Affiliated Operations Plan

Business functions or teaming arrangements with affiliates of a FOCI mitigated company are not authorized. When a company desires to engage in such arrangements with any affiliate, the services must be approved by the Government Security Committee (GSC) and DSS in advance or as set forth in your FOCI Mitigation Agreement. Relationships with the Affiliates requiring advance approval include:

  1. Affiliated Services;
  2. Shared Third-Party Services;
  3. Shared Persons; and
  4. Cooperative Commercial Arrangements.

Instances where DSS identifies an affiliated service occurring without approval may negatively impact a company's Security Rating. DSS developed a template Affiliated Operations Plan (AOP) to assist Industry in requesting DSS review of potential FOCI Affiliated Services.

For companies in process for a FOCI Mitigation Agreement, an AOP must be submitted by the Senior Management Official to their DSS Industrial Security Representative. Each service within the AOP must address:

  1. Description of the service, to include:
    1. which entity will provide the service;
    2. which entity is paying for the service;
    3. how the shared service benefits the entities;
    4. specific sub-categories of services;
    5. procedures associated with providing the service;
    6. technology to be utilized, including shared software, information systems and applications;
    7. whether the technology described above is classified or export-controlled; types of information to be exchanged through the service;
    8. whether any Key Management Personnel will be involved in the shared administrative service; and
    9. any supporting documentation, such as examples, screenshots, network configuration diagrams or sample reports, as attachments.
  2. Associated Risks and Mitigation Procedures; and
  3. Compliance review procedures and documentation.

Companies operating under a FOCI Mitigation Agreement who plan to request affiliated services must have an AOP approved by DSS in advance of deployment of the service. The Government Security Committee is responsible for submitting an AOP to DSS through your Industrial Security Representative.

Companies with previously approved Administrative Services Agreements (ASA) are not required to submit a new AOP. However, any substantive changes made to existing ASAs will require resubmission of an AOP for DSS review and approval, comprising the requested services and any previously approved services.

All AOPs should be submitted to the FOCI Operations Division via the mailbox. Please include in the subject line the company name, CAGE code, and AOP Submission.

Affiliated Operations Plan Template

Navigating the Affiliated Operations Plan: A Guide for Industry (05/11/2016)