Hundreds of legacy CFIUS mitigation agreements still linger. New rules now offer investors a rare chance to amend or terminate outdated national security obligations.
In brief
The Committee on Foreign Investment in the United States (CFIUS) has accumulated hundreds of long-running national security agreements (NSAs) imposed as conditions for transaction approvals. Many of these agreements now persist long after their original purpose has faded. These “zombie NSAs” impose unnecessary compliance costs on investors and stretch government monitoring capacity. Originally designed as targeted tools to manage specific national security risks, they have multiplied over time. With new US regulatory authorities now addressing many of the same risks, investors have a rare window to engage with CFIUS Monitoring Agencies (CMAs) to amend or terminate outdated obligations.
A bigger hammer: The proliferation of CFIUS mitigation agreements
The surge of Chinese investment in the US beginning around 2013 – peaking in 2016 and collapsing soon after – both spiked CFIUS’s workload and reshaped its worldview. The government’s primary response was the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which expanded the Committee’s authority, staffing and enforcement capacity.
By 2020-21, however, Chinese FDI in the US had largely dried up – yet the Committee’s expanded toolkit remained. Its attention shifted to third-party or indirect China risk, resulting in a paradox: between 2021 and 2023, the number of unique Chinese filings decreased, but the percentage of cases cleared with mitigation increased from 10% to 15%. By the end of 2024, CFIUS was monitoring 242 mitigation agreements (including a small number linked to voluntary abandonments and divestments), up from 166 in 2020.
CFIUS has generally operated on the view that Chinese parties cannot be relied upon to comply with mitigation obligations, meaning that most active CFIUS mitigation agreements are with investors from the United States’ longstanding partners and allies.
The costs of inertia: Investors and CFIUS under strain
Zombie NSAs impose a double burden. For investors, they add recurring compliance costs – reporting, audits, access controls, segregation measures and operational pre-clearances. For government, they consume finite monitoring resources.
Reflecting a policy shift toward stricter oversight, CMA site visits rose from 29 in 2021 to 79 in 2024, covering roughly 32% of active agreements (based on the number in place at the start of each year), compared to 17% in 2021. With bipartisan support for stronger monitoring and enforcement by the two most recent Assistant Secretaries of the Treasury, the Committee now faces a practical question: how best to direct its limited capacity toward agreements that actually mitigate risk. Terminating or consolidating outdated NSAs aligns investor and government interests – improving both efficiency and focus.
Reckoning with the mitigation boom: Why the time to act is now
CFIUS’s latest annual data suggests it has begun pruning legacy NSAs. 2024 marked the first year since CFIUS began reporting such data that the total number of active mitigation agreements fell – to 242 from 246 in 2023 – and the year with the most terminations on record (25, or 10% of the total, based on agreements in place at the start of the year).
Several factors have emerged that provide grounds not only for CFIUS to impose mitigation less frequently, but also for CFIUS and parties to existing agreements to consider whether some agreements can be terminated.
Presidential direction
The White House has signaled broad support for fewer long-term NSAs and more effective enforcement of those that remain. President Trump’s America First Investment Policy directs agencies to “cease the use of overly bureaucratic, complex and open-ended ‘mitigation’ agreements” and favor concrete time-bound measures. Although originally framed around Chinese investors, this logic applies more widely: perpetual behavioral NSAs are disfavored where finite steps or other authorities can address the risk.
New government authorities
CFIUS was conceived as a regulator of last resort – intervening only when other agencies lacked jurisdiction or capability. Over time, new authorities have emerged that now cover many risks historically addressed through mitigation. These include:
- Department of Justice’s (DOJ) Data Security Program (DSP): Implementing Executive Order 14117, the DSP prohibits or restricts certain “bulk sensitive personal data” and government-related data transactions with countries of concern. Effective April 2025, these rules give DOJ a direct mechanism to manage cross-border data risks once handled through CFIUS mitigation.
- Team Telecom modernization: In August 2024, the Federal Communications Commission (FCC) issued rules regarding standardized national security and law enforcement questions for telecommunications applications. The formalization of the Team Telecom process and its new certification regime reduces the need for overlapping CFIUS mitigation in telecom deals.
- Commerce’s ICTS Supply Chain rule: Redesignated at 15 C.F.R. Part 791, this rule authorizes the Commerce Department to restrict ICTS transactions involving foreign-adversary-linked suppliers posing undue risk. The Department’s new Office of Information and Communications Technology and Services now reviews these transactions directly, addressing risks – such as use of Huawei equipment – once handled through CFIUS vendor controls.
- Expanded export controls: Commerce’s September 2024 interim final rule, for example, added controls on quantum computing and other advanced technologies, tightening licensing and technology transfer requirements. These updates often replicate what legacy NSAs sought to achieve through access controls or network segregation.
Changing risk perceptions
While the Committee’s core risk framework remains largely stable, its enforcement intensity often reflects the policy priorities of individual agencies and political appointees. DOJ’s National Security Division (NSD), for instance, reported that in FY 2023-24 it co-led 21% of all mitigated CFIUS cases, compared with 8% the previous year – a dramatic shift in posture.
As leadership changes, so too can the appetite for mitigation. The departure of key officials may prompt agencies to reassess agreements that reflect personal rather than institutional risk judgments. This fluidity creates opportunities for investors to revisit legacy NSAs through dialogue grounded in evidence and timing.
Amending or terminating: substance before paperwork
Most NSAs contain a change-in-circumstances clause allowing amendment or termination when obligations are “no longer necessary” to address national security concerns. Success depends on demonstrating that the original risk has been mitigated through new regulation or has simply disappeared over time.
Before submitting a formal termination proposal, investors should prepare a concise memorandum mapping each NSA obligation to its original risk and showing how that risk is now addressed or the extent to which the assumptions behind the original risk assessment have not been borne out.
Tone is critical. Approach CMAs in good faith, with intellectual humility, and recognize they may have information you do not. Simply asserting that “the risk no longer exists” is unlikely to succeed. Instead, articulate how your proposal supports the Committee’s own goals – focusing its resources on higher-priority risks.
If full termination is not yet feasible, identify the most burdensome provisions and collaborate with the CMAs to propose targeted amendments that improve efficiency without undermining security. Treat the amendment process as part of a longer conversation that could lead to eventual termination, not a one-off request. Where CMAs are receptive, use successful amendment proposals as a foundation for a structured wind-down with measurable milestones.
Looking ahead
- CFIUS is actively reducing its portfolio of legacy NSAs, with a record number of terminations in 2024.
- New regulatory regimes, including DOJ’s Data Security Program and Commerce’s ICTS rule, now cover risks once handled by CFIUS mitigation.
- Investors should map each NSA obligation to current regulations and mitigating factors and prepare evidence-based proposals for amendment or termination.
- The opportunity to wind down zombie NSAs may be short-lived; early, well-reasoned engagement with CFIUS Monitoring Agencies is key.
With thanks to Freshfields’ Brian Reissaus and Colin Costello for their contributions to this update.