US: CFIUS Review

This is an Insight article, written by a selected partner as part of GCR's co-published content.

United States: national security review

The national security review process in the United States – often referred to as the Exon–Florio or CFIUS1 review process, after the relevant authorising statute and enforcement agency, respectively – has existed for decades. It originally focused, at least in practice, on the acquisition by foreign companies of US businesses directly or indirectly supplying the US Department of Defense, but especially after the 9/11 terrorist attacks, the concept of national security – and therefore the types of transactions subject to review under the regime – was broadened by statute and in practice. Today, the national security review process can be an important part of many transactions, even though it remains voluntary. Examples of industries in which notifications under the regime have been submitted include computers, network security, cyber systems, energy (development and transport), semiconductors, aerospace, telecommunications, optics, robotics, mining and natural resources, plastics and rubber, automotive, financial services, coatings and adhesives, chemicals and steel.

The CFIUS review process has also become more time-consuming and intensive, as exemplified by the extensive investigations more regularly being undertaken by CFIUS. For example, about the same number of transactions were subjected to an in-depth investigation in 2008 and 2009 as had been for nearly all of the previous two decades (ie, from 1988, when the relevant statute was enacted, to 2007). Between 2010 and 2012, there were 106 filings per year on average, of which approximately 38 per cent were subject to in-depth investigations. This compares to the previous three-year period between 2007 and 2009 when, on average, about 15 per cent of notified transactions were subject to in-depth investigations.

Although submitting a transaction to CFIUS for a national security review is voluntary, the risk of not submitting a voluntary notification and obtaining a no-action letter can be substantial because of the risk of remedial action being taken. Furthermore, a filing ensures that government security clearances or licences issued under other federal regulations that are tied to the national security review process are not jeopardised. It may further insulate parties to a transaction from public and political criticism of a decision not to notify a particularly sensitive transaction. Consequently, it is advisable to consider the national security implications of cross-border transactions and to draft appropriate provisions in transaction documents to address, among other things, conditions to closing, cooperation and risk sharing.

Typically, fewer than 200 transactions are subject to the US national security review process each year,2 and only two transactions have ever been subjected to a Presidential Order to be unwound since the relevant statute was adopted in 1988.3 One of those Presidential Orders was issued in 2012, when President Obama ordered Ralls Corporation (Ralls), owned by Chinese nationals, to divest interests it had acquired in certain wind farms operating near naval facilities in Oregon. Yet several transactions have garnered significant publicity as a result of US government opposition on national security grounds and have been subjected to delay, restructuring or abandonment, including approximately 10 transactions abandoned in 2012. For example, Canadian Procon Mining & Tunnelling, indirectly controlled by China National Machinery Industry Corporation, abandoned its minority and financing investment in another Canadian company, Lincoln Mining Corporation, as a result of CFIUS opposition. Lincoln held interests in gold mines in Nevada and California in the United States.4

What is the regulation and who administers it?

The US national security review process is conducted pursuant to the Exon–Florio Amendment to the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007 (FINSA) (the Act).5 The Act grants the President the authority to review any transaction by a foreign person or persons that could result in control over a US business (ie, a ‘covered transaction’) and to suspend or prohibit that transaction if it threatens to impair the national security of the United States.

CFIUS is charged with conducting the national security review on behalf of the President pursuant to the Act and, as appropriate, making a recommendation regarding Presidential action. CFIUS is an inter-agency committee consisting of, as chair, the Secretary of the Treasury and, as members, the Secretaries of Commerce, State, Defense, Homeland Security and Energy, as well as the Attorney General, the United States Trade Representative, and the Director of the Office of Science and Technology Policy. The Secretary of Labor and the Director of National Intelligence serve as ex officio members. Other executive branch representatives observe and, as appropriate, participate in the Committee’s activities, including the Chairman of the Council of Economic Advisors, the Director of the Office of Management and Budget, the Assistant to the President for National Security Affairs, the Assistant to the President for Economic Policy, and the Assistant to the President for Homeland Security and Counterterrorism.6

In practice, CFIUS operates through its official senior-level members and, more frequently, through staff representatives from each of the CFIUS member agencies, although FINSA now requires that only certain specified senior-level members take certain decisions. The Committee reaches decisions by consensus, but any member may seek to have a transaction subjected to in-depth review.

What is national security?

The Act does not define ‘national security’, but requires CFIUS to consider the following factors:

  • domestic production needed for projected national defence requirements;
  • the capability and capacity of domestic industries to meet national defence requirements, including the availability of human resources, products, technology, materials and other supplies and services;
  • the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security;
  • the potential effects of the proposed or pending transaction on sales of military goods, equipment or technology to any country:
    • identified by the Secretary of State as a country that supports terrorism, is a country ‘of concern’ regarding missile proliferation or the proliferation of chemical and biological weapons, or is listed on the Nuclear Non-Proliferation Special Country List; or
    • that poses a potential regional military threat to the interests of the US;
  • the potential effects of the proposed or pending transaction on US international technological leadership in areas affecting US national security; and
  • the potential for national security-related effects from the acquisition of US critical technologies and infrastructure, including energy.

Critical technologies are defined by reference to a number of export control regulations, including, among others, the International Traffic in Arms Regulation and the Export Administration Regulation.

Critical infrastructure is defined as those systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.

What is a covered transaction?

The Act applies to any ‘covered transaction’ (ie, a transaction by or with any foreign person that could result in control of a US business by a foreign person).7 Each of these terms is further defined in the regulations.

A ‘transaction’ includes mergers, acquisitions or takeovers, and can include the acquisition of an ownership interest, the conversion of convertible voting instruments and the formation of a joint venture.

The concept of control is broader than in the US antitrust context because it is based on function rather than structure. Control turns on the ability to determine, direct or decide matters affecting an entity, and the regulations specifically recognise dominant minority control.8 In practice, CFIUS interprets control very broadly.

Foreign persons include any foreign national, foreign government or foreign entity, or any entity over which control is exercised or exercisable by a foreign national, foreign government or foreign entity.

A US business is one engaged in interstate commerce in the United States and is therefore not limited to businesses incorporated in the United States. Accordingly, the Act may be implicated when a foreign entity acquires another foreign entity and indirectly acquires its US subsidiary.

What information is required in a filing?

The notification must include substantial information regarding the nature of the transaction, the nature of the business to be acquired and the identity of the foreign acquiring person. The specific information that must be included is outlined in the regulations.9 With respect to the US business to be acquired, CFIUS requires information about, among other things, its US government contracts, clearances and licences. With respect to the foreign acquiring person, information must be provided regarding its ownership structure, and certain personal identifier information must be provided about its board of directors and executive management to permit background checks to be conducted by the US government.

What is the review period?

The official review process begins with the submission of a voluntary notification by the parties (or on self-initiation by CFIUS). However, the regulations recommend that the parties notify CFIUS at least five business days in advance of formally filing a notification. The regulations do not require the parties to submit a draft notification during the pre-notification period, but because CFIUS has the discretion to reject a notification as incomplete (thereby delaying the start of the review period), parties may want to do so.

In practice, CFIUS requires the notification to be submitted jointly (when the transaction is not hostile), and no filing fee is required. Receipt of a properly prepared notice triggers an initial 30-day review of the notified transaction.

By the end of the 30-day period, CFIUS must decide whether to clear the transaction if it perceives no potential threat to national security or to initiate a more comprehensive 45-day investigation.

During either the 30-day or the 45-day period, CFIUS can request additional information and, under some circumstances, stop the review clock as a result. Furthermore, CFIUS may decide during either the 30-day or the 45-day period to issue a no-action letter or to require the parties to enter into a mitigation agreement to resolve any potential national security concerns. Alternatively, at the end of a 45-day investigation, CFIUS may refer the matter to the President. The President then has 15 days to take any action.

If a transaction is by a foreign government-controlled entity or involves critical infrastructure of or within the United States and could impair US national security if the threat has not been mitigated, the Act requires that a 45-day investigation be undertaken (unless waived by the relevant CFIUS member agencies).

Although 45-day investigations historically have been infrequent, they have recently become more common as previously noted.

What are the powers of the authorities to prohibit or otherwise interfere with a transaction?

The Committee has the authority to review a covered transaction and to impose mitigation measures to address any national security concerns, although in practice such measures typically are negotiated. Mitigation measures may be imposed only after CFIUS has identified a specific threat to US national security and determined that a mitigation measure is reasonably necessary to address that threat. Nonetheless, CFIUS has broad authority to develop mitigation measures, although it uses that authority in only a handful of cases each year. Between 2010 and 2012, only 24 cases resulted in the use of legally binding mitigation measures. In 2012, mitigation measures were applied to acquisitions in the software, information, mining, energy and technology sectors.10

Mitigation measures vary on a case-by-case basis and have included, for example, commitments with respect to domestic production, cyber-security measures or government access to assets such as computer servers or telecommunications networks for law enforcement purposes. More invasive mitigation measures that have been adopted include a requirement to establish certain corporate firewall procedures between the US business and its foreign parent, or to terminate certain activities of the US business.

While the Committee is charged with reviewing a transaction and imposing mitigation measures, the Act grants the President, and only the President, the authority to suspend or prohibit a covered transaction. The Committee must therefore refer a transaction to the President if the Committee recommends that it be suspended or prohibited and the parties are unwilling to abandon the transaction. The Committee also refers the transaction to the President if the members of the Committee are unable to reach a decision on whether to recommend to the President that the transaction be suspended or prohibited, or if the Committee requests that the President make a final determination with regard to a transaction.

To exercise the authority to suspend or prohibit a transaction, the President must find that there is credible evidence that a ‘foreign interest exercising control might take action that threatens to impair the national security’, and that other laws do not, in the President’s judgement, ‘provide adequate and appropriate authority’ to protect the national security.

Presidential action is rare, partly because mitigation measures often address national security concerns and partly because parties typically decide to abandon a transaction following a recommendation from CFIUS to the President that the President issue a blocking order. Determinations by CFIUS or the President under the Act are not subject to judicial review. The exemption from judicial review was confirmed by the district court for the District of Columbia in 2013 when Ralls sought to have a Presidential Order requiring it to divest its interest in certain Oregon wind farms overturned by the court. The district court ruled that the merits of the President’s decision were not subject to judicial review and that a party that completes a covered transaction without clearance assumes the risk of doing so.11 Ralls has appealed the decision.

Involvement of third parties?

The CFIUS process is confidential and third parties have no right to participate in the process. CFIUS deliberates only among itself, without seeking input from private parties. However, other federal (eg, members of Congress), state (eg, governors) and local government officials (eg, mayors) often informally contribute to the review process and occasionally take a public position or write to CFIUS regarding the national security implications of specific transactions. This typically occurs in the case of publicly reported transactions, ones that are politically sensitive or ones that may impact a particular Congressional district. As a result, it may be prudent to engage public and government relations experts to contact third-party constituencies.

What types of transactions are subject to review?

Because the national security review process is confidential, CFIUS does not disclose information about particular cases under review. However, since 2008, CFIUS has regularly published an annual report of aggregated case statistics. The annual reports show that transactions involving acquiring parties from the UK, Canada, France and Israel regularly account for a significant percentage of transactions reviewed by CFIUS. In fact, the UK alone typically accounts for 20 to 30 per cent of cases reviewed each year. However, from 2010 to 2012, CFIUS reviewed transactions involving foreign acquiring persons from approximately 32 different countries, including India, Russia, China, Brazil and the UAE.12 The number of transactions reviewed involving Chinese acquiring persons has grown substantially from one in 2005 to 23 in 2012.

The reports also provide information at a very general level regarding the industries involved in transactions subject to CFIUS review. The annual reports show that transactions involving manufacturing typically account for the highest percentage of cases reviewed by CFIUS, with the finance, information and services sector accounting for the second-highest percentage.13 Within the manufacturing sector, transactions involving the acquisition of a manufacturer of computer and electronic products accounted for the largest percentage of transactions reviewed between 2010 and 2012, followed by acquisitions of machinery manufacturers.14 In the critical infrastructure area, transactions were reviewed with respect to utilities, mining, and oil and gas extraction.

To file or not to file?

Because the national security regime is voluntary, counsel for the parties to a transaction typically consult with each other with respect to the national security profile of a particular transaction in order to determine whether a filing is warranted. In practice, there can be two-way due diligence:

  • the buyer considers the target’s business activity, licences and clearances to determine whether to file; and
  • the target considers the buyer’s track record of compliance with certain laws and national origin to determine the risk the buyer poses to clearance (especially in an auction).

As noted above, there is no legal obligation to file, but a filing potentially offers a number of benefits:

  • obtaining a no-action letter provides a safe harbour against future Presidential action, provided parties comply with obligations under the Act;
  • filing may ensure that relevant government security clearances and licences are not jeopardised, which would negatively affect the ability to do business;
  • in practice, related regulations involving clearances and licences require parallel notifications (eg, one under the Act and one under the ITAR); and
  • filing and observing the waiting periods may avoid public and political criticism.

Factors that tend to suggest a filing should be made include:

  • Does the target have classified contracts or access to classified information requiring facility or personnel security clearances?
  • Does the target have any non-classified (prime or sub) contracts related to defence or homeland security?
  • Does the target have any technology related to cyber-security, communication network security, or personal identifier information (eg, for personnel security)?
  • Is the target business in critical infrastructure or technology (eg, energy)?
  • Are the target’s exports (including data) subject to the ITAR or other export restrictions?

Any filing analysis must also consider that CFIUS may proactively contact parties involved in a transaction that CFIUS thinks implicates national security to encourage the parties to notify a transaction, before or after closing. Although this occurs infrequently, it does happen. For instance, in 2011, Huawei Technologies Co abandoned its acquisition of assets from 3Leaf Systems because of CFIUS opposition. Huawei did not initially notify the transaction, but was contacted by CFIUS after closing and asked to submit a notification.15


In cross-border transactions involving the acquisition of a US business, it is important to consider not only the merger control implications but also the potential national security implications of a transaction. As outlined above, the US national security review process covers a variety of industries (and the US process should be considered along with those of other countries that also have national security review regimes, including, for example, Canada, China, France and Germany). If a transaction might implicate US national security issues, it is important to determine whether the issues are significant enough to warrant a filing and, if so, to ensure the relevant transaction document accounts for the process and risk. Furthermore, it is important to engage with CFIUS to try to ensure a timely and efficient review process, as well as, in some cases, applicable third-party constituencies such as customers (eg, if a target company does significant business with the US Department of Defense or a US defence contractor).


  1. The Committee on Foreign Investment in the United States (CFIUS or the Committee).
  2. The number of notices filed each year has varied fairly widely; for example, from 65 in 2009 to 155 in 2008. Committee on Foreign Investment in the United States Annual Report to Congress for CY 2012, available at (CFIUS CY2012 Annual Report).
  3. President George H W Bush issued an Executive Order in 1990 that directed China National Aero-Technology Import and Export Corporation to divest all interests in the Seattle-based company MAMCO, a manufacturer of aircraft components. 55 Fed. Reg. 3935 (1990). President Barack Obama issued an Executive Order in 2012 that directed Ralls Corporation to divest its interests in four wind farms in Oregon. 77 Fed. Reg. 60281 (2012).
  4. See statement issued by Lincoln Mining Corporation, ‘Divestment of Procon Investment in Lincoln Mining Required as a Result of US Regulatory Review’, available at (18 June 2013).
  5. 50 USC App 2170.
  6. These members were appointed pursuant to Executive Order 11858 (23 January 2008).
  7. 31 CFR section 800.207.
  8. 31 CFR section 800.204.
  9. 31 CFR section 800.401.
  10. CFIUS CY2012 Annual Report.
  11. Ralls Corporation v Committee on Foreign Investment in the United States, 926 F.Supp.2d. 71 (DDC 2013), on appeal to the Court of Appeals for the District of Columbia.
  12. CFIUS CY2012 Annual Report.
  13. Id.
  14. Id.
  15. See statement issued by the Embassy of the People’s Republic of China in the United States of America, ‘Chinese ministry regrets Huawei’s dropping of deal to buy 3Leaf assets’, available at
