
Vendor and Investment Due Diligence Under EO 14117: Practical Compliance Frameworks

How to conduct vendor due diligence and investment screening to identify and remediate data flows restricted by Executive Order 14117.

Regulation: Executive Order 14117
Max Penalty: Criminal and civil penalties under IEEPA
Enforcing Authority: Department of Justice (DOJ)
Official Source: www.justice.gov

Executive Summary

  • Executive Order 14117 mandates due diligence for foreign investments and vendor relationships.
  • Compliance is essential to avoid severe penalties under IEEPA.
  • Organizations must implement risk assessments and ongoing monitoring.
  • Building a defensible compliance program involves structured steps and stakeholder engagement.
  • Leveraging technology can streamline compliance efforts and enhance due diligence processes.

Executive Order 14117 establishes a framework for the United States to assess and mitigate risks associated with foreign investments and vendor relationships that may pose threats to national security. This guide provides a comprehensive overview of the compliance landscape under EO 14117, detailing the core requirements, penalties for non-compliance, and practical steps organizations can take to build an effective compliance program.


What Is Executive Order 14117?

Executive Order 14117, signed in 2022, aims to safeguard U.S. national security by scrutinizing foreign investments and vendor relationships that may introduce risks to critical supply chains and technological infrastructure. It empowers the federal government to review and potentially block transactions that could harm national interests. The order emphasizes the need for due diligence in vendor selection and investment processes, particularly when dealing with entities from nations deemed threats.

The EO is part of a broader strategy to enhance the resilience of the U.S. economy and protect sensitive technologies from foreign adversaries. It aligns with existing frameworks such as the Committee on Foreign Investment in the United States (CFIUS) and export controls under the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). Organizations must be aware of the interplay between these regulations to ensure comprehensive compliance.

Who Must Comply

Organizations that engage in transactions involving foreign entities, particularly those that could impact national security, must comply with EO 14117. This includes U.S. companies that are considering investments in foreign firms, as well as foreign companies seeking to establish a presence in the U.S. market. The scope of compliance extends to various sectors, including technology, telecommunications, and critical infrastructure.

Additionally, any organization that partners with vendors or suppliers from foreign nations must conduct thorough due diligence to assess potential risks. This requirement is particularly pertinent for businesses in sensitive industries, where foreign influence could compromise operational integrity or data security. Compliance is not optional; failure to adhere to EO 14117 can result in significant penalties.

Core Compliance Requirements

Risk assessment. Organizations must conduct a comprehensive risk assessment to identify potential threats posed by foreign investments and vendor relationships. This assessment should evaluate the nature of the foreign entity, its ownership structure, and any affiliations with foreign governments or military organizations.

Due diligence procedures. Establishing robust due diligence procedures is essential for compliance. Organizations should implement thorough vetting processes for vendors and investment opportunities, including background checks, financial assessments, and evaluations of the foreign entity’s compliance with U.S. laws and regulations.

Ongoing monitoring. Compliance does not end with initial due diligence; organizations must also establish mechanisms for ongoing monitoring of foreign relationships. This includes regular reviews of vendor performance, changes in ownership or control, and any geopolitical developments that may affect the risk profile of the foreign entity.

Reporting obligations. Organizations must be aware of their reporting obligations under EO 14117. This includes notifying the Department of Justice of any transactions that may raise national security concerns. Timely reporting is critical to ensure that the government can assess potential risks and take appropriate action.

Penalties and Enforcement

The enforcement of EO 14117 falls under the jurisdiction of the Department of Justice, which has the authority to impose both criminal and civil penalties for violations. Penalties can be severe, including substantial fines and potential imprisonment for individuals involved in non-compliant transactions. The maximum penalties are outlined under the International Emergency Economic Powers Act (IEEPA), which provides the government with broad powers to regulate economic transactions that threaten national security.

In addition to financial penalties, organizations may face reputational damage and loss of business opportunities as a result of non-compliance. The DOJ may also seek to block transactions or impose restrictions on future dealings with foreign entities, further complicating an organization’s operational landscape. Therefore, it is imperative for organizations to take compliance seriously and implement robust frameworks to mitigate risks.

Building a Defensible Compliance Program

To effectively navigate the complexities of EO 14117, organizations should build a defensible compliance program. The following steps outline a structured approach to establishing such a program:

  1. Assess current compliance posture and identify gaps.

  2. Develop a comprehensive risk assessment framework tailored to foreign investments and vendor relationships.

  3. Implement due diligence procedures that include vendor vetting and background checks.

  4. Establish ongoing monitoring mechanisms for foreign relationships.

  5. Train employees on compliance obligations and the importance of due diligence.

  6. Create reporting protocols for transactions that may raise national security concerns.

  7. Regularly review and update compliance policies to reflect changes in regulations and risk environments.

  8. Engage legal counsel or compliance experts to ensure adherence to EO 14117 and related frameworks.

Practical Implementation Priorities

Establish a compliance team. Organizations should designate a compliance team responsible for overseeing adherence to EO 14117. This team should include representatives from legal, compliance, and operational departments to ensure a holistic approach to risk management.

Integrate with existing frameworks. It is crucial to align the compliance program with other regulatory frameworks, such as CFIUS and ITAR/EAR. This integration helps streamline compliance efforts and reduces the risk of duplicated efforts across different regulations.

Leverage technology. Utilizing technology solutions can enhance due diligence processes and ongoing monitoring capabilities. Automated tools can assist in tracking vendor performance, identifying potential risks, and ensuring compliance with reporting obligations.

Engage stakeholders. Organizations should engage key stakeholders, including senior management and board members, in compliance discussions. This engagement fosters a culture of compliance and ensures that resources are allocated appropriately to address potential risks.

Run a Free Privacy Scan

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against Executive Order 14117 requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under Executive Order 14117 and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: CFIUS, ITAR/EAR. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.

