The Special Security


Nov 20, 2013


CATC All Hands

December 8,

Solid partners.

Flexible solutions

The Special Security Agreement (“SSA”)

Purpose, Governance Structure and Implementing Procedures


National Industrial Security Program (NISP) Guidance


policy: Allow foreign investment consistent with national
security interests

Company determined to be under FOCI is ineligible for FCL absent
security measures to negate or mitigate FOCI

“FOCI policy . . . is intended to facilitate foreign investment by ensuring
that foreign firms cannot undermine U.S. security and export controls to
gain unauthorized access to critical technology, classified information,
and special classes of classified information.”


reserves right and has obligation to impose any security
method, safeguard, or restriction it believes necessary to
ensure that . . .

Unauthorized access to classified information is effectively precluded
(including ability to leverage others who have access)

Performance of classified contracts is not adversely affected


NISP Description of the Special Security Agreement (SSA)

SSA is one of the potential FOCI mitigation measures. The others include a Board Resolution, Security Control Agreement, Voting Trust Agreement and Proxy Agreement.

The SSA imposes various industrial security and export control measures within an institutionalized set of company practices and procedures

Preserves foreign owner’s right to be represented on the Board of
Directors. The foreign owner’s member is called an INSIDE


Direct voice in business management of the company

While denying unauthorized access to classified
and unclassified, export

NISP limitations on SSA

Provides for GSC: active involvement in security matters by Senior Management and Outside Directors (Inside Director cannot be member).

No access to proscribed information absent determination that release to company will not harm national security (NID)

Additional company practices and procedures


SSA Governance Structure

A legal entity

the business of which is
managed by a Board of

or equivalent Management Group or Committee.

Board composition

Three Outside Directors (Two with DSS exception). Shareholders elect the members of Board of Directors.

At least 1 Inside Director; at least 1 Officer Director

Number of Inside Directors shall not equal or exceed the combined total
number of Outside Directors and Officer Directors

Chairman shall not be Inside Director

Actions by majority vote

1 Inside Director and 1 Outside Director necessary for quorum.

Proxy by an Outside Director can only be given to another Outside Director.

Contains no tie breaking language.


Directors have normal fiduciary duties of a director: care, loyalty,
business judgment, disclosure, confidentiality, risk and compliance


Certain actions require prior approval from the Parent

Parent may remove members of Board only in accordance with procedures
set forth in SSA


Government Security Committee (GSC)

Responsible for ensuring the requirements of the NISPOM and export procedures are followed; ensure the protection of classified and unclassified export controlled

Composition: all Outside Directors and cleared Officer Directors

Specific GSC duties

Ensure Company maintains policies and procedures to safeguard the
classified and controlled information in its possession

Electronic communications

Contacts and visits

Ensure Company complies with . . .


Security Agreement


Appropriate contract provisions regarding security

U.S. export laws



Government Security Committee (GSC)

Specific GSC duties (continued)

Oversee activities of Facility Security Officer (FSO) and Technology Control Officer (TCO)

Monitor administrative services being provided by Parent/Affiliates

Ensure Company does not receive administrative services without DSS approval. DSS usually approves the following shared services:

Insurance benefits

Retirement plans

HR services but usually insists cleared company independently selects employees without undue influence and control by foreign owners

Payroll services but pay is by cleared company.

Outside Directors ensure administrative services do not allow the Parent or
Affiliates to control or influence the management or business of the
Company in violation of the SSA

Each member of GSC must exercise best efforts to . . .

Ensure all provisions of SSA are carried out

Ensure Company’s officers, directors and employees comply with SSA

Advise DSS of any known violation of, or attempt to violate, any provision of
the SSA, appropriate contract provisions regarding security, export control
laws or NISP


Foreign Owner

Parent commits by resolution to . . .

Exclude themselves and Affiliates from access to protected info

Grant the Company independence to safeguard protected info

Refrain from taking any action to control or influence the performance of the Company’s classified contracts or its participation in classified


Institutionalized Set of Company Practices and Procedures

Except for routine business visits, all visits must be approved in advance by one of the Outside Directors

Routine business visits

Made in connection with regular day-to-day business operations

Do not involve classified or controlled unclassified information

Pertain only to the commercial aspects of the business

Certain categories of routine business visits are identified in SSA and
implementing procedures. GSC may add “specific categories” and alter

with DSS approval

Electronic communications
. “All Electronic Communications between
Cleared company

and representatives and the parent and its
affiliates (collectively
referred to as the
must be monitored and

Email: Usually “captured” by software; sampled and reviewed by FSO/GSC. Often establish a firewall to “stop” e-mails or “provide” copy to Outside Director(s) for review and sometimes to actually “release”

Phone calls: logged (contact reports) and reviewed by FSO/GSC

Fax: collected and reviewed by FSO/GSC


Initial and ongoing training of personnel

certify as to understanding and
commitment to comply

Parent/Affiliate: also need procedures, training and commitment to comply


Institutionalized Set of Company Practices and Procedures

Inside Directors

Inside Directors not subject to the visitation restrictions, which apply to
other representatives of the Affiliates.

No Outside Director review/approval required for visits by Inside Directors.

Not subject to visit controls if on-site to attend Board meeting (no entry into controlled areas)

However, must be escorted at all times while on

if not a U.S. citizen (???)

Emails, calls, etc. to/from Inside Director must be monitored and recorded as with other Parent/Affiliate personnel

Foreign owner’s voice in management must be exercised through participation on Board of Directors. Inside Director has equal vote to other

Board is principal forum for foreign owner’s input regarding business. Inside Director must not take on the role of an “officer”, “consultant” or “employee” of cleared company.

Input should be consistent with normal Director activity

generally, it is inappropriate for Inside Director to seek to direct day-to-day business affairs of

Inside Director may have additional input

consistent with Visitation Policy and


Institutionalized Set of Company Practices and Procedures

Senior officials and Non-Routine Visits

Recent SSAs usually indicate that visits by Officer(s) and Director(s) are not to be treated as “routine business”.

Most authorities agree that a visit with an Officer or Director of a Parent or Affiliate cannot be characterized as a Routine Visit regardless of whether the purpose of such a visit corresponds to one of the categories of routine

All companies that I am familiar with have visits between cleared company and the Affiliates processed as non-routine and approved by an Outside


The Electronic Communications Plan (ECP)

is submitted to and
by DSS. Enter into E
* All employees, consultants or representatives of the cleared company are briefed on and annually re-briefed on the ECP. Such personnel sign an acknowledgment that they received a briefing, understand the briefing and will comply. I recommend you give them a copy of the ECP and during self-inspections check to determine if they have a soft or hard copy readily available.

Other companies post the ECP, TCP and Operating Agreement
(SOP) on their web site with other “policies” and “procedures”.


The 2012 DSS FOCI Branch FOCI Statistics

Provided by Steve

from the DSS FOCI Branch.

FY 2012, DSS has conducted 8,575 security vulnerability assessments.

299 of which were FOCI

398 of which were FOCI non

FOCI Signatory Compliance Breakdown:

63.9% rated Satisfactory

19.1% rated Commendable

16.1% rated Superior

1.0% rated Marginal or Unsatisfactory

Signatory Compliance Breakdown:

37.7% rated Satisfactory

32.4% rated Commendable

28.9% rated Superior

1.0% rated Marginal or Unsatisfactory


The 2012 DSS FOCI Branch FOCI Statistics (non

FY 2012, DSS has conducted 8,575 security vulnerability assessments.

7,844 of which were non-FOCI facilities

FOCI Compliance Breakdown:

78.2% rated Satisfactory

14.9% rated Commendable

6.5% rated Superior

0.4% rated Marginal or Unsatisfactory