How to Prepare for a DCSA FOCI Review: What They Actually Look At

DCSA FOCI reviews are not surprise audits. They follow a defined process, request a predictable set of documents, and focus on a consistent set of compliance areas. Contractors who have been through the process — or who have worked with someone who has — can prepare for a DCSA review with confidence. Contractors who walk in cold, without understanding what DCSA is looking for, spend the review scrambling to produce documents they should have had ready before the first email arrived.

I've been on the contractor side of DCSA FOCI reviews multiple times across a 16-year tenure inside a FOCI-mitigated defense contractor. The reviews have a rhythm. The documents they want are predictable. The findings they generate are, with few exceptions, the same categories of issues every time. Here is what actually happens in a DCSA FOCI review, and how to be ready for it.

The Two Types of DCSA FOCI Review

Understanding which type of review you are facing determines what preparation looks like.

Initial FOCI determination reviews occur when a contractor first applies for a facility clearance (FCL) or when a contractor discloses FOCI on an SF 328 — either for the first time or following a corporate change that created a new FOCI condition. In an initial determination review, DCSA is trying to answer three questions: Does FOCI actually exist? What is the nature and degree of the FOCI? What mitigation instrument — if any — is appropriate to allow the contractor to hold an FCL?

Initial reviews are structured inquiries. DCSA will request documentation upfront, review it, and then typically conduct interviews with key personnel before issuing a FOCI determination. The timeline depends on the complexity of the ownership structure and the nature of the FOCI. A straightforward case with a single foreign parent and a clean SF 328 may move relatively quickly. A complex case involving layered PE ownership, multiple foreign LPs, and contractual rights spread across multiple agreements can take considerably longer.

Ongoing compliance reviews are conducted periodically for contractors with existing, executed mitigation agreements — Security Control Agreements, Special Security Agreements, proxy agreements, or voting trusts. These reviews verify that the contractor is in compliance with the terms of the mitigation agreement. Most mitigation agreements require annual reporting, and ongoing reviews typically coincide with that cycle or are triggered by a significant change event: a board composition change, an ownership change, a key management personnel change, or a material change to the company's foreign relationships.

The focus of ongoing reviews differs from initial reviews. DCSA is not re-determining whether FOCI exists — that's established. They are checking whether the contractor is living up to the mitigation agreement they signed.

What DCSA Wants to See

The document request list for a DCSA FOCI review is remarkably consistent across reviews. Having these documents current, organized, and readily accessible before a review is initiated is the single most effective preparation step a contractor can take.

The SF 328 and attachments. The Certificate Pertaining to Foreign Interests is the foundational document. DCSA will compare your current corporate structure against what the SF 328 says. Any gap between the two — a board member who joined after the last filing, a new investor not reflected, a change in the foreign parent's ownership percentage — is the starting point for questions. Keep your SF 328 current. File an amended SF 328 whenever a material change occurs. Do not wait for the annual review cycle to reflect a board change that happened eight months ago.

Corporate organizational charts. Current charts showing the full corporate structure: every subsidiary, every affiliate, and the ownership percentages at each level. DCSA traces ownership chains to identify all foreign interests. Charts that do not show the complete structure — that stop at the immediate parent without showing the parent's parent — create gaps that generate questions.

Board meeting minutes. Typically the most recent two to three years. DCSA reviews board minutes for several things: whether foreign nationals attended meetings (and whether their attendance was properly managed), whether there were discussions involving foreign-origin business that create influence concerns, whether board composition changes are accurately reflected in other documentation, and whether there is any evidence that the foreign parent or investor was exercising influence over decisions beyond what the mitigation agreement permits.

Board member biographical information. For every board member — including outside directors and government security committee members if applicable. DCSA wants to verify that board composition is as disclosed and that there are no undisclosed foreign connections among board members.

Foreign contact reports. Records of contacts with foreign governments or foreign-controlled entities, required under most mitigation agreements and under NISPOM for cleared contractors generally. Foreign contact reporting is one of the most commonly deficient areas in ongoing compliance reviews — not because companies have contacts they're hiding, but because they don't have a consistent process for identifying reportable contacts and getting them documented.

Beneficial ownership records. Cap tables, shareholder agreements, investor rights agreements, operating agreements for LLCs. DCSA needs to trace who actually owns what and what rights attach to that ownership. Investor rights agreements — which often contain information rights, approval rights, and anti-dilution provisions — are particularly important because they frequently contain the rights that constitute FOCI beyond simple ownership percentage.

Mitigation agreement and annual compliance documentation (for ongoing reviews). The executed agreement and the annual reports, certifications, and notifications required under it. DCSA will check whether annual reporting was submitted on time and whether it was complete and accurate.

The Most Common Findings

In my experience, the same categories of issues generate the majority of DCSA findings. Knowing what they are in advance means you can check for them before DCSA does.

Board composition issues. Foreign nationals or individuals with foreign connections on boards who were not disclosed on the SF 328, or whose roles changed after the last SF 328 update and the change wasn't reported. This is the most common finding in ongoing compliance reviews, and it is almost always a process failure rather than a deliberate concealment — companies simply don't have a mechanism that ties board changes to FOCI reporting obligations. The fix is a simple process: any board change triggers a FOCI compliance review and, if warranted, an SF 328 update.

Foreign national access. Key management personnel who are foreign nationals, or who have significant undisclosed foreign contacts, and whose positions give them access that conflicts with the mitigation agreement's requirements. The issue here is often a failure to apply the mitigation agreement's personnel security requirements consistently as staff changes occur. A mitigation agreement that restricts foreign national access to certain positions needs to be applied every time someone is promoted into or hired into those positions — not just reviewed annually.

Inadequate visitor logs and escort records. For contractors with mitigation agreements that restrict foreign national access to facilities, the agreement typically requires that foreign national visitors be escorted and logged. Visitor logs that are incomplete, not properly maintained, or that show foreign nationals in areas they should not have been in are a finding. This is an operational control that has to be embedded in daily facility management processes to be reliable.

Missing or late annual reporting. Under most mitigation agreements, contractors have specific annual reporting obligations — board composition certifications, foreign contact reports, material change notifications. Missing a reporting deadline, submitting incomplete reports, or failing to report a material change (a new foreign investor, a board change, a key management hire) within the required timeframe are findings that put the mitigation agreement itself at risk. Maintain a FOCI compliance calendar with all reporting deadlines and assign ownership to a specific person.

Conducting a Pre-Assessment Internal Review

Before a scheduled DCSA review — or proactively if you have reason to believe a review may be coming — conduct an internal pre-assessment against the same document set DCSA will request.

Start by pulling your current SF 328 and comparing it against your current corporate structure. Walk through every element: ownership percentages, board composition, key management personnel, foreign contracts, foreign financing. Any discrepancy between the SF 328 and the current reality is something you want to find and correct before DCSA finds it.

Pull board meeting minutes for the past two to three years and read them. Look for any attendance by foreign nationals. Look for any board discussions that reference foreign parent direction, foreign government contracts, or foreign investor preferences that go beyond what the mitigation agreement permits. Look for any board changes not reflected in other documentation.

Audit your foreign contact reports. Identify the universe of people at your company who would have reportable foreign contacts — business development, senior management, technical staff who attend international conferences. Verify that all required contacts have been reported and that the reporting is current.

Verify that all annual reporting under your mitigation agreement is current and complete. Pull the agreement, read the reporting obligations, and confirm that every required report has been submitted for every applicable period. If there are gaps, address them before DCSA asks about them.

Brief the people who will be interviewed — the FSO, key management personnel, board members who may be asked to speak with DCSA. They should be able to accurately describe their roles, their foreign contacts, and how the mitigation agreement works in practice. Inconsistencies between what interview subjects say and what the documents show are among the fastest ways to turn a routine review into a significant one.

What Happens When DCSA Finds a Problem

The outcome of a DCSA finding depends on the nature and severity of the issue, and critically on the contractor's response to it.

Minor findings — documentation gaps, reporting delays, administrative deficiencies — typically result in a corrective action request with a defined remediation timeline. DCSA identifies the issue, the contractor acknowledges it and commits to a remediation plan, and the plan is executed under DCSA oversight. These findings are manageable and do not typically put the facility clearance at risk if they are addressed promptly and in good faith.

Significant findings — undisclosed FOCI, material changes to ownership or control that were not reported, violations of the mitigation agreement's substantive requirements — carry more serious consequences. They can result in suspension of the facility clearance, referral to the Intelligence Community for counterintelligence review, and in extreme cases referral to law enforcement. At this level, the contractor needs outside legal counsel immediately.

The difference between a minor finding and a significant finding often comes down to two things: whether the issue appears to have been deliberate or negligent versus inadvertent, and whether the contractor was forthcoming when DCSA raised questions. Proactive disclosure — identifying an issue yourself and bringing it to DCSA before they find it — is always the better posture. DCSA's response to a contractor that discovers a reporting gap and proactively files a corrective SF 328 is meaningfully different from their response to a contractor where the gap is discovered during a review.

The overarching principle of FOCI compliance is the same as every other regulatory compliance framework: surprises are expensive. The contractors who do well in DCSA reviews are the ones who maintain their documentation, meet their reporting obligations, and treat FOCI compliance as an ongoing operational function rather than a periodic administrative exercise.