Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give filing advice, sanctions opinions, export classifications, or CFIUS legal opinions. Regulatory status is current as of drafting (2026-06-16); see the dated status notes in each piece.


National security used to be someone else’s department. It lived with the general counsel, the compliance team, the government-affairs shop down the hall, and on a deal it tended to arrive late, after the letter of intent, sometimes after the signing, occasionally not at all. A diligence team could run a clean quality-of-earnings analysis, pressure-test the working capital, confirm the customer concentration, and hand over a thick report that never once asked whether the United States government would let the transaction happen, or let it stay happened. For a long time that was a defensible way to work, because the government mostly was not asking. That era is over.

Between roughly 2024 and 2026 the federal government expanded and connected an interlocking set of screens that turns ordinary deal facts into national-security questions. Who actually owns the buyer, once the funds and holding companies are peeled back. What the target really makes, and whether anyone in Washington would call it critical. Whose money is in the acquiring fund. Where the data flows, and who can reach it. Where the company’s buildings sit, and what they sit next to. Each of those facts now has a federal regime attached to it, and the consequence of getting one wrong is not a strongly worded letter. It can be a blocked deal, a deal unwound after closing, a civil penalty that scales with the size of the transaction, an export denial order that cuts a company off from its supply chain, or the outright seizure of the asset.

That is the thesis of this section, stated as plainly as it can be: national security has become a financial-diligence problem. And the good news, for the people who do this work, is that the skill it demands is not a security-clearance skill or a Washington-insider skill. It is the same forensic, source-disciplined, follow-the-money skill a certified public accountant (CPA) and a certified fraud examiner (CFE) already practice on a quality-of-earnings review or a fraud examination, pointed at a different risk. Trace the ownership to its ultimate beneficial owner. Withhold the conclusion until the evidence converges. Keep a hard line between what the public record proves and what it merely suggests. Those instincts, applied to a short list of federal screens, are most of the job.

This hub maps the apparatus and routes you to the right spoke. Each of the eleven spokes that follows takes one screen down to the studs, with the statute and how it grew, the agencies that run and enforce it, what trips the wire in a live deal, what the government can do at the end, and the exact diligence a buyer runs to stay out of trouble, reduced to a checklist and a small public-data exercise you can run yourself. Read this piece first, then follow the track that fits your seat at the table.

Why this, why now

The first thing to understand is that almost none of these regimes is new. The Committee on Foreign Investment in the United States, known by the acronym CFIUS, has reviewed inbound foreign investment since the Exon-Florio amendment of 1988. The sanctions power runs back to the Trading with the Enemy Act of 1917 and, in its modern form, the International Emergency Economic Powers Act of 1977 (IEEPA). Export controls, the Bank Secrecy Act of 1970, and civil forfeiture are all older than most of the companies they now touch. If the laws are old, why does this belong in a 2026 playbook and not a 2006 one?

The answer is that, in a compressed window, the regimes converged, expanded, and grew teeth at the same time, and they did so in a way a dealmaker can feel. Four developments tell the story.

The government built a mirror image of CFIUS pointed the other direction. The Outbound Investment Security Program, effective January 2, 2025, restricts American capital flowing into Chinese semiconductors, quantum information technology, and artificial intelligence (AI). For the first time, money going out is screened, not just money coming in, and at the end of 2025 Congress wrote that program into permanent statute and widened its future reach. The penalty regimes stopped being theoretical. A 2024 rule lifted the maximum CFIUS civil penalty twentyfold, to five million dollars per violation or the value of the transaction, whichever is greater, and the committee promptly issued a sixty-million-dollar penalty against a single company. The Department of Justice (DOJ) stood up a data-security program under Executive Order 14117, effective April 8, 2025, that treats bulk sensitive data as a strategic asset to be walled off from countries of concern, which means data flows are now a diligence line item rather than a privacy afterthought. And the enforcement posture hardened across the board: the Deputy Attorney General’s framing that sanctions are the new Foreign Corrupt Practices Act (FCPA) became operational, complete with a corporate-enforcement unit, a merger-and-acquisition safe harbor for voluntary self-disclosure, and the largest Bank Secrecy Act penalty in history. Even the incentives changed. A federal whistleblower bounty program now reaches sanctions and national-security violations, the structural cousin of the False Claims Act qui tam suits that built much of the government’s fraud docket.

The pieces were drafted in different decades, by different agencies, for different reasons, and they have never been harmonized into a single code. But the buyer who sits across the table from a deal does not get to treat them as separate. They land together, on one transaction, at one closing, and the diligence has to see all of them at once.

Underneath the four developments is a single conceptual shift, and it is the one a diligence professional most needs to absorb. The government has concluded that capital, technology, data, and ownership are national-security surfaces and not merely commercial ones, and that the most efficient place to police them is the transaction itself, before the deal closes and while the leverage to impose conditions still exists. That is why these regimes increasingly behave less like after-the-fact enforcement and more like gates a deal has to clear. It is also why the work of clearing them has migrated out of the compliance department, which by design acts after a problem surfaces, and into the diligence room, which acts before the deal is done. The screens reward the buyer who treats national security as something to be priced and structured during diligence, and they punish the buyer who treats it as a box to check after signing. The first keeps its optionality. The second discovers, often too late, that the most important counterparty in the deal was a federal agency it never thought to diligence.

The map: six screens, several remedies, one workflow

There are six screens. The most useful way to hold them is as six questions the government now asks about a deal, which means the diligence team has to ask them first. This is the hub’s main artifact: the stack at a glance. The longer working version sits in the section’s regime_trigger_matrix.md file and D1 turns it into a full deal workflow.

| Screen | Core question | Governing law | Lead agency | Primary remedy set | Status (as of drafting) |
|---|---|---|---|---|---|
| Inbound capital (CFIUS) | Is a foreign person acquiring a sensitive US business? | Defense Production Act sec. 721; FIRRMA | CFIUS, chaired by Treasury | Mitigation, monitoring, penalty, blocked deal, forced unwind | In force |
| Outbound capital | Is US money flowing into a country-of-concern critical technology? | Executive Order 14105; 31 CFR Part 850; COINS Act | Treasury (Office of Investment Security) | Penalty, divestment, unwind | In force (eff. Jan. 2, 2025; conforming rulemaking pending) |
| Money (sanctions) | Is a counterparty or owner sanctioned, directly or by the 50 percent rule? | IEEPA; OFAC programs | Treasury (Office of Foreign Assets Control) | Penalty, blocked property, forfeiture, successor liability | In force |
| Trade (export controls) | Do the target’s products, technology, or people require a license? | Export Control Reform Act; the EAR; the ITAR | Commerce (Bureau of Industry and Security); State (DDTC) | Denial order, license restriction, civil and criminal penalty | In force |
| Money laundering (BSA/AML) | Can we actually see who owns and banks this? | Bank Secrecy Act; the AML Act of 2020; the Corporate Transparency Act | FinCEN (Treasury) | Consent order, civil penalty, criminal plea | In force (BOI narrowed; some FinCEN rules vacated or delayed) |
| Data (EO 14117) | Does a foreign adversary get access to bulk sensitive data? | Executive Order 14117; 28 CFR Part 202 | DOJ National Security Division | Penalty, restricted or prohibited transaction | In force (eff. April 8, 2025; phased) |

Two features of that table do more work than the rest, and missing either one is how a diligence memo goes wrong.

The first is that the remedies differ by screen, and they are not all the same hammer. It is tempting, once you learn that the government can seize assets, to imagine that every one of these roads ends in forfeiture. It does not. Forfeiture is the sharpest tool in the sanctions, money-laundering, and kleptocracy context, where prosecutors trace tainted proceeds and take them, and the spoke on asset seizure (C2) is where that machinery lives. But CFIUS runs mostly on negotiated mitigation, monitoring, civil penalties, blocked deals, and forced unwinds; the Bureau of Industry and Security reaches first for denial orders and license restrictions; FinCEN works through consent orders and monitorships. A buyer who fears only the dramatic seizure will miss the quieter remedy that actually threatens the deal in front of them, which is usually delay, a condition that changes the economics, or a transaction that quietly dies. The right mental model is six screens, several remedies, and one workflow that checks all of them, which is the model the integrated-workflow spoke (D1) builds out.

The second is that status is not static, and this screen is unusually prone to confident, sourced, and wrong sentences. The money-laundering perimeter is the clearest example. The Corporate Transparency Act promised a beneficial-ownership database that diligence teams could lean on; a March 2025 interim rule narrowed the reporting obligation to foreign-formed entities only, exempted every domestic company, and left the data confidential and access-limited rather than public. FinCEN’s residential-real-estate reporting rule was vacated by a federal court in March 2026 and is on appeal, so it is not a live filing requirement while the order stands. Its investment-adviser anti-money-laundering rule was pushed to January 1, 2028. A field guide that hard-codes last year’s status misleads the reader, which is why this section keeps a dated status table, cites it on every status claim, and revisits the volatile items every quarter. When a spoke tells you something is in force, it tells you as of when, and against what source.

Who runs the stack

Read the six spokes together and a pattern emerges that no single one of them shows on its own: a small number of institutions sit behind the whole apparatus, and knowing which one owns which screen tells a buyer who it will actually be dealing with.

The Treasury Department is the center of gravity. It chairs CFIUS through its Office of Investment Security; it runs the outbound-investment program out of the same office; it administers economic sanctions through the Office of Foreign Assets Control; and it houses the Financial Crimes Enforcement Network, FinCEN, which owns the Bank Secrecy Act and beneficial-ownership regimes. Four of the six screens, in other words, run through one building, which is part of why the United States treats investment security as a finance-ministry function and keeps open investment as the default. The Commerce Department, through its Bureau of Industry and Security, runs export controls on dual-use items, with the State Department’s Directorate of Defense Trade Controls handling the munitions side under the International Traffic in Arms Regulations. And the Justice Department runs the newest screen, the data-security program, out of its National Security Division.

What the Justice Department also does, across every one of these regimes, is litigate and seize. When the conditions a regulator negotiates are ignored, it is the Attorney General who goes to court. The Justice Department brought the first-ever lawsuit to enforce a presidential CFIUS divestment order in 2026; it prosecutes willful sanctions and export and Bank Secrecy Act violations criminally; and its Money Laundering and Asset Recovery Section and the kleptocracy task forces run the forfeitures that recover tainted capital. Feeding all of this, largely invisibly, is the intelligence community, which by statute supplies CFIUS with a threat assessment for each notified deal and informs the risk judgments across the stack. The practical lesson for a buyer is that these are not faceless processes. A CFIUS mitigation deal means a multi-year relationship with a designated monitoring agency that will audit the company; a sanctions or export matter can put the Justice Department across the table; and the entity an investor never sees, the intelligence assessment, is often the thing that decides the outcome.

One more pattern is worth naming, because it changes how a buyer should price the risk. When a company fails across these regimes, the remedies do not arrive one at a time or from a single agency; they stack. The 2024 Bank Secrecy Act resolution against a large bank is the teaching case. A single pattern of anti-money-laundering program failures drew a criminal guilty plea and more than 1.8 billion dollars from the Justice Department, a separate and record 1.3 billion dollar penalty plus a four-year independent monitorship from FinCEN, and a separate 450 million dollar penalty and a growth restriction from the bank’s primary banking regulator, all on the same conduct. The diligence translation is blunt: a control failure found in one screen should be assumed to carry exposure under several, because the agencies that run this stack increasingly act in parallel on the same facts.

How the screens overlap on one deal

The screens are easiest to learn one at a time, which is how the spokes are written, but they rarely arrive one at a time. A single transaction routinely trips several, and the diligence value is in seeing the whole set early rather than discovering them in sequence as each one detonates.

Consider a plausible mid-market deal: a foreign-controlled buyer acquiring a US company that designs specialized chips, holds a meaningful database of identifiable information on American users, sells into China, and leases space near a military installation. That one transaction is, at once, a CFIUS inbound matter (foreign control of a business that touches critical technology and sensitive data), an export-control matter (the chip designs and the China customers), a sanctions-screening matter (the buyer’s owners and the customer base), a data-security matter (the user database and any foreign access), and a real-estate matter (the lease near the base). Each screen has its own trigger, its own clock, its own filing or notification, and its own remedy, and they do not coordinate themselves. A diligence team that runs them as one workstream can sequence the filings, build the calendar, and price the risk before signing. A team that meets them one at a time learns about the export problem after the CFIUS filing, the data problem after the export problem, and the penalty after closing.

The fund side has its own version of the same trap. A US venture fund leading a round into a foreign artificial-intelligence company is, at the same moment, an outbound-investment matter (is the target a covered foreign person in a covered technology, and is the deal prohibited or merely notifiable), a sanctions matter (are any of the company’s owners, or the fund’s own limited partners, blocked, directly or by the 50 percent rule), and, where the fund commits as a limited partner into a pooled vehicle, a question about whether that channel itself reaches covered foreign persons. The outbound program’s reasonable-and-diligent-inquiry standard means the fund cannot wait for a regulator to raise any of this. The rule effectively orders the fund to run the analysis itself before the capital call and to keep the file that proves it did.

Worse, the screens run on clocks that do not line up. CFIUS sets a 45-day review, a possible 45-day investigation, and a 15-day presidential window; the outbound program’s notifiable tier is frequently filed only after the deal has already closed; export licenses run on their own variable timelines; and the data-security program phased its affirmative obligations across 2025. A diligence team that maps these clocks against the deal calendar can sequence the work and set realistic conditions to closing. A team that does not will find a ninety-day federal review sitting athwart a sixty-day signing-to-close timeline, discovered in week eight, when there is no longer any leverage to do anything about it.

This is exactly why the section ends with an integrated workflow (D1) rather than leaving the reader with six separate checklists. The workflow’s job is to take the deal’s facts once, run them against all six screens in a single pass, and produce one risk memo that a deal principal and counsel can act on, with each regime’s exposure sourced and each filing built into the timeline. The individual spokes teach the screens; the workflow teaches the sequencing.

The lab and the case-data layer

Every spoke also carries a small Applied Due Diligence Lab exercise. That is deliberate, and it is bounded. The lab does not turn a legal regime into a code trick, and it never tells a reader that a script has found a violation. It teaches a diligence habit: take a public or synthetic dataset, document where it came from, run a reproducible screen, and write down what the result can and cannot prove. A screening-list hit is a lead. A fuzzy name match is a lead. A synthetic ownership graph is a way to understand the Office of Foreign Assets Control 50 Percent Rule, not a substitute for source documents and sanctions counsel. An export-list query can tell you that a counterparty appears on a restricted-party list; it cannot classify the target’s product under the Export Administration Regulations. The lab’s value is that it turns the article’s procedure into something a practitioner can repeat without pretending that public data is more complete than it is.

The code surface is a companion repo under lab/national-security-diligence-lab/. The smaller lablets build the reader’s skill one piece at a time: pulling CFIUS annual-report figures, screening public lists, tracing a synthetic beneficial-ownership chain, checking a synthetic data threshold, and building a public forfeiture timeline. D2 is the capstone. It brings the pieces together into a runnable national-security screening toolkit, with fixture tests, live-source smoke tests, redacted outputs, and documentation that names the limits of the method. The rule across the repo is the same as the rule across the prose: public or synthetic data only, no client records, no target names, no confidential beneficial-ownership information, and no conclusion that belongs to counsel.
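An added example, not taken from the companion repo or written by the article's author: one way to run the synthetic ownership-graph exercise described above for the OFAC 50 Percent Rule. It assumes OFAC's cascading treatment, in which an entity that meets the threshold is itself treated as blocked and its stakes count in full further down the chain (percentages are not multiplied through). Every entity name and stake is constructed, and the status labels are this example's own.

```python
"""Synthetic ownership-graph screen for the OFAC 50 Percent Rule (added example).

Output is a set of leads and open questions, never findings.
"""
from collections import defaultdict

THRESHOLD = 50.0  # percent, aggregate ownership by blocked parties

# Constructed sample data: parties assumed to appear on a screening list.
LISTED = {"SDN_X", "SDN_Y"}

# Constructed sample data: (owner, owned entity, documented percent stake).
EDGES = [
    ("SDN_X", "HoldCo_A", 50.0), ("Clean_1", "HoldCo_A", 50.0),
    ("HoldCo_A", "OpCo_B", 50.0), ("Clean_1", "OpCo_B", 50.0),
    ("SDN_X", "Fund_C", 25.0), ("Clean_1", "Fund_C", 75.0),
    ("SDN_X", "Fund_D", 25.0), ("Clean_2", "Fund_D", 75.0),
    ("Fund_C", "Target_E", 50.0), ("Fund_D", "Target_E", 50.0),
    ("SDN_X", "JV_F", 30.0), ("SDN_Y", "JV_F", 20.0), ("Clean_2", "JV_F", 50.0),
    # Shell_G has only 70% of its cap table documented: a 30% gap.
    ("SDN_Y", "Shell_G", 40.0), ("Clean_1", "Shell_G", 30.0),
    ("Shell_G", "Sub_H", 100.0),
]


def closure(owners, listed, count_gaps):
    """Fixpoint: keep adding entities whose blocked-owner share hits 50%.

    With count_gaps=True the undocumented remainder of each cap table is
    treated as if a blocked party held it (worst case).
    """
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity, stakes in owners.items():
            if entity in blocked:
                continue
            share = sum(pct for owner, pct in stakes if owner in blocked)
            if count_gaps:
                share += max(0.0, 100.0 - sum(pct for _, pct in stakes))
            if share >= THRESHOLD:
                blocked.add(entity)
                changed = True
    return blocked


def screen(edges, listed):
    """Label every entity that has documented owners.

    lead              -> documented stakes alone reach the threshold
    question          -> only an ownership gap could reach it
    no lead on record -> neither; says nothing beyond the data supplied
    Parties with no documented owners are treated as the top of a chain.
    """
    owners = defaultdict(list)
    for owner, entity, pct in edges:
        owners[entity].append((owner, pct))
    on_record = closure(owners, listed, count_gaps=False)
    worst_case = closure(owners, listed, count_gaps=True)
    result = {}
    for entity in owners:
        if entity in on_record:
            result[entity] = "lead"
        elif entity in worst_case:
            result[entity] = "question"
        else:
            result[entity] = "no lead on record"
    return result


if __name__ == "__main__":
    for name, status in sorted(screen(EDGES, LISTED).items()):
        print(f"{name:10s} {status}")
```

A `question` result means the undocumented part of the cap table is large enough to change the answer, so the next step is source documents and counsel rather than a conclusion.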

Actual case data lives in a separate public-case-data matter. That surface matters because the section needs real enforcement history, not only synthetic examples, but it also needs allegation-versus-finding discipline. D3 uses that matter to compare a CFIUS forced-unwind track with a forfeiture-recovery track. The case-data files keep the procedural timelines, source inventory, allegation posture, and publication-clearance notes outside the article draft until the facts are clean enough to publish. That separation lets SPP teach from real Ralls, Grindr/Kunlun, and 1MDB materials without mixing public-source enforcement history with the lab’s synthetic training data or with any client matter.

The through-line: the remedy depends on the regime, the discipline does not

For all the variety in these six regimes, the analytical discipline underneath them is single and familiar. It is the forensic accountant’s discipline: withhold belief until the evidence converges, trace ownership and money to a primary source, and separate what a public record can prove from what it can only suggest. A name on a screening list is a lead, not a finding. An ownership chart with a gap is a question, not an accusation. A target’s clean self-certification is a hypothesis to be tested, not a conclusion to be adopted. The diligence work, in every one of these screens, is to turn leads and gaps into a defensible memo: here is the exposure, here is the source behind it, here is what we can document, here is what requires counsel, and here is what remains unresolved after the public record is exhausted.

That discipline is also what keeps this work credible and inside the lines. SPP is not offering counterintelligence services, and it is not in the business of geopolitics. It is doing buy-side due diligence on national-security, sanctions, export-control, data-access, and illicit-finance exposure, the same way it does diligence on revenue quality or working capital. The framing is deliberately technical, and it is durable for that reason: protecting a client’s capital from forfeiture exposure and from tainted counterparties is sound diligence regardless of which way the political winds are blowing, and it reads the same to a buyer on either side of any debate.

Where to start, depending on who you are

The eleven spokes are organized into four tracks. Read this hub first, then follow your seat.

| If you are | Start with | Then |
|---|---|---|
| An acquirer of a US business | CFIUS (A1), then the integrated workflow (D1) | Sanctions (B1) and export controls (B2) |
| A fund or general partner deploying capital | Outbound investment (A2), then sanctions ownership tracing (B1) | The whistleblower and disclosure map (C3) |
| A lender or investor in a data business | The data-security program (C1) | The integrated workflow (D1) and the forfeiture piece (C2) |
| A seller preparing for diligence | The integrated workflow (D1) | Whichever screen your business triggers |
| Counsel or a certified fraud examiner building the screen | The screening toolkit (D2) | Forfeiture (C2) and the comparative case study (D3) |

The full slate runs in four tracks:

Each spoke teaches one concrete diligence skill and ships one reusable artifact, a checklist, a worksheet, a memo template, or a runnable screen, so the section reads as a training course rather than only an explainer. This hub’s own artifact is the map above, the six-screen, several-remedy matrix that the integrated workflow turns into a single diligence pass.

What this section is and is not

This is an educational field guide for the buy side. It is not legal advice, a sanctions opinion, an export classification, or a CFIUS filing recommendation. Where a deal feature trips a regime, the right sequence is to spot it early, document the exposure with its source, structure around it in the deal terms, and bring in qualified counsel for the legal call. The diligence team’s contribution is specific and valuable precisely because it is bounded: it makes sure the right questions get asked while there is still time and leverage to act on them, which means before signing, not after the government asks the questions for you.

Terms used in this article

The full glossary lives in the section’s master glossary; the terms you need for this hub:

  • CFIUS (Committee on Foreign Investment in the United States): the interagency committee, chaired by Treasury, that reviews foreign investment in US businesses for national-security risk.
  • IEEPA (International Emergency Economic Powers Act): the 1977 emergency-powers statute behind most sanctions and the outbound-investment program.
  • OFAC (Office of Foreign Assets Control): the Treasury office that administers and enforces US sanctions.
  • SDN (Specially Designated National): a person or entity on OFAC’s blocked list.
  • OFAC 50 Percent Rule: an entity owned 50 percent or more, in the aggregate, by sanctioned parties is itself blocked.
  • BIS (Bureau of Industry and Security): the Commerce bureau that runs dual-use export controls.
  • ECCN (Export Control Classification Number): the code that classifies an item for export-control licensing.
  • BOI (Beneficial Ownership Information): ownership data reported to FinCEN; since March 2025, foreign-formed entities only, and confidential.
  • Covered data transaction: a deal giving a country of concern access to bulk US sensitive data.
  • Forfeiture: the government’s seizure of tainted assets or traced proceeds.

Selected sources

  • CFIUS, Treasury: home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius
  • Outbound Investment Security Program, Treasury: home.treasury.gov/policy-issues/international/outbound-investment-program
  • Office of Foreign Assets Control, Treasury: ofac.treasury.gov
  • Bureau of Industry and Security, Commerce: bis.gov
  • FinCEN beneficial ownership: fincen.gov/boi
  • DOJ Data Security Program: justice.gov/nsd/data-security
  • Per-screen statutes, rules, and enforcement records are cited in each spoke and tracked in the section’s status table.
  • Section status dashboard: source_status_table.md
  • Master regime-trigger matrix: regime_trigger_matrix.md
  • Master glossary: master_glossary.md
  • Companion lab: lab/national-security-diligence-lab/
  • Public case-data matter: case_data_matter/

Status note

  • Last reviewed: 2026-06-16
  • Next scheduled review: 2026-09-16
  • Current watch items: the residential-real-estate rule vacated and on appeal; the investment-adviser anti-money-laundering rule delayed to 2028; the beneficial-ownership domestic exemption; the COINS Act conforming rulemaking and the first outbound-investment enforcement actions; Executive Order 14117 guidance updates; and the Section 8102 CFIUS sensitive-sites rulemaking.

By Noah Green CPA CFE, for Sheepdog Prosperity Partners. Educational only; not legal advice.