CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines



Updated May 17, 2024
CFIUS Executive Order on Evolving National Security Risks
and CFIUS Enforcement Guidelines

On September 15, 2022, the Biden Administration issued
It also addresses foreign investors’ use of U.S. entities and
the “first-ever presidential directive” defining additional
persons to act as third parties. This focus may signal U.S.
national security factors for the Committee on Foreign
government concerns that China among others may be
Investment in the United States (CFIUS) to consider in
using U.S. workarounds to evade scrutiny.
evaluating foreign investment transactions. Executive Order
14083
reaffirms a “commitment to open investment,” while
E.O. 14083 makes explicit certain national security factors
seeking to ensure CFIUS “remains responsive to an
that CFIUS is required to consider in reviewing investment
evolving national security landscape and the nature of the
transactions, but does not otherwise change its authorities
investments that pose related risks.” The E.O. informs how
or jurisdiction. The E.O. elaborates on two existing
CFIUS reviews strategic transactions—in general and with
factors in the CFIUS statute:
regard to key sectors and factors—and could potentially
enhance scrutiny of investments from countries of concern,
Critical U.S. supply chains resiliency—both inside
such as the People’s Republic of China (PRC or China).
and outside the defense industrial base. Key sectors
include microelectronics, artificial intelligence,
Also, in October 2022, the U.S. Department of the Treasury
biotechnology, quantum computing, advanced clean
published CFIUS Enforcement and Penalty Guidelines
energy, climate technologies, critical materials,
(Guidelines) that describe how it approaches enforcement
agriculture, and food security. The E.O. requires CFIUS
and penalty determinations for violations by parties subject
to consider U.S. supply chains broadly, not only U.S.
to CFIUS action. Some see the Guidelines as a signal that
Department of Defense supply chains.
CFIUS may more proactively seek enforcement actions and

civil monetary penalties. In April 2024, Treasury proposed
U.S. technological leadership—with a focus on areas
regulatory updates intended to further “sharpen [CFIUS]
affecting national security. The E.O. directs the Office
penalty and enforcement authorities.”
of Science and Technology Policy (OSTP) to publish
“periodically” a list of sectors, in addition to those the
E.O. identified, fundamental to U.S. technological
CFIUS Background
leadership. This provision may broaden the scope of
CFIUS is an interagency body, chaired by the U.S. Treasury
technologies and risk areas CFIUS considers. CFIUS is
Secretary, that serves the President in overseeing the
also to consider “relevant third-party ties” of the foreign
potential U.S. national security implications of certain foreign
person, and whether a transaction could lead to future
investment in the U.S. economy. It has associated authorities
advancements and applications in such technologies for
(50 U.S.C. §4565; 31 C.F.R. Chapter VIII) to review, clear, and,
the foreign actor that could undermine U.S. national
if required, impose terms of mitigation to address national
security. This framing directs CFIUS to not only
security risks before allowing transactions to proceed. CFIUS
consider how the transfer of a capability to a foreign
also has authority to refer transactions to the President for
acquirer could affect a loss of certain U.S. national
action, including prohibiting or compelling divestiture of
capabilities (with respect to manufacturing capabilities,
transactions that present risks CFIUS determines it cannot
services, critical mineral resources, or technologies) but
sufficiently mitigate. See CRS In Focus IF10177, The
also how an acquisition could enhance a foreign
Committee on Foreign Investment in the United States.
acquirer’s gain in capabilities. With China’s use of U.S.
acquisitions to fill technology gaps, this provision may
require CFIUS to more fully consider how a transaction
Executive Order 14083
advances PRC national capabilities.
CFIUS decisionmaking is not public, in part to protect the
confidentiality of parties to a transaction. E.O. 14083 gives
CFIUS is also to consider three additional factors:
insight into issues CFIUS may be navigating. The E.O.
requires CFIUS to adopt specified approaches and
Aggregate industry investment trends—whether a
direction. While the E.O. does not name China, it targets
transaction may affect U.S. national security with
behaviors common to PRC investments that seek U.S.
regard to the broader industry, and the effect of a series
capabilities in strategic areas prioritized and funded by
of investment transactions in which a foreign investor
China’s industrial policies (see CRS In Focus IF10964).
might gain control of a technology or sector over time.
The E.O. focuses on countries that have a strategic goal of
Cybersecurity—whether a transaction may provide
acquiring critical technology or critical infrastructure that
foreign persons or third parties access to capabilities or
affects U.S. leadership in areas related to national security.
information databases and systems to conduct cyber
https://crsreports.congress.gov

CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines
intrusions or malicious cyber-enabled activity, e.g.,
Guidelines encourage cooperation and “strongly
designed to affect election outcomes or operation of
encourage” self-disclosure of potential violations. Not all
critical infrastructure, such as smart grids. This
violations result in penalties; CFIUS has discretion to
provision looks at how transactions may create specific
determine appropriate remedies. CFIUS considers the
points of connection, access, and related touchpoints
timing of self-disclosure when determining how to respond
and risks in U.S. critical infrastructure.
to a violation. CFIUS also considers several factors in
U.S. persons’ sensitive data—whether a transaction
determining penalties, such as
involves a U.S. business with “access to U.S. persons’
• harm to U.S. national security;
sensitive data,” including “health, digital identity, or
• whether the conduct was intentional or the result of
other biological data and any data that could be
negligence, efforts to conceal or delay sharing
identifiable or de-anonymized,” that could be
information, and seniority of personnel involved;
exploited. The E.O. introduces a broader definition

than current CFIUS regulations with respect to U.S.

actions taken in response to the violation, including
businesses that maintain or collect sensitive personal
voluntary self-disclosure and cooperation; and
data. This factor also appears to promote greater
• the subject’s history, familiarity, compliance record
scrutiny of claims that parties use only anonymized
with CFIUS, and adequacy of internal policies.
data by examining de-anonymizing capabilities.
Considerations for Congress
Enforcement and Penalty Guidelines
The 118th Congress is considering legislation to strengthen
CFIUS’s first-ever Guidelines outline its approach to
CFIUS by addressing perceived gaps in jurisdiction and
enforcement actions and penalty determinations. The
PRC-related concerns, including U.S. outbound investment
Guidelines are non-binding and do not change CFIUS’s
and technology transfer to China in strategic industries;
statutory or regulatory authority to impose penalties. The
PRC investments in U.S. strategic sectors; “greenfield”
Guidelines outline three categories of conduct that can
investments in new U.S. facilities and land purchases.
constitute a violation of CFIUS’s legal authorities or
mitigation agreements: (1) failing to file a mandatory notice
The E.O. and Guidelines raise issues for possible legislation
or declaration triggering CFIUS review; (2) failing to
and oversight of the Foreign Investment Risk Review
comply with a mitigation agreement; and (3) making
Modernization Act of 2018 (FIRRMA, P.L. 115-232, Title
material misstatements, omissions, or false certifications.
XVII, Subtitle A), which expanded CFIUS jurisdiction in
key areas. Congress might update in statute the risk factors
In April 2024, Treasury proposed changes to mitigation and
and sectors that CFIUS must consider, drawing from the
enforcement provisions that would inform the Guidelines
E.O. and factors Congress recommended in FIRRMA
and enhance CFIUS’s regulatory authorities. As proposed,
§1702(c). Congress last updated such factors in the Foreign
the terms would, among other changes, (1) extend penalties
Investment and National Security Act, 2007 (P.L. 110-49).
for material misstatements or omissions to include
Congress might also consider whether to adopt the OSTP-
responses to CFIUS requests for information, (2) increase
defined technologies as the operative list that establishes
the maximum civil penalty amount to $5 million, and (3)
CFIUS jurisdiction over investments in which foreign
allow 20 business days for the petition and decision
parties have sensitive access to or influence over a U.S.
process.
business, but not formal control (i.e., non-passive and non-
controlling investments). The technologies on OSTP’s list
CFIUS Penalty Process
are more broadly defined than CFIUS statute/regulations,
CFIUS first sends a notice that explains the conduct to be
which set jurisdiction by export-controlled technologies.
penalized, the penalty amount, and the legal basis for the
action. The recipient has 15 days to submit a petition for
Congress might engage Treasury and other CFIUS member
reconsideration. CFIUS makes a final penalty determination
agencies to ascertain the extent to which CFIUS is acting on
within 15 days of receiving the petition or after the deadline
the new guidance in practice. With the E.O.’s focus on
to submit the petition expires; deadlines may be extended. If
aggregate investments, Congress could require enhanced
CFIUS concludes that an enforcement action is warranted,
reporting on PRC investments over time by sector, critical
regulations (31 C.F.R. §§800.901, 902) authorize imposing
supply chains, company, and country of investor. It could
penalties and damages, including a civil penalty of up to
examine when instances of aggregation should trigger a
$250,000 or, in some cases, the value of the transaction. To
new CFIUS review, or other agency responses to mergers
date, CFIUS has announced two civil penalties: a $1 mil ion
and acquisitions (e.g., related to antitrust, securities, and
penalty in 2018 for a party’s failure to establish security
telecom). On enforcement, Congress might scrutinize
policies and report as required in a mitigation agreement, and
CFIUS mitigation terms and practices, define in legislation
a $750,000 penalty in 2019 for a party violating a CFIUS
the enforcement mandates, expand penalties, or seek clarity
interim order while a transaction was under review.
on how disagreements among CFIUS agencies are resolved.
Peter J. Benson, Legislative Attorney
The Guidelines explain that CFIUS relies on U.S.-
Cathleen D. Cimino-Isaacs, Specialist in International
government data, publicly available information, third-party
Trade and Finance
service providers (e.g., auditors), tips, and information from
parties to transactions to determine violations. CFIUS also
Karen M. Sutter, Specialist in Asian Trade and Finance
has subpoena authority under 50 U.S.C. §4555(a). The
IF12415
https://crsreports.congress.gov

CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF12415 · VERSION 6 · UPDATED