On May 7, 2026, the Department of Defense (“DoD”) issued a new proposed rule—Defense Federal Acquisition Regulation Supplement: Mitigating Risks Related to Foreign Ownership, Control, or Influence (“DFARS Case 2021-D011”)—seeking to amend the DFARS to mitigate risks related to beneficial ownership or foreign ownership, control, or influence (“FOCI”) (the “Proposed Rule”). For defense contractors and subcontractors, the Proposed Rule further implements disclosure obligations, eligibility requirements, and contract performance responsibilities relating to all manner of foreign investment.
New Requirements:
The Proposed Rule introduces a series of structural changes to the DFARS regulatory framework that will directly affect “covered” contractors and subcontractors. “Covered” contractors and subcontractors are “existing or prospective contractors or subcontractors, at any tier, of the DoD with a contract or subcontract valued above $5 million.” By introducing this rule, DoD aims to amend the DFARS by creating Part 240, Information Security and Supply Chain Security, within which DoD proposes to create section 240.27X, Mitigation of Risks Related to Beneficial Ownership or Foreign Ownership, Control, or Influence.[1]
Solicitation Provision
The Proposed Rule will require a new solicitation provision, DFARS 252.240-70XX, Disclosure of Beneficial Ownership or Foreign Ownership, Control, or Influence — Representation, which will require offerors to complete a Standard Form (“SF”) 328, Certificate Pertaining to Foreign Interests, and provide supporting documents for Defense Counterintelligence and Security Agency (“DCSA”) review in the National Industrial Security System (“NISS”). These obligations had typically been confined to contractors seeking or holding a facility clearance. Now, such obligations have been expanded to capture all contractors who currently possess or are competing for a contract or subcontract above $5 million—and in some circumstances, even includes contractors selling purely commercial products and services. This provision also puts offerors on notice that if the requiring activity determines, based on input from DCSA, that FOCI or beneficial ownership poses a risk or potential risk of compromise to national security that may be mitigated, the offeror must agree at the time of award to implement a risk mitigation strategy within 90 days of award. By submitting its offer, the offeror must represent that it has submitted the SF 328 and the contact information of each beneficial owner[2] in NISS, and that the information is current, accurate, and complete.
Contract Clause
Additionally, a new contract clause, DFARS 252.240-70YY, Disclosure of Beneficial Ownership or Foreign Ownership, Control, or Influence, requires contractors to: (1) disclose to DCSA their beneficial ownership and whether they are under FOCI by submitting an updated SF 328 in NISS; and (2) update the SF 328 and supporting documents, including the contact information of each beneficial owner in NISS.
The clause further imposes important downstream obligations:
- Contractors must implement risk mitigation strategies within 90 calendar days of contract award, option exercise, modification, or the identification of risks during contract performance.
- Contractors must ensure all subcontractors awarded subcontracts exceeding $5 million have an eligible status in NISS prior to subcontract award and maintain that eligible status for the duration of subcontract performance.
- If the contractor has any changes in FOCI or beneficial ownership during performance of the contract, or if the contractor is notified of such by a subcontractor at any tier or supplier, the contractor must report the changes by submitting an updated SF 328 in NISS.
DFARS 252.240-70YY also establishes tight timeframes for mid-performance reporting:
- Within 3 business days from the date of identification or notification of a change that may place the contractor or subcontractor under FOCI, the contractor must report the foreign owner’s or beneficial owner’s name, relevant information about that person, and any readily available information about risk mitigation actions undertaken or recommended.
- Within 10 business days of being notified by DCSA that FOCI or beneficial ownership poses a risk or potential risk of compromise to national security, the contractor must initiate a plan of action to implement DCSA’s recommendations, submit additional information, describe any risk mitigation efforts undertaken to date, and confirm in NISS that it will comply with the identified risk mitigation recommendations.
The new procedures direct government contracting officers not to award or modify a contract, or exercise an option unless the offeror or contractor has a status of eligible in the NISS, available at https://niss.dcsa.mil/.
Practical Impacts:
For those contractors who hold facility clearances, the requirement to complete and update the SF 328 already generally applies. But for contractors who have not sought or obtained a facility clearance, this will likely be a new process, and one that is fairly complicated.
Of course, there are aspects of the Proposed Rule that seem to exceed the existing obligations even on companies with facility clearances. For example, under the Proposed Rule, contractors are required to update the SF 328 when there are “any changes in FOCI or beneficial ownership” and must certify that the SF 328 is “current, accurate, and complete” on the date proposals are submitted. There is no limitation on what constitutes a “change” that must be reported. For example, it is not limited to “material” changes.
Further, for companies not currently under FOCI mitigation, the risk mitigation strategies have to be implemented within 90 days of contract award, contract modification, or option exercise. Typically, such risk mitigation plans are proposed by contractors and approved by DCSA in advance of implementation. This process often takes multiple months itself, so it is unclear whether contractors can comply with the 90-day obligation, unless DCSA approval of the risk mitigation plan is quickly forthcoming upon the identification of FOCI—a timeline and internal government process over which contractors have no control.
Commercial Products and Services Providers
The Proposed Rule does not automatically apply to commercial products and services, unless the designated senior DoD official[3] determines that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes. However, contractors should not read this exemption as a safe harbor as it is currently unknown what criteria will be used to determine whether the contract involves a risk or potential risk to national security because of sensitive data, systems, or processes.
Flowdown Requirements
Finally, prime contractors must insert the substance of the new clause, including the flow-down obligation itself, in subcontracts and other contractual instruments that exceed $5 million. This means prime contractors will bear responsibility for ensuring that their entire supply chain is compliant, representing a significant new supply chain management burden and one that could cause significant performance delays.
Timeline of Changes:
| Milestone | Date / Timeframe |
| Proposed Rule Published in Federal Register | May 7, 2026 |
| Public Comment Period Closes | July 6, 2026 [4] |
| Final Rule (anticipated) | To be determined following public comment review |
Key Takeaways for Defense Contractors:
Entities that hold or intend to pursue DoD contracts valued above $5 million should begin assessing NISS eligibility status, reviewing beneficial ownership and FOCI disclosure posture, and evaluating their supply chain for subcontractor compliance obligations. Engaging experienced government contracts counsel during the comment period is also advisable to ensure your organization’s interests are properly represented.
*Robert Mobley is a law clerk in the firm's Washington, D.C. office.
FOOTNOTES
[1] This will implement paragraphs (b)(2)(A), (b)(2)(C), and (c)(1) of section 847 of the NDAA for FY 2020, paragraph (c)(2) of section 819 of the NDAA for FY 2021, and elements of DoD Instruction 5205.87.
[2] “Beneficial Owner” is defined in 17 C.F.R. 240.13d-3, and includes “any person who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise has or shares: (1) Voting power which includes the power to vote, or to direct the voting of, such security; and/or, (2) Investment power which includes the power to dispose, or to direct the disposition of, such security.”
[3] The Proposed Rule states, “The term ‘designated senior DoD official’ is used in this proposed rule as a placeholder.”
[4] Comments on the proposed rule must be submitted in writing on or before July 6, 2026, to be considered in the formation of a final rule.