CFIUS & National Security Rules for Startup Real Estate: Leases, Purchases & JV Playbook
This guide is for startup founders, in-house counsel, deal teams, and brokers working with venture-backed companies — especially those with foreign investors, foreign strategic partners, or cross-border operations. Commercial real estate is no longer “just a facilities issue”: location, access rights, and who can see or control sensitive operations can become a national-security diligence item that shows up in financings, government customer onboarding, and landlord/lender questionnaires. Missteps can stall a lease or purchase, trigger uncomfortable scrutiny, or force a restructure after you’ve already moved in. What follows is a practical, checklist-driven playbook to help you diligence, structure, and document deals in a way that’s easier to defend later.
Scope note: This is operational guidance, not a prediction of outcomes. CFIUS determinations are fact-specific, and export controls, data-security, and sector rules may apply independently of any CFIUS analysis.
Quick “Red-Flag Scan”
- Any foreign investors/LPs with governance rights (board seat, vetoes, special approvals)?
- Is the site near sensitive government, military, or critical infrastructure locations?
- Does the lease/purchase grant meaningful access or exclusion rights, long terms, or broad renewals?
- Will you run on-site compute/telecom, satellite/space work, robotics, advanced manufacturing, or large-scale data processing?
- Does a JV/management agreement give a foreign person operational control or information access?
- Do tenants/subtenants include foreign-owned entities or opaque beneficial ownership?
- Is the landlord foreign-owned or financed by foreign lenders?
- Do data flows go to/from foreign affiliates or vendors?
Mini-example: A deep-tech startup signs what looks like a standard lease near a sensitive facility. During later financing diligence, investors flag potential CFIUS/location risk, and the company must renegotiate access rights and term provisions under deadline pressure.
Understand the New Risk Map: How CFIUS + Executive Actions Touch Commercial Real Estate
CFIUS (the Committee on Foreign Investment in the United States) is the U.S. interagency national-security review process for certain foreign investment transactions. Startups run into CFIUS not only in financings and M&A, but also in real estate deals when a lease, purchase, or concession could give a foreign person meaningful rights at a sensitive location.
The real estate angle (plain English): CFIUS jurisdiction can be triggered even without buying a U.S. business. Under CFIUS’s real-estate rules (31 C.F.R. Part 802), a lease can matter if it grants rights like physical access or the ability to exclude others, develop/improve the property, or install fixed structures — especially when the property is near certain military installations or within/near covered ports. That is why “term sheet-level” lease provisions (term/renewals, exclusive areas, rooftop/antenna rights, IT rooms, after-hours access) are now diligence items, not just business points.
Why expectations are rising: recent national-security executive actions and enforcement trends have increased scrutiny around sensitive technology, cross-border data access, and supply-chain/ICTS exposure. Practically, that means CRE diligence increasingly overlaps with investor diligence, KYC/beneficial ownership visibility, and site-specific data/security controls.
What changes for startups: expect more certifications and transparency requests from VCs, lenders, landlords, and prime contractors — and more “regulatory cooperation” conditions in deals. Related reading: PADFA implications and BOI reporting under the Corporate Transparency Act.
Example: a VC requires a short CFIUS/CRE risk memo before closing because the startup’s facility location plus foreign LP exposure creates diligence questions that must be answered on a tight timeline.
Build a CFIUS-Ready CRE Due Diligence File (Lease or Purchase)
The goal is simple: when an investor, lender, or government-facing customer asks “walk me through the location and who has access,” you can respond with a consistent, document-backed packet. Use this copy/paste checklist to build a repeatable diligence file.
- Property + location: address, parcel/APN, site plan, and a geospatial/proximity check for sensitive sites. Document your methodology (tool used, date run, screenshots/exports).
- Deal rights inventory (often missed): list any access areas and exclusion rights, signage rights, rooftop/antenna rights, utility/control rooms, security system control, and after-hours access/escort rules.
- Business use + operations mapping: what happens on-site (R&D, testing, manufacturing, data processing) and what gets deployed (servers, lab gear, drones/robotics, satellite/telecom equipment).
- Data + network architecture tied to the site: where data is stored/processed, cross-border access, and vendors with remote access (including building systems/network closets).
- Parties + money: landlord ownership chain, property manager, key contractors; lender/mortgagee (if relevant) and any foreign-capital indicators.
- Documentation output: a 1–2 page “national-security diligence memo” summarizing facts, red flags, and mitigations/contract asks.
Example: a SaaS startup discovers the landlord is controlled by a foreign holding company during financing diligence. They add ownership certifications, disclosure/update covenants, and a termination right if required mitigations become impossible.
Related reading for deal mechanics: purchase and sales agreements and the due diligence clause; lease agreements and real estate sales agreements for startups.
Structure Leases to Reduce Foreign-Investment and National-Security Friction
Lease structure is where “CFIUS risk” becomes operational: the more the lease looks like long-term control over sensitive space, systems, or access, the harder it is to answer diligence questions later. Aim for flexibility, documented security controls, and clean change-of-control mechanics.
- Term/renewals: avoid stacking long terms plus automatic renewals while risk is still unknown; consider shorter initial terms with clearly negotiated renewal conditions.
- Use clause: define permitted use and require consent for sensitive activities (e.g., high-security R&D, advanced manufacturing, large-scale data processing) so the landlord isn’t surprised — and you can show governance over risk changes.
- Access/control rights: limit exclusive control over high-sensitivity areas (network closets, roofs, utility/control rooms). Implement badge/escort rules and visitor logs in the lease or an incorporated security policy.
- Assignment/sublease/change of control: require notice/consent and add beneficial ownership disclosure for assignees/subtenants to prevent “unknown” foreign persons gaining access.
- Regulatory cooperation: include cooperation language for lawful inquiries and carefully drafted certifications about foreign-person control where appropriate.
- Conditions + exits: negotiate conditions tied to financing/CFIUS-risk clearance and a termination right if required mitigation becomes impracticable.
Mini sample clause building blocks (not a full template)
- Beneficial ownership disclosure upon request
- Restricted-access areas and security policy compliance
- No remote access by non-approved vendors to building systems/network closets
Example: a robotics startup negotiates a secure lab carve-out: escorted access, no rooftop rights, and explicit sublease/assignment controls — reducing diligence friction without killing the deal.
Structure Purchases and Development Deals (and Their Financing) With CFIUS in Mind
Purchases and build-to-suit/development projects can concentrate national-security risk because they combine long-duration control, physical build-out decisions, and financing parties who ask hard questions late in the process. Treat CFIUS-style diligence as a front-end workstream.
- Purchase diligence add-ons: review title and encumbrances that affect access/control (easements, shared facilities agreements, rights-of-way, reciprocal access agreements). These can create third-party physical access that undermines your “restricted area” story.
- Development + supply chain: vet GC/subcontractor ownership and key equipment procurement (building systems, networking, security, specialized manufacturing equipment). Foreign-owned contractors or remote-maintenance vendors can become a diligence flashpoint.
- Entity structuring: consider PropCo/OpCo separation and, where feasible, limit foreign-person governance rights in the property-owning entity — especially if the site is sensitive.
- Governance/negative controls: avoid investor vetoes or board rights that look like operational control over security, access, IT, or vendor selection.
- Financing coordination: expect lender “foreign investor” questionnaires and location-based risk questions; align your answers across lender, investor, and landlord/seller diligence.
Contract protections: add closing conditions tied to required consents/clearances, a cooperation covenant for any voluntary government engagement, and a negotiated allocation of cost/risk if mitigation measures are required.
Example: an advanced manufacturing startup acquires a facility using a PropCo with restricted investor rights; lender approval follows once governance limits and access controls are clearly documented.
JV and Partnership Arrangements: Stop CFIUS Risk Before It Becomes a Control Problem
Startups often add partners to solve real-estate constraints — capital for a PropCo, a strategic partner to build/operate specialized space, or a campus/university arrangement with shared infrastructure. These structures can create CFIUS-style issues because they expand who controls the site and who can access sensitive information, even if the partner’s intent is purely commercial.
Common JV patterns: foreign capital in a real-estate holding JV; a strategic partner JV for build-out/operations/shared facilities; and university/lab/industrial campus partnerships with shared security, utilities, or network infrastructure.
- Risk drivers (translate to deal terms): governance rights (board seats, vetoes, observer rights) can create “control” or information access; operational decision rights over security/access/IT/vendor selection can be as sensitive as equity control; and shared facilities can create proximity and physical-access concerns.
- Mitigation-by-design:
  - Governance: limit observer access to sensitive information, create a security committee, and carve sensitive decisions out of joint control.
  - Information controls: clean teams, scoped data rooms, role-based access, and audit logs.
  - Operational controls: site security plan, visitor controls, contractor vetting, and badge policies that apply to JV personnel.
  - Exit + deadlock: buy-sell triggers and a forced transfer option if regulatory risk escalates.
Example: a startup forms a JV with a foreign strategic partner. Governance is redesigned so the partner receives economic rights but not operational control over sensitive areas or access to restricted technical information.
For broader JV structuring mechanics, see unconventional partnerships in real estate development.
Tenant Screening and Counterparty KYC for Startups Managing Space (and for Landlords Renting to Startups)
Tenant screening matters more because access is the issue. Subtenants, lab users, “desk renters,” and short-term occupants can create the same control and information-access concerns as a direct tenant — especially if they can enter restricted areas, connect devices to networks, or use shared building systems.
Operational tenant-screening workflow (practical checklist)
- Tier 1 (low risk): basic entity verification, good standing, address, and named signatory authority.
- Tier 2/3 (medium/high risk): beneficial ownership and control-person review, sanctions/PEP checks, source-of-funds (as appropriate), and a review of any rights that would give operational control or privileged access.
What to collect: entity formation docs, ownership/cap table summary (or BOI-style info), control persons, country of formation, operating locations, and (when relevant) key customers and on-site activities.
How to document: write a short “tenant diligence memo” for each approval, attach your evidence, and keep an approval record (who approved, when, and under what conditions).
Program rules to enforce screening: no sublease/license without pre-approval, badge/access policy compliance, and an ongoing duty to update after any ownership/control change.
Example: a startup subleases desks to a fast-growing “international consultancy.” Screening reveals opaque ownership, so the startup shifts to a tighter license model with restricted access and declines the deal.
Related reading: the ultimate KYC compliance guide and BOI reporting requirements (useful as an internal data standard even beyond filing).
Practical Mitigation Strategies When You Can’t Avoid Foreign Capital or Sensitive Locations
Sometimes you can’t “design out” the risk: the best facility is near sensitive infrastructure, or your cap table includes foreign capital. In those cases, mitigation is a mix of contract language, operational controls, and governance guardrails that make access and information flows demonstrably safe.
- Contractual: targeted reps/covenants, restricted-access provisions, audit/inspection rights, and clear termination triggers if required mitigation becomes infeasible.
- Operational: a site security plan (badges/escorts/visitor logs), segmented networks, contractor vetting, and tight vendor remote-access controls (including building systems and network closets).
- Corporate/governance: ring-fence sensitive operations, limit foreign-person governance or observer access where needed, use clean teams, and train staff on site security procedures.
- Data/tech controls: data localization when justified, encryption, role-based access, logging/audit trails, and incident response readiness (often helpful in investor and customer diligence).
Escalate to specialized review if any decision trigger is present: a foreign government-linked investor/tenant; sensitive tech (space/satcom, advanced semiconductors, defense-adjacent, critical infrastructure); or a facility near sensitive sites with broad, long-term access/exclusion rights.
Short FAQ
- Can a lease trigger CFIUS concerns? Yes — certain lease rights and sensitive locations can raise CFIUS-style issues even without an acquisition.
- Does foreign VC money automatically create CFIUS problems? Not automatically; facts and rights (control/information access) matter.
- KYC/BOI vs CFIUS? KYC/BOI is about identifying people/entities; CFIUS is a national-security review framework.
- What helps if a lender/VC flags risk later? A documented diligence memo plus clear access, disclosure, and termination/mitigation clauses.