On May 7, 2026, the Department of Defense (Department of War)https://www.whitehouse.gov/presidential-actions/2025/09/restoring-the-united-states-department-of-war/. issued a proposed Defense Federal Acquisition Regulation Supplement (DFARS) rule that would (i) require prime contractors and subcontractors on most awards above $5 million to disclose beneficial ownership and foreign ownership, control, or influence (FOCI) information through the Defense Counterintelligence and Security Agency’s (DCSA’s) National Industrial Security System (NISS); (ii) maintain those disclosures throughout performance; and (iii) implement FOCI mitigation measures within 90 days where risks are identified, with an exceptions framework for commercial products and services based on a senior DOD risk determination.
The proposed DFARS rule is subject to public comments, which are due by July 6, 2026. Current and prospective DOD contractors and subcontractors, as well as investors or prospective investors in DOD contractors and subcontractors, may want to review the rule and consider submitting comments.
Section 847 of the FY 2020 National Defense Authorization Act (NDAA) mandates that covered contractors and subcontractors disclose to DCSA their beneficial ownership and whether they are under FOCI. Further, when covered entities submit a changed condition update, DCSA must re-assess whether the covered entity is subject to FOCI.
The proposed DFARS rule was issued as DFARS Case 2021-D011 and operationalizes requirements in Section 847 and Section 819 of the FY 2021 NDAA, codifies aspects of DOD Instruction 5205.87, and introduces a new DFARS framework for pre-award eligibility, disclosure, mitigation, and flowdown across the defense supply chain.
Beneficial ownership, in the context of Section 847, “identifies the true individuals or entities who ultimately own or control a business, even if through indirect means, to assess potential foreign influence,” helping DOD “mitigate security risks and ensure foreign entities cannot compromise sensitive defense operations or classified information.”https://www.dcsa.mil/Section847/. The requirement represents “an expansion of existing FOCI vetting requirements to pre-award contract activities and unclassified contracts.”Id.
Historically, FOCI oversight was centered on contractors performing “cleared” work on classified programs or with classified information subject to the National Industrial Security Program Operating Manual (NISPOM), 32 C.F.R. part 117. Section 847 and the proposed DFARS rule would extend FOCI oversight to many “uncleared” contractors. DCSA describes this effort as part of a “collective whole of government effort to resist and deter adversaries vying for advantages” and emphasizes that “NDAA, Section 847 serves as a vital tool in minimizing national security risks associated with foreign influence in the defense sector.”Id.
The proposed DFARS rule follows the May 13, 2024, DOD publication of Instruction 5205.87, which established the internal policy framework for implementing Section 847, mandating detailed assessments of beneficial ownership to detect FOCI issues early in the contracting process and ensuring DOD can establish necessary mitigation measures before awarding contracts or defense research grants. The instruction assigns responsibility to DCSA for conducting case reviews of beneficial ownership and delivering FOCI assessments and risk mitigation strategies.
By tying the proposed DFARS rule’s disclosure and eligibility conditions to the Standard Form (SF) 328, Certificate Pertaining to Foreign Interests, and NISS disclosure requirements, DOD is effectively harmonizing uncleared covered contracts with long-standing industrial security disclosure standards, while adapting the assessment to contract-specific risk profiles. The Office of the Director of National Intelligence has reported that “foreign threat actors are using the complex ownership structures of private equity and venture capital firms to acquire access, and often legal and financial rights, to sensitive assets from unknowing startups, early-stage growth companies, and their investors,” underscoring the urgency of expanded beneficial ownership transparency.https://www.dni.gov/files/NCSC/documents/products/FINALSafeguardingOurInnovationBulletin.pdf.
The proposed DFARS rule adopts the NISPOM’s conceptual definition of FOCI and its multi-factor approach to assessing foreign influence, but applies it contract-by-contract in the unclassified space, with the contracting officer as the mitigation decision-maker — a structural difference from enterprise-level mitigation for cleared companies.
The proposed solicitation provision DFARS 252.240-70XX requires an offeror seeking a covered contract to submit the SF 328 and supporting documentation in NISS for DCSA review, including contact information for each beneficial owner where applicable, and to represent that the disclosures are current, accurate, and complete. If, based on DCSA input, the program office or requiring activity determines that FOCI or beneficial ownership presents a risk that may be mitigated, the offeror must agree at award to implement the mitigation within 90 days of contract award.
The contract clause DFARS 252.240-70YY defines “beneficial owner” by reference to SEC Rule 13d-3 and aligns FOCI with the NISPOM framework, while providing a DOD-specific “foreign interest” definition. Under the clause, a contractor is “under FOCI” if a foreign interest has the power, directly or indirectly, whether exercised or not, to “(i) direct or decide matters affecting the management or operations of that company in a manner that may result in a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes; or (ii) otherwise control or influence the business or management of the Contractor in a manner that could adversely affect its ability to perform the contract or subcontract.”
Under the clause, contractors must (i) agree to the identified mitigation at award, option exercise, or modification, or upon post-award risk identification; (ii) implement mitigation within 90 days; (iii) complete, update, and verify the SF 328 and supporting materials in NISS prior to modification or renewal or when changes occur; and (iv) ensure subcontractors above $5 million achieve and maintain NISS eligibility throughout performance.
During performance, contractors must submit an updated SF 328 to report any changes in FOCI or beneficial ownership. If a change may place the contractor or a subcontractor under FOCI, they must report the foreign or beneficial owner’s name, relevant information, and any readily available risk mitigation details within three business days, and initiate a plan of action within 10 business days after DCSA notifies the contractor that risk exists, confirming compliance with the recommended mitigation. The clause must be flowed down in substance to all subcontracts and other contractual instruments exceeding $5 million.
The rule would not apply to commercial products or services absent a written determination by a designated senior DOD official that the contract involves a risk or potential risk to national security due to sensitive data, systems, or processes — such as personally identifiable information, cybersecurity, or national security systems. However, that senior DOD official has not yet been designated.
The scale of the expansion of FOCI review is striking. DCSA currently processes approximately 2,000 FOCI cases annually in the cleared-company context. Under the proposed DFARS rule, the estimated annual workload expands to around 41,000 cases encompassing both cleared and uncleared companies. DCSA’s existing entity vetting timelines for cleared companies are contingent upon contractual requirements with a 120-day goal (not in statute), whereas Section 847 imposes a pre-contract award vetting requirement within 25 working days. DCSA’s estimates suggest the rule would add security requirements for up to $200 billion worth of acquisitions that currently do not require FOCI vetting.
Several material questions remain open. The designated senior DOD official for commercial item determinations has not been named. The scope of mitigation that may be required for purely unclassified work remains unspecified, and while standard FOCI mitigation measures that currently apply to cleared contractors will likely also apply in some cases to uncleared contractors, alternative mitigation mechanisms are also likely to be developed for less sensitive cases. Additional procedures are expected in the Procedures, Guidance, and Information (PGI) companion to DFARS.
Several key differences distinguish the proposed DFARS rule from traditional DCSA FOCI mitigation:
Contract capture and award gating will change as NISS eligibility and SF 328 submission move earlier in the process, requiring offerors to complete beneficial ownership diligence and filings pre-award and to maintain eligibility checks at option exercises and modifications. Confirmation of US ownership or approved FOCI mitigation will be a requirement to do business, and disclosures will need to be updated with any change of control or other change in information previously disclosed.
Primes will need to integrate subcontractor NISS eligibility verification into source selection and subcontract award processes and ensure flowdown compliance for entities above $5 million throughout performance.
Given the aggressive 90-day mitigation window, contractors should pre-plan feasible governance and operational mitigations keyed to their ownership structures and risk profiles. The most common mechanisms for mitigating significant FOCI under existing FOCI procedures for cleared companies are the Special Security Agreement and the Proxy Agreement, while less significant FOCI can be mitigated through a Security Control Agreement or a Special Board Resolution. For companies with 100% foreign ownership on unclassified work, governance-oriented measures such as board resolutions, independent US directors, cybersecurity plans, and annual audits and reporting may be appropriate. DCSA may decide to leverage a commitment letter and interim measures to permit contract award while governance and operational mitigations are negotiated.
Ownership transparency will require readiness to produce SF 328-caliber information, including comprehensive beneficial ownership charts, aggregation of 5% or greater foreign holdings across affiliated entities, details of foreign outsourcing relationships, and disclosure of foreign debt obligations or bankruptcy exposure. Private equity sponsors and other investors should anticipate enhanced diligence on governance, oversight rights, and sovereign or non-US limited partner participation, particularly where portfolio companies seek defense work implicating sensitive data, systems, or processes.
Defense technology and national security startups should prioritize foreign influence considerations in all capital-raising activities, including early discussion with potential investors and legal input on the likelihood that anticipated investments may subject the company to burdensome mitigation measures. Companies should assume that DOD customers will require disclosure of all 5% or greater equity holders and all managers, directors, or officers, including the citizenship and foreign connections of each such person.
M&A and financing transactions involving covered contractors should account for DFARS 252.240-70YY compliance at signing and closing, including pre-award SF 328 submissions, NISS eligibility, and post-closing change reporting and mitigation plans capable of meeting the 90-day deadline if DCSA or the contracting activity requires mitigation. Importantly, the FOCI review and potential mitigation requirements can also apply to existing contracts if the performing contractor or subcontractor reports changes to its beneficial ownership during the term, meaning that mid-performance acquisitions or recapitalizations may trigger new assessments and mitigation obligations.
Investors in the defense sector should anticipate broader diligence into foreign sources of funding at the fund and portfolio level, including non-US organizational structures, to support timely and accurate beneficial ownership disclosures. In the defense technology space, investors should expect portfolio companies to probe more deeply into the origins of their capital — particularly with respect to limited partners and entities formed in non-US jurisdictions for tax purposes. Where a target is pursuing classified work, investors may want to seek confirmation of the target’s baseline familiarity with security clearance obligations as a required component of their investment diligence.
Companies unable to mitigate FOCI risks adequately face significant consequences, such as potential denial of contracts or grants with financial implications, increased operational costs from assessments and potential restructuring, and competitive disadvantage compared to those that can assure DOD of their independence from foreign influence. Where parties anticipate a change in beneficial ownership triggering notice — with ownership directly or indirectly of 5% or more by a foreign person as the pre-existing reporting threshold — they should understand the risk of potential FOCI or other mitigation requirements and how mitigation could impact the business.