On May 7, 2026, the U.S. Department of Defense (DoD) published a proposed rule (the Proposed Rule) that would, for the first time, require companies performing unclassified work for DoD to disclose whether they are subject to foreign ownership, control, or influence (FOCI), a screening process that historically has been required primarily for contractors with access to classified information.[1] DoD estimates that the Proposed Rule would affect an estimated 37,740 contractors and subcontractors. The Proposed Rule would implement statutory mandates under the National Defense Authorization Acts (NDAAs) for Fiscal Years 2020 and 2021, as well as elements of a 2024 DoD policy instruction on FOCI risk mitigation.[2] Comments on the Proposed Rule are due on July 6, 2026.
Overview of the Framework
The Proposed Rule would apply to any existing or prospective DoD contractor or subcontractor, at any tier, on a contract valued in excess of $5 million. The Proposed Rule would establish a disclosure-and-mitigation framework spanning the full lifecycle of a covered contract, from solicitation through performance, by adding new solicitation and contract-clause requirements to the Defense Federal Acquisition Regulation Supplement (DFARS).
At the solicitation stage, offerors would be required to submit a Standard Form 328 Certificate Pertaining to Foreign Interests (SF 328), a government questionnaire used to evaluate whether a company has ties to foreign entities, along with supporting documents and beneficial owner contact information, to the Defense Counterintelligence and Security Agency (DCSA) through a government platform called the National Industrial Security System (NISS). By submitting an offer, the offeror would represent that it has filed this information and that it is current, accurate, and complete. Contracting officers would be prohibited from awarding, modifying, or exercising an option on a covered contract unless the contractor has obtained an eligible status in NISS, effectively creating an eligibility gate that would need to be satisfied before any contract action proceeds.
During contract performance, the Proposed Rule would require contractors to keep their SF 328 and beneficial ownership information current, updating it prior to any contract modification or renewal, or whenever changes occur to previously provided information. If a contractor identifies changes in FOCI or beneficial ownership, or is notified of such changes by a subcontractor at any tier, it would be required to report the changes within 3 business days, including the foreign or beneficial owner’s name and any readily available risk mitigation information. If DCSA determines that the FOCI or beneficial ownership poses a risk, the contractor would then have 10 business days to initiate a plan of action, submit additional information, describe risk mitigation efforts, and confirm compliance.
Where DCSA identifies a risk that may be mitigated, the contractor would be required to implement risk mitigation strategies within 90 calendar days of award, option exercise, modification, or identification of risks during performance. The contractor also would be required to ensure that all subcontractors on subcontracts exceeding $5 million have obtained an eligible status in NISS before the subcontract is awarded and that they maintain that status for the duration of performance. Importantly, the proposed clause would also need to be included in subcontracts exceeding $5 million, meaning that subcontractors, not just prime contractors, would be subject to these same disclosure and mitigation obligations.
Application to Commercial Products and Services
Under federal procurement law, “commercial products” and “commercial services” (broadly, items and services that are customarily sold or offered for sale to the general public, as defined in the Federal Acquisition Regulation) are typically subject to fewer regulatory requirements. Consistent with that general framework, the Proposed Rule would not automatically apply to contracts for commercial products and services. Instead, the Proposed Rule would apply to such contracts only if a senior DoD official determines that the contract involves a risk or potential risk to national security because of sensitive data, systems, or processes.
However, DoD has signaled that it intends to use this authority broadly. In the preamble to the Proposed Rule, DoD reasons that because FOCI risk is inherent to the ownership of the company itself, rather than to what is being procured, a blanket exception for commercial products and services would undermine the NDAAs’ purpose. DoD states that an exception for contracts for the acquisition of commercial services and commercial products, including commercially available off-the-shelf (COTS) items, would “exclude the contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.” Accordingly, DoD intends to exercise its authority to extend the Proposed Rule’s disclosure and mitigation requirements to the acquisition of commercial products, including COTS, and to commercial services. As a practical matter, this means that commercial contractors selling to DoD should consider themselves potentially in scope.
Key Considerations
The Proposed Rule raises several practical questions for companies doing business with DoD:
- Agency Capacity and Timing Risk. DCSA would need to review SF 328 submissions and assess FOCI risk for an estimated 37,740 contractors and subcontractors that have not previously been subject to its oversight. Because a contractor would need to obtain NISS eligibility before a contract can be awarded, any delays in DCSA’s review process could ripple through the procurement timeline. Companies competing for time-sensitive awards should consider engaging with DCSA early, rather than waiting for a solicitation to be issued.
- Uncertainty for Commercial Contractors. As noted above, the Proposed Rule would not automatically apply to contracts for commercial products and services, but DoD has signaled its intent to apply it broadly. The Proposed Rule does not describe the criteria or procedures that would govern these national security risk determinations, or whether affected companies would receive notice or an opportunity to respond. Until the final rule or subsequent guidance provides clarity, commercial contractors selling to DoD should not assume they fall outside the scope of the Proposed Rule’s requirements and may wish to begin assessing their FOCI exposure now.
- Cost of Compliance. For companies under FOCI that may need to adopt significant governance changes, such as board restructuring, proxy agreements, or special security arrangements, within the 90-day compliance window, these costs likely would fall on the contractor as a cost of doing business with DoD. The Proposed Rule does not provide a mechanism for cost recovery, and contractors should factor potential compliance costs into their pricing and planning, particularly if FOCI risk could emerge or change during contract performance.
- Overlap with Existing Security Clearance Requirements. Companies that already hold facility security clearances to work on classified programs are already subject to FOCI screening and mitigation requirements under a separate regulatory framework known as the National Industrial Security Program Operating Manual Rule (NISPOM Rule) (32 CFR Part 117). The Proposed Rule states that it “does not duplicate, overlap, or conflict with any other Federal rules,” but the practical interaction between the two regimes is not fully addressed. For example, it is not clear whether a company that has already implemented FOCI mitigation measures under the NISPOM Rule for its classified work would need to undergo a separate assessment and implement additional or different mitigation for its unclassified contracts. Companies subject to both regimes should monitor the rulemaking for guidance on how these obligations will be harmonized.
- Private Equity and Complex Ownership Structures. The Proposed Rule’s disclosure requirements may present particular challenges for companies backed by private equity funds, sovereign wealth funds, or other investment structures involving layers of foreign beneficial ownership. The Proposed Rule defines “beneficial owner” by reference to SEC regulations, which capture any person who, directly or indirectly, has or shares voting or investment power over a company’s equity securities.[3] For portfolio companies with complex capitalization tables or passive foreign limited partners, identifying and reporting every beneficial owner, and updating that information within 3 business days of any change, may require new internal tracking processes and coordination with investors.
***
Cleary’s foreign investment and national security team is monitoring the rulemaking and is available to assist clients in evaluating their FOCI exposure, preparing for the proposed requirements, and submitting comments during the comment period.
[1] Defense Federal Acquisition Regulation Supplement: Mitigating Risks Related to Foreign Ownership, Control, or Influence (DFARS Case 2021-D011), 91 Fed. Reg. 24783 (May 7, 2026).
[2] Mitigating Risk Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors, DoD Instruction 5205.87 (May 13, 2024).
[3] See 91 Fed. Reg. 24788 (citing 17 C.F.R. § 240.13d-3) (defining “beneficial owner”).