FOCI Action Planning & Implementation

A company operating under FOCI mitigation agreements (Voting Trust Agreement, Proxy Agreement, Special Security Agreement and Security Control Agreement) may be required to develop additional procedures to ensure their FOCI is effectively mitigated.

Affiliated Operations Plan (AOP) are required by FOCI-mitigated companies when they enter into operational relationships with their affiliates.

Business functions or teaming arrangement with affiliates of a FOCI mitigated company are not authorized. When a company desires to engage in such arrangements with any affiliate the services must be approved by the GSC and DCSA in advance or as set forth in your FOCI Mitigation Agreement. Relationships with the Affiliates requiring advance approval include:

  1. Affiliated Services;

  2. Shared Third-Party Services;

  3. Shared Persons; and

  4. Cooperative Commercial Arrangements.

Instances when DCSA identifies an affiliated service occurring without approval may negatively impact a company's Security Rating. DCSA developed a template Affiliated Operations Plan (AOP) to assist Industry in requesting DCSA review potential FOCI Affiliated Services.

For companies in process for a FOCI Mitigation Agreement, an AOP must be submitted from the Senior Management Official to their DCSA Industrial Security Representative. Each service within the AOP must address:

  1. Description of the service, to include:

    • which entity will provide the service;

    • which entity is paying for the service;

    • how the shared service benefits the entities;

    • specific sub-categories of services;

    • procedures associated with providing the service;

    • technology to be utilized, including shared software, information systems and applications;

    • whether the technology described above is classified or export-controlled; types of information to be exchanged through the service;

    • include any supporting documentation such as examples, screenshots, network configuration diagrams or sample reports as attachments
       

  2. Associated Risks and Mitigation Procedures; and
     

  3. Compliance review procedures and documentation.

Companies operating under a FOCI Mitigation Agreement who plan to request affiliated services must have an AOP approved by DCSA in advance of deployment of the service. The Government Security Committee is responsible for submitting an AOP to DCSA through your Industrial Security Representative.

Companies with previously approved Administrative Services Agreements (ASA) are not required to submit a new AOP. However, any substantive changes made to existing ASAs will require resubmission of an AOP for DCSA review and approval, comprised of requested services and any previously approved services.

All AOPs should be submitted to the FOCI Operations Division via the DCSA.quantico.DCSA-hq.mbx.foci-hq@mail.mil mailbox. Please include in the subject line the company name, CAGE code, and AOP Submission.
 

Affiliated Operations Plan Template Navigating the Affiliated Operations Plan: A Guide for Industry (05/11/2016)

A Technology Control Plan (TCP) is a facility specific requirement for FOCI-mitigated companies outlining how they will provide physical protection to classified and export-controlled information.

A TCP approved by DCSA shall be developed and implemented by those companies cleared under a Voting Trust Agreement, Proxy Agreement, Special Security Agreement, or Security Control Agreement. DCSA may also require a TCP be developed in other situations in its sole discretion.

The TCP shall prescribe all security measures determined necessary to reasonably foreclose the possibility of unauthorized access to classified or export controlled information by non-U.S. citizen employees or visitors, or affiliates, as defined by the FOCI mitigation agreement. The TCP shall also establish measures to assure that access by non-U.S. citizens and the foreign affiliates is strictly limited to only the information for which appropriate Federal Government disclosure authorization has been obtained.

A TCP is required in cases where there are foreign board members or in cases where additional security measures are required to protect national security interests.

Sample Technology Control Plan

An Electronic Communications Plan (ECP) is a requirement for FOCI-mitigated companies to ensure effective oversight by the Government Security Committee of electronic communications and networks between the cleared company and its Affiliates.

An ECP is required for Security Control Agreements, Special Security Agreements, Proxy Agreements, and Voting Trusts. Within the ECP the Government Security Committee (GSC) establishes written policies and procedures assuring electronic communications between the FOCI Company and its subsidiaries and the Affiliates do not disclose classified information or export controlled information without proper authorization. The ECP also ensures that the Affiliates cannot exert influence or control over the FOCI Company's business or management in a manner that could adversely affect the performance of classified contracts.

A completed ECP consistent with the DCSA Template ECP must be submitted to DCSA within 45 days of the execution of the mitigation agreement. Failure to submit this document within the requisite 45 days may negatively impact a FOCI company's Facility Security Clearance (FCL).

DCSA released an updated ECP template for use by facilities under foreign ownership, control or influence (FOCI) mitigation. DCSA has updated the ECP Template based on an internal review of the document; feedback from Outside Directors/Proxy Holders; and feedback from Industry. This version replaces the previous ECP template released on 6/28/10.

ECP Summary of Changes:

  • Clarification on Teleconference and Video Teleconference requirements (See sections 1, 17.1, and 17.3 of the ECP Template).

  • Monitoring configuration changes and defining which ECP changes require prior approval by DCSA (See section 8.1 and the addition of attachment 4 "ECP Revision Log").

  • Export Control Procedures (Section 16). The addition of the sentence: "If a third-party provider is administering the Company's network, please describe the Company's procedures in place to ensure that export control violations do not occur with respect to the third-party provider's administration of the Company's network."

  • Attachment 3 - The User Acknowledgement language has been revised to reflect that employees must be briefed on the purpose of the ECP and their responsibilities under the plan.

All ECPs should be submitted to the FOCI Operations Division via the DCSA.quantico.DCSA-hq.mbx.foci-hq@mail.mil mailbox. Please include in the subject line the company name, CAGE code, and ECP Submission.

Removal of Phone Log Requirement Memo
Electronic Communications Plan Template
Electronic Communications Plan Sample

A Visitation Plan is a requirement for FOCI-mitigated companies to ensure visitation with the Affiliates are controlled as required by the FOCI mitigation agreement.

FOCI Mitigation Agreements (SCA, SSA, Proxy, and VT) establish requirements for visitation between the FOCI Company and their Affiliates. Any deviations from the requirements in the FOCI mitigation agreements must be approved prior to implementation by DCSA.

Many SSAs and Proxy Agreements require seven (7) days of advance notice for Outside Director or Proxy Holder visit approvals unless precluded by unforeseen exigencies. DCSA requires advance approval of visits; however, defers to the Government Security Committee (GSC) to determine the appropriate advance notice required. Once the GSC has determined the suitable advance notice period for visit requests it must be formalized in writing to DCSA. Furthermore, DCSA defers to the GSC on what constitutes an unforeseen exigency, so long as visits are reviewed and approved after the event.

A Facilities Location Plan (FLP) is required when a FOCI-mitigated company is located within the proximity of an Affiliate that would reasonably inhibit the cleared company's ability to comply with the FOCI agreement.

For FOCI mitigation purposes, collocation is a concern when a FOCI-mitigated company is located within the proximity of an affiliate, as defined within the FOCI mitigation agreement, which would reasonably inhibit the company's ability to comply with the FOCI agreement. Such scenarios may include being in the same building, campus, or adjoined buildings with an Affiliate.

FOCI collocation is not authorized, and DCSA will determine when a company is collocated in its sole discretion. When a company is located within close proximity to its foreign parent or an affiliate a Facilities Location Plan (FLP) must be approved by DCSA in advance. Instances when DCSA identifies a FOCI collocation without an approved FLP or previously approved DCSA Collocation Plan may negatively impact the Security Rating. DCSA developed a template FLP to assist Industry in requesting DCSA review potential FOCI collocations.

For companies in process for a FOCI Mitigation Agreement, who are located closely with an Affiliate, a Facilities Location Plan must be submitted from the Senior Management Official to their DCSA Industrial Security Representative.

Companies operating under a FOCI Mitigation Agreement, who plan to relocate to an area within close proximity to an Affiliate, must have a FLP approved by DCSA in advance of relocation. The Government Security Committee is responsible for submitting a FLP to DCSA.

Companies with previously approved Collocation Plans by DCSA are not required to submit a new FLP. However, any substantive changes made to existing Collocation Plans will require resubmission of a FLP for DCSA review and approval.

All FLPs should be submitted to the FOCI Operations Division via the DCSA.quantico.DCSA-hq.mbx.foci-hq@mail.mil mailbox. Please include in the subject line the company name, CAGE code, and FLP Submission. 

Download the Facilities Location Plan Template