In May 2024, the US Department of Defense (DoD) published the long-awaited DoD Instruction [1] (FOCI Instruction) expanding the FOCI review process from solely US government contractors that access classified information to all US government contractors performing on certain unclassified contracts with a value exceeding US$5 million. For the uninitiated, the US government mitigates FOCI at US companies that require security clearances through the implementation of FOCI mitigation plans. These plans vary based on the nature of the FOCI (and other risks), and can include security controls at the cleared US companies, such as requirements for independent directors, visitation and access controls, restrictions on communications with the foreign owner, and limitations on shared services and operations, among other requirements. Typically, parties that work with the DoD to implement and comply with these mitigation plans do so in order to obtain or maintain facility security clearances (FCLs) required for performance on classified contracts.

The FOCI Instruction creates a requirement for a “covered contractor or subcontractor” to undergo a FOCI review during the source selection process for a potential government contract award. (Note that full implementation of the FOCI Instruction will be delayed until release of the corresponding Defense Federal Acquisition Regulation Supplement (DFARS) provision, which remains pending.) A “covered contractor or subcontractor” is defined by the FOCI Instruction as “an existing or prospective contractor or subcontractor of the DoD on a contract, subcontract, or defense research assistance award [DRAA] with a value exceeding $5 million.” However, Section 847 and the FOCI Instruction explicitly exclude contractors providing commercial products or services unless a DoD Component or Principal Staff Assistant official determines “the contract involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system.” Recent data provided by the Defense Counterintelligence and Security Agency (DCSA) estimates that covered contractors or subcontractors could number 200,000-250,000 (compared to the 13,000 companies that are subject to the FOCI review process today). As a result, while DCSA currently conducts FOCI reviews on roughly 500 to 600 contractors (of the 13,000 total contractors) in a given year, DCSA is now anticipating that it may conduct FOCI reviews on 7,000 to 8,000 contractors (due to new potential contract awards or existing covered contractors or subcontractors reporting a change in beneficial ownership (or, theoretically, other material changes), as a result of the FOCI Instruction.

During the FOCI review, DCSA will analyze FOCI and other risk indicators, including, but not limited to, foreign ownership and foreign leadership, to determine whether sufficient risk indicators are present to warrant mitigation measures in order for the contractor to be eligible for contract award.

It is presently unclear how FOCI and other risks will be mitigated for contractors holding only unclassified contracts. It stands to reason that there will be some differences as compared to the program for cleared contractors, but it is highly likely that the standard FOCI mitigation measures that currently apply to cleared DoD contractors, and can impose significant restrictions, will also apply, in some cases, to uncleared DoD contractors or subcontractors that do not require access to classified information. However, alternative FOCI mitigation mechanisms are also likely to be developed for less sensitive cases. What is known, however, is that, according to the FOCI Instruction, DCSA must work with the covered contractors or subcontractors to execute and implement the required mitigation measures within 90 days after contract or DRAA award or commencement of performance on the contract. Our experience is that this would be an improbably fast turnaround for many traditional FOCI mitigation scenarios.

Importantly, note that the FOCI review and potential for mitigation requirements can also apply to an existing contract, subcontract or DRAA if the performing contractor or subcontractor reports changes to its beneficial ownership information during the term of the contract, subcontract or DRAA. Therefore, if any covered contractor or subcontractor anticipates a change in beneficial ownership triggering notice (the threshold for such change is not specified in the DoD Instruction, but 5% or more change in the beneficial ownership is the trigger under pre-existing reporting thresholds), the contractor or subcontractor should understand its risk of potential FOCI or other risk mitigation requirements, and how such mitigation could impact its business.

[1] The FOCI Instruction (DoD Instruction “Mitigating Risks Related to Foreign Ownership, Control, or Influence [(FOCI)] for Covered DoD Contractors and Subcontractors” (DoDI 5205.87)) stems from Section 847 of the National Defense Authorization Act for Fiscal Year 2020 (Section 847). (Section 819 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 amended Section 847, requiring that the Secretary of Defense develop an implementation plan for Section 847 by March 1, 2021.)