New SF-328 Released and Embedded Guidance Seeks More Information Up Front

On May 12, 2025, the Defense Counterintelligence and Security Agency (DCSA) released a new SF-328^[1] consisting of 9 questions and 6 pages of instructions that detail the types of supporting documentation requested and identify information required by different responding entities (e.g., corporate, non-profit, academic, etc.). With this SF-328, DCSA is seeking certain frequently requested information and documents with initial SF-328 submissions rather than obtaining these documents through communications or revised SF-328 submissions. Additionally, when completed, the new SF-328 is considered Controlled Unclassified Information (CUI).

The form now consists of 9 questions rather than 10 as shown below^[2]:

May 2025 SF-328

November 2018 SF-328

The new SF-328 expressly states that the form is authorized for use in the National Industrial Security Program, to carry out Section 847 of the 2020 NDAA^[3], the DoD Enhanced Security Program, the DoD Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) programs, and the DoD Cybersecurity Maturity Model Certification (CMMC) program. The form also acknowledges that applicable Freedom of Information Act (FOIA) exemptions will be invoked by the government to withhold the document from public disclosure when submitted by an entity in confidence and properly marked.

Key Takeaways

Cleared entities and entities that otherwise are required to submit SF-328s should consider:

• reviewing the new SF-328 to evaluate whether the company or entity has undergone changes requiring reporting under the new form and guidance; and
• beginning updates to SF-328s or initial preparations of SF-328s early, including identifying all company or entity stakeholders under the new SF-328 guidance.

Crowell is available to support preparation of the new SF-328 and related filings and further discuss questions concerning the new form.