Skip to main content

Biden Administration Identifies National Security Factors to Guide CFIUS Reviews

International Trade and Investment Alert™ | September 16, 2022

Authors: Michael T. Gershberg, Gregory Bernstein

On September 15, 2022, President Biden issued an Executive Order (“the EO”) to ensure that the Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) considers evolving national security risks when reviewing foreign investment transactions. The EO, which does not expand CFIUS’s jurisdiction or alter the CFIUS review process, identifies five specific areas that CFIUS should consider during its review. This is the first presidential directive regarding priority national security issues since CFIUS was codified in 1975. In addition to focusing CFIUS’s review of future covered transactions, the EO may be read as guidance to the private sector on how to approach future CFIUS filings, as well as a warning to certain foreign countries like China.

The EO was issued pursuant to Section 721 of the Defense Production Act of 1950—CFIUS’s authorizing statute—which lays out ten factors that the Committee may consider when reviewing transactions, as well as a catch-all factor of “such other factors as the President or the Committee may determine to be appropriate.” Pursuant to this statutory authority, the EO identifies the following five priority areas for the Committee to consider when reviewing transactions:

  • The transaction’s effect on supply chain resilience and security, including for supply chains outside the defense industrial basis;
  • The transaction’s effect on U.S. technological leadership;
  • Aggregate investment trends and the effect of multiple foreign investments in a single industry or in related industries;
  • Cybersecurity risks associated with the transaction; and
  • Whether the transaction may afford foreign parties with access to sensitive data that could be exploited or used to threaten national security.

I  Supply Chain Resilience and Security

The EO notes that certain foreign investments may “undermine supply chain resilience efforts and therefore national security by making the United States vulnerable to future supply disruptions.” Accordingly, the EO instructs CFIUS to consider the effect of a covered transaction on supply chain resilience, both within and outside of the defense industrial base. The EO highlights supply chains in sectors such as microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, critical materials (e.g. lithium and rare earth elements), and elements of the agriculture industrial base that implicate food security.

Although CFIUS already carefully scrutinizes investments in these areas, the EO provides specific guidance instructing CFIUS to take into consideration the degree of diversification through alternative suppliers, whether alternative supplies are located in allied countries, and the concentration of foreign ownership in any given supply chain.

II  The United States’ Technological Leadership

The EO, while acknowledging that foreign investment can foster domestic innovation, nonetheless highlights the importance of protecting United States technological leadership, especially in the sectors and industries mentioned above. Accordingly, the EO directs CFIUS to consider how a transaction could affect the United States’ technological leadership, as well as whether a transaction could lead to future technological advancements that would undermine national security. The EO also requires the Office of Science and Technology Policy (“OSTP”), whose director is a member of the Committee, to periodically publish a list of technology sectors that it views as fundamental to U.S. technological leadership in areas relevant to national security.

III  Aggregate Industry Investment Trends

The third factor for CFIUS to consider is aggregate industry investment trends. This factor relates primarily to incremental investments and situations where a foreign company or foreign country makes multiple investments in the same or related industries. The EO emphasizes the risk that such investments may, over time “cede, part-by-part, domestic development or control” in a given sector or technology.

This concern is not new, and was on the mind of lawmakers when they passed the Foreign Investment Risk Review Modernization Act (“FIRRMA”) in 2018. FIRRMA permits CFIUS to consider “the cumulative control of, or pattern of recent transactions involving, any one type of critical infrastructure, energy asset, critical material, or critical technology by a foreign government or foreign person” when evaluating the national security risk posed by a transaction. The EO permits CFIUS to request from the Department of Commerce’s International Trade Administration an analysis showing the industries in which the target company operates and whether there is any cumulative control of or pattern of recent transactions in any of those industries. In a fact sheet, the White House noted that “there may be a comparatively low threat associated with a foreign company or country acquiring a single firm in a sector, but a much higher threat associated with a foreign company or country acquiring multiple firms within the sector.”

This element of the EO is likely to be of particular importance to private equity investors and their co-investors who, for commercial reasons, may make multiple investments in the same or related industries. The Biden administration is signaling that it will look closely at such investments, and parties to such investments should keep this in mind when determining whether a CFIUS filing is advisable.

IV  Cybersecurity Risks

The EO identifies multiple cybersecurity risks that CFIUS should consider when reviewing a transaction. These include (i) whether the transaction may provide malignant foreign actors with direct or indirect access to information databases and systems that could be the target of malicious cyber-enabled activities, and (ii) the cybersecurity posture, practices, capabilities, and access of both the foreign person and the United States business, to the extent that such posture, practices, capabilities, and access may allow the foreign person or third parties to take harmful actions against the United States.

To underscore the importance of understanding the potential cybersecurity risks that a transaction may pose, the EO enumerates a number of malicious cyber-enabled activities that foreign persons may engage in, including:

  1. activity designed to undermine the protection or integrity of data in storage or databases or systems housing sensitive data;
  2. activity designed to interfere with United States elections, United States critical infrastructure, the defense industrial base, or other cybersecurity national security priorities; and
  3. the sabotage of critical energy infrastructure, including smart grids

While CFIUS already takes into consideration the cybersecurity policies and practices of U.S. businesses, this portion of the EO suggests that CFIUS may become more aggressive about ensuring that a U.S. business has robust cybersecurity policies in place and, where appropriate, using mitigation agreements to implement or strengthen such policies.

V   Sensitive Personal Data

Lastly, the EO instructs CFIUS to consider a range of factors related to sensitive personal data, such as whether the transaction involves a business that has access to sensitive personal data that could be identifiable or de-anonymized, or a business that has access to data on sub-populations of U.S. persons. The EO notes that advances in technology have “enable[d] the re‑identification or de‑anonymization of what once was unidentifiable data,” resulting in an increased risk that foreign persons might exploit access to certain data to target individuals or groups in the United States.

This portion of the EO builds on FIRRMA’s focus on sensitive personal data as an area of CFIUS’s expanded jurisdiction. In the past three years alone, CFIUS has blocked or unwound multiple transactions by Chinese acquirers due to concerns over the foreign person’s access to sensitive personal data, including ordering Beijing Shiji to divest StayNTouch, Kunlun Group to sell Grindr, iCarbonX to divest PatientsLikeMe, and, most famously, ByteDance to divest TikTok. The EO’s emphasis on keeping personal data, even data that may appear to be anonymized, out of the hands of foreign persons or governments that may exploit it can be read as a warning to Chinese acquirers that investments in U.S. businesses with access to personal data are likely to face stiff resistance.

Key Takeaways

While the EO does not make any legal changes to the CFIUS review process or the national security factors that CFIUS is authorized to consider, it does shed light on the Biden administration’s priorities and provides insights to foreign investors and U.S. businesses alike regarding what types of transactions are likely to draw the most scrutiny.

In a statement, Treasury Secretary Janet Yellen noted that the EO “reflect[s] the evolving national security threat landscape” and was intended to "sharpen[ ] the Committee’s focus on protecting America's national security, while maintaining the U.S. open investment policy.” Nonetheless, transactions that relate to the priority areas identified in the EO should expect an increased likelihood that CFIUS will unilaterally initiate a review if the transaction is not notified, and a greater chance that CFIUS’s review extends to the investigation phase.


This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.