Sheepdog Prosperity Partners
Due Diligence

CFIUS: The Inbound Capital Screen

by | Jun 6, 2026 | Buyer's Guide, National Security Diligence | 0 comments

Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give CFIUS legal opinions or filing advice. Regulatory status is current as of drafting (2026-06-14); see the status note at the end.

A deal can die three ways at the hands of a single committee, and none of the three shows up on a financial model. The government can block it outright. It can let it close and then, months or years later, force it apart again. Or, most quietly of all, it can wave the deal through under a set of operating conditions that strip out the very thing the buyer was paying for, leaving a company that is legally acquired and strategically hollow. The committee is the Committee on Foreign Investment in the United States, known by the acronym CFIUS and pronounced, by the people who spend their lives in front of it, “sifius.” For any transaction with a foreign buyer, a foreign investor tucked inside the acquiring fund, or a target that happens to sit on the wrong patch of American ground, it is the single regulator most able to take the deal off the table.

The instinct on the buy side is to file CFIUS under legal, a matter for outside counsel to manage in the weeks before signing. That instinct is expensive, and it is expensive in a specific way: it arrives too late to change anything. Jurisdiction, the filing decision, and the review clock are not, at bottom, legal abstractions. They are functions of facts that a diligence team is already assembling for entirely commercial reasons. Who really owns the buyer, once the holding companies and the funds and the nominees are peeled back. What the target actually makes, and whether anyone in a windowless room in Washington would call it critical. Whether the company holds data on Americans, and how much. Where its buildings sit, and what they sit next to. Surface those facts in week two of diligence and CFIUS becomes a line on the closing checklist, a clearance to be obtained and a condition to be drafted. Surface them in week ten, or fail to surface them at all, and CFIUS becomes the reason the wire never sends, or the reason a closed deal is pried back open with a civil penalty attached to it.

This piece takes the inbound capital screen down to the studs. Where the review power comes from and how it grew. Who actually sits on the committee, and who does the investigating and the watching once a deal is inside it. What trips the wire in a live transaction, how the clock runs once it does, and what the government can really do when the clock stops. And then the part that earns the reading: the concrete diligence a certified public accountant (CPA) or certified fraud examiner (CFE) runs to keep a client out of the committee’s path, reduced to a trigger checklist and a small public-data exercise you can run yourself. The skill underneath all of it is unglamorous and portable: the ability to look at a deal and a buyer and say, with a source behind every sentence, whether this is a CFIUS deal, whether a filing is mandatory, and what the answer does to the calendar and to the allocation of risk between the parties.

What CFIUS was built to solve

Start with the problem the committee exists to fix, because the problem explains everything that follows. When a foreign buyer acquires an American business, the two sides of the table optimize for the same thing the rest of us do, which is value. Neither has any commercial reason to price in the possibility that the buyer’s government might, someday, use the control it just purchased to reach a sensitive technology, to plant itself beside a military base, or to sit on the personal data of millions of Americans. That cost is real, but it is external to the deal; it lands on the public, not on the parties. CFIUS is the mechanism the United States built to drag that external cost back onto the table and force someone to look at it before the money moves.

The authority is younger than most of the companies it now polices, and you can date its birth almost to the day. Its operative core is Section 721 of the Defense Production Act of 1950, a Cold War statute about industrial mobilization, codified at 50 U.S.C. 4565 and titled, with bureaucratic flatness, “Authority to review certain mergers, acquisitions, and takeovers.” Section 721 was not in the 1950 law. It was bolted on in 1988 by the Exon-Florio amendment, named for its two congressional sponsors and carried into law as a rider on the Omnibus Trade and Competitiveness Act of that year, after a proposed Japanese acquisition of an American semiconductor company turned a diffuse anxiety into a legislative one: that the foreign purchase of strategic industry might be a national-security event and not merely a commercial transaction.

From that seed the statute grew in layers, and the layers are the history. The fastest way to understand the modern committee is to read the amendment pedigree of 50 U.S.C. 4565 in order, with the Statutes at Large pinned, because each public law is a scar from a particular fight:

Layer Public law Date What it added
Exon-Florio Pub. L. 100-418, title V, sec. 5021 (102 Stat. 1425) Aug. 23, 1988 Created the review-and-suspend authority as Section 721 of the Defense Production Act.
Byrd amendment Pub. L. 102-484, title VIII, sec. 837 (106 Stat. 2463) Oct. 23, 1992 Made an investigation mandatory where a foreign-government-controlled entity was the acquirer, with a report to Congress.
FINSA Pub. L. 110-49 (121 Stat. 246) July 26, 2007 Codified the committee in statute, firming up its structure, process, and accountability.
FIRRMA Pub. L. 115-232, div. A, title XVII (132 Stat. 2177) Aug. 13, 2018 Created mandatory declarations, reached certain non-controlling investments, and extended jurisdiction to real estate and sensitive-data businesses.
FY2021 NDAA Pub. L. 116-283, sec. 9721(a) (134 Stat. 4839) Jan. 1, 2021 Technical amendment in the pedigree chain.
FY2026 NDAA Pub. L. 119-60, title LXXXI, sec. 8102 (139 Stat. 1837) Dec. 18, 2025 Built new real-estate sensitive-site machinery (covered below).

Three of those rows have deals behind them, and the deals are worth a sentence each, because they are how the law actually moves. The Byrd amendment of 1992 followed a wave of unease about foreign-government buyers and hard-wired a mandatory investigation whenever one of them was at the wheel. The Foreign Investment and National Security Act of 2007, which everyone calls FINSA, was Congress reacting to the Dubai Ports World controversy of 2006, in which a company owned by the government of the United Arab Emirates would have taken over operations at several major American ports; the political reaction was loud enough to write the committee, which had until then lived mostly in an executive order, into permanent statute. And the Foreign Investment Risk Review Modernization Act of 2018, FIRRMA, is the law that produced the CFIUS practitioners deal with today. It did not arrive as a proud standalone bill. It rode in as Title XVII of that year’s National Defense Authorization Act (the NDAA, the sprawling annual defense bill that has become Congress’s favorite vehicle for anything touching national security), and it rewrote the committee’s reach: mandatory filings for the first time, jurisdiction over minority investments that stop short of control, and a new mandate to police real estate and the businesses that hold Americans’ data.

The point of the history is not antiquarian. It is that CFIUS jurisdiction has expanded in one direction for nearly four decades and has never once contracted. The only safe working assumption on any deal with a foreign element is that the committee could reach it, and the diligence exists to prove, with sources, that it does not, or to plan for the reality that it does.

The operating detail lives one level down, in two regulations finalized in early 2020 to carry FIRRMA into force, both in Title 31 of the Code of Federal Regulations (the CFR, the codified body of federal agency rules). Part 800 of that title governs covered investment transactions, the committee’s core jurisdiction over investments in American businesses. Part 802 governs covered real estate transactions. Keep the two parts straight from the first day of diligence, because every trigger analysis runs through one or the other, and a surprising number run through both.

Who sits on the committee, and who does the watching

CFIUS is not an agency. It has no building of its own, no single administrator, no line in the federal budget with its name on it. It is a committee, in the most literal sense: a standing table of cabinet departments that convenes to look at deals, and the texture of who sits at that table, and who does the work between meetings, matters enormously to a buyer, because those are the people a deal will actually meet.

The membership is set by statute, at 50 U.S.C. 4565(k), and it reads like a map of where the government keeps its security anxieties. Nine voting members sit on the committee. The Secretary of the Treasury chairs it, which is itself a tell: the United States runs its investment-security screen out of its finance ministry, not its defense ministry, a structural choice that keeps the committee tethered to the idea that open investment is the default and review is the exception. The other eight voting seats belong to the Secretaries of State, Defense, Homeland Security, Commerce, and Energy; the Attorney General, who heads the Department of Justice (DOJ); the United States Trade Representative (USTR); and the Director of the Office of Science and Technology Policy (OSTP), the White House’s in-house scientist. Two more members sit without a vote, ex officio: the Secretary of Labor and the Director of National Intelligence (DNI). And a rotating cast of White House offices, the National Security Council and the National Economic Council among them, observe and participate as the matter warrants. The President can add other officials to a given case. It is, in other words, the whole national-security cabinet, assembled around a single transaction.

The day-to-day machinery sits inside Treasury, in the Office of Investment Security, which staffs the committee and runs the process the parties experience. Filings are received, processed, and coordinated at the staff level by an official the regulations call the Staff Chairperson, and a designated case team carries each transaction through review. When a notice comes in, the intelligence community goes to work in parallel: by statute the Director of National Intelligence is directed to produce a threat assessment for the transaction, a classified analysis of what the foreign acquirer is, who stands behind it, and what it might do with what it is buying. That assessment is the part of the process a buyer never sees and cannot rebut, and it is the engine behind a great deal of what the committee ultimately decides. The committee’s members, meanwhile, supply the subject-matter judgment from their own domains: Defense on the proximity to a base, Energy on the reach toward a national laboratory, Homeland Security on critical infrastructure, Commerce on the technology.

The most consequential institutional fact for a buyer comes after clearance, not before it, and it is the part most diligence misses. When CFIUS resolves a risk through mitigation rather than a block, somebody has to make sure the conditions are actually honored, sometimes for years. That job is split. Treasury’s Office of Investment Security houses a dedicated Monitoring and Enforcement function, and for each active mitigation agreement Treasury designates at least one other member agency, one with a substantive interest in the transaction, to negotiate, monitor, and enforce it. That designated agency, often the Department of Defense or the Department of Homeland Security depending on the risk, becomes the buyer’s long-term counterpart: the entity that receives the compliance reports, conducts the site visits and audits, approves the security officers, and, when the conditions slip, recommends the penalty. The civil-penalty record discussed below is the visible output of that quiet, continuous machinery. And when the sharpest remedy is in play, a presidential order to divest, it is the Attorney General and the Department of Justice who carry it into court if the parties do not comply, a step the government took for the first time in early 2026 in the Suirui matter described later in this piece.

For diligence, the lesson is concrete and easy to state. A buyer is not negotiating with an abstraction called CFIUS. It is dealing with a Treasury-led committee informed by a classified intelligence assessment it will never read, and, if mitigation results, it is signing up for a multi-year relationship with a specific monitoring agency that will audit it. Understanding that anatomy is the difference between treating CFIUS as a one-time gate and pricing it as what it often is: an ongoing operating constraint on the business being bought.

What changed from 2024 to 2026

The reason CFIUS belongs in a 2026 diligence playbook, and not the 2018 one gathering dust on a shelf, is that the committee grew both sharper teeth and longer reach in the span of about two years. The change came in three distinct registers.

The first is that the penalties became real money. For most of the committee’s life its enforcement power was close to theoretical; the threat of a fine was a threat in principle. A Treasury final rule published in late 2024 and effective December 26, 2024, carrying the Federal Register citation 89 FR 93179 (the Federal Register, abbreviated FR, being the government’s daily journal of new rules), ended that era. It raised the maximum civil penalty from 250,000 dollars, a cap set more than fifteen years earlier and never once adjusted for the passage of time, to 5,000,000 dollars per violation. And it did something subtler that deserves a buyer’s full attention: for a failure to make a mandatory filing, it set the maximum at the greater of 5,000,000 dollars or the value of the transaction itself. That clause uncouples the penalty from any fixed ceiling and ties it to the size of the deal, which means that on a large transaction the exposure for simply not filing when the law required it is no longer a rounding error. It is the deal.

The second register is real estate, where the net widened twice in quick succession. A separate 2024 rule (89 FR 88128, effective December 9, 2024) expanded the published list of military installations around which a foreign real-estate purchase falls inside Part 802. Then, in December 2025, Section 8102 of that year’s NDAA reached into the statute itself, and here precision matters, because the summaries that circulated about this provision overstated it. The actual text amends the real-estate definition in Section 721 to let the committee prescribe, by regulation, a list of military installations and other government sites that are sensitive for national-security reasons, a list that may include certain intelligence-community facilities and the National Laboratories as defined in the Energy Policy Act of 2005. It then directs each member agency, within a year and periodically after, to review the sites it placed on the list and to recommend both updates and the distance, described in the statute as close proximity or extended range, that ought to apply, each recommendation backed by a risk assessment. A companion provision folds the subject into the committee’s annual report and offers Congress a classified briefing on request. Read against the breathless alerts, three corrections fall out. The list is permissive; the statute says the committee may prescribe it, not that a sweeping new list is already in force. The energy piece is specifically the National Laboratories, not energy installations writ large. And Section 8102 sets no new proximity threshold by itself; it builds a process for agencies to recommend distances, with any actual change to come later through regulation, and it left the review clocks untouched. But the vector is unmistakable. The real-estate screen is being pushed past military bases toward a wider constellation of sensitive federal sites, and a buyer of American land near sensitive federal infrastructure can no longer assume that only bases count.

The third register is posture, the hardest to quantify and in some ways the most important. On February 21, 2025, the President issued the America First Investment Policy, a presidential memorandum that sets direction across the investment-security agencies. It is worth reading for what it is and is not. It expressly tasks CFIUS, and it names the foreign adversaries it has in mind: the People’s Republic of China, including Hong Kong and Macau, along with Cuba, Iran, North Korea, Russia, and the Maduro regime in Venezuela. It tells the agencies to fast-track investment from allied and trusted sources and to bear down on investment tied to those adversaries, and it presses Congress to widen the committee’s reach toward certain new construction, so-called greenfield investment. It is policy direction, not an enacted change to jurisdiction; it does not, on its own, move the statute or the regulations a single comma. But it tells a buyer which way the staff has been told to lean, and it is the backdrop against which the committee’s growing appetite for the tools below should be read.

The practical translation is short. CFIUS used to be a gate you walked through. It is now a gate with a meter running, a published list of fines bolted to the wall, and a standing instruction to the guards to look harder at certain travelers.

What trips the wire

CFIUS jurisdiction is neither automatic nor universal, and the diligence task is to test a live deal against the specific fact patterns the regulations call covered transactions. There are, in effect, three doors into the committee’s house, and a deal needs to open only one of them to be inside.

The first door is the classic one, a covered control transaction under Part 800: a foreign person acquires control of an American business. The word doing the work there is control, and the regulations read it functionally rather than as a bright-line percentage. A minority stake that carries the right to appoint a director, or to direct important decisions, can be control even at well under fifty percent; conversely, a passive majority economic interest stripped of governance rights might not be. The “U.S. business” half of the phrase is read broadly, reaching essentially any entity engaged in interstate commerce in the United States.

The second door is FIRRMA’s signature expansion, and it is the one that catches deals the old committee never would have seen. Even without control, a foreign investment can be covered if the target is what the regulations christen a TID U.S. business. The initials stand for the three categories that define the modern committee’s anxieties: critical Technology, critical Infrastructure, and sensitive personal Data. If a target produces or designs critical technology, operates or services critical infrastructure, or maintains sensitive personal data on American individuals, then a non-controlling foreign investment in it can be covered the moment the investment carries any of three rights: access to the company’s material nonpublic technical information, a seat or observer right on the board, or substantive involvement in the company’s decisions about its technology, infrastructure, or data. A minority venture round that looks, on its face, like a passive bet can be squarely inside CFIUS if the startup sits in one of those three buckets, which is exactly why the TID test belongs at the front of diligence and not the back.

The third door is location. Under Part 802, certain foreign purchases or leases of real estate are covered not because of any business that changes hands but because of where the dirt is: near specified airports and maritime ports, in proximity to listed military installations, and, increasingly, within reach of the broader sensitive sites that Section 8102 now contemplates. A foreign buyer can acquire nothing but a building and still land in front of the committee.

Open any one of those doors and the next question is the one that decides how much trouble the deal is in: is a filing mandatory, or merely a good idea? CFIUS is, at its foundation, a voluntary-notification regime, and most parties file voluntarily for a single reason, the safe harbor. A completed CFIUS review extinguishes the committee’s power to come back later and reopen the deal, and that finality is worth real money to a buyer and to the buyer’s lenders. But FIRRMA carved mandatory filings out of the voluntary default, and a declaration is required, not optional, in defined cases, chiefly where a foreign government holds a substantial interest, set at a twenty-five percent or greater voting interest, in a TID U.S. business, and in certain transactions involving critical technology. This is the distinction that matters most at intake, because a missed mandatory filing is precisely the violation the 2024 rule made so expensive.

Here the discipline of the certified fraud examiner earns its place. A CFE is trained to withhold belief until the evidence converges, to treat a clean-looking story as a hypothesis rather than a conclusion. The same posture is the right one for CFIUS. Do not conclude a deal is outside the committee because it looks commercial and the buyer seems friendly. Trace the buyer’s ownership to its ultimate beneficial owners, the actual human beings at the end of the chain; identify any government, anywhere, that sits in that chain; and classify the target against the technology, infrastructure, and data definitions, with a citation behind each step. The conclusion that a deal is not covered is a finding, and like any finding it has to be earned.

How the clock runs

The review timeline is fixed by statute, not by the convenience of the staff, and a buyer who maps that timeline onto the deal calendar disarms the most common CFIUS surprise, which is almost never rejection. It is delay. Parties enter through one of two vehicles, and the choice carries timing consequences that ripple all the way to the closing date.

Vehicle / stage Length Statutory or regulatory source What happens
Declaration (short-form) assessment 30 days 31 CFR 800.405 The committee clears the deal, requests a full notice, tells the parties it cannot complete action on a declaration, or takes no action.
Notice review 45 days 50 U.S.C. 4565(b)(1)(F) The committee reviews the accepted notice and clears it or opens an investigation.
Investigation 45 days 50 U.S.C. 4565(b)(2)(C) Where warranted; one 15-day extension in extraordinary circumstances.
Presidential decision 15 days 50 U.S.C. 4565(d)(2) If the committee refers the matter, the President acts or declines within 15 days.

A declaration is the abbreviated filing, roughly five pages, and it is the cheaper and faster route. Its risk is that it can come back not as a clearance but as a request to file the full notice, which spends the very weeks the parties were trying to save. A notice is the complete filing, and it opens the main clock: a worst-case noticed path runs forty-five days of review, then forty-five days of investigation, then fifteen days for a presidential decision, with a possible additional fifteen-day investigation extension folded in. And that is only the clock the public can see. In practice the parties submit a draft notice first, and the committee comments and asks for more before it formally accepts the filing and starts the statutory clock at all. The 2024 annual report puts numbers on that antechamber: the committee took, on average, 6.5 business days to comment on a draft notice and 2.7 business days to accept a formal one, and those are averages in a heavy year, which means a complicated deal can sit in pre-filing for weeks before the official countdown even begins.

The consequence is a single scheduling rule, and it is the most useful sentence a diligence team can hand a deal lead. For any transaction that plausibly touches CFIUS, build a regulatory calendar that assumes the full review-plus-investigation timeline, make CFIUS clearance an express condition to closing, and resist with both hands the temptation to close first and file later. Closing ahead of a required filing does not save time. It converts a timing problem into a penalty problem, and the penalty now scales with the size of the deal.

What the government can do when the clock stops

The remedy set is wider than outsiders assume, and, for CFIUS specifically, it is not primarily about seizing assets. The committee works through the clock above and through negotiated conditions, and the great majority of deals that draw real scrutiny are resolved well short of a block.

Clearance is the ordinary ending. The committee concludes its review or its investigation, finds the risk acceptable or absent, and the safe harbor snaps into place. Most filed deals end here.

Mitigation is the committee’s workhorse, the tool it reaches for when it finds a genuine concern but not an unmanageable one. Rather than kill the deal, it conditions it. The heavier instrument is a National Security Agreement, a name that compresses into the initials NSA in committee practice and should not be confused with the signals-intelligence agency of the same letters; it is an ongoing contract between the parties and the government that can require American citizens in sensitive roles, walls around data and facilities, assured continuity of supply to the government, governance carve-outs that keep the foreign owner away from certain decisions, independent security officers who report to the government as much as to the company, and audit rights the monitoring agency can exercise for years. The lighter instrument is a Letter of Assurance, or LOA, covering a narrower set of promises. None of this is cosmetic. A serious mitigation package can quietly remove the operational control a buyer believed it was acquiring, which is why mitigation is a question of deal economics and not merely of compliance, and why it belongs in the diligence memo and not only in the legal one.

Civil penalties are what follow a breach of those conditions, a missed divestment deadline, or a materially false filing, and as noted they have left the realm of theory. Treasury’s enforcement page records that through 2022 the committee had issued only two civil penalties in its entire history. That restraint is over, and the committee now publishes the record:

Year Penalty What the committee determined
2024 60,000,000 dollars T-Mobile US (named); under a 2018 agreement from the Sprint merger, failures to prevent unauthorized data access and to report them on time; followed a 2023 notice of penalty; the largest to date.
2024 18,000,000 dollars Agreement parties’ failure to move sensitive assets into a protected subsidiary; partly waivable on completing divestment.
2024 8,500,000 dollars An agreement party whose majority owners removed the independent directors and left the security-director role empty.
2024 1,250,000 dollars The maximum then authorized; a filing with five material misstatements, including forged documents and signatures; the filing was rejected and the deal abandoned.
2023 990,000 dollars Two breaches of a Letter of Assurance (a website foreign-ownership disclosure).
2023 200,000 dollars Failure to divest by a National Security Agreement deadline.
listed 100,000 dollars A separate missed divestment deadline.
2019 750,000 dollars Breach of a CFIUS interim order (failure to restrict and monitor access to protected data).
2018 1,000,000 dollars Repeated breach of a National Security Agreement (failure to establish required security policies; inadequate reporting).

The committee notes that, in place of a penalty, it can issue what it calls a Determination of Noncompliance Transmittal, a formal warning, for a first-time, inadvertent, or limited violation. The lesson in the table is the trajectory rather than any single number: penalties moved from rare six-figure events to a sixty-million-dollar matter, against a ceiling that now climbs with the value of the deal.

The presidential block and the forced unwind are the sharpest remedy, and the constitutional structure here is precise and worth getting right. The committee itself cannot prohibit a deal. Only the President can, under Section 721, and only on a finding of credible evidence that the foreign interest exercising control might take action that threatens national security, together with a finding that no other law is adequate to deal with it. Two clean, primary-sourced orders show the mechanic in its two timing modes.

In the matter of ByteDance’s acquisition of Musical.ly, the President ordered divestment of the assets used to run the TikTok service in the United States on August 14, 2020 (85 FR 51297), well after the deal had closed, complete with the destruction of American user data and weekly compliance certifications. That is the post-closing unwind in its pure form: a consummated transaction taken back apart by order. It should not be confused, and a diligence memo must not confuse it, with the separate divest-or-ban statute later upheld by the Supreme Court in TikTok Inc. v. Garland, 604 U.S. 56 (2025), or with Executive Order 14352 in 2025; those rest on a different law, the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), and not on Section 721 at all. Same company, two different machines.

In the matter of Suirui International’s acquisition of Jupiter Systems, the President ordered divestment within 120 days on July 8, 2025 (90 FR 31125), and this one repays close reading on several fronts. It was a non-notified transaction, one the parties never filed, surfaced instead by a public tip. The order recited credible evidence that the purchasers might act to impair the national security, and it pointed to an indirect interest held by a Chinese military company and to a right to appoint a director. It is, by the 2024 annual report’s own account, the single non-notified transaction the committee ultimately ran all the way to a presidential prohibition. And it produced a sequel that broke new ground: in early 2026 the Department of Justice filed what the Congressional Research Service describes as the first lawsuit ever brought to enforce a Section 721 presidential order, after the parties allegedly failed to divest by the extended deadline. That enforcement suit is a set of government allegations in a filed complaint, not an adjudicated finding, and it has to be described that way; what is established is the underlying order and the government’s new willingness to go to court to make one stick.

A buyer should sit for a moment with the unusual judicial posture that the Suirui and TikTok orders share, because it contains two statements that look contradictory and are not. The statute provides, in so many words, that the President’s actions and findings under Section 721 are not subject to judicial review (50 U.S.C. 4565(e)). And yet, in Ralls Corp. v. CFIUS, 758 F.3d 296 (D.C. Cir. 2014), the United States Court of Appeals for the District of Columbia Circuit held that a presidential order forcing a Chinese-owned company to divest wind-farm interests near a Navy facility had deprived that company of constitutionally protected property without due process, because it had been given no notice of the unclassified evidence against it and no chance to respond. The reconciliation is the sophisticated point, and it is the one a good memo makes: the President’s substantive judgment about the threat is beyond a court’s reach, but the procedure that strips a party of a protected property interest is not entirely beyond review, even as genuinely classified material can still be withheld. For diligence, the reading is exact. Do not plan to litigate your way out of a presidential CFIUS order on the merits. But know that the process that produces one carries a constitutional floor, and that the floor is where what little leverage exists tends to live.

The quiet outcome is the one a buyer is by far the most likely to meet, and it almost never makes the news. Most CFIUS-sensitive deals that run into trouble do not end in a presidential order. They are restructured, abandoned, or quietly terminated under pressure, and the public record of the death, if there is one at all, sits in a securities filing rather than a Federal Register notice. Ant Financial’s proposed acquisition of MoneyGram collapsed in 2018 after the parties could not obtain CFIUS approval, a failure recorded in the target’s own Form 8-K filed with the Securities and Exchange Commission, not in any presidential block. Older episodes that are routinely miscited as blocks follow the same script: CNOOC withdrew its bid for the energy company Unocal in 2005 amid political opposition, before the committee ever decided anything, and Dubai Ports World agreed in 2006 to hand off its American port operations under pressure rather than be formally prohibited. A fourth often-cited matter, the reported unwind of Beijing Kunlun’s ownership of the dating app Grindr on data-security grounds around 2019 to 2020, produced no published order or committee document at all, because CFIUS proceedings are confidential; it belongs in a memo as reported context, flagged as such, not as a documented finding. The headline risk for the ordinary deal, in other words, is not the dramatic block. It is delay, conditions that change the economics, and a transaction that quietly dies with a press release that mentions everything except the real reason.

What the data shows

The committee quantifies its own behavior once a year, and the numbers are the closest thing a buyer has to a base rate. The figures below come from the CFIUS Annual Report to Congress for calendar year 2024, published in August 2025; when any of them goes into a memo, it should be cited to the specific table it came from, because the report counts several different things and the counts are not interchangeable.

CFIUS activity (CY2024) Count
Short-form declarations assessed 116
Full notices filed and accepted 209
Notices proceeding to investigation 116
Notices withdrawn after investigation began 49 (42 refiled)
Notices with mitigation measures or conditions adopted 25 (about 12 percent)
Notices concluded subject to a mitigation agreement 16 (about 9 percent)
Presidential decisions 2

Two of those rows are different metrics that look alike and should not be merged: the committee adopted mitigation measures or conditions on twenty-five notices, and separately concluded a deal through a formal, signed mitigation agreement on sixteen. The first number counts everything that carried a condition; the second counts only the matters resolved by a signed contract.

The non-notified figures are their own quiet drama, and they are the empirical answer to the perennial temptation to simply not file. In 2024 the committee sifted thousands of potential non-notified transactions, pulled ninety-eight in for a closer look, opened formal inquiries into seventy-six, requested filings in twelve, watched five parties file voluntarily once contacted, and ran one all the way to a presidential prohibition, the Suirui matter above. A non-notified deal is not a safe deal. It is an un-cleared deal the committee can reach back for, and, in the rare and instructive case, prohibit.

Read with a diligence eye, the year tells a buyer three honest things. Most filed deals clear; the committee is busy but not capricious. A real share of noticed deals, 116 of 209 in 2024, advance to a second-stage investigation, which means the longer clock is a planning risk to be reckoned with, not a remote contingency. And while an outright presidential block is genuinely rare, withdrawals after an investigation opens are not, and a withdrawal usually signals parties restructuring or walking away under pressure rather than a clean win. For the longer view, the same report records 783 declarations filed across 2019 to 2024 and, in its sector table, 2,187 notices across 2015 to 2024.

From findings to deal terms

Everything above resolves into a diligence request list, and the point of the list is to gather, early, the handful of facts that decide jurisdiction and the filing question while there is still time and leverage to act on them. For a deal with any foreign-investment dimension, the team should obtain and document the full ownership and control chart of the buyer, traced to the ultimate beneficial owners and to any government ownership, with percentages and with every governance, board, and information right spelled out, because a foreign-government voting interest at or above twenty-five percent in a sensitive target is a mandatory-filing flag the moment it appears. It should produce a clear-eyed classification of the target against the technology, infrastructure, and data test, treating each of the three as a separate analysis with its own regulatory definition rather than a single gut call. It should map the target’s complete American real-property footprint, owned and leased, with addresses, so proximity to listed installations and to the widening set of sensitive sites can be checked against Part 802. It should surface any prior CFIUS history, past filings, existing mitigation agreements, open compliance obligations, because an existing agreement the new deal would breach is a live penalty risk that the buyer inherits at closing. And it should inventory the target’s data and any foreign-access pathways, which is where this screen hands off to the data-security screen covered in the companion piece on Executive Order 14117.

The output is not a memo full of hedging. It is a short, structured section of the diligence report that a deal principal and counsel can actually use. It states the jurisdictional conclusion, which door if any the deal opens, with the regulatory citation and the facts that drive it. It states the filing conclusion, mandatory or voluntary, declaration or notice, with the reasoning, and a recommendation on whether to file for the safe harbor even where filing is not strictly required. It lays out the regulatory calendar, the forty-five-day review, the possible forty-five-day investigation with its fifteen-day extension, and the fifteen-day presidential window, mapped against the deal timeline, with CFIUS clearance framed as a condition to closing. And it specifies the deal-structure response, which is where a diligence finding becomes contract language: CFIUS clearance as an express condition precedent, meaning a condition that has to be satisfied before either side is obligated to close; representations on foreign ownership and on prior CFIUS compliance; a covenant to cooperate on the filing; a thoughtful allocation of regulatory risk that fixes how hard the buyer must try to win clearance, a commercially reasonable efforts standard, say, rather than an unconditional obligation to swallow any mitigation the government demands; a reverse termination fee if the buyer cannot clear; an escrow or indemnity against the post-closing unwind risk; and a long-stop date keyed to the realistic review timeline rather than an optimistic one. The memo does not predict the legal outcome. It identifies the exposure, sources it, and frames the decision for the people who own it, and it observes the same evidentiary rule that governs any fraud or diligence engagement: a number without a primary source is a lead, not a finding, and it goes into the memo marked that way or it does not go in at all.

Knowing when to hand the matter up is part of the skill. The diligence team spots and documents; it does not render the legal call. The trigger to escalate to qualified CFIUS counsel is any of a short list of facts: a plausible mandatory-filing trigger, such as critical technology paired with a covered investment, or a foreign-government interest at or above twenty-five percent in a TID business; a target already living under a mitigation agreement or National Security Agreement the deal would touch; a covered real-estate footprint near a listed installation or a sensitive site; a buyer ownership chain that resists being traced to its ultimate owners, which is itself a finding; or any prior CFIUS contact, filing, or non-notified inquiry in the target’s past. The strategic choices that follow, whether to file a declaration or a full notice, how to approach mitigation, how to time the filing against signing and closing, are legal and strategic judgments that belong to counsel. The value the diligence team adds is making certain those questions reach counsel while there is still room to maneuver, which means before signing, not in the conference room on closing day.

Practitioner Skill Built By This Article

Stripped to its core, the skill this piece builds is the ability to run a CFIUS jurisdiction and mandatory-filing screen on a deal and reduce the result to a defensible memo.

  • What you can now recognize: the three jurisdictional doors (control, covered investment in a TID business, covered real estate), the mandatory-filing triggers, the difference between a declaration and a notice, and the shape of the review clock.
  • What source you verify it against: the statute (50 U.S.C. 4565) and the two regulations (31 CFR Parts 800 and 802) for jurisdiction and timing; the declaration clock at 31 CFR 800.405; the current penalty rule (89 FR 93179) for exposure; and the CFIUS annual report and enforcement page for real-world base rates and the penalty record. Every figure in the memo traces to one of these, per the Authority Ladder the series follows.
  • What you can produce: the CFIUS section of a diligence report, the trigger checklist below, and a regulatory calendar that turns the statutory clock into a closing condition.
  • When you escalate: at any plausible mandatory-filing trigger, any existing mitigation agreement, any sensitive-site real estate, or any ownership chain you cannot trace. The legal determination, the filing strategy, and the mitigation negotiation belong to counsel.

This is forensic-accounting work pointed at a newer risk. The discipline is the one a certified fraud examiner already practices every day: trace ownership to its source, withhold the conclusion until the evidence converges, and keep a hard line between what the public record proves and what it merely suggests. A name in a corporate registry is a lead, not a finding; a gap in an ownership chart is a question, not an accusation. The CFIUS screen is that same discipline trained on a particular question, who is really buying this, and what might they do with what they bought. What stays genuinely beyond reach from public sources is the committee’s own decision, because its process is confidential by design, which is exactly why the work is about recognizing and pricing the exposure early rather than predicting the verdict.

The shipped artifact: CFIUS trigger checklist

Use this at intake on any deal with a foreign buyer, a foreign investor inside the acquiring fund, or an American target with sensitive operations or real estate. It produces leads for the memo, not legal conclusions.

  1. Buyer and control
  • Is any party in the buyer’s ownership or control chain a foreign person? Trace to ultimate beneficial owners.
  • Does any foreign government hold an interest, directly or indirectly? At or above a twenty-five percent voting interest in a sensitive target, that is a mandatory-filing flag.
  • Will the foreign party obtain control, a board seat, observer rights, or access to material nonpublic technical information?
  1. Target nature (the technology, infrastructure, and data test)
  • Critical technology: does the target produce, design, test, fabricate, or develop anything export-controlled or otherwise designated critical? (Overlaps with the export-control screen, B2.)
  • Critical infrastructure: does it own or operate covered infrastructure, or provide covered services to it?
  • Sensitive personal data: does it hold identifiable data on American individuals, and at what scale? (Overlaps with the data-security screen, C1.)
  1. Real estate (Part 802)
  • List every American property owned or leased, with addresses.
  • Check proximity to listed military installations, airports, and maritime ports, and to the expanding set of sensitive federal sites.
  1. CFIUS history
  • Any prior filings, declarations, or notices?
  • Any existing mitigation agreement, National Security Agreement, or Letter of Assurance, and any open obligations under it?
  • Any prior non-notified inquiry or committee contact?
  1. Filing posture
  • Does any mandatory-filing trigger apply? If yes, escalate immediately.
  • If filing is voluntary, is the safe harbor worth the time and cost on this deal?
  • Declaration or full notice, and why?
  1. Timeline and structure
  • Build the forty-five-day review, the forty-five-day investigation (plus a possible fifteen-day extension), and the fifteen-day presidential decision into the deal calendar.
  • Make CFIUS clearance a condition precedent.
  • Allocate CFIUS risk in the agreement: foreign-ownership and prior-compliance representations, a cooperation covenant, the clearance condition, the efforts standard, a reverse termination fee, and walk-away terms.
  1. Exposure
  • If a mandatory filing is missed on a deal of this value, the penalty ceiling is the greater of 5,000,000 dollars or the transaction value.
  • If the deal closes without a required clearance, model the unwind risk.

Applied DD Lab: Replicate the Screen

You cannot screen a specific deal with public data alone, because CFIUS proceedings are confidential. What you can build is the base rate, the empirical sense of how often the committee files, investigates, conditions, and blocks, which is exactly the context a good risk memo needs and the thing most memos lack. The exercise is to pull the figures from the CFIUS Annual Report to Congress, which Treasury publishes every year, and build a simple multi-year trend.

  • Dataset: the CFIUS Annual Report to Congress (public, on the Treasury CFIUS reports page). The most recent edition covers calendar year 2024 and was published in August 2025.
  • What it shows: for 2024, the committee assessed 116 declarations and reviewed 209 notices; it investigated 116 of those notices; 49 notices were withdrawn after an investigation began, of which 42 were refiled; one was rejected; and two transactions reached a presidential decision. It adopted mitigation measures or conditions on 25 notices and concluded action through a mitigation agreement on 16. On the non-notified side, it considered thousands of potential transactions, investigated 98, opened inquiries into 76, requested filings in 12, saw 5 parties file voluntarily after outreach, and saw 1 prohibited by presidential order. The longer trend is visible too: declarations ran 94, 126, 164, 154, 109, and 116 across 2019 through 2024.
  • How to run it: use the companion repository’s module-backed lablet to reproduce the annual-report trend table from the committed public-source figures. Run PYTHONPATH=src python3 -m ns_diligence.cfius_reports data/sample/cfius_annual_report_figures.csv data/redacted_outputs/a1_cfius_public_actions_sample.csv from the lab repository root. The lab is open-source at https://github.com/Sheepdog-Prosperity-Partners-LLC/national-security-diligence-lab.
  • What it can prove: that the committee’s activity has grown, and that mitigation, not the block, is its dominant tool. What it cannot prove: anything at all about a specific target. Aggregate policy data is context for a memo, never a substitute for deal-specific diligence. When you cite a multi-year total, cite the specific annual-report table you took it from, because the committee reports several different counts (notices, notices by sector, declarations) and they are not interchangeable.

The lab guardrail holds here as it does everywhere in this series: the output is a lead and a context, never a finding, and it uses only public government data.

Terms used in this article

The full glossary lives in the section’s master glossary; the terms you need for this piece:

  • CFIUS (Committee on Foreign Investment in the United States): the interagency committee, chaired by the Treasury Department, that reviews foreign investment in American businesses and certain real estate for national-security risk.
  • Defense Production Act (DPA): the 1950 statute whose Section 721 (50 U.S.C. 4565) houses the CFIUS authority.
  • Exon-Florio: the 1988 amendment that created the CFIUS review-and-suspend authority as Section 721.
  • FINSA (Foreign Investment and National Security Act of 2007): the law that wrote CFIUS into permanent statute after the Dubai Ports World controversy.
  • FIRRMA (Foreign Investment Risk Review Modernization Act of 2018): the law that modernized CFIUS, adding mandatory declarations and reaching certain non-controlling investments and real estate.
  • TID U.S. business: a U.S. business involved with critical Technology, critical Infrastructure, or sensitive personal Data; the category that drives heightened scrutiny and some mandatory filings.
  • Covered transaction: the umbrella for what CFIUS can review, comprising covered control transactions and covered investments (31 CFR Part 800) and covered real estate transactions (Part 802).
  • Declaration: the CFIUS short-form filing; it opens a 30-day assessment period.
  • Notice: the CFIUS full filing; it opens a 45-day review and a possible 45-day investigation.
  • Mitigation agreement (National Security Agreement, or NSA; Letter of Assurance, or LOA): the conditions CFIUS imposes to resolve a risk so a deal can proceed; breaching them can trigger a penalty.
  • Condition precedent: a condition that must be satisfied before the parties are obligated to close.
  • Presidential decision: the only path to formally block or unwind a deal under Section 721; the President must find credible evidence of a threat, and the action is not subject to judicial review.
  • Non-notified transaction: a deal nobody filed that the committee identifies and pulls in for review on its own.

Selected sources

  • Statute: 50 U.S.C. 4565 (Defense Production Act Section 721), including the membership provision at subsection (k), uscode.house.gov; the amendment pedigree runs Exon-Florio (Pub. L. 100-418, 1988) through Pub. L. 119-60 (2025).
  • Regulations: 31 CFR Part 800 (covered investments) and Part 802 (covered real estate), and the declaration clock at 31 CFR 800.405, eCFR.
  • 2024 rulemakings: penalty and mitigation final rule, 89 FR 93179 (effective December 26, 2024); military-installations rule, 89 FR 88128 (effective December 9, 2024), federalregister.gov.
  • December 2025 amendment: Pub. L. 119-60, Division H, Title LXXXI, Section 8102, congress.gov.
  • Policy: America First Investment Policy, presidential memorandum, February 21, 2025, whitehouse.gov.
  • Committee composition and process: Treasury, CFIUS Overview and CFIUS Mitigation pages, home.treasury.gov; Congressional Research Service, “Committee on Foreign Investment in the United States (CFIUS),” IF10177.
  • Enforcement and base rates: Treasury, CFIUS Annual Report to Congress for CY2024 (August 2025), and the Treasury CFIUS Enforcement page (penalty record), home.treasury.gov.
  • Case law: Ralls Corp. v. CFIUS, 758 F.3d 296 (D.C. Cir. 2014); and, on the separate PAFACA authority, TikTok Inc. v. Garland, 604 U.S. 56 (2025).
  • Presidential orders under Section 721: ByteDance / Musical.ly, 85 FR 51297 (August 19, 2020); Suirui International / Jupiter Systems, 90 FR 31125 (July 11, 2025).
  • Oversight: Congressional Research Service products on FIRRMA (IN10924), the CFIUS overview (RL33388), and the first Section 721 enforcement suit (LSB11435), congress.gov.
  • Further reading (scholarly): Wakely and Windsor, “Ralls on Remand,” 48 The International Lawyer 105 (2014); Eichensehr and Hwang, “National Security Creep in Corporate Transactions,” 123 Columbia Law Review 549 (2023); Wang, Liu and Dong, “The United States’ Strengthened National Security Review of Chinese Investment,” 40 American University International Law Review 1151 (2025).

Status note

  • Last reviewed: 2026-06-14
  • Next scheduled review: 2026-09-14
  • Current watch items: implementation of the Section 8102 sensitive-sites list and any resulting proximity-threshold regulation; the CFIUS Known Investor Program; the Suirui enforcement litigation as the first test of judicial enforcement of a Section 721 order; the America First Investment Policy memorandum and any follow-on rulemaking; continued non-notified activity; and the next annual-report figures.

By Noah Green CPA CFE, for Sheepdog Prosperity Partners. Educational only; not legal advice.

Submit a Comment

Your email address will not be published. Required fields are marked *