FOCI and Supply-Chain Disclosure Requirements Are Expanding Across DoD Contracting

Foreign ownership, control, or influence (FOCI) has traditionally been a “cleared contractor” issue: if a company needs a Facility Clearance (FCL) to perform classified work, it submits the Standard Form 328 (SF-328) to the Defense Counterintelligence and Security Agency (DCSA), discloses foreign ownership and other foreign interests, and—if applicable—implements mitigation (e.g., governance controls) as a condition of access to classified information. DCSA also expects cleared entities to report material ownership/foreign-interest changes during performance through established change-notification pathways. (DCSA)

Section 847 of the FY2020 National Defense Authorization Act (NDAA) is the inflection point. Congress directed DoD to strengthen how it identifies and mitigates foreign influence risks across the defense industrial base, including improved beneficial-ownership visibility and processes that can be operationalized through DFARS rulemaking and contract clauses. (GovInfo) The practical significance is that FOCI is no longer framed solely as a classified-information safeguard; it is increasingly treated as a broader supply-chain and industrial-security risk-management problem for covered DoD acquisitions, including unclassified efforts that may still implicate sensitive data, technology, or mission assurance.

Consistent with that direction, credible practitioner reporting indicates DoD is expected to propose (and then finalize) a DFARS rule that would require many offerors and subcontractors on DoD contracts above a stated dollar threshold (commonly described as $5 million, with exceptions) to disclose FOCI-related information during the bid/proposal phase—regardless of whether the bidder holds an FCL—and to update disclosures when ownership changes create new FOCI implications. If implemented as described, the compliance footprint expands from a comparatively small cleared universe to a much larger population of DoD performers; some commentary projects growth in the number of entities subject to FOCI-type review from roughly 2,000 to more than 40,000.

In parallel, DCSA’s updated SF-328—approved May 1, 2025—signals a tightening of expectations around the quality, completeness, and usability of foreign-interest disclosures. DCSA’s own announcement emphasizes clearer scoping, definitions, and expanded instructions intended to elicit the “right information” up front and reduce processing delays. (DCSA) Notably for transaction practice, the revised SF-328 ecosystem is increasingly discussed as reaching beyond cap table mapping into supply-chain visibility: contractors should expect more pointed questions and more demanding substantiation where foreign affiliations, foreign sourcing, or foreign touchpoints could present risk. (DCSA)

For government-contracts M&A, the combined effect is structural. Diligence can no longer treat FOCI as a specialized workstream triggered only by classified programs. Buyers, sellers, and investors should assume that ownership structure, investor rights, governance controls, and key supplier dependencies may become bid-stage issues that affect eligibility, evaluation risk, timing to award, and post-award change management. And because agencies may begin “pulling forward” these expectations before a uniform DFARS clause is fully implemented, deal teams should plan for earlier engagement among legal, security, compliance, and supply-chain stakeholders—especially where a transaction introduces foreign limited partners, foreign board influence, or offshore dependencies that could be construed as leverage over operations.

Disclaimer:
This article is for general informational purposes only and does not constitute legal advice. Proposed DFARS requirements may change before publication or implementation, and agency practice may vary by program. Contractors and deal teams should consult qualified counsel and, where appropriate, security and supply-chain experts for advice tailored to specific facts.