Defense Contractors Face Expansion of National Security Disclosure and Mitigation Requirements to Unclassified Contracts
On 7 May 2026, the Department of War (DoW) released a proposed rule that would, for the first time, extend foreign ownership, control, or influence (FOCI) review and mitigation requirements to uncleared contractors performing unclassified DoW contracts and subcontracts valued in excess of US$5 million. DoW estimates that approximately 37,740 entities—including roughly 21,511 small businesses—could fall within the new framework. The public comment period closes 6 July 2026. Through this proposed rule, DoW is moving FOCI review from a niche process associated with classified contracts into a broader, enterprise-level screening and mitigation regime for unclassified defense work. For many defense contractors, this will be a highly consequential conceptual change: companies that never needed a facility clearance or direct classified access would face the ownership disclosures, government risk review, and mitigation obligations of the FOCI process.
Background and Statutory Origin
The proposed rule implements Section 847 of the FY2020 National Defense Authorization Act (NDAA) and Section 819 of the FY2021 NDAA, together with elements of DoW Instruction 5205.87 (May 2024). In other words, DoW is not starting from scratch; it began moving in this direction some years ago, signaling its intent to broaden FOCI review. Historically, FOCI scrutiny—administered by the Defense Counterintelligence and Security Agency (DCSA) under the National Industrial Security Program—has been reserved for contractors requiring access to classified information. The new framework reflects DoW’s view that FOCI risk is a function of ownership and supply-chain exposure, not classification status, and is designed to provide what DoW describes as an “unprecedented level of visibility” into the ownership structures of its industrial base. Crucially, the proposed rule reaches both prime contractors and subcontractors, which will significantly enlarge the affected population of companies and make flowdown compliance a key concern for prime contractors.
What the Proposed Rule Requires
The rule would create a new Defense Federal Acquisition Regulation Supplement (DFARS) Part 240, Information Security and Supply Chain Security, along with a new solicitation provision (DFARS 252.240-70XX) and contract clause (DFARS 252.240-70YY). Key obligations include:
Pre-Award Disclosure via NISS
Before contract award, offerors must submit a completed Standard Form (SF) 328, Certificate Pertaining to Foreign Interests, along with supporting documentation and contact information for each beneficial owner, through DCSA’s National Industrial Security System (NISS). Submission of an offer constitutes a representation that the information is current, accurate, and complete.
“Eligible” NISS Status as a Gate
Contracting officers may not award, modify, or exercise an option on a covered contract unless the contractor (or subcontractor) holds an “eligible” status in NISS. NISS eligibility thus operates as a gating requirement at every subsequent contract action, not just at initial award.
90-Day Mitigation Clock
If DCSA determines that FOCI or beneficial ownership poses a mitigable risk, the contractor must agree at award to implement a DCSA-approved mitigation strategy within 90 calendar days. The clock resets after each triggering contract action, including post-award identification of risk. The proposed rule does not specify what mitigation tools (e.g., board resolutions, proxy agreements, or structural changes) will apply to uncleared contractors—an open question of substantial concern.
Ongoing Reporting Duties
Contractors must update the SF-328 in NISS before any modification or renewal and whenever underlying ownership information changes. If a change may place the contractor under FOCI, the contractor must report owner details to DCSA within three business days, and the contractor must confirm a plan of action within 10 business days of receiving DCSA’s recommendations.
Subcontractor Flowdown
Prime contractors must flow the substance of the FOCI clause down to subcontractors at any tier whose subcontracts exceed US$5 million, and they must confirm and maintain subcontractor NISS eligibility before award and throughout performance.
The Commercial Item Exemption—Narrower Than It Appears
The rule generally excludes contracts for commercial products and services, including commercially available off-the-shelf items. However, this exemption is qualified in ways that compliance teams should not overlook. A “designated senior DoW official” (not yet identified) may direct that the new terms apply to any commercial acquisition involving “sensitive data, systems, or processes.” Notably, the proposed rule itself indicates that DoW views FOCI risk as driven by ownership rather than by what is being procured, suggesting that this authority to apply the rule to commercial acquisitions may be invoked more frequently than the exemption's plain text implies, particularly for software, information technology, and other technology-heavy acquisitions. The rule does not yet specify the criteria, timing, notice, or appeal process governing such determinations.
Scope and Impact
DoW’s own estimates underscore the scale of the expansion:
- Approximately 3,774 unique awardees per year would have been captured under the rule based on FY2022–FY2024 data.
- Approximately 37,740 total entities (including offerors and subcontractors) could be subject to submission requirements.
- Approximately 21,511 of those entities are small businesses, many of which have no prior interaction with DCSA or NISS.
- Approximately 9,435 contractors are projected to need disclosure updates during performance; an additional approximately 1,887 would be affected by the refresh requirement before option exercise or modification.
Expected Implementation Timeline
- 7 May 2026: Proposed rule published in the Federal Register.
- 6 July 2026: Public comment period closes.
- Post-comment period: DoW will review comments and issue a final rule. No effective date has been set. Given the breadth of the rule and the open questions identified above, a final rule is unlikely before late 2026 or 2027, and DoW may issue interim or implementing guidance to address NISS onboarding for uncleared contractors.
Recommended Actions for Legal and Compliance Teams
The proposed rule represents a structural shift from a classified-information paradigm to an ownership-and-access paradigm that reaches deep into the defense industrial base, including companies with no prior DCSA exposure. Affected companies should begin internal preparation now, rather than waiting for a final rule. Recommended steps include the following:
Map Your Contract Portfolio Against the US$5 Million Threshold
Identify prime contracts, subcontracts, and pipeline opportunities that would be covered, including indefinite delivery, indefinite quantity task orders and option years that could trigger the eligibility gate.
Conduct an SF-328 Readiness Review
Walk through each question in SF-328 against current ownership records. Identify foreign parents, foreign limited partners, foreign minority investors, foreign-citizen officers or directors, foreign indebtedness, and foreign revenue concentrations that could trigger FOCI disclosure.
Build a Beneficial Ownership Inventory
Maintain a current, defensible record of all beneficial owners with contact information ready for NISS submission. Coordinate with corporate, mergers and acquisitions, and treasury functions to flag changes in real time.
Initiate NISS Registration Planning
For uncleared contractors with no prior DCSA interaction, identify a NISS account administrator, confirm commercial and government entity code alignment, and review available DCSA guidance on the registration process.
Assess Mitigation Exposure
For contractors with known foreign ownership or control elements, evaluate the realistic universe of mitigation outcomes, from attestations to board resolutions to structural arrangements, and how a 90-day clock would interact with their governance processes.
Update Subcontractor and Supplier Management Processes
Build NISS eligibility verification into supplier onboarding, prime/sub flowdown templates, and ongoing supplier monitoring for subcontracts above US$5 million.
Engage With Private Equity Sponsors and Foreign Investors
Portfolio companies, joint ventures, and minority-investment structures may now require FOCI analysis, even where no classified work is involved—investors should be brought in early.
Consider Submitting Comments by 6 July 2026
Open questions on the commercial item exemption, the “senior DoW official” process, the mitigation toolbox for uncleared contractors, NISS onboarding, and legacy contracts are squarely teed up for industry input.
The firm’s International Trade, Investment Controls, and National Security practice group and Government Contracts and Procurement Policy practice group are closely monitoring these developments and can assist companies contemplating activity subject to these new requirements.