On May 7, 2026, the Department of Defense (“DoD”) issued a proposed rule that would fundamentally expand the scope of foreign ownership, control, or influence (“FOCI”) disclosure and risk mitigation requirements for a significant number of companies that serve the national defense. The proposed rule, together with DoD Instruction (“DoDI”) 5205.87 (issued in 2024), would for the first time require many contractors and subcontractors performing unclassified work to disclose their beneficial ownership and FOCI status to the Defense Counterintelligence and Security Agency (“DCSA”), register in the National Industrial Security System (“NISS”), and—as necessary—implement and maintain FOCI risk mitigation measures. Specifically, the proposed rule would require:
- Covered contractors (including subcontractors at any tier) on contracts valued above $5 million to submit a Standard Form (“SF”) 328 and other information in NISS in connection with the award and modification of contracts;
- Covered contractors to agree to implement—where required based on the government’s FOCI assessment of the company—risk mitigation measures no later than 90 days post-award (and potentially much faster);
- Covered contractors to submit updated information when there are changes in beneficial ownership for the contractor or a subcontractor; and
- Covered contractors to meet strict and short reporting timelines if the covered contractor concludes that changes may place it—or one of its subcontractors—under FOCI and thereafter undertake actions to implement risk mitigation measures identified by the government.
Importantly, DoD estimates the $5 million threshold will capture nearly 40,000 companies, and that figure does not include commercial contractors that may be brought within scope on a case-by-case basis.
The proposed rule raises significant questions. Key among them:
- How broadly will DoD apply the regime to contracts for commercial products and services?
- How will DoD define and evaluate “risk to national security” and the scope of “sensitive data, systems, or processes” in the absence of clear definitional guidance?
- What forms of FOCI mitigation will DCSA require?
- How will contractors engage with DCSA on mitigation within the rule’s compressed timelines?
- How will the new regime interact with the existing NISPOM framework for cleared contractors?
- How are costs allocated for mitigation measures?
- What are the practical challenges of flow-down compliance obligations for prime contractors managing large subcontractor bases?
Companies doing business with DoD—either as a prime contractor or a subcontractor—should begin preparing now—by assessing FOCI exposure, registering in NISS, and preparing a current SF 328 submission with supporting information—well before the proposed rule ultimately goes into effect. Comments on the proposed rule are due July 6, 2026, and a final rule is anticipated later this year.
The proposed rule would amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) to require covered contractors and subcontractors to disclose their beneficial ownership and FOCI status to DCSA and, where applicable, to implement FOCI risk mitigation measures for the duration of their contracts. The proposed rule, published at 91 Fed. Reg. 24783, was long anticipated. It is the next step in DCSA’s FOCI expansion mission, implementing the statutory requirements under Section 847 of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2020 (Pub. L. 116-92) and Section 819 of the NDAA for FY 2021 (Pub. L. 116-283), as well as elements of DoDI 5205.87, Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors, which took effect in May 2024. The preamble to the proposed rule describes the rule as “a cornerstone of DoD’s strategy to counter pervasive threats from strategic competitors,” and notes that it will “provide[] the necessary tools to ensure our partners in industry are secure, trustworthy, and free from the influence of those who seek to harm our national interests.”
Together, the proposed rule and the DoDI would establish a comprehensive new regime for addressing supply chain risks by identifying and mitigating FOCI across the defense industrial base—including, for the first time, in contractors that perform only unclassified work. The regime represents a sea change for both DoD contractors and DoD. The proposed rule would require many DoD contractors to meaningfully engage with DCSA for the first time and comply with broad disclosure obligations. It also would provide DoD with unprecedented visibility into the ownership structure of many more of its prime contractors and subcontractors and significantly expand the government’s scrutiny of FOCI and the number of companies subject to FOCI mitigation. The proposed rule also would materially expand DCSA’s workload and impose new timing requirements on DCSA’s processes. We understand DCSA has been increasing its staffing resources to prepare for these new demands. It remains to be seen how the agency’s new resources and processes will manage the large influx of FOCI reviews and increased number of companies under mitigation measures.
This alert summarizes the key provisions of the proposed rule and the DoDI, identifies important takeaways and open questions, and offers practical guidance for companies that may be affected.
Traditionally, FOCI mitigation in the defense context has been governed by the National Industrial Security Program Operating Manual (“NISPOM”) administered by DCSA and promulgated at 32 C.F.R. Part 117. Under the NISPOM framework, FOCI review and mitigation are required for companies that hold or are seeking a facility security clearance (“FCL”) to access classified information—contractors cannot maintain an active FCL with unmitigated FOCI. Policymakers believe that this scoping left a significant gap: contractors performing unclassified but sensitive work—including work involving controlled unclassified information (“CUI”), cybersecurity systems, and national security systems—were not subject to a similar systematic FOCI assessment, disclosure, or mitigation process.
In 2019, Congress moved to close this gap through Section 847 of the FY 2020 NDAA, which directed DoD to require covered contractors and subcontractors to disclose their beneficial ownership and FOCI status, update those disclosures when changes occur, and, if determined to be under FOCI, disclose contact information for each foreign owner that is a beneficial owner. Section 847 also authorized the application of these requirements to contracts for commercial products and services where a designated senior DoD official determines that the contract involves a risk or potential risk to national security. Section 819 of the FY 2021 NDAA supplemented these requirements by mandating effective FOCI risk mitigation throughout the duration of the contract and directing DoD to revise its regulations to implement Section 847.
DoD took a first step toward implementation in May 2024 with the issuance of DoDI 5205.87, which establishes the institutional DoD policy for FOCI disclosure, assessment, and mitigation as required by Section 847. Somewhat curiously, the proposed DFARS rule does not explain how it interacts with DoDI 5205.87. One potential reading is that the proposed addition to the DFARS will work in tandem with DoDI 5205.87, with the proposed rule setting out the specific contract and solicitation clauses that must be included in in-scope contracts, and DoDI 5205.87 setting out the internal DoD policies and procedures to operationalize the requirements of Section 847 within DoD itself. Another possibility, however, is that the proposed rule is just the beginning, and additional regulations may be forthcoming that will codify the relevant government procedures, which are noticeably missing from the proposed DFARS changes.
A. Covered Contractors and Subcontractors
The proposed rule applies to “covered contractor[s] or subcontractor[s],” which is defined as any company that is an existing or prospective contractor or subcontractor of DoD, at any tier, on a contract valued in excess of $5 million. The proposed rule, at a high level, implements the dictates of Section 847 of the FY 2020 NDAA and Section 819 of the FY 2021 NDAA by, among other things, requiring covered contractors to disclose their beneficial ownership and whether they are under FOCI, to update those disclosures when changes occur, to provide contact information for beneficial owners, and to maintain effective mitigation of FOCI risks throughout the duration of the contract or subcontract. The scope of covered contractors is deliberately broad. It captures prime contractors and subcontractors, regardless of their tier, if their contract exceeds the $5 million threshold. It applies regardless of whether the contractor holds or is seeking an FCL.
The proposed rule will expand FOCI requirements to a significant number of new companies. While challenging to predict, DoD estimates that nearly 40,000 entities may be affected by the proposed rule. Notably, DoD’s estimate does not account for companies selling commercial products or services, as the agency does not know how many commercial contracts will be subject to these new requirements.
B. Case-by-Case Applicability to Commercial Contracts
The proposed rule would not apply to contracts for commercial products or services, unless a designated senior DoD official determines that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes. The proposed rule does not identify the senior DoD official who will be tasked with making that determination. Presumably that official will be identified in the final rule.
The proposed rule does not define a “potential risk to national security” or “potential compromise because of sensitive data, systems, or processes.” It is possible that this could affect many commercial technology companies that do business with DoD and handle sensitive unclassified information—likely including certain types of CUI—as part of performance of those contracts.
A. Proposed Solicitation Provision
The proposed rule would prohibit DoD from “awarding a contract with a value in excess of $5 million to an offeror” unless the contractor has an “eligible status” in NISS or an exception applies. NISS is DCSA’s web-based platform for managing and overseeing the industrial security of contractors working with classified information.
The proposed rule’s solicitation provision, 252.240-70XX, clarifies that DoD may only award contracts to contractors that (1) have submitted an SF 328, Certificate Pertaining to Foreign Interests, and supporting documents—including contact information for each foreign beneficial owner—in NISS and (2) either have been determined to not have risk related to FOCI or beneficial ownership or have agreed to implement “risk mitigation strategies” that have been identified by the requiring activity or program office no later than 90 days post-award.
If the requiring activity determines based on input from DCSA that FOCI or beneficial ownership present at the offeror poses a risk—or potential risk—of compromise to national security, but that the risk can be mitigated, the offeror must agree to implement a risk mitigation strategy within 90 calendar days of the award.
B. Proposed Contract Clause
The proposed rule’s contract clause, 252.240-70YY, specifies what it means for a contractor to be under FOCI. Contractors are under FOCI if “a foreign interest has the power, directly or indirectly, regardless of whether the power is exercised or is exercisable through the ownership of the [contractor’s] securities, to (i) direct or decide matters affecting the management or operations of that company in a manner that may result in a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes; or (ii) otherwise control or influence the business or management of the Contractor in a manner that could adversely affect its ability to perform the contract or subcontract.”
Under the proposed contract clause, contractors must:
- Agree to risk mitigation measures identified in NISS at the time of award;
- Implement those measures within 90 days of contract award, option exercise, modification, or the identification of risks during performance;
- Submit an SF 328 and supporting documents prior to contract modification or renewal or when changes to previously submitted information occur; and
- Confirm that covered subcontractors “have an eligible status” in NISS before awarding a subcontract and that the eligible status is maintained during subcontract performance.
The contract clause also establishes reporting requirements for contractors. Specifically, contractors must report:
- Changes in FOCI or beneficial ownership during performance of the contract, by submitting an updated SF 328 in NISS; and
- Changes in FOCI or beneficial ownership of a subcontractor or supplier, by submitting an updated SF 328 in NISS.
If a prime contractor concludes that changes may place the contractor—or one of its subcontractors—under FOCI, the contractor must:
- Report the “foreign owner’s name or the beneficial owner’s name,” “relevant information” regarding the foreign or beneficial owner, and “any readily available information about risk mitigation actions undertaken or recommended” within three business days of the date of the identification or notification of FOCI.
- Initiate a plan of action to implement DCSA’s recommendations, submit additional information, describe risk mitigation efforts undertaken to date, and confirm in NISS that the contractor will comply with identified risk mitigation measures within 10 business days of being notified by DCSA that FOCI or beneficial ownership poses a risk—or potential risk—of “compromise to national security.”
Assuming that the proposed DFARS rule is intended to work together with DoDI 5205.87, they create a framework where the DFARS rule establishes the contractual requirements for contractors, and DoDI 5205.87 provides the institutional framework for how the FOCI and beneficial ownership assessments are conducted, how mitigation is implemented, and how compliance is monitored. Several features of the DoDI merit particular attention in light of the proposed DFARS rule.
A. DCSA Assessment Process
Under the DoDI, DoD components notify DCSA of covered contractors whose proposals have been evaluated for further consideration before the source selection decision. DCSA then conducts a case review of beneficial ownership and FOCI, which may incorporate counterintelligence information. Based on its review, DCSA must deliver its risk indicator report or FOCI assessment and proposed risk mitigation strategy within 25 business days of a DoD component’s request.
Risk indicator reports must include a summary statement indicating whether FOCI risk indicators were found, background information on the contractor and its key personnel, and a risk mitigation strategy. Full FOCI assessments include identification of all risk indicators and triggering events, detailed analysis with references and analytic notes, and a determination of whether the FOCI poses a risk to national security.
B. Counterintelligence and Threat Assessment Integration
The DoDI tasks the Defense Intelligence Agency (“DIA”) with producing intelligence and counterintelligence assessments of foreign collection threats to mission-critical acquisitions and defense research assistance awards. This layer of analysis confirms that DoD intends to use FOCI data submitted by covered contractors as an input into its broader supply chain threat assessment. Companies involved in mission-critical acquisitions should therefore be aware that their FOCI disclosures may be evaluated not only by DCSA but also through the lens of DIA threat assessments.
C. Risk Mitigation Measures
Where DCSA recommends mitigation measures, those measures must be agreed to by the covered contractor and the contracting officer before contract award, which is consistent with the process outlined in the proposed DFARS rule. For subcontractors, mitigation must be agreed to after contract award but before contract performance begins. Mitigation measures must be executed and implemented within 90 calendar days of contract award or commencement of subcontract performance. DCSA will oversee implementation of, and compliance with, the mitigation measures, which remain in place for the duration of the contract while the contractor is under FOCI.
D. Ongoing Oversight and Non-Compliance
The DoDI includes several ongoing oversight mechanisms that are not reflected in the proposed DFARS rule. First, DCSA must annually review covered contractors with FOCI mitigation measures in place, assess whether their FOCI status has changed, and notify DoD officials of any acts of non-compliance. Second, DoD components must report annually to the Office of the Under Secretary of Defense for Intelligence and Security (“USD(I&S)”) on the number of covered contracts not awarded or terminated based on FOCI. Third, when non-compliance raises questions about whether a contractor’s FOCI remains effectively mitigated, DCSA must notify the applicable contracting officer and relevant officials through its system of records.
The proposed rule and the DoDI together represent a significant and long-anticipated expansion of the FOCI regime. They do not, however, answer all of the questions that covered contractors will have. Some of our observations and key open questions are below:
- Applicability of Commercial Exemption. The designated senior DoD official who will determine whether the requirements apply to contracts for commercial products and services has not yet been identified. The proposed rule uses the term as a placeholder. How this authority is delegated—and how aggressively it is exercised—will have significant implications for the scope of the regime’s practical reach. Indeed, the proposed rule’s general references to potential risks to national security or potential compromise because of sensitive data, systems, or processes establish a broad standard that could be significant for many commercial companies that support sensitive but unclassified DoD missions.
- Evaluation of FOCI Risk. The proposed rule does not define some of the key terms on which important FOCI risk determinations will turn, and which can be broadly interpreted. For example, the rule provides that a company is under FOCI if a foreign interest has the power to direct or decide matters affecting the management or operations of a company “in a manner that may result in a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes,” but does not define “risk to national security,” “sensitive data,” “sensitive systems,” or “sensitive processes.” The NISPOM’s FOCI mitigation regime for cleared contractors, by contrast, focuses in part on addressing risks involving unauthorized access to classified information, which is a more clearly defined set of information. If not addressed in the final rule, this opacity leaves the scope of the proposed rule ambiguous in meaningful ways.
- Authority to Determine FOCI Risk and Mitigation. The proposed rule provides that the “requiring activity,” with DCSA input, will determine whether there is FOCI risk that may be mitigated. Under this framework, it is not entirely clear who, as between the requiring activity and DCSA, will make the ultimate decision regarding the level of risk identified and the mitigation required to address that risk. To the extent that decision is left to individual DoD components, this could potentially lead to variability, uneven outcomes, and lack of predictability for individual contractors competing for contracts and investors that own multiple companies performing DoD contracts or subcontracts.
- Forms of FOCI Mitigation. The proposed rule does not identify the form(s) of FOCI mitigation measures that will be used to mitigate FOCI risks. For cleared contractors, the NISPOM identifies a set of acceptable FOCI mitigation mechanisms, which are used with relative predictability based on the nature of FOCI presented over a cleared company. The proposed DFARS rule does not indicate whether, and to what extent, DCSA will draw on the NISPOM’s FOCI mitigation measures, or the extent to which DCSA will telegraph for industry the range of potential mitigation measures. Further, some of the NISPOM mitigation measures are significant, requiring a cleared company to adopt governance requirements involving Outside Directors or Proxy Holders, and it is not clear whether or in what circumstances similarly significant mitigation may be required under the proposed DFARS rule and the DoDI.
- Engagement with DCSA on Mitigation Requirements. The proposed rule provides that a contractor must agree to risk mitigation strategies identified in NISS at the time of the award. In practice, a company’s assessment of whether it can implement FOCI mitigation requirements often relies on discussions with DCSA about its operational practices, where some mutually agreed tailoring of mitigation measures often occurs. To what extent will the timelines outlined in the proposed rule and the DoDI, and DCSA’s increased workload, allow for productive engagement between the contractor and DCSA on mitigation requirements before a contract is awarded? And how exactly will this engagement occur in the context of competitive bidding?
- Disclosure of Beneficial Owners. The proposed rule requires completion of the SF 328 form and submission of “supporting documents,” including “contact information of each beneficial owner.” We presume that DoD intended for the supporting documents requirement to focus on foreign beneficial owners, rather than all beneficial owners, and that this will be clarified in the final rule. Regardless, this is a potentially broader set of information than currently required of cleared contractors, and it could well prove challenging for many companies, particularly those that are publicly traded and do not have complete information about their stockholders. The proposed rule also requires contractors to report within three days any changes in beneficial ownership during performance of a contract—without reference to a reporting threshold—which may pose further practical challenges.
- Timeline for FOCI Review. While the DoDI specifies a 25-business-day timeline for DCSA to deliver its assessment, the proposed rule does not incorporate this timeline into the DFARS. It is unclear what recourse, if any, contracting officers or offerors will have if DCSA review timelines extend beyond 25 business days and delay contract award. For example, will contract award timelines be held up pending completion of this review?
- Cost Allocation. The proposed rule does not address the costs associated with the technical requirements of FOCI risk mitigation. The preamble states explicitly that these costs are “outside of the scope of this proposed rule.” This leaves open the question of how mitigation costs will be allocated between the government and the contractor, and whether contractors will have any contractual mechanism to recover mitigation-related expenses.
- Flow-Down Requirements and Responsibility for Subcontractors. The flow-down requirement could place significant compliance burdens on prime contractors, who must ensure that all subcontractors above $5 million have an eligible NISS status before subcontract award. The proposed rule also requires contractors to report ownership changes of their subcontractors within three days of notice. This requirement could create substantial administrative challenges, particularly on large contracts. In addition, it is unclear whether and how subcontractors will be expected to disclose such information to prime contractors, and how confidentiality concerns will be managed.
- Interaction with the NISPOM. The interaction between the new regime and the existing NISPOM framework is not fully addressed. Contractors that already hold facility security clearances and are subject to FOCI mitigation under the NISPOM may face overlapping—and potentially inconsistent—requirements. The proposed rule and the DoDI do not clearly delineate how the two regimes will interact for contractors subject to both.
We expect that these and other questions will be raised in public comments on the proposed rule, but as written, the rule itself leaves key issues unanswered and soon-to-be covered contractors unable to fully prepare for the rule’s impact.
Notwithstanding some of the uncertainties outlined above, companies doing business with DoD—or seeking to do so—should take several steps now, even before the proposed rule is finalized.
- Assess FOCI exposure. Companies with any degree of foreign investment, foreign directors or officers, foreign suppliers, foreign debt, or other foreign ties should conduct a thorough self-assessment of their FOCI profile. The definition of “under FOCI” in the proposed rule is broad and captures any situation in which a foreign interest has the power, directly or indirectly, to direct or decide matters affecting management or operations in a manner that may pose a risk to national security.
- Register in NISS. Companies that are not already registered in NISS should do so proactively. Given the hard gate on contract award and the 25-working-day DCSA review timeline, waiting until a solicitation is issued to begin the registration and disclosure process could create significant delays and jeopardize award eligibility.
- Assemble the required information. Companies should prepare a current SF 328 and gather the supporting documentation—including contact information for all beneficial owners—that will be required for submission in NISS. Companies should also establish processes for tracking changes in real time, keeping this information up to date, and making required notifications.
- Evaluate subcontractor readiness. Prime contractors should begin assessing whether their subcontractors above $5 million are registered in NISS and prepared to comply with the flow-down requirements. Early engagement with key subcontractors will be critical to avoiding delays at the point of subcontract award and mitigating performance risk.
- Engage with DCSA. Companies with complex ownership structures—including those with a private equity sponsor, a sovereign wealth fund investor, a multinational parent company, or a dispersed shareholder base—may consider engaging with DCSA early to identify potential FOCI issues and begin the mitigation conversation before it becomes time-critical in connection with a critical recompete or another important pipeline opportunity.
- Submit comments. The comment period closes on July 6, 2026. Companies and industry groups should consider submitting comments. DCSA prides itself on being a cooperative partner with industry, and the rulemaking process here provides an opportunity for thoughtful and productive engagement.