Aerospace and Defense Deal Landscape
The aerospace and defense sector encompasses a wide range of business types, each carrying a distinct regulatory footprint in an M&A transaction. At the top of the supply chain sit the Tier 1 prime contractors, companies that hold direct contractual relationships with the Department of Defense and manage large, complex programs from design through production and sustainment. These entities are the most heavily regulated, typically holding multiple facility security clearances at the Top Secret level and carrying significant obligations under ITAR, DFARS, and CMMC. Acquiring a Tier 1 contractor is a major undertaking that requires a buyer prepared to navigate a multi-agency approval process spanning DCSA, CFIUS, DDTC, and DoD contracting offices simultaneously.
Below the primes, the Tier 2 and Tier 3 subcontractor base represents a far more accessible entry point for strategic acquirers and private equity buyers. These companies supply components, subsystems, manufacturing services, and specialized engineering capabilities to the primes and, in some cases, directly to the government. Their regulatory profiles vary considerably. A Tier 2 manufacturer of precision-machined structural components may hold a Secret-level clearance and handle Controlled Unclassified Information under DFARS, while a Tier 3 software shop supporting a classified program may have a Top Secret clearance and extensive NIST SP 800-171 compliance obligations. Understanding exactly where a target sits in the supply chain, and what it touches in terms of classification level, export-controlled data, and government customer relationships, is the essential first step in any defense M&A legal analysis.
Specialty service providers represent a third category that is growing in transactional volume: companies offering cybersecurity services, intelligence analysis support, logistics and maintenance, simulation and training, and systems integration. These businesses often lack manufacturing assets but carry substantial compliance obligations, particularly around personnel security clearances, classified information systems, and CUI handling. Their value frequently resides in cleared personnel and program relationships rather than physical assets, which creates unique due diligence challenges around workforce retention and clearance portability after a change of ownership.
Deal structures in aerospace and defense are heavily influenced by regulatory constraints. Stock acquisitions are generally preferred because the legal entity holding clearances, contracts, and registrations remains unchanged, avoiding the need to novate contracts or re-apply for facility clearances. Asset acquisitions are structurally simpler in some ways but operationally more complex in defense because virtually every valuable asset, whether a cleared facility, an export-controlled technical data package, or a classified contract, requires separate government action before it can be transferred to the buyer. Counsel must map the deal structure to the specific assets and obligations being acquired from the outset, not after the letter of intent is signed.
ITAR and EAR Export Control Framework in Defense Transactions
The International Traffic in Arms Regulations and the Export Administration Regulations together create the foundational compliance framework that governs what a defense contractor can do with its technical data, hardware, and services, and with whom it can share them. ITAR, administered by the State Department's Directorate of Defense Trade Controls, controls items on the U.S. Munitions List, including virtually all weapons systems, military electronics, spacecraft systems, and their associated technical data and services. EAR, administered by the Commerce Department's Bureau of Industry and Security, controls dual-use items on the Commerce Control List. Most defense contractors with classified programs or weapons system work are primarily subject to ITAR, though many also have EAR-controlled items in their product lines.
In a defense M&A transaction, the ITAR and EAR compliance status of the target must be evaluated at multiple levels. At the entity level, buyers must confirm that the target holds a current ITAR registration with DDTC and that the registration is in good standing, meaning no pending compliance reviews, no consent agreements, and no debarment or denial orders. Registration must be amended within five days of a change of ownership, so the amendment package should be prepared before closing. At the agreement level, buyers must inventory all Technical Assistance Agreements, Manufacturing License Agreements, and export licenses currently in effect, as these authorizations are specific to the registered entity and cannot simply be assumed by the buyer without DDTC approval. At the personnel level, buyers must understand which employees have access to ITAR-controlled technical data and whether any of those employees are foreign persons who are accessing such data under a license or exemption that could be affected by the transaction.
The interaction between ITAR and the deemed export rule is particularly important. A deemed export occurs when controlled technology is released to a foreign national in the United States, because such a release is treated as an export to that person's home country. When a foreign acquirer purchases a U.S. defense contractor, the foreign parent's employees who might access controlled technical data in their new subsidiary are subject to the deemed export rule. This means that even within the four walls of the acquired U.S. entity, access by foreign nationals to ITAR-controlled data requires licensing or an applicable exemption, unless those individuals already hold appropriate authorizations. Buyers must audit the target's workforce and technology access protocols to ensure that post-closing access patterns remain compliant.
Technical Data Transfer and Deemed Export Considerations
Technical data under ITAR is broadly defined to include information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This definition sweeps in an enormous range of materials that a defense contractor routinely handles: engineering drawings, specifications, design documents, software source code, test data, and manufacturing process documentation. In an M&A context, the transfer of access to this data as part of the buyer's due diligence and post-closing integration activities is itself a regulated export event that requires careful legal structuring.
During due diligence, buyers must avoid receiving ITAR-controlled technical data unless they are themselves ITAR-registered or unless the disclosure falls within an applicable ITAR exemption. The most commonly used exemption in M&A due diligence is the bona fide employee exemption under ITAR 125.4(b)(9), but this exemption has limits and does not apply to foreign persons who would not otherwise be eligible for access. The practical result is that due diligence data rooms handling ITAR technical data must be restricted to U.S. persons, and counsel must structure NDA and data room access protocols accordingly. In transactions involving foreign buyers, even the buyer's U.S.-citizen advisors may be subject to restrictions if they are engaging with data at the direction of a foreign entity that does not yet have authority to receive it.
Post-closing, the integration of an acquired contractor's technical data into the buyer's systems and workflows requires careful analysis of each data element against the ITAR and EAR control lists. Data migration, system consolidation, and cloud hosting decisions all carry compliance implications. Storing ITAR-controlled technical data on servers located outside the United States, or managed by a foreign cloud service provider, constitutes an unauthorized export unless covered by a license or exemption. Defense sector buyers who plan to integrate acquired technical data into global IT infrastructure must work with export control counsel and, in many cases, obtain specific DDTC authorization before proceeding.
Facility Security Clearance and the Defense Counterintelligence and Security Agency
A facility security clearance is the government's authorization for an organization to access, store, and use classified national security information in performance of classified contracts. The Defense Counterintelligence and Security Agency is the primary agency responsible for granting and maintaining facility clearances for contractor facilities supporting DoD and most other federal departments. An FCL is issued at a specific classification level, typically Confidential, Secret, or Top Secret, and is tied to the specific legal entity and physical facility that holds it. It is not a transferable asset in the conventional sense: when ownership of a cleared entity changes, DCSA must be notified and must evaluate whether the clearance remains appropriate in light of the new ownership structure.
In a stock acquisition where the cleared entity's legal structure is unchanged, the FCL nominally continues in place, but the change of ownership triggers a mandatory DCSA notification and review. DCSA will evaluate whether the new parent or controlling entity introduces any FOCI concerns and, if so, what mitigation instrument is required. Until DCSA completes its review and, where necessary, approves a mitigation instrument, the cleared entity operates in a kind of regulatory limbo: it retains its clearance and can continue performing cleared work, but the new parent cannot exercise control over classified operations. Buyers must build this reality into their integration planning and governance documentation from day one of ownership.
In an asset acquisition, the situation is more complicated because the buyer is a new legal entity that does not hold a facility clearance. Before the buyer can perform classified work at an acquired facility, it must obtain its own FCL. This requires sponsorship from a classified contracting authority, typically achieved through continuation of existing classified contracts that are novated to the buyer. The buyer must also demonstrate adequate physical and information security, which means the facility itself, its security containers, its classified information systems, and its Standard Practice and Procedures must all receive DCSA approval before classified work can resume. This process can take months and requires active coordination with DCSA from the pre-closing period.
Foreign Ownership, Control, or Influence Mitigation Options
FOCI exists whenever a foreign interest has the power to direct or decide matters affecting the management or operations of a cleared contractor in a way that could expose classified information to unauthorized access. The standard for FOCI is broad and encompasses not only outright foreign ownership but also contractual relationships, financial dependencies, and the presence of foreign nationals in key management positions. DCSA evaluates FOCI risk using a multi-factor test that considers the nature of the foreign interest, the country of origin, the classification level of the cleared work, and the sensitivity of the programs involved.
When DCSA determines that FOCI exists, the cleared contractor cannot simply continue operating under normal conditions. The parties must negotiate and execute an approved FOCI mitigation instrument that limits the foreign interest's ability to access or influence classified operations. The available instruments are graduated by restrictiveness: the Security Control Agreement is least restrictive, the Special Security Agreement is intermediate, and the Proxy Agreement is most restrictive. Selection of the appropriate instrument depends on the specific facts of the transaction and is ultimately a government decision, though DCSA will consider the parties' proposal. Negotiating a mitigation instrument requires direct engagement with DCSA, preparation of detailed organizational and operational information, and often the participation of the Intelligence Community and other DoD stakeholders in the assessment process.
Buyers who are themselves U.S. entities but who have foreign investors, foreign limited partners, or foreign board members may still trigger FOCI concerns if those foreign interests are positioned to exercise influence over the cleared subsidiary. Private equity transactions have received heightened DCSA scrutiny because fund structures often involve foreign limited partners whose interests could aggregate to a level of FOCI-triggering influence. Counsel must assess not just the direct buyer but the entire ownership chain and governance structure to identify any FOCI exposure before closing.
Defense M&A Legal Counsel
FOCI mitigation, export control compliance, and CFIUS review require coordinated legal strategy from the earliest stage of a defense acquisition. We work with buyers and sellers navigating the full regulatory stack.
Submit Transaction DetailsSpecial Security Agreement, Proxy Agreement, and Security Control Agreement
The Special Security Agreement is the most commonly used FOCI mitigation instrument for commercial acquisitions of cleared defense contractors by foreign-owned companies that have a legitimate business rationale for the acquisition. Under an SSA, the foreign parent retains ownership of the cleared entity but accepts significant restrictions on its governance role over classified operations. The cleared entity must establish a Government Security Committee composed of outside, U.S.-citizen directors who are cleared at the appropriate level and approved by DCSA. The GSC is responsible for all decisions affecting classified information, including the hiring and clearance of personnel with access to classified programs, physical security protocols, and information system security. The foreign parent and its representatives are excluded from all GSC deliberations and from any knowledge of specific classified programs or technical data.
The Proxy Agreement is reserved for the most sensitive cases, typically those involving Top Secret Sensitive Compartmented Information programs, critical nuclear programs, or situations where counterintelligence concerns about the foreign interest are acute. Under a Proxy Agreement, U.S.-citizen proxy holders, who are approved by the government, exercise all ownership rights of the foreign investor, including voting rights, financial control, and board representation. The foreign owner retains only a passive economic interest: the right to receive financial returns but not to exercise any operational or governance influence. Proxy Agreements are burdensome and expensive for all parties, and DCSA will negotiate an SSA whenever it is adequate to protect the national security interests at stake.
The Security Control Agreement is appropriate when the foreign interest is limited in scope, such as a minority foreign investor who lacks control rights, or when the cleared entity only performs work at the Confidential level. The SCA requires the establishment of a Government Security Committee but imposes fewer structural restrictions on foreign influence in non-classified operations. It is the least disruptive instrument from an operational standpoint and is generally achievable in a shorter negotiation period. When a target's cleared work is at the Confidential level only and the foreign interest is passive, the SCA may be sufficient, but buyers should not assume DCSA will agree without a thorough analysis of the program content and the foreign investor's profile.
CFIUS and Part 800 Covered Transactions in Defense Context
The Committee on Foreign Investment in the United States reviews foreign acquisitions of U.S. businesses for national security risk under the authority of the Foreign Investment Risk Review Modernization Act of 2018 and its implementing regulations at 31 CFR Part 800. In the defense sector, CFIUS review is not merely a possibility but a near-certainty in any transaction where a foreign person acquires control or certain non-controlling interests in a business that produces, designs, tests, manufactures, or services items subject to export control, that holds classified contracts, or that owns critical technologies. FIRRMA created a mandatory filing requirement for a subset of these transactions, eliminating the prior voluntary-only regime for the most sensitive categories.
A mandatory CFIUS filing is required when a foreign government-owned entity acquires any interest in a TID U.S. business, defined as a company involved in critical technologies, critical infrastructure, or sensitive personal data. Most defense contractors qualify as TID businesses. Mandatory filing is also required when a foreign person acquires control of a TID U.S. business. Parties who fail to file a mandatory notice before closing risk civil monetary penalties equal to the value of the transaction. Beyond the mandatory categories, voluntary CFIUS filings are strongly advisable whenever a defense contractor is involved, because post-closing CFIUS review without a prior filing can result in an order to unwind the transaction or impose conditions that the buyer did not bargain for.
In defense sector reviews, CFIUS pays particular attention to the access that a foreign acquirer might gain to classified information, to controlled technical data, and to key personnel with knowledge of sensitive programs. The committee also evaluates whether the transaction gives a foreign government or its proxies insights into U.S. military capabilities, supply chain dependencies, or research programs that could be exploited for intelligence or strategic advantage. Mitigation conditions imposed by CFIUS, typically through a National Security Agreement negotiated with Treasury and DoD, often overlap with FOCI mitigation instruments required by DCSA, and counsel must coordinate both tracks to avoid conflicting obligations.
Section 847 and FY 2020 NDAA Foreign Investment Disclosure Requirements
Section 847 of the National Defense Authorization Act for Fiscal Year 2020 amended Title 10 of the U.S. Code to require entities entering into or renewing DoD contracts or subcontracts to disclose certain foreign government contracts and interests. The disclosure obligation applies to the offeror and to its affiliates and is not limited to entities that are themselves foreign-owned. A U.S.-based acquirer with foreign subsidiaries, foreign joint ventures, or foreign government contracts is covered by the requirement. The statutory threshold is contracts or agreements with a foreign government or its agents valued at or above one hundred thousand dollars in the aggregate during the prior fiscal year.
The disclosure is not a clearance requirement and does not automatically disqualify a contractor from DoD awards. Its purpose is informational: to give DoD contracting officials and the intelligence community visibility into foreign government relationships that could affect contractor reliability, create conflict of interest risks, or represent potential counterintelligence vulnerabilities. Contracting officers review disclosures as part of their responsibility determination under FAR 9.1, which assesses whether a prospective contractor has the integrity, business ethics, and organizational capacity necessary to perform a federal contract. A failure to disclose, or a material misrepresentation in the disclosure, is treated as evidence of lack of integrity and can support a non-responsibility determination or, in egregious cases, debarment proceedings.
In the context of an acquisition, the Section 847 disclosure obligation is one of the first post-closing compliance actions that the acquiring entity must manage. Counsel should audit the acquirer's entire family of companies for covered foreign government contracts before closing, prepare the disclosure package, and submit it within thirty days of closing to the relevant DoD contracting office. In transactions involving acquiring entities with complex multinational structures, this audit can be substantive and time-consuming, and it should begin during the pre-closing period rather than be treated as an afterthought.
DoD Novation of Federal Prime Contracts
Federal contracts are not freely assignable under the Anti-Assignment Act, which generally prohibits the transfer of government contract rights without agency consent. FAR Subpart 42.12 establishes the novation agreement as the mechanism by which a successor entity obtains the government's consent to assume the rights and obligations of a predecessor contractor under existing contracts. In a defense M&A context, novation is required whenever the legal entity holding the contracts changes as a result of the transaction, which occurs in virtually all asset acquisitions and in some merger structures where the surviving entity is legally distinct from the original contracting entity.
The novation package must include the executed novation agreement itself, signed by the predecessor, successor, and government; the asset purchase agreement or other transaction document demonstrating the transfer; a list of all affected contracts; evidence that the successor has assumed all liabilities under the contracts; evidence that the predecessor has no remaining interest in the contracts; and in most cases, a legal opinion from contractor's counsel addressing the validity of the transfer. The package is submitted to the cognizant contracting officer, which for DoD contracts may be the Defense Contract Management Agency or the relevant program contracting office. When contracts span multiple agencies or multiple contracting offices within DoD, each administering contracting officer must separately execute the novation agreement.
The practical implication is that in an asset acquisition of a defense contractor with a large contract portfolio, the buyer should expect a period of months to years during which contracts are in various stages of the novation process. During this period, performance obligations remain with the predecessor, and the seller must remain in a position to fulfill those obligations even though the underlying business has been transferred. Transition services agreements and contract administration protocols must be carefully structured to manage this period without creating unauthorized assignments or triggering government termination rights.
Structuring Your Defense Acquisition
From novation package preparation to DCSA FOCI negotiation, the regulatory sequence in defense M&A requires legal counsel with direct experience in the process. We can assess your transaction structure and identify the critical path.
Request Engagement AssessmentCMMC 2.0 Certification Requirements and DFARS 252.204-7012
The Cybersecurity Maturity Model Certification program was developed by the Department of Defense to address persistent concerns about the cybersecurity posture of defense contractors, particularly at the subcontractor level where historical audit findings showed widespread non-compliance with existing DFARS cybersecurity requirements. CMMC 2.0, finalized in late 2024, organizes cybersecurity requirements into three levels and phases in mandatory third-party assessment over a multi-year implementation period. For buyers of defense contractors, CMMC 2.0 creates both a due diligence challenge and a potential post-closing remediation obligation that must be quantified before the purchase price is finalized.
DFARS clause 252.204-7012, which has been in contracts since 2017, already required defense contractors to implement the 110 security controls in NIST SP 800-171 and to submit a System Security Plan and an associated Plan of Action and Milestones to the Supplier Performance Risk System. CMMC 2.0 builds on this foundation by adding a third-party assessment requirement for most contractors handling CUI. The critical distinction between 7012 self-attestation and CMMC third-party assessment is the accountability structure: under 7012, a contractor could self-report a score, even a low one, without immediate consequence. Under CMMC Level 2, a third-party assessor from a C3PAO must affirmatively certify the contractor's compliance before it can bid on covered contracts.
In an acquisition, buyers must determine the target's current CMMC posture, including its SPRS score, the completeness and accuracy of its System Security Plan, and the status of any outstanding Plan of Action and Milestones items. A target with a low SPRS score and numerous open POA&M items is not a disqualifying condition, but it represents a remediation investment that the buyer must budget for and a timeline risk if covered contracts require CMMC certification within a specific period. Buyers should also evaluate whether the target's incumbent third-party assessors, if any, and its managed security service providers are suitable for continued engagement after the acquisition.
NIST SP 800-171 Compliance Inheritance and Gap Analysis
NIST SP 800-171 contains 110 security requirements organized across 14 families covering areas such as access control, incident response, configuration management, risk assessment, and system and communications protection. Compliance with these requirements is mandatory for any contractor that handles Controlled Unclassified Information on non-federal information systems, which in practice means almost every defense subcontractor with any level of classified or sensitive program involvement. The framework is demanding: it requires, among other things, multi-factor authentication, encryption of CUI at rest and in transit, comprehensive audit logging, incident response capability, and regular system security assessments.
When a buyer acquires a defense contractor, it inherits the target's NIST SP 800-171 compliance posture, both the documentation and the underlying technical controls. This inheritance is not automatic in the sense of being complete or transferable: if the target's System Security Plan covers specific information systems and specific personnel, the buyer must evaluate whether those systems and personnel will remain in place post-closing or whether integration activities will alter the compliance boundaries. Migrating CUI to the buyer's own information systems requires that those systems meet NIST SP 800-171 requirements and that the migration itself does not create unauthorized disclosure events.
Gap analysis during due diligence should go beyond reviewing the target's self-reported SPRS score, which is notoriously unreliable as a proxy for actual compliance. Buyers should engage a qualified assessor to independently evaluate the target's technical controls against the 110 NIST SP 800-171 requirements and identify gaps that are material to contract performance or certification timelines. The gap analysis should also evaluate the target's supply chain cybersecurity practices, because DFARS 252.204-7012 flows down to all subcontractors handling CUI, meaning the target's own subcontractors represent a compliance risk that the buyer inherits.
Buy American Act, Trade Agreements Act, and Qualifying Country Status
The Buy American Act, codified at 41 U.S.C. 8301 et seq. and implemented through FAR Part 25, requires that the U.S. government purchase domestic end products and construction materials for use inside the United States unless an exception applies. For defense procurement, the Berry Amendment at 10 U.S.C. 4862 adds a domestic content requirement that is in some respects more demanding than the BAA: it requires that specialty metals, food, clothing, tents, and certain other items used in performance of a defense contract be wholly produced or manufactured in the United States. Unlike the BAA, the Berry Amendment has no de minimis exception and applies regardless of dollar value.
In an M&A transaction, buyers must conduct a thorough review of the target's supply chain to identify any items that are subject to BAA or Berry Amendment requirements and to verify that those items currently comply. Compliance cannot be assumed based on historical representations in the target's contracts. A foreign acquirer that intends to integrate the acquired contractor's supply chain with its global sourcing programs must evaluate each proposed change against the applicable domestic content rules before implementation. Substituting a foreign-sourced specialty metal for a domestically sourced equivalent, even if the foreign metal is technically superior and less expensive, is a potential Berry Amendment violation that can result in contract termination and False Claims Act exposure.
The Trade Agreements Act provides a separate exception to the Buy American Act for products from designated countries that are parties to the WTO Government Procurement Agreement or bilateral free trade agreements with the United States. DoD has also designated certain allies as qualifying countries under 225.872 of the DFARS, meaning that specialty metal and other products from those countries are treated as domestic for Berry Amendment purposes. The qualifying country list includes most NATO allies, Australia, and several other key partners. Buyers with manufacturing operations in qualifying countries may find that supply chain integration is more feasible than it initially appears, though specialty metal traceability documentation requirements remain demanding regardless of country of origin.
Small Business Size Standards and Affiliation After Acquisition
The Small Business Administration's size standards determine whether a contractor qualifies as a small business for purposes of set-aside contracts, small business subcontracting credit, and certain SBA lending programs. Size standards vary by North American Industry Classification System code: for aerospace and defense manufacturing, the standard is typically expressed as a maximum number of employees or, for some service categories, average annual receipts. A company that qualifies as small may hold numerous set-aside prime contracts and may benefit from significant price evaluation preferences in unrestricted competitions.
The SBA's affiliation rules aggregate the size of related entities when determining whether a contractor meets the applicable size standard. Two entities are affiliated when one controls the other or when they are under common control, including through shared management, common investors with minority but influential stakes, or contractual relationships that create economic dependency. When a large business acquires a small business defense contractor, SBA affiliation rules cause the acquired company to measure its size against the combined revenues or employee counts of the entire affiliated group. The result is almost always that the acquired small business exceeds the size standard and loses small business status.
Loss of small business status has immediate and concrete financial consequences in the defense sector. The acquired entity becomes ineligible to receive new awards under set-aside contracts, cannot self-represent as small in responses to small business set-aside solicitations, and must recertify as other than small upon novation of existing contracts and upon response to task orders under multiple-award contracts that require recertification. Buyers must model the revenue impact of this recertification obligation as part of pre-closing diligence and factor it into the acquisition price. In some cases, buyers have structured acquisitions to preserve a controlled affiliate's small business eligibility through careful governance design, but this approach requires close coordination with SBA program requirements and experienced small business counsel.
DPAS Priority Ratings and DoD Emergency Authorities
The Defense Priorities and Allocations System, administered by the Commerce Department under delegated authority from the DoD, gives the federal government the authority to place rated orders with contractors for materials and services that support national defense, homeland security, and emergency preparedness. A rated order carries a priority designation of either DX (highest priority) or DO, and contractors receiving rated orders are legally required to accept them and to give them priority over unrated commercial orders. Rated orders also flow down to suppliers, meaning that a defense contractor with a DX-rated contract must obtain rated orders from its own suppliers to ensure priority access to materials.
In an M&A context, the existence of rated orders in a target's contract portfolio is both a benefit and an obligation. Rated orders ensure priority access to materials in supply-constrained environments, which can be operationally valuable. But they also impose legal obligations on the contractor: it must accept the rated order, schedule production or service delivery to satisfy the order's delivery requirements, and cannot take unilateral actions to deprioritize the rated order in favor of commercial work. A buyer that acquires a contractor with rated orders must understand the prioritization obligations it is inheriting and must build those obligations into its production scheduling and supply chain management protocols.
DoD also holds emergency authorities under the Defense Production Act that can require contractors to accept orders for critical defense items even outside the normal DPAS framework. These authorities are rarely invoked in peacetime commercial transactions, but they represent a background legal obligation that defense sector buyers should understand as context for the government's relationship with cleared contractors. The existence of these authorities reflects the fundamental legal reality of the defense industrial base: private ownership does not eliminate government authority over the contractor's resources in a national security context.
Post-Closing Integration: Security Containers, Classified Workflows, and Badge Continuity
The physical and operational integration of an acquired defense contractor is governed by a web of security requirements that have no parallel in commercial M&A. Every aspect of how classified information is handled, stored, transmitted, and discussed within the acquired facility must comply with the National Industrial Security Program Operating Manual and the specific security requirements of each classified contract. Post-closing integration activities that seem routine in a commercial context, such as moving offices, combining IT systems, rebranding facilities, or reorganizing personnel, can create serious NISPOM compliance issues if not coordinated in advance with the facility security officer and, where necessary, DCSA.
GSA-approved security containers and vaults used to store classified material must remain in place and properly controlled throughout the transition. Any relocation of containers requires DCSA notification and in some cases physical inspection of the new location before classified material can be moved. Sensitive Compartmented Information Facilities, which are specially accredited spaces for handling SCI-level information, require government-accrediting authority approval of any physical modifications, and the accreditation is not automatically portable to a new facility or a new organizational entity. Buyers who plan to consolidate facilities or move classified operations to a different location must initiate the accreditation process well before the planned move date, because accreditation reviews can take six to twelve months.
Personnel security clearances present a distinct integration challenge. Individual clearances are held by the employee, not the employer, and they remain in effect when an employee changes employers, provided the new employer holds an appropriate facility clearance and the employee's access is properly documented in the Joint Personnel Adjudication System. However, cleared employees who lose access to their clearance-sponsoring facility, or whose security files are not properly transferred to the new facility's security officer, may experience gaps in access that affect their ability to perform on classified contracts. The facility security officer must take immediate action upon closing to assume sponsorship of all cleared personnel, update JPAS records to reflect the new employer, and ensure that no cleared employee experiences a gap in their access authorization. Buyers should designate a qualified FSO as part of their pre-closing planning and ensure that the FSO is integrated into the closing process rather than brought in only after problems arise.
Aerospace and Defense M&A: Frequently Asked Questions
When does a buyer need to update ITAR registration after acquiring a defense contractor?
A buyer must notify the Directorate of Defense Trade Controls (DDTC) within five days of closing a transaction that results in a change of ownership or control of an ITAR-registered entity. The notification requirement is found in ITAR Part 122.4, which governs amendments to registration. Practically speaking, counsel should prepare the amendment package before closing so it can be submitted on the day of or immediately following close. The package must identify the new controlling entity, disclose any foreign ownership, and confirm that no new foreign persons have gained unauthorized access to controlled technical data as a result of the transaction. Failure to timely notify DDTC creates significant exposure, including potential civil penalties and debarment from U.S. Munitions List activities. In transactions where the buyer itself holds a separate ITAR registration, counsel must also evaluate whether a merger of registrations or a new standalone registration for the acquired entity is the more appropriate path. DDTC has discretion in how it structures the post-closing registration posture, so early engagement with the agency is advisable in complex situations.
How does DCSA approach FOCI mitigation negotiations and what is the typical timeline?
The Defense Counterintelligence and Security Agency evaluates foreign ownership, control, or influence through a risk-based framework that considers the degree of foreign interest, the sensitivity of the classified work, and the adequacy of proposed mitigation measures. When a transaction involves foreign investment in a cleared U.S. defense contractor, DCSA requires the parties to propose and negotiate a FOCI mitigation instrument before the acquirer can exercise control over the cleared entity. The timeline varies considerably depending on the complexity of the foreign interest and the classification level of the facility security clearance at issue. Relatively straightforward cases involving a passive foreign investor and lower-level clearances may resolve in three to six months. Cases requiring a Special Security Agreement or Proxy Agreement, particularly those involving Top Secret or Special Compartmented Information work, routinely take twelve to twenty-four months or longer, especially when other agencies such as the Department of Defense Consolidated Adjudication Facility participate in the review. Buyers should plan acquisition financing, operational budgets, and management authority structures around the possibility of an extended FOCI negotiation period during which the foreign acquirer cannot exercise control over the cleared entity.
How do parties choose between a Special Security Agreement, a Proxy Agreement, and a Security Control Agreement?
The selection of a FOCI mitigation instrument depends primarily on the degree of foreign influence, the classification level of the facility security clearance, and the operational role of the foreign parent or investor. A Security Control Agreement is the least restrictive instrument and is available when the foreign interest is limited and the cleared entity does not hold classified contracts above the Confidential level. The SCA requires appointment of a Government Security Committee with U.S.-citizen directors and imposes certain board-level reporting obligations, but it does not require insulation of the cleared entity's board from foreign control. A Special Security Agreement permits foreign ownership but requires that a Government Security Committee of outside, DCSA-approved directors exercise oversight over classified operations, and prohibits foreign nationals from accessing classified information. The SSA is the most commonly used instrument for commercial acquisitions of defense contractors where the foreign acquirer has a legitimate business interest. A Proxy Agreement is the most stringent instrument, requiring that U.S.-citizen proxy holders exercise all rights of the foreign shareholder, effectively insulating the foreign investor from any governance role. Proxy Agreements are reserved for highly sensitive programs and are rarely imposed in purely commercial transactions unless the cleared work is extraordinarily sensitive or the foreign investor raises counterintelligence concerns.
How does a buyer determine the required CMMC 2.0 certification level for an acquired contractor?
The required Cybersecurity Maturity Model Certification level flows from the classification and sensitivity of the information the contractor handles under its DoD contracts. CMMC 2.0 organizes requirements into three levels. Level 1 applies to contractors that handle only Federal Contract Information and requires self-attestation to seventeen basic cybersecurity practices derived from NIST SP 800-171. Level 2 applies to contractors that handle Controlled Unclassified Information and requires compliance with all 110 practices in NIST SP 800-171; most Level 2 contractors must obtain a third-party assessment from a Certified Third-Party Assessment Organization, although some low-priority CUI programs may permit self-attestation. Level 3 applies to contractors supporting critical programs or technologies and requires government-led assessments against a subset of NIST SP 800-172 practices. During due diligence, buyers should review all active prime and subcontracts to identify which contain DFARS clause 252.204-7021 or the older 7012, and map each contract's CUI handling requirements to the applicable CMMC level. Gap analysis against the current CMMC level is then necessary to understand the remediation investment required to maintain contract eligibility after closing.
How long does DoD take to review and approve a novation package for a federal prime contract?
DoD review of novation packages under FAR Subpart 42.12 does not follow a fixed statutory timeline, and in practice the review period varies significantly depending on the administering contracting officer, the number of contracts involved, and the complexity of the transaction. For a straightforward stock acquisition where the legal entity holding the contracts does not change, novation is not required because the contractor of record remains the same. Novation becomes necessary in asset acquisitions or mergers where the successor entity is legally distinct from the original contractor. Once a complete novation package is submitted, including the executed novation agreement, organizational documents, evidence of the transaction, and legal opinion letters, the administering contracting office typically acknowledges receipt within thirty days. However, final execution of the novation agreement and recognition of the successor as the contractor of record can take anywhere from sixty days for a single-contract package to eighteen months or longer when hundreds of contracts across multiple contracting offices are involved. Buyers in asset acquisitions should plan for the possibility of extended gaps during which the seller must remain nominally on performance until novation is complete.
What is the Section 847 disclosure obligation and who must file?
Section 847 of the National Defense Authorization Act for Fiscal Year 2020 requires any entity that acquires a business that has a Department of Defense contract or subcontract to disclose certain foreign government contracts and interests as a condition of maintaining eligibility for DoD awards. The disclosure requirement applies to the acquiring entity and its affiliates and must be submitted to the cognizant DoD contracting officer within thirty days of closing. The disclosure covers contracts or agreements with foreign governments, foreign government-owned entities, or foreign political parties, valued at or above one hundred thousand dollars. The obligation is not a clearance requirement and does not trigger automatic disqualification; rather, it is designed to give DoD visibility into foreign entanglements that could affect the contractor's reliability or create counterintelligence risk. Failure to disclose is treated as a potential material misrepresentation in the context of federal procurement, which can support suspension or debarment proceedings. Counsel should conduct a thorough review of the acquiring entity's global contracts and investment portfolio well in advance of closing to ensure the disclosure package is accurate and complete at the time of filing.
How does the Buy American Act apply after a foreign company acquires a U.S. defense contractor?
The Buy American Act, implemented in federal procurement through FAR Part 25, requires that certain end products and construction materials purchased by the U.S. government be manufactured domestically. For defense contractors, the Berry Amendment adds further restrictions requiring that certain items, including specialty metals, food, clothing, and hand or measuring tools, be wholly produced or manufactured in the United States. When a foreign company acquires a U.S. defense contractor, the existing Buy American and Berry Amendment obligations in the acquired entity's contracts do not automatically change, because those obligations attach to the contract and the manufactured item rather than to the corporate owner. However, buyers must assess whether the acquisition changes the supply chain or manufacturing process in ways that could affect compliance. If the foreign parent intends to shift manufacturing, source components from non-qualifying countries, or use foreign-produced specialty metals in covered items, the resulting products may no longer meet the statutory domestic content thresholds. Counsel should also review the Trade Agreements Act and qualifying country determinations, because products from certain allied nations are treated as domestic for TAA purposes even if the manufacturer is foreign-owned.
How do small business size standards and SBA affiliation rules apply after acquiring a small business defense contractor?
The Small Business Administration's affiliation rules create a significant trap in defense acquisitions because a small business defense contractor that is acquired by a large business, or by an entity that is affiliated with a large business, will typically lose its small business status upon closing. Loss of small business status has immediate consequences: the acquired company becomes ineligible to receive new awards under set-aside contracts, to claim small business credit under subcontracting plans, and in some cases to continue performance on existing set-aside awards, depending on the novation status and recertification requirements. Under FAR 19.301-2, contractors are required to recertify their size status when a novation agreement is pending and when they respond to task or delivery orders under multiple-award contracts. A contractor that must recertify after acquisition by a large business will recertify as other than small, foreclosing continued participation in programs reserved for small business concerns. Buyers should carefully map all small business set-aside contracts, their remaining value, and recertification trigger dates before closing, and model the revenue impact of losing set-aside eligibility as part of the acquisition economics.
How do CFIUS and DCSA reviews interact, and should they be coordinated?
CFIUS and DCSA reviews are legally distinct processes with different statutory authorities, review criteria, and agency participants, but they frequently overlap in defense transactions involving foreign investment. CFIUS, operating under FINSA and FIRRMA as implemented by the Part 800 regulations, reviews transactions for national security risk arising from foreign control of U.S. businesses and has authority to impose mitigation conditions or block transactions outright. DCSA reviews foreign ownership, control, or influence specifically as it affects the eligibility of cleared defense contractors to hold and maintain facility security clearances. In practice, CFIUS often coordinates with DCSA because the intelligence community, DoD, and other national security agencies that sit on the CFIUS committee rely on DCSA's threat assessments for defense contractor targets. Mitigation agreements negotiated with CFIUS, such as a National Security Agreement, sometimes reference or incorporate FOCI mitigation instruments negotiated with DCSA, creating an interlocking compliance structure. Parties should plan both processes on parallel tracks from the outset of the transaction, use a single counsel team to manage the interface between them, and expect that the more demanding of the two review timelines will govern the overall deal schedule.
How are classified contracts transitioned to a successor entity after closing?
The transition of classified contracts to a successor entity requires coordination across multiple government stakeholders and cannot be accomplished through private agreement alone. The fundamental prerequisite is that the successor entity hold, or receive, an appropriate facility security clearance at the required level before it can access, store, or perform classified work. When the legal entity holding the clearance is unchanged, as in a stock acquisition, the clearance nominally remains in place, but DCSA must be notified of the change of ownership and must assess whether FOCI mitigation is required. For asset acquisitions, the successor entity must obtain its own facility security clearance, which requires sponsorship by a cleared DoD contract or program office. During the transition period, classified work under in-progress contracts may need to continue performance at the seller's facility under the seller's clearance until the successor's clearance is granted. Classified material, including documents, hardware, and data stored on classified information systems, cannot be physically transferred to the buyer's facility until all clearance and FOCI instruments are in place. Security containers, Sensitive Compartmented Information Facilities, and classified information systems must each receive separate DCSA or accrediting authority approval before use by the successor, and badge and personnel security clearance continuity for key employees must be actively managed to avoid gaps in program coverage.
Related Resources
ITAR Compliance and Export-Controlled Technical Data in M&A
Deep dive into ITAR registration amendments, deemed export analysis, and technical data due diligence protocols.
Security ClearanceDCSA FOCI Mitigation and Special Security Agreement Negotiation
SSA vs. Proxy Agreement selection, Government Security Committee structure, and DCSA engagement strategy.
CybersecurityDFARS Cybersecurity and CMMC Certification in Contractor Acquisitions
NIST SP 800-171 gap analysis, CMMC level determination, and SPRS score assessment in defense M&A.