The Defense Acquisition Regulations System has issued a significant proposed rule that would dramatically expand disclosure and compliance obligations for defense contractors and subcontractors regarding beneficial ownership and foreign ownership, control, or influence (FOCI). The proposed amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) implement key provisions of the National Defense Authorization Acts (NDAAs) for Fiscal Years 2020 and 2021 and reflect the Department of Defense’s broader push to secure the defense industrial base from foreign adversarial influence.
If finalized, the rule would create extensive new reporting, certification, and risk-mitigation obligations for contractors performing DoD contracts valued above $5 million — including, in some circumstances, contractors providing commercial products and commercial services.
Comments on the proposed rule are due by July 6, 2026.
The Rule’s Core Objective: Increased Visibility into Foreign Influence and Beneficial Ownership
The proposed DFARS rule is designed to operationalize Section 847 of the FY 2020 NDAA and Section 819 of the FY 2021 NDAA. At its core, the rule seeks to provide DoD with unprecedented visibility into the ownership structures and foreign influence risks associated with companies performing defense contracts. Historically, many DoD contractors that did not require access to classified information operated outside the traditional industrial security review process. According to DoD, foreign adversaries have exploited this gap to gain access to sensitive technologies, intellectual property, and supply chain information through indirect ownership interests and foreign influence arrangements. The proposed rule attempts to close that gap by requiring covered contractors and subcontractors to disclose beneficial ownership information and identify whether they are subject to FOCI.
New DFARS Part 240 and Section 240.27X
The proposal would create an entirely new DFARS Part 240 titled “Information Security and Supply Chain Security.” Within that new part, DoD proposes DFARS Section 240.27X, “Mitigation of Risks Related to Beneficial Ownership or Foreign Ownership, Control, or Influence.” The new framework would establish disclosure obligations related to beneficial ownership and FOCI; ongoing reporting requirements throughout contract performance; mandatory risk mitigation obligations; new solicitation representations and contract clauses; and new award eligibility requirements tied to contractor status in the National Industrial Security System (NISS). The rule would apply to “covered contractors or subcontractors,” a newly defined term that would identify the entities subject to the disclosure and mitigation requirements.
Mandatory Disclosures Through NISS
A centerpiece of the proposal is the requirement that contractors submit disclosure information through the Defense Counterintelligence and Security Agency’s NISS. The proposed solicitation provision at DFARS 252.240-70XX would require offerors to submit a Standard Form 328 (Certificate Pertaining to Foreign Interests); provide supporting documentation in NISS; disclose contact information for beneficial owners; and certify that the submitted information is current, accurate, and complete. The proposal also would require contractors to update this information throughout the life of the contract whenever ownership or FOCI-related circumstances change. Notably, contractors determined to pose a potential national security risk based on FOCI or beneficial ownership concerns may be required to implement a formal risk mitigation strategy within 90 days of contract award.
NISS Eligibility Becomes a Gatekeeper for Award and Options
One of the most consequential aspects of the proposed rule is its linkage between contractor eligibility and NISS status. Under proposed DFARS 240.27X-4, contracting officers would be prohibited from awarding contracts, modifying contracts, or exercising options unless the contractor has an “eligible” status in NISS. This requirement could create significant operational and timing implications for contractors, particularly those unfamiliar with the DCSA review process or those with complex ownership structures involving foreign investment. Contractors should anticipate increased scrutiny during pre-award responsibility determinations and option exercises.
Commercial Contractors Are Not Exempt
Although the rule would not apply to contracts at or below the simplified acquisition threshold, DoD expressly intends for the requirements to reach commercial item contractors — including providers of commercially available off-the-shelf (COTS) products — in certain circumstances. Specifically, the rule would apply to commercial products and commercial services when a designated senior DoD official determines that a procurement presents a national security risk due to sensitive data, systems, or processes. DoD’s justification is notable. The agency argues that excluding commercial contractors would undermine the very purpose of the statute because FOCI risks are tied to ownership structures rather than the nature of the goods or services being procured. This reflects DoD’s increasingly expansive view of supply chain security and suggests continued growth in national security-driven compliance requirements across traditionally commercial procurements.
Significant Compliance Burdens Expected
DoD estimates that approximately 37,740 entities could ultimately be impacted by the proposed rule, including more than 21,000 small businesses. The rule would impose several ongoing compliance obligations, including initial beneficial ownership and FOCI disclosures; continuous updates during contract performance; additional disclosures tied to contract modifications and option exercises; and certifications tied to proposal submissions.
Although DoD states that some reporting burdens are already captured through existing Office of Management and Budget information collections, contractors should expect meaningful administrative, legal, and compliance costs associated with implementing the new framework. For companies with foreign investors, private equity ownership, layered subsidiaries, or international affiliates, the burden could be particularly substantial.
A Broader National Security and Supply Chain Security Initiative
The proposed rule is part of a much larger federal effort to strengthen supply chain security and counter foreign adversarial influence within critical industries. DoD explicitly ties the rule to broader executive branch initiatives, including Executive Order 14017, which directed a government-wide effort to strengthen supply chain resilience, and Executive Order 14028, which focused heavily on software and cybersecurity supply chain security. The proposal also underscores DoD’s view that foreign ownership visibility is now a foundational national security issue — not merely a classified contracting concern.
Key Takeaways for Government Contractors
Government contractors — particularly those operating in the defense, technology, aerospace, cybersecurity, and advanced manufacturing sectors — should pay close attention to this rulemaking.
If finalized, the rule could require contractors to reevaluate ownership and investment structures; enhance internal beneficial ownership tracking mechanisms; prepare for ongoing DCSA reporting obligations; develop FOCI mitigation plans; and integrate NISS compliance into bid and contract administration processes.
Contractors with foreign investment or multinational ownership structures should begin assessing potential vulnerabilities now, particularly given the proposal’s emphasis on continuous disclosure and ongoing mitigation obligations.
The proposed rule also signals that DoD intends to continue integrating national security considerations directly into procurement eligibility and contractor responsibility determinations — even for commercial acquisitions that historically operated outside the traditional industrial security framework.
For many federal contractors, FOCI-related disclosure obligations may soon rank among the most consequential compliance requirements they face.