Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States
Executive Order 14083, issued September 15, 2022, directs the Committee on Foreign Investment in the United States (CFIUS) to ensure its review of foreign investments stays robust in the face of evolving national security risks. Building on the existing FIRRMA framework (the Defense Production Act, section 721), the order expands the factors CFIUS should consider when assessing covered transactions. It places particular emphasis on supply chain resilience, critical and emerging technologies, cybersecurity, and the handling of United States persons’ sensitive data. It also requires periodic publication of technology-sector priorities by the Office of Science and Technology Policy (OSTP) and mandates ongoing reviews of CFIUS processes with reporting to the National Security Advisor, ensuring policy updates keep pace with changing threats. The order does not change CFIUS’s jurisdiction or create new legal rights; instead, it guides how reviews should be conducted to better identify and mitigate national security risks. In short, the order strengthens CFIUS’s analytical framework to consider patterns of investment, cross-cutting risks (like cybersecurity and data privacy), and sector-wide trends, while linking review guidance to evolving technology priorities and periodic internal improvements.
Key Points
- 1Expanded and elaborated factors for CFIUS review. The order adds and clarifies considerations related to supply chain resilience, diversification of suppliers, and how aggregate or pattern-based investments (not just a single transaction) could collectively threaten national security. It also emphasizes critical technologies and sectors identified as fundamental to U.S. leadership.
- 2Cybersecurity and data-security emphasis. The order requires consideration of risks from foreign investments that could enable cyber intrusions, access to sensitive databases, or disruption of elections, critical infrastructure, or cybersecurity priorities. It also looks at the cybersecurity posture of both the foreign investor and the U.S. target to assess potential misuse.
- 3Sensitive data and privacy concerns. The order directs attention to investments that involve United States persons’ sensitive data (including health, digital identity, genetic data, and data that could be de-anonymized) and to risks posed by transfers of such data to foreign entities, including the impact of third-party ties.
- 4OSTP-led technology sectors list. OSTP, with input from other Committee members, must periodically publish a list of technology sectors fundamental to U.S. leadership (e.g., microelectronics, AI, biotech, quantum computing, advanced clean energy, climate tech, critical minerals). CFIUS should consider this list when evaluating transactions.
- 5Regular review and reporting. The Committee must regularly review its processes, practices, and regulations, and provide a public-facing report with policy recommendations to the Assistant to the President for National Security Affairs to help address evolving national security risks.