22 May 2026

DoD proposes major expansion of FOCI requirements to uncleared contractors

Written by:Dawn Stern Pete Young Nicholas Klein Christine Daya

Key points

The United States Department of Defense (DoD)’s proposed expansion of Foreign Ownership, Control, or Influence (FOCI) requirements to unclassified DoD contracts, if finalized, would apply to all DoD contracts and subcontracts of more than $5 million, except for commercial products and services.
The proposed rule would extend FOCI scrutiny to tens of thousands of previously unregulated contractors.
The proposed rule would introduce tight disclosure, reporting, and mitigation timelines.
Expanded FOCI requirements would create notable risk of procurement delays and transaction disruption.
The requirements could be extended to commercial products and services contracts by a designated DoD official.

Introduction

The DoD has proposed a significant expansion of FOCI requirements to unclassified DoD contracts for the first time. On May 7, 2026, DoD published a long-awaited proposed rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement Section 847 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2020, as amended by Section 819 of the FY 2021 NDAA.[1]

If finalized, the rule would impose new pre-award disclosure obligations, ongoing reporting requirements, and potential mitigation measures on tens of thousands of contractors and subcontractors that have not previously been subject to FOCI scrutiny.

Currently, FOCI disclosure and potential mitigation requirements are limited to foreign-owned or -controlled contractors with facility security clearances and access to classified information. Under the proposed rule, these requirements would extend to unclassified DoD contracts and subcontracts valued at more than $5 million.

The rule states commercial products and services contracts would be excluded unless a designated senior DoD official determines that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes.

Comments on the proposed rule are due July 6, 2026.

Background

DoD is one of five US government organizations authorized to establish and oversee the National Industrial Security Program (NISP). The Defense Counterintelligence and Security Agency (DCSA) administers the NISP, including FOCI assessments and mitigation, on behalf of DoD components and 35 other federal agencies.

Historically, DCSA FOCI review has focused on contractors with facility security clearances or that otherwise perform classified work (roughly 2,000 cases per year). That number is expected to expand significantly under the proposed DFARS rule and DoD Instruction (DoDI) 5205.87; DCSA is preparing for a surge of more than 40,000 case assessments annually.[2]

In effect, the proposed rule would create a FOCI-like regulatory regime for the uncleared defense industrial base, extending concepts historically limited to classified work into a much broader set of unclassified activities and assessing all levels of beneficial ownership and foreign affiliation.

Operating under FOCI

In practical terms, a contractor may be considered under FOCI when a foreign person has the ability – directly or indirectly – to influence management, operations, or decision making in a way that could pose a national security risk.

The formal definition of operating under FOCI, as adapted in DoDI 5205.87 and the proposed DFARS rule for unclassified contracts, provides that:

“[A] foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the U.S. company’s securities, to direct or decide matters affecting the management or operations of that [contractor] in a manner which may result in a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes, such as personally identifiable information, or national security systems, or could otherwise control or influence the business or management of the contractor in a manner that could adversely affect its ability to perform on the contract or subcontract.”

For instance, a contractor could be under FOCI (and subject to DCSA-imposed mitigation measures) if:

One or more members of its board of directors (or similar governing body), executive officers, general partners, or senior management officials are or become non-US persons
Non-US investors or shareholders hold significant ownership interests or governance rights (or there is a notable increase or change in such interests), or
The contractor has material contracts, financial arrangements, or other obligations with a foreign person (including financial institutions) or derives substantial revenue from foreign sources.

Contractors operating under FOCI – particularly those with access to controlled unclassified information (CUI), export-controlled data, or critical supply chains – could pose risks to US national security through potential access to or compromise of sensitive technologies, data, intellectual property, or supply chain integrity.

Qualifications for covered contractors or subcontractors

The rule would apply to any prime or subcontractor (at any tier) performing on a DoD contract, subcontract, or defense research assistance award (DRAA) valued at more than $5 million.
DRAAs include grants, cooperative agreements, technology investment agreements, and other non-procurement transactions for defense research.
The rule would exempt contracts for commercial products and commercial services. However, this exemption could be overridden if a designated senior DoD official determines that the contract involves a risk or potential risk to national security due to sensitive data, systems, processes, cybersecurity, or national security systems.
Requirements would need to be flowed down to all covered subcontracts.

FOCI review process and timeline

Under the proposed rule, offerors responding to solicitations containing the requirement must submit, or have on file, a completed SF-328, Certificate Pertaining to Foreign Interests, and supporting documentation through the National Industrial Security System (NISS).[3]

The SF-328 is structured around several core areas of inquiry. It begins with 1) detailed ownership disclosures, including all shareholders and beneficial owners, 2) intermediate and ultimate parent entities, and, if applicable, 3) investment funds, limited partners, general partners, and investment managers, with specific focus on whether any foreign person or entity, directly or indirectly, owns five percent or more of the outstanding shares, voting interests, or capital commitments.

The form next addresses the board of directors (or equivalent governing body) and senior management, requiring the nationality and any foreign affiliations of each director, officer, and key executive. Subsequent sections require information on the following:

The contractor’s foreign operations, assets, facilities, customers, and sources of revenue from foreign persons or markets
Any material contracts, business arrangements, indebtedness, liabilities, or other financial or contractual relationships with foreign persons or entities that could result in foreign influence over the contractor’s management or operations[4]

In addition, DCSA often requires a range of supplemental documentation. This commonly includes the contractor’s governance documents (e.g., articles of incorporation, bylaws, shareholder agreements, voting agreements, and side letters granting special rights); a detailed capitalization table identifying each investor’s or shareholder’s full legal name; and voting and economic ownership percentages.

Required information also includes nationality (or place of incorporation); organizational charts; customer and end-user lists; vendor, service provider, distributor, channel partner, and/or reseller lists; recent financial statements and other financial instruments; export control-related information; and Statements of Full Disclosure of Foreign Affiliations (FDFAs) for certain senior leaders.

DCSA reviews these materials to determine whether any potential FOCI risks exist that may require mitigation and aims for completion of FOCI assessments within 25 working days of receiving a complete request (per DoDI 5205.87).

Moreover, during performance, contractors must update their SF-328 in NISS before any contract modification or renewal and whenever FOCI or beneficial ownership information changes. If a change could place the contractor or subcontractor under FOCI, notification is required within three business days, with a plan of action due within ten business days if DCSA identifies risk. Contracting officers may not award, modify, or exercise options unless the contractor has an “eligible” status in NISS.

If FOCI risks are identified, the contractor must implement mitigation measures within 90 calendar days of award, option exercise, modification, or post-award identification of risk. Mitigation remains in effect for the life of the contract, including option periods. If risks cannot be adequately mitigated, the contract may not be awarded, amended, continued, or extended.

Together, these timelines likely create notable execution risk for contract awards, option exercises, and corporate transactions where FOCI issues are not identified and resolved early.

The proposed rule could also create significant compliance burden and timeline pressure for companies without prior FOCI experience, requiring new systems, training, documentation, and coordination with DCSA.

The proposed rule introduces several compressed timelines that may affect procurement and transaction planning. Key deadlines are summarized below.

Key FOCI mitigation timelines

Stage	Requirement	Timeline
Pre-award	Submission of SF-328 and supporting documents	Prior to award
Pre-award	FOCI assessment by DCSA	Approximately 25 working days of request
During performance	Update SF-328 and supporting documents (e.g., changes to ownership, control, or key management personnel)	Ongoing
During performance	Notification of potential FOCI-triggering change	Within three business days
During performance	Submission of plan of action (if risk is identified by DCSA)	Within ten business days
Post-identification of risk	Implementation of risk mitigation measures	Within 90 calendar days

Potential FOCI mitigation approaches

Mitigation requirements may draw from the NISP and existing cleared contractor frameworks. However, they could be highly fact-specific and risk-driven, depending on ownership structure, access to sensitive information, and contract scope.

Examples of FOCI mitigation include board or exclusion resolutions, visitation and access controls, restrictions on communications with foreign parents or shareholders, enhanced cybersecurity measures, limitations on shared persons and services, and supply chain security and reporting obligations.

In higher-risk cases, more stringent measures such as outside directors, proxy boards, or voting trusts may be required.

Next steps

While there may be changes to the proposed rule before it is finalized, contractors and investors are encouraged to begin assessing potential FOCI exposure now. It is not yet clear how DCSA will handle the projected increase to annual case reviews or the extent to which the designated DoD official will extend the requirements to commercial item contractors.

Such review is particularly relevant for private equity and venture capital firms and their portfolio companies, where complex ownership structures, foreign limited partners, and governance rights may prompt FOCI risk mitigation concerns that affect contract eligibility or transaction timelines.

Companies engaged in mergers and acquisitions activity or fundraising are encouraged to incorporate FOCI diligence early in the deal lifecycle to avoid delays, unexpected mitigation requirements, or valuation impacts.

Contractors with existing facility clearances should also be aware that separate mitigation agreements may apply to their unclassified work.

Failure to proactively assess FOCI exposure could result in lost contract opportunities, delayed awards or renewals, and disruptive mitigation requirements.

Potential action items

Contractors and investors may consider the following steps in light of DoD’s proposed rule:

Develop familiarity with SF-328 requirements and begin collecting relevant ownership and governance information, including related to any foreign affiliations and beneficiaries.
Establish access to and understanding of the NISS portal.
Conduct a proactive FOCI self-assessment.
Engage experienced national security counsel for mitigation planning and strategy.
Evaluate overlap in disclosure and compliance requirements under other related regulatory regimes and reporting systems such as the Committee on Foreign Investment in the US, the International Traffic in Arms Regulations, the System for Award Management, the Small Business Innovation Research and Small Business Technology Transfer programs, the Defense Advanced Research Projects Agency Countering Foreign Influence Program, National Security Presidential Memorandum-33, and relevant DFARS clauses (e.g., People’s Republic of China employment disclosures and foreign government ownership disclosures).

The comment period for the proposed rule closes on July 6, 2026, after which DoD is expected to move quickly toward final implementation. Companies are encouraged to prepare early to navigate the requirements and avoid disruption to contracting and transaction activity.

DLA Piper’s National Security and Global Trade and Government Contracting teams are available to conduct FOCI self-assessments, assist with public comment submissions, and support mitigation planning. For more information, please contact the authors.

^[1]^{See Proposed DFARS Rule (Federal Register, May 7, 2026) at Federal Register :: Defense Federal Acquisition Regulation Supplement: Mitigating Risks Related to Foreign Ownership, Control, or Influence (DFARS Case 2021-D011); see also Section 847 of the FY 2020 NDAA at https://www.congress.gov/116/plaws/publ92/PLAW-116publ92.pdf.}

^{[2] See DoDI 5205.87 – Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors (May 2024) at DoD Instruction 5205.87 "Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors," May 13, 2024.}

^{[3] See National Industrial Security System (NISS) at https://niss.dcsa.mil/.}

^{[4] See https://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests.}