Got It Covered? Expanded FOCI Oversight for Contractors and Subcontractors

The U.S. Department of War (DOW) on May 7, 2026, published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement Sections 847 and 819 of the fiscal years (FY) 2020 and 2021 National Defense Authorization Act, extending foreign ownership, control, or influence (FOCI) disclosure and mitigation requirements to unclassified defense contracts valued at more than $5 million. Historically, FOCI disclosure and mitigation have been limited to companies holding facility security clearances for classified work.

The proposed rule would require covered contractors and subcontractors to disclose beneficial ownership and FOCI status to the Defense Counterintelligence and Security Agency (DCSA) via the National Industrial Security System (NISS) using Standard Form (SF) 328.

Contracting officers would be prohibited from awarding, modifying or exercising options on covered contracts unless the contractor maintains "eligible" status in NISS, creating a pre-award gate at each subsequent contract action. Where FOCI risks are identified, contractors must implement a DCSA-recommended mitigation strategy within 90 calendar days.

The proposed rule would create new disclosure, verification and risk‑mitigation obligations on DOW contractors and subcontractors with contracts or subcontracts valued above $5 million. It may also apply to certain commercial products and services contracts if a designated senior DOW official identifies a national security risk involving sensitive data, systems or processes.

As reported in a previous Holland & Knight alert, "DOD Proposed Rule Will Expand FOCI Requirements to Non-Classified Defense Contracts," DOW Instruction 5205.87 laid the groundwork for these reforms. The newly proposed DFARS rule builds on that instruction by implementing Section 847 through a new solicitation provision (DFARS 252.240-70XX) and contract clause (DFARS 252.240-70YY) governing procurement, performance-period and subcontract-level requirements.

Scope

DOW proposes to create DFARS Part 240 and a new section 240.27X, Mitigation of Risks Related to Beneficial Ownership or Foreign Ownership, Control, or Influence.

The proposed rule applies to existing or prospective DOW contractors and subcontractors, at any tier, with contracts valued above $5 million (Covered Contractors and Covered Subcontractors).

The proposed rule will generally not apply to commercial products and commercial services, unless a designated senior DOW official determines that a contract involves a risk or potential risk to national security.

Policy Requirements

Covered Contractors and Covered Subcontractors must:

• disclose to the DCSA their beneficial ownership and whether they are under FOCI, using SF 328 and supporting documents in the NISS
• keep these disclosures current and update them when changes occur
• if under FOCI, disclose contact information for each foreign owner that is a beneficial owner
• as recommended by DCSA, mitigate FOCI risks throughout the duration of the contract or subcontract, consistent with statutory requirements

Contracting Officer Procedures

A contracting officer must not take a covered contract action unless the contractor or prospective contractor has an "eligible" status in NISS, unless an applicable exception applies.

Prior to exercising options, contracting officers must verify NISS eligibility.

Clause/Provision Prescription

A new solicitation provision and contract clause will be required in solicitations and contracts of more than $5 million and may apply to commercial contracts when a designated official identifies a national security risk. In addition, the solicitation provision would require offerors, at the time of award, to agree to implement a mitigation strategy within 90 days if DCSA identifies a mitigable FOCI or beneficial ownership risk.

Reporting Timelines During Performance

During performance, contractors must submit an updated SF 328 to report any changes in FOCI or beneficial ownership. If a change may place the contractor or a subcontractor under FOCI, the contractor must report the foreign or beneficial owner's name, relevant information and any readily available risk mitigation details to DCSA within three business days. After DCSA notifies the contractor that a risk exists, the contractor must advise DCSA of its proposed plan of action within 10 business days. The 90-day mitigation deadline resets after each triggering contract action, including post-award identification of risk during performance.

Subcontractor Flowdown

The contract clause must be flowed down in substance to all subcontracts and other contractual instruments exceeding $5 million at any tier. Prime contractors must confirm subcontractor NISS eligibility before subcontract award and throughout performance.

Application to Contracts at or Below the Simplified Acquisition Threshold and Commercial Products and Services Contracts

DOW has clarified that the proposed rule will not apply to contracts at or below the Simplified Acquisition Threshold, which is currently $350,000 in most procurements. This approach aligns with the statutory framework governing low‑value procurements and reflects DOW's decision not to extend these disclosure obligations to smaller contracts.

DOW also may apply the proposed rule to contracts for commercial products, including commercially available off-the-shelf items, and commercial services if a designated official determines the contract presents a national security risk because of sensitive data, systems or processes. DOW has emphasized that FOCI risk turns on company ownership, not necessarily the nature of what is being procured, signaling potential application even in commercial acquisitions.

Scale of Impact and Key Differences from Existing FOCI Framework

The scale of the proposed expansion is significant. DOW estimates the rule would bring approximately 37,740 entities within FOCI review obligations, including roughly 21,511 small businesses. DCSA currently processes approximately 2,000 FOCI cases annually in the classified-contract context; under the proposed rule, the estimated annual workload would expand to around 41,000 cases encompassing both cleared and uncleared companies, covering up to $200 billion in acquisitions that currently do not require FOCI vetting.

The proposed rule differs from the traditional National Industrial Security Program Operating Manual (NISPOM) FOCI framework in several important ways. Most notably, FOCI oversight and mitigation historically have been applied by DCSA at the company level to contractors holding facility security clearances for access to classified information. In other words, in order for a company to maintain the clearance necessary to perform on particular classified contracts, that company itself had to undergo FOCI mitigation.

The proposed rule would instead apply potential FOCI mitigation on a contract-by-contract basis in the unclassified space, with the contracting officer, rather than DCSA alone, as the mitigation decision-maker. Additionally, though mitigation is mandatory under the NISPOM when FOCI is identified, the proposed DFARS rule makes mitigation discretionary. DOW may choose not to impose it based on its risk determination.

That said, it is unclear how FOCI mitigation under the proposed rule will differ in practice from the well-established FOCI mitigation structures employed by DCSA in the classified-contractor context. As discussed below, Covered Contractors or Subcontractors with numerous contracts may find it prudent (or necessary) to implement companywide FOCI mitigation structures, such as Security Control Agreements or Special Security Agreements, that mirror those used traditionally by DCSA under the NISPOM.

Transactional Considerations

Mergers and acquisitions (M&A) and financing transactions involving covered contractors should account for DFARS compliance at signing and closing, including pre-award SF 328 submissions, NISS eligibility and post-closing change reporting. Mid-performance acquisitions or recapitalizations may trigger new assessments and mitigation obligations. Where parties anticipate a change in beneficial ownership (with ownership directly or indirectly of 5 percent or more by a foreign person as the preexisting reporting threshold), they should assess potential mitigation requirements and related business impacts early.

Business Implications and Action Items

Public comments on the proposed rule are due by July 6, 2026, after which a final rule will be issued.

This proposed rule, once implemented, will operationalize the mandate from Section 847 (FY 2020 NDAA) and integrate FOCI and beneficial ownership vetting into DOW's contract award process for major unclassified contracts. Given the new eligibility gates at each contract action, defense contractors and their investors should begin compliance preparations now to avoid disruptions to future awards and remain trusted partners in the national security supply chain.

Contractors should take the following actions to prepare:

• Identify your company's beneficial owners and any foreign stakeholders and ensure you know how to report that information into DOW's systems. Confirm access to and familiarity with NISS and SF 328.
• Update subcontracting policies to require subcontractors with awards over $5 million to comply with the proposed rule requirements.
• Plan for maintaining "eligible" status by establishing internal processes to update ownership information promptly upon changes and to respond swiftly if any foreign ownership or control is identified (including developing a FOCI mitigation plan with legal counsel).
• Consider how potential mitigation structures would be implemented by the company, if recommended by DCSA.
• Watch for the final DFARS rule and any DOW guidance. Holland & Knight will continue to monitor these developments. Contractors and industry groups may wish to submit comments to help shape a practical final rule.
• If your company is involved in or contemplating M&A activity, private equity investment or recapitalization, assess whether the transaction could trigger FOCI reporting obligations or mitigation requirements under the proposed framework.

For more information or questions, please contact the authors.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.