The U.S. government has made one thing clear: CFIUS oversight is here to stay — and it’s getting tougher. The Committee on Foreign Investment in the United States’ 2024 annual report highlights a sharp increase in enforcement, expanded jurisdiction, and an emphasis on monitoring and enforcement of program compliance. Civil penalties have already reached record levels, and organizations that fail to prepare risk costly delays, reputational harm, or even blocked transactions. Organizations that are adept at interpreting the regulatory landscape, and anticipating CFIUS' national security questions and concerns, will more successfully close deals, manage transaction obligations and operate with confidence in a complex and continually evolving environment.

Posted In:

Law360
August 27, 2025
Share

The 2024 annual report to Congress from the Committee on Foreign Investment in the United States, released earlier this month, confirmed that the U.S. government is taking a more assertive approach to foreign investment oversight.[1]

For companies, investors and law firms alike, the message is clear — CFIUS requires more than a spot-check review during the transaction process. CFIUS has an enduring regulatory regime with expanding jurisdiction, with an increasing capacity and appetite for enforcement actions.

For companies pursuing CFIUS approval, review of the committee’s 2024 activity is a timely opportunity to assess recurring themes, and strengthen compliance programs, internal controls and risk mitigation measures, thereby demonstrating a proactive commitment to national security obligations.

Failing to do so can jeopardize transactions or trigger costly delays, as CFIUS’ relevance and scrutiny are unlikely to diminish in the near or long term.

Enforcement Emerges

The most impactful takeaway from the report is its emphasis on enforcement. The report highlights several key committee actions that clearly illustrate this 2024 strategic priority.

From imposing record civil penalties to enhancing internal capabilities, and introducing new tools and processes, in 2024 CFIUS demonstrated that monitoring and enforcement of program compliance were priorities.

For example, the Treasury introduced a public-facing webpage dedicated to enforcement, providing a behind-the-curtain peek at an agency that typically operated outside the public view. The Treasury’s Aug. 14, 2024, press release noted that CFIUS issued more than three times the penalties in 2023 and 2024 than it previously issued in its nearly 50-year history.[2]

Further, the Treasury reaffirmed its commitment to compliance monitoring and oversight post-closing with updated guidance in November 2024,[3] which emphasizes these areas as mitigation priorities.[4]

It also introduced new timelines for parties responding to mitigation proposals, extended penalty reconsideration procedures, and enhanced CFIUS’ compliance and monitoring tools to better safeguard U.S. national security.

These commitments underscore a shift in the committee’s posture, placing emphasis not simply on reviewing review transactions, but on holding transaction parties accountable beyond the deal’s closing date. The penalties issued by CFIUS in 2024 demonstrate its ability to leverage its new teeth.

Companies subject to mitigation agreements should take their national security agreement obligations just as seriously as they do other major compliance requirements by using strong, well-developed internal controls to meet them.

To begin, organizations should consider the following steps a baseline.

Conduct a thorough self-assessment of the organization’s national security posture. Start by evaluating the organization’s overall national security risk profile by reviewing its data practices, cybersecurity protocols, and compliance with export controls, sanctions and anti-bribery laws.

Conduct comprehensive due diligence and relationship mapping. Map and scrutinize the organization’s critical relationships, such as those with foreign investors, customers, partners and supply chains, to identify potential hidden connections — e.g., with funding sources or indirect links to higher-risk entities.

Align a national security strategy with the organization’s business strategy.[5] Ensure the business strategy not only accommodates but actively incorporates national security considerations. Acknowledge that strategies focused solely on closing a deal may conflict with long-term security objectives.

Anticipate and prepare for CFIUS-driven mitigation. Understand potential mitigation requirements — like data segregation, cybersecurity upgrades and operational separation — and proactively plan to mitigate business disruptions. Mitigation obligations may significantly affect operations, cost structures and integration plans.

Civil penalties have risen year after year, growing from a total of two civil penalties between 1975 and 2022, to seven publicly disclosed penalties in 2023 and 2024 alone.

Noncompliance with CFIUS’ terms, or a failure to appropriately file or notify may have significant reputational and financial consequences.

Real Estate Jurisdiction

Another significant trend in 2024 was CFIUS’ jurisdictional expansion in real estate transactions.

In July 2024, the Treasury proposed expanding covered real estate zones around military bases, broadening the scope of transactions near military facilities and critical infrastructure that would be subject to review. This marked a notable shift in how real estate considerations subject to CFIUS oversight are treated.

Looking ahead, these enhanced rules could carry increased penalties and more complex compliance obligations. While national security concerns in relation to real estate have historically received less attention than those tied to technology or data, this focus has expanded steadily in recent years.

New real estate provisions released in November 2024 demonstrated a maturing view of the way in which geography may be considered, particularly with regard to access and proximity to sensitive facilities, including national infrastructure.

This was illustrated by President Joe Biden’s May 13, 2024, executive order requiring MineOne Partners Ltd. to sell property being used as a cryptocurrency mining facility because it was located within one mile of a strategic military installation.

America First

The committee’s ongoing evolution may be tied to recent White House policy initiatives. The current administration’s “America First” posture, and more specifically the “America First” investment policy announced in February, has likely influenced the committee’s direction.

It is likely that it will encourage continued emphasis on using CFIUS as a mechanism to protect U.S. technological leadership, data sovereignty and critical supply chains.[6]

This trend is particularly evident in the committee’s focus on artificial intelligence, quantum computing, biotechnology and personal data.

Within the category of critical technology transactions, five countries led the way for notices and declarations for fiscal year 2024: Japan (24), France (20), China (16), Germany (14) and the United Arab Emirates (14).

Moving Forward

To further the priorities outlined and acted on in the committee’s 2024 report, in May, CFIUS introduced a pilot program intended to improve the review process for certain trusted participants.

If successful, the known investor program will result in more efficient and expedited reviews for trusted foreign investors. Those with established and proven records of compliance may benefit from fewer procedural requirements and faster processing.

Insights from the 2024 CFIUS annual report, along with committee priorities announced throughout 2024 and into 2025, highlight patterns in jurisdictional reach, enforcement priorities and mitigation expectations that should inform decisions about whether to participate.

Moreover, the committee’s jurisdiction and enforcement powers may continue to expand and be exercised, with implications for cross-border investment transactions.

Companies should be prepared to engage early. CFIUS considerations should be incorporated in early diligence and deal structuring rather than as a legal formality or closing condition.

Compliance risk is an ongoing obligation. Mitigation agreements often require continued monitoring, third-party audits, and changes to companies’ existing governance and operations.

By becoming more transparent as it increases enforcement efforts, CFIUS has heightened organizations’ reputational risks. Failure to anticipate, account for or appropriately satisfy CFIUS concerns may degrade shareholder confidence, regulatory relationships and public trust.

Alternatively, doing things the right way may yield positive benefits. For example, as time passes transaction parties sometimes wish to revisit their agreements to renegotiate terms or scope. Approaching the committee with a proven track record of cooperation and successful compliance can go a long way in such a pursuit.

Likewise, being approved for participation in the known investor program may enable faster, more efficient and thus cheaper submission and approval processes for any future filing needs.

Conclusion

The U.S. remains open to foreign investment — but under the influence of the “America First” policy and CFIUS’ strategic priorities, investment opportunities will continue to be conditioned on national security interests.

As the 2024 annual report helps illustrate, CFIUS continues to grow in capability and confidence, as it expands its authority and flexes its enforcement muscles, while also refining its tools and processes to function more effectively.

Those subject to this regime must mature beyond reactive compliance and enact a proactive preparedness to include CFIUS in broader risk and governance frameworks.

Those adept at interpreting the regulatory landscape, and anticipating CFIUS’ national security questions and concerns, will more successfully close deals, manage transaction obligations and operate with confidence in a complex and continually evolving environment.

Nathan Fisher helps organizations and counsel with CFIUS related issues. If you have any questions or would like to discuss this topic please reach out them directly.

This article originally appeared in Law360.

To receive StoneTurn Insights, sign up for our newsletter.

[1] U.S. Treasury Department, accessed 8 August 2025. https://home.treasury.gov/system/files/206/2024-CFIUS-Annual-Report.pdf.

[2] U.S. Treasury Department, Treasury Unveils New CFIUS Enforcement Website to Provide Further Clarity and Transparency Regarding CFIUS Penalties and Other Enforcement Actions, accessed 12 August 2025. https://home.treasury.gov/news/press-releases/jy2537.

[3] Federal Register, 26 November 2024, accessed 12 August 2025. https://www.federalregister.gov/documents/2024/11/26/2024-27310/penalty-provisions-provision-of-information-negotiation-of-mitigation-agreements-and-other.

[4] Library of Congress, 29 May 2025, accessed 12 August 2025. https://www.congress.gov/crs-product/IF10177.

[5] Scott Boylan, StoneTurn, 5 June 2024. https://stoneturn.com/insight/the-importance-of-having-a-national-security-strategy/.

[6] The White House: America First Investment Policy, 21 February 2025, accessed 12 August 2025. https://www.whitehouse.gov/presidential-actions/2025/02/america-first-investment-policy/.

 

Meet the Author

StoneTurn Cybersecurity Managing Director Nathan (Nate) Fischer

Nathan D. Fisher

Managing Director
Share

About the Authors

StoneTurn Cybersecurity Managing Director Nathan (Nate) Fischer

Nathan D. Fisher

Nathan Fisher, a Managing Director with StoneTurn, brings over a decade of experience investigating national security threats to the U.S. government. As a Special Agent with the Federal Bureau of […]

Read Bio
Read Bio

Tags

Compliance, Remediation and Monitoring
National Security and CFIUS Compliance

Related Insights