve national security concerns in 16 of 187 covered transactions before the Committee.2 CFIUS approval of a transaction can hinge on fulfilling the obligations outlined in these agreements, and as such it is crucial to understand and to proactively mitigate the risks as set forth by CFIUS. However, an organization may also need to adhere to the foreign-investment requirements of other U.S. Government bodies, creating a complex overlap.

CFIUS Mitigation Measures and Agreements

During the CFIUS review process, prior to a determination of granting clearance, or blocking or unwinding the transaction, CFIUS and the parties may enter into a mitigation agreement (also referred to as a “National Security Agreement”) to resolve outstanding national security risks. The agreements require a negotiation between CFIUS and the parties concerning how the parties must shore-up their conduct or change practices, particularly with regard to the relationship between the parent entity and subsidiary, so that CFIUS deems the transaction acceptable in light of national security concerns.

In its latest Annual Report to Congress, CFIUS provided examples of “specific and verifiable actions” it required of businesses as part of mitigation measures and conditions. (For a more detailed discussion of the contents of the CFIUS Annual Report to Congress, see our previous article Highlights of the 2020 CFIUS Annual Report to Congress.) Examples of such mitigation measures include:

  • prohibiting or limiting the transfer or sharing of certain intellectual property, trade secrets, or technical knowledge;

  • establishing guidelines and terms for handling existing or future U.S. Government contracts, customer information, and other sensitive information;

  • ensuring that only authorized persons have access to certain technology; that only authorized persons have access to U.S. Government, company, or customer information; and that the foreign acquirer not have direct or indirect access to systems that hold such information;

  • establishing a Corporate Security Committee and other mechanisms to ensure compliance with all required actions, including the appointment of a U.S. Government-approved security officer and/or member of the board of directors and requirements for security policies, annual reports, and independent audits;

  • notifying, for approval, security officers or relevant U.S. Government parties in advance of foreign national visits to the U.S. business;

  • security protocols to ensure the integrity of goods or software sold to the U.S. Government;

  • notifying customers regarding the change of ownership;

  • assurances of continuity of supply to the U.S. Government for defined periods, and notification and consultation prior to taking certain business decisions, reserving certain rights for the U.S. Government in the event that the company decides to exit a business line;

  • establishing meetings to discuss business plans that might affect U.S. Government supply or raise national security considerations;

  • exclusion of certain sensitive assets from the transaction;

  • ensuring that only authorized vendors supply certain products or services;

  • prior notification to and approval by relevant U.S. Government parties in connection with any increase in ownership or rights by the foreign acquirer; and

  • divestiture by the foreign acquirer of all or part of the U.S. business.3

As seen from the above list, mitigation actions can span a wide range of a business’s operations, from increasing hardware or internet security restrictions and increased communication with the government, to tightening procurement or supply chain procedures, or even changing ownership structure, in the extreme case.

The Department of Treasury’s Office of Investment Security Monitoring and Enforcement administers regulations “which authorize CFIUS to impose civil monetary penalties for violations of certain CFIUS regulations, orders, and agreements.”4 Monetary penalties for violations of a mitigation agreement may be as much as $250,000, or twice the value of the transaction, whichever is greater, per violation.5

For example, in 2018, a party to a CFIUS mitigation agreement received a $1,000,000 penalty for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS.” See our discussion of that case in our previous article U.S. Foreign Investment Watchdog Grows Teeth: Unprecedented $1 Million Penalty May Signal New Era.

Once under a mitigation agreement, CFIUS agencies employ several methods to monitor and enforce compliance by the parties subject to the agreement, including:

  • periodic reporting to U.S. Government agencies by the companies;

  • on-site compliance reviews by U.S. Government agencies;

  • third-party audits or monitors when provided for by the terms of the mitigation measures; and

  • investigations and remedial actions if anomalies or breaches are discovered or suspected, including the imposition of penalties or unilateral initiation of another review of the covered transaction, where appropriate.6

As the above monitoring mechanisms reveal, mitigation agreements are not a static contract. They are an active process, an ongoing relationship between the U.S. Government and the parties. In our experience with CFIUS mitigation agreement compliance, the monitoring agency expects the mitigated company to have detailed procedures (e.g., a Technology Control Plan) to maintain compliance with the various aspects of the mitigation agreement. Additionally, even if not specifically required under the agreement, a third-party audit of compliance procedures is helpful to identify any gaps or risks of inadvertently breaching the agreement requirements.


Relatedly, but distinct nonetheless, DoD’s Defense Counterintelligence and Security Agency (“DCSA,” called Defense Security Service prior to June 20, 2020) is responsible for issuing facility and personnel security clearances. When a defense contractor becomes subject to foreign ownership, control, or influence (“FOCI”), DCSA must review such foreign investment before authorizing or continuing the granting of security clearances. The DCSA review process may overlap with a CFIUS review depending on the subject of review and the foreign investment involved.

A key difference between CFIUS and DCSA is their membership. CFIUS is an interagency committee with members from the Departments of Treasury, Justice, Homeland Security, Commerce, Defense, State, and Energy, and the Offices of the U.S. Trade Representative and Science & Technology Policy. The DCSA, on the other hand, is part of DoD. Other U.S. Government bodies, such as the Department of Energy, may have their own FOCI reviews. Thus, CFIUS has broader policy concerns for which it monitors and may approve or block foreign-ownership transactions compared to Department-specific FOCI reviews.

When CFIUS and FOCI reviews overlap, such as when a foreign-acquired U.S. business requires access to classified information, the reviews “are carried out in parallel, but are separate processes with different time constraints and considerations.”7 As such, it is important to pay careful attention to the requirements of each. In particular, timing is critical. The CFIUS notice review period lasts 45 days, after which, barring an investigation, a determination is made.8 DCSA will have its own deadlines for certain application and filing requirements, complicating the filing to comply with both.

Further, as with CFIUS, there is a list of mitigation measures, as part of a “FOCI action plan,” that ensure that the foreign interest can be effectively denied access to classified information “and cannot otherwise adversely affect performance on classified contracts.”9 Broadly, these can be similar to those recommended by CFIUS – a mitigation plan may cover both CFIUS and DCSA’s FOCI requirements – but, each plan should be case-specific, adhering to the requirements of each program.


Satisfying the requirements of mitigation agreements and measures, under both CFIUS and FOCI programs, may seem like a difficult balancing act, but adequate mitigation is necessary for the U.S. Government to approve covered foreign investment and acquisition transactions. There is no one-size-fits-all agreement or mitigation plan, and as such it is crucial that parties to foreign-ownership transactions plan carefully and approach these various mitigation regimes with caution.

If you require assistance navigating an in-place CFIUS or FOCI mitigation agreement, including the creation or auditing of compliance procedures, or if you are preparing or will need to prepare such an agreement pursuant to foreign acquisition or investment, the attorneys at Torres Law are prepared to assist.

1 Press Release, Stable Road Acquisition Corp. Form 8-K, Ex-99.1, Jun. 9, 2020, SEC Filing, (available at

2 Comm. On Foreign Inv. in the United States [“CFIUS”], Annual Report to Congress CY 2020, (2021) (available at

3 Comm. On Foreign Inv. in the United States [“CFIUS”], Annual Report to Congress CY 2020, 40-41, (2021) (available at

4 CFIUS Monitoring and Investment, U.S. Dep’t of Treasury, available at (last accessed Jan. 5, 2022).

5 31 CFR 800.901(c); 31 CFR 802.901(b).

6 Comm. On Foreign Inv. in the United States [“CFIUS”], Annual Report to Congress CY 2020, 41-42, (2021) (available at

7 32 CFR 117.511(j)(2).

8 31 CFR 800.502.

9 32 CFR 117.11(d)(1)