Continuing Increase in U.S. Regulation of Foreign Direct Investment

Impacts of Encryption Regulation and Strategic Competition Act on CFIUS

The last two years have seen the passage and expedited implementation of the Foreign Investment Risk Review Modernization Act (FIRRMA) – arguably the largest change in U.S. regulation of foreign investment since the 1975 creation of the Committee on Foreign Investment in the U.S. (CFIUS).

Significant changes to U.S. Foreign Direct Investment (FDI) related laws and regulations continue. Recent changes by the U.S. Department of Commerce, Bureau of Industry & Security (BIS) should remove open source and mass market encryption as “emerging” technologies subject to CFIUS review under FIRRMA. Conversely, the Strategic Competition Act of 2021 (“SCA”), passed by the Senate and headed to the House, will expand CFIUS coverage to U.S. universities, colleges, and research institutes.

A March 29, 2021 BIS amendment to the Export Administration Regulations (EAR) will eliminate most reporting requirements related to open source encryption software and certain mass market encryption items. The amendments modify several Export Control Classification Numbers (ECCNs) in CCL Categories related to encryption, namely Categories 0-3, 5 (Part 2), 6, and 9. The collateral effect of these changes will be to likely remove such items from the scope of CFIUS review under Part 801, as no longer being an “emerging” technology. It will also reduce the export control requirements on businesses wishing to export such technologies.

If passed into law, the SCA will have the opposite effect and will increase the scope of coverage and authority of CFIUS over certain U.S. universities, colleges, and research institutes.

As background for these changes, CFIUS was historically limited to technologies, industries and infrastructure directly involving national security. It was also a voluntary filing. FIRRMA expanded CFIUS to cover U.S. businesses involved with emerging technologies, critical infrastructure, or sensitive personal data — referred to as “Technology, Infrastructure and Data” or simply “TID.”

FIRRMA requires that a U.S. business engaged in emerging technologies be analyzed to determine whether a particular transaction will trigger a CFIUS declaration. More specifically, FIRRMA Part 801 dictates the application of CFIUS based on whether U.S. export licenses would be required to export, reexport, or transfer critical technologies produced, designed, tested, manufactured, fabricated, or developed in the U.S. As a result, TID diligence became an integral part of any FDI transaction following the passage of FIRMMA.

FIRRMA Section 800.401 requires an analysis to determine if an investor is a “foreign investor,” based principally on the following criteria:

  • Foreign control transaction investors are those that can directly control the covered U.S. business, or a change in rights of foreign investors where such change can result in a control transaction or a covered investment.
  • Foreign covered investment investors are those that directly acquire an equity interest in the covered U.S. business and that obtain access to any “material nonpublic technical information;” membership, participation, or nomination rights to the board of directors or equivalent governing body; and/or “involvement” or participation in “substantive decision making” regarding the use, development, manufacture, supply, acquisition, storage or release of TID.

If the SCA passes the House and is signed into law, it would expand the jurisdiction of CFIUS to include “institutions of higher education” if they receive $1 million or more in funding or contracts from a foreign person or entity, 1) which relates to research, development, or production of critical technologies, and provides the foreign person potential access to any material nonpublic technical information in the possession of the institution; or 2) is a restricted or conditional gift or contract that establishes control as defined by the Higher Education Act of 1965.

The SCA defines ‘institution of higher education’ as any institution, public or private in any State that 1) is legally authorized to provide education beyond secondary school, 2)  awards a bachelors or advanced degree, and 3) is accredited by a nationally recognized accrediting agency or association; and obtains Federal financial assistance, or receives support from Federal financial assistance. The definition will necessarily cover most U.S. colleges, universities, and research institutes.

The implications of the recent BIS encryption changes and proposed  Strategic Competition Act evidence the need to remain up-to-date on changing FDI requirements for mergers, acquisitions, and changes in foreign ownership, control or influence, and to timely file any resulting FDI disclosures.


Expansion of Premisis Liability for Construction OwnersA property owner is generally liable for hazards on the property that injure others. On construction projects, this presents a significant risk for owners because there are always multiple hazards present, and the owner, generally, has very little control or knowledge of all the work being performed. Chapter 95 of the Texas Civil Practice and Remedies Code alleviates some of this risk by limiting a commercial property owner’s liability for personal injury claims by contractors and subcontractors under specific circumstances. The Texas Supreme Court’s recent decision in Los Compadres Pescadores, L.L.C. v. Juan G. Valdez and Alfredo Teran expands the applicability of Chapter 95 for the benefit of owners.

Chapter 95 requires an injured contractor or subcontractor to prove the owner had control over the work and actual knowledge of the hazardous condition causing the injury. This is a greater burden than under Texas common law, which imposes liability on a property owner who “reasonably should have known” of a condition or danger. However, Chapter 95 is limited in scope and only applies to claims that “arise from the condition or use of an improvement to real property where the contractor or subcontractor constructs, repairs, renovates, or modifies the improvement.”

The purpose of Chapter 95 is to shift risk back to the contractor for hazards that would normally be encountered during its work unless the owner exercises control and has knowledge of the hazard. However, Texas courts have grappled with determining the scope of Chapter 95 over the years. The Texas Supreme Court previously held the contractor’s injury must result “from a condition or use of the same improvement on which the contractor (or its employee) is working when the injury occurs.” Courts then had difficulty determining the breadth of the term “improvement.” One court held Chapter 95 did not apply to a repairman who was injured when he fell through a roof while working on an air conditioner unit because the roof was not part of the air conditioner (i.e., the “improvement”) on which the repairman was hired to work. In another case, Chapter 95 applied to a contractor hired to repair a furnace in a petrochemical plant even though he was injured when a valve burst in a different furnace nearby. Even though there were separate furnaces, the court stated that they were all connected as part of a single process system within the plant and, as such, were part of the same improvement.

In Los Compadres Pescadores, the Texas Supreme Court provided further clarification to Chapter 95’s application. In that case, the owner was building a condominium in South Padre Island. The owner hired a contractor to construct the pilings for the foundation. The pilings were drilled and pumped full of concrete using a crane. The contractor would then insert 20’ pieces of rebar into the pilings. The contractor notified the owner that there was a high-voltage powerline running about 20’ above the property line. The owner told the contractor that the line could not be de-energized or moved and instructed the contractor to finish the work. While working on a piling about 10’ from the powerline, the plaintiffs were electrocuted when the rebar they were installing touched the powerline.

The court first sought to define the “improvement” in this situation. The court rejected the owner’s argument that the entire condominium project was the improvement because “a workplace may include several different improvements, and each improvement may possess numerous conditions.” While the pilings were part of the foundation, which was in turn part of the condominium building, the court held that the “improvement” in this case should be defined narrowly to just the pilings, since that is all the contractor was hired to perform.

Under prior decisions, since the powerline was not part of the pilings (i.e., the “improvement”) Chapter 95 should not have been applicable. But the court expanded the scope of Chapter 95 in this case by focusing on whether the powerline could be a “condition… of an improvement.” If the dangerous condition “creates a probability of harm” due to its proximity to the improvement, then it is a “condition of the improvement” for purposes of Chapter 95. The court noted that if the building were on a large tract and the powerline were hundreds of yards away, then it wouldn’t be a “condition” of the pilings. Since it was nearby, its proximity made it a condition of the work being done such that Chapter 95 would apply.

The decision in Los Compadres Pescadores provides some clarification and gives courts the flexibility to apply Chapter 95 as it was intended. It certainly broadens the current scope of Chapter 95 to limit an owner’s liability for hazards that are likely to be encountered by the contractor. Even so, owners in Texas must still be aware that they could face liability despite the limitation in Chapter 95 if they exert control over the work being performed.

NISPOM Codified as Regulation; JPAS Retiring SoonIf your business holds a U.S. security clearance — or is in the process of applying for one — take note of two big changes at the Defense Counterintelligence and Security Agency (DCSA). First, after more than 25 years, the National Industrial Security Program Operating Manual (NISPOM) is now being codified in the Code of Federal Regulations. Second, DCSA is replacing the Joint Personnel Adjudications System (JPAS) with the new Defense Information Security System (DISS).

NISPOM is now effective as a codified regulation.

In January 1995 — pursuant to Executive Order 12829 (Jan. 6, 1993) — the National Industrial Security Program (NISP) published the information-security manual that has guided the defense industry for the last quarter century. The NISPOM establishes standard procedures for securing classified information. With ever-increasing focus by the Department of Defense (DoD) on hardening the information security of its supply chain, the NISPOM has now been fully codified as a regulation.

A Final Rule codifying the NISPOM at 32 C.F.R. Part 117 took effect on February 24, 2021. Contractors must come into compliance by August 24, 2021. An upcoming Industrial Security Letter (ISL) will provide guidance on the Final Rule’s implementation.

The NISPOM outlines protections for classified information that is either disclosed to or developed by contractors, licensees, grantees, and certificate holders. The goal, of course, is to prevent unauthorized disclosure. Some of the key changes to the NISPOM, accompanying its codification, are:

  • Reporting requirements – Cleared contractors must submit reports under Security Executive Agent Directive (SEAD) 3 and cognizant security agency (CSA) guidance.
  • Limited facility clearance – Two new types of limited facility clearance (FCL) are available: limited entity eligibility for both (1) FOCI entities and (2) non-FOCI entities.
  • NIDs – National Interest Determinations (NIDs) are not required for certain covered contractors operating under a Special Security Agreement (SSA) —those with ownership in countries of the National Technology and Industrial Base (NTIB) (United Kingdom, Canada or Australia).
  • Top secret accountability – A CSA may make specific determinations on requirements for top secret accountability.
  • IDSs – An Occupational Safety and Health Administration (OSHA) Nationally Recognized Testing Laboratory (NRTL) may certify intrusion detection systems as meeting UL-2050 standards.
  • Safeguards – Cleared contractors should look to 32 C.F.R. Part 2001 for guidance on protecting classified national security information (CNSI).
  • SMOs – The Final Rule clarifies the responsibilities of a Senior Management Official (SMO).
  • Retention – On completion of a classified contract, contractors must return all government-provided or government-deliverable information to the custody of the government.

The DCSA is currently reviewing existing ISLs to determine those that will be retained, re-issued, and/or rescinded. DCSA will revise some NISP-related forms, including the SF-328 (Certificate Pertaining to Foreign Interests); DD Form 441 (Security Agreement); and DD Form 441-1 (Security Agreement Appendage).

JPAS retires on March 31, 2021.

JPAS is being replaced by the Defense Information Security System (DISS). This move is part of the new National Background Investigation Services (NBIS) system. DISS also implements the Trusted Workforce 2.0 continuous vetting policy. JPAS transitioned to a read-only mode on March 15, 2021, and will be fully retired on March 31, 2021.

Check back for here for updates.

These are both significant changes. Cleared contractors should work with their SMO, DCSA representative, and counsel to gain an understanding of and to achieve compliance with the requirements of NISPOM and DISS. We expect that DCSA will soon supplement these changes with additional guidance. We will continue to keep you updated.