Navigating United States' national security requirements under CFIUS


John Lash
Key expert


The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) created a new reality for US companies and foreign investors partaking in transactions focused on critical technologies. On September 17, 2019, the Department of Treasury released draft regulations to implement the changes that FIRRMA made to CFIUS’s jurisdiction and processes.

These changes represent a significant expansion of authority and were necessary to address the evolving national security threat environment, particularly the risks inherent in Technology, Infrastructure, and Data (“TID”) US Businesses. While the updates present a more complex regulatory environment, the release of the draft regulations provides needed clarity for companies and investors to understand and adjust to the current state of play.

Successful models and deal-making strategies will account for the nuance of an evolved security and technological environment, while recognizing the need to engage early and aggressively to address potential national security concerns.

Control Risks’ unique blend of geopolitical, regulatory, technology and cyber expertise provides us with a distinct advantage to advise on matters of international trade compliance, and foreign direct investment in the US as covered by CFIUS.

Whether you are in the early stages of exploring a covered transaction under CFIUS jurisdiction, in need of an independent third party to assess compliance with a CFIUS mitigation agreement, or need help complying with regulations including the mitigation of foreign ownership, control or influence (FOCI), we have the regulatory experience, cybersecurity capabilities and independent standing to support your CFIUS-related needs, including:


Deal risk diligence
  • Evaluate the national security risk(s) inherent in a transaction, including assessments of company operations, subsidiaries, supply chain, corporate security posture, information technology and network architecture, and internal controls.
  • Assist with the evaluation of potential CFIUS mitigation options as well as the cost of development and operationalization of compliance solutions.

Mitigation advisor

Develop governance and compliance models to meet mitigation requirements as set forth by CFIUS or during term sheet negotiations, including assistance with:

  • Compliance optimization
  • Preparing for a CFIUS audit
  • Meeting reporting requirements

Third-party analyst (TPA)
  • Evaluate the risks to national security posed by a transaction and develop a CFIUS monitoring plan that will mitigate the identified risks.
  • Develop and deploy a third-party assessment and monitoring plan (TPA&MP) throughout the enterprise in accordance with CFIUS compliance requirements.

Third-party independent auditor
  • Perform an independent audit to evaluate compliance with stated mitigation terms within a national security agreement (NSA), letter of assurance (LOA), order of divestiture or other stipulated CFIUS mitigation agreement.

Third-party independent monitor (TPM)
  • Serve as an independent CFIUS monitor, providing services to evaluate compliance with stated mitigation terms within an NSA, LOA, order of divestiture or other stipulated mitigation agreement.

Security director / security officer
  • Perform services as the nominated and approved security officer with respect to a CFIUS mitigation agreement, including oversight, monitoring and operational control of compliance requirements throughout the enterprise.

Third-party vendor reviewer (TPVR)
  • Evaluate vendors within components of the global and domestic supply chain to assess the risk to national security.