The Pentagon Enters Its Mitigation Era: FOCI Review and Mitigation Expand Beyond Classified Contracts

On May 6, 2026, the Department of Defense ("DoD”) published a long-awaited proposed rule that would amend the Defense Federal Acquisition Regulation Supplement ("DFARS") to align with the requirements of the National Defense Authorization Act ("NDAA") for Fiscal Years 2020 and 2021 (the “Proposed Rule”). The Proposed Rule is of particular significance to the defense industrial base, as it would apply foreign ownership, control, or influence ("FOCI") reviews and mitigation requirements to uncleared contractors seeking to perform unclassified DoD contracts and subcontracts.

Who Should Care

• Defense contractors and subcontractors without classified contracts
  Companies performing unclassified but sensitive DoD work – including manufacturing, engineering, IT, logistics, or supply‑chain functions – may face FOCI review for the first time.
• Private equity sponsors and investors in defense‑adjacent businesses
  Ownership structures, minority investors, and foreign limited partners may now trigger FOCI scrutiny or mitigation requirements even where portfolio companies do not access classified information.
• Companies relying on commercial product or services exceptions
  Contractors that view their DoD work as “commercial” should reassess risk, as DoD retains discretion to apply FOCI requirements where sensitive data, systems, or processes are implicated.
• Businesses bidding on or supporting DoD contracts exceeding $5 million
  Prime contractors and subcontractors alike may be required to submit ownership disclosures (SF‑328) and accept potential mitigation obligations as a condition of award.

Background

Historically, FOCI reviews and mitigation measures have been applied principally to contractors requiring access to classified information under the National Industrial Security Program ("NISP"). Section 847 of the NDAA for FY 2020, together with Section 819 of the NDAA for FY 2021, directed the DoD to extend FOCI reviews – and, potentially, mitigation – to contractors that do not handle classified information but are nonetheless engaged in sensitive unclassified defense work for which the solicitation or award is valued in excess of $5 million. The new requirement generally excludes contracts for commercial products and commercial services.  (However, even for such commercial products/services contracts, DoD can determine that a contract poses “risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes.”) Importantly, these thresholds apply to both prime contracts and subcontracts.

This expansion to contractors who don’t perform on classified contracts reflects growing U.S. Government concern regarding FOCI risks within the defense supply chain, even in the absence of classified access.

The Proposed Rule

The Proposed Rule would amend the DFARS by creating a new part 240, Information Security and Supply Chain Security. The new part 240 would:

• Establish procedures for contracting officers to implement disclosure and risk mitigation requirements, such as directing contracting officers not to award, modify, or exercise a contract option unless the offeror or contractor has a status of "eligible" in the National Industrial Security System ("NISS").
• Mandate the use of a new solicitation provision and contract clause (the “New Terms”) in applicable solicitations and contracts valued in excess of $5 million, requiring the contractor to:
  • submit an SF-328 (Certificate Pertaining to Foreign Interests) and supporting documents to the Defense Counterintelligence and Security Agency (“DCSA”);
  • provide contact information for each beneficial owner;
  • acknowledge that if the requiring activity determines (with DCSA input) that FOCI or beneficial ownership poses a potential or actual risk to national security that can be mitigated, the contractor must agree at award to implement a risk mitigation strategy within 90 days; and
  • submit updates to initial SF-328s reflecting changes to beneficial owners and other responses as applicable over the life of the contract.
• Require that, for acquisitions using FAR part 12 procedures, the New Terms be included if a designated senior DoD official determines the contract “involves a risk or potential risk to national security or potential compromise due to sensitive data, systems, or processes.”
• Note that the Proposed Rule does not provide guidance respecting the types of risk mitigation that may apply when an uncleared contractor or subcontractor is found to be under FOCI.  (This open question is fuel for comment.)

Impact

According to DoD (as detailed in the Proposed Rule), the average number of unique awardees that would likely have been captured under this rule during fiscal years 2022–2024 was 3,774 per year.  DoD estimates that small businesses comprise approximately 57% of this figure.  However, assuming each award attracted two offerors on average and involved five subcontractors, DoD estimates that up to 37,740 entities could have been subject to the Proposed Rule’s submission requirements.  These figures do not account for updated disclosures that contractors may need to make during the lifetime of a contract.  The Proposed Rule does not estimate the number of contractors that may require some form of risk mitigation.

How Dechert Can Help

The Proposed Rule is subject to a public comment period ending on July 6, 2026. The Dechert National Security Group is carefully reviewing the Proposed Rule to determine whether comments are warranted.  Affected contractors and stakeholders should also thoroughly review the Proposed Rule.  The Dechert team is available to assist clients who wish to submit comments separately.

We will provide a more thorough analysis over the coming weeks.  In the meantime, the Dechert National Security Group’s best-in-class FOCI Mitigation/Government Contracts team can answer any questions you may have respecting the application of the DFARS amendment to your business, the submission of SF-328s and supplemental documentation, or potential FOCI risk mitigation strategies.