Understanding FOCI: Compliance and Microsoft 365 Solutions

Foreign Ownership, Control, or Influence (FOCI), defined in 32 Code of Federal Regulations (CFR) Part 117 (the National Industrial Security Program Operating Manual, or NISPOM, rule), has significant implications for organizations that handle classified U.S. information and, in some cases, controlled unclassified information (CUI), particularly in the context of national security. This blog post aims to provide an understanding of FOCI, its applicability, compliance requirements, and how Microsoft 365 can assist in meeting those requirements. 

What is FOCI? 

Generally, FOCI refers to the power, exercised or unexercised, direct or indirect, that a foreign interest has to direct or decide matters affecting the management or operations of a U.S. company in a manner that could result in unauthorized access to classified information or adversely affect the performance of a classified contract. A foreign interest can hold this power through ownership of a U.S. company's securities, through contractual arrangements, or by other means. 

To Whom Does FOCI Apply? 

DoD (through the Defense Counterintelligence and Security Agency, DCSA) makes a FOCI determination as part of the facility clearance process, that is, when deciding whether a U.S. entity may store, process, and transmit classified information or perform on classified contracts. Changes in ownership, indebtedness, and other circumstances can change that determination, trigger mitigation measures, or require negotiation of a new mitigation agreement. DoD's primary consideration is the protection of classified information; the U.S. Government allows foreign investment that is consistent with the national security interests of the United States.  

Compliance with FOCI 

Organizations under FOCI must focus on several key areas to ensure compliance: 

  • Security Clearances: Ensure that all personnel handling classified information have the appropriate security clearances. This involves a thorough background check of the individuals to assess their trustworthiness and reliability before granting them access to classified information. 
  • Access Controls: Implement stringent access controls to prevent unauthorized access to classified information. This includes both physical and digital controls. Physical controls may involve secure storage facilities for classified information, while digital controls may include hardened servers, firewalls, and encryption. 
  • Auditing: Regularly audit access to classified information to detect and prevent potential breaches. This involves logging all access to classified information, monitoring those logs, and analyzing them to identify unusual or suspicious activity. 
  • Training: Provide regular training to all employees about the importance of protecting classified information and the potential risks associated with FOCI. This training should cover the company’s security policies and procedures, the nature of the classified information they will be handling, and the potential consequences of a security breach. 

Microsoft 365 and FOCI Compliance 

Microsoft 365 offers several features that can assist organizations in meeting FOCI compliance requirements (e.g., § 117.18 Information system security). Organizations can use these features and capabilities to enhance security, improve auditing capabilities, ensure the protection of classified information, and demonstrate the efficacy of their Information System Security Program. 

  • Communication Auditing: Microsoft 365 provides comprehensive auditing of user and administrator activity. The unified audit log records activity across Microsoft 365 workloads (Exchange Online email, Teams chats, SharePoint and OneDrive file access and sharing), so organizations can track who accessed or shared which content and when. By retaining and reviewing these records, organizations can identify unusual activity or potential compromise of protected information, respond quickly, and produce the audit evidence FOCI mitigation agreements call for. 
  • Compliance Practice Control Mapping: Another key feature of Microsoft 365 is control mapping (Compliance Manager in Microsoft Purview). This tool helps organizations map their implemented controls to specific regulatory requirements. By providing a clear overview of how their practices align with FOCI-related requirements, organizations can confirm they are meeting the necessary standards, and the mapping can be updated as regulations change to maintain ongoing compliance. 
  • Data Loss Prevention (DLP): Microsoft 365’s DLP features are designed to prevent the accidental sharing of sensitive information. By identifying and blocking the transmission of classified information, DLP can significantly enhance the protection of classified information. This feature can be customized to meet the specific needs of an organization, providing flexible and robust protection for classified data. 
  • Advanced Threat Protection (ATP): ATP, now named Microsoft Defender for Office 365, helps protect against sophisticated threats such as phishing and zero-day malware, both of which can lead to breaches of classified information. It uses machine learning, attachment detonation (sandboxing), and signal sharing across Microsoft services to find and neutralize these threats quickly. 
  • Information Protection and Compliance: Microsoft 365’s Information Protection and Compliance solution helps organizations to categorize (what Microsoft frequently calls classify), label, and protect sensitive data based on regulatory standards. It includes features like sensitivity labels, data classification, and data loss prevention policies that can be tailored to meet FOCI requirements.
  • Security and Compliance Center: The Microsoft 365 Security and Compliance Center (since split into the Microsoft Purview compliance portal and the Microsoft Defender portal) is a unified interface that brings together a variety of security and compliance tools. It gives organizations a centralized location to manage the controls that support FOCI compliance across Microsoft 365 services. 
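A practical way to use the auditing capability above is to pull sharing events from the unified audit log and flag any that grant access to someone outside the tenant, which is exactly the kind of evidence a FOCI mitigation review asks for. The script below is an added example written for this post, not code from the page or from Microsoft. It parses the AuditData JSON that Search-UnifiedAuditLog returns for SharePoint/OneDrive sharing operations; the three sample records, the tenant domain contoso.com, and the file paths are constructed so the parsing part runs offline, and the live query is shown in comments using the real ExchangeOnlineManagement cmdlets.

```powershell
# Added example (not from the original post): triage Microsoft 365 unified audit log
# records for sharing of content with identities outside the tenant.
# Assumptions: tenant domain 'contoso.com', constructed sample records, and that live
# records come from Search-UnifiedAuditLog -RecordType SharePointSharingOperation.

function Get-ExternalSharingEvents {
    param(
        [Parameter(Mandatory)] [string[]] $AuditDataJson,   # one AuditData JSON string per record
        [Parameter(Mandatory)] [string]   $TenantDomain      # e.g. 'contoso.com' (assumed)
    )
    # Sharing operations that grant someone new access to an item
    $sharingOps = @('SharingSet', 'SharingInvitationCreated', 'AddedToSecureLink', 'AnonymousLinkCreated')

    foreach ($json in $AuditDataJson) {
        $rec = $json | ConvertFrom-Json
        if ($rec.Operation -notin $sharingOps) { continue }

        $target = $rec.TargetUserOrGroupName
        # External if: an anonymous link was made, the target is typed as a Guest,
        # or the target address is not in our own domain.
        $external = ($rec.Operation -eq 'AnonymousLinkCreated') -or
                    ($rec.TargetUserOrGroupType -eq 'Guest') -or
                    ($target -and ($target -notlike "*@$TenantDomain"))
        if (-not $external) { continue }

        [pscustomobject]@{
            Time      = [datetime]$rec.CreationTime
            Actor     = $rec.UserId
            Operation = $rec.Operation
            Target    = if ($target) { $target } else { '<anonymous link>' }
            Object    = $rec.ObjectId
        }
    }
}

# Constructed sample records in the shape of AuditData for SharePointSharingOperation.
$sample = @(
  '{"CreationTime":"2024-03-04T15:21:07","Operation":"SharingSet","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/program-x/Shared Documents/design.docx","TargetUserOrGroupName":"bob@contoso.com","TargetUserOrGroupType":"Member"}',
  '{"CreationTime":"2024-03-04T16:02:44","Operation":"SharingInvitationCreated","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/program-x/Shared Documents/design.docx","TargetUserOrGroupName":"partner@example.net","TargetUserOrGroupType":"Guest"}',
  '{"CreationTime":"2024-03-05T09:10:00","Operation":"AnonymousLinkCreated","UserId":"carol@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/program-x/Shared Documents/bom.xlsx"}'
)

# Offline run: the first record (internal share to bob@contoso.com) is dropped,
# the guest invitation and the anonymous link are reported.
Get-ExternalSharingEvents -AuditDataJson $sample -TenantDomain 'contoso.com' | Format-Table -AutoSize

# Live retrieval (requires Install-Module ExchangeOnlineManagement and an audit-reader role):
# Connect-ExchangeOnline
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                -RecordType SharePointSharingOperation -ResultSize 5000
# Get-ExternalSharingEvents -AuditDataJson $records.AuditData -TenantDomain 'contoso.com'
```

Two caveats for real use: Search-UnifiedAuditLog pages at 5,000 results, so a busy tenant needs the -SessionId/-SessionCommand ReturnLargeSet pattern or an export to a SIEM, and the unified audit log only covers Microsoft 365 workloads; activity on other Azure-hosted systems has to be collected from those systems' own logs.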

Relationship between FOCI and CUI assessments 

It is important to realize that, generally, FOCI-related assessments and DIBCAC or CMMC C3PAO assessments are distinct activities. It is possible, and even likely, that entities can reuse artifacts and evidence showing that security policies, processes, and procedures are in use for both types of assessment; audit log exports, DLP policy reports, and sensitivity label configurations from Microsoft 365 are examples of evidence that can serve both. 

Conclusion 

Understanding and complying with FOCI is crucial for any organization dealing with classified information. With its robust set of features, Microsoft 365 can play a key role in helping organizations meet these compliance requirements.