Top Insights from DCSA's Annual FOCI Conference
- The Defense Counterintelligence and Security Agency (DCSA) hosted its 26th Annual Conference on Foreign Ownership, Control, or Influence (FOCI) on Aug. 25, 2022.
- The conference featured speakers from a variety of DCSA branches who provided remarks on the agency's priorities, relevant statistics and recent changes to its approach to mitigation, as well as changes to the agency's security review process of cleared companies.
- This Holland & Knight alert identifies several key insights from the FOCI Conference for companies holding a U.S. facility security clearance or interested in operating in the classified government contracts space.
The Department of Defense's (DoD) Defense Counterintelligence and Security Agency (DCSA)¹ hosted its 26th Annual Conference on Foreign Ownership, Control, or Influence (FOCI Conference) on Aug. 25, 2022, which was attended by more than 500 industry participants. The FOCI Conference is designed to educate the industry on the impact of FOCI on facility security clearances (FCL) and to inform it about new processes and policies affecting DCSA's FOCI mitigation measures. DCSA officials provided important information on the agency's priorities and strategy for the next five years.
Holland & Knight identified three key considerations for businesses already under FOCI mitigation or those considering the federal market for classified government contracts.
DCSA outlined several priorities for the next five years:
- Developing the National Background Investigation Services (NBIS) system², which is fully capable and fully controlled by DCSA. NBIS is designed to carry all personnel investigation functions, from the submission of Standard Form 86 (Questionnaire For National Security Positions), all the way to a potential appeal. NBIS is expected to be fully operational in Fiscal Year 2024.
- Better relationship with the classified contracting community, especially as it relates to information sharing. DCSA recognizes this is a challenge, with much of the information remaining classified.
- Better integration across agencies and intra-agency in order to build a common operating picture and mission integration between DCSA staff working in the field environment, IT, background investigation and critical technology.
- Rightsizing DCSA. DCSA was initially designed for 900 personnel, but is currently employing more than 10,000 people, with 1,000 new positions to be filled in the coming year. DCSA also expanded by adding the DoD Insider Threat Management and Analysis Center, which focuses on behavioral psychology and electronic information. The sheer size of its growth necessitates rethinking of legacy operational aspects of DCSA.
To accomplish these priorities, as well as its overall mission, DCSA recognized that it must invest in people (beginning with attracting talented interns), focus on oversight and compliance to ensure that all stipulations and mitigating frameworks are adhered to fully, and invest in cutting-edge technology, including big data.
Key Statistics on Security Clearance
DCSA also revealed that it currently takes the agency on average 155 days to process a facility security clearance (FCL) for a Tier 1 company (i.e., no FOCI concern), 266 days to clear a Tier 2 company (i.e., some FOCI mitigation required) and 263 days to issue an FCL to a Tier 3 company (i.e., full FOCI mitigation).
On personnel security clearances (PCL), an applicant may be granted a Top Secret (TS) level clearance in less than 90 days, or a Secret level clearance in approximately 60 days. For those who currently hold a PCL and are transferring from one location to another, the transfer of the clearance may occur within a period of days, provided no reportable events have occurred.
Tailored Approach to FOCI Mitigation
As the national security risk landscape changes and threat vectors continue to evolve, DCSA is moving away from so-called cookie-cutter FOCI mitigation structures toward the use of tailored provisions that address specific FOCI circumstances in the context of template mitigation agreements and documents (e.g., Special Board Resolutions (SBRs), Security Control Agreements (SCAs), Special Security Agreements (SSAs), and Proxy Agreements (PAs)).
While not every cleared company requires mitigation, DCSA reports that more than 600 facilities operate under some form of FOCI mitigation triggered by differing FOCI factors, which consequently require specialized mitigation structures. Some of these tailored provisions include: Foreign Disclosure Requirements to the Government Contracting Agency (GCA), including if foreign technology, products or services are used on a classified contract; Electronic Communications Monitoring Policies (a lighter version of the Electronic Communications Plan); Visitation Control Policies; Foreign Travel Notification Requirements; and requiring that the company's senior management official (SMO) and facility security officer (FSO) are not the same person. The shift toward these more tailored forms of mitigation is intended to help DCSA more adequately address threat vectors from adversarial countries and protect classified information and critical technologies, while minimizing the impact FOCI mitigation has on the business operations of cleared companies.
Increased Focus on Foreign "Influence"
DCSA is increasingly focused on the "Influence" aspect of FOCI. DCSA is witnessing an increased number of potential ways to influence cleared companies that fall outside of the cleared company's formal ownership structure, paying particular attention to its global touchpoints. This can include familial or spousal business relationships in a country of special interest, and professional relationships of Key Management Personnel (KMP). Through third-party business relationships and extensive, often complicated supply chains, cleared entities may have potential connections all around the world that could be exploited and are thus viewed by DCSA as high-priority. Academia involved in classified STEM research and development is particularly vulnerable due to high levels of foreign travel and contracts throughout the world. The pressure placed on supply chains due to the COVID-19 pandemic and Russia's ongoing war in Ukraine has only heightened this focus. Holland & Knight recommends that cleared companies and academia conduct thorough due diligence on their supply chains, third-party business relationships and KMPs to ensure that any FOCI concerns are identified and discussed transparently with DCSA, so that potential security vulnerabilities are addressed and not uncovered without proper foresight in a future security review. DCSA officials repeatedly referred to the SEAD 3 unofficial foreign travel reporting requirement,³ which was fully implemented as of Aug. 24, 2022, as one method of improved monitoring of potential threats.
DCSA also warned of the increased threat posed by China and other high threat level jurisdictions, particularly as it relates to gaining influence in critical or classified U.S. technology (e.g., software, battery technology, drone and quantum computing) via foreign investment and complicated JV structures.
The Post-COVID Security Review Process Is Ramping Up
DCSA conducts security reviews of cleared contractors within the National Industrial Security Program (NISP) through an established security review and rating process. Security reviews intend to verify that contractors are protecting classified information and implementing the provisions of the National Industrial Security Program Operating Manual (NISPOM), identify gaps in security controls, and rate a facility's security posture.
Beginning Sept. 1, 2021, DCSA shifted the security review and rating process from a general conformity approach to a compliance-first, evidence-based model. Under the new protocol, cleared contractors will first be evaluated for general conformity to identify any critical vulnerabilities, with a focus on the company's security policies, systemic vulnerabilities (e.g., deficiencies in several different areas) or serious security issues (e.g., issues that are unmitigated or FOCI concerns). Companies determined to be in general conformity are then assigned a formal security rating – Satisfactory, Commendable or Superior. Those contractors that do not meet general conformity requirements are assigned a coordinated security rating – Satisfactory (in rare cases), Marginal or Unsatisfactory. Contractors who receive Marginal or Unsatisfactory security ratings may then face invalidation of their FCLs. Currently, only 2 percent of cleared companies have had their FCL invalidated. In general, DCSA will work with these companies to bring them into compliance. DCSA observed increased discrepancies during its recent investigations (which are now once again performed in person), mostly due to the challenges of operating during the COVID pandemic.
This year's FOCI Conference provided, for the first time, data on the outcomes of security reviews under the new model. DCSA officials remarked that assigned security ratings are consistent with historical norms assigned under previous rating models. Notable statistics are as follows:
- Between Sept. 1, 2021, and Aug. 16, 2022, DCSA conducted more than 2,300 formal security reviews and over 1,700 hybrid security monitoring actions intended as a supplemental way to communicate with cleared contractors, evaluate NISPOM compliance and identify issues that may warrant further engagement.
- 98 percent of the conducted reviews resulted in a status of general conformity.
- Contractors under security review received ratings of Unsatisfactory (1 percent), Marginal (1 percent), Satisfactory (79 percent), Commendable (15 percent) and Superior (4 percent).
Speakers at the FOCI Conference noted that DCSA is working to effectively and efficiently meet its growing monitoring burden and actively communicate and share information with the industry. DCSA emphasized that cleared contractors should communicate frequently and transparently with agency officials to assist in this process moving forward. This is especially important for cleared companies that are being acquired by foreign investors. Failure to timely report may impact their FCL and has on occasion resulted in invalidating the FCL.
The Annual FOCI Conference reaffirmed the evolving nature of national security risks and highlighted DCSA's shifting priorities and tailored FOCI mitigation strategies. If you have any questions on this trade alert or are a company with potential FOCI interested in pursuing classified government contracting, please contact an author or another member of Holland & Knight's CFIUS and Industrial Security Team.
¹ DCSA was previously known as the Defense Security Service (DSS).
³ DCSA SEAD Unofficial Foreign Travel Reporting requirement.