7th National Forum on FOCI - DS


September 30 – October 1, 2024

The National Union Building, Washington, DC

Practical takeaways for managing heightened national security threats for companies under Foreign Ownership, Control or Influence.

Keynote Address

Jeffrey P. Spinnanger, Director, Information and Acquisition Protection, OUSD(I&S), U.S. Department of Defense

Benchmark with FSOs, Compliance and Legal Executives From:

• Avon Protection

• BlackBerry Government Solutions

• CGI Federal

• CHG Group

• IDEMIA

• Leonardo DRS

• Siemens Corporation

• Thales Defense & Security


Conference Co-Chairs

Heather L. Finstuen, Partner, Covington & Burling LLP

Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.

Engage in Critically Important Discussions on Pressing, High Stakes Issues, Including:

• Cybersecurity Mitigation and CUI: Preparing for Your CMMC Assessment and How to Demonstrate Compliance

• Vulnerability Assessments and Self-Inspections: What Can Generate the Best Possible Outcome, and What Has Fallen Short

• The Nuanced Roles of Outside Directors and Proxy Holders: Balancing Stakeholder and National Security Interests

• FOCI and Cyber Incident Response: Tailoring Your Incident Response to Mitigation Security Requirements and Corporate Policy

• Business and Security Leaders Panel: C-Level Executives Discuss Their Roles in FOCI Mitigated Companies

Join Breakout Roundtables for Smaller-Group Discussions

Early Riser FSO Benchmarking: Tackling the Next Wave of Complex, Real-World Challenges

AmericanConference.com/FOCI • 888 224 2480 REGISTER NOW Part of C5 Group’s NATIONAL SECURITY CONFERENCE PORTFOLIO
EARN CLE CREDITS

SPEAKER FACULTY

CONFERENCE CO-CHAIRS

Heather L. Finstuen, Partner, Covington & Burling LLP

Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.

GOVERNMENT SPEAKERS

Wayne Chin, Chief, Risk Management Unit, Defense Counterintelligence and Security Agency

Sabrina DeBarge, Mission Region Action Officer for Industrial Security, Mid-Atlantic Region, Defense Counterintelligence and Security Agency

Jeffrey P. Spinnanger, Director, Information and Acquisition Protection, OUSD(I&S), U.S. Department of Defense

DISTINGUISHED SPEAKERS

Robert Benn, Chief Security Officer, BT Federal Inc.

Margaret M. Cassidy, Managing Attorney, Cassidy Law

Curtis H. Chappell, ISP®, Vice President, Security, Thales Defense & Security, Inc.

Chris Griner, Senior Partner, Squire Patton Boggs (US) LLP

Pamela Drew, Proxy Holder, Eutelsat America Corp.; Outside Director, QuinetiQ Inc.

Erin Estevez, Partner, Holland & Knight LLP

Jennifer A. Gabeler, Vice President Security and Information Systems, CHG Group, Inc.

Jason Garkey, Chief Security Officer, Momentus Space

Mary Griggs, Outside Director, CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense

Michelle D. Hertz, VP, General Counsel & Corporate Secretary, CGI Federal Inc.

Dennis S. Kallelis, Chief Security Officer, IDEMIA Identity & Security

Maria Keady, Principal Compliance Manager / FSO / ITPSO, BlackBerry Government Solutions

Stefan Lopatkiewicz, General Counsel, Eutelsat America Corp

Matthew Madalo, General Counsel, Siemens Corporation

Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS

Jill M. McClune, U.S. General Counsel, Avon Protection/Team Wendy

Robert Metzger, Partner, Rogers Joseph O’Donnell

Norman E. Pashoian III, Industrial Security Consultant, White & Case LLP

Daniel B. Pickard, Shareholder, Buchanan Ingersoll & Rooney PC

Johnathan Rudy, Senior Counsel, TransUnion

Antonia Tzinova, Partner, Holland & Knight LLP

Alex Veneziano, Chief Administrative Officer, Airbus U.S. Space and Defense


DAY ONE

MONDAY, SEPTEMBER 30, 2024

8:45

Opening Remarks from the Co-Chairs

Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.

Heather L. Finstuen, Partner, Covington & Burling LLP

9:00

Opening Interview: Examining New DCSA Priorities, Initiatives and Review Timelines

• Updates on the roles and responsibilities of newly hired DCSA personnel, and how agency resources are being utilized

• Update on DCSA amendments to forms, such as the Electronic Communications Plan (ECP)

• Key takeaways on the strategies and schemes that the foreign adversaries are using

• Analyzing the kinds of threats that FOCI mitigation is designed to counter, including new, emerging risks

9:30 NEW AUDIENCE POLLING & HYPOTHETICAL SCENARIOS

Cybersecurity Mitigation and CUI: Preparing for Your CMMC Assessment and Demonstrating Compliance

Maria Keady, Principal Compliance Manager / FSO / ITPSO, BlackBerry Government Solutions

Curtis H. Chappell, ISP®, Vice President, Security, Thales Defense & Security, Inc.

Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS

The U.S. Department of Defense issued a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule) in December 2023. The proposed rule is expected to more strictly control how Controlled Unclassified Information (CUI) is safeguarded and disseminated with impacts on FOCI mitigation, contracts, third-party contractors, parent companies and cloud service providers. This session will cover key topics, including:

• Safeguarding the relationship of a foreign entity and the mitigated entity, delineating access to network controls and cyber controls, and updating your company’s Electronic Communication Plans (ECP)

• Managing the rising cost of delineating network access

• Conducting a gap analysis to determine the compliance status of the parent company

• Meeting expectations for more strict safeguarding obligations for storage, processing and transmitting of sensitive DoD information

• Ensuring your FOCI company has the necessary security controls and that you are not relying on the controls of the parent company

• Determining which contractors need assessments and certifications - and whether they are self-assessments or third-party assessments (C3PAO) or by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

• Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

10:15 Networking Break

10:30 NEW

Vulnerability Assessments and Self-Inspections: Preparing and Managing an On-Site Assessment, and What Can Generate the Best Possible Outcome


Margaret M. Cassidy, Managing Attorney, Cassidy Law

Sabrina DeBarge, Mission Region Action Officer for Industrial Security, Mid-Atlantic Region, Defense Counterintelligence and Security Agency

Jason Garkey, Chief Security Officer, Momentus Space

As DCSA is conducting more in-person engagement and onsite security checks, learn the latest lessons on how to prepare for an onsite assessment and the expected (and unexpected) ramifications of an unfavorable result.

• Ensuring your company’s security policy is robust and being followed for all FOCI locations

• Determining if all FOCI locations are needed, being used and using the security policy

• Examining what can lead to a poor vulnerability assessment

• Itemizing the consequences of a vulnerability assessment and implementing a strategy

» Customer notifications

» Remediation

• Exploring what constitutes a security incident, and what doesn’t

• Conducting governance and risk assessments

• Scrutiny of governance models to protect shareholders

• The pitfalls to avoid for internal and self-audits when preparing for a DCSA assessment

11:15 AUDIENCE POLLING & HYPOTHETICAL SCENARIOS

The Nuanced Roles of Outside Directors and Proxy Holders: Balancing Stakeholder and National Security Interests

Mary Griggs, Outside Director, CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense

Pamela Drew, Proxy Holder, Eutelsat America Corp, Outside Director, QuinetiQ Inc.

Chris Griner, Senior Partner, Squire Patton Boggs (US) LLP

During this session, speakers will lead delegates through a series of hypothetical scenarios that showcase the nuances of how a FOCI mitigated company can balance the roles of an outside director with its foreign parent. Delegates are encouraged to participate in anonymous live polling for enhanced benchmarking. Key topics will include:

• Approaching the role of an outside director when the FOCI mitigated company has no classified work, but is carrying a clearance for contract

• Balancing the needs and wants of the parent company and the shareholders

• What needs to be reported to the government security committee

• Documenting the government security committee meeting, and justifying how a company is in compliance with the NISPOM


12:00 NEW AI DEMO & CASE STUDY

How AI is Being Leveraged for FOCI Risk Mitigation

12:30 Networking Luncheon for Speakers and Delegates

1:45 NEW

How DCSA’s FOCI Scope is Expanding Beyond Foreign Owned Companies and Impacting Supply Chain

Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.

Jill M. McClune, U.S. General Counsel, Avon Protection/Team Wendy

Proposed changes to the National Defense Authorization Act (NDAA), Section 847 directs the U.S. Department of Defense to reduce reliance on services, supplies, or materials obtained from certain geographic areas, which may be controlled by adversarial countries. The change would also direct DoD to mitigate the risks to national security and the defense supply chain related to such a reliance. Announced in 2022, DoD is due to issue a report to congressional defense committees this year and is currently seeking input.

• Determining which FOCI companies, non-FOCI companies, public trust contracts and third-party contractors are subject to increased scrutiny

• Anticipating DCSA’s expectations and guidance

• Analyzing the need for an Electronic Communication Monitoring Plan, or a Quality Management Plan, or an export license

• Monitoring international suppliers and evaluating supply chain security and resiliency

2:30

CFIUS and Export Controls Interplay: Navigating CFIUS and FOCI Mitigation Agreements – And How to Avoid Hiccups

Antonia Tzinova, Partner, Holland & Knight LLP

Daniel B. Pickard, Shareholder, Buchanan Ingersoll & Rooney PC

Wayne Chin, Chief, Risk Management Unit, Defense Counterintelligence and Security Agency

• Determining where CFIUS and DCSA align and diverge

• Deciphering when there is a mandatory filing obligation

• Accomplishing DCSA and CFIUS expectations, and overcoming operational challenges

• Dovetailing CFIUS and FOCI mitigation with export compliance and licensing requirements

• Determining the sequencing of CFIUS and FOCI submissions

• Examining what kind of data exports are controlled and need an export license

3:15

Networking Break

3:30 NEW

Cyber Mitigation Case Study

Johnathan Rudy, Senior Counsel, TransUnion

During this session, delegates will delve into the complexities of an acquisition from the lens of cybersecurity. This will include a look at how to vet policy prior to acquisition, ensuring the acquired company has not already been breached, and how to ensure robust safeguards following the acquisition. Topics will include:

• Assessing cyber risk before, during and after acquisition

• Complying with DCSA’s requirements for a robust cybersecurity policy and how to meet expectations in the event of a breach

• Itemizing the mechanics of mitigating against the risk of a cyber breach

• Consolidating operation measures while ensuring high cybersecurity standards among shared electronic services and shared technology services

• Examining how ECPs and AOPs could be altered to strengthen cybersecurity standards

4:15

Interactive Roundtable Discussions – Pick your roundtable!

Back by popular demand! Delegates are invited to break out into smaller group discussion tables to trade experiences and lessons learned for confronting the challenges of maintaining security standards amid a remote and hybrid workforce. Facilitators will guide the conversation to identify the latest best practices. Delegates are encouraged to choose their preferred table topic, and to move between tables during the discussion.

Table One: Insider Threat: How are you safeguarding access and information?

Table Two: How is the government vetting your employee’s online social footprint?

Table Three: How does cybersecurity fit into a mitigation strategy?

Table Four: Considerations for safeguarding your supply chain

5:00

Conference Adjourns

appreciated the conference. Very practical information that could be utilized to support our compliance programs or for consideration during the next transaction. Not all FOCI conferences have as much real-world information – so most appreciated.

DAY TWO

TUESDAY, OCTOBER 1, 2024

8:00 EARLY RISER FSO Benchmarking: Tackling the Next Wave of Complex, Real-World Challenges (by invitation only)

Join this early riser, smaller-group session to share the top-of-mind concerns affecting FSOs and how to meet the evolving demands of the job.

8:45

Opening Remarks from the Co-Chairs

9:00

Keynote Address

Jeffrey P. Spinnanger, Director, Information and Acquisition Protection, OUSD(I&S), U.S. Department of Defense

9:30 NEW

Classified Contracts and CUI: What DCSA Now Requires in a FOCI Mitigated Landscape

• Paraphrasing information that is passed to affiliates about classified contracts

• Establishing networking and IT requirements and how to separate the network CUI from affiliate companies

• Determining who has access when a global company has different subsidiaries

• Ensuring continuous auditing and compliance

• Examining who has access to what when employees have dual citizenship

• Reviewing the requirements when your classified documents are off site

10:15 Networking Break

10:30 NEW HYPOTHETICAL SCENARIOS

FOCI and Cybersecurity Breach Action Plan: Tailoring Your Incident Response to Meet Mitigation Security Requirements and Breach Policy

Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS

Robert Metzger, Partner, Rogers Joseph O’Donnell

What happens during a breach? This interactive session will examine the play-by-play of how a FOCI mitigated company will now need to react to a cybersecurity breach under stricter Department of Defense and CMMC safeguards.

• Determining your company’s obligations under NISPOM in the context of a cyber breach

• Ensuring your FOCI company is following its cybersecurity breach policy and implementing checks

• Deciphering which policies kick in during a cyber breach: Systems Security Plan (SSP) for Controlled Unclassified Information (CUI) and Standard Policies and Procedures (SPP)

• Examining the effect of a breach on a cleared company with classified information

• Analyzing how the breach affects the whole company and who has responsibility

• Determining what the security representative can and can’t tell the parent

• Reconciling the effects on the AOP

11:15

Mitigation Strategies: How DCSA is Now Expanding its Scope and Increasing Requirements for Special Board Resolutions

Matthew Madalo, General Counsel, Siemens Corporation

Norman E. Pashoian III, Industrial Security Consultant, White & Case LLP

• Analyzing how DCSA is now reviewing Board Resolutions, how requirements are changing and which types of companies are now affected

• Examining the requirements for a Board Resolution, and when the foreign entity does not own enough voting stock to elect a representative to the company's governing board

• How to handle a cleared subsidiary when the parent company has a small percentage of foreign ownership

• Determining which tools are (and aren’t) necessary in a mitigation, such as proxies, board resolutions and company service arrangements

• Addressing when an investor has a right to a board seat, but is not exercising their right, and documenting it for DCSA

11:45 SSA AND PROXY AGREEMENTS

Determining When to Restructure a FOCI Mitigation Agreement: Key Considerations and Processes for SSAs, Proxy and Other Agreements

Michelle D. Hertz, VP, General Counsel & Corporate Secretary, CGI Federal Inc.

Stefan Lopatkiewicz, General Counsel, Eutelsat America Corp

• Contrasting the differences between an SSA and a Proxy Agreement, and their pros and cons for a company

• How to meet DCSA mitigation expectations when restructuring foreign ownership, control, or influence

• Expected timelines and what can cause delays

• Weighing the pros and cons, and the impact of each type of agreement

• Examining the relationship with the foreign parent, how it differs under a Proxy Agreement, a Special Security Agreement, a Security Control Agreement or other agreement

• Appointing an inside director under a Special Security Agreement following a PA restructuring


The in-person interaction was great - both learning about others' initiatives and creating networking opportunities.

Carl Rhine, Indiana University

12:15 BUSINESS AND SECURITY LEADERS PANEL

The Role of C-Level Executives in FOCI-Mitigated Companies

Dennis S. Kallelis, Chief Security Officer, IDEMIA Identity & Security

Alex Veneziano, Chief Administrative Officer, Airbus US Space and Defense

Moderator: Erin Estevez, Partner, Holland & Knight LLP

• Best Practices for handling FOCI agreements

• The relationship between DCSA and the company, and dos and don’ts of working with DCSA

• CFIUS LOA FOCI Agreement, with controls, restrictions, audits, and penalties

• Becoming FOCI proficient and detecting and handling FOCI concerns in the initial stages

• Implementing a FOCI mitigation agreement with fewer resources

• Budgeting and the business impact of FOCI mitigation on possible delays to company operations

• Utilizing legal counsel and FSO expertise vs. when to hire a consultant

12:45

Closing Remarks from the Co-Chairs

Conference Concludes

Stay on for the Post-Conference Workshop

TUESDAY, OCTOBER 1, 2024

1:30 pm–5:00 pm

AOP Working Group: An Updated, Practical Guide to Simplifying and Baselining the Affiliated Operation Plan

Details on the next page.


POST-CONFERENCE WORKSHOP

TUESDAY, OCTOBER 1, 2024

1:30–5:00 p.m.

AOP Working Group: An Updated, Practical Guide to Simplifying and Baselining the Affiliated Operation Plan

Jennifer A. Gabeler, Vice President Security and Information Systems, CHG Group Inc.

Robert Benn, Chief Security Officer, BT Federal Inc.

• Best practices and pitfalls to avoid when drafting and submitting an AOP, including:

» Describing Services: Who is providing the affiliated operation, to whom, and the costs and benefits

» Implementing Services: How will affiliated operations be implemented and are they mandatory?

» Technology: What is being utilized, who has ownership, types of information being shared, and frequency of interaction

» What to ask your security committees enough

» How the parent companies can manage the financial burden

» Customizing your AOP

• Key strategies for mitigating and managing affiliated operations

» Effective tactics for handling and reducing risks in affiliated operations

» DCSA compliance and enhanced efficiency

• Developing internal steps to ensure you are properly mitigating potential risks, including:

» Review of services: internal steps to ensure compliance with mitigating procedures, and how the FSO and Technology Control Officer (TCO) can work together to ensure compliance

COMPLIMENTARY WEBINAR

FOCI and Cybersecurity – What Should Be on Your Radar

Speakers:

Curtis H. Chappell, ISP® Vice President, Security Thales Defense & Security, Inc.

Jill M. McClune US General Counsel Avon Protection/Team Wendy

• Examining emerging cybersecurity challenges affecting FOCI mitigated companies

• Questions you should be asking, whether you are inside or outside

• Certifications, perceptions and who needs certifications

• Where are parent and subsidiaries overlapping with cybersecurity and network controls

• Viewing Classified and Controlled Unclassified Information (CUI) documents through a cybersecurity lens

• Assessing where compliance controls overlap or don’t, including GDPR and other privacy

• Assessing adequate Personal Identifiable Information (PII) protection

June 20 • 12–1 P.M. ET

Continuing Legal Education Credits

Accreditation will be sought in those jurisdictions requested by the registrants which have continuing education requirements. This course is identified as nontransitional for the purposes of CLE accreditation.

ACI certifies this activity has been approved for CLE credit by the New York State Continuing Legal Education Board.

ACI certifies this activity has been approved for CLE credit by the State Bar of California.

ACI has a dedicated team which processes requests for state approval. Please note that event accreditation varies by state and ACI will make every effort to process your request.

For more information on ACI’s CLE process, visit: www.AmericanConference.com/Accreditation/CLE

PRICING

Main Conference Only

• Register & Pay by May 17, 2024: $1,695 (SAVE $300)

• Register & Pay by August 23, 2024: $1,795 (SAVE $200)

• Register & Pay after August 23, 2024: $1,995

AOP Working Group: An Updated, Practical Guide to Simplifying and Baselining the Affiliated Operation Plan (IN-PERSON WORKSHOP†): $600

† Workshop will be offered in-person and also via livestream.

All program participants will receive an online link to access the conference materials as part of their registration fee. Additional copies of the Conference Materials available for $199 per copy.

Bringing a Team?*

• 1–3: No Discount

• 4–8: 10% Conference Discount

• 9–12: 15% Conference Discount

• 12+: Call 888-224-2480

*Team/group registrations must be from the same organization/firm and register together in one transaction.

Special Discount

ACI offers financial scholarships for government employees, judges, law students, non-profit entities and others. For more information, please email or call customer service.

Book with Confidence!

WORRY FREE Registration GUARANTEE

Register and pay to lock in your early rate and be eligible for a full refund until September 16, 2024.

If you are unable to attend for any reason, you will have the following options:

• A full credit note for you, or a colleague to attend another event.

• A full refund.

All cancellations and changes must be submitted to CustomerService@AmericanConference.com by September 16, 2024.

To update your contact information and preferences, please visit https://www.AmericanConference.com/preference-center/.

Terms & conditions and refund/cancellation policies can be found at AmericanConference.com/company/faq/

VENUE INFORMATION

The National Union Building, 918 F St NW, Washington, DC 20004

CONFERENCE CODE: 859L25-WAS

Looking to Register? Contact our Customer Service Representatives:

Brian Currie, American Conference Institute, B.Currie@AmericanConference.com, 1 212 352 3220 x7370. Use Registration Code: B00-999-BCE25

Yanette Ching, American Conference Institute, Y.Ching@AmericanConference.com, 1 212 352 3220 x5499. Use Registration Code: B00-999-YCG25

C5 celebrates 40 years of excellence!

We are thrilled to have provided exceptional conference experiences globally with our outstanding team, speakers, sponsors, partners, and attendees. To mark this milestone, we're launching a new logo which represents our commitment to innovation, growth, and excellence, represented by the five Cs of C5: Current, Connected, Customer-Centric, Conscientious, and Committed. Looking back on 40 years, we are grateful for our achievements: hosting global conferences, uniting industry leaders, and supporting business growth. However, we are not done yet! We are committed to pushing boundaries and creating impactful experiences and we're excited for the next 40 years of success.

© American Conference Institute, 2024