CFIUS: Treasury's Review of Foreign Investment in the U.S.
The Committee on Foreign Investment in the United States (CFIUS) is the interagency body that reviews cross-border transactions for national security implications, operating under the authority of the U.S. Department of the Treasury. Established by executive order and later codified through statute, CFIUS holds the power to impose conditions on deals, require divestitures, or recommend that the President block transactions outright. This page covers the committee's definition and jurisdiction, how reviews proceed mechanically, what drives national security findings, where classification lines are drawn, and where the system generates genuine policy tension.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
CFIUS reviews foreign acquisitions, mergers, and investments in U.S. businesses to determine whether they threaten national security. The statutory basis is Section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which significantly expanded both the committee's jurisdiction and its mandatory filing requirements.
The committee is chaired by the Secretary of the Treasury and draws members from 9 permanent voting agencies, including the Departments of Defense, State, Justice, Commerce, Energy, and Homeland Security, as well as the Office of the U.S. Trade Representative and the Office of Science and Technology Policy. The Director of National Intelligence participates as a non-voting member.
FIRRMA extended CFIUS authority beyond traditional full acquisitions to cover three additional transaction types: certain non-controlling investments in U.S. businesses involved in critical technology, critical infrastructure, or sensitive personal data (so-called "TID U.S. businesses"); real estate transactions proximate to U.S. military installations or sensitive government facilities; and any transaction that could result in foreign government control of a U.S. business. The geographic scope is national, with no sector excluded by default — though certain sectors trigger mandatory rather than voluntary filings.
Core mechanics or structure
A CFIUS review proceeds through a structured sequence of phases defined in statute and implementing regulations codified at 31 C.F.R. Part 800 (for covered investments) and 31 C.F.R. Part 802 (for covered real estate).
Parties may file either a short-form declaration (typically 30 days maximum review) or a full voluntary notice. Mandatory declarations are required for transactions in which a foreign government holds a 25 percent or greater voting interest in the acquirer and the target is a TID U.S. business, as well as for certain critical technology transactions under the pilot program rules.
Upon receipt of a complete notice, CFIUS has 45 days for an initial review. If national security concerns are identified, the committee may open a 45-day investigation phase. In cases presenting unresolved risk, the committee sends a report to the President, who then has 15 days to act. The entire statutory process — from notice acceptance through a presidential decision — therefore spans a maximum of 105 days under formal review.
The committee may enter into a National Security Agreement (NSA) or mitigation agreement with transaction parties as an alternative to a recommendation to block. Mitigation measures range from data access restrictions and supply chain audits to the appointment of a government-approved security officer.
CFIUS filing fees, introduced by FIRRMA, scale with transaction value. Fees range from $0 for transactions valued under $500,000 to a cap of $300,000 for transactions valued at $750 million or more (31 C.F.R. § 800.1101).
Causal relationships or drivers
Three structural factors explain why CFIUS activity has intensified since 2018. First, the volume of foreign direct investment into technology-intensive U.S. sectors grew substantially in the years preceding FIRRMA, particularly from Chinese state-affiliated entities acquiring semiconductor, artificial intelligence, and biotechnology companies. Second, the Intelligence Community's findings on technology transfer risks — embedded in annual threat assessments — have translated directly into CFIUS priority sectors. Third, FIRRMA's expansion to non-controlling investments closed a gap that allowed minority stakes, which did not trigger traditional full-acquisition review, to confer access to sensitive technology or data.
The causal chain within a review runs from transaction structure → ownership and control analysis → sector sensitivity assessment → threat and vulnerability analysis → risk determination. A transaction presenting a foreign state-owned enterprise acquiring a company with classified contracts, for example, will almost certainly proceed to investigation and likely result in mitigation conditions or a block recommendation, because all three risk factors (threat, vulnerability, and consequence) align.
The CFIUS Annual Report to Congress publishes aggregate data on filings, investigations, and presidential referrals. In the report covering calendar year 2022, CFIUS received 286 notices and declarations, a figure that illustrates the workload generated by FIRRMA's expanded jurisdiction.
Classification boundaries
CFIUS jurisdiction turns on precise definitional thresholds established in the implementing regulations. Not every foreign investment in a U.S. company qualifies as a "covered transaction."
Control is the central concept. Control means the power, direct or indirect, to determine, direct, or decide important matters affecting a U.S. business. Control is not synonymous with majority ownership — a 10 percent stake with board representation and veto rights over key decisions may constitute control, while a 51 percent passive financial stake may not.
TID U.S. businesses define the non-controlling investment perimeter. A business qualifies as a TID U.S. business if it: produces, designs, tests, or develops critical technology; owns, operates, or supplies critical infrastructure across 28 identified subsectors (including telecommunications, energy, water, transportation, and financial services); or maintains or collects sensitive personal data on 1 million or more U.S. persons (31 C.F.R. § 800.248).
Excepted investors from allied nations — currently Australia, Canada, and the United Kingdom — receive an exemption from the TID non-controlling investment rules (though not from control-based reviews) under 31 C.F.R. § 800.219. This three-country list reflects a finding that those governments maintain adequate processes for reviewing foreign investment for national security purposes.
Greenfield investments — where a foreign entity builds a new U.S. operation from scratch rather than acquiring an existing business — generally fall outside CFIUS jurisdiction because no U.S. business is being "acquired."
Tradeoffs and tensions
CFIUS embodies a structural tension between two legitimate federal interests: national security protection and the United States' longstanding policy of openness to foreign direct investment. The U.S. has historically ranked as the world's largest recipient of inward FDI; overly expansive CFIUS review risks signaling hostility to foreign capital, raising the cost of capital for U.S. companies that rely on foreign equity financing.
A second tension runs between process transparency and review effectiveness. Because CFIUS deliberations are classified and outcomes are rarely explained publicly, transaction parties — particularly smaller companies — operate with limited visibility into what makes a deal approvable. This asymmetry can disadvantage non-U.S. acquirers who lack Washington legal infrastructure.
A third tension is jurisdictional reach versus domestic policy neutrality. CFIUS's expanded authority over sensitive personal data has generated debate about whether the committee is effectively becoming a data governance body, addressing concerns (foreign access to health, financial, or biometric data of U.S. persons) that arguably overlap with Federal Trade Commission authorities or sector-specific privacy statutes.
The treatment of foreign investment and CFIUS review also intersects with the broader architecture of Treasury's international engagement functions, creating potential for diplomatic friction when allies' investments are subjected to the same review intensity as adversary-state transactions.
Common misconceptions
Misconception: CFIUS can block any foreign investment.
Correction: CFIUS jurisdiction requires a "covered transaction" as defined in statute. Greenfield investments, purely debt transactions with no equity rights, and investments by excepted investors in non-control TID transactions fall outside CFIUS authority entirely.
Misconception: A mandatory declaration substitutes for a full notice.
Correction: A mandatory declaration is a short-form filing, but CFIUS may respond to a declaration by requesting that parties file a full notice. Completion of a declaration does not provide the same "safe harbor" against future CFIUS action that completion of a full notice provides.
Misconception: CFIUS approval means regulatory approval.
Correction: CFIUS clearance addresses only national security. It does not constitute antitrust clearance (which resides with the Department of Justice and the Federal Trade Commission), sector-specific regulatory approval (e.g., FCC licenses, NRC approvals), or state-level approval requirements.
Misconception: CFIUS is a Treasury bureau.
Correction: CFIUS is an interagency committee. Treasury chairs it and houses the CFIUS Staff Chairperson's office, but no single agency holds autonomous authority. Decisions require committee consensus or presidential action. The full scope of Treasury's coordinating functions is detailed on the Treasury Authority home page.
Misconception: Only Chinese acquirers face CFIUS risk.
Correction: CFIUS reviews transactions from all foreign acquirers. The excepted investor exemption for Australia, Canada, and the United Kingdom is narrow and applies only to non-controlling TID investments. Control transactions from any country, including treaty allies, remain reviewable.
Checklist or steps (non-advisory)
The following describes the sequence of determinations and procedural steps in a standard CFIUS process under 31 C.F.R. Part 800:
- Jurisdiction analysis — Determine whether the transaction involves a U.S. business and whether the acquirer is a "foreign person" as defined in § 800.224.
- Control or TID assessment — Determine whether the transaction conveys control, or whether the target qualifies as a TID U.S. business subject to non-controlling investment rules.
- Mandatory filing determination — Evaluate whether the transaction triggers a mandatory declaration under § 800.401 (critical technology or foreign government 25%+ interest).
- Filing type selection — Choose between a short-form declaration (§ 800.403) or a full voluntary notice (§ 800.501); parties may also elect a full notice voluntarily.
- Submission to CFIUS — File through the CFIUS e-filing system with required documentation including organizational charts, transaction agreements, and business descriptions.
- 45-day initial review — CFIUS reviews for national security risk; may clear, enter mitigation, or open investigation.
- 45-day investigation (if opened) — Additional scrutiny; committee may negotiate mitigation measures (NSA) or refer to the President.
- Presidential action window — 15-day period for presidential decision after committee referral.
- Mitigation monitoring — If an NSA is executed, ongoing compliance monitoring by the relevant lead agency.
Reference table or matrix
| Phase | Statutory Timeframe | Trigger | Possible Outcome |
|---|---|---|---|
| Initial Review | 45 days | Accepted notice or declaration | Clearance, mitigation, or investigation |
| Investigation | 45 days | Unresolved national security concern | Clearance, NSA, or presidential referral |
| Presidential Action | 15 days | Committee referral | Clearance, conditions, or block order |
| Declaration Review | 30 days | Mandatory or voluntary declaration | Clearance, request for full notice, or referral to review |
| Transaction Type | Mandatory Filing? | Control Required? | Excepted Investor Exemption Available? |
|---|---|---|---|
| Full acquisition (non-TID) | No (voluntary) | Yes | No |
| Full acquisition (TID) | Conditional (foreign gov. 25%+) | Yes | No |
| Non-controlling TID investment | Conditional (critical tech) | No | Yes (AU, CA, UK) |
| Real estate near military installation | Conditional | No | No |
| Greenfield investment | Not applicable | Not applicable | Not applicable |
| Filing Type | Max Review Period | Safe Harbor on Completion? | Typical Page Length |
|---|---|---|---|
| Short-form declaration | 30 days | No | ~5–10 pages |
| Full voluntary notice | 105 days (all phases) | Yes | 50–200+ pages |