Security Control Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Security Control Agreement?

The Security Control Agreement serves as a critical tool in U.S. national security infrastructure, specifically designed for situations where companies with foreign ownership or investment require access to classified information or contracts. This agreement type emerged from the need to balance national security interests with international business operations. It provides a framework for implementing and maintaining security controls, reporting mechanisms, and governance structures that satisfy federal requirements while allowing business operations to continue. The agreement must comply with NISPOM, FIRRMA, and other relevant federal regulations, and is typically required when foreign ownership or control exists but does not warrant a more restrictive Proxy Agreement or Voting Trust Agreement.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Security Control Agreement

A Security Control Agreement is a specialized legal instrument that allows companies with foreign ownership or investment to access classified U.S. government contracts and information while maintaining strict security protocols. This agreement creates a framework that balances national security interests with legitimate international business operations, ensuring compliance with federal regulations while enabling commercial activities.

When do you need this document?

You need a Security Control Agreement when your company has foreign ownership or investment and seeks to bid on or perform classified government contracts. This situation commonly arises when foreign investors hold significant stakes in U.S. defense contractors, technology companies working on sensitive projects, or businesses seeking facility security clearances. The agreement becomes necessary when the Committee on Foreign Investment in the United States (CFIUS) or the Defense Counterintelligence and Security Agency (DCSA) determines that foreign influence poses potential security risks but can be mitigated through structured controls rather than complete divestiture or proxy arrangements.

Key legal considerations

The agreement must establish robust security controls that isolate foreign parties from classified information and decision-making processes. Key provisions include creating a Government Security Committee with cleared U.S. citizens who oversee security matters, implementing information barriers to prevent unauthorized access, and establishing reporting requirements to government agencies. You must carefully define the scope of restricted activities, specify which personnel can access classified areas, and outline procedures for handling security violations. The agreement should address technology transfer restrictions, export control compliance, and protocols for board meetings where classified matters might arise. Additionally, consider provisions for regular security audits, employee screening procedures, and termination clauses that protect classified information if the arrangement ends.

Legal requirements in United States

Under U.S. federal law, Security Control Agreements must comply with the National Industrial Security Program Operating Manual (NISPOM), which establishes comprehensive requirements for protecting classified information in industry. The Foreign Investment Risk Review Modernization Act (FIRRMA) expanded CFIUS authority to review and impose conditions on foreign investments that could affect national security. Your agreement must satisfy Department of Defense security requirements and may need approval from relevant government agencies before implementation. The Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) may impose additional restrictions on technology sharing and export activities. Compliance with the Defense Production Act of 1950 may also be required for companies involved in critical defense manufacturing. Regular reporting to the Defense Counterintelligence and Security Agency and other oversight bodies is typically mandatory, and failure to maintain required security standards can result in contract termination or facility clearance revocation.

GOVERNING LAW

Applicable law

This Security Control Agreement is drafted to comply with United States law. Key legislation includes:

NISPOM: National Industrial Security Program Operating Manual - Establishes requirements for protecting classified information and materials in industry.

FIRRMA: Foreign Investment Risk Review Modernization Act - Expands CFIUS authority to review foreign investments in US companies for national security concerns.

Defense Production Act of 1950: Provides the federal government broad authority to influence domestic industry in the interest of national defense.

EAR: Export Administration Regulations - Controls the export and re-export of commercial and dual-use items.

ITAR: International Traffic in Arms Regulations - Controls the export and import of defense-related articles and services.

DoD Security Requirements: Department of Defense specific security protocols and requirements for contractors and suppliers.

CFIUS Regulations: Committee on Foreign Investment in the United States regulations governing review of foreign investments for national security implications.

DSS Requirements: Defense Security Service requirements for handling classified information and maintaining facility clearances.

DCSA Guidelines: Defense Counterintelligence and Security Agency guidelines for industrial security and personnel vetting.

Securities Exchange Act of 1934: Federal law governing securities trading and requiring certain disclosures for public companies.

State Corporate Laws: Various state-specific corporate governance laws affecting company operations and control.

Delaware General Corporation Law: Comprehensive set of laws governing corporate operations for Delaware-incorporated entities.

FISMA: Federal Information Security Management Act - Sets information security standards for federal agencies and contractors.

CISA: Cybersecurity Information Sharing Act - Promotes sharing of cyber threat information between private sector and government.

State Data Protection Laws: Various state-specific laws governing data privacy and security requirements.

Industry-Specific Regulations: Sector-specific security and compliance requirements for industries like aerospace, defense, and technology.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it