Why Should They Have All the Fun? DoD Instruction Expands DCSA’s FOCI Reach Beyond Cleared Contractors
Client Alert | 4 min read | 06.06.24
On May 13, 2024, the Department of Defense (DoD) issued an instruction implementing policies and procedures that DoD will use to identify contractors (including uncleared contractors) requiring foreign ownership, control, and influence (FOCI) determinations, review related information, and address FOCI concerns. These policies and procedures were put in place pursuant to Section 847 of the 2020 National Defense Authorization Act[1] (Section 847). These FOCI requirements will, for the first time, subject many uncleared DoD contractors to rigorous disclosure requirements, scrutiny, and potential mitigation by the Defense Counterintelligence and Security Agency (DCSA).
DoD Instruction 5205.87, Mitigating Risks Related to Foreign Ownership, Control, or Influence for Covered DoD Contractors and Subcontractors, (“the Instruction”) provides direction to various DoD components, including DCSA, for FOCI review of “covered contractors,” which includes contractors and subcontractors receiving a DoD contract or subcontract with a value over $5 million, with a carve-out for contracts for commercial products and services that do not present a risk or potential risk to national security or potential compromise of certain data or systems.[2]
This comes as part of a continued focus on government supply chain security and FOCI concerns, including with respect to less-sensitive, unclassified contracts.
While the contractor-facing DFARS rule remains pending (although this rulemaking was originally scheduled for completion in 2021),[3] this internal DoD Instruction provides insight into the roles and responsibilities within DoD, as well as some of the procedures (e.g., the questionnaire that will be used to solicit the required disclosures). Companies may consider taking action to prepare for these FOCI reviews.
FOCI Review and Mitigation Requirement
Section 847 and the Instruction require that covered contractors:
- disclose to DCSA their beneficial ownership and whether they are under FOCI; and
- update such disclosures when changes occur.
FOCI Review Process
Triggering a Review
The Instruction indicates that DoD components will provide DCSA with a list of potential covered contractors (and previously identified covered contractors that will be required to submit updated FOCI information) before source selection decisions are made in acquisitions. DCSA reviews will be requested by the DoD Components or by a covered contractor on behalf of a subcontractor through a DCSA system of records (not yet designated).
The Review
- Information: As will be familiar to cleared contractors, the Instruction contemplates covered contractors providing a completed Standard Form 328 “Certificate Pertaining to Foreign Interests” (SF-328) along with other requested documentation (e.g., business documentation). The SF-328 currently consists of 10 yes/no questions that require additional explanation for each “yes” response.
In recent years, DCSA has asked progressively more follow up questions and sought more detail in SF-328 responses, including probing ownership that the contractor has otherwise identified as domestic. It is well known that DCSA’s FOCI concerns have broadened beyond focusing primarily on ownership to examining the softer elements of foreign “influence” (e.g., foreign contracts/revenue, foreign officers/directors, and foreign subsidiaries). - Steps: DCSA will be responsible for conducting a FOCI review within 25 working days of a DoD component request. After review, DCSA will provide, if appropriate, a risk indicator report or risk mitigation strategy to the applicably DoD Component. Based on DCSA’s recommendation, the Principal Staff Assistant or DoD Component will determine whether the covered contractor is found to be under FOCI and what mitigations are required.
FOCI Mitigation
If the DoD component determines that FOCI mitigation cannot sufficiently protect against identified risks, then the contract, subcontract, or defense research assistance award may not be awarded, amended, or extended.
If the DoD component requires FOCI mitigation for an award to a covered contractor, DCSA, the covered contractor, and contracting officer will need to agree to the exact mitigation measures before award. For subcontractors, the mitigation measures may be agreed after contract award but before contract performance.
DCSA will execute final FOCI mitigation measures with the covered contractor within 90 working days of the contract or defense research assistance award. However, the measures should be executed and implemented by the covered contractor within 90 calendar days of either award or, for subcontracts, commencement of performance.
The mitigation will remain in place for the duration of the contract, subcontract, or defense research assistance award while the covered contractor remains under FOCI.
Key Takeaways
Companies that do not currently hold a facility clearance that hold, or may consider pursuing, DoD contracts in excess of $5 million for other than commercial products and services should:
- review the SF-328 form;
- begin developing a plan for responding to the SF-328 when required, including collecting certain relevant information on foreign ownership and other foreign contacts made by the contractor (i.e., foreign customer contracts or debts); and
- assess whether DCSA may identify FOCI concerns and begin considering what mitigations may be required.
[1] Amended by Section 819 of the 2021 National Defense Authorization Act.
[2] Specifically, the definition of “covered contractor” is any company that “is an existing or prospective contractor or subcontractor of the DoD on a contract, subcontract, or defense research assistance award with a value exceeding $5 million. Contractors for commercial products or services are excluded, unless the designated Principal Staff Assistant or DoD Component official determines that the contract involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system.”
[3] This date was rescheduled from the original March 2021.
Insights
Client Alert | 3 min read | 12.10.24
Fast Lane to the Future: FCC Greenlights Smarter, Safer Cars
The Federal Communications Commission (FCC) has recently issued a second report and order to modernize vehicle communication technology by transitioning to Cellular-Vehicle-to-Everything (C-V2X) systems within the 5.9 GHz spectrum band. This initiative is part of a broader effort to advance Intelligent Transportation Systems (ITS) in the U.S., enhancing road safety and traffic efficiency. While we previously reported on the frustrations with the long time it took to finalize rules concerning C-V2X technology, this almost-final version of the rule has stirred excitement in the industry as companies can start to accelerate development, now that they know the rules they must comply with.
Client Alert | 6 min read | 12.09.24
Eleven States Sue Asset Managers Alleging ESG Conspiracy to Restrict Coal Production
Client Alert | 3 min read | 12.09.24
New York Department of Labor Issues Guidance Regarding Paid Prenatal Leave, Taking Effect January 1
Client Alert | 4 min read | 12.06.24