DOD Proposed Rule Will Expand FOCI Requirements to Non-Classified Defense Contracts

The U.S. Department of Defense (DOD) issued DOD Instruction 5205.87, titled "Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DOD Contractors," on May 13, 2024. The instruction establishes policy and assigns responsibilities to assess and determine if the beneficial ownership of a covered contractor or subcontractor requires mitigating foreign ownership, control, or influence (FOCI), pursuant to Part 117 of Title 32, Code of Federal Regulations (CFR).

The primary goal of this directive is to protect the DOD's supply chains and defense industrial base against adversary FOCI, which could jeopardize critical data, systems or procedures. It requires detailed assessments of beneficial ownership to detect FOCI issues early in the contracting process, allowing the DOD to establish necessary mitigation measures prior to granting contracts or defense research assistance grants.

Responsibilities for controlling and mitigating FOCI risks are shared among several DOD components. The Under Secretary of Defense for Intelligence and Security – OUSD(I&S) – oversees the overall assessment and mitigation activities, ensuring consistent policy application across the DOD. The Defense Counterintelligence and Security Agency (DCSA) conducts case studies of beneficial ownership and delivers FOCI assessments and risk mitigation techniques. The Director of the Defense Intelligence Agency (DIA) provides counterintelligence support, focusing on detecting and evaluating foreign collection risks to mission-critical purchases and defense research grants.

DOD Instruction 5205.87 introduces a split process and decision-making approach. DCSA, which currently conducts FOCI mitigation reviews in the classified world, will continue performing assessments based on established processes. However, it will be the DOD contracting officer who decides whether to impose mitigation measures. If imposed, the contractor will have 90 days from the contract award to implement the proposed or required mitigation.

Risk factors, assessment standards and mitigation measures are expected to remain consistent with those currently known to the industry. Expect that companies will need to complete Standard Form 328, a certificate pertaining to foreign interests, similar to what is required in the classified world. Companies with experience in FOCI are likely well-positioned to address Section 847 challenges.

Based on a recent update to DCSA's website, which created a new page for Section 847, DCSA expects that the Defense Federal Acquisition Regulation Supplement (DFARS) clause is likely to be published and implemented in the course of the next 12 to 18 months. DFARS is a set of regulations that supplements the Federal Acquisition Regulation (FAR) and provides specific guidance and rules for the DOD acquisition process. It governs the procurement of goods and services for defense purposes and ensures that these processes align with national security requirements, defense policies and statutory obligations.

DOD Instruction 5205.87 Key Terms

A covered contractor or subcontractor for purposes of DOD Instruction 5205.87 is defined as "a company that is an existing or prospective contractor or subcontractor of the DOD on a contract, subcontract, or defense research assistance award with a value exceeding $5 million. Contractors for commercial products or services are excluded, unless the designated Principal Staff Assistant (PSA) or DOD Component official determines that the contract involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system."

A commercial product is a non-real estate item typically used by the general public or non-governmental entities. It includes:

• General Public Use. A product typically used by the general public or non-governmental entities for non-governmental purposes; this includes products that have been sold, leased or licensed to the public or offered for such transactions
• Evolved Products. Products that have evolved from those used by the general public through technological advancements; these products may not yet be available in the commercial marketplace but will be in time to meet government delivery requirements
• Modified Products. Products that would meet the criteria of general public use or evolved products, except for:
  • modifications commonly available in the commercial marketplace
  • minor modifications not commonly available, made to meet federal government requirements; these modifications should not significantly alter the product's function or essential characteristics
• Combinations. Any combination of the above products that are typically combined and sold together to the general public
• Internal Transfers. Products or combinations of products that meet the above criteria, even if transferred between different divisions, subsidiaries or affiliates of a contractor
• Nondevelopmental Items. Items developed exclusively at private expense and sold in substantial quantities on a competitive basis to multiple state, local or foreign governments

Commercial services are:

• Support Services. Includes installation, maintenance, repair, training and other services for supporting a commercial product; these services must be similar to those provided to the general public under similar terms
• Marketplace Services. Services offered and sold competitively in large quantities in the commercial marketplace based on established catalog or market prices for specific tasks or outcomes, under standard commercial terms
  • Catalog Price. A price listed in a regularly maintained catalog or price list, available for inspection, showing prices at which sales are made to the general public
  • Market Price. Current prices established through ordinary trade between buyers and sellers, substantiated through competition or independent sources
• Internal Transfers. Services described above, even if transferred within different divisions, subsidiaries or affiliates of a contractor¹

Section 847 vs. DCSA FOCI Mitigation: Key Differences

Section 847, as described in DOD Instruction 5205.87, and DCSA FOCI mitigation are closely related, but they serve different roles within the framework of protecting national security from foreign control or influence.

• DOD Instruction 5205.87 establishes policy and assigns responsibilities for assessing and mitigating FOCI risks for covered DOD contractors and subcontractors, whereas DCSA FOCI mitigation specifically addresses the implementation of FOCI mitigation plans for companies that require security clearances, traditionally focusing on classified contracts.

• DOD Instruction 5205.87 applies to a broader range of contracts, including certain unclassified contracts valued over $5 million (and lower-value contracts with extension options that could cumulatively exceed $5 million), whereas DCSA FOCI mitigation traditionally applies to contractors that access classified information and require facility security clearances (FCLs).

• DOD Instruction 5205.87 requires a FOCI review during the source selection process for potential government contract awards, whereas DCSA FOCI mitigation involves analyzing FOCI and other risk indicators for cleared contractors at the time of a material change to their ownership or operations to determine if sufficient risk indicators are present to warrant mitigation measures.

• Split Decision-Making. Another key difference is the split process in decision-making – DCSA will conduct the review and issue the assessment, but it is the contracting authority that will decide on whether to implement any mitigation measures or what type of mitigation measures to implement.

• On a Contract Basis. DOD Instruction 5205.87 provides for assessment on a contract-by-contract basis with new FOCI mitigation potentially added for each new covered contract. In contrast, DCSA FOCI mitigation focuses on whether the company has any classified contracts, in which case the mitigation is imposed on the company as a whole, regardless of other non-classified work they may have.

• Mitigation Measures. Under DOD Instruction 5205.87, it appears that FOCI mitigation is discretionary, meaning the DOD may choose not to impose mitigation. However, DCSA FOCI mitigation is mandatory, with the contracting officer or DCSA selecting from the same prescribed FOCI mitigation measures in the National Industrial Security Program Operating Manual (NISPOM).

Implications for Defense Contractors

DOD Instruction 5205.87 impacts defense contractors by imposing stricter scrutiny and requirements to identify and mitigate risks associated with FOCI. Below are some ways the directive will impact defense contractors:

• Assessment and Disclosure. Defense contractors are required to disclose detailed information about their beneficial ownership and foreign operations on a contract-by-contract basis if the contract meets the minimum requirement of a covered contract. This means they must provide transparency about any foreign entities that may have a stake or influence in their operations.
• Mitigation Measures. If a FOCI risk is identified, contractors must work with the DOD contracting officer to implement measures to mitigate those risks. This could involve restructuring the company, implementing new policies and procedures on cybersecurity and electronic communications, or altering the way it handles sensitive information.
• Compliance and Oversight. Contractors must comply with the established FOCI assessment and mitigation processes. The DOD, through its various components, will oversee and ensure that contractors adhere to the necessary security measures.
• Potential for Contract Denial. If a contractor cannot adequately mitigate FOCI risks, it may be denied contracts or grants, which could have significant financial implications for the company.
• Increased Costs. The need for thorough assessments and potential restructuring to mitigate FOCI can lead to increased operational costs for defense contractors.
• Competitive Disadvantage. Contractors unable to demonstrate a low risk of FOCI or effectively mitigate FOCI may find themselves at a competitive disadvantage compared to those that can assure the DOD of their independence from foreign influence.

Overall, this instruction aims to enhance national security by ensuring that defense contractors are not subject to foreign influences that could compromise the integrity of the defense supply chain and classified information. Contractors must be diligent in understanding and complying with these requirements to maintain eligibility for DOD contracts and grants.

Conclusion

In summary, though both Section 847 and DCSA FOCI mitigation aim to protect national security interests from FOCI, Section 847 expands the scope and application of FOCI reviews and mitigation measures beyond what has traditionally been covered by DCSA's FOCI mitigation efforts. The instruction requires a proactive strategy to control all FOCI-related risks, ensuring that defense contractors, whether dealing with classified or covered unclassified contracts, are not compromised by foreign influence.

Although mitigation measures are optional, companies bidding for federal contracts must engage in rigorous due diligence and are encouraged to familiarize themselves with the new requirements during the anticipated 12- to 18-month implementation period. Section 847 is likely to have a significant impact on a large portion of the DOD contracting community.

Former Holland & Knight Summer Associate Noah Curtin contributed to this alert.

Notes

¹ DOD Instruction 5205.87 uses the definition of commercial products and commercial services in Section 2.101 of FAR.