2. Target Facility Locations
The addresses of the target’s facilities have become critically important in recent years. We learned from the case of Ralls Corporation that locations situated near sensitive U.S. government sites are seen by CFIUS as national security issues within its purview.29 Multiple subsequent CFIUS cases have affirmed that CFIUS scrutinizes the addresses of all facilities.
For these reasons, it is best to provide complete information on all physical locations owned, leased, or used by the target. FIRRMA now explicitly requires that CFIUS review the potential sensitivity of the location of real estate in a subject transaction.
3. Target Cybersecurity and Data Control Plans
Virtually all cases we’ve been involved in over the last two years have received scrutiny on cybersecurity. Additionally, almost all cases involving a target that manufactures or exports items subject to the U.S. International Traffic in Arms Regulations have received scrutiny on the company’s technology control plans and other ITAR technical data controls. Similarly, virtually all cases involving a target that deals in items specifically enumerated with an Export Control Classification Number on the U.S. Commerce Control List receive scrutiny on the technology controls.
If the target does not have a written cybersecurity plan in place, we recommend implementing one. If there is a plan in place, it should be reviewed and updated to address any heightened risk created by the proposed foreign ownership.
If the target’s commodities, technology, or technical data are controlled by the ITAR, or are categorized under any enumerated Export Control Classification Numbers (ECCNs) under the U.S. Export Administration Regulations, be sure there are written compliance policies and procedures, and be sure they are updated to address any heightened foreign ownership risk.
THE CFIUS BOOK
  §800.402(c)(1)(iv): The name, address, website address (if any), principal place of business, and place of incorporation or other legal organization of the U.S. business that is the subject of the transaction.
  §800.402(c)(3)(viii): a description and copy of the cyber security plan, if any, that will be used to protect against cyberattacks on the operation, design, and development of the U.S. business’s services, networks, systems, data storage, and facilities.
 43