Agenda
Day 1
September 30, 2024
HYPOTHETICAL SCENARIOS
FOCI and Cybersecurity Breach Action Plan: Tailoring Your Incident Response to Meet Mitigation Security Requirements and Breach Policy
Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS
Robert Metzger, Partner, Rogers Joseph O'Donnell
What happens during a breach? This interactive session will examine the play-by-play of how a FOCI mitigated company will now need to react to a cybersecurity breach under stricter Department of Defense and CMMC safeguards.
- Determining your company’s obligations under NISPOM in the context of a cyber breach
- Ensuring your FOCI company is following its cybersecurity breach policy and implementing checks
- Deciphering which policies kick in during a cyber breach: the System Security Plan (SSP) for Controlled Unclassified Information (CUI) and the Standard Policies and Procedures (SPP)
- Examining the effect of a breach on a cleared company with classified information
- Analyzing how the breach affects the whole company and who has responsibility
- Determining what the security representative can and can’t tell the parent
- Reconciling the effects on the AOP
Networking Break
Vulnerability Assessments and Self-Inspections: Preparing and Managing an On-Site Assessment and What Can Generate the Best Possible Outcome
Margaret M. Cassidy, Managing Attorney, Cassidy Law LLC
Sabrina DeBarge, Mission Region Action Officer for Industrial Security, Mid-Atlantic Region, Defense Counterintelligence and Security Agency
Jason Garkey, Chief Security Officer, Momentus Space
As DCSA is conducting more in-person engagement and onsite security checks, learn the latest lessons on how to prepare for an onsite assessment – and the expected (and unexpected) ramifications of an unfavorable result.
- Ensuring your company’s security policy is robust and being followed for all FOCI locations
- Determining if all FOCI locations are needed, being used and using the security policy
- Examining what can lead to a poor vulnerability assessment
- Itemizing the consequences of a vulnerability assessment and implementing a strategy
  - Customer notifications
  - Remediation
- Exploring what constitutes a security incident, and what doesn't
- Conducting governance and risk assessments
- Scrutiny of governance models to protect shareholders
- The pitfalls to avoid for internal and self-audits when preparing for a DCSA assessment
Polling & Hypothetical Scenarios
The Nuances of Outside Director and Proxy Holder Roles: Balancing the Wants and Needs of Stakeholders and National Security Interests
Pamela Drew, Proxy Holder, Eutelsat America Corp.; Outside Director, QinetiQ Inc.
Mary Griggs, Outside Director, CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense
Chris Griner, Senior Partner, Squire Patton Boggs (US) LLP
During this session, speakers will lead delegates through a series of hypothetical scenarios that showcase the nuances of how a FOCI mitigated company can balance the roles of an outside director with its foreign parent. Delegates are encouraged to participate in anonymous live polling for enhanced benchmarking. Key topics will include:
- Approaching the role of an outside director when the FOCI mitigated company has no classified work but is carrying a clearance for a contract
- Balancing the needs and wants of the parent company and the shareholders
- What needs to be reported to the government security committee
- Documenting the government security committee meeting, and justifying how a company is in compliance with the NISPOM
Networking Luncheon for Speakers and Delegates
Roundtable Discussion
How DCSA’s FOCI Scope is Expanding Beyond Foreign Owned Companies and Impacting Supply Chain
Jill M. McClune, US General Counsel, Avon Protection/Team Wendy
Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.
Under proposed changes to the National Defense Authorization Act (NDAA), Section 847 directs the U.S. Department of Defense to reduce reliance on services, supplies, or materials obtained from certain geographic areas that may be controlled by adversarial countries. The change would also direct DoD to mitigate the risks to national security and the defense supply chain related to such reliance. The change was announced in 2022; DoD is due to issue a report to the congressional defense committees this year and is currently seeking input.
- Determining which FOCI companies, non-FOCI companies, public trust contracts and third-party contractors are subject to increased scrutiny
- Anticipating DCSA’s expectations and guidance
- Analyzing the need for an Electronic Communication Monitoring Plan, or a Quality Management Plan, or an export license
- Monitoring international suppliers and evaluating supply chain security and resiliency
CFIUS and Export Controls Interplay: Navigating the CFIUS and FOCI Process for Companies Under Both Agreements – And How to Avoid Hiccups
Antonia Tzinova, Partner, Holland & Knight LLP
Daniel Pickard, Shareholder & International Trade & National Security Practice Group Leader, Buchanan Ingersoll & Rooney, PC
Stephanie Lutz, CAP, SFPC, Risk Management Officer, Defense Counterintelligence and Security Agency (DCSA)
- Determining where CFIUS and DCSA align and diverge
- Deciphering when there is a mandatory filing obligation
- Accomplishing DCSA and CFIUS expectations, and overcoming operational challenges
- Dovetailing CFIUS and FOCI mitigation with export compliance and licensing requirements
- Determining the sequencing of CFIUS and FOCI submissions
- Examining what kind of data exports are controlled and need an export license
Networking Break
Jon R. Knight, Counsel, Baker & Hostetler LLP
Johnathan Rudy, Senior Counsel, TransUnion
During this session, delegates will delve into the complexities of an acquisition from the lens of cybersecurity. This will include a look at how to vet policy prior to acquisition, how to ensure the acquired company has not already been breached, and how to ensure robust safeguards following the acquisition. Topics will include:
- Assessing cyber risk before, during and after acquisition
- Complying with DCSA’s requirements for a robust cybersecurity policy and how to meet expectations in the event of a breach
- Itemizing the mechanics of mitigating against the risk of a cyber breach
- Consolidating operational measures while ensuring high cybersecurity standards among shared electronic services and shared technology services
- Examining how ECPs and AOPs could be altered to strengthen cybersecurity standards
Heather L. Finstuen, Partner, Covington & Burling LLP
Richard Ray, FSO / TCO / ITPSO, Eutelsat America Corp.
Curtis H. Chappell, Vice President, Security, Thales Defense & Security, Inc.
Back by popular demand! Delegates are invited to break out into smaller group discussion tables to trade experiences and lessons learned for confronting the challenges of maintaining security standards amid a remote and hybrid workforce. Facilitators will guide the conversation to identify the latest best practices. Delegates are encouraged to choose their preferred table topic, and to move between tables during the discussion.
Table One: Insider Threat: How are you safeguarding access and information?
Table Two: Considerations for safeguarding your supply chain
Table Three: How does cybersecurity fit into a mitigation strategy?
Conference Adjourns
Day 2
October 1, 2024
Remarks from the Co-Chairs
Classified Contracts and Controlled Unclassified Information (CUI): What DCSA Now Requires and Navigating CUI in a FOCI Mitigated Landscape
Stacey Burton, Vice President, Deputy General Counsel, Elbit Systems of America
Mike Cuendet, IT Director, CEM Defense Materials LLC
- Paraphrasing information that is passed to affiliates about classified contracts
- Establishing networking and IT requirements, and how to separate the CUI network from affiliate companies
- Determining who has access when a global company has different subsidiaries
- Ensuring continuous auditing and compliance
- Examining who has access to what when employees have dual citizenship
- Reviewing the requirements when your classified documents are off site
Networking Break
New! Cybersecurity Mitigation and CUI: Preparing for your CMMC Assessment and Ensuring Your FOCI Company Can Demonstrate Compliance
Curtis H. Chappell, Vice President, Security, Thales Defense & Security, Inc.
Maria Keady, Principal Compliance Manager / FSO / ITPSO, BlackBerry Government Solutions
Ernie Magnotti, Chief Information Security Officer (CISO), Leonardo DRS
The U.S. Department of Defense issued a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (the Proposed Rule) in December 2023. The Proposed Rule is expected to more strictly control how Controlled Unclassified Information (CUI) is safeguarded and disseminated, with impacts on FOCI mitigation, contracts, third-party contractors, parent companies and cloud service providers. This session will cover key topics, including:
- Safeguarding the relationship of a foreign entity and the mitigated entity, delineating access to network controls and cyber controls, and updating your company’s Electronic Communication Plans (ECP)
- Managing the rising cost of delineating network access
- Conducting a gap analysis to determine the compliance status of the parent company
- Meeting expectations for more strict safeguarding obligations for storage, processing and transmitting of sensitive DoD information
- Ensuring your FOCI company has the necessary security controls and that you are not relying on the controls of the parent company
- Determining which contractors need assessments and certifications – and whether they are self-assessments or third-party assessments (C3PAO) or by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
- Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
Mitigation Strategies: How DCSA is Now Expanding its Scope and Increasing Requirements for Special Board Resolutions
Matthew Madalo, General Counsel, Siemens Corporation
Norman E. Pashoian III, Industrial Security Consultant, White & Case LLP
- Analyzing how DCSA is now reviewing Board Resolutions, how requirements are changing and which types of companies are now affected
- Examining the requirements for a Board Resolution, and what applies when the foreign entity does not own enough voting stock to elect a representative to the company's governing board
- How to handle a cleared subsidiary when the parent company has a small percentage of foreign ownership
- Determining which tools are (and aren’t) necessary in a mitigation, such as proxies, board resolutions and company service arrangements.
- Addressing when an investor has a right to a board seat, but is not exercising their right, and documenting it for DCSA
SSA and Proxy Agreements
Determining When to Restructure a FOCI Mitigation Agreement: Key Considerations and Processes for SSAs, Proxy and Other Agreements
Michelle D. Hertz, VP, General Counsel & Corporate Secretary, CGI Federal Inc.
Stefan Lopatkiewicz, Former Corporate Secretary, Eutelsat America Corp.
- Contrasting the differences between an SSA and a Proxy Agreement, and their pros and cons for a company
- How to meet DCSA mitigation expectations when restructuring foreign ownership, control, or influence
- Expected timelines and what can cause delays
- Weighing the pros and cons, and the impact of each type of agreement
- Examining the relationship with the foreign parent, how it differs under a Proxy Agreement, a Special Security Agreement, a Security Control Agreement or other agreement
- Appointing an inside director under a Special Security Agreement following a PA restructuring
Dennis S. Kallelis, Chief Security Officer, IDEMIA Identity & Security
Alex Veneziano, Chief Administrative Officer, Airbus US Space and Defense
Andrew K. McAllister, Partner, Holland & Knight LLP
Best Practices for handling FOCI agreements
- The relationship between DCSA and the company, and dos and don’ts of working with DCSA
- CFIUS LOA FOCI Agreement, with controls, restrictions, audits, and penalties
- Becoming FOCI proficient and detecting and handling FOCI concerns in the initial stages
- Implementing a FOCI mitigation agreement with fewer resources
- Budgeting for FOCI mitigation, and the business impact of possible delays to company operations
- Utilizing legal counsel and FSO expertise vs. when to hire a consultant