Foreign Ownership Rules May Soon Reach Thousands of Uncleared Defense Contractors

A proposed DoD rule would carry foreign-ownership disclosure out of the classified world and into ordinary defense contracting — potentially reaching tens of thousands of companies that have never filed an SF-328 or thought of themselves as part of the industrial-security framework. On May 7, 2026, the Department of Defense published DFARS Case 2021-D011, a proposed rule that would extend foreign ownership, control, or influence disclosure requirements to any DoD contract or subcontract valued above $5 million — classified or not. DoD's own estimates put the affected population at roughly 37,740 entities, approximately 57 percent of them small businesses. The public comment period closes July 6, 2026.

A Familiar Concept, an Unfamiliar Reach

If you have followed our guide to standing up a cleared government contracting company, you already know FOCI as a facility-clearance problem: a company seeking access to classified information discloses its foreign ties, and DCSA decides whether those ties can be mitigated. For most of its history, that is exactly where FOCI lived — inside the world of classified work, governed by the National Industrial Security Program Operating Manual (NISPOM), codified at 32 C.F.R. Part 117.

DoD's newly proposed rule would redraw that line. It would carry FOCI disclosure out of the classified context and into ordinary, unclassified contracting — reaching tens of thousands of companies that have never filed an SF-328 and may never have considered themselves part of the industrial-security framework at all. This article explains what the proposed rule would do, who it would touch, and what a prudent contractor might do now, while emphasizing that the rule is proposed, not final.

What FOCI Has Meant Until Now

Foreign ownership, control, or influence is the framework the government uses to decide whether a company's foreign relationships pose an unacceptable risk to classified programs. Under the NISPOM, a contractor seeking or holding a facility security clearance completes the SF-328, Certificate Pertaining to Foreign Interests, and DCSA assesses whether foreign ownership, foreign financing, foreign-national directors, or similar factors place the company under FOCI. Where FOCI exists and cannot be mitigated, a facility clearance cannot be granted.

Two features of that legacy system matter here. First, it was triggered by access to classified information, not by contract dollar value. Second, it operated largely as a one-time gate at the clearance stage, with updates as circumstances changed. The proposed rule keeps the FOCI concept but detaches it from both of those anchors.

What the Proposed Rule Would Actually Do

The proposal would implement Section 847 of the FY 2020 National Defense Authorization Act (Pub. L. 116-92) and Section 819 of the FY 2021 NDAA (Pub. L. 116-283), together with elements of DoD Instruction 5205.87 (May 13, 2024). Mechanically, it would create a new DFARS Part 240, Information Security and Supply Chain Security, and a new section 240.27X governing beneficial-ownership and FOCI mitigation.

It would operate through two new contract instruments:

• A solicitation provision (DFARS 252.240-70XX) — a representation. By submitting an offer, the offeror would represent that it has filed a current SF-328 in NISS, along with contact information for each foreign beneficial owner, and — if aware of FOCI — would agree to accept risk-mitigation measures as a condition of award.
• A contract clause (DFARS 252.240-70YY) — an ongoing disclosure obligation. During performance, the contractor would keep its SF-328 and beneficial-ownership information current and report changes on a defined timeline.

The keystone is what practitioners are calling the eligibility gate: a contracting officer generally could not award a covered contract, exercise an option, or issue a modification unless the contractor holds an "eligible" status in NISS. In other words, ownership disclosure would become a precondition to doing the business, not a consequence of holding a clearance.

It is worth stating plainly what this is not. The proposed rule does not create a facility clearance requirement for uncleared contractors. Rather, it creates a procurement eligibility requirement tied to foreign ownership disclosure and DCSA review. A covered contractor would not be "getting a clearance"; it would be establishing NISS eligibility as a condition of award. This is procurement law operating through the industrial-security apparatus, not a new clearance regime.

Who Would Be Covered

The proposed threshold is any existing or prospective DoD contract or subcontract — at any tier — valued in excess of $5 million. DoD's own regulatory impact analysis estimates this would capture approximately 37,740 entities, of which approximately 57 percent (about 21,000) are small businesses. Published analyses project that the change would expand DCSA's annual FOCI caseload from roughly 2,000 cases to an estimated 41,000, dramatically enlarging the agency's workload and reach.

The proposal generally excludes commercial products and commercial services from its primary coverage, while preserving authority for a "designated senior DoD official" — a term the rule itself flags as a placeholder — to require compliance in certain national-security circumstances. That exclusion is not absolute: where the official determines a commercial-item contract involves a risk to national security because of sensitive data, systems, or processes, the carve-back may not apply. Contractors who believe they fall within the commercial exception should not treat it as a guaranteed safe harbor without reviewing the specific contract context.

The Mechanics: SF-328, Beneficial Ownership, and the Compliance Clock

The Form and the Filing System

Disclosure would run through the familiar SF-328 (OMB Control No. 0704-0579), submitted to DCSA via NISS. NISS already serves as DCSA's portal for industrial-security matters involving cleared contractors; the proposal would dramatically expand its use to defense contractors that have never previously interacted with the system. For contractors already inside the cleared world, this foreign ownership disclosure is well-trodden ground. For the much larger population of uncleared contractors suddenly within scope, the SF-328 and NISS registration represent new compliance infrastructure that takes time to establish — another reason early attention pays off.

Who Counts as a Beneficial Owner

The proposal draws its definition of "beneficial owner" from the securities-law standard at 17 C.F.R. § 240.13d-3 — broadly, a person who directly or indirectly holds or shares voting power or investment power over the company. Notably, the proposal incorporates this existing securities-law definition rather than creating a unique DFARS definition of beneficial ownership — a drafting choice procurement counsel will recognize as importing a substantial body of settled interpretation. Foreign ownership at the 5%-or-more level has been the preexisting reporting reference point, and minority and indirect interests can qualify under the standard.

The Deadlines

During performance, the proposed clause would impose a defined cadence if a contractor identifies (or is notified by a subcontractor of) a change that may place it under FOCI:

• Within 3 business days — report the foreign or beneficial owner's name, relevant information about that owner, and any readily available information on mitigation actions taken or recommended.
• Within 10 business days of being notified by DCSA that the FOCI or beneficial ownership poses a risk — initiate a plan of action to implement DCSA's recommendations, submit additional information, and confirm in NISS that the contractor will comply.
• Within 90 calendar days of award, option exercise, modification, or identification of a risk during performance — implement the required risk-mitigation strategy.

Why This Matters — Strategically

For affected companies, the practical consequence is that ownership structure becomes a contracting issue rather than a back-office one. Three implications stand out.

First, transactions. Mergers, acquisitions, recapitalizations, and financings involving covered contractors would need to account for FOCI compliance at signing and closing — pre-award SF-328 submissions, NISS eligibility, and post-closing change reporting. A mid-performance change in beneficial ownership could trigger a fresh assessment and new mitigation obligations on a 90-day clock.

Second, the subcontract flow-down. Because the rule reaches subcontractors at any tier, prime contractors would be expected to police their supply chains — and sophisticated primes are likely to begin requesting SF-328 information and confirming NISS eligibility as a condition of subcontract award well before any final rule takes effect. A small subcontractor's ownership facts could become a gating item for work it has not yet bid.

Third, timing. The contractors most exposed are those who learn of the requirement at the moment of award, when there is no longer time to assemble disclosures or design mitigation. The contractors best positioned are those who map their exposure in advance.

What Remains Uncertain

It bears emphasis that this is a proposed rule. It has not been finalized, and several of its most consequential features — the $5 million threshold, the absence of a flow-down tier cutoff, the 90-day mitigation window, the precise scope of the commercial-item carve-back, and the identity and authority of the "designated senior DoD official" — could change before a final rule issues. The proposal does not establish an effective date for the obligations it describes; those would be set in the final rule and applied through the contract clauses when included in solicitations.

Comments are due July 6, 2026. A contractor that believes the proposal would impose disproportionate burdens — small businesses and allied foreign-owned firms among them — retains the opportunity to say so on the record, and DFARS rulemaking has been shaped by industry comment before.

Frequently Asked Questions

Does this apply to me if I don't hold a facility clearance?

Under the proposal, potentially yes. The defining feature of the rule is that it would decouple FOCI disclosure from classified access. The trigger would be a covered DoD contract or subcontract above $5 million at any tier, regardless of whether classified information is involved.

What is the SF-328?

The SF-328 is the Certificate Pertaining to Foreign Interests, a standard government questionnaire used to evaluate whether a company has foreign ties relevant to FOCI. It would be filed with DCSA through the National Industrial Security System (NISS).

What counts as a "beneficial owner"?

The proposal uses the securities-law definition at 17 C.F.R. § 240.13d-3 — generally, a person who directly or indirectly holds or shares voting or investment power over the company. Foreign ownership at the 5%-or-more level has been the preexisting reporting reference point. Minority and indirect interests can qualify.

What happens if DCSA determines I'm under FOCI?

The proposal would give the contractor a defined window — 10 business days to initiate a plan of action after DCSA notice, and 90 calendar days from the relevant contract action or risk identification to implement a mitigation strategy. The specific mitigation measures would depend on the nature and degree of the foreign interest. For context on how FOCI mitigation has historically worked in the cleared world, see our guide to obtaining a Facility Clearance.

Can I still bid while my NISS status is pending?

The proposal's eligibility gate would generally prohibit a contracting officer from awarding, modifying, or exercising an option on a covered contract unless the contractor holds an "eligible" status in NISS or an exception applies. As a practical matter, that makes establishing eligibility a precondition to award rather than a step that can be deferred.

Does this affect my existing contracts?

Not immediately. The proposal would apply only after a final rule becomes effective and the applicable DFARS provisions are included in solicitations or contracts. Existing contracts generally would not become subject to the new requirements unless and until they are modified to incorporate the new clauses. The practical exposure for current work tends to arise at the next option exercise or modification.

How We Can Help

My office advises defense contractors and their counsel on FOCI-related matters — including reviewing corporate structure and ownership for FOCI exposure, preparing for SF-328 submissions, assessing the impact of proposed transactions on NISS eligibility, and advising subcontractors on flow-down obligations. As a DCSA-certified Facility Security Officer for possessing facilities and an Insider Threat Program Senior Official with a 26-year background in federal security and intelligence community operations, I understand both the regulatory mechanics and the practical realities of how DCSA reviews these matters. Where key personnel at a covered company also hold individual security clearances, a FOCI determination at the facility level can cascade into their personal clearance status — an additional dimension of the risk that is worth mapping before the eligibility gate is triggered.

For companies mapping their exposure before a final rule issues, a consultation now costs far less than a missed eligibility gate at contract award. If your company holds or is pursuing DoD contracts above $5 million and has any foreign ownership, foreign investors, or foreign-national directors or officers, this is the time to understand where you stand. Schedule a consultation to discuss your specific ownership facts and what the proposed rule would mean for your contracting pipeline.