Agenda
Day 1
September 29, 2025
Registration and Continental Breakfast
Pre-Conference Primer
An Updated, Practical Guide to ECMPs and QMPs: Practical Implementation Best-Practices to Ensure Compliance
Part 1: Quality Management Plans (QMP): The focus of the QMP is speak to the policies and procedures a company is selling into the Defense Industrial Base (DIB) and how their products and or services contain materials which come from outside of the US. The areas of concern involve, but are not limited to the following areas of foreign sources materials:
- Source code
- Software
- Hardware
- R&D
Part II: Electronic Communications Monitoring Plan (ECMP): Simplifying and Baselining the Electronic Communications Monitoring Plan (ECMP)
An Electronic Communications Monitoring Plan (ECMP) may be required by DCSA for those companies who are operating under a Board Resolution (BR) or Special Board Resolution (SBR) to mitigated lower-level thresholds of for Foreign Ownership, Control, or Influence (FOCI). For companies operating under a BR or SBR for their FOCI mitigation the ECMP is a crucial document for companies working with the Department of Defense to demonstrate the effective review, mitigation and auditing procedures being utilized to ensure secure communication and preventing unauthorized access to sensitive information by a foreign investor(s). This strategy session will provide practical implementation best-practices to ensure the associated risks of electronic communications with lower-level FOCI concerns is effectively mitigated.
- Teleconference and Video Teleconference requirements
- Email review thresholds and processes
- Monitoring configuration changes and defining which ECMP changes require prior approval by DCSA
- Instant messaging and texting: Monitoring procedures
- Social networking, web-based email, file sharing, collaboration tools
- Training senior leadership and employees around the purpose of the ECMP and their responsibilities under the plan
Close of Pre-Conference Primer
Main Conference
Co-Chairs’ Opening Remarks
INTERVIEW
Current DCSA Expectations: The 5-Year Strategic Plan for 2025-2030 and 3 Tactical Priorities
Navigating Proposed 847 Revisions: Creating Processes and Protocols for Expanded Reporting Requirements
The Defense Counterintelligence and Security Agency (DCSA) FOCI evaluation which previously, was only required for contractors and subcontractors that are performing classified work, has expanded to all contractors that hold certain contracts more than $5 million. There are several factors that companies should consider with the proposed implementation of the DoD’s new FOCI reporting requirements applicable to non-classified contracts.
- Understanding commercial product or commercial service determination made by the contracting officer in accordance with FAR 2.101 and question requests about beneficial ownership when that determination has been made
- With its expanded FOCI review, when will DCSA create new templates that are tailored to mitigating FOCI unrelated to classified contracts
- Determining which FOCI companies, non-FOCI companies, public trust contracts and third-party contractors are subject to increased scrutiny
- Anticipating DCSA’s expectations and guidance
- Analyzing the need for an Electronic Communication Monitoring Plan, or a Quality Management Plan, or an export license
- Monitoring international suppliers and evaluating supply chain security and resiliency
Networking Break
Mitigation Strategies: How DCSA is Now Expanding its Scope and Increasing Requirements for Special Board Resolutions
- Analyzing how DSCA is now reviewing Board Resolutions, how requirements are changing and which types of companies are now affected
- Examining the requirements for a Board Resolution, and when the foreign entity does not own voting stock enough to elect a representative to the company’s governing board
- How to handle a cleared subsidiary when the parent company has a small-percentage of foreign ownership
- Determining which tools are (and aren’t) necessary in a mitigation, such as proxies, board resolutions and company service arrangements
- Addressing when an investor has a right to a board seat, but is not exercising their right, and documenting it for DCSA
Back by popular demand! Delegates are invited to break out into smaller group discussion tables to trade experiences and lessons learned for confronting the challenges of maintaining security standards amid a remote and hybrid workforce. Facilitators will guide the conversation to identify the latest best practices. Delegates are encouraged to choose their preferred table topic, and to move between tables during the discussion.
Table One: CUI How to Prepare for DCSA Assessments-Documentation, policies and preparation procedures
Table Two: ECPs and TCPs-The latest on how systems are protected, including firewalls, system architecture and passwords
Table Three: TBD
Close of Day One
Day 2
September 30, 2025
Registration and Continental Breakfast
Co-Chairs’ Opening Remark
Parent Company Perspectives: How Investors and FOCI Mitigated Partners Successfully Operate Under FOCI Mitigation Arrangements
- Implications of the FOCI mitigation arrangement in relation to the cleared subsidiary’s business operations
- Parent/affiliate relationships with Outside Directors or Proxy Holders and cleared subsidiary C-suite
- Balancing group business goals/strategy/procedures versus FOCI mitigation requirements
The Increasing Overlap of CFIUS and DCSA Jurisdictions: Special Considerations for Filing, Reviewing and Transaction Due Diligence
- Examining new forms, commitment notices, and processes for both CFIUS and DCSA
- How does CFIUS involvement affect DCSA timelines
- Assessing the key provisions of the recent CFIUS reform (FIRRMA)
- Understanding how FOCI blends into the CFIUS review process, and the risks of undue transaction delays
- Identifying and addressing FOCI issues during due diligence and in transaction documents
- Analyzing the effects that FIRRMA has on companies at varying points in the FOCI mitigation and CFIUS approval processes
- Developing a strategy for managing the FOCI and CFIUS processes in tandem
- Best practices for coordinating with government, transaction parties, and outside counsel
Networking Break
The Evolving Role of General Counsel in FOCI-Mitigated Companies: First-Hand Insights into the Bigger Picture of FOCI Mitigation
- The relationship between DCSA and the company, and dos and don’ts of working with DCSA
- CFIUS LOA FOCI Agreement, with controls, restrictions, audits, and penalties
- Becoming FOCI proficient and detecting and handling FOCI concerns in the initial stages
- Implementing a FOCI mitigation agreement with fewer resources
- Budgeting and the business impact of FOCI mitigation on possible delays to company operations
- Utilizing legal counsel and FSO expertise vs. when to hire a consultant
AI DEMO AND CASE STUDY
How AI is Being Leveraged for FOCI Risk Mitigation: A Real-World Example TBD
Networking Luncheon
Simplifying and Baselining Your Affiliated Operation Plan (AOP): Practical Takeaways for Mitigating and Managing Affiliated Operations
- Best practices and pitfalls to avoid when drafting and submitting an AOP, including:
- Describing services: Who is providing the affiliated operation, to whom, and the costs and benefits
- Implementing services: How will affiliated operations be implemented and are they mandatory?
- Technology: What is being utilized, who has ownership, types of information being shared, and frequency of interaction
- What to ask your security committees
- How companies can manage the financial burden
- Customizing your AOP
- Key strategies for mitigating and managing affiliated operations
- Effective tactics for handling and reducing risks in affiliated operations
- DCSA compliance and enhanced efficiency
- Developing internal steps to ensure you are properly mitigating potential risks, including:
- Review of services: internal steps to ensure compliance with mitigating procedures, and how the FSO and Technology Control Officer (TCO) can work together to ensure compliance
Perspectives from Outside Directors and Proxy Holders: How Outside Directors Are Now Approaching Their Roles to Meet DCSA Expectations
- Discussing what qualifications or criteria make for a good outside director and proxy holder
- How to meet government expectations and annual reporting standards
- Meeting expectations for site visits and how DCSA now supervises compliance
- How to support your FSO in ascertaining priorities
- Knowing when your company is a target for a security threat
- How (and how not) to address compliance concerns and issues as they arise
Networking Break
- Paraphrasing information that is passed to affiliates about classified contracts
- Establishing networking and IT requirements and how to separate the network CUI from affiliate companies
- Determining who has access when a global company has different subsidiaries
- Ensuring continuous auditing and compliance
- Examining who has access to what when employees have dual citizenship
- Reviewing the requirements when your classified documents are off site
The Nuanced Role of the National Interest Determination (NID): How Companies are Now Structuring and Implementing Mitigation Agreements and Addressing Expected (and Unexpected) Challenges
- Determining when a NID’s required
- What is a NID?
- When is it required: Accessing classified information under a US Government contract
- Procedures For obtaining a NID
- Initiating the NID through a Government Contracting Activity (GCA)
- Coordinating with DCSA NID requests from contracting officers, program managers, etc.
- Getting entities controlling the classified information to participate in the decision making
- Defining the procedures around who makes the decision based on the information to be shared
- Determining if the NID covers a program, a project or be contracts specific
- Understanding that a NID is not the tool for disclosing classified information to a foreign government but to a US Government contractor
- Going over step by step the procedural path
- Working with your GCA to put a complete package together
- What does a package require?
- How to prepare an effective package