A company operating under FOCI mitigation agreements (Voting Trust Agreement, Proxy Agreement, Special Security Agreement and Security Control Agreement) may be required to develop additional procedures to ensure their FOCI is effectively mitigated.
Business functions or teaming arrangement with affiliates of a FOCI mitigated company are not authorized. When a company desires to engage in such arrangements with any affiliate the services must be approved by the GSC and DSS in advance or as set forth in your FOCI Mitigation Agreement. Relationships with the Affiliates requiring advance approval include:
Instances when DSS identifies an affiliated service occurring without approval may negatively impact a company's Security Rating. DSS developed a template Affiliated Operations Plan (AOP) to assist Industry in requesting DSS review potential FOCI Affiliated Services.
For companies in process for a FOCI Mitigation Agreement, an AOP must be submitted from the Senior Management Official to their DSS Industrial Security Representative. Each service within the AOP must address:
Companies operating under a FOCI Mitigation Agreement who plan to request affiliated services must have an AOP approved by DSS in advance of deployment of the service. The Government Security Committee is responsible for submitting an AOP to DSS through your Industrial Security Representative.
Companies with previously approved Administrative Services Agreements (ASA) are not required to submit a new AOP. However, any substantive changes made to existing ASAs will require resubmission of an AOP for DSS review and approval, comprised of requested services and any previously approved services.
All AOPs should be submitted to the FOCI Operations Division via the firstname.lastname@example.org mailbox. Please include in the subject line the company name, CAGE code, and AOP Submission.
Affiliated Operations Plan Template
Navigating the Affiliated Operations Plan: A Guide for Industry (05/11/2016)
A Technology Control Plan (TCP) approved by DSS shall be developed and implemented by those companies cleared under a Voting Trust Agreement, Proxy Agreement, Special Security Agreement, or Security Control Agreement. DSS may also require a TCP be developed in other situations in its sole discretion.
The TCP shall prescribe all security measures determined necessary to reasonably foreclose the possibility of unauthorized access to classified or export controlled information by non-U.S. citizen employees or visitors, or affiliates, as defined by the FOCI mitigation agreement. The TCP shall also establish measures to assure that access by non-U.S. citizens and the foreign affiliates is strictly limited to only the information for which appropriate Federal Government disclosure authorization has been obtained.
Sample Technology Control Plan (TCP)
An Electronic Communications Plan (ECP) is required for Security Control Agreements, Special Security Agreements, Proxy Agreements, and Voting Trusts. Within the ECP the Government Security Committee (GSC) establishes written policies and procedures assuring electronic communications between the FOCI Company and its subsidiaries and the Affiliates do not disclose classified information or export controlled information without proper authorization. The ECP also ensures that the Affiliates cannot exert influence or control over the FOCI Company's business or management in a manner that could adversely affect the performance of classified contracts.
A completed ECP consistent with the DSS Template ECP must be submitted to DSS within 45 days of the execution of the mitigation agreement. Failure to submit this document within the requisite 45 days may negatively impact a FOCI company's Facility Security Clearance (FCL).
DSS released an updated ECP template for use by facilities under foreign ownership, control or influence (FOCI) mitigation. DSS has updated the ECP Template based on an internal review of the document; feedback from Outside Directors/Proxy Holders; and feedback from Industry. This version replaces the previous ECP template released on 6/28/10.
ECP Summary of Changes:
Removal of Phone Log Requirement Memo
Electronic Communications Plan Template
Electronic Communications Plan Sample
All ECPs should be submitted to the FOCI Operations Division via the email@example.com mailbox. Please include in the subject line the company name, CAGE code, and ECP Submission.
FOCI Mitigation Agreements (SCA, SSA, Proxy, and VT) establish requirements for visitation between the FOCI Company and their Affiliates. Any deviations from the requirements in the FOCI mitigation agreements must be approved prior to implementation by DSS.
Many SSAs and Proxy Agreements require seven (7) days of advance notice for Outside Director or Proxy Holder visit approvals unless precluded by unforeseen exigencies. DSS requires advance approval of visits; however, defers to the Government Security Committee (GSC) to determine the appropriate advance notice required. Once the GSC has determined the suitable advance notice period for visit requests it must be formalized in writing to DSS. Furthermore DSS defers to the GSC on what constitutes an unforeseen exigency, so long as visits are reviewed and approved after the event.
For FOCI mitigation purposes, collocation is a concern when a FOCI-mitigated company is located within the proximity of an affiliate, as defined within the FOCI mitigation agreement, which would reasonably inhibit the company's ability to comply with the FOCI agreement. Such scenarios may include being located in the same building, campus, or adjoined buildings with an Affiliate.
FOCI collocation is not authorized, and DSS will determine when a company is collocated in its sole discretion. When a company is located within close proximity to its foreign parent or an affiliate a Facilities Location Plan (FLP) must be approved by DSS in advance. Instances when DSS identifies a FOCI collocation without an approved FLP or previously approved DSS Collocation Plan may negatively impact the Security Rating. DSS developed a template FLP to assist Industry in requesting DSS review potential FOCI collocations.
For companies in process for a FOCI Mitigation Agreement, who are located closely with an Affiliate, a Facilities Location Plan must be submitted from the Senior Management Official to their DSS Industrial Security Representative.
Companies operating under a FOCI Mitigation Agreement, who plan to relocate to an area within close proximity to an Affiliate, must have a FLP approved by DSS in advance of relocation. The Government Security Committee is responsible for submitting a FLP to DSS.
Companies with previously approved Collocation Plans by DSS are not required to submit a new FLP. However, any substantive changes made to existing Collocation Plans will require resubmission of a FLP for DSS review and approval.
All FLPs should be submitted to the FOCI Operations Division via the firstname.lastname@example.org mailbox. Please include in the subject line the company name, CAGE code, and FLP Submission.
Download the Facilities Location Plan Template.