New SF-328 Released and Embedded Guidance Seeks More Information Up Front
Client Alert | 26 min read | 05.16.25
On May 12, 2025, the Defense Counterintelligence and Security Agency (DCSA) released a new SF-328[1] consisting of 9 questions and 6 pages of instructions that detail the types of supporting documentation requested and identify information required by different responding entities (e.g., corporate, non-profit, academic, etc.). With this SF-328, DCSA is seeking certain frequently requested information and documents with initial SF-328 submissions rather than obtaining these documents through communications or revised SF-328 submissions. Additionally, when completed, the new SF-328 is considered Controlled Unclassified Information (CUI).
The form now consists of 9 questions rather than 10 as shown below[2]:
May 2025 SF-328
November 2018 SF-328

The new SF-328 expressly states that the form is authorized for use in the National Industrial Security Program, to carry out Section 847 of the 2020 NDAA[3], the DoD Enhanced Security Program, the DoD Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) programs, and the DoD Cybersecurity Maturity Model Certification (CMMC) program. The form also acknowledges that applicable Freedom of Information Act (FOIA) exemptions will be invoked by the government to withhold the document from public disclosure when submitted by an entity in confidence and properly marked.
Key Takeaways
Cleared entities and entities that otherwise are required to submit SF-328s should consider:
- reviewing the new SF-328 to evaluate whether the company or entity has undergone changes requiring reporting under the new form and guidance; and
- beginning updates to SF-328s or initial preparations of SF-328s early, including identifying all company or entity stakeholders under the new SF-328 guidance.
Crowell is available to support preparation of the new SF-328 and related filings and further discuss questions concerning the new form.
Insights
Client Alert | 2 min read | 08.27.25
CPSC Maintains Momentum on eFiling Requirements for Consumer Products
A question often asked by consumer product companies these days is whether the eFiling requirements will go into effect as planned given the political upheaval at the U.S. Consumer Product Safety Commission (CPSC) and the dismissal of the three Democrat Commissioners. While that is an impossible question to answer with certainty, all signals suggest the requirements will be implemented on schedule for July 8, 2026.
Client Alert | 10 min read | 08.27.25
The New EU “Pharma Package”: Advertising – A Comparison of Commission/Parliament/Council Positions
Client Alert | less than 1 min read | 08.26.25
Contractors and Competition - Antitrust Probes of Classified Intel Require a Delicate Balance
Client Alert | 3 min read | 08.26.25