CFIUS Review in M&A: When Foreign Buyers Trigger National Security Scrutiny

The Committee on Foreign Investment in the United States reviews acquisitions by foreign buyers for national security risk. A business that manufactures specialty components, holds government contracts, collects sensitive data, or operates near a military installation may trigger a CFIUS review regardless of deal size — and CFIUS can block, condition, or unwind a completed transaction.

Best for: Founders preparing for a sale; M&A advisors & bankers
Use this perspective to move toward transaction readiness, sale timing, or M&A execution work.

Key takeaways

  • CFIUS reviews acquisitions of U.S. businesses by foreign persons or entities for national security risk; the review covers technology, critical infrastructure, sensitive personal data, and proximity to military facilities — not just defense contractors
  • Mandatory CFIUS filing is required for certain acquisitions of TID U.S. Businesses (technology, infrastructure, data) by foreign government-controlled investors; voluntary filing is available and strongly advisable even when not mandatory
  • CFIUS can approve, approve with mitigation conditions (national security agreements), or refer a transaction to the President for prohibition — and can review transactions after closing if no filing was made
  • The CFIUS review period is 30 days for a short-form declaration or 45 days for a full notice, extendable by an additional 45 days; deals involving Chinese or Russian buyers face heightened scrutiny and longer timelines
  • Sellers with U.S. government contracts, export-controlled technology (ITAR/EAR), or large databases of sensitive personal data should conduct a CFIUS risk assessment before accepting any foreign buyer offer

In this article

  1. What CFIUS is and why it matters in lower-middle-market M&A
  2. Which businesses are most at risk of CFIUS review
  3. Mandatory vs. voluntary filings: when each applies
  4. How CFIUS affects deal timing and what happens during a review
  5. What sellers should do before accepting a foreign buyer offer

What CFIUS is and why it matters in lower-middle-market M&A

The Committee on Foreign Investment in the United States is an interagency body chaired by the Secretary of the Treasury that reviews acquisitions of U.S. businesses by foreign persons for national security risk. CFIUS's authority was significantly expanded by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which broadened the types of transactions subject to review and introduced mandatory filing requirements for certain categories of investment.

In the lower middle market, CFIUS is most relevant when a foreign buyer — a foreign company, a foreign private equity fund, or a U.S. company with significant foreign ownership — is among the potential acquirers. The nationality of the ultimate beneficial owner of the buyer, not the buyer's corporate domicile, determines CFIUS jurisdiction. A European private equity fund with a sovereign wealth fund limited partner may be a foreign government-controlled investor for CFIUS purposes. An Asian strategic acquirer may have foreign government connections that trigger mandatory filing. A U.S.-domiciled company owned by a foreign holding company may still be a foreign buyer under CFIUS rules.

Research finding
CFIUS Key Facts

Governing statute: Defense Production Act of 1950, as amended by FIRRMA (2018)

Administering body: interagency committee chaired by Secretary of the Treasury

Jurisdiction: acquisitions of U.S. businesses by foreign persons; minority investments in TID U.S. Businesses

Mandatory filing: required for certain acquisitions by foreign government-controlled investors of TID U.S. Businesses

Voluntary filing: available and advisable for transactions with national security nexus

Review period: 30 days (declaration) or 45 days (full notice), extendable by additional 45 days

Post-close review: CFIUS can review transactions after closing if no filing was made; no statute of limitations

Which businesses are most at risk of CFIUS review

CFIUS jurisdiction expanded significantly under FIRRMA to cover four categories of U.S. business beyond traditional defense and national security contractors. Understanding which category applies is the starting point for any CFIUS risk assessment.

CFIUS Risk Categories Under FIRRMA

| Category | Examples | Risk Level |
| --- | --- | --- |
| Critical technology | ITAR/EAR export-controlled technology; emerging technologies (AI, biotech, quantum, semiconductors, advanced manufacturing) | High; mandatory filing may apply for foreign government investors |
| Critical infrastructure | Energy, water, telecommunications, transportation, financial systems | High for core infrastructure; moderate for adjacent businesses |
| Sensitive personal data | Businesses collecting or maintaining genetic data, financial data, health data, or geolocation data on 1M+ Americans | High; specific thresholds trigger enhanced review |
| Proximity to military installations | Businesses operating near military bases or government facilities | Moderate; geographic triggers are specific |
| Government contractors | DoD, intelligence community, and sensitive federal agency contracts | High; contracts involving classified information or cleared personnel are significant triggers |
| General commercial | No connection to above categories; purely commercial business acquired by a non-government-connected foreign buyer | Low; voluntary filing generally not advisable unless specific facts apply |

The most commonly overlooked CFIUS triggers in the lower middle market are: (1) sensitive personal data — businesses that collect health, financial, or location data on large numbers of Americans, including healthcare companies, fintech businesses, and consumer apps; (2) export-controlled technology — manufacturers and service providers with ITAR or EAR classification on their products or processes, even if they do not self-identify as defense companies; and (3) proximity — businesses with facilities near military installations, which can trigger review even for otherwise commercial businesses.

A seller who collects and maintains health data, financial data, or precise geolocation data on more than one million Americans operates a "TID U.S. Business" under FIRRMA. This includes healthcare businesses, employers with large employee health plan data, consumer financial services companies, and businesses that use location-enabled mobile applications. If a foreign buyer acquires such a business without a CFIUS filing, CFIUS can conduct a post-close review at any time with no statute of limitations.

Mandatory vs. voluntary filings: when each applies

FIRRMA created two tracks for CFIUS filings: mandatory and voluntary. A failure to make a mandatory filing can result in civil penalties of up to the value of the transaction.

Mandatory filing is required when a foreign government-controlled investor acquires a "substantial interest" (generally 25% or more of voting interests) in a TID U.S. Business, or when a foreign person acquires any interest in a TID U.S. Business that involves critical technology subject to export controls. Mandatory filings can be submitted as a short-form declaration (30-day review period) or a full notice (45-day review period).

CFIUS Filing Requirements

| Filing Type | When Required | Review Period | Outcome |
| --- | --- | --- | --- |
| Mandatory declaration | Foreign government-controlled investor acquiring substantial interest in TID U.S. Business; certain critical technology transactions | 30 days | CFIUS clears, requests full notice, or initiates review |
| Mandatory full notice | CFIUS requests full notice after declaration; certain transactions with classified information | 45 days + possible 45-day extension | CFIUS clears, imposes mitigation, or refers to President |
| Voluntary declaration | Not required; advisable for transactions with national security nexus | 30 days | Same as mandatory declaration |
| Voluntary full notice | Not required; advisable for complex national security situations | 45 days + possible extension | Same as mandatory full notice |
| No filing | Permissible for transactions with no CFIUS nexus | N/A | CFIUS retains post-close review authority indefinitely |

Voluntary filing — when not legally required — is strongly advisable for transactions with any national security nexus. A completed transaction with no filing provides no safe harbor: CFIUS can review it at any time and impose conditions or recommend presidential prohibition after close. The uncertainty of an unfiled transaction is a risk many buyers and their financing sources will not accept, making a voluntary filing a practical requirement even when not legally mandated.

How CFIUS affects deal timing and what happens during a review

A CFIUS filing triggers a structured review process with defined timelines that must be built into the deal timeline. The basic review periods are 30 days for a short-form declaration and 45 days for a full notice, with a possible 45-day extension. During the review period the transaction may not close without CFIUS clearance.

At the end of the review period, CFIUS has four options: clear the transaction, clear with conditions (a national security agreement imposing ongoing obligations), request additional time, or refer the transaction to the President for determination. Presidential referrals are rare but can result in a prohibition.

CFIUS Deal Timeline Impact

| Filing Type | Preparation | Review Period | Total Time from Filing to Clearance |
| --- | --- | --- | --- |
| Short-form declaration | 2–4 weeks | 30 days | 6–10 weeks |
| Full notice | 4–8 weeks | 45 days + possible 45-day extension | 12–20 weeks |
| Complex review (Chinese/Russian buyer or high national security risk) | 8–12 weeks | Multiple extensions possible | 6+ months |

Deals involving Chinese buyers face heightened scrutiny and longer timelines regardless of the specific business. CFIUS has been more likely to impose conditions or recommend prohibition on Chinese-controlled acquisitions in technology, infrastructure, and data categories. Founders who receive interest from Chinese acquirers should assume a CFIUS review will be required and plan accordingly — both in terms of timeline and the likelihood of conditions.

CFIUS mitigation conditions in national security agreements can be significant ongoing obligations: restrictions on which employees can access certain systems, requirements for U.S.-citizen oversight of certain functions, prohibition on sharing certain technical data with the foreign buyer, and in some cases appointment of a government-approved security officer. These conditions are negotiated between the parties and CFIUS before closing. Sellers should ensure their M&A advisor has CFIUS experience and can advise on the likely conditions for their specific business and buyer.

What sellers should do before accepting a foreign buyer offer

A seller entertaining interest from any foreign buyer should conduct a CFIUS risk assessment before the LOI stage. The LOI is the point at which timeline, regulatory closing conditions, and termination rights are negotiated. A seller who does not understand their CFIUS exposure before signing an LOI may accept terms that do not account for the review period, or accept a deal from a foreign buyer who cannot obtain CFIUS clearance at any price.

CFIUS Pre-LOI Checklist for Sellers

  1. Identify all foreign buyers in the process
     For any bidder with foreign ownership, beneficial ownership, or LP base, map the ownership structure back to the ultimate owners; identify any foreign government-connected investors
  2. Assess TID U.S. Business status
     Determine whether the business operates in critical technology, critical infrastructure, sensitive personal data, or proximity-to-military categories
  3. Identify export-controlled technology
     Review whether any products, components, or services are subject to ITAR or EAR controls; export controls are an independent CFIUS trigger
  4. Review government contracts
     Identify all federal contracts and their classification or sensitivity level; DoD and intelligence community contracts are significant CFIUS triggers
  5. Assess mandatory filing requirement
     Work with CFIUS counsel to determine whether a mandatory filing applies to any foreign buyer offer
  6. Build CFIUS timeline into the deal
     Require foreign buyers to submit CFIUS declarations before LOI signing, or include a regulatory closing condition with a defined outside date
  7. Negotiate a reverse termination fee for CFIUS failure
     If a foreign buyer cannot obtain CFIUS clearance, the seller should have a reverse break-up fee — typically 5–10% of deal value — as compensation for taking the business off the market

The reverse termination fee is the key contractual protection for sellers entertaining foreign buyers. Without it, a seller who signs an LOI with a foreign buyer, takes the business off the market for 6–12 months during a CFIUS review, and then has the deal blocked by CFIUS receives nothing for the time lost.

Frequently asked questions

Does CFIUS apply to minority investments?

Yes, in certain circumstances. FIRRMA expanded CFIUS jurisdiction to cover minority investments by foreign persons in TID U.S. Businesses that afford the foreign investor board representation, access to material non-public technical information, or involvement in substantive business decisions. A PE deal in which a foreign limited partner receives board observation rights in a TID portfolio company may trigger review for the LP's minority interest.

Does CFIUS apply to asset sales?

Yes. CFIUS jurisdiction covers acquisitions of any U.S. business — including asset acquisitions — by a foreign person. The analysis focuses on whether the foreign person is gaining control of a U.S. business or access to its technology, data, or operations, not on the legal form of the transaction.

Research sources

  • CFIUS: Committee on Foreign Investment in the United States
  • FIRRMA: Foreign Investment Risk Review Modernization Act of 2018

Disclaimer: Financial figures and case studies in this article are illustrative, based on representative middle market assumptions, and are not guarantees of outcome. Statistical references are drawn from cited third-party research; individual transaction and operational results vary based on business characteristics, market conditions, and deal structure. This content is for informational purposes only and does not constitute legal, financial, or investment advice. Consult qualified advisors for guidance specific to your situation.
