É«»¨ÌÃ

Book a demo

Security Control Agreement Template for the United States

Generate a bespoke document

  • England and Wales
  • Scotland
  • Northern Ireland
  • Ireland
  • United States
  • Alabama (USA)
  • Alaska (USA)
  • Arizona (USA)
  • Arkansas (USA)
  • California (USA)
  • Colorado (USA)
  • Connecticut (USA)
  • Delaware (USA)
  • Florida (USA)
  • Georgia (USA)
  • Hawaii (USA)
  • Idaho (USA)
  • Illinois (USA)
  • Indiana (USA)
  • Iowa (USA)
  • Kansas (USA)
  • Kentucky (USA)
  • Louisiana (USA)
  • Maine (USA)
  • Maryland (USA)
  • Massachusetts (USA)
  • Michigan (USA)
  • Minnesota (USA)
  • Mississippi (USA)
  • Missouri (USA)
  • Montana (USA)
  • Nebraska (USA)
  • Nevada (USA)
  • New Hampshire (USA)
  • New Jersey (USA)
  • New Mexico (USA)
  • New York (USA)
  • North Carolina (USA)
  • North Dakota (USA)
  • Ohio (USA)
  • Oklahoma (USA)
  • Oregon (USA)
  • Pennsylvania (USA)
  • Rhode Island (USA)
  • South Carolina (USA)
  • South Dakota (USA)
  • Tennessee (USA)
  • Texas (USA)
  • Utah (USA)
  • Vermont (USA)
  • Virginia (USA)
  • Washington (USA)
  • West Virginia (USA)
  • Wisconsin (USA)
  • Wyoming (USA)
  • Austria
  • Denmark
  • France
  • Germany
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Australia
  • New Zealand
  • Singapore
  • Hong Kong
  • India
  • Malaysia
  • Pakistan
  • United Arab Emirates
  • Qatar
  • Saudi Arabia
  • South Africa
  • Nigeria
  • Canada
  • Brasil
  • Monaco
  • Bermuda
  • Cayman Islands
  • Gibraltar
  • Isle of Man
  • Mauritius

What is a Security Control Agreement?

The Security Control Agreement serves as a critical tool in U.S. national security infrastructure, specifically designed for situations where companies with foreign ownership or investment require access to classified information or contracts. This agreement type emerged from the need to balance national security interests with international business operations. It provides a framework for implementing and maintaining security controls, reporting mechanisms, and governance structures that satisfy federal requirements while allowing business operations to continue. The agreement must comply with NISPOM, FIRRMA, and other relevant federal regulations, and is typically required when foreign ownership or control exists but does not warrant a more restrictive Proxy Agreement or Voting Trust Agreement.

Frequently Asked Questions

Is a Security Control Agreement legally binding under US federal law?

Yes, a Security Control Agreement is legally binding under US federal law and creates enforceable obligations for all parties. Once executed, it becomes a contractual commitment that must comply with NISPOM requirements and CFIUS mitigation measures. Violations can result in loss of security clearances, contract termination, and potential criminal penalties under federal security regulations.

Can my company access classified information without a Security Control Agreement?

No, companies with foreign ownership or investment cannot access classified US government information without an approved Security Control Agreement or similar mitigation measure. The Department of Defense and other agencies require these agreements to ensure foreign entities cannot access sensitive national security information. Operating without proper agreements violates federal security regulations and can result in criminal prosecution.

How long does CFIUS review take for Security Control Agreement approval?

CFIUS review of Security Control Agreements typically takes 45-75 days for initial review, but can extend to 6-12 months for complex cases requiring multiple agency coordination. The timeline depends on the sensitivity of the classified information involved, the foreign investor's country of origin, and the completeness of the submission. Incomplete filings or additional information requests can significantlyÑÓ³¤ the process.

How does a Security Control Agreement differ from a Special Security Agreement?

A Security Control Agreement is used for CFIUS mitigation when foreign investment occurs, while a Special Security Agreement (SSA) is used when a foreign-owned company seeks a facility security clearance. Security Control Agreements focus on isolating foreign influence from classified operations, whereas SSAs establish proxy boards and voting trusts. Both serve different regulatory purposes under NISPOM but address foreign ownership concerns differently.

Which federal agencies must approve my Security Control Agreement?

Security Control Agreements typically require approval from the Defense Counterintelligence and Security Agency (DCSA), the relevant government contracting agency, and potentially CFIUS member agencies. For defense contracts, the Department of Defense is the primary approving authority. Other agencies like the Department of Energy or Homeland Security may be involved depending on the type of classified information and contracts involved.

Can foreign nationals serve on my board if I have a Security Control Agreement?

Generally no, Security Control Agreements typically prohibit foreign nationals from serving on the board of directors or in executive positions with access to classified information. The agreement usually requires US citizen-only governance for classified operations and may mandate a separate proxy board structure. Limited exceptions may exist for specific roles with proper security clearances and approval from the cognizant security agency.

How often must I report compliance with my Security Control Agreement?

Security Control Agreements typically require annual compliance certifications to DCSA and quarterly or semi-annual reports to relevant government agencies. Some agreements may require immediate notification of material changes in ownership, governance, or security incidents. The specific reporting frequency depends on the agreement terms, classification level of information accessed, and the government agency's requirements.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Reviewed by

&

Publisher

GenieAI

Category

Security Agreement

Sector

Business

Cost

Free to use

Last updated

About the Security Control Agreement

A Security Control Agreement is a specialized legal instrument that allows companies with foreign ownership or investment to access classified U.S. government contracts and information while maintaining strict security protocols. This agreement creates a framework that balances national security interests with legitimate international business operations, ensuring compliance with federal regulations while enabling commercial activities.

When do you need this document?

You need a Security Control Agreement when your company has foreign ownership or investment and seeks to bid on or perform classified government contracts. This situation commonly arises when foreign investors hold significant stakes in U.S. defense contractors, technology companies working on sensitive projects, or businesses seeking facility security clearances. The agreement becomes necessary when the Committee on Foreign Investment in the United States (CFIUS) or the Defense Counterintelligence and Security Agency (DCSA) determines that foreign influence poses potential security risks but can be mitigated through structured controls rather than complete divestiture or proxy arrangements.

Key legal considerations

The agreement must establish robust security controls that isolate foreign parties from classified information and decision-making processes. Key provisions include creating a Government Security Committee with cleared U.S. citizens who oversee security matters, implementing information barriers to prevent unauthorized access, and establishing reporting requirements to government agencies. You must carefully define the scope of restricted activities, specify which personnel can access classified areas, and outline procedures for handling security violations. The agreement should address technology transfer restrictions, export control compliance, and protocols for board meetings where classified matters might arise. Additionally, consider provisions for regular security audits, employee screening procedures, and termination clauses that protect classified information if the arrangement ends.

Legal requirements in United States

Under U.S. federal law, Security Control Agreements must comply with the National Industrial Security Program Operating Manual (NISPOM), which establishes comprehensive requirements for protecting classified information in industry. The Foreign Investment Risk Review Modernization Act (FIRRMA) expanded CFIUS authority to review and impose conditions on foreign investments that could affect national security. Your agreement must satisfy Department of Defense security requirements and may need approval from relevant government agencies before implementation. The Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) may impose additional restrictions on technology sharing and export activities. Compliance with the Defense Production Act of 1950 may also be required for companies involved in critical defense manufacturing. Regular reporting to the Defense Counterintelligence and Security Agency and other oversight bodies is typically mandatory, and failure to maintain required security standards can result in contract termination or facility clearance revocation.

GOVERNING LAW

Applicable law

This Security Control Agreement is drafted to comply with United States law. Key legislation includes:

Explore 208,390+ legal templates

Explore 208,390+ legal templates

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it