Skip to main content
August 13, 2018

New Law Expands and Reforms CFIUS Jurisdiction and US Export Controls


President Trump signed into law on August 13, 2018, as part of the National Defense Authorization Act of 2019 (NDAA),1 legislation that enhances the powers of the Committee on Foreign Investment in the United States (CFIUS), as well as modernizes and expands US export controls on dual-use items. The provisions related to CFIUS, entitled the Foreign Investment Risk Review Modernization Act (FIRRMA), considerably expand the jurisdiction of CFIUS, the interagency body charged with reviewing and making national security-based recommendations to the President regarding whether to allow foreign investments in US companies.

While CFIUS previously was authorized to review only transactions that resulted in foreign control over a US business, under FIRRMA, the "covered transactions" subject to CFIUS review also will include foreign non-controlling investments in (1) US critical technology or infrastructure and (2) real estate near US military or other national security-related sites. Additionally, while to date, all notices to CFIUS of covered transactions have been voluntary, under FIRRMA, short notifications, termed "declarations," will be mandatory for certain investments.

FIRRMA reflects increasing concern among Congress and the Executive Branch that foreign investment from strategic rivals, including China in particular, is targeted at capturing access and control over advanced technologies being developed by US businesses. Congress and the Trump Administration view FIRRMA as a critical means to enhance scrutiny of foreign investments motivated by such strategies and thereby protect US national security. President Trump recently announced his support for the expansion of CFIUS's powers under FIRRMA, describing it as a key tool to combat predatory investment practices threatening US critical technology leadership, national security, and future economic prosperity.2

Regarding export controls, in addition to reestablishing the statutory basis for the Commerce Department to regulate exports of dual-use items, the NDAA provisions on export controls, entitled the Export Control Reform Act of 2018 (ECRA), establish a number of new requirements, including: (1) creating an ongoing interagency process to identify "emerging and foundational technologies" and control their export, (2) mandating a review of licensing requirements on countries subject to comprehensive US arms embargoes (such as China), and (3) requiring that the Commerce Department take into account in export licensing the impacts on the US "defense industrial base." These changes are likely to result in additional export restrictions on new types of technology that are seen as critical to US national security, such as cybersecurity, artificial intelligence, and machine learning, particularly in the case of exports to China and certain other countries.

With certain exceptions discussed below, the FIRRMA reforms take effect on the date of the statute's enactment and apply to any covered transaction proposed, pending, or completed on or after that date. The ECRA contains transition provisions that allow the Commerce Department's existing Export Administration Regulations (EAR) to continue in effect according to their terms until modified, because one of the primary goals of the legislation is to provide a statutory underpinning for those regulations following the lapse of the Export Administration Act of 1979 (EAA).

CFIUS Reform Legislation: The FIRRMA

Expanded Scope of Covered Transactions

As noted, the "covered transactions" previously subject to CFIUS's jurisdiction were mergers, acquisitions, or takeovers that could result in foreign "control"3 over a US business. FIRRMA expands the covered transactions subject to CFIUS jurisdiction to include investments in "critical technology" and "critical infrastructure," or in US businesses that maintain "sensitive" personal data of US citizens that could be exploited to threaten national security, even if such investments do not result in control of a US business. "Covered transactions" also include investments in real estate near US military bases and other sensitive sites for reasons relating to national security. Further, under FIRRMA, CFIUS may prescribe by regulation that any other transaction designed to evade or circumvent CFIUS's review is also a covered transaction. The latter grant of authority addresses concerns that companies have in some cases structured non-control deals in a manner that avoids CFIUS jurisdiction, where the deal could result in foreign access to technologies and other assets that would harm national security.

FIRRMA also broadens CFIUS's statutory jurisdiction by changing the definition of US business from an entity "engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce"4 to simply "a person engaged in interstate commerce in the United States." The potential practical impact of this change is still unclear, however. CFIUS has interpreted the current definition to cover only businesses that have some form of fixed place of business in the United States, which may be an office or collection of assets. It is possible that CFIUS could consider the same limitations to be appropriate under the new definition. Alternatively, CFIUS could amend its regulations to relax these limitations such that an entity that is merely transacting business in the United States, with no assets or other physical presence there, is a "US business." The latter possibility would result in a significant expansion of CFIUS's jurisdiction over transactions involving acquisitions by foreign persons of businesses organized outside the United States.

Investments in Critical Infrastructure or Critical Technology Companies

CFIUS's broader jurisdiction under FIRRMA includes the review of any "other investment" (i.e., a non-controlling investment) by a foreign person in any US business that (i) owns, operates, manufactures, supplies, or services "critical infrastructure"; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies"; or (iii) maintains or collects sensitive personal data of US citizens that may be exploited in a manner that threatens national security.

FIRRMA defines "critical infrastructure" as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. It defines "critical technologies" as including defense articles and defense services controlled under the State Department's United States Munitions List (USML); certain items controlled under the Commerce Department's Commerce Control List (CCL); nuclear facilities, equipment, and material; and emerging and foundational technologies controlled under the ECRA. CFIUS will further define these terms through regulation.

The "other investment" transactions that are "covered transactions" under the FIRRMA include any investment, direct or indirect, that affords the foreign person (i) access to any material non-public technical information in the US business' possession (excluding the US business' financial information); (ii) membership or observer rights on the board of directors or equivalent governing body or the right to nominate an individual to such a position; or (iii) any involvement (other than through voting of shares) in substantive decision-making of the US business regarding the use, development, acquisition, safekeeping, or release of critical technologies or sensitive personal data of US citizens, or regarding the management, operation, manufacture, or supply of critical infrastructure. CFIUS is required to issue regulations providing additional guidance on these types of transactions.

FIRRMA's "other investment" provision could dramatically expand the number of transactions reviewable by CFIUS. It is not uncommon for minority, non-controlling investors to seek representation on a board of directors. And many US companies, particularly those marketing directly to consumers, collect sensitive personal information about US citizens. A typical minority investment in a consumer products firm, as well as minority investments in advanced technology companies or firms involved in critical infrastructure, all could be subject to CFIUS review under FIRRMA. Given the heightened sensitivity to investments from China, parties engaged in transactions involving a Chinese investor should be prepared to consider possible mitigation measures that would preclude the foreign investor's exposure to sensitive information.

During the legislative process, many private equity firms expressed concern that the "other investment" provision of FIRRMA would apply to virtually all of their transactions, because they have foreign investors. The final version of the bill addresses this concern by expressly excluding limited partnership interests in certain circumstances. Specifically, "other investment" under FIRRMA excludes a foreign person's indirect investment through an investment fund that affords the foreign person (or a designee of the foreign person) membership as a limited partner or equivalent on an advisory board or a committee of the fund if: (i) the fund is managed exclusively by a general partner, a managing member, or an equivalent who is a US person; (ii) the advisory board or committee does not have the ability to approve, disapprove, or otherwise control investment decisions of the fund, and the foreign person does not otherwise have the ability to control the fund; and (iii) the foreign person does not have access to material non-public technical information by participating on the advisory board or committee.

Private equity firms that have foreign investors—particularly investments from government-owned sovereign funds—should carefully structure their investment funds to comply with this "safe harbor."

Real Estate Acquisitions in Close Proximity to Military or Sensitive Sites

As noted, FIRRMA authorizes CFIUS to review the purchase or lease by, or a concession to, a foreign person of real estate that is located at an air or maritime port, or that is in close proximity to a US military installation or US facility or property that is sensitive for reasons relating to national security. "Close proximity" in this context will mean limited distances within which the purchase, lease, or concession of real estate could pose a national security risk in connection with US sensitive sites. The legislation excludes from this provision real estate in urbanized areas (as defined by the US Census Bureau).

In practice, CFIUS already considers geographical proximity in its review of covered transactions, but this provision expressly expands CFIUS jurisdiction to review real estate transactions with national security implications outside the context of an acquisition of control of a US business. Given that real estate transactions in urban areas are excluded from this provision, the impact on routine real estate transactions will be relatively circumscribed.

Both these real estate provisions and the "other investment" covered transaction provisions discussed above will take effect on the earlier of 18 months after the enactment date or 30 days after publication in the Federal Register of CFIUS's determination that the regulations, organizational structure, personnel, and other resources necessary to administer the new provisions are in place.

Heightened Vigilance for Investments from Countries of Special Concern

FIRRMA does not identify by name any countries from which investment will be subject to heightened scrutiny. However, the legislation encourages CFIUS, when evaluating national security risks, to consider whether a covered transaction involves a country of special concern that has a demonstrated or declared strategic goal of acquiring a type of critical technology or critical infrastructure that would affect US leadership in areas related to national security.5 The legislation also directs CFIUS to define further the term "foreign person" for purposes of reviews of foreign investments in real estate and investments that are "other investments," so that the scope of such reviews will depend in part on connections the investor may have with particular countries or the governments of such countries, where such connections may affect the national security of the United States.

In addition, FIRRMA requires the Secretary of Commerce to submit a biennial report to Congress and CFIUS on the foreign direct investment transactions by Chinese entities. The report must include detailed breakdowns of those foreign direct investments, a list of US companies purchased through Chinese government investment, and an analysis of Chinese investment practices in the United States.

CFIUS Procedural Changes: Declarations, Filing Fees, and Extended Review Periods

New Dual Filing Process, including Mandatory Filings of "Declarations"

Previously, there was no requirement that the parties to a covered transaction notify CFIUS of the transaction. But because the President has authority not only to block a planned transaction, but also to order divestment of a completed transaction, parties to a covered transaction have often chosen to seek CFIUS approval to avoid those risks and maintain good relationships with US national security agencies. Undergoing a CFIUS review is the only mechanism through which to obtain assurance that the President will not exercise his authority to interfere with the transaction.

The CFIUS regulations currently prescribe the specific content for a notice of a covered transaction. FIRRMA creates an alternative to filing such notices, by authorizing the submission of "declarations," which are to be limited to five pages in length and which CFIUS's regulations may not require to be submitted more than 45 days before the closing of the relevant transaction. FIRRMA mandates filing a declaration for covered transactions that involve acquisition of a substantial interest in a US business by a foreign person in which a foreign government has, directly or indirectly, a "substantial interest." CFIUS is required to define "substantial interest," which does not include a voting interest of less than 10 percent, by considering the means by which a foreign government could influence the actions of a foreign person, including through board membership, ownership interest, or shareholder rights. Further, CFIUS has the discretion to require declarations for additional covered transactions. The declaration process will take effect the earlier of 18 months after FIRRMA's enactment or 30 days after Federal Register publication of CFIUS's determination that the regulations, personnel, and other resources necessary to administer the new provisions are in place.

For routine transactions unlikely to implicate national security concerns, this "declaration" process potentially will allow parties to obtain certainty from CFIUS at a much lower cost and in a shorter period of time than under previous law. Unless they are obligated to file a declaration,6 parties to a covered transaction will have discretion to determine whether to file nothing, a short declaration, or a complete notice as prescribed under the CFIUS rules. While CFIUS must take action within 30 days of receiving a declaration, the action CFIUS takes may be to request the filing of a lengthier written notice, which could delay the review process and increase transactional costs on the parties. Accordingly, for transactions likely to result in a CFIUS request that the parties file a notice, the parties should consider skipping the declaration and proceeding directly to a notice.

Filing Fee & Timing of Review

There previously was no filing fee associated with a CFIUS review, but FIRRMA authorizes CFIUS, for purposes of covering its administrative costs, to assess a filing fee for each covered transaction in an amount to be determined by CFIUS in regulations. The fee may not exceed the lesser of one percent of the transaction value or $300,000 (adjusted for inflation). This filing fee, however, only applies to the filing of a written notice, and not the abbreviated "declaration" allowed by FIRRMA.

The previous statutory framework authorized CFIUS to conduct a 30-day review and an optional, subsequent 45-day investigation. FIRRMA extends the initial review period for a written notice to 45 days, retains the 45-day investigation period, and provides for one 15-day extension for extraordinary circumstances. Thus, the review process could take up to 105 days, instead of the previous 75 days. However, the 15-day extension may permit CFIUS to complete some reviews without requiring parties to withdraw and resubmit their notices and be subject to a second full, review process.

Export Control Reform Act

The United States currently regulates the export, reexport, and in-country transfer abroad of commercial, dual-use, and less sensitive military commodities, software, and technology under the EAR, administered by the Commerce Department's Bureau of Industry and Security (BIS). The ECRA reauthorizes and updates the US export control regime and enhances its control of foreign access to emergent critical technologies.7

The ECRA repeals most of the long-lapsed EAA and establishes a new statutory basis for the EAR. The EAR has remained in effect since the EAA expired in 2001 through annual presidential executive order authorizations under the International Emergency Economic Powers Act (IEEPA). The ECRA provides a permanent statutory basis for the export controls administered by BIS. The ECRA also codifies the legal framework underlying the EAR's anti-boycott provisions that prohibit US persons from complying with foreign boycotts, including the boycott of Israel, that are not supported by the US government.

Further, the ECRA expands the scope of technology under US export control jurisdiction to include emerging technology and foundational technologies. While the ECRA does not identify any specific technologies, these technologies likely will include artificial intelligence, robotics, cybersecurity, and financial technology, based on the legislative history and a recent Defense Department report on China's technology transfer strategy.8

The ECRA requires the President to establish an ongoing, robust interagency process to identify emerging and foundational technologies that are not yet subject to US export control, and implement interim and permanent controls over those technologies. The interagency process includes the Departments of Commerce, Defense, State, and Energy, and other relevant federal agencies and involves reviewing a wide range of information, including information relating to reviews and investigations of transactions by CFIUS, and assessing (i) the development of emerging and foundational technologies in foreign countries; (ii) the effect export controls would have on the development of such technologies in the United States; and (iii) the effectiveness of export controls on limiting the proliferation of emerging and foundational technologies to foreign countries. The process includes a notice and comment period for interested parties to provide input on the proposed designation of emerging and foundational technologies.

The ECRA authorizes the Commerce Department to establish export controls on exports, reexports, and in-country transfers of identified emerging and foundational technologies, and mandates a licensing requirement on such technologies to countries subject to US embargoes, including US arms embargoes, with China included as an arms-embargoed country.

The ECRA also requires the Departments of Commerce, Defense, State, and Energy and other relevant agencies to review the licensing requirements for countries subject to comprehensive US arms embargoes. The review must evaluate (i) the scope of EAR controls that apply for military end uses and military end users in arms-embargoed countries and (ii) items on the CCL that currently do not require a license to such countries. The outcome of this review, which must be completed and implemented within 270 days of the statute's enactment, could result in increased restrictions on transactions with China and other embargoed countries.

In addition, the ECRA requires, as part of the Commerce Department's review of export license applications, an assessment of the impact of a proposed export on the US defense industrial base and mandates the denial of an export license application that would have a significant negative impact on the US defense industrial base. The Commerce Department must consider for this assessment whether there will be a reduction in the availability of items likely to be acquired by federal agencies for US national security purposes, a reduction in US production of items that are the result of research and development related to US national security, or a reduction in the employment of US persons with knowledge and skills necessary for continued US production of items that advance US national security.


This legislation addresses the stated concerns of Congress about transfers of national security related technologies and information to countries and parties of concern. The CFIUS and export control portions of the legislation have to be read together—in the broadest sense, the new provisions focus on transfers of technologies (including emerging technologies), information (including personal and critical infrastructure information), and the use of certain strategies (including board seats and real estate proximity) that could result in a country of concern gaining a security advantage from access to US innovation. These provisions respond to the sense that counties have been taking advantage of gaps in US security measures for over a decade, and something has to change.

Indeed, the legislative changes effected by FIRRMA are the first significant statutory amendments to the CFIUS national security review process in more than a decade and will result in substantial changes in CFIUS authorities, procedures, and decision-making. CFIUS's implementation of these changes, both in its regulations and its practice, could change the landscape for foreign investment in the United States, perhaps most importantly through the exercise of CFIUS's new power to review a broader scope of investments that may now be "covered transactions."

The export control changes similarly create new categories of technologies that will be regulated on transfer out of the United States, giving the US government the ability to block, track, or condition the transfer, as well as regulate which US-based technologies will be available in-country to countries of concern. These CFIUS and export control changes are not trivial, and are not the end of the process. Congress has tasked the implementing agencies with fleshing-out many of the specifics. Companies that may be affected by these new rules may wish to weigh in to try to help shape the future investment environment.

© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. NDAA 2019 Conference Report.

  2. Statement from the President Regarding Investment Restrictions, The White House (June 27, 2018).

  3. CFIUS's regulatory definition of "control" includes majority interest in the US business as well as minority interests that confer a significant ability to influence important matters related to the US business. 31 C.F.R. § 800.204.

  4. 31 C.F.R. § 800.226.

  5. In contrast to previous bill versions, the final version of FIRRMA does not instruct the Executive Branch to create either a "black list" or "white list" of bad and good countries and does not define "sensitive transactions involving countries of special concern."

  6. Parties required to file a declaration may elect to file a written notice instead.

  7. Congress considered authorizing CFIUS to review transfers of intellectual property and associated support by US critical technology companies to foreign persons through a joint venture or any other arrangement other than an ordinary customer relationship. Critics, however, argued that would duplicate authorities already in existence under the US export control regime. Congress resolved not to provide CFIUS with those authorities and instead use the ECRA to enhance review of transfers of critical technology to foreign persons.

  8. Defense Innovation Unit Experimental (DIUx), China's Technology Transfer Strategy: How Chinese Investments in Emerging Technology Enable A Strategic Competitor to Access the Crown Jewels of U.S. Innovation (Jan. 2018).