Widening FOCI: DOD Issues Proposed Rule Expanding FOCI Review and Mitigation to Unclassified Prime and Subcontracts

As we’ve previously reported, the Proposed Rule, if finalized, would apply to unclassified DOD contracts and subcontracts valued in excess of $5 million, with certain exceptions. DOD calculated that the rule will potentially impact 37,740 entities—a nearly 20-fold expansion of FOCI review, and potential mitigation requirements, which have historically only applied to a much smaller set of entities involved with classified contracts and facility security clearances.

Among other things, the Proposed Rule would impose the requirements to covered offerors, contractors and subcontractors that include the following:

• Beneficial Ownership. Beneficial ownership information and contact information for each beneficial owner in the National Industrial Security System (NISS)
• SF328 FOCI Information. The Standard Form (SF) 328, a form that requires large swaths of detailed information and can take significant time and resources to complete
• Reporting Changes. Updates to their SF328 or beneficial ownership disclosures to the Defense Counterintelligence Security Agency (DCSA) “when changes occur.” This could include situations where any “no” answer becomes a “yes” answer.
• Mitigation Implementation. Requirement to agree to FOCI mitigation at the time of award and implement the mitigation strategy within 90 days of contract award, modification, exercise of option or identification of risks during contract performance

Contracting officers will be required to confirm a contractor’s eligibility status in NISS before awarding, modifying or exercising options on a covered contract. Covered subcontractors and suppliers must also have an eligible status in NISS prior to the subcontract award and maintain that eligible status for the duration of subcontract performance.

Commercial Items Excluded Unless DOD Determines Otherwise
The Proposed Rule would not cover commercial services or products, including commercial-off-the-shelf, or “COTS,” items unless DOD determines that the contract involves potential risk to national security or potential compromise of sensitive data, systems or processes.

New Solicitation Provision and Contract Clauses

• The new solicitation provision would require offerors to submit SF328, Certificate Pertaining to Foreign Interests, and supporting documents for DCSA review in NISS. Offerors will be required to represent, by submission of the offer, that (1) they have submitted the SF328 and contact information for each beneficial owner in the NISS and (2) the information is current, accurate and complete.
• The new contract clause requires contractors to (1) disclose to DCSA their beneficial ownership and whether they are under FOCI by submitting an updated SF328 in NISS; and (2) revise the SF328 and supporting documents, to include the contact information of each beneficial owner in NISS. Prime contractors must flow down the new contract clause to connected subcontracts exceeding $5 million.

The new solicitation provision aims to put offerors on notice that, if the DOD customer (“requiring activity”)—based on input from DCSA that FOCI or beneficial ownership poses a risk or potential risk of compromise to national security that may be mitigated, the offeror must agree to the risk mitigation strategies at the time of award, and agree to implement the risk mitigation strategy within 90 calendar days of contract award. In this regard, as we previously have noted, regulations give the DOD customer discretion to determine whether to apply FOCI mitigation based on input from DCSA.

If mitigation measures are required, they must remain in effect for the duration of the contract or subcontract. Mitigation could be patterned off of existing FOCI mitigation instruments used for cleared industry—such as Proxy Agreements, Special Security Agreements (SSAs) and Security Control Agreements (SCAs), and both Board Resolutions (BRs) and Special Board Resolutions (SBRs). Based on how some government activities have already been implementing FOCI mitigation prior to this Proposed Rule, companies should expect to see wide use of supplemental FOCI procedures, such as technology control plans (TCPs).

Updating Information
Under the Proposed Rule, where a contractor determines that a change may place it or the subcontractor at any tier under FOCI, the contractor must report that change within three business days of identification. Additionally, where DCSA notifies a contractor of a national security risk, the contractor has 10 business days to initiate a plan of action to implement DCSA’s mitigation recommendations and confirm compliance in NISS.

Foreign Contractors and Subcontractors Would Be Subject
The Proposed Rule does not distinguish between domestic and foreign contractors and subcontractors. Foreign companies holding or seeking DOD prime contracts or subcontracts exceeding $5 million should anticipate the Proposed Rule applying to them. This may include affiliates of an already FOCI-mitigated contractor.

How to Prepare
Now is the time for potentially affected companies to start preparing. They should consider the following.

• Register in NISS. Companies that are not yet registered in NISS should register in advance.
• Engage Stakeholders Internally and with Owners. Information from companies with parent entities or individuals can often take time to obtain and produce. Companies should not wait for a particular solicitation.
• Prepare SF328. Companies should also start preparing or updating SF328 and related information. This form was revised in May 2025 and can involve a large download of information not only about ownership, but also about foreign arrangements, affiliations and supply chain.
• Get Smart on FOCI and Mitigation. Understanding FOCI and potential mitigation instruments that can help companies anticipate what to expect.
• Advance Planning. Depending on a company’s circumstances, considerations could include early diligence and strategic decisions related to ownership, supply chains and government-customer engagement.

We are ready and willing to help clients navigate these potential requirements.