United States: CFIUS Review

This is an Insight article, written by a selected partner as part of GCR's co-published content. Read more on Insight

United States: national security review

The national security review process in the United States – often referred to as the Exon–Florio or CFIUS1 review process, after the relevant authorising statute and enforcement agency, respectively – has existed for decades. It originally focused, at least in practice, on the acquisition by foreign companies of US businesses directly or indirectly supplying the US Department of Defense, but especially after the 9/11 terrorist attacks, the concept of national security – and therefore the types of transactions subject to review under the regime – was broadened by statute and in practice. National security is an ever-evolving concept, and as cybersecurity concerns increase in the wake of suspected state-sponsored or other cyber attacks, CFIUS is focusing more on such concerns. Today, the national security review process can be an important part of many transactions, even though it remains voluntary. Examples of industries in which notifications under the regime have been submitted include computers, network security, cyber systems, energy (development and transport), semiconductors, aerospace, telecommunications, optics, robotics, mining and natural resources, plastics and rubber, automotive, financial services, coatings and adhesives, chemicals and steel.

The CFIUS review process has also become more time-consuming and intensive, as exemplified by the extensive investigations more regularly being undertaken by CFIUS. For example, about the same number of transactions were subjected to an in-depth investigation in 2008 and 2009 as had been for nearly all of the previous two decades (ie, from 1988, when the relevant statute was enacted, to 2007). For the last three years for which data has been reported (between 2012 and 2014), there were 119 filings per year on average, of which approximately 40 per cent were subject to in-depth investigations.

Although submitting a transaction to CFIUS for a national security review is voluntary, the risk of not submitting a voluntary notification and obtaining a no-action letter can be substantial because of the possibility of remedial action. Furthermore, a filing ensures that government security clearances or licences issued under other federal regulations that are tied to the national security review process are not jeopardised. It may further insulate parties to a transaction from public and political criticism of a decision not to notify a particularly sensitive transaction. Consequently, it is advisable to consider the national security implications of cross-border transactions and to draft appropriate provisions in transaction documents to address, among other things, conditions to closing, cooperation and risk sharing.

Typically, fewer than 200 transactions per year are subject to the US national security review process,2 and only two transactions have ever been subjected to a presidential order to be unwound since the relevant statute was adopted in 1988.3 One of those presidential orders was issued in 2012, when President Obama ordered Ralls Corporation (Ralls), owned by Chinese nationals, to divest interests it had acquired in certain wind farms operating near naval facilities in Oregon. Yet several transactions have garnered significant publicity as a result of US government opposition on national security grounds and have been subjected to delay, restructuring or abandonment, including up to approximately 11 transactions abandoned in 2014.

What is the regulation and who administers it?

The US national security review process is conducted pursuant to the Exon–Florio Amendment to the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007 (FINSA) (the Act).4 The Act grants the president the authority to review any transaction by a foreign person or persons that could result in control over a US business (ie, a ‘covered transaction’) and to suspend or prohibit that transaction if it threatens to impair the national security of the United States.

CFIUS is charged with conducting the national security review on behalf of the president pursuant to the Act and, as appropriate, making a recommendation regarding Presidential action. CFIUS is an inter-agency committee consisting of, as chair, the Secretary of the Treasury and, as members, the Secretaries of Commerce, State, Defense, Homeland Security and Energy, as well as the Attorney General, the United States Trade Representative, and the Director of the Office of Science and Technology Policy. The Secretary of Labor and the Director of National Intelligence serve as ex officio members. Other executive branch representatives observe and, as appropriate, participate in the Committee’s activities, including the Chairman of the Council of Economic Advisors, the Director of the Office of Management and Budget, the Assistant to the President for National Security Affairs, the Assistant to the President for Economic Policy, and the Assistant to the President for Homeland Security and Counterterrorism.5

In practice, CFIUS operates both through its official senior-level members and, more frequently, through staff representatives from each of the CFIUS member agencies, although FINSA now requires that only certain specified senior-level members take certain decisions. The Committee reaches decisions by consensus, but any member may seek to have a transaction subjected to in-depth review.

What is national security?

The Act does not define ‘national security’, but requires CFIUS to consider the following factors:

  • domestic production needed for projected national defence requirements;
  • the capability and capacity of domestic industries to meet national defence requirements, including the availability of human resources, products, technology, materials and other supplies and services;
  • the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security;
  • the potential effects of the proposed or pending transaction on sales of military goods, equipment or technology to any country:
  • identified by the Secretary of State as a country that supports terrorism, is a country ‘of concern’ regarding missile proliferation or the proliferation of chemical and biological weapons, or is listed on the Nuclear Non-Proliferation Special Country List; or
  • that poses a potential regional military threat to the interests of the United States;
  • the potential effects of the proposed or pending transaction on US international technological leadership in areas affecting US national security; and
  • the potential for national security-related effects from the acquisition of US critical technologies and infrastructure, including energy.

Critical technologies are defined by reference to a number of export control regulations, including, among others, the International Traffic in Arms Regulation (ITAR) and the Export Administration Regulation.

Critical infrastructure is defined as those systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.

What is a covered transaction?

The Act applies to any ‘covered transaction’, such as a transaction by or with any foreign person that could result in direct or indirect control of a US business by a foreign person.6 Each of these terms is further defined in the regulations.

A ‘transaction’ includes mergers, acquisitions or takeovers, and can include the acquisition of an ownership interest, the conversion of convertible voting instruments (whether debt or equity) and the formation of a joint venture.

The concept of control is broader than in the US antitrust context, because it is based on function rather than structure. Control turns on the ability to determine, direct or decide matters affecting an entity, and the regulations specifically recognise dominant minority control.7 In practice, CFIUS interprets control very broadly.

Foreign persons include any foreign national, foreign government or foreign entity, or any entity over which control is exercised or exercisable by a foreign national, foreign government or foreign entity.

A US business is one engaged in interstate commerce in the United States and thus is not limited to businesses incorporated in the United States. Accordingly, the Act may be implicated when a foreign entity acquires another foreign entity and indirectly acquires its US subsidiary.

What information is required in a filing?

The notification must include substantial information regarding the nature of the transaction, the nature of the business to be acquired and the identity of the foreign acquiring person. The specific information that must be included is outlined in the regulations.8 With respect to the US business to be acquired, CFIUS requires information about, among other things, its US government contracts, clearances and licences. With respect to the foreign acquiring person, information must be provided regarding its ownership structure, and certain personal identifier information must be provided about its board of directors and executive management to permit background checks to be conducted by the US government.

What is the review period?

The official review process begins with the submission of a voluntary notification by the parties (or on self-initiation by CFIUS). However, the regulations recommend that the parties notify CFIUS at least five business days in advance of formally filing a notification. The regulations do not require the parties to submit a draft notification during the pre-notification period, but because CFIUS has the discretion to reject a notification as incomplete (thereby delaying the start of the review period), parties do submit a draft as a matter of practice.

In practice, CFIUS requires the notification to be submitted jointly (when the transaction is not hostile), and no filing fee is required. Receipt of a properly prepared notice triggers an initial 30-day review of the notified transaction.

By the end of the 30-day period, CFIUS must decide whether to clear the transaction if it perceives no potential threat to national security, or to initiate a more comprehensive 45-day investigation.

During either the 30-day or the 45-day period, CFIUS can request additional information and, under some circumstances, stop the review clock as a result. Furthermore, CFIUS may decide during either the 30-day or the 45-day period to issue a no-action letter or to require the parties to enter into a mitigation agreement to resolve any potential national security concerns. Alternatively, at the end of a 45-day investigation, CFIUS may refer the matter to the president. The president then has 15 days to take any action.

If a transaction is by a foreign government-controlled entity or involves critical infrastructure of or within the United States and could impair US national security if the threat has not been mitigated, the Act requires that a 45-day investigation be undertaken (unless waived by the relevant CFIUS member agencies).

Although 45-day investigations historically have been infrequent, they have recently become more common as previously noted.

What are the powers of the authorities to prohibit or otherwise interfere with a transaction?

The Committee has the authority to review a covered transaction and to impose mitigation measures to address any national security concerns, although in practice such measures typically are negotiated. Mitigation measures may be imposed only after CFIUS has identified a specific threat to US national security and determined that a mitigation measure is reasonably necessary to address that threat. Nonetheless, CFIUS has broad authority to develop mitigation measures, although it uses that authority in only a handful of cases each year. Between 2012 and 2014, only 29 cases (8 per cent) resulted in the use of legally binding mitigation measures. In 2014, mitigation measures were applied to nine different acquisitions in the software, services and technology sectors.9

Mitigation measures vary on a case-by-case basis and have included, for example, commitments with respect to domestic production, cybersecurity measures or government access to assets such as computer servers or telecommunications networks for law enforcement purposes. More invasive mitigation measures that have been adopted include a requirement to establish certain corporate firewall procedures between the US business and its foreign parent or to terminate certain activities of the US business.

While the Committee is charged with reviewing a transaction and imposing mitigation measures, the Act grants the president, and only the president, the authority to suspend or prohibit a covered transaction. The Committee therefore must refer a transaction to the president if the Committee recommends that it be suspended or prohibited and the parties are unwilling to abandon the transaction. The Committee also refers the transaction to the president if the members of the Committee are unable to reach a decision on whether to recommend to the president that the transaction be suspended or prohibited, or if the Committee requests that the president make a final determination with regard to a transaction.

To exercise the authority to suspend or prohibit a transaction, the president must find both that there is credible evidence that a ‘foreign interest exercising control might take action that threatens to impair the national security’, and that other laws do not, in the president’s judgement, ‘provide adequate and appropriate authority’ to protect the national security.

Presidential action is rare, partly because mitigation measures often address national security concerns and partly because parties typically decide to abandon a transaction following a recommendation from CFIUS to the president that the president issue a blocking order. Determinations by CFIUS or the president under the Act are not subject to judicial review. The exemption from judicial review was confirmed by the district court for the District of Columbia in 2013 when Ralls sought to have a presidential order requiring it to divest its interest in certain Oregon wind farms overturned by the court. The district court ruled that the merits of the president’s decision were not subject to judicial review and that a party that completes a covered transaction without clearance assumes the risk of doing so.10 On appeal, the Court of Appeals for the District of Columbia Circuit agreed that the president’s decision was not subject to judicial review but held that the ‘Presidential Order deprived Ralls of constitutionally protected property interests without due process of law’ and instructed that upon remand, Ralls be given access to unclassified evidence in support of the decision.11 On remand, the District Court ordered CFIUS to provide all unclassified information on which it relied for its decision, afford Ralls an opportunity to respond to that information, and provide Ralls’ response to the information along with CFIUS’s updated recommendation to the president.12 The parties ultimately resolved the case via settlement.

Involvement of third parties?

The CFIUS process is confidential and third parties have no right to participate in the process. CFIUS deliberates only among itself, without seeking input from private parties. However, other federal (eg, members of Congress), state (eg, governors) and local government officials (eg, mayors) as well as trade or industry groups often informally contribute to the review process and occasionally take a public position or write to CFIUS regarding the national security implications of specific transactions. This typically occurs in the case of publicly reported transactions, ones that are politically sensitive or ones that may impact a particular congressional district. As a result, it may be prudent to engage public and government relations experts to contact third-party constituencies.

What types of transactions are subject to review?

Because the national security review process is confidential, CFIUS does not disclose information about particular cases under review. However, since 2008, CFIUS has regularly published an annual report of aggregated case statistics. The annual reports show that transactions involving acquiring parties from the UK, Canada, France and Israel historically accounted for a significant percentage of transactions reviewed by CFIUS. In fact, the UK alone typically accounts for 20 to 30 per cent of cases reviewed each year. However, from 2012 to 2014, CFIUS reviewed more transactions involving Chinese acquiring persons than from any other jurisdiction.13 The number of transactions reviewed involving Chinese acquiring persons has grown substantially, from one in 2005 to 24 in 2014.

The reports also provide information at a very general level regarding the industries involved in transactions subject to the CFIUS review. The annual reports show that transactions involving manufacturing typically account for the highest percentage of cases reviewed by CFIUS, with the finance, information and services sector accounting for the second-highest percentage.14 Within the manufacturing sector, transactions involving the acquisition of a manufacturer of computer and electronic products accounted for the largest percentage of transactions reviewed between 2012 and 2014, followed by acquisitions of machinery manufacturers and transportation equipment.15

To file or not to file?

Because the national security regime is voluntary, counsel for the parties to a transaction typically consult with each other with respect to the national security profile of a particular transaction in order to determine whether a filing is warranted. In practice, there can be two-way due diligence: buyer considers target’s US business activity, licences and clearances to determine whether to file; target considers buyer’s track record of compliance with certain laws and national origin as well as track record, if any with CFIUS reviews, to determine the risk buyer poses to clearance (especially in an auction).

As noted above, there is no legal obligation to file, but a filing potentially offers a number of benefits:

  • obtaining a no-action letter provides a safe harbour against future presidential action, provided parties comply with obligations under the Act;
  • filing may ensure that relevant government security clearances and licences are not jeopardised, which would negatively affect the ability to do business;
  • in practice, related regulations involving clearances and licences require parallel notifications (eg, one under the Act and one under the ITAR); and
  • filing and observing the waiting periods may avoid public and political criticism.

Factors that tend to suggest a filing should be made include:

  • Does the target have classified contracts or access to classified information requiring facility or personnel security clearances?
  • Does the target have any non-classified (prime or sub) contracts related to defence or homeland security?
  • Does the target have any technology related to cybersecurity, communication network security, or personal identifier information (eg, for personnel security)?
  • Is the target business in critical infrastructure or technology (eg, energy)?
  • Are the target’s exports (including data) subject to the ITAR or other export restrictions?

Any filing analysis must also consider that CFIUS may proactively contact parties involved in a transaction that CFIUS thinks implicates national security to encourage the parties to notify a transaction, before or after closing. Although this occurs infrequently, it does happen. For instance, in 2011, Huawei Technologies Co abandoned its acquisition of assets from 3Leaf Systems because of CFIUS opposition. Huawei did not initially notify the transaction, but was contacted by CFIUS after closing and asked to submit a notification.16


In cross-border transactions involving the acquisition of a US business, it is important to consider not only the merger control implications but also the potential national security implications of a transaction. As outlined above, the US national security review process covers a variety of industries (and the US process should be considered along with those of other countries that also have national security review regimes, including, for example, Canada, China, France and Germany). If a transaction might implicate US national security issues, it is important to determine whether the issues are significant enough to warrant a filing and, if so, to ensure the relevant transaction document accounts for the process and risk. Furthermore, it is important to engage with CFIUS to try to ensure a timely and efficient review process, as well as, in some cases, applicable third-party constituencies such as customers (eg, if a target company does significant business with the US Department of Defense or a US defence contractor).


  1. The Committee on Foreign Investment in the United States (CFIUS or the Committee).
  2. The number of notices filed each year has varied fairly widely, for example, from 65 in 2009 to 147 in 2014. Committee on Foreign Investment in the United States Annual Report to Congress for CY2014, available https://www.treasury.gov/resource-center/international/foreign-investment/Documents/Annual%20Report%20to%20Congress%20for%20CY2014.pdf (CFIUS CY2014 Annual Report).
  3. President George H W Bush issued an Executive Order in 1990 that directed China National Aero-Technology Import and Export Corporation (CATIC) to divest all interests in the Seattle-based company Mamco, a manufacturer of aircraft components. 55 Fed. Reg. 3935 (1990). President Barack Obama issued an Executive Order in 2012 that directed Ralls Corporation to divest its interests in four wind farms in Oregon. 77 Fed. Reg. 60281 (2012).
  4. 50 USC App 2170.
  5. These members were appointed pursuant to Executive Order 11858 (23 January 2008).
  6. 31 CFR section 800.207.
  7. 31 CFR section 800.204.
  8. 31 CFR section 800.401.
  9. CFIUS CY2014 Annual Report.
  10. Ralls Corporation v Committee on Foreign Investment in the United States, 926 F Supp 2d. 71 (DDC 2013).
  11. Ralls Corporation v Committee on Foreign Investment in the United States, 758 F.3d 296, 325 (DC Cir 2014).
  12. Order, Ralls Corporation v Committee on Foreign Investment in the United States, No. 12-cv-01513-ABJ (DC Cir 13 March 2015) (ECF No. 73).
  13. CFIUS CY2014 Annual Report.
  14. Id.
  15. Id.
  16. See statement issued by the Embassy of the People’s Republic of China in the United States of America, ‘Chinese ministry regrets Huawei’s dropping of deal to buy 3Leaf assets’, available at www.china-embassy.org.

Unlock unlimited access to all Global Competition Review content