FOCI
September 30 – October 1, 2024
The National Union Building, Washington, DC
Practical takeaways for managing heightened national security threats for companies under Foreign Operation, Control or Influence.
Keynote Address
Jeffrey P. Spinnanger Director, Information and Acquisition Protection, OUSD(I&S) U.S. Department of Defence
Benchmark with FSOs, Compliance and Legal Executives From:
ъ Avon Protection
ъ BlackBerry Government Solutions
ъ CGI Federal
ъ CHG Group
ъ IDEMIA
ъ Leonardo DRS
ъ Siemens Corporation
ъ Thales Defense & Security
SUPPORTING SPONSOR:
ASSOCIATE SPONSOR:
Conference Co-Chairs
Heather L. Finstuen Partner Covington & Burling LLP
Richard Ray FSO / TCO / ITPSO Eutelsat America Corp.
Engage in Critically Important Discussions on Pressing, High Stakes Issues, Including:
ą Cybersecurity Mitigation and CUI: Preparing for Your CMMC Assessment and How to Demonstrate Compliance
ą Vulnerability Assessments and Self-Inspections: What Can Generate the Best Possible Outcome -and What Has Fallen Short
ą The Nuanced Roles of Outside Directors and Proxy Holders: Balancing Stakeholder and National Security Interests
ą FOCI and Cyber Incident Response: Tailoring Your Incident Response to Mitigation Security Requirements and Corporate Policy
ą Business and Security Leaders Panel: C-Level Executives Discuss Their Roles in FOCI Mitigated Companies
Join Breakout Roundtables for Smaller-Group Discussions
Early Riser FSO Benchmarking: Tackling the Next Wave of Complex, Real-World Challenges
SPEAKER FACULTY
CONFERENCE CO-CHAIRS
Heather L. Finstuen Partner Covington & Burling LLP
Richard Ray FSO / TCO / ITPSO Eutelsat America Corp.
GOVERNMENT SPEAKERS
Stephanie Lutz, CAP, SFPC Risk Management Officer Defense Counterintelligence and Security Agency (DCSA)
Sabrina DeBarge Mission Region Action Officer for Industrial Security, Mid-Atlantic Region Defense Counterintelligence and Security Agency
Jeffrey P. Spinnanger Director, Information and Acquisition Protection, OUSD(I&S) U.S. Department of Defence
DISTINGUISHED SPEAKERS
Robert Benn Chief Security Officer BT Federal Inc.
Stacey Burton Vice President, Deputy General Counsel Elbit Systems of America
Margaret M. Cassidy Managing Attorney Cassidy Law
Curtis H. Chappell, ISP® Vice President, Security Thales Defense & Security, Inc.
Mike Cuendet IT Director CEM Defense Materials LLC
Chris Griner Senior Partner Squire Patton Boggs (US) LLP
Pamela Drew Proxy Holder Eutelsat America Corp. Outside Director QuinetiQ Inc.
Jennifer A. Gabeler Vice President Security and Information Systems CHG Group, Inc.
Jason Garkey Chief Security Officer Momentus Space
Mary Griggs Outside Director
CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense
Michelle D. Hertz VP, General Counsel & Corporate Secretary CGI Federal Inc.
Dennis S. Kallelis Chief Security Officer IDEMIA Identity & Security
Maria Keady Principal Compliance Manager / FSO / ITPSO BlackBerry Government Solutions
Jon R. Knight Counsel Baker & Hostetler LLP
Stefan M. Lopatkiewicz Former Corporate Secretary Eutelsat America Corp
Matthew Madalo General Counsel Siemens Corporation
Ernie Magnotti Chief Information Security Officer (CISO) Leonardo DRS
Andrew K. McAllister Partner Holland & Knight LLP
Jill M. McClune U.S. General Counsel Avon Protection/ Team Wendy
Robert Metzger Partner
Rogers Joseph O’Donnell
Norman E. Pashoian III Industrial Security Consultant White & Case LLP
Daniel B. Pickard Shareholder
Buchanan Ingersoll & Rooney PC
Johnathan Rudy Senior Counsel TransUnion
Antonia Tzinova Partner
Holland & Knight LLP
Alex Veneziano Chief Administrative Officer
Airbus U.S. Space and Defense
DAY ONE
MONDAY, SEPTEMBER 30, 2024
8:45
Opening Remarks from the Co-Chairs
microphone-alt Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.
Heather L. Finstuen, Partner, Covington & Burling LLP
9:00
Opening Interview: Examining New DCSA Priorities, Initiatives and Review Timelines
• Updates on the roles and responsibilities of newly hired DCSA personnel, and how agency resources are being utilized
• Update on DCSA amendments to forms, such as the Electronic Communications Plan (ECP)
• Key takeaways on the strategies and schemes that the foreign adversaries are using
• Analyzing the kinds of threats that FOCI mitigation is designed to counter, including new, emerging risks
9:15 NEW HYPOTHETICAL SCENARIOS
FOCI and Cybersecurity Breach Action Plan: Tailoring Your Incident Response to Meet Mitigation Security Requirements and Breach Policy
microphone-alt Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS
Robert Metzger, Partner, Rogers Joseph O’Donnell
What happens during a breach? This interactive session will examine the play-by-play of how a FOCI mitigated company will now need to react to a cybersecurity breach under stricter Department of Defense and CMMC safeguards.
• Determining your company’s obligations under NISPOM in the context of a cyber breach
• Ensuring your FOCI company is following its cybersecurity breach policy and implementing checks
• Deciphering which policies kick-in during a cyber breach: Systems Security Plan (SSP) for Controlled Unclassified Information (CUI) and Standard Policies and Procedures (SPP)
• Examining the effect of a breach on a cleared company with classified information
• Analyzing how the breach effects the whole company and who has responsibility
• Determining what the security representative can and can’t tell the parent
• Reconciling the effects on the AOP
10:00 Networking Break
10:30 NEW
Vulnerability Assessments and Self-Inspections: Preparing
and Managing an On-Site Assessmentand What Can Generate the Best Possible Outcome
microphone-alt Margaret M. Cassidy, Managing Attorney, Cassidy Law
Sabrina DeBarge, Mission Region Action Officer for Industrial Security, Mid-Atlantic Region, Defense Counterintelligence and Security Agency
Jason Garkey, Chief Security Officer, Momentus Space
As DCSA is conducting more in-person engagement and onsite security checks, learn the latest lessons on how to prepare for an onsite assessmentand the expected (and unexpected) ramifications of an unfavorable result.
• Ensuring your company’s security policy is robust and being followed for all FOCI locations
• Determining if all FOCI locations are needed, being used and using the security policy
• Examining what can lead to a poor vulnerability assessment
• Itemizing the consequences of a vulnerability assessment and implementing a strategy
» Customer notifications » Remediation
• Exploring what constitutes a security incident-and what doesn’t
• Conducting governance and risk assessments
• Scrutiny of governance models to protect shareholders
• The pitfalls to avoid for internal and self-audits when preparing for a DCSA assessment
11:15
AUDIENCE POLLING & HYPOTHETICAL SCENARIOS
The Nuanced Roles of Outside Directors and Proxy Holders: Balancing Stakeholder and National Security Interests
microphone-alt Mary Griggs, Outside Director, CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense
Pamela Drew, Proxy Holder, Eutelsat America Corp, Outside Director, QuinetiQ Inc.
Chris Griner, Senior Partner, Squire Patton Boggs (US) LLP
During this session, speakers will lead delegates through a series of hypothetical scenarios that showcase the nuances of how a FOCI mitigated company can balance the roles of an outside director with its foreign parent. Delegates are encouraged to participate in anonymous live polling for enhanced benchmarking. Key topics will include:
• Approaching the role of an outside director when the FOCI mitigated company has no classified work, but is carrying a clearance for contract
• Balancing the needs and wants of the parent company and the shareholders
• What needs to be reported to the government security committee
• Documenting the government security committee meeting, and justifying how a company is in compliance with the NISPOM
Really appreciated the conference. Very practical information that could be utilized to support our compliance programs or for consideration during the next transaction. Not all FOCI conferences have as much real-world information – so most appreciated.
Jill M. McClune, Avon Protection/Team
Wendy
12:00 NEW AI DEMO & CASE STUDY
How AI is Being Leveraged for FOCI Risk Mitigation
12:30 Networking Luncheon for Speakers and Delegates
1:45 NEW
How DCSA’s FOCI Scope is Expanding Beyond Foreign Owned Companies and Impacting Supply Chain
microphone-alt Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.
Jill M. McClune, U.S. General Counsel, Avon Protection/Team Wendy
Proposed changes to the National Defense Authorization Act (NDAA), Section 847 directs the U.S. Department of Defense to reduce reliance on services, supplies, or materials obtained from certain geographic areas, which may be controlled by adversarial countries. The change would also direct DoD to mitigate the risks to national security and the defense supply chain related to such a reliance. Announced in 2022, DoD is due to issue a report to congressional defense committees this year and is currently seeking input.
• Determining which FOCI companies, non-FOCI companies, public trust contracts and third-party contractors are subject to increased scrutiny
• Anticipating DCSA’s expectations and guidance
• Analyzing the need for an Electronic Communication Monitoring Plan, or a Quality Management Plan, or an export license
• Monitoring international suppliers and evaluating supply chain security and resiliency
2:30
CFIUS and Export Controls Interplay: Navigating CFIUS and FOCI Mitigation Agreements – And How to Avoid Hiccups
microphone-alt Antonia Tzinova, Partner, Holland & Knight LLP
Daniel B. Pickard, Shareholder, Buchanan Ingersoll & Rooney PC
Stephanie Lutz, CAP, SFPC, Risk Management Unit, Defense Counterintelligence and Security Agency (DCSA)
• Determining where CFIUS and DSCA align and diverge
• Deciphering when there is a mandatory filing obligation
• Accomplishing DCSA and CFIUS expectations-and overcoming operational challenges
• Dovetailing CFIUS and FOCI mitigation with export compliance and licensing requirements
• Determining the sequencing of CFIUS and FOCI submissions
• Examining what kind of data exports are controlled and need an export license
3:15 Networking Break
3:30 NEW
Cyber Mitigation Case Study
microphone-alt Johnathan Rudy, Senior Counsel, TransUnion
Jon R. Knight, Counsel, Baker & Hostetler LLP
During this session, delegates will delve into the complexities of an acquisition from the lens of cybersecurity. This will include a look at how to vet policy prior to acquisition, ensuring the acquired company has not already been breached, and how to ensure robust safeguards following the acquisition. Topics will include:
• Assessing cyber risk before, during and after acquisition
• Complying with DCSA’s requirements for a robust cybersecurity policy and how to meet expectations in the event of a breach
• Itemizing the mechanics of mitigating against the risk of a cyber breach
• Consolidating operation measures while ensuring high cybersecurity standards among shared electronic services and share technology services
• Examining how ECPs and AOPs could be altered to strengthen cybersecurity standards
4:15
Interactive Roundtable Discussions –Pick your roundtable!
microphone-alt Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.
Heather L. Finstuen, Partner, Covington & Burling LLP
Curtis H. Chappell, ISP®, Vice President, Security, Thales Defense & Security, Inc.
Back by popular demand! Delegates are invited to break out into smaller group discussion tables to trade experiences and lessons learned for confronting the challenges of maintaining security standards amid a remote and hybrid workforce. Facilitators will guide the conversation to identify the latest best practices. Delegates are encouraged to choose their preferred table topic, and to move between tables during the discussion.
Table One: Insider Threat: How are you safeguarding access and information?
Table Two: Considerations for safeguarding your supply chain
Table Three: How does cybersecurity fit into a mitigation strategy?
5:00
Conference Adjourns
DAY TWO
TUESDAY, OCTOBER 1, 2024
8:45
Opening
Remarks from the Co-Chairs
9:00 Keynote Address
microphone-alt Jeffrey P. Spinnanger, Director, Information and Acquisition Protection, OUSD(I&S), U.S. Department of Defense
9:30 NEW
Classified Contracts and CUI: What DCSA Now Requires in a FOCI Mitigated Landscape
microphone-alt Mike Cuendet, IT Director, CEM Defense Materials LLC
Stacey Burton, Vice President, Deputy General Counsel, Elbit Systems of America
• Paraphrasing information that is passed to affiliates about classified contracts
• Establishing networking and IT requirements and how to separate the network CUI from affiliate companies
• Determining who has access when a global company has different subsidiaries
• Ensuring continuous auditing and compliance
• Examining who has access to what when employees have dual citizenship
• Reviewing the requirements when your classified documents are off site
10:15 Networking Break
10:30 NEW AUDIENCE POLLING & HYPOTHETICAL SCENARIOS
Cybersecurity Mitigation and CUI: Preparing for Your CMMC Assessment and Demonstrating Compliance
microphone-alt Maria Keady, Principal Compliance Manager / FSO / ITPSO, BlackBerry Government Solutions
Curtis H. Chappell, ISP®, Vice President, Security, Thales Defense & Security, Inc.
Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS
The U.S. Department of Defense issued a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule) in December 2023. The proposed rule is expected to more strictly control how Controlled Unclassified Information (CUI) is safeguarded and disseminated with impacts on FOCI mitigation, contracts, third-party contractors, parent companies and cloud service providers. This session will cover key topics, including:
• Safeguarding the relationship of a foreign entity and the mitigated entity, delineating access to network controls and cyber controls, and updating your company’s Electronic Communication Plans (ECP)
• Managing the rising cost of delineating network access
• Conducting a gap analysis to determine the compliance status of the parent company
• Meeting expectations for more strict safeguarding obligations for storage, processing and transmitting of sensitive DoD information
• Ensuring your FOCI company has the necessary security controls and that you are not relying on the controls of the parent company
• Determining which contractors need assessments and certifications - and whether they are self-assessments or third-party assessments (C3PAO) or by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
• Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
11:15
Mitigation Strategies: How DCSA is Now Expanding its Scope and Increasing Requirements for Special Board Resolutions
microphone-alt Matthew Madalo, General Counsel, Siemens Corporation
Norman E. Pashoian III, Industrial Security Consultant, White & Case LLP
• Analyzing how DSCA is now reviewing Board Resolutions, how requirements are changing and which types of companies are now affected
• Examining the requirements for a Board Resolution, and when the foreign entity does not own voting stock enough to elect a representative to the company's governing board
• How to handle a cleared subsidiary when the parent company has a small-percentage of foreign ownership
• Determining which tools are (and aren’t) necessary in a mitigation, such as proxies, board resolutions and company service arrangements.
• Addressing when an investor has a right to a board seat, but is not exercising their right, and documenting it for DCSA
11:45 SSA AND PROXY AGREEMENTS
Determining When to Restructure a FOCI Mitigation Agreement: Key Considerations and Processes for SSAs, Proxy and Other Agreements
microphone-alt Michelle D. Hertz, VP, General Counsel & Corporate Secretary, CGI Federal Inc.
Stefan M. Lopatkiewicz, Former Corporate Secretary, Eutelsat America Corp
• Contrasting the differences between an SSA and a Proxy Agreement, and their pros and cons for a company
• How to meet DSCA mitigation expectations when restructuring foreign ownership, control, or influence
• Expected timelines and what can cause delays
• Weighing the pros and cons, and the impact of each type of agreement
• Examining the relationship with the foreign parent, how it differs under a Proxy Agreement, a Special Security Agreement, a Security Control Agreement or other agreement
• Appointing an inside director under a Special Security Agreement following a PA restructuring
The in-person interaction was great - both learning about other's initiatives and creating networking opportunities.
Carl Rhine, Indiana University
12:15 BUSINESS AND SECURITY LEADERS PANEL
The Role of C-Level Executives in FOCI- Mitigated Companies
microphone-alt Dennis S. Kallelis, Chief Security Officer, IDEMIA Identity & Security
Alex Veneziano, Chief Administrative Officer, Airbus US Space and Defense
Moderator: Andrew K. McAllister, Partner, Holland & Knight LLP
• Best Practices for handling FOCI agreements
• The relationship between DCSA and the company, and dos and don’ts of working with DCSA
• CFIUS LOA FOCI Agreement, with controls, restrictions, audits, and penalties
• Becoming FOCI proficient and detecting and handling FOCI concerns in the initial stages
• Implementing a FOCI mitigation agreement with fewer resources
• Budgeting and the business impact of FOCI mitigation on possible delays to company operations
• Utilizing legal counsel and FSO expertise vs. when to hire a consultant
12:45
Closing Remarks from the Co-Chairs Conference Concludes
June 11 – 12, 2024 Brussels
25 – 26,
Stay on for the Post-Conference Workshop
TUESDAY, OCTOBER 1, 2024
1:30 pm–5:00 pm
AOP Working Group: An Updated, Practical Guide to Simplifying and Baselining the Affiliated Operation Plan
Details on the next page.
SUPPORTING SPONSOR
MEDIA PARTNERS
Upcoming Events
September 25 – 26, 2024 DC Bar Association, Washington, DC
November 13 – 14, 2024
POST-CONFERENCE WORKSHOP
TUESDAY, OCTOBER 1, 2024
1:30–5:00 p.m.
AOP Working Group: An Updated, Practical Guide to Simplifying and Baselining the Affiliated Operation Plan
microphone-alt Jennifer A. Gabeler, Vice President Security and Information Systems, CHG Group Inc.
Robert Benn, Chief Security Officer, BT Federal Inc.
• Best practices and pitfalls to avoid when drafting and submitting an AOP, including:
» Describing Services: Who is providing the affiliated operation, to whom, and the costs and benefits
» Implementing Services: How will affiliated operations be implemented and are they mandatory?
» Technology: What is being utilized, who has ownership, types of information being shared, and frequency of interaction
» What to ask your security committees enough
» How the parent companies can manage the financial burden
» Customizing your AOP
• Key strategies for mitigating and managing affiliated operations
» Effective tactics for handling and reducing risks in affiliated operations
» DCSA compliance and enhanced efficiency
• Developing internal steps to ensure you are properly mitigating potential risks, including:
» Review of services: internal steps to ensure compliance with mitigating procedures, and how the FSO and Technology Control Officer (TCO) can work together to ensure compliance
Speakers: Curtis H. Chappell, ISP® Vice President, Security Thales Defense & Security, Inc.
Jill M. McClune US General Counsel Avon Protection/Team Wendy
• Examining emerging cybersecurity challenges affecting FOCI mitigated companies
• Questions you should be asking, whether you are inside or outside
• Certifications, perceptions and who needs certifications
• Where are parent and subsidiaries overlapping with cybersecurity and network controls
• Viewing Classified and Controlled Unclassified Information (CUI) documents through a cybersecurity lens
• Assessing where compliance controls overlap or doesn’t, including GDPR and other privacy
• Assessing adequate Personal Identifiable Information (PII) protection
Continuing Legal Education Credits
Accreditation will be sought in those jurisdictions requested by the registrants which have continuing education requirements. This course is identified as nontransitional for the purposes of CLE accreditation.
ACI certifies this activity has been approved for CLE credit by the New York State Continuing Legal Education Board.
ACI certifies this activity has been approved for CLE credit by the State Bar of California.
ACI has a dedicated team which processes requests for state approval. Please note that event accreditation varies by state and ACI will make every effort to process your request.
For more information on ACI’s CLE process, visit: www.AmericanConference.com/Accreditation/CLE
C5
Book with Confidence!