CFIUS: Compliance with a National Security Agreement


This is the second article in a three-part series on complying with the new FIRRMA law on direct foreign investment in the U.S. In this article, National Security Agreements (NSAs) are discussed. NSAs are the contractual outcome of the rigorous process for having direct foreign investment transactions approved by the U.S. The first article in the series is CFIUS and FIRRMA: Protecting Technology and Intellectual Property.

The Committee on Foreign Investment in the United States (CFIUS or the Committee) reviews transactions of direct foreign investment in a U.S. entity for national security risks. This review addresses the risk that technology or intellectual property might be transferred outside of the U.S. as a result of investment by a foreign entity. Broad and modern powers were granted to CFIUS under the Foreign Investment Risk Review Modernization Act of 2018¹ (FIRRMA or the Act). The Act expanded CFIUS oversight, nearly doubling the list of national security factors for CFIUS to consider in its risk reviews.

As a result, U.S. companies considering investments from foreign entities and foreign corporations looking to invest in the U.S. should prepare for a significant CFIUS review process. A pilot program became effective on November 10, 2018, specifying North American Industry Classification System (NAICS) codes, industries, and technologies for some transactions dealing with critical technologies. The pilot program does not address critical infrastructure or assembled personal information. It is generally expected that CFIUS annual filings will multiply from hundreds to over a thousand in 2019.

Beyond the 27 industries called out in the Act's pilot program, many other companies may be affected:

  • Investment funds that invest capital and have a degree of oversight and control.
  • Real estate companies and funds that may have critical infrastructure — including government offices — in their portfolios.
  • Financial institutions and data processing companies that hold assembled personal data on U.S. citizens.
  • Autonomous vehicle manufacturers, designers, and component suppliers.

National Security Agreements

If an intended foreign acquisition or investment in a U.S. business presents a national security risk, the acquirer, acquiree, and CFIUS will discuss national security risks. They will negotiate and sign an NSA that lays out provisions to ensure that security risks will be addressed. The NSA will include a risk mitigation plan to protect matters of national security. The NSA sets out the terms on which the covered transaction will be permitted. It includes restrictions and controls that CFIUS imposes as a condition of consenting to the transaction.

The NSA can be broad and include a wide range of conditions. The security risk being mitigated depends on variables such as the importance of the acquisition from a national security and/or critical infrastructure perspective; critical technologies; real estate and the proximity to a government installation; and whether the acquiree performs any classified or sensitive work for the U.S. government, particularly in the areas of defense, law enforcement, and national security.

Examples of some provisions that have been included in NSAs are:

  • Communications infrastructure must be located largely or exclusively in the U.S.
  • Transaction data related to domestic communications is stored largely or exclusively in the U.S.
  • U.S. government or U.S. customers' records and data are stored largely or exclusively in the U.S.
  • Outsourcing to non-U.S. entities is restricted or prohibited.
  • Guarantee that any third-party contractor performing a function covered by the NSA will comply with its terms.
  • U.S. government inspections of U.S.-based facilities.
  • U.S. government interviews of U.S.-based personnel on very short notice.
  • Control of acquiree must be maintained by the acquiring company.
  • Critical technologies and intellectual property must be maintained in the U.S.
  • Appointment of a third-party auditor or monitor. 

Complying with National Security Agreements

The acquirer and acquiree agree with CFIUS to design, implement and operate certain compliance policies, procedures and controls responsive to mitigating the risks — a mitigation plan. In other words, the NSA defines how the threat to U.S. national security will be mitigated, the parties agree through the NSA to do so, and an independent compliance function validates that a mitigation plan has been implemented and is operating effectively. To ensure compliance, the Committee explicitly allows a third party to be engaged to review compliance with the NSA and validate agreed-upon milestones during the life of the agreement, usually on an annual basis. This provision is designed to identify and enforce compliance where CFIUS defines a precondition to allowing the transaction.

Mitigation provisions depend on the transaction. These may include limitations on access to parts of the target's business, information, data, technology, or products. Provisions may also include restrictions on governance, delivery to U.S. government customers, access to U.S. government agencies, and periodic reporting/meeting requirements. In addition, CFIUS may require that the purchaser strengthen governance by placing the acquired assets into a voting trust or proxy structure, which would be managed by independent parties, eliminating the purchaser's access.

Ongoing Compliance

Compliance does not stop when the NSA is signed. It is ongoing for the duration of the agreement. Fines and investigations remain a possibility at any time. After a transaction is approved, an independent third-party monitor or auditor may be required under the terms of the NSA to prepare an annual report of compliance with the terms of the agreement. Ongoing compliance processes require ongoing investments by the company, including information technology needs and the cost of the independent monitor.

Avoiding a National Security Agreement

During the review process, the acquiring company can negotiate with CFIUS. If changes have been incorporated into the acquisition agreement and the resulting entity's operational policies, there is a small chance that an NSA can be avoided. But the process is becoming more formalized as time goes by, and this possibility is less often seen. Also, it is important in the due diligence stages, or before, that a risk assessment is performed to identify the risks to the transactions and consider whether alternate structuring of the transaction is advisable.


Foreign entities considering an investment in U.S. companies and U.S. companies seeking direct foreign investment should understand the full CFIUS process before entering into a transaction. They should have a plan for evaluating and mitigating U.S. national security issues, and a plan for documenting their compliance with the NSA for the agreement's duration.


  • National Security Agreements (NSA) are an expected outcome of the Committee on Foreign Investment in the United States (CFIUS) process.
  • Compliance begins when the NSA is signed and continues for the duration of the agreement.
  • The acquirer and acquiree can be required to have a monitor provide an annual report to verify compliance with the provisions of the NSA.
  • NSAs may be avoided through negotiation with CFIUS, but this is unlikely.
  • Preparation will pave the way for a smoother review process and a sustainable plan for evaluating processes, mitigating risk, and complying with the NSA.

In our third article, we will outline how a sustainable CFIUS compliance function might be established using the Three Lines of Defense model.

Michael Rose, Partner at Grant Thornton LLP, also contributed to this Alert, which appeared as an article in the February 2019 issue of Compliance & Ethics Professional Magazine.

¹ U.S. Department of the Treasury, "The Committee on Foreign Investment in the United States (CFIUS)" August 2018, 
