DoD Proposes Sweeping FOCI Disclosure Rule for Defense Contractors
The DoD has proposed a rule expanding FOCI disclosure and mitigation requirements for contractors.
Why it matters: Defense contractors and their legal teams face broader compliance obligations, even for unclassified work, as DoD seeks to close gaps exploited by foreign adversaries. The proposal impacts contract eligibility, risk management, and business operations across the defense supply chain.
- Proposed rule covers all contractors and subcontractors with DoD contracts over $5 million.
- Nearly 40,000 entities, 57% of them small businesses, may be affected.
- Covered firms must submit SF 328 and detailed foreign ownership info to DCSA via NISS.
- Contractors must implement mitigation measures within 90 days if determined to be under FOCI.
- Exemptions exist for commercial contracts unless deemed a national security risk by DoD.
The Department of Defense (DoD) released a proposed rule on May 7, 2026, seeking to expand foreign ownership, control, or influence (FOCI) disclosure obligations for defense contractors and subcontractors. This move implements National Defense Authorization Act requirements for fiscal years 2020 and 2021, aiming to protect national security by overseeing beneficial ownership beyond classified work.
- The rule applies to both existing and prospective contractors at any tier with DoD contracts over $5 million, broadening the scope from previous rules, which largely targeted holders of classified contracts.
- Impact will be significant: nearly 40,000 entities may fall under the new regime, with approximately 57% counted as small businesses.
- Under the proposal, affected companies must file Standard Form (SF) 328, Certificate Pertaining to Foreign Interests, and provide direct contact data for each foreign beneficial owner via the Defense Counterintelligence and Security Agency’s (DCSA) National Industrial Security System.
- Those determined to be under FOCI must complete required mitigation steps within 90 days following a contract award, modification, or option exercise.
- Commercial product and service contracts are exempt—unless a designated senior DoD official finds national security or sensitive data risks, though the rule leaves key terms and processes undefined.
The DoD emphasizes the “unprecedented level of visibility” this rule would bring into contractor ownership structures, especially for contracts not involving classified information. The intent is to close loopholes that allow foreign adversaries access to sensitive but unclassified technologies and data.
Comments on the proposed rule are due by July 6, 2026. Legal advisors and defense contractors should review their ownership profiles and prepare to address potential FOCI findings and compliance gaps as the rule moves toward finalization.
By the numbers:
- 40,000 — Estimated number of affected entities under the new rule
- 57% — Proportion of affected entities that are small businesses
- $5 million — Contract minimum for the rule’s applicability
- 90 days — Time allowed for FOCI mitigation measures after contract action
Yes, but: The proposed rule lacks clarity on definitions of 'risk to national security' and specific mitigation requirements, creating uncertainty for contractors.
What's next: Comments are due by July 6, 2026; contractors should monitor for updates following the comment period.