CFIUS After the Fact: What Happens When Defense Startups Skip the Review

S. Vance / 4 min read

Most founders treat CFIUS like a tax audit: something that happens to other people, probably fine to ignore, definitely someone else's problem. Then the letter arrives.

The Committee on Foreign Investment in the United States has expanded its reach dramatically since the 2018 FIRRMA legislation. What used to be a relatively narrow review process focused on outright acquisitions now covers minority investments, certain real estate transactions, and any foreign involvement in companies working with critical technologies, critical infrastructure, or sensitive personal data. Defense tech startups sit squarely in those crosshairs, and many of them have no idea.

The consequences of skipping voluntary review aren't theoretical. They're operational and they're painful.

What "Mitigation" Actually Looks Like

When CFIUS catches an uncovered transaction, either through mandatory filing triggers or a post-close referral, the Committee can force divestiture, impose mitigation agreements, or both. Mitigation agreements are particularly brutal for early-stage companies.

A typical national security agreement (NSA) might require:

  • A government security committee with veto power over hiring decisions
  • Restrictions on which employees can access certain parts of the product
  • Mandatory third-party audits, often annually
  • Physical security requirements at facilities
  • Limits on foreign national participation in R&D

For a 40-person startup, that's not compliance overhead. That's an organizational redesign.

Divestiture orders are rarer, but they do happen. In 2020, the Treasury Department ordered the Chinese owners of gay dating app Grindr to sell their stake. Grindr is not exactly a defense contractor, but the data sensitivity logic translates directly to companies holding location data, biometrics, or any information touching government personnel.

The Voluntary Filing Trap

Here's where founders get confused: CFIUS review is voluntary for most transactions. So many investors and founders skip it, reasoning that no filing means no risk. That logic is exactly backward.

Voluntary filing creates a safe harbor. CFIUS has a four-year lookback window on transactions that were never filed. That means a deal closed in 2022 with a foreign limited partner, even a passive one from an allied nation, can become a live CFIUS issue in 2026 if someone flags it.

Some transactions trigger mandatory filing requirements: TID U.S. businesses (technology, infrastructure, data) with certain foreign investor profiles must file. Penalties for missing mandatory filings run up to the full transaction value. Miss a $5M filing requirement on a $30M round and the math gets ugly fast.

graph TD
    A[Foreign Investment Proposed] --> B{Mandatory Filing Triggered?}
    B -->|Yes| C[File Declaration or Full Notice]
    B -->|No| D{TID Business + Foreign Government Nexus?}
    D -->|Yes| E[Strong Voluntary Filing Case]
    D -->|No| F{Sensitive Data or Proximity to Gov Facilities?}
    F -->|Yes| E
    F -->|No| G[Document Risk Analysis]
    C --> H((CFIUS Review))
    E --> H

The LP Problem Nobody Talks About

Venture funds with defense tech portfolios have a compounding problem. A fund-of-funds structure with a sovereign wealth fund LP, even one from an allied nation like Singapore or Norway, can create CFIUS exposure for every portfolio company that qualifies as a TID business. The portfolio company didn't choose that investor. The portfolio company may not even know about it. But the exposure is real.

Sophisticated defense-focused funds are now conducting LP diligence specifically for this reason. The question isn't just "where does this capital come from?" but "what does this LP's participation mean for our ability to invest in regulated sectors?"

Founders taking institutional venture money should be asking these questions directly. Not accusatorially, but practically: does your LP base create CFIUS complications for companies in our space? A fund that can't answer that question cleanly is a fund that may create problems downstream.

The Proactive Play

The right move, especially for companies working in autonomous systems, sensing, communications, or anything with a plausible defense application, is to run CFIUS analysis before closing any round with foreign participation, not after. That includes indirect foreign exposure through fund structures.

Early voluntary filings take 30 days for a declaration, up to 45 for a full notice. That's friction, but it's manageable friction. The alternative is a retroactive review with a CFIUS staff that has more leverage and less goodwill.

Some founders treat the CFIUS process as a signal problem, a way of telling the government they're building something worth paying attention to. That framing isn't wrong. Done right, a clean CFIUS filing is a credibility marker, not a burden.

The startups that will scale in defense tech are the ones building compliance into their investor relations process from day one, not the ones discovering it during due diligence for a Series B.
