The Department of Defense (“DoD”) released a proposed rule on May 7, 2026, that would significantly expand Foreign Ownership, Control, and Influence (“FOCI”) and beneficial ownership disclosure requirements beyond cleared contractors to a much broader segment of the Defense Industrial Base. Soon, any contractor or subcontractor with a DoD contract exceeding five million dollars will need to report its FOCI status in the National Industrial Security System (“NISS”).
Who Is Covered Under the Proposed Rule
The proposed rule would apply to any existing or prospective contractor or subcontractor, at any tier, holding a DoD contract valued in excess of five million dollars—regardless of whether classified information is involved. The reporting and review framework will be established under a new DFARS Part 240, “Information Security and Supply Chain Security.” The DoD does not mince words. The rule is designed to provide an “unprecedented level of visibility” into the ownership structures of its partners and to prevent foreign adversaries from accessing sensitive unclassified information and critical technologies.
What the Rule Requires
The proposed rule has five primary components.
- Initial Disclosure Obligations. Before contract award, offerors must submit a Standard Form (“SF”) 328, Certificate Pertaining to Foreign Interests, and supporting documents in the Defense Counterintelligence and Security Agency’s (“DCSA”) NISS, including the contact information for each foreign owner that is a beneficial owner. By submitting an offer, the offeror represents that this information is current, accurate, and complete.
- Eligibility as a Condition for Award and Continued Performance. A contracting officer cannot award, modify, or exercise an option on any contract valued in excess of five million dollars unless the contractor has an “eligible” status in NISS. A lapse in status could jeopardize eligibility on active contracts.
- Ongoing Reporting Duties. Contractors must update and verify their SF-328 in NISS prior to any modification or renewal, or whenever previously disclosed information changes. If a change may place the contractor under FOCI, it must report the foreign or beneficial owner’s name and relevant details within three business days. If DCSA determines that the FOCI presents a risk to national security, the contractor has 10 business days from the date it is notified to start a plan of action and confirm in NISS that it will follow the recommended mitigation steps.
- The 90-Day Mitigation Clock. Where DCSA determines that FOCI poses a mitigable risk, the contractor must implement any DCSA-imposed mitigation strategies within 90 calendar days of award, option exercise, modification, or identification of the risk. These strategies—board resolutions, proxy agreements, or other structural changes—are often complex and time-consuming to negotiate.
- Subcontractor Flow-Down. Prime contractors must ensure that all subcontractors with subcontracts exceeding five million dollars have an eligible NISS status before subcontract award and maintain it throughout performance. The substance of the FOCI clause must be flowed down into those subcontracts.
When the Rule Reaches Commercial Contracts
The rule generally does not apply to commercial products and services, but a “designated senior DoD official” (not yet identified) can mandate these disclosures for commercial contracts involving sensitive data, systems, or processes. Given the current focus on software supply chain security, we expect this exception to be invoked frequently for tech-heavy acquisitions.
Conclusion and Next Steps
This proposed rule fits squarely within the DoD’s broader strategy to counter threats from strategic competitors. For many non-cleared contractors, this will be their first interaction with DCSA and NISS. Contractors should begin reviewing their ownership structures against the questions in the SF-328, evaluate which subcontractors exceed the five-million-dollar threshold, and begin researching the NISS registration process.