DoD proposes expanding FOCI requirements to unclassified contracts

By Michael Lowell, Lizbeth Rodriguez-Johnson, Justin Angotti, Mitch Bailey, Karla Perez Chacon, Kirsten Lowell, Lee Williams & Erika Yeager on June 3, 2026

Key takeaways:

Subject to limited exceptions, the proposed rule would require existing or prospective DoD contractors and subcontractors, at any tier, on contracts exceeding $5 million to disclose foreign ownership, control, and influence (FOCI) and beneficial ownership information – extending obligations that historically applied only to classified work.

Covered contractors determined to be under FOCI must implement risk mitigation strategies within 90 calendar days of contract award, modification, option exercise, or identification of a FOCI-related risk during performance.

Contracts for commercial products and services would be exempt unless a designated senior DoD official determines the contract involves a national security risk due to sensitive data, systems, or processes.

On May 7, 2026, the Department of Defense/War (DoD) published a proposed rule that would significantly expand the scope of FOCI requirements beyond classified contracts. The proposed rule would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the disclosure and risk mitigation requirements of Section 847 of the FY 2020 National Defense Authorization Act (NDAA) and Section 819 of the FY 2021 NDAA, as well as elements of DoD Instruction 5205.87. Comments are due by July 6, 2026.

The proposed rule would apply to “covered contractors and subcontractors,” defined as existing or prospective DoD contractors or subcontractors, at any tier, performing under a contract valued in excess of $5 million. DoD estimates the $5 million threshold will capture approximately 37,740 entities, roughly 57% of which are small businesses. Historically, FOCI disclosure and mitigation obligations have applied primarily to contractors performing classified work under the National Industrial Security Program (NISP). The proposed rule would extend similar requirements to certain contractors holding unclassified contracts – a significant expansion that DoD states is necessary because “foreign adversaries have exploited this gap to gain access to sensitive, unclassified information, intellectual property, and critical technologies.”

The proposed rule would operate through two new contract instruments: a solicitation provision (DFARS 252.240-70XX) and a contract clause (DFARS 252.240-70YY). Under the solicitation provision, offerors would represent at the time of offer submission that they have submitted a current Standard Form (SF) 328, Certificate Pertaining to Foreign Interests, in the National Industrial Security System (NISS), along with contact information for each beneficial foreign owner. Offerors that are aware of FOCI would also be required to agree to accept risk mitigation strategies as a condition of award. Importantly, contracting officers generally would be prohibited from awarding, modifying, or exercising an option on a covered contract unless the contractor has an “eligible” status in NISS or an exception applies.

The contract clause would impose ongoing obligations during performance, including the following:

Contractors must disclose their beneficial ownership and FOCI status by maintaining a current SF 328 in NISS.
Contractors must implement risk mitigation strategies within 90 calendar days of contract award, modification, option exercise, or the identification of FOCI-related risks during performance.
All subcontractors awarded contracts exceeding $5 million must maintain an “eligible” status in NISS prior to award and for the duration of performance.
Contractors would be required to update their SF 328 and, where the change could result in FOCI concerns, notify the Defense Counterintelligence and Security Agency (DCSA) within three business days. The notification would include information regarding the foreign owner or beneficial owner, the relevant ownership interests, and any available information concerning mitigation measures.

In addition, within 10 business days of being notified by DCSA that a FOCI or beneficial ownership issue poses a risk or potential risk to national security, a contractor would be required to initiate a plan of action, provide any requested information, describe mitigation efforts already undertaken, and confirm in NISS its intent to comply with DCSA’s recommended mitigation measures.

Importantly, the proposed rule would not apply to contracts for commercial products and commercial services, including commercially available off-the-shelf (COTS) items, unless a designated senior DoD official determines that the contract involves a risk or potential risk to national security because of sensitive data, systems, or processes. This case-by-case determination leaves open questions regarding the extent to which the rule ultimately may be applied to commercial contracting activities.

Defense contractors and subcontractors with contracts exceeding $5 million should begin assessing their potential FOCI exposure, ensuring they are registered in NISS, and preparing a current SF 328 submission with supporting documentation well in advance of a final rule. Prime contractors should also evaluate whether their subcontractors above the $5 million threshold are prepared to comply with the flow-down requirements. For many contractors that have not previously operated within the NISP framework, compliance may require establishing new processes to collect ownership information, monitor changes in foreign ownership and control, maintain NISS registrations, and respond to DCSA inquiries and mitigation requirements.

Comments on the proposed rule may be submitted via the Federal eRulemaking Portal at regulations.gov under DFARS Case 2021-D011, or by email to osd.dfars@mail.mil, on or before July 6, 2026.