Venture capital, private equity, and other private investors provide billions of dollars in vital funding for defense and national security technology companies every year. Such funding supports the US national security mission, but with some risk.
The Office of the Director of National Intelligence reports that foreign threat actors are using the complex ownership structures of private equity and venture capital firms to acquire access, and often legal and financial rights, to sensitive assets from unknowing startups, early-stage growth companies, and their investors.
In response, regulators recently expanded mandatory national security risk assessments for companies engaged in research, development, and performance of classified and unclassified government programs.
Government agencies use the SF 328 Certificate Pertaining to Foreign Interests to assess foreign ownership, control, or influence. Until recently, only companies that were considered for an entity eligibility determination for access to classified information (facility clearance) were required to complete and submit the SF-328 10-question survey to the Defense Counterintelligence and Security Agency.
The latest requirements, outlined in Section 847 of the National Defense Authorization Act, dictate that all “covered contractors and subcontractors” are required to disclose their beneficial ownership and whether they are under foreign ownership, control, or influence; update such disclosures when previously provided information has changed; and if determined to be under such ownership or influence, disclose contact information for each foreign beneficial owner. Just weeks before issuing the updated instruction, the government requested comments on a draft revised SF 328. A new DoD FAR supplement clause is expected to be proposed as early as this month.
Covered Contractors. At first glance, the new requirements appear limited since they apply only to “covered contractors and subcontractors”—those that have been awarded or are seeking DOD contract awards valued at more than $5 million.
However, in fiscal year 2024 alone, 4,902 different companies were awarded 8,205 prime contracts valued above the $5 million threshold. The DCSA has suggested in recent budget requests that more than 100,00 companies could be impacted.
Early-Stage Funding. The Small Business Innovation Research and Small Business Technology Transfer programs are the largest sources of early-stage funding in the US, according to the SBA, accounting for more than 7,000 awards ($4 billion) annually.
The Extension Act of 2022 requires that all SBIR and STTR proposals government-wide include an SBA-approved foreign disclosure form. Now, at a minimum, all covered contractors submitting an SBIR or STTR proposal will be subject to new beneficial ownership disclosures, and some suggest perhaps all such proposals may soon be required to include a completed SF 328. In either scenario, the DCSA is poised for a barrage of new requests.
CMMC. The new rules are expected to be integrated into the forthcoming cybersecurity maturity model certification program currently being finalized by the DOD, which is expected to impact upwards of 300,000 companies in the defense industrial base.
As the DCSA prepares for these impacts, it’s imperative the industry does the same.
Investors
Defense technology and national security investors can expect portfolio companies to request more information about foreign sources of funding, including with respect to limited partners and entities organized in non-US jurisdictions for tax purposes.
Investors should also require potential portfolio companies seeking work involving classified information demonstrate a basic understanding of the obligations attached to security clearances as a mandatory step during investment diligence.
Startups
Defense technology and national security startups should prioritize foreign influence considerations in all capital-raising activities. This should include early discussion with potential investors and legal input on the likelihood that anticipated investments may subject the company to burdensome mitigation measures imposed by the government.
Assume government customers will require disclosure of all equity holders and leadership teams, including the citizenship and foreign connections of each person on the board.
Government
When developing meaningful updates to this critical government function, US security agencies should consult with experienced private-sector corporate attorneys who understand current trends in investment structures and concepts.
Doing so will strengthen national security by impeding bad actors’ ability to evade detection and eliminating a significant barrier to entry for innovative technology builders. A well-drafted and modernized SF 328 would also allow companies and investors to understand their obligations and report changes, ideally without incurring considerable legal fees in the process.
The DOD may be the first mover publicly, but clearly the entire federal government recognizes the problem and is searching for a solution. Unless and until the current threat environment changes, all companies and investors in the defense and security technology ecosystem should prepare to assess and disclose all foreign relationships to their US federal government customers.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Grant Schweikert is special counsel at Cooley and advises companies and investors in strategic investments and M&A transactions in US defense, aerospace, and national security.
Umer Chaudhry is a senior associate at Cooley and advises on complex regulations in government contracts and national security, including AI, quantum computing, and cybersecurity.
Write for Us: Author Guidelines