DoD Instruction Expands FOCI Review Process to All Contractors

Email

256-834-8648

DoD Instruction Intended to Protect Defense Supply Chain: Defense Contractors and Subcontractors Subject to Additional Filings and DCSA Reviews

by: David Vance Lucas of Womble Bond Dickinson (US) LLP - Client Alert

Wednesday, August 7, 2024

Print Mail Download info_icon_img

/>i

Concerns regarding the integrity of the U.S. defense industrial base supply chain continue to grow. Similar to national cybersecurity risks, national security risks to the defense supply chain are asymmetric and can arise at any level in the supply chain – both at the prime and small business entity levels – as well as with classified and unclassified work.

Defense industrial base supply chain integrity

Without much publicity or fanfare, on May 13, 2024, the U.S. Department of Defense (DoD) published a new DoD Instruction (DoDI). The new DoDI expands the Foreign Ownership Control and Influence (FOCI) review process from contractors that hold DoD clearances and access classified information to all DoD contractors – cleared or not – that hold certain contracts in excess of $5 million. [DoD Instruction 5205.87 “Mitigating Risks Related to Foreign Ownership, Control, or Influence (FOCI) for Covered DoD Contractors and Subcontractors”]

As background, a DoDI provides policy and procedural guidance to those responsible for, or covered by, the DoDI, including policy implementation, operational standards, procedural responsibilities, and specific actions required by an agency policy or directive.

The May “FOCI Instruction” is the most recent effort by the DoD to expand protection to the defense supply chain. As a result, for the first time, DoD contractors that are not cleared and don’t access classified information will nonetheless be subject to FOCI disclosure requirements and potential FOCI mitigation requirements by the Defense Counterintelligence and Security Agency (DCSA).

Foreign Ownership Control and Influence

FOCI refers to a situation where a U.S. business engaged in providing products, services, or technology to the US government is subject to potential control or influence by a foreign entity, more specifically.

Foreign Ownership occurs when a foreign entity, whether a government, company, or individual, holds an ownership interest in a business, whether in the form of equity, debt, or other indicia of ownership.
Foreign Control occurs when a foreign entity has the power to influence or direct the policies, operations, or decisions of a business, which can include minority ownership, voting rights, board representation, executive management, contractual agreements, or other arrangements that allow the foreign entity to dictate or alter the business’s actions.
Foreign Influence refers to situations where a foreign entity has the ability to affect the decisions or actions of a business through subjective, rather than direct control, via informal or indirect means, such as financial dependencies, strategic partnerships, or familial ties.

Defense contractors subject to FOCI pose a risk to U.S. national security, particularly with regard to classified or sensitive information. More specifically, foreign entities can exploit their ownership, control, or influence, to access, manipulate, or sabotage sensitive US government projects.

FOCI is also a key factor considered by the Committee on Foreign Investment in the U.S. (CFIUS) when assessing whether to permit foreign direct investment in a U.S. business involved with certain Critical Technologies, Infrastructure, and Sensitive Data.

FOCI Mitigation

Historically, FOCI mitigation has been limited to companies that hold DoD security clearances, have access to DoD classified or controlled but unclassified information (CUI), and have some level of non-U.S. involvement in their ownership, operations, or governance. Mitigation was in part accomplished by requiring defense contractors to submit Standard From 328s (SF328) which divulge foreign ownership in the contractor.

The DCSA is responsible for conducting FOCI reviews. In conducting a typical FOCI review, the DCSA analyzes various FOCI risk factors, including, but not limited to, foreign ownership, leadership, voting rights, and financing to determine whether sufficient risk factors are present to warrant mitigation measures for a contractor to be eligible for contract award. If warranted by the FOCI review, the contractor would be required to implement a suitable FOCI mitigation plan to protect national security from the perceived FOCI risk.

FOCI mitigation plans vary from relatively simple corporate exclusionary resolutions and firewalls, to special purpose legal entities with independent directors and management, visitation and access controls, communication restrictions, shared services and operations limitations, and other physical and electronic protections.

Expansion of FOCI Disclosure and Mitigation

The May FOCI Instruction expands historical coverage beyond U.S. DoD cleared contractors, to more broadly defined “covered contractor or subcontractor.” The FOCI Instruction defines a “covered contractor or subcontractor” to be “an existing or prospective contractor or subcontractor of the DoD on a contract, subcontract, or defense research assistance award [DRAA] with a value exceeding $5 million”. The FOCI Instruction potentially excludes contractors providing commercial products or services, so long as the subject contract is not determined to involve a “potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system.”

The FOCI Instruction also expands the DCSA’s role to perform FOCI reviews for all “covered contractors” during the source selection process for covered contract. However, the FOCI Instruction does not specify the scope of the DCSA FOCI review of non-cleared DoD contractors, which will need to be further specified in the Defense Federal Acquisition Regulation Supplement (DFARS) enacting the FOCI Instruction.

As a result, it is currently unclear how FOCI risks will be mitigated for defense contractors that only perform unclassified contracts or only possess CUI. It is also currently unclear what or how FOCI mitigation measures that currently apply to cleared contractors, will be applied to uncleared contractors that do not require access to classified information. It is possible that new FOCI mitigation measures will be developed by the DCSA for unclassified or less sensitive contracts.

Otherwise, the FOCI Instruction does provide that DCSA, and “covered contractors” are required to execute and implement any required mitigation measures within 90 days after contract or DRAA award or commencement of performance on the contract.

Finally, if a “covered contractor” has a change in beneficial ownership, such will trigger the filing of an updated SF328. Based on existing regulations a 5% or more change in the beneficial ownership of a “covered contractor” will the trigger a filing requirement.

Recommendation

Understanding and managing FOCI is now essential for all DoD contractors to ensure that they are compliant with applicable national security and FOCI requirements.

As a result, all DoD contractors and subcontractors, regardless of size and status of clearance, should carefully review the FOCI Instruction and understand its application to their business and their resulting compliance obligations.

Additionally, DoD contractors that do not currently hold a facility clearance but do have DoD contracts in excess of $5 million should familiarize themselves with the SF-328 and establish policies and procedures to assess and comply with the FOCI Instruction and forthcoming DFARS provision.