On May 7, 2026, the U.S. Department of Defense (DoD) issued a long-awaited proposed rule that would extend foreign ownership, control, or influence (FOCI) requirements to defense contracts and subcontracts involving no classified work. This would represent a significant change because historically, FOCI disclosure and mitigation requirements have applied to classified contracts. The proposed rule would even permit DoD to apply these requirements to commercial-type contracts if the "designated senior DoD official" (who has not yet been designated) determines the contract involves a potential risk to national security or potential compromise because of sensitive data, systems, or processes.
Any companies doing business with the DoD and which may be subject to foreign ownership, control, or influence should carefully review the proposed rule and consider its implications for award of new business and post-award compliance.
Where is this proposed rule coming from?
Section 847 of the Fiscal Year (FY) 2020 National Defense Authorization Act (NDAA) required DoD to "improve the process and procedures for the assessment and mitigation of risks related to foreign ownership, control, or influence (FOCI) of contractors and subcontractors doing business" with it. This included:
- Requiring "covered contractors and subcontractors" to disclose "their beneficial ownership and whether they are under FOCI," provide updates on changes in such ownership, and furnish contact information for foreign owners if the company is under FOCI
- Considering FOCI risks as part of responsibility determinations, such that a finding that a company is under FOCI may render it non-responsible for award of DoD contracts
- Inserting clauses into DoD contracts requiring mitigation of FOCI risks during contract performance
- Designating an official to decline to award, to modify, or to terminate contracts if the Defense Counterintelligence and Security Agency (DCSA) finds that FOCI poses a risk to national security or potential risk of compromise
Section 847 exempted commercial contracts from these requirements, but with a potentially important exception: the requirements apply if a "designated senior official" determines "that the contract or subcontract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes, such as personally identifiable information, cybersecurity, or national security systems."
In addition, Section 819 of the FY21 NDAA amended Section 847 to add a requirement for DoD "to require reports and conduct examinations on a periodic basis of covered contractors or subcontractors in order to assess compliance" with Section 847.
This proposed rule does not address Section 847's requirement for responsibility determinations based on FOCI considerations.
Didn't DoD already have a policy on this in place?
Yes, DoD Instruction (DoDI) 5205.87 set in place the DoD's internal policy framework for the statute's expanded FOCI requirements. But contractors and subcontractors have been waiting for the publication of the proposed rule in the Defense Federal Acquisition Regulation Supplement (DFARS) for contractual implementation.
FOCI mitigation requirements have been around for a long time. What is new here?
Once finalized and in effect, the DFARS rule will expand the type and number of defense contracts subject to FOCI requirements. Historically, FOCI mitigation has been relevant to post-award activities on contracts requiring contractor personnel to handle or that have access to classified materials or information. By contrast, and as DCSA has stated, Section 847 "is an expansion of existing FOCI vetting requirements to pre-award contract activities and unclassified contracts." Per DCSA, this "will mean a tougher look and additional scrutiny for unclassified contracts[.]"
The proposed rule estimates that, between prime contractors and subcontractors, there are "37,740 potentially impacted entities," "21,511 (57%)" of which "are estimated to be small businesses."
Why are FOCI requirements being extended to unclassified contracts?
The main reason is to address perceived risk created by the lack of FOCI requirements for contracts involving sensitive, but unclassified, information. The proposed rule explains:
The primary benefit of the section 847 requirement is the unprecedented level of visibility it provides into the ownership structures of offerors and contractors, particularly for contracts that do not involve access to classified information. Historically, this has been a significant vulnerability. Foreign adversaries have exploited this gap to gain access to sensitive, unclassified information, intellectual property, and critical technologies through various ownership, control, and influence avenues of foreign interest. By mandating the disclosure of FOCI and beneficial ownership, this rule proposes to close that gap, directly reducing the risk of unauthorized access to DoD information and mitigating the potential for theft of intellectual property that underpins our warfighting capabilities. This directly enhances the security of DoD acquisitions and minimizes contract performance risks associated with contractors who may be subject to foreign adversary leverage.
Which contracts and subcontracts are "covered" under the proposed rule?
The proposed rule defines "covered contractor or covered subcontractor" to mean "a company that is an existing or prospective contractor or subcontractor, at any tier, of DoD for a contract valued in excess of $5 million." A new provision would be inserted into solicitations for such contracts, and a new clause would be inserted into such contracts and subcontracts.
Is there an exception for commercial contracts or commercial off-the-shelf (COTS) items?
The proposed rule exempts commercial-type contracts--i.e., those let under Federal Acquisition Regulation (FAR) Part 12--but with a potentially important exception. The new FOCI requirements will apply to commercial DoD contracts above $5 million "if the designated senior DoD official determines that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes." The proposed rule states that "[t]he senior DoD official has not yet been designated" and "[t]he term 'designated senior DoD official' is used in this proposed rule as a placeholder."
There is no exemption for COTS items (other than the general commercial exemption noted above).
What sort of national security risk or sensitive data might trigger application of the new FOCI requirements to commercial DoD contracts?
It is not clear yet which commercial contracts DoD will designate as requiring FOCI disclosure and mitigation under the new Section 847 clause. But there are some clues.
For example, both Section 847 and DoDI 5205.87 state that application could be triggered by "risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes, such as personally identifiable information [PII], cybersecurity, or national security systems" (emphasis added). Contracts involving the handling of PII or operation of a national security system may therefore be subject to the new clause.
DoDI 5205.87's definitions of the words "risk" and "compromise" also state that "sensitive data, systems, or processes" may include "controlled unclassified information" or CUI. It therefore appears that commercial contracts that may involve accessing or storing CUI could also now require FOCI mitigation under the proposed rule.
Finally, and as noted above, DoD's proposed rule states that one reason for the new requirements is to protect "intellectual property that underpins our warfighting capabilities" and other "critical technologies" (emphasis added). This raises the possibility that commercial technologies like artificial intelligence (AI) that are integrated into DoD systems could now also require the provider to engage in FOCI disclosure and mitigation.
Is there an exception for small businesses?
No, the proposed rule does not exempt contracts with small businesses.
When will a company be considered "under FOCI"?
The proposed rule states that a contractor is under FOCI when a "foreign interest has the power" ("directly or indirectly" and "regardless of whether the power is exercised or is exercisable through the ownership of the U.S. company's securities") to:
- "Direct or decide matters affecting the management or operations of that company in a manner that may result in a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes," or
- "Otherwise control or influence the business or management of the Contractor in a manner that could adversely affect its ability to perform the contract or subcontract."
Notably, a company may be under FOCI even if it "[h]as not been granted a facility clearance and is not in the process of obtaining a facility clearance," underscoring the extension of FOCI requirements to unclassified work.
How will the proposed rule affect competition for DoD awards?
The proposed rule inserts FOCI considerations into the procurement process prior to award. Specifically, DoD contracting officers "must not award, modify, or exercise an option or otherwise extend a contract, task order, or delivery order with a value in excess of $5 million unless the contractor or prospective contractor has an eligible status in the National Industrial Security System [NISS] or an exception applies[.]"
As DCSA summarizes, NISS is the agency's "web-based platform for managing and overseeing the industrial security of contractors working with classified information." The referenced "exception" is for commercial products and commercial services (when the designated senior DoD official has not made a determination to apply the FOCI requirements).
To implement this pre-award policy, solicitations for covered contracts would include a provision requiring offerors to disclose FOCI or foreign beneficial ownership (including completion of Standard Form (SF) 328 for each beneficial foreign owner in NISS) and stating that no award will be made unless the offeror:
- "[i]s determined to not have risk related to FOCI or beneficial ownership," or
- "[a]grees to execute and implement the risk mitigation strategies identified by the program office or requiring activity within 90 calendar days of contract award."
Offerors will also have to represent that the disclosures are "current, accurate, and complete."
What will the proposed rule require of covered contractors and subcontractors during performance?
The proposed rule would also require insertion of a new DFARS clause into covered contracts. The draft clause contains several requirements:
- Risk Mitigation: The contractor must "[a]gree to the risk mitigation strategies identified in the [NISS] at the time of contract award, option exercise, modification, or identification of post-award changes" and then "[i]mplement the risk mitigation strategies within 90 calendar days of contract award, option exercise, modification, or the identification of risks during contract performance"
- Updated Disclosures: The contractor must "[c]omplete, update, and verify the currency of the [SF328] and supporting documents, to include the contact information of each beneficial owner in the [NISS] prior to contract modification or renewal, or when changes occur to information previously provided";
- Subcontract Award and Management: The contractor must "[e]nsure all subcontractors and suppliers that are subcontractors awarded subcontracts that exceed $5 million have an eligible status in the [NISS] prior to subcontract award and maintain the status of eligible in the [NISS] for the duration of subcontract performance"
- Reporting Changes and Mitigation: The contractor must report "any changes in FOCI or beneficial ownership during performance of the contract," including "if the contractor is notified of such by a subcontractor at any tier or supplier," by submitting an updated SF328 in NISS. If "the changes may place [the contractor] or the subcontractor at any tier under FOCI," the contractor has 3 business days to submit a separate report with "relevant information," including "any readily available information about risk mitigation actions undertaken or recommended"
- Plan of Action: If DCSA notifies the contractor that "FOCI or beneficial ownership poses a risk or potential risk of compromise to national security," then the contractor has 10 business days to "initiate a plan of action to implement DCSA's recommendations" and make additional reporting submissions
- Subcontract Flow-Down: The contractor must "insert the substance of" the new clause, including a requirement to flow down to lower-tier subcontracts, "in subcontracts and other contractual instruments that exceed $5 million"
When are comments on the proposed rule due?
Comments on the proposed rule should be submitted in writing on or before July 6, 2026, to be considered in the formation of a final rule. Instructions for submission are available at https://www.regulations.gov/document/DARS-2026-0133-0001.
What are the main takeaways for DoD contractors?
Defense contractors and subcontractors should understand that Congress and DoD are serious about addressing perceived vulnerabilities in the nation's defense posture created by the defense industrial base's relationships with foreign actors. Although this concern has traditionally pertained to classified work, Section 847 and its implementing policies and regulations recognize that unclassified data may also be sensitive and warrant additional safeguards from potential adversaries. Moreover, the potential threat is serious enough that even commercial vendors may have to disclose and mitigate issues related to foreign ownership if they want to do business with DoD.
Given the breadth of the proposed rule's application, and the fact that it will become a gating mechanism for award of new contracts and subcontracts, defense firms should review it carefully, especially if their ownership structure currently includes or may soon include foreign entities. Moreover, any time a new rule (like this one) includes a requirement to represent the accuracy of statements to the federal government, contractors should ensure a fulsome compliance plan is in place with the organization to ensure that any foreign investment or business is known pre-transaction. That way, the FOCI implication can be considered prior to actual events or transactions necessitating an update to a contractor's SF328. This is especially important because the failure to comply with national security requirements of this sort can lead to contract terminations, suspension and/or debarment, and even civil or criminal enforcement under the False Claims Acts.
Finally, contractors and subcontractors should consider commenting on the proposed rule and monitor for updates regarding its development. DoD may provide more details in guidance or the final rule. For example, Section 847 is clear that the commercial item exemption applies not only to prime contractors, but also to subcontractors. Yet, the proposed rule requires "[e]nsur[ing] all subcontractors and suppliers that are subcontractors awarded subcontracts that exceed $5 million have an eligible status in" NISS (emphasis added), with no express statement that subcontracts for commercial items are exempt unless the designated senior DoD official determines otherwise.