Journal of Political Risk, Vol. 9, No. 7, July 2021
By Randall Cook, Alan Levesque, and Waqas Shahid
This paper describes the role, value proposition, and optimal approach of the independent Third Party Monitor (“TPM”) in National Security Agreements (“NSAs”) between transaction parties and the Committee on Foreign Investment in the United States (“CFIUS”). When effectively scoped and executed, TPMs provide tailored, adaptive mitigation oversight capabilities that are a critical enabler for the dual imperatives of protecting U.S. national security interests and ensuring that U.S. enterprise and innovation continue to have access to the fuel of global capital. The TPM’s persistent presence, programmatic monitoring, and deployment of industry-specific technical expertise, among other capabilities, uniquely facilitate verified, real-time, and efficient operationalization of NSA requirements; CFIUS assurance that foreign investment risks to U.S. national security are effectively and proactively mitigated; and transaction parties’ ability to operate a business that is both successful and NSA-compliant. An effective TPM approach is necessarily collaborative and adaptive, enabling a trust-based environment where all NSA stakeholder goals can be achieved through iterative, practical interaction and improvement.
The paper is based on the authors’ extensive experience as TPMs, former in-house executives, former U.S. Government leaders, and expertise in the CFIUS and national security field. The paper is organized as follows:
- Background on CFIUS Mitigation and TPMs
- TPM Roles and Value Proposition
- What Quality TPMs Do
- TPM Activities for Specific, Critical Areas
- Key TPM Characteristics, Capabilities, and Qualifications
- When to Use a TPM
1. Background on CFIUS Mitigation and TPMs
As background for the uninitiated, CFIUS is an inter-agency committee, headed by the U.S. Department of Treasury, which reviews non-U.S. investment in the U.S. economy for national security risks. CFIUS is statutorily obligated to require that transaction parties implement measures to mitigate any identified national security risks. In recent years, concerns with geopolitical competition, accelerating and converging technologies, digitization and exploitation of massed data, and industrial and supply chain security (among other items) have driven statutory, regulatory, and policy changes that resulted in a significant increase in the number of transactions that require CFIUS mitigation. The chart below demonstrates the growth in CFIUS mitigation cases over the past decade, with a three-fold increase between 2015 and 2019.
Anecdotally, this trend continued in 2020 and into 2021, notwithstanding the impact of Covid-19 and a cooling Foreign Direct Investment (“FDI”) transaction market. The pace of new mitigation agreements appeared to slow somewhat in the final months of the Trump Administration and during the transition to the Biden Administration, but recent statements by CFIUS and industry leaders indicate that the overall trend of increased CFIUS (and corresponding Team Telecom) activity and corresponding mitigation requirements will continue or even escalate in coming years. As John C. Demers, previously the Assistant Attorney General for National Security, noted in a keynote address delivered at the ACI Sixth National Conference on CFIUS in July 2020, “Without effective mitigation monitoring by both the government and the parties themselves, the number of reviewed transactions able to clear CFIUS and Team Telecom would be far fewer.”
2. TPM Role and Value Proposition
Boiled down, the TPM’s role is to facilitate realization of the CFIUS Monitoring Agencies’ (“CMAs”) and transaction parties’ reasonable expectations under the NSA as efficiently (i.e., with as economical an expenditure of organizational, financial, and emotional capital) as possible. When appropriately integrated within a program of well-designed CFIUS mitigation controls, an effective TPM provides critical oversight capabilities that substantially benefit all of the parties to a CFIUS mitigation agreement, including:
- Persistent, real-time mitigation oversight: TPMs are able to engage with and provide oversight of mitigated parties and their agents in a more integrated and persistent way than is possible for CMAs or third party auditors (“TPAs”). As CMA fiduciaries embedded with the mitigated company, TPMs are in position to directly access, report on, and provide course correction in real time for mitigated systems, activities, and controls.
- Tailored technical capabilities: As private professional service organizations, TPMs are able (and should, in part, be selected on the basis of their ability) to deliver teams that integrate tailored technical expertise and capabilities appropriate to effectively test and assure the performance and reliability of controls implemented to address mitigation requirements (e.g., cybersecurity; penetration testing; vulnerability testing; source code review; technology classification; incident response, investigation, and reporting; identified industry security standards).
- Industry perspective: TPMs are able to bring to bear (and should, in part, be selected on the basis of their ability to provide) expertise tailored to the mitigated organization’s industry. To effectively and sustainably mitigate national security risks, NSA controls have to enable the organization and its people to operate successfully. An effective TPM is able to understand the challenges of compliance from the industry’s perspective and work with the mitigated organization’s leaders and operations teams to integrate compliance into the organization’s systems, processes, and culture. An industry-aware TPM also is able to work with mitigated companies to leverage industry best practices and related compliance requirements to facilitate NSA compliance.
- Mediation and facilitation: TPMs are situated to act as “honest brokers” between the CMAs and transaction parties by facilitating:
- Consistent, recurring, and transparent communications and reporting;
- Definition and alignment of expectations;
- Identification and pragmatic resolution of difficult issues and pain points;
- CMA understanding of the internal dynamics and equities of the mitigated organization;
- Reduced risk of unexpected developments or misunderstandings; and
- A collaborative, success-focused, and trust-based interaction environment.
- Organizational counseling and coaching: TPMs are able to provide authoritative and independent, but also pragmatic, advice, guidance, and perspective to mitigated companies regarding operationalizing the systems, processes, and controls that are necessary to achieve compliance in a way that supports the organization’s objectives. Often, this role involves serving as an expert benchmark and source for mitigation best practices and template policies and procedures. The TPM also frequently serves as a sounding board for the Security Officer (“SO”) and the organization’s key leaders, and can help to “drive home” with company leadership hard or complex issues and tasks, and/or ensure the organization maintains appropriate focus on the most significant risks.
- CMA Fiduciary: The TPM typically is contractually and equitably responsible to actively represent the CMA’s expectations and perspective during operationalization of the NSA compliance program. By using a TPM, the transaction parties get a full-time representative in place with the perspective and integrity to constantly return to and apply the standard: “what would the CMAs expect to see or happen if they were directly engaged in this interaction.” Because the TPM has an independent, trusted perspective, it also has a unique ability (where relevant conditions and equities are appropriate) to advocate the monitored organization’s preferred outcome on particular NSA-related issues with the CMAs. This role may be particularly important, for example, when the transaction parties desire to adapt their approach to material NSA or Security Policy provisions.
- Independent investigation, assessment, and analysis: TPMs provide as-needed independent identification, investigation, review, and/or analysis of sensitive and complex issues, including potential NSA breaches. This role most often involves providing independent assessment of issues identified and investigated by the SO under organizational processes. But where the mitigated company identifies a need for additional investigative or assessment capabilities, where the TPM or CMA independently identifies an issue that cannot or (for prudential reasons) should not be addressed by the SO, or where the organization declines to execute an investigation, assessment, and/or report that the TPM or CMA believes is required by the NSA, a quality TPM is able to expertly execute investigations, including (where necessary) forensic and technical collection and preservation capabilities.
- Force multiplication and cost sharing: It will be difficult for the CMAs to effectively and directly monitor the anticipated escalation in NSA volume, absent a substantial additional increase in staffing and/or a transition to a highly technical, rigid, and templated approach to compliance reporting. As contemplated by FIRRMA, TPMs play a key role in expanding the CMAs’ mitigation bandwidth, enabling CFIUS to scale tailored, sophisticated resources to monitor numerous NSAs while maintaining focus on enforcement and other high-risk priorities. In practical terms, the TPM vehicle substantially shifts the financial cost of monitoring compliance from the CMAs to the parties being monitored. Even if only a fraction of mitigated transactions result in use of a monitorship, the day-to-day responsibilities of a monitorship, including issue tracking and implementation guidance, would require expenditure of public resources that could otherwise be allocated to other pressing policy and oversight challenges.
- Verification-based trust: TPMs help create the conditions necessary for effective, persistent NSAs: alignment of expectations between the CMAs and parties, substantiated by the CMAs’ evidence-based confidence that the mitigated company will consistently execute in accordance with those expectations or report when it fails to do so. A good TPM facilitates these conditions through programmatic combination, documentation, and delivery of each of the value propositions described above.
3. What Quality TPMs Do
This section describes the specific tactics, techniques, and procedures (“TTPs”) that quality TPMs employ to achieve the value proposition effects described above, including (among other items) the following, which are discussed in more detail below:
- Pragmatic, Risk-Based Approach;
- Deliberate TPM Initiation;
- Tailored, Detailed TPM Program Build-out;
- Execution of Monitoring Activities;
- Effective Program and Project Management;
- Recurring, Risk-Focused NSA Stakeholder Engagement;
- Investigations and Reporting; and
- Addressing Substantive Requirements Specific to the Particular NSA.
As discussed in previous sections, the “right” program of mitigation controls, including the particular duties and responsibilities of the TPM, is fundamentally dependent on the circumstances of the specific transaction. Moreover, the circumstances are themselves dynamic across the lifecycle of a mitigation program. Accordingly, a quality TPM must continuously assess and adapt to practical conditions in order to achieve optimal effects. All of the TTPs described in this section (indeed, all of the recommendations in this paper) are subject to experience-based, iterative adaptation.
While rigidity is to be avoided, core TPM approach elements or commitments are appropriately applied to every CFIUS engagement. These core commitments establish a foundation for trust among the stakeholders and for successful CFIUS TPM execution, and include the elements below.
Deliberate TPM Initiation
It is critical to promptly identify and engage all of a mitigated company’s key stakeholders in a “Common Operating Picture” and shared ownership of the NSA. Upon selection for the engagement, a quality TPM will promptly schedule a kick-off meeting with all stakeholders to initiate collaborative development of strategy and logistics for initiating the TPM work, engage key stakeholders, clearly establish the current state and the projected future state of the company’s NSA compliance program, collaboratively define timelines for any necessary or valuable control enhancements, identify high risk and priority issues, and define initial requests for information. In practice, with a complex and/or global mitigated company, this initiation activity usually involves a series of increasingly detailed collaboration meetings with, sequentially, the SO and senior leadership, key functional areas (e.g., IT Security, Compliance, IT Infrastructure, Technology/R&D, HR, Facilities, etc.), and stakeholder business and program areas.
Tailored, Detailed TPM Program Build-Out
In subsequent weeks and months, the TPM works collaboratively and iteratively with the SO and other NSA stakeholders to systematically define, design, and implement a TPM program that provides effective oversight and monitoring of the NSA’s particular requirements. This TPM program plan is intended to complement and be developed in concert with the SO and mitigated company’s own NSA compliance plan. Indeed, this collaborative process of building out the TPM and SO compliance plans is the context where much of the substantive and detailed interaction regarding alignment of expectations and identification of critical issues and priorities occurs.
An effective TPM monitoring plan generally focuses on two core concepts: efficacy and breadth. Efficacy is the plan’s focus on assisting the monitored company in identifying the most appropriate controls for meeting NSA requirements, and different means to independently test and verify that such controls are operating as they are intended and are, in fact, assuring compliance with NSA requirements (i.e., security in the application). Breadth is the plan’s focus on making sure that controls apply broadly enough to address all potential circumstances that, if left uncontrolled, could result in an NSA breach (i.e., security at the margins).
A model method for building out a fully-developed TPM program is summarized in the diagram below. As noted above in Section A, the application of this model necessarily will be adapted depending on the particular characteristics of the NSA and expectations of the parties.
At each step of this method, an effective TPM should seek to work with the mitigated organization to align on and systematically document expectations and corresponding activities in a matrix-based, objectively testable, and readily-reportable way.
Execution of Monitoring Activities
Concurrently with building out the documented TPM program described above, the TPM should initiate execution of specific monitoring activities, with iterative improvement as the TPM program matures. For complex, detailed, or technical NSA requirements, the TPM may designate subject matter expert individuals or teams to act as a proponent for defining and executing oversight of the relevant controls.
To facilitate a consistent approach to defining and monitoring controls, the model below defines monitored controls in terms of five categories. Each control category has associated compliance standards, as illustrated below:
Each control is assigned a monitoring frequency, reflecting how often the control will be reviewed by the TPM. For most NSAs, the cadence of testing is one time, weekly, monthly, quarterly, or annually.
To execute the monitoring in each period, the TPM engages with the SO to coordinate on controls that will be reviewed, obtains access to the relevant evidence, and makes documented observations regarding the effectiveness of reviewed controls. This approach facilitates TPM certification and/or reporting to the CMA regarding the fulfilment of monitoring responsibilities.
Effective Program and Project Management
The systematic approach to building a TPM program described above is enabled by disciplined program management. Among others, the TPM should consider the following techniques to execute engagements in a timely, efficient, and accountable manner:
- A team-based approach to ensure each monitoring engagement is consistently supported by right-sized monitoring capabilities;
- A designated TPM Engagement Leader and Program Manager to assure responsiveness, consistency, and personal engagement and accountability;
- Detailed, accountable, and pragmatic TPM compliance plan and schedule;
- An internal library of templates for commonly-used security policies and processes pursuant to NSA requirements to facilitate reference and benchmarking;
- Documented tracking and reporting of progress and findings under the detailed TPM compliance project plan;
- Organized, detailed collection and maintenance of artifacts and records demonstrating fulfilment of TPM monitoring activities;
- Status reports at appropriate cadences to brief the mitigated company on the TPM program and compliance plan status, findings, schedule issues, and upcoming action items;
- Standardized communication, assessment and reporting processes, tools, and templates;
- Metrics-based compliance monitoring; and
- TPM Team internal meetings and continuous improvement.
Recurring, Risk-Focused NSA Stakeholder Engagement
Alongside deliberate compliance program building and execution described above, a quality TPM engages in a cadence of scheduled and event-driven interactions with the SO and other NSA stakeholders to address operational and emergent compliance items and risks, concerns, and reporting. These interactions are documented and generally focus on a recurring agenda that includes, among other items:
- New priority issues, risks, and concerns;
- Review of accountable action items;
- Review of open issues, risks, concerns, and potential breaches; and
- Other items
These recurring interactions are where significant coaching, facilitation, and real-time issue identification and resolution occur.
Further, where an NSA requires the monitored entities to submit an Implementation Plan to the CMAs, the TPM should meet regularly with the monitored entity to review the status of Implementation Plan items and track performance to schedule. If the implementation of specific tasks will be delayed, the TPM should work with the enterprise to get such actions back on track or, if that is not possible, help the company identify alternative risk mitigation measures and inform the CMAs of any such material delays.
Investigations and Reporting
As required by the NSA and as otherwise appropriate, a good TPM needs to be adept at engaging NSA stakeholders to identify, credibly address, and report any incidents or high-risk items. TPM team professionals should be expert at issue definition and scoping, breach containment, evidence and data collection and analysis, root cause analysis, and corrective action development and implementation. Similarly, the TPM team needs to work collaboratively with stakeholders to provide timely, high quality, and detailed TPM reports satisfying all relevant NSA requirements. Finally, the TPM needs to be continuously responsive to competently, fluently, and credibly address any CMA requests or concerns related to the monitored entity. A model approach to a deliberate and disciplined investigation and reporting process is summarized below:
4. TPM Activities for Specific, Critical Areas
Alongside the TTPs described above, which generally are applicable to all TPM engagements, some NSAs include specific compliance activities addressed to sensitive data, technology controls, access or proximity concerns, or other transaction-specific technical controls. Below, we describe and provide a few examples of such technical activities that TPMs may be specifically assigned in an NSA and/or may develop in the course of an engagement to assist monitored entities in fulfilling NSA expectations.
[Table: Issue Area / Assistance Examples (table body not reproduced in this copy)]
5. Key TPM Characteristics, Capabilities, and Qualifications
To effectively provide the complex value proposition and multidisciplinary capabilities described above, TPMs require on-point experience, technical and industry expertise, and trusted perspective. Particularly in the context of the complex technologies, operating environments, and transactions subject to NSAs, a quality TPM usually requires a “professional team” composition, rather than a personality-based, individual monitor. The following are attributes of a high quality TPM team:
- Multi-Disciplinary Experience: A TPM needs to understand the relationship between the NSA’s requirements and the equities of the CMA(s) and transaction parties. Thus, a TPM team should integrate professionals with relevant multidisciplinary competencies, usually including experience as national security, military, intelligence, and law enforcement professionals; monitors, investigators, and auditors; executives, compliance professionals, and program leaders in complex organizations; and technical experts with demonstrated ability to evaluate and implement security and oversight solutions. The TPM team should also be able to demonstrate a record of on-point, hands‐on experience leading, designing, and monitoring compliance programs in the national security space that help complex organizations successfully operationalize and sustain compliance requirements.
- Technical Capability: A TPM needs to be able to provide hands-on guidance and assistance to the monitored company as it works through the practical problems of implementing and integrating mitigation controls. The TPM must also intrinsically understand the relevant technical standards and related system performance expectations of the CMA. And the TPM needs to be able to execute specified technical testing and processes competently. Required technical competencies may include:
- Cybersecurity assessment and incident response;
- Data and privacy management and security;
- Relevant regulatory and security standards expertise (e.g., NIST SP 800-171);
- Product integrity testing and source code review;
- Corporate governance and restructuring;
- Data analytics;
- Business process improvement, re-engineering and automation;
- Internal and forensic investigations and functional root cause analysis; and
- National security regulatory expertise (e.g., export controls and sanctions).
- Industry Competence: By definition, the original impetus for a CFIUS-reviewed transaction is an underlying business proposition in a particular industry and company context. NSA compliance requirements need to be operationally integrated with business systems and processes in order to be persistent and sustainable. Moreover, in order to be truly effective, identified compliance controls need to enable the company and its people to operate successfully while addressing national security equities (i.e., whenever possible, a well-designed control should avoid “jamming the gears”). Accordingly, the TPM needs to have a good understanding of the business’s operations and its commitments, and a pragmatic approach that assures achievement of the NSA’s purposes but does not unnecessarily burden the business or the CMAs.
- Corporate Compliance Leadership Experience: NSAs that benefit from a quality TPM often contain compliance requirements that are sufficiently complex to warrant the monitored entity’s buildout of an internal compliance program focused on NSA requirements. TPMs who have hands-on, in-house experience leading, designing, and building corporate compliance programs in the national security space can work cooperatively with the SO and monitored organization stakeholders to help develop and implement NSA controls that are integrated within the organization’s existing systems, processes, and culture, and support the organization’s success.
- Integrity, Perspective, and Credibility: The TPM’s ultimate currency is trustworthiness. In order to effectively deliver the complex value propositions and activities described in this document, the TPM must have the judgment, strategic perspective, and demonstrated integrity to operate and speak credibly with all of the NSA’s stakeholders. The TPM team should integrate seasoned professionals and leaders with a demonstrated ability to ensure that organizations achieve national security and compliance objectives.
One observation and recommendation based on practical experience is that the CMAs and transaction parties can optimize conditions for NSA success by agreeing on and prescribing in the NSA the specific role, responsibilities, focus areas, and required capabilities of the TPM. Such specified agreement helps to reduce friction and the risk of misaligned expectations in the TPM selection process and in operationalization of the mitigation controls program.
6. When a TPM Should be Used
TPMs are an important tool in the CFIUS mitigation solution kit. But they are not a panacea for every mitigation concern or agreement. In every instance where CFIUS risks necessitate mitigation, the package of controls (including a possible TPM role) should be tailored to the transaction’s particular relevant risk variables. CFIUS mitigation controls design and implementation is a complex and dynamic art, amenable to extensive consideration additional to the focused discussion of TPMs undertaken in this paper. The table below provides a conceptual taxonomy relating the relative risk arising from a non-exhaustive list of CFIUS-relevant variables to corresponding expectations regarding the depth or programmatic character of the mitigation controls.
Specifically with regard to whether to include a TPM, the following transaction-specific factors, particularly in combination, may indicate conditions where a TPM would be particularly helpful in achieving CMA and transaction party objectives:
- Complex Acquirer: Where the foreign acquirer is identified as relatively high risk based on nationality, personality, or organizational characteristics, a TPM’s real-time, persistent, focused, and independent technical oversight of the protected asset(s) may supplement and assure the effectiveness of complementary NSA requirements.
- High Volume and Sensitivity of Protected Data or Technology: Where a monitored organization deals with a relatively high volume of sensitive protected data or technology, theft may be an irreparable, one-time harm. Similarly, where the protected data or technology is particularly sensitive and/or intrinsic to important U.S. Government equities, proactive protection from exploitation is critical. In such circumstances, a TPM’s real-time embedded oversight; focus on operationalization and efficacy of controls; and ability to conduct recurring, independent technical testing may be particularly valuable.
- Program Immaturity of Monitored Entity: Where the monitored entity does not have a mature security and compliance program and systems, is unfamiliar with NSA-like requirements, or is undergoing structural transition or re-organization, a TPM’s embedded engagement, coaching, program enhancement, and technical augmentation capabilities may be particularly valuable to the CMAs.
- Dispersed, Complex Organization: Where the monitored entity is geographically and/or nationally dispersed, highly complex, matrixed, or comprised of multiple legacy organizations and systems, symmetrical implementation of NSA requirements may prove challenging. A TPM with experience building effective compliance and risk mitigation programs in dispersed, complex, and/or changing organizations may be particularly valuable to the CMAs.
TPMs are an important part of the complete CFIUS mitigation tool set. TPMs can provide persistent presence and capabilities, which uniquely enable successful NSAs in transactions that otherwise may not be feasible due to identified national security risk. An effective TPM approach is necessarily collaborative and adaptive, enabling a trust-based environment where all NSA stakeholder goals can be achieved through iterative, practical interaction and improvement. An effective TPM is able to understand the challenges of compliance from the mitigated organization’s perspective and work with the SO and key stakeholders to integrate compliance into the organization’s systems, processes, and culture. Based on our experience, the CMAs and the transaction parties have a shared interest in selecting a TPM with the perspective, capabilities, and credibility to implement the approach and principles described in this paper.
- The authors note that the approach and principles described in this paper are generally applicable across (and draw on insights from) a range of independent oversight contexts outside CFIUS, including Team Telecom, international trade controls, sensitive information security, and National Industrial Security Program mitigation, among others. But the language and particular applications developed in this paper are CFIUS-focused.
- https://www.justice.gov/opa/speech/assistant-attorney-general-national-security-john-c-demers-delivers-keynote-aci-s-sixth
- As an example from a related third party oversight context, when entering Consent Agreements with companies that require compliance mitigation in the area of defense export controls, the State Department’s Directorate of Defense Trade Controls often clearly identifies the third party monitor’s (“Special Compliance Officer” in Consent Agreement parlance) key areas of focus. See, e.g., UTC Consent Agreement (2012), pages 8-12; Raytheon Company Consent Agreement (2013), pages 8-11. Similarly, the U.S. Department of Justice’s (“DOJ”) “Selection of Monitors in Criminal Division Matters” memorandum (“DOJ Monitor Memo”) of October 11, 2018, requires that deferred/non-prosecution or plea agreements contain specific information about the monitor, including, but not limited to, “an explanation of the responsibilities of the monitor and the monitorship’s scope” (C.5) and “the monitor’s required qualifications” (C.1). The authors believe that current NSA scope language concerning the role of a TPM would benefit from a similar detailing of required qualifications and scope. This will enable better development of proposals and support subsequent client and CFIUS review and selection processes.
Also, although somewhat beyond the scope of this paper, the authors believe that the DOJ Monitor Memo’s recommended monitor selection process provides worthwhile benchmarks for consideration in the CFIUS process.