Facility Security Clearances and FOCI Mitigation in Government Contractor M&A: A Practical Guide

Acquisitions of companies holding facility security clearances (FCLs) granted by the Defense Counterintelligence and Security Agency (DCSA) require a layer of regulatory planning that does not exist in commercial M&A. The National Industrial Security Program Operating Manual (NISPOM), implemented through 32 CFR Part 117, governs the conditions under which cleared contractors may access classified information, and it imposes specific obligations on contractors and their owners when a change of ownership occurs. Those obligations include timely reporting to DCSA, potential regranting of the FCL, and, where the acquiring entity has any foreign nexus, a determination of whether foreign ownership, control, or influence (FOCI) exists and what mitigation is required to preserve clearance access.

This sub-article is part of the Government Contractor M&A: Novation, Clearances, and Federal Compliance in Acquisitions guide. It addresses in practical detail how clearance and FOCI considerations are integrated into deal structure and execution: the DCSA and NISPOM regulatory framework; change-of-condition reporting requirements; FCL carryover and invalidation mechanics; personnel clearance portability; what triggers a FOCI determination; the full range of FOCI mitigation instruments and how they operate; coordination between DCSA and CFIUS; the purchase-agreement mechanics that protect both parties against clearance failure; and transition planning and ongoing NISPOM compliance after closing.

Acquisition Stars advises buyers and sellers on government contractor acquisitions involving classified contracts, FCL continuity, and FOCI mitigation. Nothing in this article constitutes legal advice for any specific transaction.

Why Clearances Drive Federal Contractor Deal Structure

A facility security clearance is not a transferable asset in the conventional sense. It is an administrative determination by DCSA that a particular legal entity at a particular location, operated by particular individuals, meets the criteria to access classified information at a specified classification level. When ownership of that entity changes, the predicate for the clearance determination changes, and DCSA must reassess whether the new ownership structure is consistent with continued clearance access.

This creates deal-structuring pressure that is unlike most other regulatory approval processes in M&A. The FCL is not a license that can be assigned or novated to a new owner. The acquiring entity must either inherit the clearance through a structure that DCSA treats as continuous (which is only available in asset acquisitions under certain conditions and in stock acquisitions where the cleared legal entity survives unchanged), or pursue a new or regranted FCL, which takes time and carries the risk of a gap in classified contract performance during the review period. A performance gap on a classified contract can trigger stop-work orders, contract default provisions, and loss of program access that is difficult to recover after the fact.

For deals involving contractors with Top Secret and higher clearances, access to Sensitive Compartmented Information (SCI) programs, or Special Access Programs (SAPs), the stakes are higher still. Those access levels are not managed through the standard FCL system and require separate notifications and approvals from cognizant program authorities that operate on their own timelines. A buyer who understands only the FCL dimension of the clearance picture may be surprised by the additional administrative burden associated with maintaining SCI and SAP program access through a change of ownership.

The practical implication for deal structuring is that the clearance posture of the target must be understood in full before the parties can rationally structure representations, warranties, closing conditions, and post-closing covenants. Buyers who treat clearances as a post-closing integration item rather than a pre-signing diligence priority regularly encounter consequences that were avoidable with earlier engagement.

The DCSA, NISPOM, and 32 CFR Part 117 Framework

The Defense Counterintelligence and Security Agency is the cognizant security authority for most cleared defense contractors. DCSA administers the National Industrial Security Program (NISP), which is the federal framework that governs contractor access to classified information. The NISP is implemented through the National Industrial Security Program Operating Manual (NISPOM), which was incorporated by reference into federal regulation at 32 CFR Part 117 through a 2020 final rule that gave the NISPOM the force of law.

Prior to the 2020 rule, the NISPOM was a contractual requirement incorporated into classified contracts but not a direct regulatory obligation. The incorporation into 32 CFR Part 117 made NISPOM compliance a standalone regulatory requirement enforceable by DCSA independent of any specific contract, which materially expanded DCSA's enforcement authority and the consequences of noncompliance. Contractors are now subject to DCSA's administrative authority as a matter of regulation, not merely by contract.

The NISPOM addresses every aspect of a cleared contractor's security obligations: physical security of classified information, personnel security for individuals accessing classified information, information system security for systems processing classified data, subcontract security requirements, international security requirements for foreign national visits and assignments, and the change-of-condition reporting requirements that are central to any change-of-ownership analysis. The Facility Security Officer (FSO) at a cleared contractor is the primary point of contact with DCSA and bears responsibility for implementing the contractor's NISPOM obligations.

In addition to 32 CFR Part 117, relevant regulatory authority includes the cognizant security agency agreements that govern contractors with classified contracts awarded by agencies other than the Department of Defense, the Director of National Intelligence security standards applicable to contractors with SCI accesses, and the SAP security policy documents applicable to contractors with special access program participation. Each of these frameworks interacts with the standard DCSA FCL process but is administered separately.

Change-of-Condition Reporting Timeline and Content

NISPOM requires cleared contractors to report to DCSA any change in condition that could affect the contractor's ability to maintain its security clearance or that could affect DCSA's prior determinations about the contractor's eligibility. A change in ownership is among the most significant reportable changes, and the NISPOM requires that such changes be reported to DCSA as soon as they are known, in advance of the actual change whenever practicable.

The reporting obligation falls on the cleared contractor (the target), not the acquiring entity. The FSO is responsible for preparing and submitting the report to DCSA, typically through the NISP Contract Classification System (NCCS) or directly to the contractor's assigned DCSA industrial security representative. The report must describe the nature of the proposed change, the identity of the proposed new owners, the ownership structure after closing (including any foreign ownership interests), and the anticipated closing date. DCSA uses this information to assess whether FOCI is implicated and to begin any required review before closing.

The DD Form 441 (Department of Defense Security Agreement) executed by the cleared contractor at the time the FCL was granted requires the contractor to notify DCSA of changes in ownership and to cooperate with DCSA's review. Contractors who fail to notify DCSA in a timely manner or who provide incomplete or inaccurate information risk adverse FCL action, including suspension or termination of the clearance.

The content of the change-of-condition report should be developed in consultation with M&A counsel who understands both the NISPOM reporting obligations and the deal confidentiality constraints. Some information about proposed transactions is material nonpublic information, and care must be taken to ensure that disclosures to DCSA are appropriately scoped and that the contractor's legal obligations to maintain deal confidentiality are preserved to the extent permitted by the regulatory reporting requirements.

FCL Carryover, Invalidation, and Re-Grant

Whether an FCL carries over to a new owner or must be regranted depends primarily on the transaction structure and whether the cleared legal entity continues to exist in its current form after closing. In a stock acquisition where the buyer purchases 100% of the equity in the cleared entity and the entity continues to operate as the same legal person, the FCL is associated with that legal entity and can in theory remain in place while DCSA reviews the change of ownership. This is the most favorable structure from a clearance continuity perspective, subject to FOCI analysis.

In an asset acquisition, the buyer is acquiring a bundle of assets, not equity in the cleared entity. The cleared entity's FCL does not transfer with the assets because the FCL belongs to the entity, not the assets. The buyer must apply for a new FCL for the entity that will employ the cleared employees and perform the classified contracts. This application process takes time, during which the buyer's entity is not authorized to access classified information. The parties must plan for this gap and address it in the purchase agreement through provisions that allow the target entity to continue performing classified work for a defined transition period, subject to contracting officer consent and novation or assignment arrangements.

DCSA may grant a temporary FCL determination allowing a contractor to continue accessing classified information during the pendency of a full clearance review associated with a change of ownership. Temporary determinations are not guaranteed and are subject to DCSA's assessment of the urgency of the contractor's classified performance requirements and the completeness of the information submitted. Where FOCI is identified, DCSA typically will not grant a temporary determination until a FOCI action plan or interim mitigation measure is in place.

FCL invalidation, the formal termination of an FCL, occurs when DCSA determines that the conditions for clearance eligibility are no longer met and that no mitigation instrument is available or adequate to address the disqualifying condition. Invalidation is distinct from voluntary termination and carries implications for the contractor's ability to obtain a new FCL in the future. In a change-of-ownership context, invalidation is a disfavored outcome that experienced counsel works to avoid through early DCSA engagement and proactive mitigation planning.

Personnel Clearance Portability and Adjudication Triggers

Individual personnel clearances (PCLs) are maintained in the Defense Information System for Security (DISS) and are associated with the cleared individual, not the employer. When an employee moves from one cleared contractor to another, the new employer typically can access the individual's existing clearance record and activate the clearance for the new employment without initiating a full re-investigation, provided the clearance is current and no reinvestigation trigger has been activated. This portability feature is important in M&A transactions where cleared employees move to a new entity as part of the deal.

A change of ownership can activate reinvestigation triggers for individuals in certain circumstances. If the ownership change results in the individual being employed by an entity with a materially different FOCI profile than the predecessor, or if the ownership change affects the cleared facility at which the individual is working in ways that DCSA views as requiring reassessment of the individual's access, DCSA may require updated personal history information or initiate a reinvestigation. Reinvestigations take time and can result in interim suspensions of access pending completion.

The Facility Security Officer at the acquiring entity must ensure that all cleared employees who are transferred or retained in connection with the acquisition are properly reported in DISS under the new entity and that any required notifications to DCSA about changes in the cleared workforce are submitted promptly. The FSO is also responsible for ensuring that employees who held clearances under the predecessor entity are properly re-affiliated with the new entity's FCL and that their access authorizations are current.

Key Management Personnel (KMP) whose positions are designated under a FOCI mitigation instrument are subject to additional certification requirements. Each KMP must be a U.S. citizen, must have or be able to obtain a security clearance commensurate with the classified access at the facility, and must certify annually to the mitigation instrument's requirements. Changes in KMP composition must be reported to DCSA, and replacements must be processed and approved before the departing KMP leaves the designated position.

What Counts as FOCI: The Five Factors

FOCI exists when a foreign interest has the capability and intent to exercise influence over a cleared contractor's management or operations in a manner that may be contrary to U.S. national security interests. The NISPOM and DCSA's administrative guidance identify five primary factors that DCSA considers in determining whether FOCI exists: foreign ownership (direct or indirect), foreign control, foreign influence, and the nature and extent of each.

Foreign ownership is the most straightforward trigger. Any foreign person or foreign government entity that holds ownership interests in the cleared contractor or its parent companies is examined. The analysis looks through layers of corporate structure to identify all beneficial owners, which means that a fund with foreign limited partners, a domestic holding company with a foreign parent, or a publicly traded company with significant foreign institutional ownership are all subject to FOCI scrutiny. There is no statutory bright-line threshold below which foreign ownership categorically avoids FOCI, though DCSA's practice gives less weight to diffuse foreign ownership in widely traded public companies.

Foreign control encompasses any foreign person's ability to direct decisions affecting the contractor's management or operations. Board seats held by foreign nationals, veto rights held by foreign investors, management consultation rights in LP agreements or shareholder agreements, and contractual rights allowing a foreign party to approve strategic decisions are all forms of foreign control. Even indirect control, such as the ability to appoint or remove board members, can constitute FOCI if exercised by a foreign person.

Foreign influence is the broadest factor and captures relationships that fall short of direct control but that give a foreign party leverage over the contractor's decisions. Examples include: debt financing from a foreign lender with restrictive covenants; exclusive licensing arrangements with foreign IP holders; technology assistance agreements with foreign companies; and significant dependence on foreign-controlled supply chains or customer relationships. The inquiry is whether the foreign relationship, viewed as a whole, creates a meaningful risk that the contractor's decisions about classified programs could be influenced by foreign interests.

Choosing the Right FOCI Mitigation Instrument

When DCSA determines that FOCI exists, it assesses whether mitigation is possible and, if so, what instrument is required to adequately negate the foreign influence. DCSA has developed a range of mitigation instruments that correspond to the severity of the FOCI condition, the classification levels involved, and the nature of the classified programs at the facility. The instruments, in ascending order of restrictiveness, are: Board Resolution, Special Security Agreement (SSA), Security Control Agreement (SCA), Proxy Agreement, and Voting Trust.

The choice of instrument is not entirely within the parties' control. DCSA makes the determination of which instrument is adequate based on its own analysis of the FOCI condition. However, the parties can influence the outcome by proactively engaging with DCSA early in the process, presenting a thorough and well-organized FOCI mitigation proposal, and demonstrating that the proposed instrument is operationally viable and will genuinely negate the foreign influence. DCSA is more likely to accept a less restrictive instrument when the parties can demonstrate that the foreign ownership is passive, lacks governance rights, and poses minimal risk of influence over the contractor's classified work.

The operational consequences of the mitigation instrument chosen have direct effects on the buyer's ability to integrate the target into its business. A Board Resolution typically imposes few operational constraints beyond the board governance requirements. An SSA requires a government security committee on the board with authority over all classified matters, which limits the parent's ability to direct the subsidiary's classified operations. A Proxy Agreement or Voting Trust effectively transfers operational control of the contractor to U.S. citizen proxies or trustees, which can significantly restrict the buyer's ability to manage the cleared entity as an integrated business unit.

The buyer's business case for the acquisition must be evaluated against the operational constraints imposed by the likely mitigation instrument. A strategic buyer who plans to integrate the target's classified programs into its own operations may find that a Proxy Agreement prevents the integration it expected. A financial buyer who intends to operate the target as a standalone entity may find that an SSA is manageable. The deal rationale and the mitigation instrument must be analyzed together, not sequentially.

Board Resolutions and SSAs in Practice

A Board Resolution is the least restrictive FOCI mitigation instrument and is available when the foreign ownership interest is limited, the foreign owner has no governance rights beyond routine investor protections, and the classification levels at the facility are relatively low. Under a Board Resolution, the contractor's board adopts a resolution acknowledging the NISPOM's requirements and committing that the board will not take any action that would result in a violation of the contractor's security obligations or allow a foreign interest to gain access to classified information. The board resolution is filed with DCSA and becomes part of the contractor's clearance record.

The Board Resolution instrument does not require any changes to the contractor's board composition or governance structure beyond the resolution itself. It is appropriate where the foreign ownership is genuinely passive, the foreign owner does not have board representation or management rights, and the classification profile of the facility does not include Top Secret Sensitive Compartmented Information (TS/SCI) or particularly sensitive SAP programs. DCSA may require annual recertification of compliance with the Board Resolution commitments.

A Special Security Agreement is required when the FOCI condition is more significant than a Board Resolution can adequately address, typically where the foreign owner holds board seats, has management rights, or the facility has higher-level classified programs. Under an SSA, the contractor must establish a Government Security Committee (GSC) consisting of U.S. citizen directors or officers with the authority to oversee all classified work and to take action to prevent unauthorized foreign access to classified information. The GSC members must have or obtain security clearances appropriate to the classification level of the facility.

The SSA specifies the composition and authority of the GSC, the procedures for GSC meetings and decisions, the reporting obligations to DCSA, and the restrictions on the foreign owner's participation in decisions affecting classified operations. Parent company employees who are foreign nationals are excluded from access to the subsidiary's classified operations, and the GSC has authority to override parent company directives that would impair classified contract performance or compromise NISPOM compliance. The operational dynamics of managing a cleared subsidiary under an SSA require careful attention to governance design during the deal process.

Proxy Agreements, Voting Trusts, and SCAs for Controlled Transactions

A Security Control Agreement (SCA) is used when the FOCI condition involves significant foreign ownership combined with the contractor's access to proscribed information categories (such as certain nuclear, chemical, or biological weapons-related classified programs) that require the most stringent mitigation. The SCA combines elements of the SSA with additional restrictions tailored to the specific proscribed information access and requires DCSA approval of any changes to the contractor's business operations that could affect classified program access.

A Proxy Agreement is one of the two most restrictive FOCI mitigation instruments and is required when the foreign ownership interest is substantial enough that an SSA is insufficient to negate the foreign influence. Under a Proxy Agreement, the foreign owner's voting rights over the cleared contractor are assigned to U.S. citizen proxies who exercise those rights independently of the foreign owner. The proxies are approved by DCSA and have fiduciary duties to manage the contractor in a manner consistent with the NISPOM. The foreign owner retains economic ownership but surrenders operational and governance control to the proxies.

A Voting Trust is substantively similar to a Proxy Agreement but is structured as a trust arrangement rather than a proxy authorization. The foreign owner transfers the voting securities into a trust managed by U.S. citizen trustees approved by DCSA. The trustees exercise all voting rights and governance authority over the contractor, and the foreign owner's rights are limited to economic distributions from the trust. Voting Trusts are used in the most sensitive contexts and are frequently required when the foreign owner is a foreign government entity or when the contractor accesses particularly sensitive classified programs.

In practice, Proxy Agreements and Voting Trusts significantly constrain the acquirer's ability to operate the cleared contractor as an integrated subsidiary. The proxies or trustees have independent authority and obligations that cannot be overridden by the foreign owner, which means the buyer effectively cedes operational control of the cleared entity to government-approved U.S. citizens. This structure is workable for financial buyers who intend the cleared entity to operate as a standalone business, but creates real complications for strategic acquirers seeking operational integration.

Coordinating FOCI Review with CFIUS

CFIUS and DCSA are distinct regulatory bodies with different statutory mandates, different legal standards, and different review processes. CFIUS reviews transactions under Section 721 of the Defense Production Act for national security implications of foreign investment, with authority to impose mitigation conditions, unwind transactions, or prohibit them. DCSA reviews cleared contractors for FOCI under NISPOM and 32 CFR Part 117 and has authority to require FOCI mitigation instruments or terminate FCLs.

The two processes interact on transactions where the acquiring entity has a foreign nexus. CFIUS voluntary filings for transactions involving government contractors with classified contracts are strongly advisable even when not technically mandatory, because CFIUS has independent authority to review and potentially require unwinding of non-notified transactions for up to five years after closing. A National Security Agreement negotiated as a CFIUS mitigation condition may address some of the same concerns that DCSA would raise in a FOCI review, and DCSA participates in the CFIUS interagency review process as an agency with subject-matter expertise.

Despite this coordination, a CFIUS approval and a CFIUS National Security Agreement do not satisfy DCSA's FOCI determination and do not substitute for a FOCI mitigation instrument. DCSA must conduct its own analysis and reach its own conclusion about the adequacy of mitigation for NISPOM purposes. In some cases, the FOCI mitigation instrument negotiated with DCSA and the National Security Agreement negotiated with CFIUS are harmonized to avoid conflicting requirements, but this harmonization must be actively managed by counsel coordinating between the two processes.

Deal timelines on transactions involving both CFIUS and DCSA review must account for the possibility that the two processes proceed on different schedules. CFIUS reviews have statutory timelines (30-day initial review, 45-day investigation, 15-day Presidential review period) that can be extended by agreement or by the parties withdrawing and refiling. DCSA FOCI reviews have no fixed statutory timeline and depend on the complexity of the FOCI condition and the adequacy of the information submitted. Buyers should plan for the possibility that DCSA's FOCI process extends well beyond the CFIUS timeline.

Purchase-Agreement Protections Against Clearance Failure

The purchase agreement in a government contractor acquisition must address clearance risk with specificity. Generic representations about regulatory compliance are insufficient in transactions where the FCL is a material business asset. The representations and warranties should specifically represent the current status of each FCL held by the target, identify all classified contracts tied to each clearance level, confirm that no change-of-condition reports are pending, and disclose any prior DCSA adverse determinations, security incidents, or administrative actions that could affect clearance eligibility.

Closing conditions should include a condition requiring that the target's FCL remain in good standing through the closing date, that no DCSA determination adverse to the target has been issued, and (where FOCI is anticipated) that DCSA has accepted the proposed FOCI mitigation instrument or issued a temporary determination adequate to permit classified contract performance after closing. The parties must negotiate what happens if these conditions cannot be satisfied by the outside closing date, including whether the closing date can be extended, whether the buyer can terminate without penalty, and whether there are reduced-price provisions if the clearance situation deteriorates before closing.

Pre-closing covenants should require the target to operate its security program in the ordinary course, to notify DCSA of the pending change of ownership in the required manner and timeframe, to cooperate with DCSA's review, and to refrain from taking any action that would impair the FCL or trigger a DCSA adverse action. The seller's obligation to cooperate with the DCSA review process is particularly important because the target's management, FSO, and legal counsel are the parties with direct relationships with DCSA and are best positioned to manage the DCSA engagement.

Indemnification provisions should address losses arising from clearance failures that had their root cause in pre-closing conduct or pre-closing conditions that were not disclosed. The survival period for clearance-related representations should be long enough to capture losses that manifest after closing as a result of pre-closing conduct, which in the DCSA context may not become apparent until DCSA completes a post-closing review or audit. Clearance-related indemnification caps and baskets should reflect the potential magnitude of losses from a classified contract portfolio that cannot be performed during a clearance gap.

Transition Planning and Ongoing NISPOM Compliance

Post-closing transition planning for a cleared contractor acquisition must address the integration of two distinct security management infrastructures. The acquired entity's security program, procedures, systems, and personnel must be reviewed against the buyer's own security requirements and any new requirements imposed by the FOCI mitigation instrument, and a transition plan must be developed that maintains continuous compliance with NISPOM requirements throughout the integration period.

The FSO function is critical to post-closing transition. The target's FSO may or may not remain with the acquired entity, and the acquiring entity must ensure that a qualified FSO is designated and registered with DCSA before or immediately after closing. DCSA requires that the FSO be trained and knowledgeable about the NISPOM requirements and that the FSO have direct reporting access to the cleared entity's senior management. A gap in FSO coverage after closing creates a compliance risk that DCSA may treat as a reportable security deficiency.

If a FOCI mitigation instrument is in place, the ongoing obligations of the instrument must be incorporated into the acquired entity's governance calendar and management practices. SSAs require regular GSC meetings, annual reports to DCSA, and prompt notification of any changes in KMP, ownership structure, or classified contract portfolio. Proxy Agreements and Voting Trusts require the proxy holders or trustees to exercise their responsibilities independently of the foreign owner and to report regularly to DCSA on the contractor's security posture.

NISPOM compliance is not a one-time closing requirement. It is an ongoing obligation that must be managed as part of the acquired entity's regular operations. DCSA conducts periodic security vulnerability assessments at cleared contractor facilities, during which it reviews compliance with physical security, personnel security, and information system security requirements. Post-closing integration decisions, including changes to facility layouts, IT systems, organizational structures, and third-party subcontracting arrangements, must each be evaluated against NISPOM requirements before implementation.

Frequently Asked Questions