/

Enclosure 2

• Established in 1972

• Headquartered in Quantico, Virginia

• A federal agency of the Department of Defense (DoD}

• The Under Secretary of Defense for Intelligence provides

authority, direction, and control over DSS

• Originally known as the Defense Investigative Service until 1999

• Oversees the protection of U.S. and foreign classified information and technologies in the hands of cleared industry under the National Industrial Security Program (NISP}

• The NISP was established in 1993 by E.O. 12828; intended to safeguard classified information entrusted to contractors

• Serves as the DoD Functional Manager responsible for the execution and maintenance of DoD security education, training, and certification

• Provides support to 32 federal agencies --~----~-------------- -­and approximately 13,500 cleared contractor facilities

2

lo•

\ ~._ ......• - \ '"'\ ---....

~ ~~---

_ _..----Le-, _ , .,~ ~ ---

• I • • / ·-~IIMOTA

. - - - ---~~-f ·----.._souTHDMOTA

: -- , -·---t· . ~~---""""·,.,,

,~~----

~ •

•

~ ,1 • • -----..___ @ --a-

• • • G ll I f o f

• !l I -------

M exico ' (!,

\ •

10,000 + cleared companies at over 13,500 locations

FOCI I Defense Security service DSS Locations: 4 Regions, 45 locations, 26 Field Offices

..

3

• Interprets policy & provides guidance for the NISP

• Manages enterprise operations through EMMC

• Supports CFIUS process

• Manages NID program

• Assesses and mitigates FOCI for companies in the NISP

• Ensures the protection and oversight of secured international transfers of classified information

• Manages the security oversight functions of DSS's direct and indirect support to the Special Access Program community

4

EMMC Mission Set 1. CFIUS 2. DiT Phase 1 Implementation 3. NIDs 4. FCL review (initial, changed) 5. FOCI 6. Referral

Findings?

Findings?

Acceptable~

5

Case Type Priority 1 Identified Risk to Classified

2 CFIUS, Unmitigated FOCI, Medium-High Special Interest

3 DSS in Transition Cases Medium-High

4 National Interest Medium-Low Determinations

5 In-process FCL's [ Low ] 6 Changed Condition FCL, In-

process FOCI, Company Engagement I

Low

I • Initial case priorities are based upon the levels indicated

in this chart but can elevated using the EMMC's priority elevation factors

• The EMMC's list of elevation factors are constantly evolving to meet the needs of our customers

FOCI I Defense Security Service

6

(@External Input: U.S. Government requests NID or CFIUS Input

CFIUS: CFIUS lead requires input on JVN

submission ~ughemai\

lnP-Ut o days

NID: External c,1t agency requests

· support for a NID through email

Control 1 day

Create foundational

analysis document as ::1 required

__ ___,T1....r------lt-l -

CFIUS: Specialist adds case to ~ production ~

tracker

NID: Specialist confirms case submission is complete

Return to sende with 30-day

suspense if case is missing

documents

Close case if DSS has no equities; update parties as appropriate

Closing 1-2 days

Send to EM for next action

or further analysis

7

'11 0 (")

8

• FOCI = Foreign Ownership, Control, or Influence

• "A U.S. company is considered under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the US company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts."

• "A U.S. Company determined to be under FOCI is ineligible for a FCL unless and until security measures have been put in place to mitigate FOCI ... "

- NISPOM 2-300

9

The following eight factors are considered, in aggregate, to determine a company's FOCI exposure:

1) Record of economic and government espionage against the U.S.

2) History of cooperation on technology transfer

3) Type and sensitivity of information that will be accessed

4) Source, nature and extent of FOCI

5) Company's record of compliance with U.S. laws, regulations, and contracts

6) Nature of bilateral or multilateral security agreements with foreign governments

7) Foreign government ownership or control

8) Any other factor indicating or demonstrating a capability on the

part of the foreign interests to control or influence the

operations or management of the business

- DoD Manual 5220.22, Volume 3

FOCI I Defense Security Service

10

• Foundational Analysis: - Triage and limited scope first-touch

analysis of analytic requests - Goal: identify risk/threats associated

with FOCI; security; intelligence; criminal activities; and complex business structures.

- Significant findings 7 coordination with other analytical elements

• Advanced Analytics: - Comprehensive deep-dive analysis,

leveraging supplemental products with technology or industry insights; expanded financial information; or collateral risk issues

- Products may make recommendations for enterprise mitigation of identified risk

@ FOCI I Defense Security Service

11

• Owners • Organizational Structure • Control & Management C WHY? • Lawful Activity • Influencers • Affiliates / Partners / Associations • Customers • NISP Compliance 0 • Suppliers/Supply Chain 0 • Industry (sole source) • Financial Viability • Foreign Debt/Reliance • Foreign Targeting • Foreign Subsidiaries • Program / Asset Importance • Technology • Security Posture/NISP Compliance

12

• Mitigation Strategy Unit identifies, mitigates, and oversees FOCI risks in NISP - Negotiates and emplaces contractual agreements that require FOCI

companies to acknowledge risks and mitigate them - Risk mitigation measures could include:

• reorganizing corporate boards • reviewing electronic communications • physically separating from FOCI affiliates • training employees on FOCI and national security issues

@ FOCI I Defense Security Service

13

MITIGATION OWNERSHIP CONTROL DETAILS

Board Minority AND No Control . Foreign interest has minority ownership insufficient to

Resolution (BR) Ownership control the cleared company, e.g. by appointing Directors

(< 50%) to the Board or making managerial decisions.

Security Minority AND Right to . Foreign interest has minority ownership sufficient to control

Control Ownership representation, . Requires nomination of disinterested, cleared, U.S. citizen

Agreement (< 50%) whether or not Outside Directors, to be approved by DSS

(SCA) exercised

Special Majority OR Effective control . Foreign interest has majority ownership and/or effectively

Security Ownership controls

Agreement (> 50.1 %) . Requires disinterested, cleared, U.S. citizen Outside

Directors (SSA) . Access limitations . Allows for Inside Directors

Proxy Majority OR Effective control . Requires foreign interest to convey most voting rights

Agreement Ownership . Requires complete independence from foreign interest

(PA) (> 50.1%) . Requires cleared, disinterested, U.S. citizen proxy holders . Does not allow Inside Directors

Voting Trust Majority OR Effective control . Requires foreign interest to convey legal title,

Agreement Ownership independence

(VTA) (> 50.1 %) . Requires cleared, disinterested, U.S. citizen trustees

(No NID)

14

Supplement Type

Visitation Restrictions

Financial Reporting Formats

Electronic Communications Plan (ECP)

Technology Control Plan (TCP)

Affiliated Operations Plan (AOP)

Facility Locations Plan (FLP)

Security Provisions For ...

Foreign visitors

Financial reviews

Communications monitoring

Export control compliance

Affiliated operations/shared services

Collocation

NISPOM 2-300(f) - The Federal Government reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that unauthorized access to classified information is effectively precluded and that performance of classified contracts is not adversely affected.

15

• Inside Directors - Optional for SCA's, SSA; representatives of the ultimate foreign

parent who may serve on the Board, provided that they are formally excluded from

access to classified information at the cleared company.

• Government Security Committee (GSC) - Required for SCA's, SSA, PA, and VTA; a

permanent subcommittee of cleared U.S. citizens who serve as Directors on the

cleared company's Board. Inside Directors may not serve on the GSC.

• Compensation Committee (CC) - Required for SCA's, SSA, PA, and VTA; a

permanent subcommittee of the cleared company's Board responsible for setting

compensation policy for the cleared company. Inside Directors may serve on the

CC, provided that an equal number of Outside Directors participate as well.

16

Continuous Monitoring ~

(Change Condition/ Amendment/ Renewal)

• E-FCL Package Completed • QA Performed

Mitigation Oversight )

• Conduct Comprehensive f Security Reviews • Continuous Monitoring &

Oversight

FOCI Program Identify & Assess

Negotiate Mitigate

Implement Oversee

Mitigation Implementation

} Identification & Assessment

• Mitigation and Adjudication Recommendations

• FOCI Assessment Completed

l Mitigation Negotiations

• Review / Negotiate Draft Agreement

• Request Outside Directors / Proxy Holders/Voting Trustees

• Obtain Approvals for Mitigation, ECP, TCP, AOP, FLP and Outside Directors/ Proxy Holders 16\ • Schedule and Hold Initial Meeting 'WI' FOCI I Defense Security Service

17

Countrv II Num. 11 Pct. United Kingdom 54 30.68%

Canada 23 13.07%

France

Germany

Japan

Sweden

Italy

Netherlands

Singapore

Denmark

Ireland

13 7.39%

12 6.82%

10 5.68%

7

7

7

7

4

4

Australia 4

3.98%

3.98%

3.98%

3.98%

2.27%

2.27%

2.27%

1.70%

1.70%

1.70%

1.14%

1.14%

1.14%

1.13%

4.55%

Cayman Islands 3

Luxembourg 3

Israel

Norway

Virgin Islands

Lithuania

India

Other

3

2

2

2

2

8

" FOCI I Defense Security Service

68% FOCI Countries are in Euro~e ----,

~

18

• Visit DSS at www.dss.mil . - ---- ~·-· . - . . ..

• Review NISPOM Section 2-300 LEARN • Review DoD Manual Number 5220.22, Volume 3 MORE! • Review ISL 2009-03 (Material Changes)

• Attend DSS-hosted Annual FOCI Conference

• Work closely with your Industrial Security Representative

• Work closely with your Mitigation Strategies Action Officer

• Visit the Center for Development of Security Excellence (COSE) at:

http://www.cdse.edu/stepp/index.html

@ FOCI I Defense Security Service

19

~

QUESTIONS?

Business Analysis and Mitigation Strategy Division (BAMS) Industrial Security Integration and Applications Directorate (IP)

DSS - QUANTICO VIRGINIA

20