On May 7, 2026, the U.S. Department of Defense (DoD) published a proposed rule that would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to add foreign ownership, control or influence (FOCI) disclosure and risk mitigation requirements (the Proposed Rule) for unclassified DoD contracts consistent with directives imposed by Congress. If implemented, the rule would apply to unclassified DoD contracts and subcontracts with a value exceeding $5 million, requiring covered contractors and subcontractors to disclose beneficial ownership and foreign interest information and, where necessary, implement FOCI mitigation measures. Comments on the Proposed Rule are due July 6, 2026. If implemented as proposed, this rulemaking creates a significant new administrative burden associated with bidding on unclassified DoD contracts.

Key Takeaways

• New FOCI disclosure obligations for unclassified work. For the first time, contractors and subcontractors on unclassified DoD contracts above $5 million would be required to disclose beneficial ownership and FOCI status to DCSA, with ongoing update obligations for the life of the contract.
• NISS eligibility as a prerequisite to award. Contracting officers would be prohibited from awarding, modifying, or exercising an option on a covered contract unless the offeror or contractor has an “eligible” status in the NISS, a designation that would require DCSA to have reviewed the entity’s disclosures and determined that FOCI either does not exist or has been appropriately mitigated. This effectively makes FOCI disclosure a requirement for contract award.
• Mitigation implementation within 90 days. If DCSA identifies a FOCI risk, the contractor must agree to and implement an approved risk mitigation strategy within 90 calendar days of the triggering contract action.
• Subcontractor flowdown. Prime contractors must insert the substance of the new clause (DFARS 252.240-70YY) into all subcontracts exceeding $5 million, at any tier, and must verify and maintain subcontractor NISS eligibility throughout performance.
• Limited carve out for contracts for commercial products and services. Although acquisitions of commercial products and commercial services are generally not subject to these new disclosure requirements, that exemption is not absolute. The Proposed Rule will authorize a designated senior DoD official to override that exemption upon a written determination that the contract involves a risk or potential risk to national security because of sensitive data, systems or processes.

Background

FOCI disclosure and mitigation requirements have historically only been a material concern for purposes of obtaining and performing classified contracts that require an entity to hold a facility security clearance and have been governed by the National Industrial Security Program Operating Manual (NISPOM), codified at 32 C.F.R. Part 117. The NISPOM prescribes the policies, procedures and practices for safeguarding U.S. government classified information and preventing its unauthorized disclosure. Under this framework, FOCI procedures were established to mitigate the risks associated with foreign ownership, control or influence by ensuring that foreign persons cannot gain unauthorized access to classified information that a cleared company will have access to in the course of its performance of a classified contract.

Until now, however, contractors performing solely on unclassified contracts were not subject to the same disclosure requirements. The Proposed Rule is intended to close that gap, providing what the preamble describes as an “unprecedented level of visibility” into contractor ownership across both classified and unclassified work, which is intended to reduce the risk that foreign adversaries could gain access to sensitive, unclassified DoD information and potentially steal the intellectual property underlying DoD systems.

The Proposed Rule implements Section 847 of the National Defense Authorization Act for Fiscal Year 2020 and Section 819(c)(2) of the National Defense Authorization Act for Fiscal Year 2021. Those provisions directed DoD to obtain and assess FOCI and beneficial ownership information from existing and prospective contractors and subcontractors performing on certain DoD contracts valued above $5 million.

DoD previously took an intermediate implementation step in May 2024 with the issuance of DoD Instruction 5205.87, “Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors,” which established the institutional DoD policy and procedural framework for FOCI disclosure, assessment, and mitigation as required by Section 847. The Proposed Rule would implement these requirements in the DFARS through specific solicitation provisions and contract clauses applicable to covered contracts and subcontracts.

Key Proposed Changes

Scope. The Proposed Rule would apply to covered contractors and subcontractors, which is defined as those performing under contracts or subcontracts with a value exceeding $5 million that do not involve the acquisition of commercial products, including commercial off the shelf (COTS) items, unless a designated official determines that the contract involves a risk or potential risk to national security because of sensitive data, systems or processes.

Pre-Award Disclosure Obligations. A new solicitation provision (DFARS 252.240-70XX) would require offerors to submit a completed SF 328 (Certificate Pertaining to Foreign Interests) and supporting documents, including contact information for each foreign owner that is a beneficial owner, to the Defense Counterintelligence and Security Agency (DCSA) through the National Industrial Security System (NISS) for review prior to contract award. On contracts valued in excess of $5 million, contracting officers would be prohibited from awarding, modifying, or exercising an option unless the offeror or contractor has an “eligible” status in NISS, a designation that would reflect a DCSA determination that the entity does not present unmitigated FOCI concerns.

Ongoing Compliance Obligation. A new contract clause (DFARS 252.240-70YY) would impose continuing obligations during performance of the contract. Contractors would be required to update their beneficial ownership and FOCI disclosures to DCSA in NISS if the information previously provided changes.

Mitigation Measures. Where DCSA determines that FOCI or beneficial ownership presents a risk, the offeror or contractor must agree to execute and implement risk mitigation strategies identified by the requiring activity or program office within 90 calendar days of contract award, modification, option exercise, or identification of risk during performance. The Proposed Rule does not specify what types of mitigation will be required for unclassified contracts.

Commercial Products and Services. The Proposed Rule would generally exempt the acquisition of commercial products (including COTS items) and commercial services from the disclosure and mitigation requirements. However, the Proposed Rule anticipates that a designated senior DoD official (who has not yet been identified) may override the exemption upon a written determination that the contract involves a risk or potential risk to national security because of sensitive data, systems or processes. DoD explains in the preamble that FOCI risk is a function of company ownership, not necessarily the nature of what is being procured, making blanket commercial exemptions difficult to defend from a national security standpoint.

Subcontractor Flowdown. Prime contractors would be responsible for flowing down the new clause by inserting the substance of the new clause into all subcontracts and other contractual instruments that exceeded $5 million. Those contractors must also ensure that all subcontractors awarded subcontracts exceeding $5 million have an “eligible” status in NISS prior to subcontract award and maintain that status for the duration of subcontract performance. If a subcontractor at any tier reports changes in FOCI or beneficial ownership to the prime contractor, that prime must report those changes to DCSA by submitting an updated Standard Form (SF) 328 in NISS.

Implications

1. FOCI disclosure will be required for a broader segment of government contractors.

The Proposed Rule would require many companies that perform only unclassified DoD work to engage with FOCI disclosure requirements for the first time. For contractors that have not previously interacted with DCSA or NISS, the rule would introduce a new pre-award diligence and disclosure process that must be incorporated into capture planning, bid preparation and award timelines.

If implemented as proposed, NISS eligibility would become a prerequisite to award, and a contractor that submits a technically strong and competitively priced proposal could still be unable to receive an award if its FOCI submission has not been completed, reviewed and cleared. Companies pursuing covered DoD opportunities should therefore assess their NISS status, ownership structure, foreign investor base, governance rights, debt arrangements and other reportable foreign interest relationships well before proposal submission.

Because the Proposed Rule requires companies to certify representations about their ownership, inaccurate or incomplete information could expose companies to liability under the False Claims Act. Separately, disputes over DCSA’s eligibility determinations or a contracting officer’s verification could give rise to new bid protest theories at the Government Accountability Office or Court of Federal Claims.

Finally, if DCSA cannot keep pace with the volume of new disclosures—potentially tens of thousands of entities – during award, modification or extension of contracts, companies and contracting officers may face significant delays through no fault of their own.

2. Potential mitigation for unclassified work remains uncertain; however, contractors performing on unclassified contracts may be required to undertake significant mitigation-related restructuring as a pre-condition to contract award.

In the classified contracting environment, DCSA has an established framework for addressing FOCI risk through mitigation instruments and related compliance controls. Depending on the nature and degree of foreign ownership, control or influence, those measures may include board resolutions, security control agreements, special security agreements, proxy agreements, voting trust agreements, outside directors or proxy holders, government security committees, technology control plans, electronic communications plans, restrictions on foreign-person access and related reporting and oversight obligations. These measures can be costly, operationally intrusive, and time-intensive to negotiate and implement and may require significant corporate restructuring to accomplish.

The Proposed Rule will now require contractors performing unclassified DoD work to also potentially mitigate FOCI as a condition for contract award. Notably, the proposed rule does not specify the mitigation measures that a contractor would be required to implement in this novel unclassified context or explain how those measures would be calibrated to the realities that the information at issue is necessarily unclassified. It remains unclear whether DCSA would adapt mitigation measures it has developed for contractors working on classified programs or develop more tailored and less burdensome mitigation measures for the, albeit sensitive, but ultimately unclassified work.

3. Contractors providing commercial products and services may face new obligations if DoD views data, systems or processes as sensitive.

While acquisitions of commercial products and services are generally exempt, under the framework of the Proposed Rule, a designated senior DoD official would be authorized to apply the new disclosure and FOCI mitigation requirements to such contract upon a written determination that the contract involves a risk or potential risk to national security because of sensitive data, systems or processes. This framing introduces uncertainty for contractors who provide solely commercial products and services to DoD.

Conclusion

The Proposed Rule represents a materially significant expansion of FOCI oversight, extending disclosure, mitigation and supply-chain compliance requirements to the tens of thousands of contractors performing unclassified DoD work. For many companies, this will be their first encounter with DCSA, NISS and the SF 328 process. Companies that perform covered contracts and subcontracts should consider initiating FOCI exposure assessments, SF 328 submission preparations, ownership structures audit and building subcontractor flowdown processes. The comment deadline of July 6, 2026, also provides an important opportunity to shape the final rule. Contractors with significant concerns about the proposed changes in their current form are encouraged to submit comments to this proposed rule. Akin’s cross-practice platform is well situated to assist with companies seeking to submit comments or that may be ultimately subject to this rule to better understand and frame out necessary compliance procedures.