DoD Proposes DFARS Rule Expanding Foreign Ownership Disclosure to 40,000 Unclassified Contractors

The Department of Defense published a proposed rule in the Federal Register on May 7, 2026, that would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to expand Foreign Ownership, Control, or Influence (FOCI) disclosure obligations to defense contractors and subcontractors performing on unclassified contracts valued above $5 million. Currently, FOCI requirements apply primarily to contractors with access to classified information, requiring disclosure and mitigation through the Defense Counterintelligence and Security Agency. The proposed rule implements Sections 847 and 848 of the National Defense Authorization Act for Fiscal Year 2020 — a congressional mandate set with a July 2021 deadline that DoD missed by nearly five years, reflecting the administrative complexity of extending an existing classified-space framework to an unclassified contractor population roughly 15 times larger in total company count and substantially more diverse in ownership structure.

What the Rule Requires

Under the proposed rule, contractors and subcontractors seeking DoD contracts above $5 million would be required to disclose beneficial ownership information and report FOCI status to DCSA. Disclosures must include identifying information about any foreign person or entity that directly or indirectly owns 25 percent or more of the contractor's voting securities, or that otherwise exercises significant influence over the contractor's management, board composition, or technology decisions. Disclosures must be updated throughout the contract's performance period — not merely at award — and any material change in ownership or control must be reported to DCSA within 30 days of the change occurring. This ongoing reporting obligation distinguishes the proposed rule from the one-time disclosure model that governs most federal contractor certification requirements.

Contractors identified as having FOCI would be required to mitigate risks within 90 days of identification — typically through a Security Control Agreement for lower-risk foreign ownership, a Special Security Agreement for majority foreign ownership, or more restrictive instruments such as a Proxy Agreement or Voting Trust for situations where foreign control is deemed unacceptable without full insulation of the contractor's management and technical operations from foreign influence. DCSA's National Industrial Security Program office manages these instruments and provides compliance guidance through its FOCI adjudication process, which historically has been staffed to handle classified-facility caseloads rather than the broader population this rule would create.

The rule's scope is expansive: approximately 40,000 companies would be covered under the new threshold, compared to the few thousand classified contractors currently subject to FOCI requirements. Scott Freling, a government contracts partner at Covington & Burling, told Federal News Network that while the policy goal is sound, "putting it into practice is a lot more challenging, and it's a big ask" at that scale. Heather Finstuen, also of Covington & Burling, noted that DCSA's historical classified-space operations would need to expand vastly to process the new disclosure volume, raising questions about whether DCSA has the staffing and systems infrastructure to adjudicate the anticipated case flow without creating delays in contract award timelines for the broader contractor community.

Background: Why FOCI Matters

FOCI poses a counterintelligence risk because foreign ownership of a defense contractor can provide an adversary government with access to sensitive — even unclassified — technical data, manufacturing processes, personnel information, and supply chain relationships. Unlike classified information, which is protected by physical and administrative controls under the National Industrial Security Program, unclassified controlled technical information can be accessed through normal contract performance activities without triggering security protocols. The 2023 DoD Counterintelligence Strategy specifically identified FOCI in the defense industrial base as a priority concern, following documented cases of Chinese state-linked investment in companies supplying components to U.S. defense programs.

The private equity ecosystem adds compliance complexity: many mid-tier defense suppliers are portfolio companies of PE funds with diverse limited partner rosters that may include foreign sovereign wealth funds or state-linked investors. Tracing beneficial ownership through layered fund structures to identify a reportable foreign principal is a non-trivial compliance exercise, and industry associations have begun preparing member guidance on how to conduct that beneficial ownership analysis before the rule takes effect. The 60-day comment period is the primary opportunity for industry to seek regulatory clarity on this definitional question and on DCSA's capacity to process the resulting disclosure volume.

DCSA Capacity and Implementation Risk

The most substantive concern raised in early industry previews of the proposed rule is whether DCSA has the case management infrastructure to process disclosures from 40,000 potential new reporting entities without creating de facto barriers to DoD contract awards for companies under review. DCSA's Industrial Security Facilities Database currently tracks approximately 10,000 cleared facilities; the proposed rule would require DCSA to build or procure a separate database architecture for unclassified FOCI disclosures and staff an adjudication function capable of processing the significantly larger caseload. Industry associations have requested that the final rule include explicit timelines for DCSA adjudication of FOCI disclosures to prevent review backlogs from becoming a source of contract award delays, and have suggested a phased implementation approach that allows DCSA to build processing capacity incrementally before the rule applies to the full contractor population.

What It Means for Contractors

Any contractor currently performing on unclassified DoD contracts above $5 million should assess its ownership structure and identify beneficial owners before the rule is finalized — early compliance preparation avoids award delays once the rule takes effect, expected in late FY2026 or FY2027.
Private equity-backed defense firms and those with foreign investors or foreign parent companies face the highest compliance burden; engaging legal counsel experienced in DCSA mitigation instruments before the final rule is published is advisable given the 90-day post-identification mitigation deadline that will apply from the rule's effective date.
Comments on the proposed rule are due 60 days after Federal Register publication; industry associations including the Professional Services Council and the National Defense Industrial Association have indicated they will file comments addressing DCSA capacity and definitional clarity — individual firms should review those filings and submit their own if unique ownership circumstances warrant specific regulatory guidance.
DCSA's National Industrial Security Program office manages FOCI mitigations — guidance documents are available at dcsa.mil/mc/pv/mbi/foci/; firms unfamiliar with the FOCI process should schedule an exploratory meeting with their DCSA Industrial Security Representative before the rule's effective date to understand applicable mitigation options and expected processing timelines.