On May 7, 2026, the Department of Defense ("DoD") published a proposed rule that would amend the Defense Federal Acquisition Regulation Supplement ("DFARS") to impose new disclosure and mitigation obligations on existing and prospective DoD contractors and subcontractors. Specifically, the proposed rule would require DoD contractors and subcontractors with contracts over $5 million to disclose beneficial ownership and Foreign Ownership, Control, or Influence (“FOCI”) information, even if there is no classified information involved. Additionally, commercial contracts are not categorically exempt from FOCI review. While they are generally excluded by the new requirement, DoD can determine that a specific contract poses a national security risk. DoD has not yet specified which official will be responsible for making these determinations. Comments on the Proposed Rule are due on or before July 6, 2026.
Scope of the Proposed Rule. Contractors and subcontractors may be subject to beneficial ownership and FOCI review if they maintain contracts or subcontracts over $5 million in value, including contracts that do not involve access to classified information. The rule may cover certain commercial acquisitions if DoD determines that sensitive data, systems, or processes create a national security risk. If a contractor or subcontractor is “covered,” they must submit a Standard Form 328 (Certificate Pertaining to Foreign Interests) and supporting documentation through the National Industrial Security System (“NISS”) for review by the Defense Counterintelligence and Security Agency (“DCSA”).
Based on DoD estimates, an average of over 37,000 entities would potentially be impacted by the proposed rule. Of those entities, over 21,000 are small businesses and an estimated 9,435 would be required to update their disclosures during contract performance.
Ongoing Mitigation and Reporting Obligations. The proposed rule prohibits DoD from awarding covered contracts unless the offeror has made the required disclosures and, if required, agrees to implement risk mitigation strategies identified by the relevant program office. Once a contract is awarded, contractors and subcontractors are required to implement any identified risk mitigation strategies within 90 calendar days of the award, contract modification, or identification of risks. This mitigation and reporting process is an ongoing requirement; if a contractor has any changes in beneficial ownership or FOCI, they must submit an updated SF-328 and supporting documentation. Where changes may place the contractor or a subcontractor under FOCI, the contractor must report specified information—including the foreign or beneficial owner's name, relevant information about the foreign owner, and any readily available information about risk mitigation actions—within three business days of identification or notification. Within 10 business days of being notified by DCSA that FOCI or beneficial ownership poses a risk or potential risk, the contractor must initiate a plan of action to implement DCSA's recommendations and confirm in NISS that it will comply with the identified risk mitigation recommendations.
The proposed rule also directs contracting officers not to award, modify, or exercise an option or extend a contract in excess of $5 million unless the contractor has eligible status in NISS. This requires contractors to ensure their covered subcontractors have and maintain eligible NISS status.
Commercial Contracts Could Be Subject to the Requirement. While the proposed rule would not automatically apply to contracts for commercial products, commercially available off-the-shelf (“COTS”) products, and commercial services, it could apply in some cases. For acquisitions valued above $5 million, a DoD official may determine that the contract involves a risk or potential risk to national security or determine that the contract could compromise sensitive data, systems, or processes. Contracts for commercial products, COTS, and commercial services would then trigger the proposed rule.
Takeaways. Defense contractors and companies involved in the defense supply chain should assess whether they have processes in place to identify beneficial owners and potential foreign interest to comply with the ongoing requirements of the proposed rule. The proposed rule would be a significant expansion of the FOCI disclosure and mitigation regime and would create compliance obligations for companies that have not previously been required to hold clearances or been subject to review. Companies that pursue covered DoD contracts or subcontracts involving sensitive data, systems, or processes may want to review their contract and subcontract procedures and post-award monitoring controls to account for these new reporting requirements. Additionally, investors participating in mergers and acquisitions of defense contractors and companies involved in the defense supply chain should carefully diligence potential application of the proposed rule and how it might impact proposed transactions.
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.