Why Should They Have All The Fun? DoD Instruction Expands DCSA's FOCI Reach Beyond Cleared Contractors

On May 13, 2024, the Department of Defense (DoD) issued an instruction implementing policies and procedures that DoD will use to identify contractors (including uncleared contractors) requiring foreign ownership, control, and influence (FOCI) determinations, review related information, and address FOCI concerns. These policies and procedures were put in place pursuant to Section 847 of the 2020 National Defense Authorization Act¹ (Section 847). These FOCI requirements will, for the first time, subject many uncleared DoD contractors to rigorous disclosure requirements, scrutiny, and potential mitigation by the Defense Counterintelligence and Security Agency (DCSA). Cleared contractors already subject to DCSA FOCI review also may be required to report FOCI information more often than is currently required.

DoD Instruction 5205.87, Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors, ("the Instruction") provides direction to various DoD components, including DCSA, for FOCI review of "covered contractors," which includes contractors and subcontractors receiving a DoD contract or subcontract with a value over $5 million, with a carve-out for contracts for commercial products and services that do not present a risk or potential risk to national security or potential compromise of certain data or systems.²

This change appears poised to radically expand the administrative burden currently associated with DCSA's FOCI examination of cleared contractors to a broad spectrum of cleared and uncleared DoD contractors. This comes as part of a continued focus on government supply chain security and FOCI concerns, including with respect to less-sensitive, unclassified contracts.

While the contractor-facing DFARS rule remains pending (although this rulemaking was originally scheduled for completion in 2021),³ this internal DoD Instruction provides insight into the roles and responsibilities within DoD, as well as some of the procedures (e.g., the questionnaire that will be used to solicit the required disclosures). Companies may consider taking action to prepare for these FOCI reviews.

FOCI Review and Mitigation Requirement

Section 847 and the Instruction require that covered contractors:

1. disclose to DCSA their beneficial ownership and whether they are under FOCI (and, if they are, to disclose contact information for each of its foreign owners that is a beneficial owner); and
2. update such disclosures when (i) changes occur and (ii) a contract or subcontract is awarded, amended, or renewed.

The Instruction tasks the Defense Intelligence Agency with providing threat analysis of supply chain risk for mission critical acquisitions, and that analysis may be used to support determinations to require FOCI reporting under government contracts for the acquisition of commercial products and services, which are otherwise carved out from coverage under the definition of covered contractor.

FOCI Review Process

Triggering a Review

The Instruction indicates that DoD components will provide DCSA with a list of potential covered contractors (and previously identified covered contractors that will be required to submit updated FOCI information) before source selection decisions are made in acquisitions. DCSA reviews will be requested by the DoD Components or by a covered contractor on behalf of a subcontractor through a DCSA system of records (not yet designated).

The Review

1. Information: As will be familiar to cleared contractors, the Instruction contemplates covered contractors providing a completed Standard Form 328 "Certificate Pertaining to Foreign Interests" (SF-328) along with other requested documentation (e.g., business documentation). The SF-328 currently consists of 10 yes/no questions that require additional explanation for each "yes" response.
   
   In recent years, DCSA has asked progressively more follow up questions and sought more detail in SF-328 responses, including probing ownership that the contractor has otherwise identified as domestic. It is well known that DCSA's FOCI concerns have broadened beyond focusing primarily on ownership to examining the softer elements of foreign "influence" (e.g., foreign contracts/revenue, foreign officers/directors, and foreign subsidiaries).
   
   The Instruction provides that the government will not require an update to a FOCI review conducted within the past 12 months where there has been no beneficial ownership change since the previous submission. Cleared contractors may therefore be spared procurement-driven FOCI updates if a company is already submitting updated SF-328 documents annually.
   
   
2. Steps: DCSA will be responsible for conducting a FOCI review within 25 working days of a DoD component request. After review, DCSA will provide, if appropriate, a risk indicator report and risk mitigation strategy to the applicably DoD Component. Based on DCSA's recommendation, the Principal Staff Assistant or DoD Component will determine whether the covered contractor is found to be under FOCI and what mitigations are required.

FOCI Mitigation

If the DoD component determines that FOCI mitigation cannot sufficiently protect against identified risks, then the contract, subcontract, or defense research assistance award may not be awarded, amended, or extended.

If the DoD component requires FOCI mitigation for an award to a covered contractor, the covered contractor and contracting officer will need to agree to the exact mitigation measures before award. For subcontractors, the mitigation measures may be agreed after contract award but before contract performance.

DCSA will execute final FOCI mitigation measures with the covered contractor within 90 working days of the contract or defense research assistance award. However, the measures should be executed and implemented by the covered contractor within 90 calendar days of either award or, for subcontracts, commencement of performance.

The mitigation will remain in place for the duration of the contract, subcontract, or defense research assistance award while the covered contractor remains under FOCI.

Annual Updates

FOCI-mitigated covered contractors likely will be required to provide annual updates to support DCSA's annual review for changes in FOCI status.

Key Takeaways

Companies that do not currently hold a facility clearance that hold, or may consider pursuing, DoD contracts in excess of $5 million for other than commercial products and services should:

1. review the SF-328 form;
2. begin developing a plan for responding to the SF-328 when required, including collecting certain relevant information on foreign ownership and other foreign contacts made by the contractor (i.e., foreign customer contracts or debts); and
3. assess whether DCSA may identify FOCI concerns and begin considering what mitigations may be required.

Companies that already hold a facility clearance and are likely to be found to be a "covered contractor" should plan to adjust for an annual SF-328 update process as necessary.

1. Amended by Section 819 of the 2021 National Defense Authorization Act.

2. Specifically, the definition of "covered contractor" is any company that "is an existing or prospective contractor or subcontractor of the DoD on a contract, subcontract, or defense research assistance award with a value exceeding $5 million. Contractors for commercial products or services are excluded, unless the designated Principal Staff Assistant or DoD Component official determines that the contract involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system."

3. This date was rescheduled from the original March 2021.