Summary
As a result of a broader U.S. government effort to address supply chain vulnerabilities, Congress passed a new law focused on U.S. Department of Defense (DOD) contracting with certain entities that operate under foreign ownership, control or influence (FOCI). What was once a restriction primarily on companies performing on classified DOD contracts will soon apply to contractors and subcontractors performing on certain unclassified contracts, as well as research and development (R&D). More specifically, contractors and subcontractors that are or wish to perform on unclassified, non-commercial DOD contracts exceeding $5 million in value will need to report information regarding any FOCI issues. If the contract is sensitive and/or the FOCI raises concerns, the DOD will have the authority to cancel the contracts or require that the contractor put in place corporate mitigation in order to perform on the contract free of any perceived FOCI.
Final rules implementing the process will be issued soon, so all current and prospective DOD contractors and subcontractors, especially those currently operating under unmitigated FOCI (which is defined in 32 C.F.R. 117.11), should be aware of these new rules and prepared to address their application.
The New FOCI Law
On May 13, 2024, the DOD issued Instruction 5205.87: Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors (Instruction), requiring DOD agencies to comply with Section 847 of the National Defense Authorization Act for Fiscal Year 2020 (FY20 NDAA). Broadly, Section 847 of the FY20 NDAA significantly expands FOCI reviews for contractors, as the DOD previously only conducted such assessments where contractors and subcontractors sought or held security clearances and/or accessed DOD classified or controlled unclassified information.
Section 847 requires the DOD to collect FOCI information for covered contractors (and subcontractors) performing on non-commercial contracts exceeding $5 million in value. Disclosures of FOCI are to be provided at the time the contract or subcontract is awarded, amended, or renewed, but not later than a year after the DOD issues final implementing regulations. The rules also apply to R&D and procurement activities. In addition, Section 847 mandates that subject contractors or subcontractors update and disclose changes to FOCI to the DOD throughout the life of the contract. Such rules will likely be included as clauses to DOD contracts. Contractors determined to be under FOCI must also disclose contact information for each of their beneficial foreign owners, as defined in statute.
Section 847 requires the DOD to assess and evaluate the FOCI and determine whether such FOCI would pose a risk or potential risk to national security or a potential compromise to sensitive data, systems, or processes, such as personally identifiable information, cybersecurity, or national security systems.
Notably, Section 847 excludes contractors and subcontractors providing commercial products or services as defined in FAR 2.101. Notwithstanding that limitation, however, a designated senior DOD official may conclude that a national security risk could warrant a FOCI review for specific commercial item contracts.
DoD Instruction 5205.87
The Instruction organizes the DOD’s implementation of Section 847 of the FY20 NDAA, assigning responsibilities to relevant DoD agencies and officials to determine if the beneficial ownership of a covered contractor or subcontractor requires FOCI mitigation. As currently organized, principals within the DOD, such as the Under Secretary of Defense for Acquisition and Sustainment (USD A&S) and the Under Secretary for Defense Research and Engineering (USD R&E), among others, will be required to collect FOCI information from contractors and subcontractors. They will then provide that information to the Under Secretary of Defense for Intelligence and Security (USD I&S) who would, through the director of Defense Counterintelligence and Security Agency (DCSA) review the FOCI and potentially recommend FOCI mitigation.
The Instruction provides procedures to help DCSA analyze whether the contractor or subcontractor poses risks to U.S. national security to warrant mitigation measures. In conducting a FOCI review, the DCSA would analyze various risk factors, such as relevant foreign interest, the government of such foreign interest, record of compliance with U.S. laws, the type and sensitivity of the information the entity would have access to, and any other factor that indicates or demonstrates capability of foreign interests to control or influence the entity's operations or management, among others. See 32 C.F.R. 117.11(b).
In its Instruction, the DOD revealed that subject contractors and subcontractors could initially and throughout the life of the contract be required to submit a Standard Form 328, otherwise known as the Certificate Pertaining to Foreign Interests. The Certificate is a 10-question document used by DCSA to determine a company’s FOCI risk as it includes questions about foreign ownership and contracts with foreign persons, among other issues.
Based on its assessment, the DCSA will subsequently provide a risk indicator report or a FOCI assessment and proposed risk mitigation strategy to the DOD contracting officer no later than 25 working days after receiving a request. The contracting officer will then make the ultimate decision whether to proceed with FOCI mitigation or determine to cancel, not renew, or not award a contract. Where accepted and necessary, the DCSA will execute and oversee the FOCI mitigation measures with the covered contractor or subcontractor. This will also apply to defense research assistance awards. These mitigation actions can vary from relatively simple measures such as board resolutions, to fairly complex matters that include the appointment of outside directors, cybersecurity plans, and annual audits and reporting, among many other measures.
[View source.]
