Opening Remarks from the Co-Chairs

Heather L. Finstuen
Partner
Covington & Burling LLP

Richard Ray
FSO / TCO / ITPSO
Eutelsat America Corp.

Interview: Examining the New DCSA Administration’s Priorities, Initiatives and Review Timelines

• Updates on the roles and responsibilities of newly hired DCSA personnel, and how agency resources are being utilized
• Update on DCSA amendments to forms, such as the Electronic Communications Plan (ECP)
• Key takeaways on the strategies and schemes that the foreign adversaries are using
• Analyzing the kinds of threats that FOCI mitigation is designed to counter, including new, emerging risks

Cybersecurity Mitigation and CUI: Preparing for CMMC 2.0 Regulation and Ensuring Your FOCI Company is Using Correct Security Controls

Curtis H. Chappell
Vice President, Security
Thales Defense & Security, Inc.

Maria Keady
Principal Compliance Manager / FSO / ITPSO
BlackBerry Government Solutions

Ernie Magnotti
Chief Information Security Officer (CISO)
Leonardo DRS

The U.S. Department of Defense issued a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule) in December 2023. The proposed rule is expected to more strictly control how Controlled Unclassified Information (CUI) is safeguarded and disseminated with impacts on FOCI mitigation, contracts, third-party contractors, parent companies and cloud service providers. This session will cover key topics, including:

• Safeguarding the relationship of a foreign entity and the mitigated entity, delineating access to network controls and cyber controls, and updating your company’s Electronic Communication Plans (ECP)
• Managing the rising cost of delineating network access
• Conducting a gap analysis to determine the compliance status of the parent company
• Meeting expectations for more strict safeguarding obligations for storage, processing and transmitting of sensitive DoD information
• Ensuring your FOCI company has the necessary security controls and that you are not relying on the controls of the parent company
• Determining which contractors need assessments and certifications – and whether they are self-assessments or third-party assessments (C3PAO) or by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
• Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

Networking Break

Vulnerability Assessments and Self-Inspections: Preparing and Managing an On-Site Assessment and What Can Generate the Best Possible Outcome

Margaret M. Cassidy
Managing Attorney
Cassidy Law LLC

As DCSA is conducting more in-person engagement and onsite security checks, learn the latest lessons on how to prepare for an onsite assessment – and the expected (and unexpected) ramifications of an unfavorable result.

• Ensuring your company’s security policy is robust and being followed for all FOCI locations
• Determining if all FOCI locations are needed, being used and using the security policy
• Examining what can lead to a poor vulnerability assessment
• Itemizing the consequences of a vulnerability assessment and implementing a strategy » Customer notifications » Remediation
• Exploring what constitutes a security incident-and what doesn’t
• Conducting governance and risk assessments
• Scrutiny of governance models to protect shareholders
• The pitfalls to avoid for internal and self-audits when preparing for a DCSA assessment

Polling & Hypothetical Scenarios

The Nuances of Roles of Outside Director and Proxy Holder Roles: Balancing the Wants and Needs of Stakeholders and National Security Interests

Pamela Drew
Proxy Holder
Eutelsat America Corp.
Outside Director QuinetiQ Inc.

Mary Griggs
Outside Director
CGI Federal, Integris Composites, Inc., Coalfire Federal, Airbus U.S. Space & Defense

During this session, speakers will lead delegates through a series of hypothetical scenarios that showcase the nuances of how a FOCI mitigated company can balance the roles of an outside director with its foreign parent. Delegates are encouraged to participate in anonymous live polling for enhanced benchmarking. Key topics will include:

• Approaching the role of an outside director when the FOCI mitigated company has no classified work, but is carrying a clearance for contract
• Balancing the needs and wants of the parent company and the shareholders
• What needs to be reported to the government security committee
• Documenting the government security committee meeting, and justifying how a company is in compliance with the NISPOM

AI DEMO & CASE STUDY

How AI is Being Used for Risk Mitigation

Networking Luncheon for Speakers and Delegates

Roundtable Discussion

How DCSA’s FOCI Scope is Expanding Beyond Foreign Owned Companies and Impacting Supply Chain

Jill M. McClune
US General Counsel
Avon Protection/Team Wendy

Richard Ray
FSO / TCO / ITPSO
Eutelsat America Corp.

Proposed changes to the National Defense Authorization Act (NDAA), Section 847 directs the U.S. Department of Defense to reduce reliance on services, supplies, or materials obtained from certain geographic areas, which may be controlled by adversarial countries. The change would also direct DoD to mitigate the risks to national security and the defense supply chain related to such a reliance. Announced in 2022, DoD is due to issue a report to congressional defense committees this year and is currently seeking input.

• Determining which FOCI companies, non-FOCI companies, public trust contracts and third-party contractors are subject to increased scrutiny
• Anticipating DCSA’s expectations and guidance
• Analyzing the need for an Electronic Communication Monitoring Plan, or a Quality Management Plan, or an export license
• Monitoring international suppliers and evaluating supply chain security and resiliency

CFIUS and Export Controls Interplay: Navigating the CFIUS and FOCI Process for Companies Under Both Agreements – And How to Avoid Hiccups

Antonia Tzinova
Partner
Holland & Knight LLP

Daniel Pickard
Shareholder & International Trade & National Security Practice Group Leader
Buchanan Ingersoll & Rooney, PC

• Determining where CFIUS and DSCA align and diverge • Deciphering when there is a mandatory filing obligation
• Accomplishing DCSA and CFIUS expectations-and overcoming operational challenges
• Dovetailing CFIUS and FOCI mitigation with export compliance and licensing requirements
• Determining the sequencing of CFIUS and FOCI submissions
• Examining what kind of data exports are controlled and need an export license

Networking Break

Cyber Mitigation Case Study

During this session, delegates will delve into the complexities of an acquisition from the lens of cybersecurity. This will include a look at how to vet policy prior to acquisition, ensuring the acquired company has not already been breached, and how to ensure robust safeguards following the acquisition. Topics will include:

• Assessing cyber risk before, during and after acquisition
• Complying with DCSA’s requirements for a robust cybersecurity policy and how to meet expectations in the event of a breach
• Itemizing the mechanics of mitigating against the risk of a cyber breach
• Consolidating operation measures while ensuring high cybersecurity standards among shared electronic services and share technology services
• Examining how ECPs and AOPs could be altered to strengthen cybersecurity standards

Interactive Roundtable Discussions – Pick your roundtable!

Back by popular demand! Delegates are invited to break out into smaller group discussion tables to trade experiences and lessons learned for confronting the challenges of maintaining security standards amid a remote and hybrid workforce. Facilitators will guide the conversation to identify the latest best practices. Delegates are encouraged to choose their preferred table topic, and to move between tables during the discussion.

Table One: Insider Threat: How are you safeguarding access and information?

Table Two: How is the government vetting your employee’s online social footprint?

Table Three: How does cybersecurity fit into a mitigation strategy? Table Four: Considerations for safeguarding your supply chain

Conference Adjourns

Early Riser

FSO Benchmarking: Tackling the next Wave of Complex and Real-World Challenges (by invitation only)

Join this early riser, smaller-group session to share the top-of-mind concerns affecting FSOs and how to meet the evolving demands of the job.

Remarks from the Co-Chairs

Keynote Address

Jeffrey P. Spinnanger
Director, Information and Acquisition Protection, OUSD(I&S)
U.S. Department of Defense

Classified Contracts and Controlled Unclassified Information CUI: What DCSA Now Requires and Navigating a CUI in a FOCI Mitigated Landscape

• Paraphrasing information that is passed to affiliates about classified contracts
• Establishing networking and IT requirements and how to separate the network CUI from affiliate companies
• Determining who has access when a global company has different subsidiaries
• Ensuring continuous auditing and compliance
• Examining who has access to what when employees have dual citizenship
• Reviewing the requirements when your classified documents are off site

Networking Break

HYPOTHETICAL SCENARIOS

FOCI and Cybersecurity Breach Action Plan: Tailoring Your Incident Response to Meet Mitigation Security Requirements and Breach Policy

Ernie Magnotti
Chief Information Security Officer (CISO)
Leonardo DRS

Robert Metzger
Partner
Rogers Joseph O’Donnell

What happens during a breach? This interactive session will examine the play-by-play of how a FOCI mitigated company will now need to react to a cybersecurity breach under stricter Department of Defense and CMMC safeguards

• Determining your company’s obligations under NISPOM in the context of a cyber breach
• Ensuring your FOCI company is following its cybersecurity breach policy and implementing checks
• Deciphering which policies kick-in during a cyber breach: Systems Security Plan (SSP) for Controlled Unclassified Information (CUI) and Standard Policies and Procedures (SPP)
• Examining the effect of a breach on a cleared company with classified information
• Analyzing how the breach effects the whole company and who has responsibility
• Determining what the security representative can and can’t tell the parent
• Reconciling the effects on the AOP

Mitigation Strategies: How DCSA is Now Expanding its Scope and Increasing Requirements for Special Board Resolutions

Matthew Madalo
General Counsel
Siemens Corporation

Norman E. Pashoian III
Industrial Security Consultant
White & Case LLP

• Analyzing how DSCA is now reviewing Board Resolutions, how requirements are changing and which types of companies are now affected
• Examining the requirements for a Board Resolution, and when the foreign entity does not own voting stock enough to elect a representative to the company’s governing board
• How to handle a cleared subsidiary when the parent company has a small-percentage of foreign ownership
• Determining which tools are (and aren’t) necessary in a mitigation, such as proxies, board resolutions and company service arrangements.
• Addressing when an investor has a right to a board seat, but is not exercising their right, and documenting it for DCSA

SSA and Proxy Agreements

Determining When to Restructure FOCI Mitigation Agreement: Key Considerations, and processes for SSAs, Proxy and other Agreements

Michelle D. Hertz
VP, General Counsel & Corporate Secretary
CGI Federal Inc.

Stefan Lopatkiewicz
General Counsel
Eutelsat America Corp.

• Contrasting the differences between an SSA and a Proxy Agreement, and their pros and cons for a company
• How to meet DSCA mitigation expectations when restructuring foreign ownership, control, or influence
• Expected timelines and what can cause delays
• Weighing the pros and cons, and the impact of each type of agreement
• Examining the relationship with the foreign parent, how it differs under a Proxy Agreement, a Special Security Agreement, a Security Control Agreement or other agreement
• Appointing an inside director under a Special Security Agreement following a PA restructuring

Business Leaders Panel

The Role of C-Level Executives in FOCI Mitigated Companies

Dennis S. Kallelis
Chief Security Officer
IDEMIA Identity & Security

Alex Veneziano
Chief Administrative Officer
Airbus US Space and Defense

Moderator:

Erin Estevez
Partner
Holland & Knight LLP

Best Practices for handling FOCI agreements

• The relationship between DCSA and the company, and dos and don’ts of working with DCSA
• CFIUS LOA FOCI Agreement, with controls, restrictions, audits, and penalties
• Becoming FOCI proficient and detecting and handling FOCI concerns in the initial stages
• Implementing a FOCI mitigation agreement with fewer resources
• Budgeting and the business impact of FOCI mitigation on possible delays to company operations
• Utilizing legal counsel and FSO expertise vs. when to hire a consultant

Closing Remarks from the Co-Chairs & Conference Concludes