CFIUS Overview

Committee on Foreign Investment in the United States

In circumstances where foreign persons – including all types of business associations – are contemplating buying or making an investment in a US business, it is prudent to consider whether the contemplated transaction will be subject to the purview of the Committee on Foreign Investment in the United States (CFIUS or the Committee).


CFIUS is an interagency committee of the US government tasked with reviewing the national security implications of foreign acquisitions of and direct investments in US businesses. The Committee is chaired by the Department of the Treasury and comprised of nine voting members, two nonvoting ex officio members and other members as directed by the president from time to time.

CFIUS legislative timeline

1975: President Gerald Ford establishes CFIUS by executive order.

1988: The Exon-Florio amendment to the Defense Production Act (DPA) codifies the CFIUS review process for foreign investments.

1992: The Byrd amendment to the DPA requires mandatory CFIUS reviews for covered transactions involving foreign governments.

2007: The Foreign Investment and National Security Act of 2007 replaces the executive order and codifies CFIUS in the US code.

2018: The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) expands the jurisdiction of CFIUS and introduces mandatory filing requirements for transactions involving certain technologies, data or infrastructure.

Authority to block, modify or unwind transactions

Under FIRRMA and its implementing regulations (31 CFR Parts 800 and 802), CFIUS has broad authority to address perceived national security risks arising from cross-border transactions within the scope of its jurisdiction (covered transactions). While CFIUS itself cannot suspend or prohibit a transaction, its authority to refer transactions to the president for action gives CFIUS considerable leverage to negotiate “voluntary” mitigation terms with transaction parties in the form of National Security Agreements (NSAs).

Where CFIUS identifies national security risks relating to a particular transaction, the Committee has sweeping authority to mitigate such risks by blocking or modifying pending transactions – or unwinding transactions that have already closed. Examples of common mitigation measures include:

  • Forced divestiture of sensitive assets or business units.
  • Termination of sensitive government contracts.
  • Imposition of access controls regarding sensitive personal data.
  • Execution of government supply assurance agreements.
  • Appointment of security officers and third-party monitors.
  • Appointment of proxy boards consisting of US persons.

National security concerns and assessments

When CFIUS assesses the national security risks arising from a given transaction, it uses the following three-part conceptual framework:

  1. What is the threat presented by the foreign person’s intent and capabilities to harm US national security?
  2. What aspects of the US business present vulnerabilities to national security?
  3. What would the consequences for US national security be if the foreign person were to exploit the identified vulnerabilities?

Issues that have raised perceived national security risks range from the obvious (e.g., foreign acquisitions of US businesses with federal defense contracts) to the seemingly benign (e.g., foreign minority investments in offshore windfarm projects or online dating apps).

When assessing national security vulnerabilities, CFIUS considers a broad range of factors, including, but not limited to:

  • The US business’s contracts with US government customers.
  • Whether the US business deals in “critical technology,” “critical infrastructure” or “sensitive personal data.”
  • The proximity of the US business to sensitive commercial or US government assets or facilities.
  • The dominance of the US business in its industry.
  • The supply chain integrity of the US business.
  • The identities of the US business’s business partners and the nature of those relationships.

When assessing national security threats, CFIUS considers a parallel set of factors concerning the foreign person:

  • The specific identity and nationality of the foreign buyer/investor.
  • Whether the foreign buyer/investor has appeared before CFIUS in the past – and with what result.
  • The foreign buyer’s/investor’s business relationships (e.g., with other foreign partners).
  • The nature and sophistication of the foreign buyer’s/investor’s business and technology.
  • The foreign buyer’s/investor’s track record of complying with US and international laws (e.g., export controls, sanctions and anti-corruption regimes).

CFIUS jurisdiction and ‘TID US businesses’

Since its creation in 1975, CFIUS has had authority to review any transaction that could result in “control” of a “US business” by a “foreign person.” While the CFIUS regulations broadly define “control” to reach certain minority investments with significant governance rights (e.g., board representation), the traditional form of jurisdiction left CFIUS without authority to reach many venture-style foreign investments in sensitive US businesses. Following years of policy discussions, FIRRMA and its implementing regulations fundamentally changed the scope of CFIUS’s authority by expanding the Committee’s jurisdiction to reach nonpassive, noncontrolling investments in certain US businesses that deal in “critical Technology,” “critical Infrastructure” or “sensitive personal Data” (collectively, TID US businesses).

Mandatory CFIUS filings

Among FIRRMA’s most consequential innovations is the introduction of “mandatory” pre-closing CFIUS filing requirements for certain transactions involving a TID US business. Failure to submit a mandatory filing where required can result in civil monetary penalties in amounts up to the value of the underlying transaction. Mandatory CFIUS filings are required when a transaction affords a foreign person certain jurisdiction-triggering rights with respect to a TID US business.

With certain limited exceptions, mandatory filings are required when a foreign person is afforded “control” of or any of the following discrete information or governance rights with respect to a US business that “produces, designs, tests, manufactures, fabricates, or develops” any “critical technology” (i.e., technology controlled in certain ways under US export control laws):

  1. Access to “material nonpublic technical information” in the possession of the US business.
  2. A board seat or board observer right.
  3. “Involvement” in the US business’s “substantive decisionmaking” regarding “critical technology,” “critical infrastructure” or “sensitive personal data” as those terms are defined in the CFIUS regulations.

More expansive mandatory filing requirements apply to transactions where a foreign government holds a “substantial interest” in the foreign person investor or buyer.

The ‘voluntary’ CFIUS filing regime

Transactions that do not trigger a mandatory filing requirement may nonetheless be subject to CFIUS jurisdiction and review under the Committee’s traditional “voluntary” filing framework.  Such transactions include, but are not limited to:

  1. Any transaction that could result in foreign “control” of a US business.
  2. Transactions that afford a foreign person any of the aforementioned jurisdiction-triggering rights in a TID US business that does not deal in critical technology.
  3. Certain real estate transactions involving the purchase by, lease by or concession to a foreign person that affords them certain enumerated property rights.

Parties to a transaction that is subject to the voluntary CFIUS filing regime must decide whether to notify CFIUS of their transaction and seek the Committee’s approval to consummate it. While there are no penalties for forgoing a voluntary CFIUS filing, the Committee retains authority to unilaterally initiate a review of such transactions at any time – even years after the transaction has closed. As it can with any “covered transaction,” CFIUS has broad discretion to mitigate perceived national security risks arising from a closed transaction. Accordingly, parties must weigh the risks of a post-closing CFIUS review and enforcement action when considering whether to submit a voluntary CFIUS filing before closing any covered transaction.

In evaluating whether to submit a voluntary filing, parties should consider whether the potential national security risks will be of interest to CFIUS, whether CFIUS might wish to mitigate those risks, and what the cost and transaction timeline implications of a filing might be. While parties often have different degrees of CFIUS risk tolerance, it is usually in both parties’ interest to agree upon a specific course of action concerning CFIUS (e.g., closing conditions, representations and covenants) at the term sheet stage before definitive agreements are negotiated.

Types of CFIUS filings

When parties decide to submit a CFIUS filing (either pursuant to a mandatory filing requirement or a determination that a voluntary filing is warranted), they must decide what form of filing to make. A second important innovation introduced by FIRRMA was the creation of a “short-form” CFIUS “Declaration” that is subject to an abbreviated assessment period. While Declarations can be resolved more quickly and involve less expense than a traditional “Notice” filing, Declarations are not always more advantageous.

Declarations – advantages and disadvantages

A Declaration is a short-form summary document with an expedited 30-day “assessment” period. Declarations require far less (and far less detailed) information than Notices and do not require the parties to pay a filing fee to the Treasury.

The 30-day assessment period is not always sufficient for CFIUS to identify and resolve national security issues arising from the underlying transaction, however, meaning that filing a Declaration can result in an indeterminate outcome (e.g., a request from CFIUS for a Notice filing). Consequently, while Declarations offer the prospect of a relatively quick and inexpensive CFIUS process, they can – in practice – cost the parties more time and money if CFIUS requests a Notice after the Declaration assessment concludes. Similarly, parties that receive a “no action” outcome must decide whether to consummate their transaction and live with the possibility of another CFIUS review in the future.

Notices – advantages and disadvantages

A Notice is a more comprehensive and detailed submission with lengthier “review” and “investigation” periods that collectively can last between 45 and 105 days – and sometimes much longer. Notices require payment of filing fees based on the value of the underlying transaction.

CFIUS filing fees

Transaction value CFIUS filing fee
Less than $500,000 $0
$500,000 – $4,999,999 $750
$5,000,000 – $49,999,999 $7,500
$50,000,000 – $249,999,999 $75,000
$250,000,000 – $749,999,999 $150,000
$750,000,000+ $300,000

While Notices require filing fees and have the potential to involve more time and expense than Declarations, they offer the benefit of certain outcomes. Unlike Declarations, which can result in “no action” outcomes or requests for additional review, Notices theoretically result in the receipt of CFIUS approval or the abandonment of a transaction. 

CFIUS approval in the context of a Notice filing can take a variety of forms – from approval to close the transaction as initially contemplated to approval of a mitigated transaction (e.g., conditioned on the divestiture of sensitive assets, a smaller investment or the implementation of security protocols to address specific national security concerns).

The table below summarizes the differences between Declarations and Notices to consider when weighing which approach is best for a particular transaction.

Declarations versus Notices

  Declaration Notice
Format Short summary Comprehensive
Q&A response timing Parties have two business days to answer questions. Parties have three business days to answer questions.
Filing fee required? No Yes
Review period 30 days 45 – 105 days
Possible outcomes

CFIUS clearance: CFIUS formally approves the transaction, giving the parties “safe harbor” protection into the future.

No action: CFIUS allows the parties to close the transaction, but retains authority to review, mitigate or unwind the deal at any time in the future.

Request for notice: CFIUS requests that the parties submit a notice for further consideration.

CFIUS clearance: CFIUS formally approves the transaction, giving the parties “safe harbor” protection into the future.

Conditional clearance: CFIUS approves the transaction on the condition that the parties agree to mitigate identified national security risks with an NSA.

Presidential referral: CFIUS refers the transaction to the president for a decision (i.e., with a recommendation to prohibit or unwind the transaction).

Overall timeline 6 – 8 weeks 4 – 6 months

Consulting with CFIUS counsel

Any transaction that may involve a “foreign person” buyer or investor warrants consultation with CFIUS counsel at the outset to assess the key issues and dynamics that give rise to CFIUS risk. The CFIUS regulations are complex and apply broad and sometimes counterintuitive definitions to key terms. For example, the terms “control,” “US business,” “foreign person,” “critical technology,” “sensitive personal data,” “critical infrastructure,” “involvement,” “substantive decisionmaking” and “regulatory authorization” are all terms of art defined differently than their colloquial or corporate law meaning suggests.

In the early stages of a transaction, CFIUS counsel can help determine whether the transaction is subject to a mandatory pre-closing CFIUS filing requirement, or whether CFIUS instead could review the transaction post-closing under its voluntary filing regime. If no mandatory filing requirement applies, CFIUS counsel can direct diligence to inform decisions concerning a voluntary pre-closing CFIUS filing.

If a CFIUS filing is required or otherwise warranted, CFIUS counsel can advise with respect to what form of filing to make (i.e., a Declaration or Notice), prepare the filing and represent the parties before the Committee during the assessment, review and investigation, as circumstances require.

Regardless of whether the parties decide to submit a CFIUS filing, CFIUS counsel can advise the parties and their transaction counsel on measures to allocate and mitigate CFIUS risk and put the parties in the best position with respect to their cross-border transactions.

For additional information about CFIUS generally or a transaction specifically, please contact a member of Cooley’s CFIUS, export controls & economic sanctions, or government contracts practice groups below.