Artifact · v0 (real content)

Firewall Structure Precedents

Three foreign-owned defense companies that built US cleared subsidiaries. What the structure looks like, how long it takes, and what SmartOne would actually face. This is context for a decision you have not yet made.

3.2 · Defense and NATO Liaison · artifact id: firewall-precedents-v0.html · 2026-05-28 · v0 draft

Framing. Your own words on the May 15 call: "This might be something for the back pocket, and I don't think it's pertinent for now." This artifact exists so the back pocket is stocked with real information. It is not a recommendation to activate this path.

What "firewall" actually means

A firewall structure refers to legal and governance arrangements that allow a foreign-owned parent company to operate a US subsidiary that can access classified or sensitive defense contracts. The governing framework is Foreign Ownership, Control, or Influence (FOCI) mitigation, administered by the Defense Counterintelligence and Security Agency (DCSA).

The core concern: can a foreign parent access classified information or direct corporate strategy in ways that compromise US national security? FOCI mitigation places governance control over the cleared subsidiary in the hands of vetted, cleared US citizens, independent of the foreign parent.

There are four principal mitigation instruments, ranked least to most restrictive:

Instrument	When used	Key condition
FOCI Board Resolution	Minority foreign investor without board seat rights	Foreign investor signs a resolution committing to keep classified governance separate
Security Control Agreement (SCA)	Minority foreign investor with board seat rights at the cleared company	Investor representative subject to security rules
Special Security Agreement (SSA)	Majority foreign-owned companies	Classified governance controlled by vetted US citizens. The BAE Systems model.
Proxy Agreement	Majority ownership when SSA insufficient	Foreign parent transfers voting rights to US-citizen proxy holders with government-approved clearances

For SmartOne: with a Canadian parent and Malagasy operating presence, the realistic path is an SSA or Proxy Agreement. The non-FVEY element is harder to clear than the Canadian element. Canada benefits from partial ITAR exemptions and FVEY (Five Eyes) intelligence-sharing alignment. Madagascar has no comparable status.

Precedent 1: BAE Systems Inc.

BAE Systems Inc.

UK parent · US cleared subsidiary

Structure

BAE Systems plc is a British multinational defense company. BAE Systems Inc. is its US subsidiary, incorporated in Delaware. The subsidiary operates under a Special Security Agreement (SSA) that allows it to work on some of the most sensitive US defense programs despite UK ownership. American executives govern the cleared subsidiary with decision-making authority independent of the British parent.

Scale achieved

BAE Systems Inc. is one of the six largest US DoD suppliers. Approximately 35,000 employees within US borders. Works on some of the most sensitive programs in the DoD portfolio, including nuclear programs and classified electronics.

The SSA gives BAE Systems Inc. the ability to conduct classified work in the US while BAE Systems plc maintains commercial and strategic oversight of non-classified activities. The firewall is not theoretical; it is operationally maintained by a Government Security Committee of cleared US-citizen directors. National Security Law Firm; BAE Systems Inc. Wikipedia

Relevance to SmartOne

This is the closest public precedent to the structure Amyn described on the call. A British company, majority foreign-owned, running a US subsidiary that wins the most sensitive US defense work through FOCI mitigation. SmartOne's ownership is more complex (Canadian parent with Malagasy operating presence) but the structural pattern is the same. The difference: BAE Systems plc is a publicly traded company with clear British ownership and a decades-long US defense track record. SmartOne would start from zero with no US defense track record and a more complex ownership structure to clear.

Precedent 2: DroneShield

DroneShield

Australian parent · Virginia subsidiary

Structure

DroneShield is an Australian counter-drone company listed on the ASX. Its US subsidiary, DroneShield LLC, is headquartered in Virginia. The subsidiary facilitates local sales and compliance with US Buy American provisions. Manufacturing remains in Sydney; the US entity handles contracting, compliance, and customer relationships.

Scale achieved

Won a $33M contract with an unnamed US government agency for counter-UAS technology. Multiple additional US government contract wins in 2024-2025. The Australian parent retains strategic control; the Virginia entity handles the cleared work.

DroneShield's US entity structure demonstrates that an ASX-listed Australian company can win meaningful US government contracts through a properly structured US subsidiary. The hardware focus means different FOCI requirements than a data-services firm, but the parent-to-subsidiary pattern is directly parallel. Fierce Electronics; DroneShield Wikipedia

Relevance to SmartOne

Australia is a Five Eyes nation, like Canada. Australia-to-US subsidiary structures face similar but not identical FOCI review as Canada-to-US structures. The Virginia HQ pattern is worth noting: proximity to Pentagon procurement decision-makers matters more than most companies acknowledge in early-stage defense planning. DroneShield's experience shows the structural path is real for Southern Hemisphere companies; Canada's FVEY status provides even more favorable initial conditions.

Precedent 3: Anduril and the AUKUS inverse

Anduril Industries

US founder · Australian joint venture

Anduril is a US-founded defense technology company that established significant Australian presence through the AUKUS defense technology framework. For SmartOne, the relevant observation is the inverse: Australian defense firms pursuing US work must stand up a distinct US legal entity and accept FOCI oversight by DCSA. The same applies to Canadian firms. The AUKUS framework also demonstrates that Five Eyes nations are increasingly comfortable with cross-border defense technology structures, which is favorable context for a Canadian company seeking a US cleared entity.

Relevance to SmartOne

The AUKUS framework signals that the US DoD is moving toward more formalized tech-sharing structures with Five Eyes partners. A Canadian company with a US subsidiary in 2026 operates in a more favorable FOCI review environment than a comparable company from a non-FVEY nation. The Mauritian element of SmartOne's structure does not benefit from this.

What SmartOne would actually face: the four costs

3-5

Years to first cleared contract

$200-500K

FOCI mitigation legal fees

12-24 mo

FOCI negotiation timeline (complex structure)

Madagascar workers usable for ITAR data

$150-350K

US subsidiary first-year infrastructure

Step	Realistic duration
Decision to proceed + legal structure design	3-6 months
US subsidiary formation + banking + office	1-3 months
FOCI mitigation negotiation with DCSA (complex multi-jurisdictional ownership)	12-24 months
Facility Security Clearance approval	6-12 months after FOCI
Key personnel clearances at Secret level	6-12 months per person
First cleared annotation workforce operational	12-18 months after FCL
Total: decision to first cleared contract delivery	3 to 5 years

The hidden cost the TAM does not reflect. SmartOne's primary cost advantage is its Madagascar workforce. That workforce cannot be used for ITAR-controlled or classified data because of the "deemed export" rule: providing a Malagasy employee access to ITAR-controlled technical data is legally equivalent to exporting it. A cleared US subsidiary would need to build a separate US-based cleared annotation workforce from scratch. Building a team of 50 cleared US annotators takes 2-4 years and costs significantly more per annotation unit than Madagascar-based work. The economics of defense data annotation are not obviously better than commercial Physical AI annotation when this cost is fully loaded.

May 2026 regulatory development: FOCI expansion

On May 7, 2026, the US DoD issued a proposed rule extending FOCI requirements to defense contracts and subcontracts involving no classified work, at a threshold of $5M or more. Previously FOCI applied primarily to classified work. When finalized, this rule would mean that a foreign-owned data annotation company bidding on non-classified US defense data work above $5M would still need FOCI mitigation.

Implication for SmartOne. The compliance perimeter just expanded. If the defense channel activates, the founders need to know that even non-classified work above $5M requires FOCI mitigation. The threshold applies to the structure, not just the data classification. Source: Venable LLP, May 2026.

The "is this worth it" question

Three factors deserve direct acknowledgment before any activation decision:

SmartOne's cost advantage (Madagascar workforce) is structurally unavailable for classified defense work. A cleared US annotation workforce must be built separately at significantly higher unit costs.
The 3-5 year timeline is measured against a company currently in survival mode burning $100K per month. Defense is a very long option; the company needs to still be operating when the option becomes exercisable.
The proposed May 2026 DFARS rule expanding FOCI requirements to unclassified contracts above $5M raises the compliance cost of even the initial steps.

None of these factors is a reason not to pursue the defense channel eventually. They are reasons to make the decision with clear eyes about what activation actually costs, and to ensure the decision is made when the company has the runway and the alignment to resource it properly.