Understanding FOCI in Government Contracting:

Regulatory Framework

The primary regulatory body overseeing FOCI issues is the Defense Counterintelligence and Security Agency (DCSA), which operates under the Department of Defense (DoD). The National Industrial Security Program Operating Manual (NISPOM) provides detailed guidance on managing FOCI concerns. Key regulations include:

- NISPOM (which replaced the DoD 5220.22-M): Establishes procedures for safeguarding classified information and outlines FOCI mitigation measures.

- Federal Acquisition Regulation (FAR): Contains clauses that require contractors to disclose FOCI-related information and comply with security requirements.

Mitigation Measures

To mitigate FOCI risks, companies may need to implement specific measures to insulate their operations from foreign influence. These measures include:

Board Resolution: A formal commitment by the company's board to comply with U.S. security requirements.

Security Control Agreement (SCA): Limits foreign owners' ability to influence the management or policies of the company.

Special Security Agreement (SSA): Allows foreign ownership but includes robust oversight and control mechanisms to ensure that national security is not compromised.

Voting Trust Agreement (VTA): Transfers voting rights to U.S. citizens approved by the DCSA, ensuring that foreign owners cannot influence company decisions.

Proxy Agreement (PA): Similar to VTA, but more stringent, often used when the foreign entity has significant control over the company.

Compliance and Monitoring

Once a mitigation plan is approved, the company must comply with ongoing monitoring and reporting requirements to ensure continued adherence to FOCI regulations. This includes regular audits, reporting any changes in ownership or control, and allowing government inspections.

Consequences of Non-Compliance

Failure to comply with FOCI regulations can lead to severe consequences, including:

Revocation of Facility Security Clearance (FCL): Without an FCL, a company cannot access classified information or bid on classified contracts.

Contract Termination: Existing contracts may be terminated, and the company may be disqualified from future contracts.

Legal Penalties: Potential fines and other legal actions for violating national security regulations.

Conclusion

FOCI is a vital consideration in government contracting, especially for contracts involving classified information and national security. Companies must understand and navigate the complexities of FOCI regulations to ensure compliance and protect sensitive information from foreign threats. By implementing appropriate mitigation measures and maintaining rigorous compliance, companies can safeguard their operations and contribute to national security.

Government FOCI Resources

Read more about the NISPOM here.

See what the FAR says about FOCI here.

DPA Title III - Authorities and Priority Areas:

The Defense Production Act (DPA) Title III program plays a vital role in supporting national defense by ensuring the availability of critical domestic industrial capabilities. The program operates under several key authorities and priority areas to achieve its mission.

Authorities:

1. Loan Guarantees (§301 - 50 U.S.C. 4531):

• Extended when credit is not available under reasonable terms to the loan applicant.
• The applicant's prospective earning power and the security pledged to provide a reasonable assurance of repayment.

1. Loans (§302 - 50 U.S.C. 4532):

• Offered when private financing is beyond the commercial market's risk threshold.
• Projected earnings post-loan must be sufficient to cover repayment costs.

1. Sustain Critical Production:

• Purchase Commitments (§303 - 50 U.S.C. 4533): Creates a guaranteed demand to reduce industry investment risks.
• Purchases (§303 - 50 U.S.C. 4533): Provides direct subsidies for production capabilities, including equipment installation, engineering support, and process validation.

Priority Areas:

1. Commercialize Research and Development Efforts:

• Aims to create, maintain, protect, expand, or restore essential domestic industrial capabilities for national defense.
• Focuses on transitioning government-sponsored research to commercial applications and vice versa.

1. Scale Emerging Technologies:

• Promotes the increased use of emerging technologies in security programs.
• Supports the rapid transition of these technologies to enhance national defense capabilities.

The DPA Title III program ensures the U.S. maintains a robust industrial base, ready to meet the demands of national defense through strategic investments and support mechanisms.

For more information, visit OUSD A&S - Industrial Base Policy (businessdefense.gov)

My Network is Secure! Now What?

Under the current cybersecurity model, the NIST SP 800-171, firms are allowed to conduct a self-assessment on their System Security Plan. The total or best score any firm can get would be 110 points, meaning all applicable requirements have been met and are recorded. Any controls that have been implemented will not result in points deducted, any control that is yet to be implemented will be a subtraction of allowed points, and any that are not applicable do not have an effect on the assessment total. Each control has a different amount of points that it corresponds to.

Here is a self-assessment guide with the instructions starting on page 12 - https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf.

Under the CMMC 2.0 model, some firms will still be allowed to continue self-assessments, but some will be required to be assessed by a Certified Third-Party Assessment Organization (or C3PAO). The difference will depend on the type on contract those firms are pursuing. If the contract opportunity is determined to have information critical to national security included, those firms will need to have a completed C3PAO assessment conducted and the results recorded by the time of award.

A list of accredited Assessment Organizations can be found here - https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending.

If a firm happens to be working on the highest priority contracts, a government-led assessment will be required (but this is a rare case).

When you have determined what kind of assessment you need and you have the results ready, there are two key areas that you need to know in order to take the next steps. One of which is the Supplier Performance Risk System (SPRS) and the other is the Enterprise Mission Assurance Support System (eMASS). For self-assessments, these scores will be uploaded into the SPRS system. For certified assessments, these scores will be uploaded into the eMASS system.

Here is a fact sheet about the new eMASS portal - https://disa.mil/~/media/Files/DISA/Fact-Sheets/eMASS.pdf.

Historically Underutilized Business Zone (HUBZone) Certification:

Looking back, many of us would say the best decade to live through is usually not the current one we live in. For many of the older generations they would say the anytime from 1920-1960 were the golden years. But they would be wrong. My fellow Millennials and Generation Z would have to say it was the 1990s. The world was less chaotic or at least not as heavily recorded and broadcasted. It was a time when the government was working hard to correct the past and the present concerns of many of its citizens. In the 1970s – 1980s, once China and other under-developed countries were being open to the American Business, people flushed those markets with manufacturing and technology jobs. Which caused a lot of places in the United States to become economically destitute. To combat this President Clinton signed it office the HUBZone Act of 1997.

           The Small Business Administration’s (SBA) HUBZone program provides federal contracting preferences to small businesses located in areas designated by the SBA. Known as HUB Zones, SBA designates these areas based on Census data that indicate levels of high poverty, high unemployment, or low income, or if they are in qualified disaster areas, on Indian reservations, at some closed military installations, or in governor-designated places that meet certain criteria.

           The criterion for this certification is as follows:

1.      meet the SBA’s small business size standards.

2.      be at least 51% owned and controlled by U.S. citizens, a community development corporation, an agricultural cooperative, or an Indian tribe (including Alaska Native Corporations and Native Hawaiian Organizations);

3.     maintain a principal office in a HUBZone, where principal office is defined as the location where the greatest number of the firm’s employees at any one location perform their work.

4.     Have at least 35% of its employees reside in a HUBZone; and

5.     Certify that it will “attempt to maintain” having at least 35% of its employees reside in a HUBZone during the performance of any HUBZone contract

(“attempt to maintain” is defined at 13 C.F.R. §126.103, which describes the requirements for firms to document their maintenance efforts and specifies that firms with “less than 20% of [their] total employees residing in a HUBZone during the performance of a HUBZone contract [have] failed to attempt to maintain the HUBZone residency requirement.”)

The program benefits also make it similar to having the Service Disable Veteran Owned Small Business Certification. The government limits competition for certain contracts to businesses in historically underutilized business zones. It also gives preferential consideration to those businesses in full and open competition.

Joining the HUBZone program makes your business eligible to compete for the program’s set-aside contracts. HUBZone-certified businesses also get a 10% price evaluation preference in full and open contract competitions.

HUBZone-certified businesses can still compete for contract awards under other socio-economic programs they qualify for.

Below are some helpful links regarding the process:

https://www.sba.gov/federal-contracting/contracting-assistance-programs/hubzone-program

https://crsreports.congress.gov/product/pdf/IF/IF12428/2#:~:text=105%2D135%2C%20the%20HUBZone%20Act,%2Dveteran%20owned%20small%20businesses

https://maps.certify.sba.gov/hubzone/map#center=44.722800,-103.249700&zoom=4

https://www.sba.gov/sites/default/files/2024-04/hubzone-app-top-tips-508.pdf

https://www.youtube.com/watch?v=Uge4Z5Z6dFA



https://www.youtube.com/watch?v=tTmxH2yelkI

Understanding the SBIR Timeline:

Let's say you have an idea or invention that could really revolutionize the market. But don't really have the funding or means to get off from paper into practice. This is where SBIR (Small Business Innovation Research) plays a pivotal role in bringing funding to innovative new technologies to market. Today we will provide a simplified overview of the steps necessary to apply.

First and foremost, individuals interested in SBIR would need to check their eligibility. The criteria necessary to be eligible for a SBIR grant are as follows you must be a small business with no more than 500 employees. The business must be organized for profit and must be within the US, and contributing to the US economy via taxes products, material or labor.

After you have to find a need or SBIR solicitation that matches your innovation from a participating organization.

You will submit a pitch that describes the innovation you are targeting, the technical objectives and challenges, the market opportunities as well as the company involved with the intended process. This process takes about a month to respond. It's at this point where the majority of the organizational registrations take place, with Sam.gov, Research.gov, and the SBIR company registry through the SBA.

If your pitch is accepted, then you will be invited to submit a full proposal that will outline the technical merit and feasibility of the study, scaling potential, as well as marketability. This will be a peer reviewed process from experts in the field that leads into Phase 1 or fast tracked into a Phase 2 for more commercially viable products. The timeline for this can last from1 to 2 months.

If accepted into the Phase 1, Concept Design, you will be awarded a grant for up to $150,000 to perform the initial study for a period of 6 months. If successful (having shown potential for commercialization), then it one can apply into Phase 2, Prototype Development, for under $1,000,000. This phase lasts about 24 months. This of course would rely heavily on the performance, functionality of the product, and overall performance of the company. The company would have to submit another proposal consisting of a technical narrative, financial and administrative capability review. 

This is a rather simplified version of the overall process, but it outlines the necessary steps involved with participating in SBIR. There are plenty of opportunities for companies interested and willing to be able to bring new technologies to market.

Helpful links -

https://seedfund.nsf.gov/apply/get-started/

https://www.research.gov/research-web/

If you need further information, CTAPEX can assist you with getting the necessary resources.