From initial disclosure through executed mitigation agreement — with 16+ years of lived experience in FOCI-mitigated environments.
On May 7, 2025, the Department of Defense published a proposed rule that would extend Foreign Ownership, Control, or Influence requirements to unclassified contracts over $5 million. Until now, FOCI compliance was effectively the domain of contractors with facility clearances — companies operating in the classified space who had been through the DCSA disclosure and mitigation process. That is no longer the case. The proposed rule would bring an estimated 40,000 additional contractors into the FOCI framework, most of whom have never filed an SF 328, never engaged DCSA, and have no existing compliance infrastructure to stand up against a 90-day mitigation deadline.
The mechanism that will catch most companies off-guard is what counts as a "contract action." Under the proposed rule, it isn't just new awards that trigger the timeline. Option exercises and contract modifications — routine administrative events that companies process dozens of times per year — count as contract actions that can start the 90-day mitigation clock. A company that has been operating under a foreign parent for a decade with no FOCI implications may find itself in a mitigation timeline the moment a contracting officer exercises the next option on an existing $6M contract.
The four vectors that constitute FOCI are ownership, control, influence, and access. Ownership is the most obvious — a foreign-incorporated parent or foreign-national shareholders. Control is more subtle: the ability of a foreign person to direct or decide the policies of the U.S. company, whether through board composition, contractual rights, or management structure. Influence encompasses foreign-national employees in sensitive positions, joint ventures with foreign entities, or technology licensing arrangements that give a foreign party leverage. Access refers to foreign nationals with the ability to obtain classified or sensitive information through their role in the company.
What makes the current environment particularly urgent is the scope of beneficial ownership disclosure now required under the SF 328. The form demands transparency into the entire ownership chain — every entity with 5% or more beneficial interest, every board member, every officer with access to controlled information. Companies that were acquired by private equity funds with foreign limited partners, companies with foreign-national executives, companies whose parent corporation has a foreign-incorporated holding entity — all of these structures require disclosure and analysis before a contract action triggers the clock.
From initial ownership structure review through executed mitigation agreement — every phase of the FOCI process, managed by an advisor who has navigated it from the inside.
Ownership structure review, DFARS applicability analysis, and foreign nexus identification. Written findings with a clear risk rating and prioritized next steps.
Accurate, complete beneficial ownership disclosure with supporting corporate structure documentation. Avoiding SF 328 errors is critical — DCSA uses the form as the basis for its FOCI determination.
Managing the interaction from initial disclosure through the FOCI determination. What to disclose, when, and how — with direct experience on the contractor side of DCSA engagements.
SSA, proxy agreement, or voting trust — the right instrument depends on ownership structure and DCSA's risk determination. We have navigated all three, including agreement drafting and execution support.
Corporate structure review identifying all foreign interests requiring SF 328 disclosure — including PE fund structures, foreign-national board members, and foreign-incorporated holding entities.
Continuous compliance monitoring through the mitigation lifecycle. Contract action reviews before execution, annual recertification support, and SSA maintenance obligation management.
Every FOCI engagement follows a defined process, with clear deliverables at each phase and direct continuity from assessment through execution.
Ownership structure audit, DFARS applicability determination, and FOCI vector identification across ownership, control, influence, and access. Includes a review of all relevant corporate documents — articles of incorporation, shareholder agreements, board composition, and any existing government agreements. Deliverable: written findings and FOCI risk rating.
Mitigation pathway recommendation based on ownership structure and risk assessment — SSA vs. proxy agreement vs. voting trust. Includes a DCSA engagement plan, SF 328 preparation strategy, and the documentation framework required for the chosen mitigation instrument. Legal counsel referral provided if not already engaged. Deliverable: FOCI mitigation strategy document.
DCSA interface support through the mitigation determination and agreement execution. Ongoing advisory through DCSA negotiation of agreement terms, internal compliance policy development under the executed agreement, and transition to steady-state FOCI compliance operations. Deliverable: executed mitigation agreement and compliance program documentation.
Ownership structure review, DFARS applicability analysis, SF 328 preparation guidance, written findings report.
Full SSA/proxy/voting trust strategy, DCSA engagement support, and mitigation documentation package.
Continuous compliance monitoring, contract action reviews, and annual recertification support.
All engagements begin with an introductory call to assess scope and fit. Schedule a call →
Does the DFARS proposed rule affect my existing contracts?
Yes — option exercises and modifications on existing contracts count as contract actions that trigger the 90-day mitigation timeline under the proposed rule. If your contract is over $5M and involves a foreign nexus, the next modification or option exercise could start the clock. Many companies are already in this situation without realizing it. The time to conduct an ownership structure review is before that contract action, not after.
What's the difference between an SSA, proxy agreement, and voting trust?
A Security Control Agreement (SSA) is the lightest-touch mitigation instrument. It restricts the foreign parent's access to classified information and sensitive business data while allowing normal business operations to continue. An SSA is appropriate when the foreign interest is primarily ownership-based and the actual control and influence vectors are manageable. A proxy agreement goes further — it places voting control with U.S.-citizen proxy holders, effectively insulating day-to-day governance from foreign direction. A voting trust is the most restrictive instrument: legal title to shares is transferred to U.S. trustees, with the foreign shareholders retaining economic interests but no governance rights. The appropriate instrument is determined by DCSA based on the degree of foreign control and the sensitivity of the contracts involved. We have navigated all three.
How long does DCSA FOCI mitigation typically take?
Timeline depends heavily on the complexity of your ownership structure and the mitigation instrument required. SSAs, once DCSA accepts the SF 328 and opens the case, can move in 3–6 months for straightforward structures. Proxy agreements and voting trusts involve legal restructuring of the corporate governance framework — typically 6–18 months, sometimes longer for complex PE-backed structures with multiple foreign limited partners. The 90-day clock in the proposed rule is the deadline to have an agreement executed, not just in negotiation — which makes early engagement essential.
Do I need a lawyer or just a consultant?
Both, typically. Our role is the technical and operational FOCI compliance piece: the SF 328 preparation, DCSA engagement strategy, mitigation pathway recommendation, and compliance documentation. Legal counsel handles the corporate restructuring, agreement drafting, any securities law implications of ownership changes, and court filings if a voting trust is required. The two roles are complementary, not interchangeable. We can recommend FOCI-experienced corporate counsel if you don't already have a relationship in place.
Fulcrum Advisory works directly with defense contractors through every phase of the FOCI mitigation process — from initial ownership structure review through executed SSA, proxy agreement, or voting trust.
Schedule a CallThe May 7 proposed rule extends FOCI requirements to unclassified contracts over $5M. Here's what triggers the 90-day clock and what to do before it starts.
The four FOCI vectors, common ownership structures that require mitigation, and why your PE firm's corporate transaction team needs a FOCI advisor in the room before closing.