DOD Proposes Expanding FOCI Requirements to Cover Unclassified Contracts
What: On May 7, 2026, the Department of Defense/War (DoD) published a proposed rule that would extend, beyond classified contracts, the scope of Foreign Ownership, Control, or Influence (FOCI) requirements. The proposed rule, projected to impact as many as 37,740 contractors and subcontractors, would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the FOCI and beneficial ownership disclosure and mitigation requirements of Section 847 of the FY2020 National Defense Authorization Act (NDAA) (discussed in our previous alert here) and Section 819 of the FY2021 NDAA. The proposed rule also implements elements of DoD Instruction 5205.87, Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors – which DoD issued in May 2024, as reported here. These NDAA requirements and accompanying Instruction greatly expand the universe of contractors that must disclose foreign ownership information and potentially implement risk mitigation measures that traditionally have been limited to contractors performing classified contracts.
The proposed rule is a significant first step in the long-awaited DFARS implementation of the Section 847 framework. It would create a new DFARS Part 240, Information Security and Supply Chain Security, and add a new solicitation provision (DFARS 252.240-70XX) and contract clause (DFARS 252.240-70YY) implementing the procurement, performance-period, and subcontract-level requirements of Section 847. The proposed rule would apply these requirements to DoD contracts and subcontracts at any tier valued over $5 million. It would exempt contracts for commercial products and services, however, including commercially available off-the-shelf items, unless a “designated senior DoD official” determines that a particular contract involves a risk or potential risk to national security because of sensitive data, systems, or processes. Comments on the proposed rule are due July 6, 2026.
What it means for industry: The proposed rule would operate through three mechanisms.
First, the new solicitation clause at DFARS 252.240-70XX would require that, by submission of an offer, offerors are representing that they have already submitted in the National Industrial Security System (NISS) the Standard Form (SF) 328 and contact information for each beneficial foreign owner and that the information is current, accurate, and complete. The provision also would put offerors with FOCI on notice that if the requiring activity, relying on the assessment of the Defense Counterintelligence and Security Agency (DCSA), determines that FOCI or beneficial foreign ownership poses a risk, the offeror may be subject to and must agree to a risk mitigation strategy at award.
Second, the contract clause at DFARS 252.240-70YY would impose four obligations on contractors during performance. Contractors would have to: (1) agree to and implement any risk mitigation strategies identified by DCSA within 90 calendar days of the relevant contract action (which includes award, option exercise, modification, or post-award identification of risk); (2) update their SF 328 in NISS before any contract modification or renewal and whenever the underlying FOCI information changes; (3) flow the substance of the clause down to covered subcontractors at any tier; and (4) report changes in FOCI or beneficial ownership during performance of the contract, with three- and ten-business day deadlines applying when a change may place the contractor or a subcontractor under FOCI.
Third, a new procedural requirement at DFARS 240.27X-4 and a conforming amendment to DFARS 217.207 would prohibit contracting officers from awarding, modifying, or exercising an option on a covered contract unless the offeror or contractor has an “eligible” NISS status. NISS eligibility would therefore operate as a gate not only at award, but also at each subsequent contract action.
Contractors should note several timing features in the proposed contract clause DFARS 252.240-70YY. The 90-day mitigation deadline would reset after each triggering contract action, including post-award identification of risk during performance. Thus, a contractor that clears DCSA review at award could face a fresh clock if circumstances change later. In addition, the SF 328 would have to be updated in NISS before any modification or renewal, which means the contractor’s disclosure obligations would continue through contract performance. Finally, the subcontractor flowdown would require the prime to confirm subcontractor NISS eligibility before subcontract award and throughout performance.
DoD estimates the proposed rule would bring approximately 37,740 entities within the scope of FOCI review obligations, including roughly 21,511 small businesses. DoD further projects that 9,435 contractors would need to update disclosures during performance and that 1,887 would be affected by the requirement to refresh disclosures before option exercise or modification. Many of these entities do not have NISS accounts or familiarity with DCSA processes.
The commercial item exemption also warrants scrutiny. Although the proposed rule states that it does not apply to contracts for commercial products or services, the exemption’s practical reach is unclear. The proposed rule does not identify the “senior DoD official” who would make the risk determinations to apply the solicitation or contract clauses to procurements and contracts for commercial products or services, articulate the criteria DoD would apply, or describe the procedure for issuing and communicating a determination. The proposed rule acknowledges that DoD currently does not know how many exclusively commercial contract awards would be subject to a determination, and assumes, for the purposes of cost estimation, that no exclusively commercial awards would be subject to the proposed rule’s requirements.
Other open questions include the timing of a risk determination relative to solicitation and award; whether determinations would be made on a contract-by-contract, program, or other basis; whether determinations would be subject to revision or rescission; whether commercial offerors would receive notice that a determination is under consideration; and whether or by what process contractors could appeal a determination. Until the final rule or subsequent guidance resolves these open questions, commercial offerors should not treat the exemption as resolving their FOCI compliance obligations.
Wiley’s Government Contracts and National Security practices are continuing to monitor this rulemaking and are ready to assist clients in navigating these changes.
