FOCI Mitigation

Foreign Ownership Control and Influence (FOCI) Mitigation

Under FOCI, defense contractors adhere to FOCI mitigations to demonstrate NISPOM compliance. FOCI mitigation includes establishing committees, directors, agreements and more. We have experience facilitating and implementing these FOCI mitigations.

Let us manage your FOCI mitigation. We have experience solving tough and interesting FOCI problems. Here’s what we can do:

  • Interpret and implement DCSA requirements
  • Manage your Government Security Council
  • Facilitate the following mitigation plans:
    • Special Security Agreement (SSA)
    • Security Control Agreement (SCA)
    • Voting Trust (VT)
    • Proxy Agreement (PA)
  • Write and inspect effectiveness of:
    • Special Security Agreements or Security Control Agreement
    • Technology Control Plan
    • Affiliate Operation Plan
    • Quality Management Plan
  • Serve as Outside Director and Chair Government Security Council

Outside Director Appointment

FOCI mitigations are tough to implement. Even tougher is appointing an Outside Director as part of the mitigation agreements.

We are capable of serving in an Outside Director capacity.

Companies under Foreign Ownership Control and Influence (FOCI) may be required to appoint an Outside Director to the board of directors. This applies to companies falling under a Security Control Agreement (SCA) or Special Security Agreement (SSA).

In either case, the Outside Director is an independent member who focuses on the best interest of national security.

Where required, the number of Outside Directors should equal or exceed the number of Inside Directors for an SCA and must exceed the number of Inside Directors for an SSA.

If you need assistance with fulfilling this requirement, please contact us to see if we are a good fit. Here are the additional qualifications:

  • U.S. citizen
  • Ensure that the foreign owner/entity can be effectively insulated from the company.
  • Disinterested individual capable of exercising decision-making capability.

Responsibilities include:

  • Enforce the FOCI Agreement in place.
  • Ensure the Facility Security Officer, directors, and employees comply with the Mitigation Agreement.
  • Attend the quarterly Board and GSC meetings.
  • Emplace a Technology Control Plan (TCP), Electronic Communications Plan (ECP), and Visitation Procedures.
  • Ensure there are no Affiliated Services being provided that have not been approved in advance.
  • Maintain oversight to ensure all Affiliated Services, FLPs, TCPs, ECPs, and Visitation Procedures are fully implemented and effectively mitigate the FOCI.

Export Compliance

It’s not enough to be NIST or CMMC compliant or certify information systems for processing export controlled information found in ITAR and CUI requirements. Contractors are still required to identify, mark, document and protect the information that resides on the controlled systems.

That’s our expertise. We have years of experience writing and executing tailored programs that our clients implement to identify and control ITAR information.

  • Conduct required risk-based self-inspections
  • Develop and conduct required training
  • Export Controlled
  • Technology Controls
  • Identify, mark and document sensitive information
  • Define basic / applied research

Protecting Research and Development

NSPM-33

There is an increasing need to protect U.S.-funded scientific research from undue foreign influence, including exploitation of the open university research environment and intellectual property theft.

We could assist in a few ways:

  • Develop a program
  • Execute the program
  • Provide training for those who work the program
  • Write policies and procedures

The benefit is that universities would confidently perform government research and do so in a way that foreign students can participate and government information will be protected.

Proposal Specific Protection Plan (PSPP)

SBIRs, BAAs and other efforts require a Proposal Specific Protection Plan (PSPP) as part of a response; no plan, no award. We are experienced in writing protection plans across the DoD and their defense contractors.

Work with us to get your PSPP prepared for submission and fine-tuned once awarded.

The following five sections are required to address these requirements, and provide an iterative record of risk management over the program’s lifecycle:

  • Introduction, Updates, and Responsible Points of Contact (POCs)
  • Technology Element Identification and Impact Assessment
  • Identified Threats and Vulnerabilities
  • Countermeasures and Risk Mitigation Plan
  • Response, Recovery, and Support

Contact us at jb@thriveanalysis.com

Our specialty is our capability to interpret requirements and how they should be implemented for your unique situation. We apply program protection, write and tailor processes, procedures and policies so that they will fit within the constraints of your enterprise.

Your enterprise is made up of many moving parts and business units, but none should stand alone. We believe each requirement should be part of the corporate body and not a stovepiped solution. We conduct analyses for entity-wide application so that burdens and opportunities are shared:

  • Corporate Policy
  • Program Protection Planning
  • Supply Chain Risk Management
  • Criticality Analysis
  • OPSEC Analysis
  • Security Classification Guidance
  • NISPOM Compliance

Program Protection Planning

Supply Chain Risk Management (SCRM)

Criticality Analyses

NISPOM Compliance

Processes and Procedures

Cyber-SCRM