
CFIUS Mitigation Agreements in M&A: NSAs, Proxy Boards, and How They Reshape Cross-Border Deals

When the Committee on Foreign Investment in the United States identifies a national security risk it cannot address through clearance alone, it imposes mitigation. The instruments range from a National Security Agreement with detailed operational restrictions to a Proxy Agreement that transfers governance entirely to cleared U.S. proxies. Each carries compliance obligations, monitoring costs, and governance constraints that persist long after the deal closes and fundamentally alter how the combined business operates.

Alex Lubyansky

M&A Attorney, Managing Partner

Updated April 18, 2026

Key Takeaways

  • CFIUS mitigation agreements do not expire automatically. A National Security Agreement or Proxy Agreement entered at closing becomes a permanent compliance obligation that the U.S. business must satisfy for the life of the foreign investment, and termination requires a formal petition demonstrating that the national security risk has been resolved.
  • The mitigation instrument selected, whether an NSA, Security Control Agreement, Proxy Agreement, or Voting Trust, determines how much operational control the foreign acquiror retains. A Proxy Agreement effectively removes the acquiror from governance entirely, while an NSA allows control subject to defined restrictions. The choice of instrument reshapes integration planning and synergy realization.
  • Breach of a mitigation agreement exposes the parties to civil penalties of up to $250,000 per violation or the value of the transaction, additional mitigation conditions, and in serious cases a Presidential divestiture order. Compliance programs must be designed as board-level governance functions, not administrative compliance tasks.
  • For cleared government contractors subject to the National Industrial Security Program, CFIUS mitigation and FOCI mitigation overlap and must be coordinated. A Proxy Agreement or Special Security Agreement governing the facility clearance may be required in addition to the CFIUS mitigation instrument, and the two regimes must be reconciled to avoid conflicting obligations.

CFIUS clearance without conditions is not always available. When the Committee identifies a national security risk arising from a foreign investment that does not call for an outright prohibition, it negotiates mitigation measures with the parties as a condition of clearance. These measures are memorialized in a legally binding agreement, typically a National Security Agreement or one of its more restrictive variants, that governs the operations of the U.S. business for the duration of the foreign investment.

Mitigation is not a concession CFIUS treats as optional, and the instruments it deploys carry substantial operational weight. An NSA may require the business to segregate personnel and systems, restrict access to sensitive information by foreign employees, implement cybersecurity controls subject to third-party audit, maintain a government security officer, and submit to unannounced site visits by a CFIUS-appointed monitor. A Proxy Agreement goes further, interposing a board of cleared U.S. proxy holders between the foreign acquiror and the business's governance, effectively suspending the acquiror's ability to influence operations, strategy, or personnel decisions.

This sub-article is part of the CFIUS Review in M&A: National Security Clearance for Cross-Border and Foreign-Backed Transactions guide. It covers the full mitigation landscape: the instruments available and when each is appropriate, the core provisions of a National Security Agreement, personnel security and Key Management Personnel requirements, supply chain and sourcing controls, information protection and cybersecurity obligations, monitor and auditor selection, coordination with Foreign Ownership Control or Influence mitigation for cleared contractors, mitigation in joint venture and minority investment structures, breach and enforcement consequences, and the downstream effect of mitigation on deal value and post-closing governance.

Acquisition Stars advises acquirors, sellers, and U.S. businesses in CFIUS mitigation negotiation, compliance program design, and ongoing monitoring obligations. Nothing in this article constitutes legal advice for any specific transaction.

Why the Committee Imposes Mitigation

CFIUS imposes mitigation when a covered transaction presents a national security risk that renders the investment unacceptable without conditions, but where the risk can be adequately managed through defined operational restrictions rather than requiring outright prohibition. The Committee operates under a mandate to balance national security protection with the government's policy of openness to foreign investment, and mitigation is the mechanism that reconciles those objectives in transactions that fall between clearly safe and clearly prohibited.

The triggers for mitigation cover a defined set of risk categories. Transactions involving U.S. businesses that develop, produce, or maintain critical technology, operate covered critical infrastructure, or maintain sensitive personal data of U.S. government personnel or large populations of U.S. persons receive heightened scrutiny. When CFIUS identifies that a foreign acquiror has the technical means, incentive, or government nexus to exploit the U.S. business's capabilities or data in ways that harm national security, it will typically propose mitigation before it will offer clearance.

Mitigation proposals originate in the CFIUS staff review process. After the parties file a notice or declaration, CFIUS conducts a risk assessment that identifies specific threat vectors. The staff then drafts a proposed mitigation term sheet and shares it with the parties during the review period. The parties may negotiate the scope and terms of individual provisions, but CFIUS retains the authority to require conditions it considers necessary and to reject proposed modifications that it views as inadequate. The final mitigation agreement must be executed as a condition of the CFIUS clearance letter, and the transaction cannot close until the agreement is fully signed.

Understanding why CFIUS proposes specific mitigation provisions is essential to negotiating effectively. Each provision maps to an identified risk. Knowing which agency raised the concern and what technical or intelligence basis underlies it allows counsel to propose alternative provisions that address the same risk with less operational disruption. Generic objections to mitigation terms are rarely effective; risk-specific alternatives supported by technical evidence have a better track record of acceptance.

The Mitigation Toolkit: NSA, SCA, Proxy, Voting Trust, and Board Resolution

CFIUS has developed five principal mitigation instruments over the course of its regulatory history, each calibrated to a different severity of national security risk and a different level of operational separation between the foreign acquiror and the U.S. business.

A National Security Agreement is the most commonly used mitigation instrument and applies across a wide range of transaction types. An NSA imposes specific operational restrictions on the U.S. business, including limitations on information sharing with the foreign parent, personnel security requirements, cybersecurity controls, supply chain obligations, government access provisions, and reporting requirements, while allowing the foreign acquiror to retain normal corporate governance rights subject to those restrictions. An NSA is appropriate when the national security risk can be managed by controlling what the foreign parent can access or influence, rather than requiring complete separation of governance.

A Security Control Agreement is similar to an NSA but is specifically designed for transactions involving classified information or classified contracts. An SCA coordinates CFIUS mitigation with the facility clearance requirements administered by the Defense Counterintelligence and Security Agency under the National Industrial Security Program. It addresses the security officer structure, the government customer notification requirements, and the interface between the CFIUS mitigation fence and the classified program access controls, and it is typically entered alongside the CFIUS clearance as a parallel instrument.

A Proxy Agreement establishes a board of cleared U.S. proxy holders who exercise all voting and governance rights on behalf of the foreign shareholder. The Proxy Agreement is required when the national security risk is such that any operational influence by the foreign acquiror over the U.S. business, even through governance structures with NSA-type restrictions, is unacceptable. A Voting Trust is functionally similar to a Proxy Agreement but uses a trust structure rather than a proxy governance framework. Board Resolutions are the least restrictive instrument, typically used for low-risk transactions where a defined governance action (such as a charter amendment or board composition commitment) is sufficient to address the identified concern.

When Each Instrument Is Appropriate

The selection of a mitigation instrument is driven by the specific national security risk CFIUS has identified, the nature of the U.S. business's activities, and the foreign acquiror's national origin and government relationships. CFIUS does not apply mitigation instruments mechanically, and the same transaction structure can result in different instruments depending on the assessed threat level and the agency composition of the CFIUS review team.

An NSA is appropriate when the foreign acquiror's risk arises from its potential access to sensitive information or technology, rather than from its governance control over the business's operations. If CFIUS can define the information and systems that must be segregated, specify who may access them, and verify compliance through a monitor, an NSA can adequately address the risk without requiring governance separation. Transactions involving foreign acquirors from allied nations, or transactions where the U.S. business's sensitive activities are limited to a defined segment of its operations, are frequently resolved with NSA-level mitigation.

A Proxy Agreement or Voting Trust is required when the foreign acquiror's home government is assessed as posing a direct strategic threat to U.S. national security, and when any governance influence by that acquiror over a U.S. business with sensitive capabilities is viewed as creating unacceptable risk regardless of information restrictions. Acquirors from jurisdictions that CFIUS member agencies assess as adversarial, including those subject to enhanced scrutiny under FIRRMA's covered country provisions, are most likely to face Proxy Agreement requirements when they seek to acquire U.S. businesses in defense, intelligence support, critical infrastructure, or advanced technology sectors.

An SCA is applied specifically to transactions where the U.S. business holds or is seeking facility clearances for classified contracts. The SCA coordinates the CFIUS mitigation framework with the DCSA's NISP requirements, which impose their own foreign ownership restrictions and security officer obligations. Where an NSA or Proxy Agreement is entered for CFIUS purposes, the SCA supplements it with the classified program-specific provisions that DCSA requires as a condition of maintaining the facility clearance.

Typical NSA Provisions and Governance Restrictions

A National Security Agreement is a detailed operational contract, often running to dozens of pages with technical annexes. Its core provisions address four categories of concern: information protection, personnel security, supply chain integrity, and government access. Each category maps to a specific risk vector that CFIUS has identified in the transaction.

Information protection provisions define the boundary between the U.S. business and the foreign parent. They specify what categories of information, including technical data, source code, customer information, classified contracts, and export-controlled material, may not be shared with the foreign parent or its employees without prior CFIUS approval. The NSA will require the U.S. business to implement technical controls, including network segmentation, access controls, and audit logging, to enforce this boundary. In most cases, foreign parent employees are prohibited from accessing sensitive systems or facilities without the approval of the security officer and advance notice to CFIUS.

Governance restrictions in an NSA typically include requirements that the board of the U.S. business include a minimum number of independent directors who are U.S. citizens, that certain decisions (such as acquisitions, dispositions, and new government contracts) require advance notice to CFIUS, and that any changes to the mitigation agreement's key terms require CFIUS approval before implementation. The NSA may also restrict the foreign parent's ability to appoint or remove executives in covered Key Management Personnel positions without prior government approval, which effectively limits the acquiror's practical governance control even while it retains formal equity ownership.

Reporting obligations under an NSA are ongoing. The U.S. business must submit annual compliance reports to CFIUS certifying adherence to each material provision of the agreement, report any material breach within a specified period of discovery, notify CFIUS of changes to Key Management Personnel, and provide advance notice of transactions or corporate events that could affect the mitigation framework. These reporting obligations impose a continuous administrative burden that must be managed by dedicated compliance personnel familiar with both the NSA's specific requirements and the broader CFIUS regulatory framework.

Personnel Security and Key Management Personnel Requirements

Personnel security provisions in a CFIUS mitigation agreement address who may hold positions of authority or access within the U.S. business and what security clearance or citizenship credentials they must possess. The concept of Key Management Personnel, or KMP, is central to most NSAs and defines the universe of executive and board positions that are subject to citizenship, clearance, and government approval requirements.

KMP positions typically include the chief executive officer, chief financial officer, chief technology officer, chief information security officer, facility security officer, and any board member with access to classified or sensitive information. The NSA will enumerate covered positions explicitly and require that each be filled by a U.S. citizen who holds or is eligible to hold any government security clearance required by the business's contracts. Changes to KMP positions require advance notice to CFIUS, and in some agreements CFIUS approval is required before a new KMP appointee can assume their role.

The practical consequence of KMP requirements is that the foreign acquiror cannot install its own executives in senior leadership roles at the U.S. business. This limitation disrupts the typical post-acquisition integration playbook, in which the acquiror may seek to place trusted executives in key positions to execute the strategic and operational plan for the combined entity. Under an NSA with KMP restrictions, the U.S. business must be led by independently qualified U.S. citizens whose appointments are subject to CFIUS oversight, and the foreign parent's ability to influence day-to-day operations through personnel placement is sharply constrained.

Foreign national employees of the acquiror who visit or work at the U.S. business's facilities are typically subject to visitor control procedures specified in the NSA. These may require advance notification to the security officer, escort by cleared U.S. personnel during facility visits, prohibition from accessing sensitive areas or systems, and reporting of any unauthorized contact between foreign visitors and sensitive personnel or information. Managing these visitor control obligations requires dedicated administrative infrastructure and clear internal policies that are communicated to both U.S. and foreign parent employees.

Supply Chain Integrity and Sourcing Controls

Supply chain integrity provisions in a CFIUS mitigation agreement address the risk that a foreign acquiror could introduce compromised components, software, or services into the U.S. business's products or operations, creating a vulnerability that could be exploited against U.S. government customers or critical infrastructure. These provisions have become increasingly prominent in NSAs as CFIUS has focused on hardware and software supply chain security in response to documented incidents involving foreign-origin components in sensitive systems.

Supply chain provisions typically require the U.S. business to implement a supply chain risk management program that screens suppliers for foreign-origin components, identifies components sourced from countries of concern or from suppliers with documented security vulnerabilities, and establishes procedures for evaluating and approving alternative sources when a current supplier raises concerns. The NSA may specify prohibited supplier categories by country of origin or by reference to government lists of entities subject to export controls or security restrictions.

For businesses that develop software or provide software-enabled services, supply chain provisions extend to the software development toolchain. The NSA may restrict the use of open-source software components from specified jurisdictions, require code review for foreign-origin libraries, and prohibit the deployment of development tools or cloud services hosted by foreign-controlled providers. These software supply chain requirements can create significant technical debt for businesses that have historically relied on globally distributed development teams or internationally sourced open-source components.

Transition periods for supply chain compliance are a common negotiating point. When the U.S. business has existing supplier relationships that do not satisfy the NSA's requirements, the parties may need to negotiate a defined transition period during which the business can identify compliant alternatives and requalify products or services without triggering a breach. Transition timelines must be realistic: supplier qualification processes in defense and critical infrastructure sectors can take twelve to twenty-four months, and CFIUS should be presented with a credible transition plan as part of the mitigation negotiation.

Information Protection, Cybersecurity, and Audit Rights

Information protection and cybersecurity provisions in a CFIUS mitigation agreement require the U.S. business to implement and maintain technical and administrative controls that prevent unauthorized access to sensitive information by the foreign acquiror or its affiliates. These provisions are among the most technically detailed in any NSA and often reference specific cybersecurity frameworks, such as the NIST Cybersecurity Framework or the Department of Defense's Cybersecurity Maturity Model Certification requirements, as the baseline standard for required controls.

The information boundary defined in the NSA specifies which systems and data repositories are subject to the mitigation fence and prohibits the integration of those systems with the foreign parent's IT infrastructure. This prohibition typically prevents the U.S. business from consolidating onto shared enterprise platforms, cloud infrastructure, or collaboration tools controlled by the foreign parent. Where the acquiror's integration plan depends on migrating the U.S. business to shared systems, the NSA's IT segregation requirements will require a redesign of that plan, often at substantial cost.

Audit rights under the NSA allow CFIUS and its designated agents to inspect the U.S. business's facilities, systems, records, and compliance documentation at any time, with or without advance notice. The U.S. business must cooperate with audits and provide CFIUS with access to any information the Committee determines is necessary to assess compliance with the agreement. Third-party auditors appointed by CFIUS, distinct from the ongoing monitor, may conduct periodic technical audits of cybersecurity controls, personnel access logs, and supply chain documentation to verify adherence to the NSA's requirements.

Cybersecurity incident reporting obligations under the NSA typically require the U.S. business to notify CFIUS within a defined period (often 24 to 72 hours) of discovering any cybersecurity incident that affects systems containing sensitive information or that may have resulted in unauthorized access by foreign persons. This reporting obligation operates in parallel with, and may have shorter deadlines than, the cybersecurity incident reporting requirements applicable under federal law to federal contractors and critical infrastructure operators. Compliance requires incident response procedures that specifically address CFIUS notification requirements as a distinct track.

Monitor and Auditor Selection and Funding

Most CFIUS mitigation agreements require the appointment of an independent monitor, sometimes referred to as a security monitor or compliance monitor, who serves as the primary oversight mechanism between the U.S. business and the government. The monitor is a third-party professional firm, typically with national security, compliance, or security engineering expertise, that is selected by the parties and approved by CFIUS before the agreement takes effect.

The monitor's mandate is defined in the mitigation agreement and typically includes conducting periodic site visits, reviewing compliance documentation, assessing the U.S. business's adherence to NSA provisions, and reporting findings to CFIUS. The frequency of site visits and reporting cycles varies by transaction: higher-risk transactions may require quarterly visits and reports, while lower-risk transactions may require semi-annual or annual oversight. The monitor has access to all facilities, personnel, records, and systems within the scope of the NSA's provisions and reports directly to CFIUS, not to the U.S. business or the foreign acquiror.

The U.S. business bears all costs of the monitor, including the monitor's fees, travel, and associated expenses. Monitor fee structures vary by firm and mandate, and the parties should obtain fee estimates from candidate firms during the CFIUS negotiation so that monitor costs can be factored into the deal economics. For complex, high-oversight transactions, annual monitoring costs can be material. These costs persist for the life of the mitigation agreement and must be modeled as a recurring operating expense, not a one-time transaction cost.

The monitor selection process requires the parties to propose qualified candidates to CFIUS, which then evaluates the candidates' independence, expertise, and security clearances before approving an appointment. Candidates who have prior business relationships with the U.S. business, the foreign acquiror, or their affiliates may be disqualified for lack of independence. The U.S. business and the foreign acquiror should engage in the monitor selection process proactively, rather than waiting for CFIUS to propose its own candidates, because a CFIUS-selected monitor may impose greater scrutiny than one selected collaboratively by the parties from a field of qualified firms.

Coordination with FOCI Mitigation for Cleared Contractors

U.S. businesses that hold facility clearances under the National Industrial Security Program are subject to two overlapping regulatory regimes when a foreign acquiror takes an ownership interest: the CFIUS review process and the DCSA's Foreign Ownership, Control, or Influence process. FOCI mitigation is required by DCSA as a condition of maintaining a facility clearance when a U.S. contractor is owned or controlled by foreign interests, and it operates through instruments that closely parallel CFIUS mitigation instruments: the Special Security Agreement, the Security Control Agreement, the Proxy Agreement, the Voting Trust Agreement, and the Board Resolution.

The CFIUS and FOCI regimes are legally distinct but functionally interrelated. CFIUS mitigation governs the broader investment review outcome and applies to the transaction as a whole. FOCI mitigation governs the facility clearance and is administered by DCSA on behalf of the government customers who rely on the contractor's classified work. When a transaction triggers both CFIUS review and a FOCI determination, the parties must negotiate compatible mitigation instruments under both regimes and ensure that the obligations imposed by each are not in conflict.

The most complex coordination challenge arises when CFIUS requires a Proxy Agreement while DCSA permits a less restrictive Special Security Agreement for the facility clearance, or vice versa. The parties must engage both agencies in parallel, communicate the positions of each agency to the other, and negotiate a unified governance structure that satisfies both regimes without creating conflicting obligations for the proxy holders or the security officer. This coordination requires counsel with experience in both CFIUS and NISP practice areas, because the technical requirements of each regime are distinct and the agencies communicate with each other but do not formally coordinate their positions.

Government customers with classified contracts at the U.S. business must be notified of the foreign acquisition and the FOCI determination in accordance with DCSA's requirements. Customer notifications may trigger reviews by the relevant program security office and, in some cases, contract modification requirements or security plan updates. Managing government customer relationships through the CFIUS and FOCI processes requires early engagement, transparent communication, and a documented compliance plan that customers can evaluate in assessing whether to maintain their contractual relationship with the newly acquired business.

Mitigation in Cross-Border JV and Minority Investment Deals

CFIUS mitigation applies not only to majority acquisitions but also to minority investments and joint ventures that give a foreign person certain defined rights over a TID U.S. business, including access to material non-public technical information, the right to appoint board members, or a role in substantive business decisions. The mitigation framework for minority investments is structurally similar to the framework for majority acquisitions but must be calibrated to the specific governance rights the foreign investor holds rather than to the full ownership model.

In a minority investment with board representation, CFIUS may require mitigation that restricts the foreign board member's access to sensitive information presented at board meetings, prohibits the foreign investor from participating in board discussions or votes on specified categories of decisions, and requires board meeting materials to be reviewed and redacted by the security officer before distribution to the foreign-affiliated director. These restrictions limit the practical value of board representation to the foreign investor and must be disclosed to the foreign investor as part of the deal structuring process.

Joint ventures that involve a U.S. business with CFIUS-jurisdictional activities present a more complex mitigation challenge because the JV structure may not have clear legal separation between the U.S. and foreign partners' contributions to the venture. CFIUS may require mitigation that defines which assets, personnel, and information contributed by the U.S. partner are subject to the mitigation fence, establishes governance procedures that prevent the foreign JV partner from accessing controlled information through the venture's operations, and restricts the JV's activities to defined commercial fields that do not implicate national security concerns. Structuring a JV that satisfies these requirements while remaining commercially viable requires early CFIUS engagement during the deal structuring phase.

Mitigation for minority investments and JVs must also address the governance rights of other investors and partners who are not the foreign person triggering CFIUS jurisdiction. When a minority investment involves a foreign person alongside domestic investors, the mitigation agreement must be structured to impose obligations on the U.S. business without unduly restricting the rights of domestic co-investors who are not subject to the national security concern. Counsel must analyze the full investor group and governance structure before proposing mitigation terms to avoid creating legal conflicts between the NSA's requirements and the rights of non-foreign investors under the investment agreement.

Breach, Enforcement, and Divestiture Consequences

A breach of a CFIUS mitigation agreement is a serious enforcement matter that can result in civil penalties, additional mitigation conditions, operational restrictions, and in extreme cases a Presidential divestiture order. CFIUS monitors compliance with mitigation agreements through the monitor's reports, the U.S. business's annual compliance certifications, government audits, and intelligence reporting from member agencies. CFIUS does not treat mitigation compliance as self-executing; it actively investigates potential breaches identified through any of these channels.

Civil penalties for mitigation breaches are authorized under FIRRMA at up to $250,000 per violation or the value of the transaction, whichever is greater. CFIUS applies a factors-based analysis in assessing penalties that considers the nature and severity of the breach, whether it was willful or negligent, what steps the U.S. business took to remediate the breach after discovery, and the cooperation or lack thereof from the parties in the CFIUS investigation. Voluntary disclosure of a potential breach, prompt remediation, and cooperation with the CFIUS inquiry are the most effective tools for limiting penalty exposure, because CFIUS has enforcement discretion and has reduced penalties for parties who self-report and remediate.

In addition to financial penalties, CFIUS may impose additional mitigation conditions as a consequence of breach. These supplemental conditions may require operational changes, personnel changes, technology modifications, or enhanced monitoring that goes beyond the original NSA requirements. Repeat or severe breaches can result in a CFIUS determination that the mitigation agreement is not adequate to address the national security risk, which can lead to a referral to the President for action under Section 721 of the Defense Production Act.

A Presidential divestiture order requires the foreign acquiror to divest its interest in the U.S. business within a specified period and under conditions specified in the Presidential action. Divestiture orders are relatively rare but are not theoretical: the President has issued divestiture orders in a number of high-profile CFIUS cases, including transactions in telecommunications, semiconductor, and consumer technology sectors. The prospect of a divestiture order underscores why mitigation compliance must be treated as a board-level governance priority for any business subject to a CFIUS mitigation agreement.

Business Impact: Budgeting, Governance, and Post-Closing Execution

CFIUS mitigation reshapes deal economics in ways that must be analyzed during the transaction and reflected in the purchase price, integration budget, and post-closing operating plan. The costs of mitigation compliance, while difficult to estimate precisely before the specific NSA terms are known, are material enough to affect whether a transaction is commercially viable. Acquirors who discount mitigation costs or treat them as administrative overhead rather than structural deal costs risk closing a transaction that is economically impaired before integration begins.

Direct mitigation costs include the ongoing monitor fees, the cost of implementing and maintaining the IT segregation and cybersecurity controls required by the NSA, the compliance officer and security officer personnel costs, legal fees for annual reporting and CFIUS communications, and the cost of any required technology or facility modifications to satisfy the NSA's physical or technical separation requirements. These costs are recurring and increase with the complexity of the business and the scope of the mitigation obligations. They must be modeled over the expected duration of the investment, which in most cases means in perpetuity.

Indirect mitigation costs arise from the governance restrictions that limit the acquiror's ability to realize the synergies that justified the acquisition price. An NSA that prohibits IT system consolidation prevents the cost savings associated with shared infrastructure. KMP restrictions that prevent the acquiror from placing its own executives in leadership roles limit its ability to implement the operational changes it envisioned. Supply chain restrictions that require domestic sourcing may increase the cost of goods or services relative to the globally optimized supply chain the acquiror intended to leverage. These indirect costs reduce the net value of the investment and must be weighed against the strategic rationale for the transaction.

Post-closing execution under a mitigation agreement requires dedicated governance infrastructure: a board committee or management committee responsible for CFIUS compliance, a designated point of contact for government communications, a security officer with the credentials and clearances required by the NSA, and a compliance program that documents adherence to each NSA provision and generates the records needed for the annual compliance certification and monitor reviews. Building this infrastructure before closing, rather than after, reduces the risk of early compliance gaps that can attract CFIUS scrutiny and signals to the government that the acquiror treats its mitigation obligations as a serious governance commitment.

Advising on CFIUS Mitigation Negotiation

Acquisition Stars advises acquirors, sellers, and U.S. businesses in CFIUS mitigation negotiation, compliance program design, and ongoing NSA obligations.

Frequently Asked Questions

How long does a typical National Security Agreement last?

A National Security Agreement does not have a fixed expiration date and typically remains in effect indefinitely unless CFIUS agrees to modify or terminate it. The Committee may grant termination if the national security risk that prompted the agreement is no longer present, for example because the foreign acquiror has divested its interest, the relevant technology has been declassified or commercialized widely, or the business has fundamentally changed. Parties seeking termination must petition CFIUS, demonstrate that the original risk has abated, and provide supporting evidence. In practice, NSAs for acquisitions in sensitive technology, defense, or critical infrastructure sectors commonly remain operative for the life of the foreign investment. Parties should treat an NSA as a permanent compliance obligation when evaluating deal economics and integration planning.

Who pays for the CFIUS monitor?

The mitigation agreement requires the U.S. business to fund all costs of the CFIUS-appointed monitor, including the monitor's fees, travel, and expenses. The monitor is typically a third-party security professional firm selected by the parties and approved by CFIUS, and its engagement letter is negotiated between the U.S. business and the monitor firm. Monitor fees vary substantially depending on the complexity of the business, the scope of the monitoring mandate, and the frequency of site visits and reporting cycles. Annual monitor costs for a mid-size transaction commonly range from several hundred thousand dollars to over one million dollars. These costs are a recurring operational expense that persists for the life of the mitigation agreement and must be budgeted as a post-closing obligation, not a one-time transaction cost.

Can a CFIUS mitigation agreement ever sunset or be terminated?

Mitigation agreements can be terminated, but there is no automatic sunset provision. Termination requires a formal petition to CFIUS accompanied by evidence that the national security concern underlying the mitigation has been resolved. CFIUS evaluates such petitions on the merits and may consult with member agencies, including the Department of Defense and the Intelligence Community, before approving termination. In transactions where the mitigation was driven by a specific technology or classified program, termination may become feasible if that technology is no longer sensitive or the program ends. In practice, termination petitions are rarely granted for acquisitions in highly sensitive sectors. Parties negotiating mitigation agreements should include provisions addressing what evidence CFIUS requires and what process applies for future modification or termination, even if termination is not expected in the near term.

How is a CFIUS proxy board composed?

A proxy board established under a Proxy Agreement is composed entirely of U.S. citizens who hold or are eligible to hold U.S. government security clearances at the level required by the classified work of the business. Proxy holders are approved by CFIUS and typically include former senior government officials, cleared defense executives, or security professionals with relevant industry experience. The proxy board exercises all voting and governance rights of the foreign shareholder, effectively interposing a cleared U.S. governance layer between the foreign owner and the U.S. operations. Proxy holders have fiduciary obligations to act in the interests of the business consistent with applicable law, while also complying with the Proxy Agreement's national security requirements. The foreign parent retains economic rights (dividends, liquidation proceeds) but exercises no control over business decisions, personnel, or classified operations.

Are there CEO or senior officer citizenship requirements under a National Security Agreement?

Yes. Most National Security Agreements include Key Management Personnel requirements that restrict the CEO and other designated senior officers, board members, and security officers to U.S. citizens and often require those individuals to hold or be eligible to hold specified government security clearances. The NSA will enumerate the covered positions, which typically include the chief executive officer, chief financial officer, chief technology officer, facility security officer, and any board seat with access to classified or controlled information. Changes to KMP require advance notice to and approval from CFIUS. Foreign nationals, dual citizens, and individuals with foreign contacts or foreign financial interests that create security concerns may be disqualified from covered roles. Transitioning incumbent executives who do not satisfy citizenship requirements is a common post-signing integration challenge that must be planned carefully to avoid operational disruption.

Can parties negotiate supply chain carve-outs from a CFIUS mitigation agreement?

Parties can negotiate to narrow the scope of supply chain provisions in a mitigation agreement, but the Committee's willingness to accept carve-outs depends on the specific national security concern. Where the risk is that a foreign-origin component creates a backdoor into a defense or critical infrastructure system, CFIUS will typically require broad sourcing controls with limited exceptions. Carve-outs may be available for commercial off-the-shelf components that are widely available and do not create meaningful security risk, or for components where no acceptable domestic or allied-nation alternative exists. Any proposed carve-out must be substantiated with technical evidence and is subject to review by CFIUS member agencies. Parties should engage CFIUS early in the mitigation negotiation to understand which supply chain concerns are non-negotiable and where flexibility may exist, rather than treating supply chain provisions as boilerplate.

How does CFIUS mitigation interact with commercial integration planning?

Mitigation agreements impose direct constraints on post-closing integration by restricting information sharing, personnel access, IT system consolidation, and governance across the boundary between the U.S. business and the foreign parent. Common integration activities that are restricted or prohibited include consolidating IT infrastructure onto foreign-parent systems, sharing customer data or sensitive technical data across the mitigation boundary, appointing foreign employees to governance roles or positions with access to controlled information, and allowing foreign-parent auditors or compliance personnel to access controlled facilities. Integration planning must be designed from the outset around the mitigation fence, with dedicated systems, networks, and personnel structures that satisfy the NSA's segregation requirements. Acquirors who plan integration without mapping it against the mitigation agreement risk material breach, enforcement action, and remediation costs that can far exceed the original transaction synergy case.

What are the consequences of mitigation agreement failure?

Breach of a CFIUS mitigation agreement can result in civil penalties of up to $250,000 per violation or the value of the transaction, whichever is greater. CFIUS may also impose additional mitigation measures, require remediation of the breach at the company's expense, suspend business activities pending remediation, or refer the matter to the Department of Justice for criminal investigation if the breach involves willful conduct. In severe cases, CFIUS may recommend to the President that the investment be unwound through a divestiture order. A divestiture order requires the foreign acquiror to divest its interest within a specified period under conditions set by CFIUS, and failure to divest on schedule can result in additional penalties and forced sale proceedings. The combination of financial penalties, reputational damage, and potential divestiture makes mitigation compliance a board-level governance priority, not a compliance department administrative task.
