A National Security Agreement (NSA) is a legally binding instrument used by governments to address national security concerns raised by foreign investment, mergers, supply-chain dependencies, or sensitive contracts. The best-known regime is operated by the Committee on Foreign Investment in the United States (CFIUS), an interagency body chaired by the Treasury Secretary that reviews foreign acquisitions of U.S. businesses. When CFIUS identifies risks it cannot resolve through divestiture or blocking, it negotiates an NSA with the transaction parties as a condition of clearance.
Typical NSA provisions include:
- Governance controls such as appointing U.S. citizens to security-cleared director or officer positions, or creating a Government Security Committee on the board.
- Data and facility access restrictions, including segregating sensitive data, limiting foreign-national access, and using approved IT systems.
- Supply-chain commitments, such as continuing to supply U.S. government customers or sourcing from approved vendors.
- Audit, reporting, and monitoring obligations, often involving a third-party monitor or auditor paid for by the company.
- Remedies for breach, ranging from fines to forced divestiture.
The legal basis in the U.S. is the Defense Production Act of 1950, Section 721, as amended by the Foreign Investment and National Security Act of 2007 (FINSA) and the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). FIRRMA significantly expanded CFIUS jurisdiction over non-controlling investments in critical technology, critical infrastructure, and sensitive personal data ("TID" businesses).
Other jurisdictions use analogous instruments under different names: the United Kingdom's National Security and Investment Act 2021 allows ministers to impose remedies via final orders; the European Union coordinates through Regulation 2019/452; and Australia's Foreign Investment Review Board can attach binding conditions to FIRB approvals.
NSAs are distinct from intergovernmental security treaties. They are commercial-regulatory instruments, usually confidential, though their existence is often disclosed in securities filings or government press releases.
Example
In 2020, ByteDance entered protracted negotiations with CFIUS over a potential National Security Agreement governing TikTok's U.S. operations, data storage, and source-code oversight.
Frequently asked questions
CFIUS member agencies monitor compliance, with the Treasury Department coordinating and the relevant lead agency (often Defense, Justice, or Homeland Security) handling day-to-day oversight.
Keep learning