ML19115A273
| ML19115A273 | |
| Person / Time | |
|---|---|
| Site: | 07007016 |
| Issue date: | 05/30/2019 |
| From: | Defense Security Service |
| To: | Office of Nuclear Material Safety and Safeguards |
| Bartlett M | |
| Shared Package | |
| ML18115A264 | List: |
| References | |
| Download: ML19115A273 (20) | |
Text
/
Established in 1972 Headquartered in Quantico, Virginia A federal agency of the Department of Defense (DoD}
The Under Secretary of Defense for Intelligence provides authority, direction, and control over DSS Originally known as the Defense Investigative Service until 1999 Oversees the protection of U.S. and foreign classified information and technologies in the hands of cleared industry under the National Industrial Security Program (NISP}
The NISP was established in 1993 by E.O. 12828; intended to safeguard classified information entrusted to contractors Serves as the DoD Functional Manager responsible for the execution and maintenance of DoD security education, training, and certification Provides support to 32 federal agencies--~----~-------------- --
and approximately 13,500 cleared contractor facilities 2
lo*
\\ ~._
......* - \\ '"'\\ ---....
~ ~~---
_ _..----Le-, _,.,~ ~
I * *
/
- -~IIMOTA
. - -----~~-
f *----.._souTHDMOTA t*. ~~---""""*,.,,
,~~----
~
- ~,1
--a-G ll I
f o
f
- !l I -------
M exico
(!,
\\
10,000 + cleared companies at over 13,500 locations FOCI I Defense Security service DSS Locations: 4 Regions, 45 locations, 26 Field Offices 3
- Interprets policy & provides guidance for the NISP
- Manages enterprise operations through EMMC
- Supports CFIUS process
- Manages NID program
- Assesses and mitigates FOCI for companies in the NISP
- Ensures the protection and oversight of secured international transfers of classified information
- Manages the security oversight functions of DSS's direct and indirect support to the Special Access Program community 4
EMMC Mission Set
- 1. CFIUS
- 2. DiT Phase 1 Implementation
- 3. NIDs
- 4. FCL review (initial, changed)
- 5. FOCI
- 6. Referral Findings?
Findings?
Acceptable~
5
Case Type Priority 1
Identified Risk to Classified 2
CFIUS, Unmitigated FOCI, Medium-High Special Interest 3
DSS in Transition Cases Medium-High 4
National Interest Medium-Low Determinations 5
In-process FCL's
[
Low
]
6 Changed Condition FCL, In-process FOCI, Company Engagement I
Low I
- Initial case priorities are based upon the levels indicated in this chart but can elevated using the EMMC's priority elevation factors
- The EMMC's list of elevation factors are constantly evolving to meet the needs of our customers FOCI I Defense Security Service 6
(@External Input: U.S. Government requests NID or CFIUS Input CFIUS: CFIUS lead requires input on JVN submission
~ughemai\\
lnP-Ut o days NID: External c,1t agency requests
- support for a NID through email Control 1 day Create foundational analysis document as
- 1 required
__ ___,T1....r------
lt-l -
CFIUS: Specialist adds case to ~
production
~
tracker NID: Specialist confirms case submission is complete Return to sende with 30-day suspense if case is missing documents Close case if DSS has no equities; update parties as appropriate Closing 1-2 days Send to EM for next action or further analysis 7
'11 0
(")
8
- FOCI = Foreign Ownership, Control, or Influence "A U.S. company is considered under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the US company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts."
"A U.S. Company determined to be under FOCI is ineligible for a FCL unless and until security measures have been put in place to mitigate FOCI... "
- NISPOM 2-300 9
The following eight factors are considered, in aggregate, to determine a company's FOCI exposure:
- 1)
Record of economic and government espionage against the U.S.
- 2)
History of cooperation on technology transfer
- 3)
Type and sensitivity of information that will be accessed
- 4)
Source, nature and extent of FOCI
- 5)
Company's record of compliance with U.S. laws, regulations, and contracts
- 6)
Nature of bilateral or multilateral security agreements with foreign governments
- 7)
Foreign government ownership or control
- 8)
Any other factor indicating or demonstrating a capability on the part of the foreign interests to control or influence the operations or management of the business
- DoD Manual 5220.22, Volume 3 FOCI I Defense Security Service 10
Foundational Analysis:
Triage and limited scope first-touch analysis of analytic requests Goal: identify risk/threats associated with FOCI; security; intelligence; criminal activities; and complex business structures.
Significant findings 7 coordination with other analytical elements Advanced Analytics:
Comprehensive deep-dive analysis, leveraging supplemental products with technology or industry insights; expanded financial information; or collateral risk issues Products may make recommendations for enterprise mitigation of identified risk
@ FOCI I Defense Security Service 11
Owners Organizational Structure Control & Management C WHY?
Lawful Activity Influencers Affiliates / Partners / Associations Customers NISP Compliance 0
Suppliers/Supply Chain 0
Industry (sole source)
Financial Viability Foreign Debt/Reliance Foreign Targeting Foreign Subsidiaries Program / Asset Importance Technology Security Posture/NISP Compliance 12
Mitigation Strategy Unit identifies, mitigates, and oversees FOCI risks in NISP Negotiates and emplaces contractual agreements that require FOCI companies to acknowledge risks and mitigate them Risk mitigation measures could include:
- reorganizing corporate boards
- reviewing electronic communications
- physically separating from FOCI affiliates
- training employees on FOCI and national security issues
@ FOCI I Defense Security Service 13
MITIGATION OWNERSHIP CONTROL DETAILS Board Minority AND No Control
. Foreign interest has minority ownership insufficient to Resolution (BR)
Ownership control the cleared company, e.g. by appointing Directors
(< 50%)
to the Board or making managerial decisions.
Security Minority AND Right to
. Foreign interest has minority ownership sufficient to control Control Ownership representation,
. Requires nomination of disinterested, cleared, U.S. citizen Agreement
(< 50%)
whether or not Outside Directors, to be approved by DSS (SCA) exercised Special Majority OR Effective control
. Foreign interest has majority ownership and/or effectively Security Ownership controls Agreement
(> 50.1 %)
. Requires disinterested, cleared, U.S. citizen Outside Directors (SSA)
. Access limitations
. Allows for Inside Directors Proxy Majority OR Effective control
. Requires foreign interest to convey most voting rights Agreement Ownership
. Requires complete independence from foreign interest (PA)
(> 50.1%)
. Requires cleared, disinterested, U.S. citizen proxy holders
. Does not allow Inside Directors Voting Trust Majority OR Effective control
. Requires foreign interest to convey legal title, Agreement Ownership independence (VTA)
(> 50.1 %)
. Requires cleared, disinterested, U.S. citizen trustees (No NID) 14
Supplement Type Visitation Restrictions Financial Reporting Formats Electronic Communications Plan (ECP)
Technology Control Plan (TCP)
Affiliated Operations Plan (AOP)
Facility Locations Plan (FLP)
Security Provisions For...
Foreign visitors Financial reviews Communications monitoring Export control compliance Affiliated operations/shared services Collocation NISPOM 2-300(f) - The Federal Government reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that unauthorized access to classified information is effectively precluded and that performance of classified contracts is not adversely affected.
15
Inside Directors - Optional for SCA's, SSA; representatives of the ultimate foreign parent who may serve on the Board, provided that they are formally excluded from access to classified information at the cleared company.
Government Security Committee (GSC) - Required for SCA's, SSA, PA, and VTA; a permanent subcommittee of cleared U.S. citizens who serve as Directors on the cleared company's Board. Inside Directors may not serve on the GSC.
Compensation Committee (CC) - Required for SCA's, SSA, PA, and VTA; a permanent subcommittee of the cleared company's Board responsible for setting compensation policy for the cleared company. Inside Directors may serve on the CC, provided that an equal number of Outside Directors participate as well.
16
Continuous Monitoring
~
(Change Condition/ Amendment/
Renewal)
- E-FCL Package Completed
- QA Performed Mitigation Oversight
)
- Conduct Comprehensive f
Security Reviews
- Continuous Monitoring &
Oversight FOCI Program Identify & Assess Negotiate Mitigate Implement Oversee Mitigation Implementation
}
Identification & Assessment
- Mitigation and Adjudication Recommendations
- FOCI Assessment Completed l Mitigation Negotiations
- Review / Negotiate Draft Agreement
- Request Outside Directors /
Proxy Holders/Voting Trustees
- Schedule and Hold Initial Meeting
'WI' FOCI I Defense Security Service 17
Countrv IINum. 11 Pct.
United Kingdom 54 30.68%
Canada 23 13.07%
France Germany Japan Sweden Italy Netherlands Singapore Denmark Ireland 13 7.39%
12 6.82%
10 5.68%
7 7
7 7
4 4
Australia 4
3.98%
3.98%
3.98%
3.98%
2.27%
2.27%
2.27%
1.70%
1.70%
1.70%
1.14%
1.14%
1.14%
1.13%
4.55%
Cayman Islands 3
Luxembourg 3
Israel Norway Virgin Islands Lithuania India Other 3
2 2
2 2
8
" FOCI I Defense Security Service 68% FOCI Countries are in Euro~e
~
18
Visit DSS at www.dss.mil
- ---- ~*-*
Review NISPOM Section 2-300 LEARN Review DoD Manual Number 5220.22, Volume 3 MORE!
Review ISL 2009-03 (Material Changes)
Attend DSS-hosted Annual FOCI Conference Work closely with your Industrial Security Representative Work closely with your Mitigation Strategies Action Officer Visit the Center for Development of Security Excellence (COSE) at:
http://www.cdse.edu/stepp/index.html
@ FOCI I Defense Security Service 19
~
QUESTIONS?
Business Analysis and Mitigation Strategy Division (BAMS)
Industrial Security Integration and Applications Directorate (IP)