Foreign Ownership, Control, and Influence (FOCI):

Why it Matters for Government Contractors in 2024

In 2024, the globalized landscape of the defense and national security sectors raises crucial questions about who holds the reins of government contractors. This is where Foreign Ownership, Control, and Influence (FOCI) takes center stage. Understanding FOCI is essential for ensuring national security, protecting sensitive information, and maintaining trustworthy partnerships in the perpetually-evolving landscape of government contracting.

What is the basis of FOCI?

FOCI refers to the potential influence that foreign individuals or entities may have on a government contractor, even if they don't own the majority shares. This influence can be direct, through ownership or investment, or indirect, through contractual agreements or personal relationships.

Why does FOCI matter in 2024?

• Increased reliance on international expertise: Modern technology and defense systems often involve collaboration with global partners. This brings valuable expertise but also necessitates careful vigilance towards potential FOCI risks.
• Evolving cyber threats: The growing sophistication of cyber attacks emphasizes the need for robust security measures across government contractors. Identifying and mitigating FOCI vulnerabilities helps shield sensitive information from malicious actors.
• Geopolitical complexities: The international political climate necessitates strategic partnerships with foreign entities while keeping national security interests paramount. Understanding FOCI risks enables informed decisions about collaboration with specific contractors.

The Consequences of Ignoring FOCI:

• Compromised classified information: Unmitigated FOCI risks can expose classified information and sensitive technologies to unauthorized access, potentially crippling national security initiatives.
• Economic sabotage: Foreign influence can be exploited to manipulate supply chains, disrupt critical infrastructure, and inflict economic damage.
• Eroding public trust: Lack of transparency in FOCI management can create public distrust and raise concerns about accountability within government contracts.

Addressing FOCI in 2024:

• Enhanced screening and monitoring: Implementing robust FOCI mitigation strategies involving thorough background checks, ongoing monitoring, and contractual safeguards is crucial.
• Clear guidelines and communication: Establishing transparent, well-defined FOCI protocols for government agencies and contractors fosters trust and facilitates informed decision-making.
• International collaboration: Sharing FOCI best practices and fostering global cooperation on cyber security and technology transfer minimizes vulnerabilities and strengthens collective defense.

Conclusion:

In today's interconnected world, navigating the complexities of FOCI is vital for responsible government contracting. By proactively addressing FOCI risks, we can safeguard national security, build trustworthy partnerships, and ensure sustainable success in the face of evolving global challenges. Remember, FOCI is not about isolation but about responsible engagement with foreign expertise, prioritizing national security interests in every step of the way.

Learn more: https://www.dcsa.mil/Industrial-Security/Entity-Vetting-Facility-Clearances-FOCI/Foreign-Ownership-Control-or-Influence/

Strengthening America's Microelectronics:

Defense Production Act Title III Presidential Determination

In a significant move to bolster the nation's defense capabilities and enhance economic competitiveness, President Joe Biden recently signed a crucial Presidential Determination (PD) authorizing the use of the Defense Production Act (DPA) Title III. The focus is on supporting the domestic Printed Circuit Boards (PrCB) and Advanced Packaging industrial base, key components in electronics vital to national defense, the economy, environment, energy, and healthcare management sectors.

This PD empowers the Department of Defense (DoD) to leverage DPA Title III authorities, facilitating strategic investments in advanced microelectronics capacity. The aim is to ensure the production of cutting-edge integrated circuits within the United States. This initiative aligns with President Biden's Executive Order 14017 on "America's Supply Chains," emphasizing the imperative to fortify the domestic PrCB and Advanced Packaging industrial base.

The PD allows the DoD's Office of Defense Production Act Investments (DPAI), part of the Office of the Under Secretary of Defense for Acquisition & Sustainment (A&S), to utilize DPA Title III incentives.

This PD represents a crucial step toward securing America's U, fostering innovation, and reinforcing the nation's industrial and defense capabilities.

For assistance with locating DPA Title III opportunities, contact your CT APEX Counselor.

Learn more: Executive Order on America's Supply Chains | The White House

& Federal Register :: America's Supply Chains

Newly Proposed Rule – CMMC 2.0:

The long-awaited update on CMMC rulemaking was finally released by the Department of Defense on December 26, 2023. Here is the summary of what to expect going forward:

CMMC Level 1

For CMMC Level 1, contractors and subcontractors are already required to implement the 15 security requirements currently required by the FAR clause 52.204–21.

The rule for CMMC adds a requirement for contractors and subcontractors to complete a self-assessment to confirm that all applicable security requirements outlined in FAR clause 52.204–21 have been implemented. This self-assessment must be performed annually, and the results must be entered electronically in the Supplier Performance Risk System (SPRS).

Additionally, a senior official from the prime contractor and any subcontractors will be required to report compliance every year. Affirmations are entered electronically in SPRS.

CMMC Level 2

For CMMC Level 2, contractors and subcontractors are already required to implement the 110 security requirements currently required by the DFARS clause 252.204–7012 (per the current NIST SP 800–171 model).

At Level 2, CMMC adds a requirement for contractors and subcontractors to complete a self-assessment to confirm that security requirements outlined in NIST SP 800–171 have been implemented. Depending on the DoD contract, contractors will need to complete either a CMMC Level 2 Self-Assessment or a CMMC Level 2 Certification Assessment. Contractors are allowed to have a Plan of Action and Milestones (POA&M) for requirements that are not yet implemented, but the POA&M must be closed out within 180 days of the assessment. This self-assessment will be good for a 3-year time period and the results must be entered electronically in SPRS. If a certified third-party assessment organization (C3PAO) is required, the third-party will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), that will electronically transmit the assessment results into SPRS.

Again, a senior official from the prime contractor and any subcontractors will be required to report compliance after every assessment, including POA&M closeout, and then every year afterwards. Affirmations are entered electronically in SPRS.

CMMC Level 3

For CMMC Level 3, when CMMC becomes a final rule, contractors and subcontractors will be required to implement the 24 selected security requirements from NIST SP 800–172. CMMC Level 2 is a prerequisite for CMMC Level 3.

At Level 3, CMMC adds a requirement for contractors and subcontractors to verify through DoD assessment and receive certification that all applicable CMMC Level 3 security requirements from NIST SP 800–172 have been implemented. Under limited circumstances, contractors are allowed to have a POA&M that must be closed out within 180 days of the assessment. The final certification will be good for a 3-year time period. The DoD assessor will enter the assessment information electronically into the eMASS, that will electronically transmit the assessment results into SPRS.

And again, a senior official from the prime contractor and any subcontractors will be required to report compliance after every assessment, including POA&M closeout, and then every year afterwards. Affirmations are entered electronically in SPRS.

For questions or concerns related to cybersecurity or the maturity models, please reach out to your CT APEX counselor for assistance.

Referenced FAR/DFARS clauses: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.

&

https://www.acquisition.gov/far/52.204-21

New rule details: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

Jonathan Hart studied at Western Connecticut State University and graduated with his BBA in Management. He also holds an AAS in Intelligence Operations. He has a diverse background, including work as a procurement agent for a Food Manufacturer and has experience with sales, data entry, logistics, intelligence analysis, Foreign Relations, International business, and Apparatus Maintenance. He currently serves in the Army Reserves as a Sergeant and is a Volunteer Firefighter with the rank of Lieutenant. Jonathan will passionately advocates for Veteran and First Responder owned businesses.

Andres David Calvache is a bilingual Ecuadorian native and recent CT resident. Andres's 6-year career in procurement has equipped him with a comprehensive understanding of strategic sourcing, contract negotiation, and supplier management. Andres has demonstrated a keen eye for identifying potential cost efficiencies and implementing innovative procurement strategies. His dedication to excellence and his proactive approach to problem-solving have set him apart as a reliable and resourceful professional. Andres's involvement with CT APEX Accelerators reflects his strong belief in the potential of local businesses and entrepreneurs to drive economic growth and innovation.