On May 7, 2026, the Department of Defense (DoD) proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) that, when finalized, will impact nearly 38,000 defense contractors and subcontractors. The proposed changes will require companies to disclose foreign ownership, control, or influence (FOCI), which they must mitigate before the contracting officer can award, modify, or extend a contract.

Although companies working with classified information may be familiar with FOCI mitigation, the proposed DFARS changes, when finalized, will apply FOCI mitigation to certain unclassified contracts as well. The proposed changes implement Section 847 of the 2020 National Defense Authorization Act (NDAA) and Department of Defense Instruction (DoDI) 5205.87, Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors. This alert provides an overview of key provisions.

Applicable Contracts

The proposed changes will apply to DoD contracts, and subcontracts at any tier, valued at more than $5 million. Commercial products and services contracts awarded under Federal Acquisition Regulation (FAR) Part 12 are excepted, unless a to-be-determined “senior DoD official” determines “that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes.”

Pre-Contract Award Requirements

A new DFARS 252.240-70XX solicitation provision will require contractors to complete the Standard Form (SF) 328, Certificate Pertaining to Foreign Interests. The SF 328 asks nine questions to identify FOCI risks. FOCI risk exists when a foreign interest has the power, directly or indirectly, whether exercised or not, to direct or influence the management or operations of the contractor that may result in a risk to national security; potential compromise of sensitive data, systems, or processes; or adversely affecting the contractor’s ability to perform the contract. The SF 328 questions therefore concern foreign ownership, debt, contracts and agreements, outside positions, and management officials. Notably, contractors must specifically disclose whether any foreign entity owns, directly or indirectly, more than five percent of any class of stock, participation interest, unit, or capital commitment.

Before contract award, contractors will submit the SF 328 to the Defense Counterintelligence and Security Agency (DCSA). They must also provide contact information for each of their foreign beneficial owners. Contractors shall use the National Industrial Security System (NISS), https://niss.dcsa.mil, to submit the SF 328 and foreign beneficial owner contact information.

DCSA, in coordination with the program office or requiring activity, will review the SF 328 for FOCI risk. If the program office or requiring activity finds FOCI risk, the contractor must agree to implement mitigation strategies “identified by the program office or requiring activity” within 90 calendar days of contract award.

Notably, none of the proposed changes to the DFARS, Section 847, or DoDI 5205.87 provide for any specific mitigation strategies. Presumably, they will be similar to those DCSA uses with companies working with classified information: board resolutions, security control agreements, special security agreements, and proxy agreements.

Post-Contract Award Requirements

A clause at DFARS 252.240-70YY will impose a continuing duty to report any changes in FOCI or beneficial ownership during contract performance. Contractors must complete, update, and verify the currency of their SF 328 before any contract modification or option exercise. Moreover, contractors must submit a new SF 328 within three business days should there be a change to information previously submitted. If DCSA determines the changes create FOCI risk, the contractor has 10 business days to provide a plan to implement risk mitigation recommendations; submit additional information; describe any risk mitigation efforts already taken; and confirm it will comply with risk mitigation recommendations.

It is unclear how long contractors will have to implement a recommendation if the FOCI risk arises after award.

As noted above, the DFARS proposed changes will apply to subcontracts exceeding $5 million. Thus, under the 252.240-70YY clause, a contractor must ensure its subcontractor has an eligible status in the NISS and has submitted its SF 328 prior to subcontract award and maintains its eligibility. Additionally, the 252.240-70YY clause is a mandatory flow down clause; subcontractors at all tiers should be prepared to address FOCI risks when their subcontracts are for more than $5 million.

Takeaways

• Contractors that have never completed an SF 328 should consider reviewing it before it is required in a contract. Answering the nine questions can take time, particularly for companies with a parent company and/or affiliate companies.
• Contractors with an SF 328 already on file should review their SF 328 to ensure the information is current and accurate.
• Contractors should review their diligence practices and workflows for merger and acquisition transactions, new investors, new suppliers, and changes in management to ensure timely identification of potential FOCI issues.
• Contractors should update their onboarding requirements for subcontractors to include FOCI disclosures where required.
• There does not appear to be a procedure to challenge a FOCI determination. Contractors may have to agree to a mitigation strategy or risk losing a contract.
• Contractors potentially under FOCI preferring to avoid disclosure and possible mitigation should ensure their products and services meet the FAR’s definition of commercial under FAR 2.101 to maximize application of the commercial products and services exception.

Conclusion

Comments to the proposed changes are due July 6, 2026. The final version, however, is not likely to significantly change since the changes are required by statute. Although the proposed changes, when finalized, will not automatically disqualify contractors that have FOCI, these contractors will likely need to contend with new obligations under this new rule.

For help navigating those obligations or questions about this alert, contact Wilson Sonsini’s Government Contracts attorneys.