May 26, 2023
CFIUS Executive Order on Evolving National Security Risks
and CFIUS Enforcement Guidelines
On September 15, 2022, the Biden Administration issued
entities and persons to act as third parties. This focus may
the “first-ever presidential directive” defining additional
signal U.S. government concerns that China among others
national security factors for the Committee on Foreign
may be using U.S. workarounds to evade scrutiny.
Investment in the United States (CFIUS) to consider in
evaluating foreign investment transactions. Executive Order
With respect to investments directly or indirectly
14083 reaffirms a “commitment to open investment,” while
involving foreign adversaries or other countries of
seeking to ensure CFIUS “remains responsive to an
special concern, what may otherwise appear to be an
evolving national security landscape and the nature of the
economic transaction undertaken for commercial
investments that pose related risks.” The E.O. informs how
purposes may actually present an unacceptable risk to
CFIUS reviews strategic transactions—in general and with
U.S. national security due to the legal environment,
regard to key sectors and factors—and could potentially
intentions, or capabilities of the foreign person,
enhance scrutiny of investments from countries of concern,
including foreign governments, involved in the
such as the People’s Republic of China (PRC or China).
transaction.
—E.O. 14083
Also, in October 2022, the U.S. Department of the Treasury
published CFIUS Enforcement and Penalty Guidelines
E.O. 14083 makes explicit certain national security factors
(Guidelines) that describe how it approaches enforcement
that CFIUS is required to consider in reviewing investment
transactions, but does not otherwise change its authorities
and penalty determinations for violations by parties subject
to CFIUS action. Some see the Guidelines as a signal that
or jurisdiction. The E.O. elaborates on two existing
CFIUS may more proactively seek enforcement actions and
factors in the CFIUS statute:
• Critical U.S. supply chains resiliency—both inside
civil monetary penalties.
and outside the defense industrial base. Key sectors
CFIUS Background
include microelectronics, artificial intelligence,
CFIUS is an interagency body, chaired by the U.S. Treasury
biotechnology, quantum computing, advanced clean
Secretary, which serves the President in overseeing the
energy, climate technologies, critical materials,
potential national security implications of certain foreign
agriculture, and food security. The E.O. requires CFIUS
investment in the U.S. economy. It has associated legal
to consider U.S. supply chains broadly, not only U.S.
authorities (50 U.S.C. § 4565; 31 C.F.R. Chapter VIII), for
Department of Defense supply chains.
example, to review, clear, and, if required, impose terms of
• U.S. technological leadership—with a focus on areas
mitigation to address U.S. national security risks before
affecting national security. The E.O. directs the Office
allowing transactions to proceed. CFIUS also has authority to
of Science and Technology Policy (OSTP) to publish
refer transactions to the President for action, including
“periodically” a list of sectors, in addition to those the
prohibiting or compelling divestiture of transactions that
E.O. identified, fundamental to U.S. technological
present risks CFIUS determines it cannot sufficiently mitigate.
leadership. This provision may broaden the scope of
See CRS In Focus IF10177, The Committee on Foreign
technologies CFIUS considers and place emphasis on
Investment in the United States.
certain areas of risk in reviewing transactions. CFIUS is
also to consider “relevant third-party ties” of the foreign
Executive Order 14083
person, and whether a transaction could lead to future
advancements and applications in such technologies for
CFIUS decision-making is not public, in part to protect the
the foreign actor that could undermine U.S. national
confidentiality of parties to a transaction. E.O. 14083 gives
security. This framing directs CFIUS to not only
insight into issues CFIUS may be navigating. The use of an
consider how the transfer of a capability to a foreign
E.O. requires CFIUS to adopt specified approaches and
acquirer could affect a loss of certain U.S. national
direction. While the E.O. does not name China, it targets
capabilities (with respect to manufacturing capabilities,
behaviors common to PRC investments that seek U.S.
services, critical mineral resources, or technologies) but
capabilities in strategic areas prioritized and funded by
China’s
also how an acquisition could enhance a foreign
industrial policies (see CRS In Focus IF10964,
“Made in China 2025” Industrial Policies: Issues for
acquirer’s gain in capabilities. In particular, with
China’s use of U.S. acquisitions to fill technology gaps,
Congress). The E.O. focuses on countries that have a
this provision may require CFIUS to more fully consider
strategic goal of acquiring critical technology/infrastructure
how a transaction advances PRC national capabilities.
that affects U.S. leadership in areas related to national
security. It also addresses foreign investors’ use of U.S.
CFIUS is also to consider three additional factors:
https://crsreports.congress.gov
CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines
• Aggregate industry investment trends—whether a
determine what remedies are appropriate. CFIUS considers
transaction may affect U.S. national security with
the timing of self-disclosure when determining how to
regard to the broader industry, and the effect of a series
respond to a violation. CFIUS also considers several factors
of investment transactions in which a foreign investor
in determining penalties, such as:
might gain control of a technology or sector over time.
•
•
Harm to U.S. national security;
Cybersecurity—whether a transaction may provide
• Whether the conduct was intentional or the result of
foreign persons or third parties access to capabilities or
negligence, efforts to conceal or delay sharing
information databases and systems to conduct cyber
information, and seniority of personnel involved;
intrusions or malicious cyber-enabled activity, e.g.,
• Actions taken in response to the violation, including
designed to affect election outcomes or operation of
voluntary self-disclosure and cooperation;
critical infrastructure, such as smart grids. This
•
provision looks at how transactions may create specific
The subject’s history, familiarity, and record of
points of connection, access, and related touchpoints
compliance with CFIUS and the extent to which its
and risks in U.S. critical infrastructure.
internal policies were adequate.
• U.S. persons’ sensitive data—whether a transaction
Considerations for Congress
involves a U.S. business with “access to U.S. persons’
The 118th Congress is considering various legislation to
sensitive data,” including “health, digital identity, or
strengthen CFIUS by addressing perceived gaps in
other biological data and any data that could be
jurisdiction and China-related concerns, including: U.S.
identifiable or de-anonymized,” that could be
outbound investment and technology transfer and licensing
exploited. The E.O. introduces a broader definition
to China in strategic industries; PRC investments in U.S.
than current CFIUS regulations with respect to U.S.
strategic sectors; PRC ties to U.S. research; “greenfield”
businesses that maintain or collect sensitive personal
investments in new U.S. facilities and land purchases.
data. This factor also appears to promote greater
The E.O. and Guidelines raise issues for possible legislation
scrutiny of claims that parties use only anonymized
and oversight of the Foreign Investment Risk Review
data by examining de-anonymizing capabilities.
Modernization Act of 2018 (FIRRMA, P.L. 115-232, Title
Enforcement and Penalty Guidelines
XVII, Subtitle A), which expanded CFIUS jurisdiction in
CFIUS’ first-ever Guidelines outline its approach to
key areas. Congress might update in statute the risk factors
enforcement actions and penalty determinations. The
and sectors that CFIUS must consider, drawing from the
Guidelines are non-binding and do not change CFIUS’
E.O. and the factors Congress recommended in FIRRMA
statutory or regulatory authority to impose penalties. The
§1702(c). Congress last updated such factors in the Foreign
Guidelines outline three categories of conduct that can
Investment and National Security Act of 2007 (P.L. 110-
constitute a violation of CFIUS’ legal authorities or
49). Similarly, Congress might consider whether to adopt
mitigation agreements: 1) failing to file a mandatory notice
the OSTP-defined technologies as the operative list that
or declaration triggering CFIUS review; 2) failing to
establishes CFIUS jurisdiction over investments in which
comply with a mitigation agreement; and 3) making
foreign parties have sensitive access to or influence over a
material misstatements, omissions or false certifications.
U.S. business, but not formal control (i.e., non-passive and
non-controlling investments). The technologies on OSTP’s
CFIUS Penalty Process
list are more broadly defined than current CFIUS statute
In imposing penalties, CFIUS first sends a notice that explains
and regulations, which set jurisdiction by export-controlled
the conduct to be penalized, the penalty amount, and the legal
technologies.
basis for the action. The recipient has 15 days to submit a
petition for reconsideration. CFIUS makes a final penalty
Congress might engage Treasury and other CFIUS member
determination within 15 days of receiving the petition or after
agencies to ascertain the extent to which CFIUS is acting on
the deadline to submit the petition expires. Deadlines may be
the new guidance in practice. With the E.O.’s focus on
extended upon agreement. If CFIUS concludes that an
aggregate investments, Congress could require enhanced
enforcement action is warranted, federal regulations (31
reporting on PRC investments over time by sector, critical
C.F.R. §§ 800.901, 902) authorize imposing penalties and
supply chains, company, and country of investor. It could
damages, including a civil penalty of up to $250,000 or, in
examine when instances of aggregation should trigger a
some cases, the value of the transaction. To date, CFIUS has
new CFIUS review, or other agency responses to mergers
announced two civil penalties: a $1 mil ion penalty in 2018 for
and acquisitions, including related to antitrust, securities,
a party’s failure to establish security policies and report as
and telecom, for example. Given the E.O.’s specific
required in a mitigation agreement, and a $750,000 penalty in
mention of agriculture and food security, Congress might
2019 for a party violating a CFIUS interim order while a
consider making the U.S. Department of Agriculture a full
transaction was under review.
CFIUS member agency. On enforcement, Congress might
scrutinize CFIUS mitigation terms and practices, define in
The Guidelines explain that CFIUS relies on U.S.-
legislation the enforcement mandates, expand penalties
government data, publicly available information, third-party
(e.g., criminal), or seek clarity on how any disagreements
service providers (e.g., auditors), tips, and information from
among CFIUS agencies are resolved.
parties to transactions to determine violations. CFIUS also
has subpoena authority under 50 U.S.C. § 4555(a). The
Cathleen D. Cimino-Isaacs, Specialist in International
Guidelines encourage cooperation and “strongly
Trade and Finance
encourage” self-disclosure of potential violations. Not all
Stephen P. Mulligan, Legislative Attorney
violations result in penalties; CFIUS has discretion to
Karen M. Sutter, Specialist in Asian Trade and Finance
https://crsreports.congress.gov
CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines
IF12415
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF12415 · VERSION 1 · NEW