PRIA Logo
Start Free Watch
Back to search
Commerce & SecuritiesNational Security

CFIUS — Foreign Investment National Security Review

14 min read·Updated Apr 21, 2026

CFIUS — Foreign Investment National Security Review

The Committee on Foreign Investment in the United States (CFIUS) is an interagency committee, chaired by the Treasury Secretary, that reviews foreign acquisitions of, investments in, and certain real estate transactions involving U.S. businesses to determine whether they threaten national security — and can recommend that the President block or unwind the transaction. Authorized by Section 721 of the Defense Production Act (50 U.S.C. § 4565) and significantly expanded by the Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018, CFIUS reviewed approximately 440 transactions in its most recent reporting year and has blocked or forced divestitures of high-profile deals in semiconductors, telecommunications, social media, and other sensitive sectors. If you're acquiring a U.S. business and the buyer involves foreign ownership, CFIUS is the gatekeeper that decides whether the deal goes through.

Current Law (2026)

ParameterValue
Governing law50 U.S.C. § 4565 (Defense Production Act § 721); FIRRMA (2018)
ChairSecretary of the Treasury
Committee members9 agencies (Treasury, Defense, State, Commerce, Energy, Homeland Security, USTR, DOJ, OSTP) plus others as relevant
JurisdictionCovered transactions (mergers, acquisitions, investments) that could result in foreign control of a U.S. business; certain non-controlling investments in critical technology, critical infrastructure, and sensitive personal data businesses; real estate near military installations
FilingVoluntary (but CFIUS can initiate review of non-filed transactions); mandatory for certain government-related investments
Review timeline45-day initial review + optional 45-day investigation + 15-day presidential decision
Presidential authorityPresident may block or unwind any covered transaction that threatens national security
Penalties for non-filingUp to the value of the transaction for material misstatements or failure to file mandatory declarations
Recent blocked dealsTikTok divestiture order (2020/2024), Qualcomm/Broadcom (2018), Ant Group/MoneyGram (2018)
  • 50 U.S.C. § 4565 — Authority to review certain mergers, acquisitions, and takeovers (establishes CFIUS; authorizes review of any covered transaction that could result in foreign control of a U.S. business or foreign investment in certain sensitive sectors; authorizes the President to suspend or prohibit any transaction that threatens national security; no judicial review of presidential decisions)

How It Works

CFIUS has jurisdiction over three categories of transactions. Covered control transactions include any merger, acquisition, or takeover that could result in foreign control of a U.S. business — even a minority stake if it conveys control through board seats, veto rights, or operational authority. Covered investments (added by FIRRMA in 2018) capture non-controlling foreign investments that provide access to critical technology, critical infrastructure, or sensitive personal data of U.S. citizens, without the foreign investor needing to take control. And certain real estate transactions near sensitive military installations or government facilities fall within CFIUS jurisdiction even if no U.S. business is involved. FIRRMA's expansion was driven by concerns about Chinese investment in U.S. technology companies — before 2018, CFIUS jurisdiction was limited to control transactions, leaving minority investments and joint ventures outside its authority.

Filing is generally voluntary — parties may submit a full notice (detailed filing triggering formal review) or a short-form declaration (5-page summary that CFIUS may clear or upgrade to a full notice). But "voluntary" has teeth: CFIUS can initiate review of any covered transaction it learns about, even years after closing, and can order divestiture. Mandatory filing is required for critical technology transactions where a foreign government has a substantial interest, including sovereign wealth funds and state-owned enterprises. After filing, CFIUS conducts a 45-day initial review, followed by a 45-day investigation if concerns remain (extendable by 15 days). During review, CFIUS negotiates mitigation agreements — security clearance requirements, data firewalling, board observer rights for a government-appointed security director, restrictions on technology transfer — to address national security concerns while allowing the deal to proceed. If mitigation fails, CFIUS refers the transaction to the President, who has 15 days to block or unwind it. Presidential CFIUS decisions are not subject to judicial review.

How It Affects You

If your U.S. company is being acquired by a foreign buyer: CFIUS due diligence should begin before signing — not after. The questions to answer at term sheet stage: (1) Is the buyer or any of its investors controlled by a foreign government (sovereign wealth fund, state-owned enterprise, or state-directed entity)? Chinese government-linked buyers face the most severe scrutiny; investors from "excepted foreign states" (allies including Australia, Canada, New Zealand, UK) face lighter review. (2) Does your company operate in a critical technology sector (semiconductors, AI, biotech, nuclear energy, quantum computing, hypersonics, satellites), own or operate critical infrastructure (power grids, water systems, financial systems, port facilities), or hold sensitive personal data on large numbers of U.S. persons? If yes to any of these, CFIUS review is essentially certain and mandatory filing may be required.

The filing choice matters: a short-form Declaration (typically 5 pages) costs less and takes 30 days, but CFIUS may request a full Notice — and if you file a Declaration and CFIUS requests a Notice, you've only delayed the clock. A full Notice (detailed, typically 100+ pages with exhibits) triggers the formal 45-day review + 45-day investigation timeline, up to 105 total days. Government filing fees for full notices run up to $300,000 depending on deal value — budget for this in your transaction costs. Legal fees for a complex CFIUS filing typically run $500,000–$2 million.

The risk of not filing: CFIUS can review any covered transaction, including transactions that already closed, and can order post-closing divestiture. The TikTok situation demonstrates that even years post-closing, a CFIUS national security concern doesn't expire. Build a CFIUS clause into your M&A agreements that addresses what happens if CFIUS orders conditions or blocks the deal — walk rights, reverse termination fees, and agreement on who bears mitigation costs are all negotiable.

If you're a foreign investor or a fund with foreign limited partners considering a U.S. investment: FIRRMA (2018) dramatically expanded the transactions that trigger CFIUS jurisdiction beyond full acquisitions. Non-controlling minority investments in U.S. companies that: (1) produce or have access to critical technologies in specified sectors; (2) own or operate critical infrastructure; or (3) collect or maintain sensitive personal data on more than 1 million U.S. persons — are now covered investments regardless of whether you're taking a controlling stake.

Key jurisdictional triggers to assess: Is your fund structured so that a foreign government or state-affiliated entity holds a substantial interest (10%+ of certain funds, or 49%+ of certain types)? If so, even a small U.S. investment in a covered sector may require mandatory CFIUS declaration. "Sensitive personal data" includes: precise geolocation data, biometric data, health/genetic data, financial data (bank account info, credit scores), and personal communications metadata — all for 1M+ U.S. persons. A SaaS company with 2 million users' precise location data may qualify. Structure matters: advisory board seats, information rights, and veto rights over certain decisions (even without majority ownership) can constitute "control" triggering full review.

Real estate near sensitive sites: foreign purchases of real estate within one mile of a military installation or classified U.S. government facility, or within 100 miles of certain designated sensitive locations, now trigger CFIUS jurisdiction under FIRRMA's real estate provisions — even with no associated business acquisition. If you're considering U.S. real estate investments near defense infrastructure, map your target against CFIUS's sensitive site list before proceeding.

If you run a tech, defense, or data company that has received or is considering foreign investment: CFIUS's reach extends to your existing cap table. If you have foreign investors — particularly from China, Russia, Iran, North Korea, Cuba, or Venezuela (designated "foreign adversary" countries) — any material investment, change in rights, or new round from those investors may trigger CFIUS review. Even existing investors can create CFIUS issues if their rights change.

To assess your exposure: (1) map your cap table for foreign investors and identify any state-connected ownership; (2) identify whether your business touches critical technology (most semiconductor, AI, biotech, and defense companies do), critical infrastructure, or sensitive personal data; (3) if you're in these categories, any new foreign investment — including secondary market sales of your shares to foreign purchasers — may be a covered transaction requiring CFIUS clearance. For defense contractors specifically: DCSA (Defense Counterintelligence and Security Agency) coordinates with CFIUS on foreign ownership, control, and influence (FOCI) determinations for cleared companies. Mitigation for cleared companies typically includes: a Government Security Committee (GSC) chaired by a DCSA-approved security officer; restrictions limiting cleared operations to U.S. citizens; data firewalls separating classified from unclassified systems; and board-level reporting to DCSA. These mitigation commitments are formalized in a Security Control Agreement (SCA) or Special Security Agreement (SSA) — negotiate their terms carefully as they constrain business operations for the life of the agreement.

State Variations

CFIUS is exclusively a federal authority with no state equivalent:

  • No state government has the authority to review or block foreign investment on national security grounds
  • State corporate law governs the mechanics of M&A transactions, but CFIUS review is a federal overlay
  • Some states have foreign ownership restrictions on agricultural land, which operate independently of CFIUS
  • State economic development agencies may encourage foreign investment while federal CFIUS review may restrict it

Implementing Regulations

The Treasury Department's CFIUS regulations implementing 50 U.S.C. § 4565 cover two distinct transaction types through two Parts.

31 CFR Part 800 governs foreign acquisitions of U.S. businesses — covered control transactions and covered investments under FIRRMA. It defines the mandatory and voluntary filing framework, establishes the declaration and notice procedures, specifies the mitigation agreement authority, and sets penalties for non-compliance.

The real estate regulations at 31 CFR Part 802 — Regulations Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States — operate separately and are the more recently expanded authority (effective February 2020, most recently amended at 89 FR 93186, November 2024). Key provisions:

  • § 802.101 — Scope: CFIUS may review "covered real estate transactions" — purchases, leases, or concessions of real property by a foreign person where the property is near a U.S. military installation or sensitive government facility, and the transaction gives the foreign person certain property rights (purchase, lease, concession with access/exclusion rights, or construction)
  • § 802.102 — Risk-based analysis: any CFIUS determination must be grounded in a risk-based analysis of threat (intent and capability of the foreign person), vulnerability (susceptibility of the property), and consequences to national security — not proximity alone
  • § 802.212 — Covered real estate definition: property located within one mile of certain military installations listed in an appendix to the rule; within the extended range area (typically 100 miles) of certain installations including submarine bases and missile testing ranges; or within any county or census tract containing a listed air or naval installation — the specific installations are listed in Appendix A to Part 802
  • § 802.216 — Excepted real estate transactions: exemptions include purchases by U.S. nationals, transactions in urbanized areas (defined census tracts with population density thresholds) that don't meet proximity criteria, and single housing units
  • § 802.217 — Excepted foreign state investors: foreign persons from designated excepted foreign states (allies including Australia, Canada, New Zealand, and the United Kingdom as of 2024 determinations) are exempt from the real estate review requirements, provided certain ownership thresholds are met
  • §§ 802.401–802.406 — Declarations: parties to a covered real estate transaction may file a short-form declaration (5-page summary) voluntarily or mandatorily; CFIUS must respond within 30 days — clearing the transaction, requesting a full notice, or initiating unilateral review
  • §§ 802.501–802.510 — Notices: full voluntary notice triggers the formal 45-day review + 45-day investigation timeline; CFIUS may impose conditions or refer to the President
  • §§ 802.701–802.708 — Filing fees: fees for real estate notices scale with transaction value, from $750 (transactions under $500,000) to $300,000 (transactions exceeding $750 million); declarations have no fee
  • §§ 802.901–802.902 — Penalties: civil monetary penalties up to $250,000 or the value of the transaction (whichever is greater) for material misstatements, omissions, or failure to file a mandatory declaration

In practice, the real estate rules most commonly affect foreign purchases of farmland, residential properties, or commercial real estate near military bases, naval stations, missile test ranges, and NSA/CIA facilities. The appendix listing covered installations is extensive — over 200 sites — meaning foreign buyers of rural or semi-rural property anywhere near a defense installation need to map the property against Appendix A before closing.

31 CFR Part 850 — Provisions Pertaining to U.S. Investments in Certain National Security Technologies and Products in Countries of Concern — operates alongside the inbound CFIUS regime as an outbound investment counterpart. While Parts 800 and 802 screen foreign investment into the United States, Part 850 restricts U.S. persons from investing outward into covered technologies in "countries of concern" (China, including Hong Kong and Macau). The program was established by Executive Order 14105 (August 9, 2023) and took effect January 2, 2025 (January 2025 final rule). Key provisions:

  • § 850.101 — Scope: restricts U.S. persons from engaging in "covered transactions" involving "covered foreign entities" in three covered national security technology sectors; administered by Treasury in consultation with Commerce; does not supersede or replace other applicable export control, sanctions, or foreign investment authorities
  • §§ 850.201–850.229 — Definitions (Subpart B): the definitional subpart is the heart of compliance. Three covered technology categories:
    1. Semiconductors and microelectronics: includes advanced packaging (2.5D/3D chip stacking), certain fabrication equipment above performance thresholds, and integrated circuits meeting specific node/performance specifications; the technical thresholds distinguish leading-edge (prohibited or notifiable) from legacy (generally not covered) semiconductors
    2. Quantum information technologies: quantum computers, quantum sensors above certain sensitivity thresholds, and quantum communication systems; both hardware and software are covered
    3. AI systems: systems that use machine learning to make decisions — covered when the AI system is designed or intended for military end-use, national intelligence purposes, surveillance of persons based on political opinion or religious belief, or meeting specific computational training thresholds (compute used for training)
  • § 850.209 — Country of concern: the term currently means China (including Hong Kong and Macau); the Secretary of the Treasury may add additional countries by further rulemaking
  • § 850.210 — Covered transaction: includes acquisition of equity interests (including minority stakes, convertible instruments, and options), greenfield investments (establishing new operations), joint ventures involving covered foreign entities, and debt instruments with certain governance or economic rights; covers both direct and indirect investments through subsidiaries, controlled foreign entities, and funds
  • § 850.301 — Prohibited transactions: outright banned investments in specific categories — primarily investments in covered foreign entities engaged in developing integrated circuits at leading-edge nodes (advanced logic chips, NAND flash memory, DRAM chips) or developing certain quantum computers or AI systems with specific capabilities; prohibited transactions may not be completed even with notification; § 850.303 prohibits "knowingly directing" a transaction by a non-U.S. entity that would be prohibited if done by a U.S. person
  • §§ 850.401–850.406 — Notifiable transactions (Subpart D): transactions in covered technologies that fall below the threshold for outright prohibition are permitted but must be reported to Treasury within 30 days after completion; the notification requirement applies to investments in quantum sensing, less-advanced chip companies, and AI systems not meeting the most sensitive capabilities thresholds; failure to file a required notification is a violation even if the transaction itself is not prohibited
  • §§ 850.501–850.504 — Exceptions and exemptions: publicly traded securities held purely passively (no board rights, no access to non-public technical information) are exempt; investments in sovereign debt, money market instruments, and certain government securities are exempt; LP interests in investment funds that made binding capital commitments before the regulations' publication date may qualify for limited grandfather treatment; buyout situations that were contractually obligated before the program's effective date may be exempt
  • §§ 850.701–850.704 — Penalties: civil monetary penalties up to $250,000 per violation or the value of the transaction, whichever is greater; the Secretary may refer matters to the Attorney General for criminal prosecution; there is no voluntary self-disclosure reduction program equivalent to OFAC's — each violation is assessed on its facts

The outbound investment program is conceptually different from export controls (which restrict the transfer of technology) and CFIUS (which reviews whether a foreign party can acquire a stake in a U.S. company). Part 850 restricts what a U.S. person can do with its own capital — investing in a Chinese-controlled company developing leading-edge chips, even if no U.S. technology is transferred, would be a prohibited transaction. Compliance teams for U.S. private equity, venture capital, and corporate development functions active in China must screen new investments against the covered technology definitions. The definitional complexity (especially for AI systems) makes the threshold determination — prohibited vs. notifiable vs. exempt — the primary compliance challenge. The 30-day post-closing notification requirement for notifiable transactions means compliance assessment must be completed before closing, not after.

Recent rulemakings: The outbound investment rule was finalized at 89 FR 90368 (November 2024), effective January 2, 2025. Treasury has published guidance addressing notification submission procedures and FAQs on key definitional questions (particularly for AI thresholds).

Pending Legislation

  • HR 6707 — CFIUSMCA Act: address CFIUS review in the context of USMCA trade agreement compliance. Status: Introduced.
  • HR 7074 — Keeping Public Lands Out of Adversarial Hands Act: restrict foreign adversary acquisition of interests near public lands. Status: Introduced.

Recent Developments

CFIUS activity has increased dramatically, driven by U.S.-China technology competition. The TikTok divestiture saga — in which CFIUS determined that ByteDance's Chinese ownership of the social media platform posed a national security threat, leading to legislation requiring divestiture or a ban — became the highest-profile CFIUS case in history. CFIUS has increasingly focused on semiconductor supply chains, artificial intelligence, quantum computing, biotechnology, and agricultural technology — sectors also governed by tightening export controls. The Treasury Department has implemented FIRRMA's provisions through regulations expanding covered real estate and critical technology definitions. Outbound investment screening — restricting U.S. investment in Chinese technology sectors — has emerged as a complementary tool, authorized by executive order in 2023, though it operates outside the CFIUS statutory framework.

  • TikTok deadline and Trump extension (2025): Congress passed legislation in April 2024 requiring ByteDance to divest TikTok or face a U.S. ban — the first time Congress mandated a CFIUS-related divestiture by statute. The Supreme Court upheld the law in January 2025. On Day 1, Trump issued an executive order delaying enforcement by 75 days, citing ongoing deal negotiations. As of early 2026, a divestiture deal had not been completed; TikTok continued operating under successive enforcement deferrals while negotiations with potential U.S. buyers proceeded. The episode demonstrated that CFIUS concerns, when severe enough, can lead to forced divestiture and that the President has significant discretion over enforcement timing.
  • Outbound investment rules finalized (2025): The Biden-era executive order on outbound investment screening (EO 14105, August 2023) was implemented through Treasury regulations effective January 2025, restricting U.S. persons from investing in Chinese companies in three sectors: semiconductors and microelectronics, quantum information technologies, and AI systems. The Trump administration reviewed these rules but kept them in place, adding them to broader China technology competition strategy.
  • Agricultural land restrictions tightened: Following the agricultural land provisions in NDAA FY2024 (expanding CFIUS jurisdiction over foreign purchases near military installations), the Trump administration directed CFIUS to scrutinize Chinese-affiliated agricultural land purchases more aggressively. Over 30 states have enacted their own restrictions. The USDA Agriculture Foreign Investment Disclosure Act (AFIDA) requires disclosure of foreign agricultural land purchases — GAO found significant compliance gaps and data quality issues.
  • AI and biotech CFIUS priorities (2026): CFIUS has increased mandatory reviews of foreign investments in AI companies, genomics, and synthetic biology. The Biden administration's 2024 proposed rulemaking expanding covered investment definitions was finalized and took effect; foreign investments in certain AI training data companies and large language model developers now require CFIUS notification. The Trump administration has maintained these expansions while accelerating review timelines for deals involving allied nations under bilateral CFIUS arrangements.
  • CFIUS filing volumes: Annual CFIUS declarations and notices reached record levels in 2023-2024, with technology sector filings dominant. Voluntary filings have increased as companies seek safe harbor from post-closing reviews. Mitigation agreements (requiring structural changes, security officers, or board-level restrictions) are increasingly standard for deals approved with conditions.