Proposed DFARS Rule on foreign ownership risk mitigation
June 17, 2026
On May 7, 2026, the US Department of Defense (DoD) published a long-awaited proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to: (1) require a broad range of federal contractors performing under, and potential contractors competing for, unclassified awards to disclose information concerning foreign ownership, control and influence (FOCI) over their organization; and (2) authorize DoD program offices or other government customers to structure approaches to mitigate FOCI risks related to such contractors on the basis of input from the Defense Counterintelligence and Security Agency (Proposed Rule).

The Proposed Rule implements sections 847 and 819 of the National Defense Authorization Acts (NDAAs) for Fiscal Years 2020 and 2021, which required that DoD establish rules and policies governing such disclosures by covered contractors and subcontractors with respect to unclassified contracts and the adoption of relevant mitigation strategies. The objective is to address potential national security risks associated with foreign participation in the DoD supply chain.

Once finalized, the Proposed Rule will significantly expand the compliance obligations of virtually every company doing business with the DoD for contracts valued above $5 million—including many companies that have not previously been subject to FOCI-related requirements. DoD estimates that a total of 37,740 entities could be impacted, of which 21,511 (57%) are estimated to be small businesses.

DoD has sought comments from interested parties on the Proposed Rule, which are due on or before July 6, 2026.

Key points

Implications for contractors at all levels. The Proposed Rule has significant implications for covered federal contractors or subcontractors engaged in unclassified programs that have some degree of FOCI.
We stand ready to assist such firms in evaluating their circumstances holistically and assessing what types of mitigation measures they are willing to propose and accept in order to stay engaged in the US market. Some firms with significant federal procurement opportunities may elect to participate in the US market even if enterprise-wide mitigations such as those used for classified firms under FOCI are required. However, depending on the extent of possible business and nature and extent of proposed mitigations, some firms may choose to exit the increasingly regulated US procurement market (where cyber security rules, rules on controlled unclassified information, not to mention Buy America obligations among others impose increasingly higher costs on participation).

Notable process and substantive policy implications. The Proposed Rule has notable process and substantive implications for DoD and contractors.

Process implications. It is significant that individual DoD program offices or other government customers, rather than the Defense Counterintelligence and Security Agency (DCSA), will have the final say over mitigation decisions, after consultation with DCSA, which exclusively makes such determinations for firms engaged in classified contracts. Thus, a wider spectrum of risk mitigation outcomes may emerge across different program offices in different DoD components, reflecting the reality that certain DoD customer communities are more open-minded about foreign participation in the supplier base than others.

Will CFIUS play a coordinating role in foreign acquisitions of uncleared contractors? As discussed below, in cases when FOCI arises as a result of a foreign acquisition, the review of such foreign investments by the interagency Committee on Foreign Investment in the United States (CFIUS) may serve as a coordinating mechanism that can lead to more considered DoD-wide approaches to risk mitigation for unclassified contractors.

Substantive implications – enterprise-wide or more tailored mitigations. The nature and extent of mitigation arrangements in the context of a particular program or activity remain uncertain. In some cases, existing enterprise-wide mitigation models used for classified firms under FOCI (special security agreements, proxies, special board resolutions and the like) may be utilized. In other cases, DoD may require somewhat different and possibly more tailored forms of mitigation yet to be determined. The traditional US mitigation model focuses on governance of the US firm under FOCI, not only the “ring fencing” of an unclassified program from foreign owners and employees.

The tail wagging the dog: will case-by-case, program-specific determinations limit DoD’s ability to shape overall policies? One anomaly of the proposed system is that a particular program office, not DCSA or higher level DoD officials with a broader range of responsibility, could establish an enterprise-wide mitigation approach for a foreign supplier in the context of a particular acquisition program with significant consequences for the extent and cost of collaboration. This contract-specific approach raises questions about the ability to formulate consistent, across-the-board DoD policies in connection with FOCI mitigation. Considerations of security and ability to access cutting edge foreign technology will need to be balanced with more parochial interests that can arise in a program context. While DCSA will participate and can point out these issues, under the Proposed Rule it does not have the last word on these matters.

Background

The Proposed Rule is designed to increase transparency in the ownership structures of defense contractors, particularly on contracts that do not involve access to classified information.
Until now, comprehensive FOCI review and mitigation have been limited to contractors seeking or holding facility security clearances under the National Industrial Security Program Operating Manual (NISPOM). For the first time, the Proposed Rule extends these concepts to the broader population of unclassified defense contractors. The rule also implements elements of DoD Instruction 5205.87, which establishes procedures related to the disclosure of beneficial ownership and mitigation of FOCI risk. The rule proposes to create a new DFARS Part 240, Information Security and Supply Chain Security, and add a new section 240.27X governing the mitigation of FOCI and beneficial ownership risks.

What is covered – contracts and subcontracts over $5 million

The Proposed Rule covers existing contractors and subcontractors (as well as prospective contractors or subcontractors) at any tier, with a DoD contract or subcontract valued above $5 million. The rule does not apply to commercial products and commercial services unless a designated senior DoD official determines that the contract involves a risk or potential risk to national security because of sensitive data, systems, or processes. The senior DoD official has not yet been designated; the term "designated senior [DoD] official" is used as a placeholder in the Proposed Rule.

According to Federal Procurement Data System data, the average number of unique entities for FY 2022 – 2024 with awards above $5 million (excluding exclusively commercial awards) is 3,774, of which 2,148 (57%) are small businesses. When factoring in offerors and subcontractors, DoD estimates 37,740 entities are potentially impacted, of which 21,511 (57%) are estimated to be small businesses.

Key requirements

Disclosure obligations

The rule introduces two new regulatory instruments:

Solicitation Provision (252.240-70XX): Offerors on federal contracts must submit the Standard Form (SF) 328 (SF-328), Certificate Pertaining to Foreign Interests, and supporting documents—including contact information for each foreign owner that is a beneficial owner—for DCSA review in the National Industrial Security System (NISS). By submitting an offer, the offeror represents that it has submitted the SF-328 and beneficial owner contact information in NISS, and that the information is current, accurate and complete.

Contract Clause (252.240-70YY): Post-award, contractors must complete, update and verify the currency of the SF-328 and supporting documents in NISS prior to contract modification or renewal, or when changes occur to previously provided information. Notably, this means that acquisitions of a contractor by a foreign person will require the submission of an updated SF-328.

NISS eligibility

Contractors and offerors must have an “eligible” status in NISS as a precondition for the contracting officer to issue awards, modifications or options of covered contracts (i.e., contracts valued above $5 million). If the contractor utilizes a subcontractor in a covered contract, such subcontractor must also have an “eligible” status in NISS: (a) prior to the subcontract award; and (b) until performance is complete.

Risk mitigation – 90-day window

In addition to maintaining NISS eligibility, contractors must implement risk mitigation strategies within 90 days of: (a) the award, modification or option exercise of a contract; and, if applicable, (b) the identification of any risks during the performance period.

Rapid reporting

If a change occurs that may place a contractor or any of its subcontractors at any tier under FOCI (e.g., a foreign acquisition), the Proposed Rule requires prompt reporting.

Subcontract flow-down

Contractors must flow down to subcontractors the reporting requirements, as well as other disclosure requirements, by inserting the substance of 252.240-70YY into subcontracts or other contractual instruments that exceed $5 million.

Comparison to the classified FOCI framework under the NISPOM

Defense contractors with facility security clearances (FCLs) are already familiar with the FOCI framework administered by DCSA under the NISPOM. The Proposed Rule extends FOCI-related concepts to a much broader population of contractors and borrows several foundational concepts from the classified FOCI framework, including the same definition of FOCI (by reference to 32 CFR 117.11(a)(1)), the same primary disclosure vehicle (SF-328), reliance on DCSA and its NISS infrastructure for intake and review, and the core principle that FOCI risk must be identified and mitigated. However, there are notable differences in structure and process.

Key differences

Scope of covered contractors. Under the NISPOM, FOCI review applies only to companies that hold, or are seeking, a facility clearance to access classified information. The Proposed Rule applies to all contractors and subcontractors at any tier on DoD contracts valued above $5 million—regardless of whether the contract involves classified information. This extends FOCI disclosure obligations to a vast number of companies that have never been subject to DCSA oversight.

Risk determination authority. Under the NISPOM, as noted above, it is DCSA, not DoD program offices, that conducts a formal FOCI adjudication and determines whether a company is under FOCI and what mitigation is required. Under the Proposed Rule, DCSA reviews the disclosures and provides input, but it is the DoD program office that determines whether FOCI or beneficial ownership poses a risk or potential risk to national security. This division of authority is a significant departure from the classified model.

Mitigation instruments.
In a classified context, DCSA may require specific, well-established FOCI mitigation instruments, such as a Board Resolution, Special Security Agreement (SSA), Security Control Agreement (SCA), Proxy Agreement or Voting Trust Agreement, each of which has defined governance structures. The Proposed Rule does not reference these instruments. Instead, it refers generically to "risk mitigation strategies identified in" NISS and DCSA "recommendations." The precise nature of risk mitigation under the Proposed Rule remains undefined.

Enterprise-wide or program-specific mitigation. Notably, the prevalent methods of FOCI mitigation for classified firms are mostly enterprise-wide mechanisms, with significant restrictions on foreign participation in governance of the company, visitation and the extent of shared services between the cleared firm and its foreign affiliates. Whether contracting offices will use these types of mechanisms as distinct from security procedures specific to a particular program remains to be seen.

Timelines. The NISPOM does not impose a fixed statutory timeline for FOCI mitigation after initial identification. The Proposed Rule imposes a 90-calendar-day deadline to implement risk mitigation strategies in a program context, along with compressed rapid-reporting windows of three (3) and ten (10) business days for FOCI changes. These accelerated timelines have no direct parallel in the classified FOCI regime.

Practical impacts

Prime and subcontractors with foreign investors, board members or complex ownership structures should pay particular attention and carefully evaluate their circumstances. The rule captures not only prime contractors but subcontractors at every tier, meaning that foreign investment or ownership at any level of the supply chain could trigger disclosure and mitigation obligations.
A key question is whether the nature and extent of their US procurement business justifies the regulatory burdens and costs of participating in the increasingly regulated US procurement market. Firms will need to take these issues into account in shaping strategy and proposing and deciding whether to accept particular mitigations.

Foreign acquisitions of US contractors engaged in unclassified programs may soon receive closer review by CFIUS. CFIUS, which today reviews a wide range of covered foreign investments, effectively serves as a coordinating mechanism for consideration of FOCI issues for cleared contractors. DCSA and DoD participate in CFIUS deliberations and provide their views. In this regard, the CFIUS process, where DoD components and programs are engaged and provide their views on a coordinated basis, may help shape a DoD-wide policy or approach to mitigation in a particular case before CFIUS—thereby helping to address the fractured, program-specific mitigation process envisaged by the Proposed Rule.

Small businesses constitute an estimated 57% of affected entities. Although DoD asserts it does not expect a significant economic impact, the operational burden of NISS registration, SF-328 preparation, ongoing monitoring and the compressed reporting timelines is likely to be meaningful for smaller contractors with limited compliance infrastructure.

Commercial contractors are not categorically exempt. The rule preserves authority for a designated senior DoD official—not yet identified—to apply disclosure, reporting and risk mitigation requirements to commercial products (including commercially available off-the-shelf items) or commercial services where national security concerns are present, or may become present, because of sensitive data, systems or processes.

Conclusion

The proposed DFARS rule represents a fundamental expansion of the government's FOCI oversight framework—extending disclosure, reporting and risk mitigation obligations that have historically applied only to cleared contractors in the classified space to the far broader population of defense contractors and subcontractors with unclassified contracts valued above $5 million. Companies should begin preparing now to be in the best position to comply when a final rule takes effect.

__________

If you have any questions about this legal briefing, please feel free to contact any of the attorneys listed under 'Related People/Contributors' or the Eversheds Sutherland attorney with whom you regularly work.