A CFIUS mitigation agreement is a negotiated arrangement between the Committee on Foreign Investment in the United States (CFIUS) and parties to a covered transaction—typically a foreign acquirer and a U.S. target—that imposes conditions designed to address national-security concerns identified during CFIUS review. Rather than blocking a deal outright or recommending that the President do so, CFIUS can clear the transaction subject to ongoing obligations the parties must meet.
CFIUS is an interagency body chaired by the Treasury Secretary, with members including the Departments of Defense, State, Justice, Commerce, Energy, and Homeland Security. Its authority derives from Section 721 of the Defense Production Act of 1950, as amended most recently by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which expanded CFIUS jurisdiction to certain non-controlling investments and real estate transactions and explicitly codified the use of mitigation.
Typical mitigation terms can include:
- Governance restrictions, such as excluding foreign personnel from access to sensitive technology, data, or facilities.
- Security control agreements requiring a U.S.-citizen board committee or proxy arrangement.
- Divestiture of specific assets, business lines, or contracts.
- Data-handling and cybersecurity protocols, including U.S.-based storage and audit rights.
- Compliance monitoring, third-party auditors, and reporting obligations to a lead CFIUS agency.
Agreements are enforceable; FIRRMA strengthened CFIUS's authority to impose civil penalties for breach. The Treasury's annual reports to Congress have shown a steady increase in mitigation use, particularly in semiconductors, biotech, defense supply chains, and personal-data businesses. High-profile examples include conditions imposed on Chinese-owned platforms and the well-known forced divestiture of Grindr by Beijing Kunlun in 2019–2020 after CFIUS determined mitigation alone was insufficient.
For researchers, mitigation agreements illustrate how the United States uses regulatory tools—rather than outright bans—to reconcile open investment policy with security concerns over technology transfer and data exposure.
Example
In 2018, CFIUS required Chinese firm Beijing Kunlun to divest dating app Grindr after concluding that a mitigation agreement could not adequately protect U.S. user data; the sale was completed in 2020.
Frequently asked questions
A designated lead agency (often Defense, Treasury, or Homeland Security) monitors compliance, with CFIUS empowered to impose civil penalties or order divestment for material breaches under FIRRMA.
Keep learning