The Foreign Ownership, Control, or Influence (FOCI) Risk Assessment Guidance (the guidance) helps Australian organisations that are procuring technology products or services. It is intended for medium to large organisations, as well as mature small organisations.
The guidance contains a template to support contract managers to assess a vendor’s exposure to FOCI and the related security risks. This template should form part of an organisation’s broader procurement due diligence processes.
This gives organisations a repeatable methodology to identify, assess and manage risks from vendors operating in their supply chains.
Organisations can choose to implement the guidance into their existing due diligence processes in part or in whole. The guidance is voluntary and there are no regulatory or reporting requirements.
The application of the guidance processes should always be supplemented with organisational risk management arrangements. Broader supply chain risks should also be taken into consideration; these are described at Cyber Supply Chain Risk Management.
The assessment component of the guidance has two stages:
- Vendor review questionnaire – to determine if you need a FOCI risk assessment for a foreign vendor.
- FOCI risk assessment – using the research undertaken to answer the questionnaire, the full assessment will consider jurisdiction hazard against organisational exposure, FOCI activity risks and possible treatment options.
FOCI risk overview
Foreign Ownership, Control, or Influence (FOCI) risk is the ability for vendors to be directed by a foreign government either through:
- direct ownership channels
- domestic laws of the foreign jurisdiction, or
- outside influence.
Procuring technology vendors subject to FOCI increases your risk of exposure to undue influence or acts that can weaken your organisation’s security. It could also affect Australia’s national interests.
Examples of FOCI threats to your organisation include, but are not limited to:
- unauthorised access to or control of security technologies. This includes surveillance cameras, which can help threat actors identify targets for covert operations or compromise across government and industry
- unauthorised bulk data exfiltration and aggregation. This can give insights on business structures, finances, strategies, and exposure to risk that could be exploited or used for influence or interference
- theft of intellectual property. This harms Australian innovation, investment and market confidence
- sabotage, which can have significant impacts across all sectors of the economy and government security
- other activities that may conflict or interfere with the contracted or procured service.
Using the FOCI Risk Assessment Guidance
The Department of Home Affairs encourages organisations to consider FOCI risks as part of their broader risk management and due diligence processes. FOCI risk management can provide long-term benefits to organisational cyber and physical security. It can also prevent reputational damage and losses to commercial competitiveness.
You should refer to the guidance when you assess a technology product or service for procurement.
The vendor review questionnaire is a preliminary assessment tool that will help you check if you need a full FOCI risk assessment. The questionnaire takes approximately 60-90 minutes to complete. As you become familiar with the questions and resources, the questionnaire should take less time to complete.
A simple to follow and printable template of the vendor review questionnaire is available in the guidance. There is also a completed example.
The guidance also has a non-exhaustive list of publicly available resources to refer to when you complete the vendor review questionnaire.
The information you gather when conducting the risk assessment is a point-in-time assessment, which your organisation should review periodically.
Other considerations
The guidance does not provide an exhaustive list of security concerns associated with FOCI. Organisations should not rely on it alone for supply chain risk mitigation information, or to protect them from all potential acts of foreign interference, sabotage and espionage.
Organisations should always supplement the processes in this guidance with organisational risk management arrangements and broader supply chain risk considerations. You can find this information at Cyber Supply Chain Risk Management.
FOCI model clause bank for Australian Government entities
These model clauses aim to help Australian Government entities to manage and mitigate FOCI risks in procurement. They support a range of procurement activities, including:
- tendering
- contracting
- contract management.
The model clauses are optional. Entities should select and apply the clauses that are appropriate to the level of FOCI risk linked with a particular procurement activity.
Entities may use the clauses to embed practical safeguards into procurement arrangements, and to respond to changes in the supply chain over the life of a contract. The model clause bank complements the FOCI Risk Assessment Guidance.
Use of the model clauses supports supply chain security best practice. It may also help non‑corporate Commonwealth entities to meet their obligations under the Protective Security Policy Framework (PSPF).
The clauses are legally pre-drafted terms designed for use in procurement documents and contracts. It is not mandatory for buyers to use the clauses, but using them can simplify the process of completing a contract.
When using the clauses, buyers should:
- incorporate the clauses without changes to preserve their legal integrity
- get their own legal advice and follow any requirements and policies that apply to them (for example, the Accountable Authority Instructions or the Commonwealth Procurement Rules)
- not use the clauses as a contract template.
If you plan to make major changes to your contract, you should seek legal advice. This is so you do not impose unfair terms on sellers or compromise the Commonwealth's position.
You can download the FOCI model clause bank for Australian Government entities below. It is also available at the Digital Transformation Agency’s BuyICT ClauseBank.
Documents
The guidance and accompanying materials are in beta. We will update them to ensure they stay fit for purpose.
You can find descriptions of key terms found within the guidance in a glossary at the end of the guidance.
Feedback
We welcome your input on how we can improve the guidance. We will consider your suggestions for future updates to this page and relevant documents. You can submit feedback in writing, or through the feedback button below.