What the New DFARS FOCI Rule Means for 40,000 Defense Contractors

For the past several decades, FOCI — Foreign Ownership, Control, or Influence — has been primarily a concern for contractors with facility clearances: companies holding facility security clearances (FCLs) under the National Industrial Security Program. NISPOM governed the framework. DCSA ran the reviews. And contractors without cleared facilities mostly didn't need to think about it.

That changes with the May 7, 2025 DFARS proposed rule. For the first time, FOCI disclosure requirements are being extended to unclassified defense contracts over $5 million. Contractors that have never had a facility clearance, never filed an SF 328, and never engaged with DCSA on FOCI matters may now find themselves subject to mandatory disclosure — and potentially mandatory mitigation — simply because of who owns equity in their company.

I've spent 16 years inside a FOCI-mitigated defense contractor. I've run DCSA FOCI reviews, managed SF 328 filings, and navigated mitigation agreement cycles from both sides of the table. This rule is significant. Here is what it actually says and what you need to do before your next contract action.

What the Rule Actually Says

The proposed DFARS rule would add a new clause — anticipated as DFARS 252.204-XXXX — requiring contractors to disclose FOCI if they hold or are awarded unclassified DoD contracts valued above $5 million. The disclosure mechanism is the SF 328, the same Certificate Pertaining to Foreign Interests that classified contractors have been filing for decades.

The rule requires disclosure when a contractor has a foreign nexus — meaning foreign ownership at or above the presumptive 25% threshold, foreign nationals in key management positions, foreign-controlled financing, or other indicators of potential foreign influence. Contractors meeting disclosure thresholds are required to submit the SF 328 to DCSA, which will then make a FOCI determination.

If DCSA determines that FOCI exists, the contractor must execute a mitigation agreement — a Security Control Agreement (SCA), Special Security Agreement (SSA), proxy agreement, or voting trust, depending on the ownership structure and the nature of the FOCI.

The comment period closes July 6, 2025. This is a proposed rule, not a final rule — but the direction of travel is clear, and the administrative history behind it is substantial. Contractors should treat this as a near-certainty and begin preparation now rather than waiting for finalization.

Which Contracts Are Covered

The $5 million threshold covers the total contract value, including options. This is not a per-year figure. A three-year contract at $2 million per year is a $6 million contract and would fall under the rule.

The "unclassified" scope is broader than many contractors realize. This rule is not limited to contractors working on sensitive or restricted programs. It applies to any DoD contract above the threshold — logistics support, IT services, professional services, facilities maintenance, training support. The unifying factor is the dollar threshold and the DoD customer, not the sensitivity of the work being performed.

Contract vehicles covered include prime contracts, certain subcontracts, and task orders above the threshold. If you are a subcontractor on a large prime receiving your own direct subcontract above $5 million, the proposed rule would apply to you. Multi-award IDIQ vehicles where individual task orders are below $5 million but the total ceiling is above it — that determination will depend on the specific rule language as finalized.

What is explicitly not covered: contracts for commercial items under FAR Part 12 (in most cases), contracts with small businesses below the threshold, and contracts with state and local governments. Sole source awards and competitive awards are treated the same — the trigger is the contract value and the presence of FOCI, not the award mechanism.

The 90-Day Mitigation Clock

Once DCSA makes a FOCI determination — meaning they've reviewed your SF 328 and concluded that foreign ownership, control, or influence exists — a 90-day clock starts for negotiating and executing a mitigation agreement.

Ninety days sounds like a lot of time. It is not.

A mitigation agreement is a negotiated instrument between DCSA, the contractor, and in many cases the foreign parent or investor. The type of agreement depends on the nature and degree of FOCI. A Security Control Agreement is the lightest instrument — typically used when a foreign parent exists but the work is not particularly sensitive and the relationship can be managed through operational controls. An SSA is more demanding: it requires an outside board member structure, Government Security Committee oversight, and DCSA participation in certain board functions. A proxy agreement or voting trust is the most restrictive — effectively placing control of the company in the hands of U.S. persons approved by DCSA.

Each of these instruments requires outside legal counsel experienced in FOCI matters, DCSA negotiation, and in many cases investor or board-level approval. For a company that has never engaged with this process before, 90 days from DCSA's determination to executed agreement is genuinely tight. If you wait until DCSA comes to you, you are already behind.

What "Foreign Ownership, Control, or Influence" Actually Means

FOCI is not limited to majority foreign ownership. Many contractors will be surprised to discover they have a FOCI issue because they're thinking about ownership in terms of voting stock and ignoring the other three vectors.

Ownership: A foreign person or entity owning 25% or more of a contractor's voting securities creates a presumption of FOCI. But even below 25%, other factors can establish FOCI. Ownership includes direct ownership and indirect ownership through intermediate entities.

Control: Foreign nationals on the board of directors, voting rights held by foreign persons, contractual rights giving a foreign entity effective control over business decisions. A foreign investor with a minority stake but a board seat and certain protective provisions may still constitute FOCI under a totality-of-circumstances analysis.

Influence: Foreign financing arrangements — loans, credit facilities, or financial instruments where a foreign entity holds leverage. Contracts with foreign governments that create financial dependence. Foreign parent company approval requirements for certain business decisions. Influence is the most fact-specific vector and the one most often missed in early FOCI analyses.

Access: Key management personnel who are foreign nationals or who have foreign government connections. Senior technical staff with access to sensitive information who owe allegiance or obligation to a foreign government.

The private equity dimension deserves special attention. Many mid-sized defense contractors have PE backing. PE funds routinely have foreign limited partners — sovereign wealth funds, foreign pension funds, foreign family offices. If those LPs represent a meaningful economic interest and the PE fund has governance rights in the portfolio company, the analysis becomes complicated quickly. The question isn't just "is there a foreign LP" — it's whether the totality of the LP's economic interest, combined with the fund's governance rights over the contractor, constitutes FOCI. This analysis needs to happen before the next contract action, not after DCSA raises the question.

What Contractors Should Do Right Now

The rule is proposed, not final — but the preparation steps are the same regardless of when it finalizes. If you wait for the final rule to start your ownership analysis, you will be reacting to a timeline DCSA controls, not one you control.

1. Conduct a full ownership structure audit. Trace every investor, LP interest, board member, and foreign contract relationship. This means going to the cap table, the LP agreements, the board composition documents, and any investor rights agreements. If your company has been through M&A activity, trace the predecessor structures as well. Document the analysis in writing.
2. Review your existing DoD contracts for the $5 million threshold. Pull your contract portfolio. Identify every DoD prime contract and significant subcontract. Calculate total contract value including options. Identify which contracts have upcoming option exercises or modifications.
3. Identify your next upcoming contract action. An option exercise, a contract modification, a new award — any of these is a potential trigger. If you have an option exercise scheduled in the next six months, that is your near-term risk event. Understand when it will happen.
4. Engage outside FOCI-experienced counsel before the next contract action. Not after. FOCI counsel needs to review your ownership structure, advise on disclosure obligations, and help you understand your risk posture before DCSA is involved. There are relatively few law firms with genuine FOCI experience — find one that has actually negotiated mitigation agreements with DCSA, not one that has read the NISPOM chapter on FOCI.
5. Engage a FOCI advisor to assess your risk and prepare SF 328 documentation. Legal counsel handles the corporate structure side. A FOCI-experienced technical advisor handles the disclosure preparation, DCSA interface, and mitigation agreement navigation. These are different skill sets and you need both.

The comment period closes July 6, 2025. Whether the final rule arrives in late 2025 or early 2026, the direction is set. The contractors who respond well to this rule will be the ones who started their ownership analysis before DCSA came to them with questions.