CFIUS Review in M&A:
National Security Clearance for Cross-Border and Foreign-Backed Transactions

1. Why CFIUS Sits Alongside Antitrust on Every Cross-Border Deal

Every cross-border M&A transaction with a U.S. nexus now runs on two parallel regulatory tracks. The first is antitrust, governed by Hart-Scott-Rodino thresholds, merger guidelines, and the competitive effects analysis of the reviewing agency. The second is CFIUS, governed by the Foreign Investment Risk Review Modernization Act of 2018 and the regulations at 31 CFR Parts 800 and 802. These two tracks are independent. A transaction can pass antitrust clearance without difficulty and still be blocked by the President on CFIUS grounds. They can also overlap in timing, and managing both calendars simultaneously is one of the core logistics challenges in cross-border M&A.

The analogy to antitrust is instructive but imperfect. Antitrust review focuses on competitive harm that can be measured, modeled, and sometimes remedied by divestiture of overlapping product lines. CFIUS review focuses on national security risk, which is assessed by reference to classified and unclassified intelligence, executive branch policy priorities, and the Committee's view of how a foreign person's access to technology, infrastructure, data, or real estate could threaten U.S. security. That assessment is not subject to judicial review on the merits, which is why CFIUS clearance or mitigation is the only available path when the Committee has concerns.

Deal counsel managing both tracks must synchronize the timelines, coordinate the information sharing protocols between the two review processes, and ensure that representations and disclosures made to one regulator are consistent with those made to the other. In transactions requiring both HSR and CFIUS filings, parties typically file CFIUS concurrently with or shortly after the HSR filing, so that the review periods run in parallel rather than in sequence. Any slippage in either process affects the outside date calculus for both parties, and the deal agreement must contemplate both risks with precision.

The broader strategic point is that CFIUS is no longer an afterthought for cross-border transactions in specialized sectors. The Committee's jurisdiction expanded materially with FIRRMA, its monitoring and enforcement capacity has grown, and the political salience of foreign investment in sensitive U.S. industries has increased across multiple administrations and Congresses. Buyers and targets that treat CFIUS as a checkbox rather than a substantive risk management exercise tend to encounter delays, mitigation demands, or outcomes they did not model into the deal.

2. The FIRRMA Framework and the Modern CFIUS

The Foreign Investment Risk Review Modernization Act of 2018, enacted as part of the National Defense Authorization Act, fundamentally restructured the Committee on Foreign Investment in the United States. Before FIRRMA, CFIUS jurisdiction was limited to transactions that could result in foreign control of a U.S. business. FIRRMA expanded that jurisdiction in three significant directions: it added covered investments that fall short of control but involve TID businesses, it added real estate transactions as a standalone covered transaction category, and it established a mandatory filing regime for certain transactions that had previously been subject only to voluntary filing.

FIRRMA also codified and expanded the Committee's composition and authority. CFIUS is chaired by the Treasury Department and includes the Departments of State, Defense, Justice, Commerce, Energy, Homeland Security, and the Office of the United States Trade Representative, among others. Each member agency brings its own equities to the review, and transactions that implicate the concerns of multiple agencies are subject to interagency deliberation that can extend the review period and produce mitigation conditions reflecting the priorities of agencies with significant interests in the outcome.

The implementing regulations were finalized in 2020 after a multi-year rulemaking process and codified at 31 CFR Part 800 (general rules for control transactions and covered investments) and 31 CFR Part 802 (real estate transactions). These regulations define the key terms that determine CFIUS jurisdiction: foreign person, foreign government, control, covered transaction, TID business, covered investment, excepted investor, and excepted real estate investor. Understanding each definition as a matter of regulatory text, rather than as a general concept, is essential because the jurisdictional analysis is a term-by-term exercise that cannot be shortcut with general impressions.

Since 2020, CFIUS has published annual reports to Congress summarizing filing trends, agency composition, and general characteristics of reviewed transactions. Those reports do not identify specific transactions but provide useful benchmarks on the volume and disposition of filings across sectors. The reports consistently show technology, financial services, and manufacturing as the most active sectors, and China as the foreign acquirer nationality drawing the highest level of scrutiny. The data confirms that CFIUS review is a routine feature of cross-border deal activity at scale, not an exceptional event affecting only defense contractors.

3. Covered Transactions: Control Acquisitions and Covered Investments

CFIUS jurisdiction under Part 800 attaches to two categories of transactions. The first is control transactions: any acquisition by a foreign person of any amount of ownership interest in a U.S. business that affords the foreign person control over the business. Control under the CFIUS regulations is defined broadly and does not require majority ownership or board control. A foreign person exercises control if it has the power, directly or indirectly, to determine, direct, or decide important matters affecting a business, whether through board representation, contractual veto rights, operational authority, or other means.

The second category is covered investments: acquisitions by a foreign person of a noncontrolling interest in a TID business that give the foreign person board membership or observer rights, access to material nonpublic technical information of the U.S. business, or involvement in substantive decision-making about the use, development, acquisition, safekeeping, or release of sensitive personal data or critical technology. A foreign person acquiring a 5 percent minority stake with a board observer seat in a company that qualifies as a TID business has made a covered investment subject to CFIUS jurisdiction, even though the stake is clearly noncontrolling.

The covered investment concept is the most significant post-FIRRMA expansion of CFIUS authority for the venture and private equity markets. Before FIRRMA, a foreign venture capital fund taking a 10 percent stake in a Series B round was not subject to CFIUS review as long as the fund was not acquiring control. After FIRRMA, the same investment may be a covered investment if the portfolio company qualifies as a TID business and the investment terms give the fund any of the three enumerated rights. This has required fund counsel to revise standard term sheets, side letters, and LP agreements to evaluate and, where appropriate, contractually limit foreign investor rights.

Deal structures that might otherwise appear to avoid CFIUS jurisdiction frequently trigger it on closer analysis. Transactions involving indirect acquisition through a holding company, voting trust arrangements, convertible notes with board rights, or phased acquisitions structured as a series of minority investments should each be analyzed against the control and covered investment definitions before counsel advises on filing obligations. The definition of control in particular is broad enough to capture governance arrangements that do not map neatly to traditional equity ownership.

4. Identifying a TID Business: Critical Technology, Infrastructure, and Data

A TID business is a U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; performs the functions as set forth in the list of covered investment critical infrastructure with respect to covered investment critical infrastructure; or maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens. The acronym TID stands for technology, infrastructure, and data, and each category has a distinct definition that requires separate analysis.

Critical infrastructure under the covered investment rules includes 28 specific sectors and subsectors drawn from presidential policy directives and DHS sector risk management frameworks: internet exchange points, telecommunications carriers, certain financial market utilities, oil and gas pipeline systems, electric generation and transmission facilities, water systems serving large populations, and others. The regulations specify both the type of infrastructure and the ownership or operational function a U.S. business must perform with respect to that infrastructure for the TID business designation to apply. Owning a building connected to a fiber backbone is not the same as operating a telecommunications carrier, and the factual characterization matters.

The sensitive personal data category covers U.S. citizens' health data, financial data, geolocation data, biometric enrollment data, data that could be used to analyze or determine individual behavior or characteristics, data on U.S. government employees or contractors with access to classified or sensitive information, and data aggregated across the defined categories. The definition reaches businesses that maintain this data on more than one million individuals, or that have a demonstrated business objective to maintain data on more than one million individuals. Consumer-facing applications, healthcare platforms, financial services apps, and fleet tracking businesses routinely qualify.

For target companies in the technology, data, and infrastructure sectors, determining whether the business qualifies as a TID business is one of the first analytical steps in any inbound foreign investment, and should be completed well before the deal reaches the letter of intent stage. The TID business analysis informs both the filing obligation assessment and the risk profile of the transaction from the buyer's perspective.

5. Mandatory Filings and the Two Trigger Regimes

FIRRMA established two independent mandatory filing triggers, each of which requires submission of a declaration at least 30 business days before the anticipated closing of the covered transaction. The mandatory filing obligation is not optional and does not depend on whether the parties believe the transaction raises national security concerns. It is triggered by the structural characteristics of the transaction and the nature of the target business.

The first trigger applies when a foreign government holds a substantial interest in a foreign person that is acquiring a substantial interest in a TID business. Substantial interest means a direct or indirect voting interest, board representation, or equity interest of 25 percent or more. This trigger is aimed at transactions in which sovereign wealth funds, state-owned enterprises, or companies with significant government shareholding are acquiring meaningful stakes in sensitive U.S. businesses. The government ownership threshold is measured at the foreign person level, not at the ultimate beneficial owner level, and a single government-controlled entity in a complex ownership chain can satisfy the test.

The second trigger applies regardless of government ownership when a foreign person is acquiring a direct or indirect interest in a TID business that produces, designs, tests, manufactures, fabricates, or develops critical technology that requires an export license or other approval under the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) for export to the country of the foreign acquirer. This trigger makes the export control classification of the target's technology directly relevant to CFIUS jurisdiction. If exporting the target's product to the buyer's home country would require an EAR or ITAR license, a mandatory CFIUS declaration is required.

Civil monetary penalties for failure to submit a mandatory filing are assessed by the Secretary of the Treasury and can be as large as the value of the transaction. CFIUS also retains jurisdiction to review the transaction post-closing and can require divestiture even after penalties have been assessed. The combination of financial penalty and divestiture risk makes mandatory filing compliance a non-negotiable baseline. Counsel should conduct the mandatory filing analysis early in diligence and document the conclusion regardless of which way it resolves.

6. Voluntary Filings and Why Sophisticated Parties Still File

Most CFIUS filings are voluntary. A transaction that does not trigger mandatory filing obligations may nonetheless present national security considerations that make voluntary filing the prudent course. Voluntary filing provides the only reliable mechanism for parties to obtain CFIUS clearance or mitigation before closing, and cleared transactions receive protection from subsequent CFIUS review absent misrepresentation in the filing.

Sophisticated deal parties choose to file voluntarily when the target operates in a sector with heightened national security sensitivity even if no mandatory trigger technically applies, when the foreign acquirer has a nationality that historically draws CFIUS scrutiny, when the transaction involves technology that is close to the critical technology definition even if not squarely within it, or when the post-closing risk of CFIUS review would create unacceptable operational uncertainty. For a strategic acquirer planning to integrate the target's technology into its global operations, the prospect of a forced divestiture two years after closing is a deal-ending risk.

The voluntary filing decision is also commercially relevant. Sellers evaluating competing offers frequently view the CFIUS risk profile of a foreign buyer as a deal-certainty factor, and a foreign buyer that commits in the purchase agreement to file voluntarily and pursue CFIUS clearance demonstrates seriousness about closing. Lenders and financing sources in leveraged buyouts with foreign equity co-investors also increasingly require CFIUS analysis as a condition of credit committee approval, making voluntary filing not just a legal recommendation but a commercial prerequisite.

A party's decision not to file voluntarily when no mandatory trigger applies is a risk management decision, not a compliance decision. The calculus involves weighing the cost and delay of the review process against the risk that CFIUS will initiate a non-notified review post-closing and impose retroactive conditions or divestiture. In transactions involving TID businesses or real estate proximate to sensitive facilities, the post-closing review risk is real enough that the voluntary filing process is generally the lower-risk path, even when no filing is technically required.

7. Declarations vs Full Notices: Timing and Trade-offs

FIRRMA established two submission options for voluntary and mandatory filings: the short-form declaration and the full notice. Each has distinct procedural requirements, review timelines, and strategic implications. Choosing the correct submission type is one of the most consequential early decisions in the CFIUS process.

A declaration is a summary submission reviewed by CFIUS within 30 business days. At the end of the declaration review period, CFIUS may take one of four actions: clear the transaction, request that the parties file a full notice, initiate a unilateral review without a notice, or take no action. Critically, a "no action" outcome is not a clearance. CFIUS retains jurisdiction to review the transaction in the future under the non-notified framework, meaning that parties who receive a "no action" letter on a declaration do not receive the same protection from subsequent review that a cleared full notice provides.

A full notice is a more comprehensive submission that initiates a 45-calendar-day review period. The notice must include detailed information about the parties, their ownership structures, the transaction terms, the target business's operations, its relationship to customers in sensitive sectors, its export control classification of products and technology, and proposed mitigation measures if applicable. Following the 45-day review, CFIUS may clear the transaction, send it into a 45-day investigation period, or accept a withdrawal and refile by the parties. The investigation period can be extended by an additional 15 days in exceptional circumstances requiring Presidential action. A clearance issued after a full notice process bars future CFIUS review of the same transaction absent misrepresentation.

The declaration pathway is appropriate for transactions with limited national security sensitivity, straightforward ownership structures, and sufficient time in the deal calendar to absorb the possibility that CFIUS converts the declaration to a full notice. The full notice pathway is appropriate when parties require the certainty of a definitive clearance, when the transaction complexity warrants a comprehensive submission, or when the deal timeline cannot absorb the uncertainty of a declaration outcome. In practice, transactions in sensitive sectors with sophisticated foreign acquirers typically proceed by full notice.

8. Foreign Person Definition and Excepted Investor Eligibility

CFIUS jurisdiction applies only to transactions involving a foreign person. Under 31 CFR Part 800, a foreign person is any foreign national, foreign government, or foreign entity, and any entity in which foreign nationals, governments, or entities hold a direct or indirect aggregate interest of 50 percent or more. The definition captures both direct foreign acquirers and domestic entities that are ultimately controlled by foreign persons. A Delaware LLC whose sole member is a Cayman Islands fund whose limited partners are predominantly foreign nationals is a foreign person for CFIUS purposes, regardless of where the LLC is organized.

FIRRMA introduced the excepted investor category, which exempts certain investors from the covered investment filing obligations (though not from control transaction analysis) when they qualify under the excepted foreign state and excepted investor criteria. The current excepted foreign states are Australia, Canada, New Zealand, and the United Kingdom. These states were designated by CFIUS based on treaty relationships, intelligence-sharing arrangements, and the depth of bilateral security cooperation.

Qualifying as an excepted investor requires meeting a multi-factor test at the entity, parent, and beneficial owner levels. The investor entity must be organized in an excepted foreign state or the United States. Each general partner, managing member, or equivalent must be a national of an excepted foreign state or the United States or an entity organized in an excepted foreign state. Each person with a direct or indirect ownership interest of 10 percent or more must be a national of an excepted foreign state or the United States. And the investor must not have been party to a CFIUS mitigation agreement or order within the preceding five years.

The excepted investor analysis requires reviewing the full ownership structure of the investment entity, not merely the entity presenting as the buyer or investor. A fund with one Canadian GP and multiple foreign LPs from non-excepted states may not qualify as an excepted investor if any LP holds a 10 percent or greater interest and is not a national of an excepted state. Fund managers should conduct this analysis at fund formation, update it before each portfolio company transaction, and document the conclusion in writing.

9. Limited Partnership Structures and Passive Investment Exemptions

The CFIUS regulations provide a passive investment exemption for foreign limited partners in investment funds. The exemption applies when the foreign LP's investment is solely through a limited partnership interest, the foreign LP is not the GP, managing member, or equivalent, and the foreign LP does not have the ability to control the fund's investment decisions or access the fund's material nonpublic technical information about portfolio companies. If all of these conditions are met, the foreign LP's participation in the fund does not independently constitute a covered investment, and the fund-level investment is analyzed based on the identity and rights of the fund itself rather than the individual LP.

The passive exemption is narrower than many fund managers initially assume. Standard LP agreement terms that grant foreign LPs access to portfolio company information packages, key person provisions that give LPs consent rights over investment decisions, advisory committee membership, or co-investment rights with separate governance may each independently destroy the passive exemption for that LP. The analysis is fact-specific and depends on the actual terms of the LP agreement and any side letters in effect.

Funds that have accepted foreign LPs without conducting CFIUS analysis at fund close face a more complicated situation when they later make investments in TID businesses. At that point, the fund must assess whether any foreign LP's rights under the LP agreement or any side letter converts what was assumed to be a passive investment into a covered investment requiring analysis. If the fund has already made investments in TID businesses before conducting this analysis, the retroactive coverage issue arises. Proactive LP-level diligence at fund formation is substantially preferable to addressing the question after the portfolio has been assembled.

For new fund formations, counsel should draft LP agreement terms and side letter provisions with the passive exemption parameters in mind. Information rights provisions should exclude material nonpublic technical information of individual portfolio companies. Advisory committee composition should exclude foreign LPs from non-excepted states. Co-investment side letters should not grant foreign LPs governance rights in co-investment vehicles that would not be available at the fund level. These structural choices made at fund close significantly reduce CFIUS exposure across the fund's investment life.

10. 31 CFR Part 802: Real Estate Covered by CFIUS

FIRRMA added a standalone real estate jurisdiction category to CFIUS, implemented at 31 CFR Part 802. Before FIRRMA, real estate transactions were covered by CFIUS only when they were part of a broader business acquisition that constituted a control transaction. After FIRRMA, CFIUS has independent jurisdiction over foreign person acquisitions of covered real estate, defined as real estate at or near specific sensitive government facilities regardless of whether an operating business is being acquired.

Covered real estate is real property in the United States that is, or is located within, close proximity to airports and maritime ports; within a defined distance of certain military installations, government facilities, and sensitive facilities listed in Appendix A to Part 802; or within a one-mile radius of military installations listed in Appendix A at the closest distance tier. The regulations identify facility-specific distance thresholds that vary based on the sensitivity of the installation. For some facilities, the relevant radius is one mile; for others it extends to 100 miles or encompasses specific counties or states.

The Part 802 rules apply to purchases, leases, and concessions, not just outright acquisitions. A foreign person taking a 30-year ground lease on commercial property within one mile of a sensitive military installation has entered into a covered real estate transaction subject to CFIUS voluntary filing. The rules extend to residential as well as commercial property, making them relevant to foreign nationals acquiring homes, vacation properties, and residential developments in proximity to sensitive facilities.

Counsel representing foreign persons in any U.S. real estate transaction should conduct a Part 802 proximity analysis as a routine step in diligence. The CFIUS mapping tool and Appendix A facility list provide the necessary reference data. Several states have enacted their own restrictions on foreign person real property ownership near military installations, creating a parallel state-law compliance obligation that overlaps with but is distinct from the federal CFIUS framework. The state statutes vary widely in scope and enforcement mechanism.

11. Risk Factors the Committee Weighs

CFIUS evaluates national security risk along several dimensions that are identified in the statutory text and elaborated in the Committee's public guidance, annual reports, and non-public review practice. Understanding the risk framework helps parties assess the probability of mitigation demands and structure voluntary disclosures that proactively address the concerns most likely to arise in the specific transaction.

The primary risk factors include the nationality of the foreign acquirer and the extent of foreign government involvement in its ownership or control; the nature of the target business's technology and whether it has dual-use or inherently military applications; the target's existing relationships with U.S. government customers and the classification level of information to which the target has access; the target's export control compliance history and the sensitivity of its export-controlled items; the sensitivity and volume of personal data the target collects; the target's proximity to sensitive military, intelligence, or critical infrastructure facilities; and the degree to which the transaction would give the foreign person access to supply chains that the U.S. government relies upon.

Country-of-origin risk is significant. CFIUS historically devotes the most intensive scrutiny to transactions involving persons from China, Russia, Iran, North Korea, Cuba, and Venezuela, reflecting executive branch designations and statutory provisions. Transactions with European or allied-nation acquirers that do not have government ownership receive lighter scrutiny as a general matter, though individual deal characteristics can change that calculus regardless of acquirer nationality.

The Committee also weighs aggregate effects. A foreign person that has made multiple minority investments in related U.S. businesses may be evaluated on a portfolio basis if the combined investments provide a comprehensive view of a sensitive technology sector or supply chain, even if each individual investment was non-controlling and below mandatory filing thresholds. This pattern-of-investment analysis is reflected in CFIUS's annual reporting and in publicly available enforcement actions.

12. Mitigation: National Security Agreements, Proxy Boards, Firewalls

When CFIUS identifies national security concerns but does not recommend blocking a transaction, it typically conditions clearance on the execution of a mitigation agreement. Mitigation agreements are binding contracts between the parties (or sometimes unilaterally imposed on the parties by the Committee) that establish ongoing obligations designed to address the identified security risks. The most common forms are National Security Agreements, proxy board or Special Security Agreement arrangements, and facility-level security plans or operating procedures.

A National Security Agreement is a comprehensive agreement signed by CFIUS, the U.S. business, and typically the foreign acquirer, imposing obligations in areas such as: limiting foreign person access to the target's facilities, personnel, technology, and information systems; requiring security plans for the protection of sensitive technology; maintaining the U.S. business as a going concern with U.S. citizen personnel in key positions; providing annual compliance certifications to CFIUS; and submitting to audit by CFIUS-appointed security monitors. NSAs address situations where the foreign person retains control of the U.S. business but CFIUS requires structural constraints on that control to protect national security.

A proxy board or Special Security Agreement is a more intensive mitigation structure used when the target holds classified government contracts or accesses particularly sensitive technology. Under a proxy board arrangement, an independent board composed entirely of cleared U.S. citizens exercises all governance authority over the U.S. business, effectively interposing a firewall between the foreign acquirer and the cleared operations. The proxy board members owe fiduciary duties to CFIUS and to the government customers rather than to the foreign owner, and the foreign acquirer's governance rights are reduced to residual economic interests. DSS (now DCSA) administers proxy board arrangements for companies that hold facility security clearances.

Parties entering mitigation negotiations should approach the process with a clear understanding of the operational and financial costs of proposed mitigation measures. An NSA requiring dedicated secure facilities, U.S.-only technical personnel, and annual third-party security audits imposes material ongoing costs that affect the economics of the acquisition. Mitigation terms that are operationally incompatible with the target's business model can effectively negate the strategic rationale for the transaction, which is why experienced CFIUS counsel engages in mitigation negotiations before the Committee formalizes its position.

13. Integration with FOCI Mitigation for Cleared Contractors

Foreign Ownership, Control, or Influence, known as FOCI, is the national industrial security framework administered by the Defense Counterintelligence and Security Agency that applies to U.S. government contractors holding facility security clearances. A company subject to FOCI, meaning it is owned or controlled by a foreign person or subject to foreign influence, may not hold a facility security clearance in the cleared state without an approved FOCI mitigation agreement. The interplay between CFIUS and FOCI is one of the most complex regulatory overlaps in cross-border M&A involving defense contractors.

CFIUS review of a transaction involving a cleared contractor triggers parallel FOCI review by DCSA. The two processes are related but not identical. CFIUS evaluates the transaction from a national security investment perspective and may impose mitigation conditions on the parties as a condition of clearance. DCSA evaluates whether the post-closing ownership structure is consistent with the company maintaining its facility security clearance and may require a FOCI mitigation agreement as a condition of clearance continuity. The FOCI mitigation agreement, typically a Board Resolution, Security Control Agreement, Special Security Agreement, or proxy board, must be approved by DCSA before the transaction can close if the target holds classified contracts.

The CFIUS mitigation agreement and the FOCI mitigation agreement are negotiated with different agencies on different timelines, but the substantive terms are related and sometimes duplicative. A proxy board required by DCSA to maintain facility security clearance continuity is also the form of mitigation CFIUS typically imposes on transactions involving classified operations. The practical challenge is coordinating the two approval processes so that both agreements are finalized before closing without one becoming a condition that delays the other. Counsel handling both processes simultaneously must maintain clear communication lines with Treasury, DCSA, and the classified customer program offices that have independent equities in the outcome.

Companies that do not currently hold facility security clearances but operate in proximity to the cleared defense industrial base should assess whether their technology, personnel, or operational relationships would trigger FOCI concerns if a foreign acquirer entered the ownership structure. The analysis is not limited to formal clearance holders. Contractors with access to unclassified controlled technical information, or that subcontract to cleared primes, may face FOCI considerations that affect the CFIUS risk profile of a transaction even without a formal facility clearance on the target's DD Form 254.

14. Abandonment, Divestiture, and Presidential Action Authority

CFIUS does not itself have authority to block a transaction or order a divestiture. The Committee may recommend action to the President, and the President has authority under Section 721 of the Defense Production Act to prohibit or suspend any covered transaction that threatens to impair national security and for which no mitigation can adequately address the risk. Presidential action may take the form of a prohibition order before closing, a suspension order during the review period, or a divestiture order requiring a foreign person to unwind a previously completed acquisition.

In practice, CFIUS uses the threat of referral to the President as leverage to obtain mitigation agreements or to induce the parties to abandon transactions voluntarily. When CFIUS staff inform the parties that the Committee is prepared to recommend Presidential action, the parties must decide whether to accept proposed mitigation conditions, restructure the transaction, or withdraw the filing and abandon the deal. Most contested transactions resolve through mitigation or abandonment rather than formal Presidential action, because a Presidential order creates legal and reputational complications that both parties generally prefer to avoid.

The Ralls Corporation case, decided by the D.C. Circuit in 2014, established that a party subject to a Presidential divestiture order has constitutional due process rights: the right to notice of the unclassified basis for the order and a meaningful opportunity to respond. The decision did not give courts authority to second-guess the substantive merits of a Presidential national security determination, but it imposed procedural requirements on the process leading to the order. Post-Ralls, CFIUS practice in contested transactions includes more structured notice-and-comment procedures before the President acts.

From a deal-structuring perspective, Presidential action authority is the reason CFIUS conditions in purchase agreements must be carefully drafted. The agreement should address the outside date for CFIUS clearance, the obligations of the parties to cooperate with CFIUS, the circumstances under which either party may exercise a CFIUS termination right, and the reverse termination fee payable if the buyer's CFIUS risk causes the deal to fail. Sellers negotiating with foreign acquirers in sensitive sectors should insist on a reverse termination fee structure that provides adequate compensation if CFIUS blocks the transaction, because deal failure attributable to the buyer's foreign status is a risk the seller has accepted by choosing that buyer.

15. Non-Notified Transactions and the Retroactive Review Risk

CFIUS has authority to review any covered transaction at any time, including transactions that closed without a filing. This retroactive jurisdiction is one of the most significant risk factors for foreign persons that have made acquisitions of or investments in U.S. businesses without conducting CFIUS analysis or filing voluntarily. The non-notified transaction program is CFIUS's mechanism for identifying, reviewing, and taking action on covered transactions that were never submitted to the Committee.

CFIUS identifies potential non-notified transactions through multiple channels: reviews of public records including SEC filings, state business registrations, patent records, and government contract databases; referrals from member agencies that become aware of concerning foreign investments through other regulatory or national security processes; tips from industry participants and intelligence sources; and systematic review of news and commercial data sources covering investment activity in sensitive sectors. The program is more active than it was before FIRRMA, and CFIUS has publicly noted its expanded resources for non-notified transaction monitoring.

When CFIUS initiates a non-notified review, it sends a letter to the parties requesting information about the transaction. The parties must respond within the specified timeframe and may be required to submit a formal notice. The review then proceeds as a standard notice review, but the parties are disadvantaged by not having shaped the record from the outset. Retroactive divestiture orders, while relatively rare, have been issued in notable cases involving real estate near military installations and technology transactions that were not filed at the time of closing.

Foreign persons conducting portfolio reviews of existing U.S. investments should assess whether any holdings constitute covered transactions that were not filed and whether the business operations have expanded in ways that would heighten CFIUS concern since the time of acquisition. Proactive voluntary filing for a non-notified transaction, while uncommon, is sometimes advisable when a party identifies a high-risk situation and prefers to engage with CFIUS on its own terms rather than await a government-initiated review.

16. Interplay with Export Controls (ITAR and EAR)

Export controls and CFIUS are distinct legal regimes administered by different agencies, but they intersect in ways that make simultaneous compliance analysis essential for any cross-border transaction involving technology products, software, or services. The State Department administers the International Traffic in Arms Regulations (ITAR) under the Arms Export Control Act, governing defense articles and defense services on the United States Munitions List. The Commerce Department administers the Export Administration Regulations (EAR) under the Export Control Reform Act, governing dual-use items on the Commerce Control List.

The CFIUS mandatory filing trigger for critical technology expressly incorporates the export control frameworks. If a target's products or technology require a State Department license for export to the foreign acquirer's home country under ITAR, or require a Commerce Department license under EAR based on the acquirer's country of destination and the Export Control Classification Number of the item, the acquisition is likely a critical technology covered transaction subject to mandatory CFIUS filing. This means that a target company's export control classification directly determines its CFIUS filing obligations.

Beyond the filing trigger, the transaction itself may constitute an export under the deemed export rules. When a foreign national gains access to technology or software that is subject to EAR or ITAR controls, that access may constitute a deemed export to the foreign national's country of citizenship, regardless of whether the technology physically crosses a border. A foreign acquirer who gains access to the target's controlled technology as a result of the acquisition may need to obtain an export license or establish an approved technology control plan before accessing the controlled items. This deemed export analysis should be conducted as part of the CFIUS jurisdictional analysis, not separately after CFIUS clearance.

Transactions involving ITAR-controlled items present heightened complexity because ITAR requires State Department review of certain proposed changes in foreign ownership or control of ITAR-registered companies. The State Department's Directorate of Defense Trade Controls may require notification or approval of the transaction independent of CFIUS review. Counsel should therefore map the regulatory approvals required: CFIUS, DDTC notification or approval, EAR deemed export analysis, and any DCSA FOCI mitigation for cleared contractors, and sequence them appropriately in the deal calendar.

17. Deal-Agreement Mechanics: Outside Date, Reverse Termination Fee, Efforts

The CFIUS condition in a purchase agreement requires careful drafting that accounts for the unpredictability of the review timeline, the range of possible outcomes, and the allocation of CFIUS-failure risk between buyer and seller. The three core drafting issues are the outside date for CFIUS clearance, the buyer's obligations to pursue clearance (the efforts standard), and the reverse termination fee payable if the transaction fails due to CFIUS.

The outside date must be set realistically given the potential timeline of the applicable filing type. A full notice process can run 45 days plus a 45-day investigation plus 15 days plus any mitigation negotiation period, meaning that from filing to clearance, 6 to 9 months is a realistic planning horizon for complex transactions. The purchase agreement should include automatic outside date extension provisions tied to the pendency of active CFIUS review, so that a transaction does not lapse simply because the regulatory process runs longer than initially anticipated. Outside dates that are too short relative to the CFIUS timeline create leverage problems for sellers and may force parties into renegotiation during the review period.

The efforts standard applicable to CFIUS obligations is often more heavily negotiated than the outside date itself. Sellers typically seek best efforts or hell-or-high-water commitments from buyers to pursue CFIUS clearance, including accepting mitigation conditions, providing required information, and not abandoning the filing. Buyers resist obligations that would require them to accept mitigation conditions that make the acquisition economically unattractive, such as accepting a proxy board that removes all foreign governance rights over the acquired business. The negotiated compromise typically involves a qualified efforts standard that obliges the buyer to accept mitigation conditions up to a defined threshold, with termination rights if CFIUS demands conditions beyond that threshold.

Reverse termination fees in CFIUS-risk transactions serve a different function than the reverse termination fees used in financing-risk transactions. A CFIUS reverse termination fee compensates the seller for deal failure attributable to the foreign buyer's CFIUS risk profile, which the seller accepted when it chose to enter into an agreement with that buyer. The fee should be calibrated to the probability and magnitude of CFIUS failure, the seller's opportunity cost of taking the business off the market during the review period, and the cost to the seller of any interim operating covenant restrictions during the review process.

18. Interim Operating Covenants During Review

The period between signing and CFIUS clearance requires the target business to operate in a manner that preserves the transaction's value and maintains compliance with any pre-closing conditions imposed by CFIUS, the purchase agreement, or applicable law. Interim operating covenants are the contractual mechanism for managing this period. They obligate the seller to maintain the target business in ordinary course, restrict certain actions without buyer consent, and in the CFIUS context, may impose additional restrictions specific to the national security review.

CFIUS sometimes imposes pre-closing interim conditions as a component of the review process, particularly for transactions with elevated national security sensitivity. These conditions may require the parties to maintain separation between the target's sensitive operations and the foreign buyer's personnel, limit the foreign buyer's access to the target's facilities and information systems pending clearance, and ensure that changes to the target's export-controlled technology, government contracts, or security clearances do not occur without CFIUS awareness. These interim conditions operate alongside the contractual interim covenants and must be coordinated with them.

For targets with government contracts, the interim period also requires management of customer notification obligations. Certain government contracts require the contractor to notify the contracting officer of a change in ownership or control above defined thresholds. The notification obligation may arise before CFIUS clearance, and managing the timing and content of customer notifications to avoid disrupting CFIUS review requires coordination between M&A counsel, government contracts counsel, and in some cases the relevant program offices of the government customer.

Sellers negotiating interim covenants for CFIUS-reviewed transactions should account for the fact that the review period may be substantially longer than in a domestic transaction. Ordinary course covenants drafted for a 60-day domestic transaction timeline may create operational constraints if the CFIUS review extends to 6 months. Carve-outs for emergency actions, regulatory compliance, and responses to government customer requirements should be drafted with sufficient flexibility to accommodate the extended review horizon that CFIUS transactions often require.

19. Outbound Investment Review and Newer Executive Order Regimes

CFIUS governs inbound foreign investment into the United States. A distinct but related regulatory development addresses the opposite concern: U.S. investment flowing outward into foreign companies operating in sectors with national security implications. Executive Order 14105, signed in August 2023, directed the Treasury Department to establish a program regulating outbound U.S. investments in Chinese entities in three designated sectors: semiconductors and microelectronics, quantum information technologies, and artificial intelligence systems.

The outbound investment regulations, implemented through Treasury final rules effective January 2025, establish two categories of covered transactions. Prohibited transactions are investments by U.S. persons in Chinese entities involved in specified activities within the three covered sectors, such as developing advanced integrated circuits above defined node thresholds, developing quantum computers, or training AI models using defined computing thresholds for certain military or surveillance applications. Notifiable transactions are investments in covered sectors that fall below the prohibition threshold but above a notification floor. U.S. persons making notifiable transactions must file a notification with Treasury within 30 days of closing.

The outbound investment program applies to U.S. persons, defined broadly to include U.S. citizens, lawful permanent residents, entities organized under U.S. law, and persons in the United States. U.S.-organized private equity funds and venture capital funds are U.S. persons for this purpose, regardless of where their capital or LP base originates. A U.S. fund making a covered investment in a Chinese semiconductor company may be required to notify Treasury or may be prohibited from making the investment entirely, depending on the nature of the Chinese company's activities.

The outbound investment program represents a significant expansion of the national security framework beyond CFIUS's traditional inbound jurisdiction. Counsel advising U.S. investment funds with Asia-Pacific mandates should treat outbound investment compliance as a standing diligence obligation, not a one-time analysis. The covered sector definitions are detailed and require fact-specific application to each proposed portfolio company investment, and the prohibited transaction categories include covered transactions structured through third-country entities or funds when the economic exposure ultimately flows to a Chinese covered national entity.

20. Post-Closing Compliance and Monitor Engagement

CFIUS clearance through a mitigation agreement is not a final resolution of the regulatory relationship between the parties and the Committee. National Security Agreements and comparable mitigation instruments impose ongoing obligations that continue for the life of the agreement, which typically runs until CFIUS determines that the underlying national security concerns no longer exist or that the foreign person has divested its interest in the U.S. business. Post-closing compliance with NSA obligations is monitored by CFIUS through self-reporting mechanisms, independent security monitors, and CFIUS-conducted site visits.

Annual compliance certifications are a standard requirement in NSAs. The U.S. business and often the foreign acquirer must submit annual certifications to CFIUS confirming that each obligation under the NSA has been met during the preceding year. The certification process requires the business to conduct an internal compliance review, document the status of each obligation, and identify any known violations or near-misses for disclosure. Material violations of NSA obligations can result in civil penalties, additional mitigation conditions, or in extreme cases, referral to the President for divestiture action.

Security monitors appointed under NSAs are independent third parties, typically former senior government officials or cleared professionals with national security expertise, who are authorized to review the U.S. business's compliance with NSA obligations, access the business's facilities and records, and report to CFIUS on the business's compliance status. The cost of monitor engagement is borne by the parties, not the government, and for complex NSAs with intensive monitoring requirements, this cost can be substantial on an ongoing basis. Parties should model monitor costs into the post-closing economics of the transaction before accepting monitoring obligations as mitigation conditions.

Changes in the business after closing can reopen CFIUS engagement even for previously cleared transactions. If the U.S. business expands into new technology areas, acquires a new company, changes its ownership structure, adds new government contracts at sensitive classification levels, or experiences a cybersecurity incident affecting data covered by the NSA, the business should assess whether the change requires notification to or approval by CFIUS under the terms of the mitigation agreement. NSAs typically include a change-of-control provision requiring prior CFIUS approval of any further transfer of the U.S. business to another foreign person, meaning that secondary transactions in the cleared company are also subject to CFIUS oversight.

Frequently Asked Questions