Jupiter/Suirui unwind: What this divestment order means for CFIUS risk and strategy

In one move, the administration: (1) prohibited the four-year-old deal outright, (2) barred Suirui from accessing any of Jupiter’s non-public technology or sensitive assets, and (3) gave the company only 120 days to divest, subject to oversight, mandatory certifications, and weekly compliance reporting to CFIUS.

The mechanics of how this matter reached the White House remain confidential, but likely Suirui never filed for review (a non-notified transaction). Regardless of how it surfaced, the message is clear: CFIUS is watching—backward and forward—and deals involving Chinese ownership of sensitive U.S. technology remain highly vulnerable.

This action also confirms that President Trump’s second term will likely continue the aggressive national-security enforcement posture that characterized his first. In his first four-and-a-half years in office, President Trump has already blocked more deals than any prior administration and there are no signs of this aggressive approach changing, especially where China and defense-adjacent tech intersect.

Here are six critical insights from the Jupiter transaction that should shape the playbook for every cross-border M&A, minority investment, or joint venture involving U.S. technology, infrastructure, or sensitive data.

1. CFIUS doesn’t forget

The Jupiter divestment order targeted a transaction that closed in February 2020 - more than five years ago. This is a stark reminder that CFIUS’s enforcement division, the Office of Investment Security, routinely culls public filings, customs data, whistleblower tips, and classified sources to identify non-notified transactions.

This action is a further reminder that there is no statute of limitations or legal protection without receiving so-called safe harbor from CFIUS. Confidentiality agreements, offshore holding structures, or lack of publicity will not insulate an unreviewed transaction once CFIUS takes an interest.

Practical guidance: Any historical investments that did not receive prior CFIUS review and approval that involve foreign ownership, especially in sectors like advanced computing, AI, biotech, aerospace, energy, or national security contracting, should be reviewed against today’s CFIUS risk posture. What felt routine in 2019 may look radioactive in 2025.

2. Chinese controlled deals rarely survive

CFIUS has shown near-zero tolerance for transactions involving Chinese control of sensitive U.S. technology and U.S. government-adjacent businesses – even those dealing in less sensitive tech. The Jupiter deal fits that pattern perfectly: a People's Republic of China (PRC)-controlled acquirer, and a target whose systems are capable of displaying classified intelligence data. Clearance was – arguably – always unlikely. The real surprise is that the parties did not appear to take review seriously, either failing to file, or possibly doing so in a manner that fell short of conveying the full scope of risk.

Practical guidance: If a Chinese-linked entity is acquiring operational control or access to a sensitive technology or dataset, assume the default outcome is prohibition unless a tailored mitigation package is negotiated in advance. Already closed a deal that was not reviewed? Start your risk assessment now.

3. “Immediate firewall” requirements raise the bar

 Most presidential divestment orders simply require a divestment sale. The Jupiter order went further. It mandated that Suirui immediately cease access to all of Jupiter’s source code, IT systems, customer data, and facilities. These technical and physical firewalls were required by the order to be operational within seven days.

In an era where data can be copied instantly, this is a strong signal that CFIUS expects robust and auditable isolation protocols.

Practical guidance: Develop a break-glass plan (emergency isolation protocol) that can be executed within 24 hours. This should include revoking credentials, isolating networks, transitioning code repositories to escrow, and ensuring separate build environments. Companies that can demonstrate preparedness will fair far better than those caught scrambling.

4. “Independent buyer” now means truly independent

Under the divestment terms, any future buyer of Jupiter must clear a 30-day CFIUS review. More notably, the Committee reserved the right to reject any buyer with even indirect contractual, financial, familial, or governance ties to Suirui. This standard captures fund-to-fund relationships, limited partners (LPs) and general partners (GPs), co-investors, suppliers, or others with a “close and continuous relationship” with Suirui.

Practical guidance: Prepare to demonstrate complete independence from the seller. Buyers should expect scrutiny of their ownership structure, governance rights, information-sharing obligations, and post-closing support relationships.

5. Destruction of IP is not a bluff

Suirui is not just being forced to divest, it must also destroy or divest all source code and intellectual property developed while under Chinese ownership. That remedy could gut the enterprise value of many companies.

This is not symbolic. It reflects CFIUS’s view that national-security risk outweighs commercial considerations once a company is perceived to have evaded or misled the review process.

Practical guidance: Filing early may feel burdensome, but it preserves strategic flexibility. A post-closing prohibition often leads to asset fire sales, customer flight, and reputational damage that cannot be undone.

6. Transparency matters more than ever

According to public reporting, Suirui never formally announced the Jupiter acquisition, and Jupiter’s website made little or no mention of the change in ownership. This “quiet” approach backfired.

Practical guidance: Ensure consistency across internal narratives, public announcements, and regulatory filings. Inconsistencies or silence will only fuel suspicion. When CFIUS thinks you are hiding something, it starts looking for what else might be hiding.

Conclusion

The Jupiter/Suirui divestment is a textbook reminder that CFIUS enforcement reaches into the past, demands fast responses, and imposes sweeping remedies when companies fall short. For General Counsels (GCs), deal teams, and boards, the imperative is clear: embed CFIUS review early, before the term-sheet stage. Scrub old deals. Stress test your isolation plans. And act like CFIUS is already watching because there is a good chance it is.

Reprinted with permission from the Aug. 14, 2025 edition of the “National Law Journal”© 2025 ALM Global Properties, LLC. All rights reserved.