Most cleared companies operating under formal agreements to mitigate or negate foreign ownership, control or influence ("FOCI") are familiar with the Affiliated Operations Plan ("AOP") or its predecessor, the Administrative Services Agreement ("ASA"). These plans allow cleared companies and their affiliates operating outside the agreement to share services that would otherwise be prohibited.

Prior to 2013, cleared companies submitted draft ASAs to the Defense Security Service ("DSS") (or other Cognizant Security Agencies) for approval of shared services, such as payroll processing, health insurance, 401K administration, certain human resources functions, and even legal services. In practice, ASAs were as varied as the companies that implemented them.

In 2013, hoping to bring uniformity to ASAs, DSS required new requests for shared services to be made in the form of an AOP.[1] The AOP template requires advance DSS approval for shared (1) administrative services, (2) third-party services,[2] (3) employees, and (4) cooperative commercial arrangements[3] ("CCAs").

Since the announcement of the AOP policy in 2013, however, there have been several important changes to the review and approval process for AOPs, and the AOP template itself has changed in response to contractor and DSS concerns. Companies operating under FOCI mitigation or negation agreements are well advised to take a hard look at these changes.

AOP Changes

In recent mitigation agreements, DSS has modified the approval process for both CCAs and third-party services.[4] Recently approved agreements now permit CCA approval by the company's Government Security Committee ("GSC"), requiring only notice to DSS. Although CCAs must still be identified in AOP updates to DSS, the new policy greatly streamlines the approval process. Also, current policy permits the GSC to approve third-party services (again with notice to DSS) if the GSC determines that the service (a) presents no conflicts of interest and (b) will not adversely affect the company's ability to comply with its FOCI mitigation or negation agreement. In all cases, however, DSS retains the unilateral right to require the GSC to rescind its approval. Nevertheless, companies that anticipate changes in CCAs or third-party services – or that merely want added flexibility to make such changes in the future – should seek DSS approval to amend older agreements to allow the GSC (acting alone) to sign off on CCAs and third-party services.

AOP Review

In a recent meeting of the FOCI Working Group (a private sector advisory group largely composed of Facility Security Officers and other security professionals), a senior DSS representative noted that DSS may view the following issues as "red flags" in security vulnerability assessments:

  1. sharing services or operations that require advance DSS approval – before DSS approval is obtained; and
  2. failing to implement an approved AOP according to its terms (e.g., failure to abide by risk mitigation procedures during annual shareholder audits).

Mistakes happen. Over time, bad habits may become engrained, key staff can change, and the terms and conditions that were important to approval of a shared service may be forgotten. Red flags, however, may prevent a company from securing "enhancement points" in security vulnerability assessments. Without enhancement points, a company will not receive a security rating higher than "Satisfactory."

Vulnerability assessments rarely find perfection – and when "Satisfactory" becomes the best rating possible, a DSS review that identifies multiple vulnerabilities could jeopardize a company's clearance. Therefore, it is important to review intercompany agreements periodically against the AOP or ASA to ensure that:

  1. the agreement is consistent with the approved AOP or ASA; and
  2. the company is in compliance with the terms and conditions that attach to the AOP or ASA.

Failure to abide by the terms of an AOP or ASA not only can result in lower security ratings, but also can threaten the company's continued participation in a shared service or CCA. Either event can result in significant costs, put future government contracts at risk, and hurt a company's bidding position for new work.

Footnotes

[1] DSS clarified that companies with current ASAs do not need to switch to AOPs unless they propose new services or other changes to their current ASAs.

[2] "[A] professional service (such as accounting, legal, tax, information technology, or business consulting) where the Company has a reasonable expectation that the service will be provided to both a member of the Affiliates and the Mitigated Group by the same service provider." DSS Affiliated Operations Plan Template.

[3] "[T]he exchange of a valuable product or service through an Arm's Length Transaction whether by contract, subcontract, or joint research, development, marketing or other type of teaming arrangement between any of the Mitigated Group and any of the Affiliates." DSS Affiliated Operations Plan Template. For example, subcontracts issued by the cleared company to an affiliate in support of an unclassified prime contract.

[4] See Defense Security Service. (2014, February). Outside Director and Proxy Holder Training: Module 2: Managing Foreign Ownership, Control, or Influence (FOCI) Mitigation. Retrieved from http://www.dss.mil/documents/isp/OD_PH_Training_Module_2.pdf.
