What is FOCI in security?

An overview of Foreign Ownership, Control or Influence and what it means for your cleared facility

Because of the nature of national security, businesses seeking a clearance who have some level of Foreign Ownership, Control or Influence (FOCI) must report it to the government. In most circumstances, this will mean you are required to have some level of mitigation to ensure the data you’re entrusted with remains safe. In some circumstances, FOCI can mean a clearance will be denied outright. In others, you may not be considered under FOCI at all.

How is your level of FOCI determined, and what does it mean to be under FOCI?

Flag of Austria in focus among other European countries flags. Europe marked with table flags 3d rendering

FOCI Overview

A company is considered under FOCI if a foreign interest has either direct or indirect power to make or influence decisions affecting the way the company operates. This could be a foreign national on the company’s board or a foreign company owning a portion of your company.

In order to find out if you are under FOCI and what level, your company’s Senior Management Official (SMO) will complete the SF 328, also known as the Certificate Pertaining to Foreign Interests as part of the initial Facility Clearance (FCL) package. This form contains 10 yes or no questions that will disclose if your company has any relationship with a foreign entity. Any yes answers to the questions on this form indicate that your company is under some level of FOCI. There is also a remarks section where you will explain any yes answers you give.

If you have less than 5% of your company owned by a foreign entity, you are unlikely to be considered under FOCI. This is not a guarantee, however. Particularly, if you have a relationship with a country that the U.S. has a poor diplomatic relationship with—like Russia—this may be a reason for your clearance to be denied outright, regardless of what percentage they own.

If there is a change to your FOCI factors, like if your company is acquired by a foreign entity, your SMO will have to resubmit the SF 328.

Determining FOCI requires specific, specialty knowledge, so your usual DCSA representative will not be the person responsible for that. Instead, a FOCI Action Officer from DCSA Headquarters will be assigned to your case. They will determine what mitigations you need to have in place to respond to your level of FOCI.

FOCI mitigations are not prescriptive, and there is not a clear and simple code you can follow to guess what mitigations the FOCI officer will want you to follow. The office considers many factors: the actual amount of ownership or influence of the foreign entity, whether the facility is possessing or non-possessing, the foreign entity’s relationship to the U.S. and other countries and the diplomatic situation in the country you’re associated with.

Everything needs to be combed through by limited agents, so it can take some time for them to decide what your mitigation needs will be. It’s hard to give a timeline for how long you can expect it to take because it is truly addressed on a case-by-case basis depending on what information your facility handles and what company you have a relationship with.

Once they decide what mitigations you need, there can still be some back and forth between you and the FOCI officer as you try to get your mitigations approved. If they don’t find your mitigations sufficient, you will have to fix the problems, resubmit them and wait again for approval.  In some cases, you may be granted your clearance before all your mitigations are implemented, especially if you are non-possessing, but, again, this isn’t guaranteed.

Common FOCI Mitigations

Many of the mitigations required for facilities under FOCI involve making sure data cannot be accessed by anyone who shouldn’t be able to, especially if your company has people traveling to and from foreign offices or foreign nationals within the company. Here are some mitigations you may be required to have if you’re under FOCI.

Technology Control Plan

The Technology Control Plan (TCP) is your plan for how you will prevent foreign nationals or individuals in a foreign office from accessing information related to your classified contract. These will be customized to your facility and how data within your organization is typically accessed. This will cover items including what information needs to be protected, how your data is transmitted by email and policy for securing hard copies of classified information.

Visitor’s Plan

A visitor’s plan covers how you will keep track of who comes in and out of your facility, especially if you are possessing. This will be more common in companies that have foreign offices and people traveling between locations. This can help prevent an insider threat from accessing classified information without anyone knowing.

A blue and white graphic with an illustration of people standing on a laptop. The laptop has a folder with papers coming out of it. The text advertises a complete FCL guide

Click here to read

Voting Agreements

There are a few mitigations specifically for when a foreign entity has some level of decision-making power within the board. These agreements ensure that foreign shareholders are denied unauthorized access to classified information without losing their representation and voting power. This typically means appointing a proxy who is a U.S. citizen living in the U.S. who can vote on their behalf on issues relating to the classified contract.

If you are an FSO for a facility under FOCI and looking for help meeting mitigation requirements, Adamo can help. Our FSO Support services can assist you in getting your mitigations created and approved by the FOCI office so you can operate securely. If you’re looking for support in this or any of your other FSO duties, contact us today.

PREVIOUS POSTAn Overview of The DD 441 and SF 328
NEXT POSTThe Benefits of a T-SCIF