Stricter regulations imposed on disclosing foreign investment in defense manufacturer companies have some corporations in a state of chaos
The Defense Counterintelligence and Security Agency (DCSA) has introduced significant changes to the SF-328 form, which is now a crucial national security tool for assessing Foreign Ownership, Control, or Influence (FOCI) risks in U.S. defense contractors. The updated process, effective from May 12, 2025, requires more comprehensive initial disclosures and aims to speed up reviews.
Key changes in the revised SF-328 form process include:
- Embedding compliance requirements directly into the form
- Lowering the foreign revenue threshold triggering disclosure from 30% to 15%, broadening the scope of companies subject to FOCI review
- Asking about 5% or more direct or indirect ownership in the entity filling out the form from a foreign source, as well as questions about certain leadership positions and concurrent service at foreign-owned companies
Contractors who submitted SF-328 before May 12, 2025, do not need to refile the old form, but all new submissions must use the updated form. Any new foreign investment or governance changes involving contractors working on defense projects must be reported via the updated SF-328.
For companies seeking to ensure compliance, the following actions are recommended:
- Use the latest SF-328 form embedded in the National Industry Security System (NISS) system, available from the Defense Counterintelligence and Security Agency.
- Review guidance and expert legal commentary, such as the podcasts with international trade attorneys discussing the form's updates in detail.
- Engage legal counsel or consulting firms specializing in government contracts and FOCI compliance to guide through nuanced disclosure requirements and FOCI mitigation strategies.
- Monitor official DCSA communications and Homeland Security Acquisition Manual updates for evolving procedural details.
The SF-328 form is typically required to be submitted as part of a proposal package for government contracts with the Department of Defense (DoD). The new form also mentions SBIR, STTR programs, and CMMC, indicating that these programs will be subject to the new requirements. It's unclear whether new solicitation documents and RFPs require an SF-328 at this time.
DCSA conducts personnel and facility security clearances for the DoD and most of the federal government. To learn more about the complex rules and requirements of providing critical technology to the government, visit the DCSA's website, which offers videos and links to a training resource called CDSE.
Grant Schweikert, a special counsel at Cooley, recommends that companies involved in the SBIR, STTR programs, or the Cybersecurity Maturity Model Certification (CMMC) program may be required to complete the SF-328 form in the future. He also suggests reading the NISPOM and checking out resources on the DCSA website for companies looking to enter the space and ensure compliance.
As the Defense Department tightens its grip on foreign investments in U.S. defense contractors, companies should treat FOCI risk management as an ongoing governance priority, not a one-time filing exercise. The broadening scope and strategic emphasis on proactive identification of foreign influence risks make it essential for companies to stay informed and prepared.
In the wake of the revised SF-328 form process, the federal workforce, including companies involved in the SBIR, STTR programs, or the Cybersecurity Maturity Model Certification (CMMC) program, should anticipate being subject to more stringent FOCI review. To stay informed and prepare for this workforce reimagined, companies are advised to utilize the latest SF-328 form, engage legal counsel, monitor official communications, and consult expert resources, such as the CDSE training on the DCSA's website. Adopting a proactive lifestyle that emphasizes chronicling technology developments, concurrent service, and foreign ownership will be crucial in managing FOCI risks in the sports and defense industries.
