National Security Alert: Considerations for FOCI-Mitigated Companies: Leveraging ERP Systems

Summary: Many global corporate groups deploy Enterprise Resource Planning (ERP) systems to manage the business operations of their subsidiaries and business lines, improve efficiencies and reduce costs. Foreign-owned US companies holding facility security clearances and operating under foreign ownership, control or influence (FOCI) mitigation arrangements face national-security policy challenges in participating in their group’s ERP systems. ERP issues most frequently arise in the context of cleared companies with majority FOCI operating under Special Security Agreements (SSA) or Proxy Agreements, though ERP can also be relevant to companies operating under Security Control Agreements and (although not frequently used) Voting Trust Agreements. The US Department of Defense’s Defense Security Service (DSS) generally prohibits standard information technology (IT) connections between such FOCI-mitigated companies and their non-mitigated parents and affiliates (Affiliates). Nonetheless, in certain cases—and subject to additional security measures—DSS has permitted FOCI-mitigated companies to participate in corporate group ERP systems. This alert discusses key issues related to a FOCI-mitigated company’s involvement with its corporate group’s ERP systems, as well as measures that can be implemented to maximize the chances of such arrangements being approved.