Download this commentary (PDF)
Foreign investment and acquisition in U.S. firms involved in critical technologies, critical infrastructure, and sensitive data represent an ongoing threat to U.S. national security. To address these concerns, the interagency Committee on Foreign Investment in the United States (CFIUS) conducts case-by-case adjudication of foreign investments in U.S. firms to evaluate if a transaction will be harmful to U.S. national security. The number of declarations filed seems to be increasing in the last several years. For example, 19 declarations were filed in 2018, according to CFIUS’s 2021 Annual Report to Congress. However, filings increased 763 percent between 2018 and 2021. This commentary reviews the role CFIUS plays in reviewing potential threats from foreign investment, and recent developments, such as changes in its authority, that have led to this surge in filings. As technology advances and national security concerns increase, modernization of CFIUS’s jurisdiction and review processes is essential for strengthening U.S. national security and keeping pace with technological innovation.
Creation and Members
Executive Order 11858, “Foreign Investment in the United States,” created CFIUS in 1975 to evaluate the impact of foreign investments and advise the president on these transactions. The directive also authorized the Committee to coordinate the implementation of foreign investment policies. CFIUS is chaired by the Secretary of the Treasury and includes 16 members from federal departments and agencies that assist in the CFIUS review process. On an ad-hoc basis, CFIUS involves other federal agencies in their reviews, such as the Departments of Transportation and Agriculture and the Nuclear Regulatory Commission, to evaluate the national security effects within its jurisdiction—i.e., covered transactions. A covered transaction is defined as a proposed or pending transaction, such as a merger, acquisition, joint venture, lease, or other investment, that could result in control of a U.S. business by a foreign person, entity, or government.
Figure 1 Author's Illustration, based on CFIUS Overview
Steps toward Modernization
In 1975, when CFIUS was established, national security primarily focused on physical and environmental security. However, through the digital revolution and technological advancements, national security now involves protecting critical technologies, critical infrastructure, and sensitive data. Thus, as foreign adversaries pose new national security threats, Congress and the executive branch have taken actions to reform CFIUS over the years (see Figure 2). Recent actions, such as the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and Executive Order (EO) 14083, have expanded CFIUS’s jurisdiction and scope to evaluate the impacts of foreign investment and acquisition of U.S. firms more adequately.
More specifically, Congress enacted FIRRMA to address foreign exploitation of investment concerns that have traditionally fallen outside of CFIUS’s jurisdiction. FIRRMA, enacted in August 2018 and effective February 2020, was created to modernize CFIUS’s review processes, increase effectiveness, and increase the length of covered transaction reviews. Moreover, FIRRMA expanded the scope of CFIUS jurisdiction by more broadly defining a covered transaction. Formerly, a covered transaction was one that may result in foreign control of a U.S. business. Under FIRRMA, certain non-controlling transactions and real estate transactions are also within scope. FIRRMA also extended the review period from 30 to 45 days, with an allowance for a 15-day extension in extraordinary circumstances; authorized special hiring authority and funding; and increased requirements on the use of mitigation agreements (see Figure 3).
Figure 2 Author illustration, CFIUS Regulatory Timeline
Figure 3 Author’s Illustration, based on Summary of FIRRMA 2018
Prior to the enactment of FIRRMA, CFIUS was last updated over 30 years ago when the Exon-Florio Amendment created Section 721 of the Defense Production Act of 1950, which is the statutory foundation of CFIUS. President Biden’s EO 14083, “Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United State,” is the latest addition to CFIUS guidelines, and also seeks to modernize CFIUS. President Biden’s 2022 directive “does not change CFIUS’s processes or legal jurisdiction,” but rather directs the Committee to consider five factors to safeguard national security. These factors include the following:
- “A given transaction’s effect on the resilience of critical U.S. supply chains that may have national security implications, including those outside of the defense industrial base.”
- “A given transaction’s effect on U.S. technological leadership in areas affecting U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies.”
- “Industry investment trends that may have consequences for a given transaction’s impact on U.S. national security.”
- “Cybersecurity risks that threaten to impair national security.”
- “Risks to U.S. persons’ sensitive data.”
Current CFIUS Process
The CFIUS filing process is mainly voluntary. Parties can submit a declaration that notifies CFIUS of a covered transaction to receive a Safe Harbor letter, which limits CFIUS from initiating an additional review of a transaction, unless there are extenuating circumstances. However, in some cases, filing a declaration is mandatory, when a foreign government seeks to acquire a “substantial interest” in “TID businesses.” TID is an abbreviation for technology, infrastructure, and data. Under FIRRMA, a TID Business is defined as any U.S. Business that: 1) produces, designs, tests, manufactures, fabricates, or develops one more critical technologies; performs functions that deal with critical infrastructure; and maintains or collects sensitive personal data of U.S. Citizens. CFIUS’s expanded scope coupled with the inclusion of TID business have led to an increase in requests for CFIUS review (see Figure 4).
Figure 4 Author’s Illustration, based on 2021 CFIUS Report
There are three key periods in the review process. First, during the Notice Review Period, which can last 45 days, CFIUS staff disseminates the notice to all CFIUS agencies after all requirements are met. Next, in the Notice Investigation Period, CFIUS can initiate a subsequent investigation, which must be completed within 45 days. Third, CFIUS can refer a transaction to the president for a decision in the Presidential Review Period, and the president is required to announce a decision within 15 days. Figure 5 outlines the complete CFIUS review process.
Figure 5: Author’s illustration based on CFIUS Process
As technology advances and national security concerns evolve, existing policies will need to be restructured to efficiently address new challenges. Recent actions to improve CFIUS’s review processes and jurisdiction will help the United States address ongoing national security concerns, while keeping pace with technological innovation.