CFIUS, ICTS, and Outbound Investment Screening
Investment screening as a sanctions-adjacent tool: CFIUS jurisdiction under FIRRMA, ICTS supply-chain authority, and the 2024 outbound investment rule on China.
The Statutory Architecture of CFIUS
The Committee on Foreign Investment in the United States (CFIUS) is an interagency body chaired by the Secretary of the Treasury, operating under Section 721 of the Defense Production Act of 1950 (50 U.S.C. §4565). Its modern shape derives from the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA, Pub. L. 115-232), which expanded jurisdiction beyond classic control transactions to capture certain non-controlling investments in 'TID U.S. businesses' — those involved in critical Technology, critical Infrastructure, or sensitive personal Data. The implementing regulations sit at 31 C.F.R. Parts 800 and 802.
CFIUS is not a sanctions program. It is a national-security review mechanism that can block, unwind, or condition foreign acquisitions of U.S. businesses. But it functions in the same policy ecosystem as OFAC sanctions and BIS export controls, and increasingly the three are coordinated. A Chinese acquirer subject to no SDN listing may still be blocked by CFIUS; conversely, a Russian-linked acquirer may face both SDN designation and a CFIUS prohibition.
Mandatory Filings and the Covered Transaction Universe
Under FIRRMA, filings are mandatory in two situations: (1) covered investments in TID businesses producing or designing items subject to certain export-control regimes where a foreign person would acquire a 'substantial interest' tied to a foreign government (25 percent or more government ownership); and (2) covered transactions involving U.S. businesses developing 'critical technologies' for which a U.S. export license would be required to the foreign investor's jurisdiction (31 C.F.R. §800.401). All other covered transactions remain voluntary, but parties file because an unreviewed transaction carries indefinite CFIUS jurisdiction — the Committee can call in deals years later, as it did with the 2019 forced divestiture of Beijing Kunlun's acquisition of Grindr (closed 2016, unwound 2020).
Real Estate and the 2024 Rule Expansion
Part 802, added by FIRRMA, gives CFIUS jurisdiction over certain real estate transactions near sensitive U.S. government sites even where no U.S. business is acquired. The list of covered installations was substantially expanded by a Treasury final rule effective 17 December 2024, adding more than 50 military installations — including Grand Forks Air Force Base in North Dakota, the trigger site for the 2022 Fufeng Group corn-milling controversy. The rule extends the radius for many bases to 100 miles and captures additional missile fields and training ranges.
Mitigation, Blocks, and Presidential Action
Most CFIUS cases resolve through National Security Agreements (NSAs) imposing mitigation: governance restrictions, U.S.-citizen-only access to sensitive data, proxy boards, or divestiture of specific assets. Where mitigation is inadequate, the President may prohibit or unwind the transaction under §721(d). Presidential prohibitions remain rare but consequential: Ralls Corp. v. CFIUS (2012, wind farms near a Navy drone range), Broadcom-Qualcomm (March 2018), the Trump order against TikTok's parent ByteDance (August 2020, later litigated), and the January 2025 prohibition of Nippon Steel's $14.9 billion acquisition of U.S. Steel issued by President Biden. The Nippon Steel case demonstrates that CFIUS authority reaches even close-allied acquirers when domestic industrial-policy concerns intersect with the national-security framing.
Penalties for non-filing of mandatory transactions or breach of mitigation reach $5 million per violation or the value of the transaction (per the 2024 enforcement rule raising prior $250,000 caps). Treasury's enforcement and penalty guidelines, first published October 2022 and updated 2024, signal a shift from a clearance regime to an active enforcement posture.