New DoD proposed rule would impose FOCI disclosure and mitigation obligations on unclassified contracts

On May 7, 2026, the US Department of Defense (“DoD,” also known as the “Department of War”) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (“DFARS”). The proposed rule aims to implement sections of the National Defense Authorization Act (“NDAA”) for Fiscal Years 2020 and 2021 relating to the mitigation of risks associated with beneficial ownership and foreign ownership, control or influence (“FOCI”). As detailed below, the proposed rule would introduce significant new disclosure and risk mitigation obligations for a broad range of defense contractors and subcontractors, including those holding unclassified government contracts. While the rule has not yet been finalized, the proposal signals DoD’s continued focus on securing the defense industrial base.

Significantly, the proposed rule would require covered contractors that hold unclassified contracts at the prime or subcontract level to disclose their beneficial ownership and FOCI status to the DoD’s Defense Counterintelligence and Security Agency (“DCSA”). It would also mandate contract clauses requiring  the effective mitigation of FOCI-related risks throughout contract performance. The proposed rule would apply to contracts and subcontracts with a value exceeding US$5 million.

At a high level, the proposed rule will amend the DFARS in the following ways:

• A new DFARS Part 240 on Information Security and Supply Chain Security will be created. The rule proposes establishing a new framework wherein contracting officers are prohibited from awarding a contract, modifying a contract or exercising an option unless the contractor has a status of “eligible” in its National Industrial Security System (“NISS”) account, available at https://niss.dcsa.mil, and under DCSA cognizance. The proposed rule lacks clarity on the steps an uncleared contractor must take to register in NISS, although these details may be disclosed in the relevant contract solicitation.
• A new solicitation provision will require pre-award FOCI disclosures. Contractors will be required to submit a completed Standard Form (“SF”) 328, Certificate Pertaining to Foreign Interests, to DCSA in NISS along with supporting documentation, such as the contact information of each beneficial owner. Contractors must represent, by submission of the offer, that the information provided is current, accurate, and complete. Importantly, if DCSA determines that FOCI or beneficial ownership poses a risk or a potential risk of compromise to national security, the contractor must agree at the time of the award to implement a risk mitigation strategy within 90 days of receiving the award. 
• The SF 328 form requires contractors to disclose detailed information about their ownership structure, including the identities of parent companies, investors, officers and board members, as well as any foreign financial interests—including revenues at certain thresholds and debt or other relationships—that could potentially compromise the contractor’s ability to safeguard information or perform on the underlying contract. 

DoD contracts will include a new contract clause that imposes ongoing FOCI disclosure and mitigation obligations during contract performance. Contractors will be required to:

1. Disclose their beneficial ownership and any FOCI by submitting and maintaining a current SF 328 and supporting documentation. Although the proposed rule does not clearly define “supporting documentation,” contractors should be prepared to provide DCSA with additional materials upon request, such as a complete ownership and control chart, a listing of all parent entities and the identities of all officers and board members including their countries of citizenship.
2. Implement risk mitigation strategies within 90 calendar days of contract award, option exercise, contract modification or the identification of FOCI-related risks during contract performance. It is important to note that contractors could be subject to multiple FOCI risk mitigation strategies given that such strategies could be contract specific.
3. Ensure that all contractors awarded contracts or subcontracts exceeding US$5 million maintain an “eligible” status in their respective NISS accounts prior to award and for the duration of performance.
4. Report any changes in FOCI or beneficial ownership during contract performance, including submitting an updated SF 328 in NISS. The contractor must also provide the foreign or beneficial owner’s name, relevant ownership details and any available information regarding risk mitigation actions to DCSA within three business days of making the initial notification. DCSA will provide the contractor with recommendations to address any new FOCI and the contractor must advise DCSA of its proposed plan of action to address the recommendations within 10 business days of receipt. 

The scope of risk mitigation strategies that may be required for unclassified contracts is unknown. The rule specifically creates a process under which contractors holding unclassified contracts may be subject to applicable FOCI risk mitigation strategies as determined by DCSA. While DCSA is expected to apply its FOCI mitigation toolbox based on the level of risk, it is likely that the mitigation required for uncleared contracts will differ from the mitigation applied to cleared entities under FOCI. 

Where designated, the rule may apply to commercial products and services, including Commercially Available Off-the-Shelf (“COTS”) items. Although the relevant regulations generally exempt commercial product  acquisition contracts and subcontracts, including those for COTS items, from FOCI coverage unless a written determination is made that it is in the best interest of DoD to apply the regulations to such contracts, the proposed rule suggests DoD has determined that FOCI risk is driven by the ownership of a company and not necessarily by the nature of what is being procured.  As such, DoD has indicated that it intends to apply the proposed rule to acquisitions of commercial products and services, including COTS items.

Businesses and defense contractors should closely monitor the rulemaking process and assess their FOCI exposure and readiness to (1) submit a SF 328 to DCSA and (2) where applicable implement DCSA-developed FOCI risk mitigation strategies within the proposed 90-day window. 
Companies are also encouraged to submit comments by July 6, 2026, particularly regarding the scope of coverage, the definition of “covered contractor” and the practicalities of the mitigation requirements.
 

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}