DoW Proposed Rule Would Impose New FOCI Disclosure and Risk Mitigation Requirements on Thousands of Defense Contractors

By Edwin O. Childs, Patrick Rowan, Abram J. Pafford, Jack White, Jason M. Vespoli, John Sullivan & Sophie Marsh on May 27, 2026

On May 7, 2026, the Department of War (DoW) published a proposed rule that would dramatically expand the population of defense contractors that are required to disclose beneficial ownership and foreign ownership, control, or influence (FOCI) information to the Defense Counterintelligence and Security Agency (DCSA) and to mitigate identified FOCI risks. At present, DCSA addresses FOCI only when a contractor requires access to classified information in the performance of a classified contract. The proposed rule, which amends the Defense Federal Acquisition Regulation Supplement (DFARS), would require reporting and mitigation of FOCI for DoW contractors and subcontractors that seek to perform on unclassified non-commercial contracts, as well as certain unclassified commercial contracts. The proposed rule would apply to DoW contracts and subcontracts valued in excess of $5 million and implements provisions of the National Defense Authorization Acts (NDAAs) for Fiscal Years 2020 and 2021 and DoD Instruction 5205.87.

The comment period closes on July 6, 2026. If finalized, DoW estimates that, when offerors and subcontractors are taken into account, the rule would impact over 37,000 entities, of which approximately 57% are small businesses. This alert summarizes the key provisions of the proposed rule, analyzes the practical implications for federal contractors and subcontractors, and outlines recommended steps for compliance.

Key Takeaways

The proposed rule would create a new DFARS Part 240, “Information Security and Supply Chain Security,” establishing a comprehensive framework for FOCI disclosure and risk mitigation for covered DoW contractors and subcontractors.
Covered contractors and subcontractors must submit Standard Form (SF) 328, Certificate Pertaining to Foreign Interests, and beneficial ownership information to DCSA through the National Industrial Security System (NISS) and keep such disclosures current throughout contract performance.
If a contractor is determined to be under FOCI, it must implement risk mitigation strategies within 90 calendar days of contract award, modification, option exercise, or identification of risks during performance.
Contracting officers would be prohibited from awarding, modifying, or exercising options on contracts exceeding $5 million unless the contractor has an “eligible” status in NISS.
The proposed clause includes a flowdown requirement, obligating prime contractors to insert the substance of the clause in all subcontracts exceeding $5 million.

Practical Implications for Federal Contractors

The proposed rule would represent a significant expansion of DoW’s visibility into contractor ownership structures, particularly for contracts that do not involve access to classified information. While contractors holding facility security clearances are already subject to FOCI reporting under the National Industrial Security Program (NISP), this rule would extend similar disclosure obligations to a much broader population of DoW contractors. Based on recent data, the average number of unique entities that annually hold prime contracts to which the rule would apply is 3,774.

For contractors with foreign ownership, the rule introduces a hard deadline — 90 calendar days — to implement risk mitigation strategies, which could include board resolutions, proxy agreements, special security agreements, or other measures acceptable to DCSA. The 10-business-day response requirement after DCSA notification adds an additional urgency to monitoring NISS communications. Notably, the rule also creates a gating mechanism: contracting officers may not proceed with awards, modifications, or option exercises absent an “eligible” NISS status, meaning that a contractor’s failure to comply could result in loss of contract opportunities.

Background

The proposed rule implements paragraphs (b)(2)(A), (b)(2)(C), and (c)(1) of section 847 of the NDAA for FY 2020 (Pub. L. 116-92) and paragraph (c)(2) of section 819 of the NDAA for FY 2021 (Pub. L. 116-283). It also implements elements of DoD Instruction 5205.87, “Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors.” Section 847 requires covered contractors and subcontractors to disclose to DCSA their beneficial ownership and whether they are under FOCI, and if so, to disclose contact information for each foreign owner that is a beneficial owner. Section 819 requires that FOCI risks be mitigated for covered contracts and subcontracts.

According to DoW, the primary benefit of the rule is the “unprecedented level of visibility” it would provide into the ownership structures of offerors and contractors, particularly for contracts that do not involve access to classified information. DoW states that foreign adversaries have exploited gaps in ownership transparency to gain access to sensitive unclassified information, intellectual property, and critical technologies. The proposed rule would close that gap by mandating FOCI and beneficial ownership disclosures.

Applicability and Scope

The proposed rule would apply to DoW contracts and subcontracts valued above $5 million. The provision and clause would not apply to contracts at or below the Simplified Acquisition Threshold (SAT). For contracts involving commercial products — including commercially available off-the-shelf (COTS) items — and commercial services, the proposed rule would apply only if a designated senior DoW official determines that the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes. The identity of this designated senior DoW official has not yet been specified; the rule uses the term as a placeholder.

The rule defines a “covered contractor or subcontractor” at new DFARS section 240.27X-2. The definition of “foreign ownership, control, or influence” incorporates the existing definition at 32 CFR part 117.11, while “beneficial owner” is defined by reference to 17 CFR 240.13d-3. Meaning that contractor is under FOCI if a foreign interest has the power to direct its management or policies, or if a foreign interest holds a controlling interest, regardless of whether that power is exercised.

Key Provisions

New Solicitation Provision (DFARS 252.240-70XX). The rule proposes a new solicitation provision requiring offerors to submit their SF 328 and supporting documents — including contact information for each foreign owner that is a beneficial owner — to DCSA through NISS prior to award. By submitting an offer, an offeror would represent that its SF 328 information is current, accurate, and complete. DoW would be prohibited from awarding a contract exceeding $5 million unless the offeror has made the required disclosures and either (i) is determined not to have FOCI or beneficial ownership risk, or (ii) agrees to execute risk mitigation strategies within 90 calendar days of award.

New Contract Clause (DFARS 252.240-70YY). The proposed contract clause would impose ongoing obligations on contractors including: (1) disclosing to DCSA their beneficial ownership and FOCI status by submitting an updated SF 328 in NISS; (2) updating the SF 328 and supporting documents throughout the life of the contract whenever changes occur; (3) disclosing contact information for each foreign owner that is a beneficial owner; (4) agreeing to and implementing risk mitigation strategies identified in NISS within 90 calendar days; and (5) within 10 business days of being notified by DCSA of a risk, initiating a plan of action to implement DCSA’s recommendations.

NISS Eligibility Requirement. Contracting officers would be prohibited from awarding, modifying, or exercising an option on a contract exceeding $5 million unless the contractor has an “eligible” status in NISS or an exception applies. Prior to exercising any option, contracting officers must verify the contractor’s NISS status.

Subcontract Flowdown. The proposed clause requires contractors to insert the substance of the clause in all subcontracts and other contractual instruments that exceed $5 million, creating a cascading disclosure and mitigation requirement throughout the supply chain.

90-Day Risk Mitigation Timeline. Contractors determined to be under FOCI must implement risk mitigation strategies within 90 calendar days of contract award, option exercise, modification, or identification of risks during contract performance. If notified by DCSA that FOCI poses a national security risk, the contractor must initiate a plan of action within 10 business days.

Recommended Next Steps

Federal contractors, subcontractors, and prospective offerors should consider the following actions in anticipation of the proposed rule:

Assess FOCI Exposure. Conduct an internal review of corporate ownership structures to determine whether any foreign interests hold beneficial ownership positions or otherwise exercise control or influence over the entity.
Prepare SF 328 Filings. Ensure that the company’s SF 328, Certificate Pertaining to Foreign Interests, is current and accurate, and register in NISS if not already registered.
Evaluate Supply Chain Obligations. Prime contractors should assess their subcontractor base to identify subcontracts exceeding $5 million that would be subject to the flowdown requirement, and communicate anticipated obligations to affected subcontractors.
Develop Mitigation Plans. Contractors with known FOCI should begin developing risk mitigation strategies now to ensure they can meet the 90-day implementation deadline upon contract award or option exercise.
Submit Public Comments. Stakeholders should consider submitting comments to the docket (DARS-2026-0133) on or before July 6, 2026, particularly regarding the undefined “designated senior [DoW] official” for commercial product exceptions, the scope of the “covered contractor” definition, and the adequacy of the 90-day mitigation timeline.

For questions about this proposed rule and its implications for defense contracting, FOCI compliance, and national security procurement requirements, contact any of the authors or another member of the McGuireWoods government contracting team.

Special thanks to summer associate Zoe H. Lebovic who contributed to the alert. She is not licensed to practice law.