ISI Insights

FOCI Requirements set to expand to non-classified contractors

Written by ISI | Nov 6, 2025 5:59:12 PM

Executive Brief

  • FOCI requirements will extend to non-classified contracts by 2026.
  • DCSA’s authority expands under Section 847 (FY20 NDAA) and DoDI 5205.87.
  • Key changes include:
    • Coverage of unclassified contracts valued at $5M or more.
    • A FOCI review during source selection.
    • Contract-by-contract assessments of risk.
  • The DoD contracting officer will decide when and how mitigation measures apply.


 

How FOCI Is Currently Determined

A contractor is considered under Foreign Ownership, Control, or Influence (FOCI) when a foreign entity has the power to direct or influence decisions that could:

  • Lead to unauthorized access to classified information, or
  • Affect performance on a classified contract or agreement.

Currently, DCSA focuses on cleared contractors with Facility Clearances (FCLs). That scope is about to grow.

What’s Changing & When

Timeline: Expansion could start in 2025, but 2026 is more likely for full rollout.

Scope: FOCI reviews will extend to unclassified DoD contracts worth $5 million or more — marking a major shift in oversight.

Why It Matters

  • Expands DCSA’s assessment capabilities.
  • Enables faster, intelligence-driven threat analyses.
  • Strengthens protection of the Defense Industrial Base (DIB).
  • Provides a clearer, data-backed view of foreign influence risks across the contractor ecosystem.

How This Impacts Defense Contractors and Subcontractors

Expect to see:

  • New disclosure requirements for beneficial ownership and foreign operations on a per-contract basis.
  • Implementation of mitigation measures to reduce FOCI risk.
  • Potential contract denials for unmitigated risk.
  • Competitive disadvantage if unable to demonstrate low FOCI exposure.

Bottom line: Transparency and risk mitigation will become key differentiators in winning DoD work.

 

The FOCI Lifecycle

The FOCI lifecycle consists of five phases:

  • Identification and Assessment: The potential for FOCI is identified when any question on the SF 328 is answered affirmatively, and it is then assessed by the cognizant security agency (CSA). For defense contractors, this will likely be the DCSA. However, an official determination of FOCI will come from your contracting officer.
  • Mitigation Negotiation: If FOCI is determined, your business will have to enter into mitigation negotiations to remain eligible for your contracts. If you negotiate and cooperate in good faith, your existing eligibility determination will remain in place. However, if your business refuses to negotiate or implement a mitigation plan, your existing determination will be revoked.
  • Mitigation Implementation: After negotiating your mitigation plan, you will then have to implement it. Failure to implement any of the new security controls will lead to your eligibility determination being revoked.
  • Mitigation Oversight: Your business will meet with your CSA at least annually to review the effectiveness of your mitigation plan and current security conditions.
  • Change Condition, Amendment, or Renewal: At any time, your CSA may require your business to implement additional security measures to protect classified information. Reasons for a change could include new ownership, a foreign intelligence threat, a current plan whose effectiveness requires an amendment, or an eligibility determination that is up for renewal.

Typical FOCI Action Plans

FOCI mitigation depends on whether the issue stems from ownership or other forms of influence.

When FOCI Is Not Related to Ownership

  • Modify or terminate foreign loan agreements or contracts.
  • Reduce foreign-source income or dependency.
  • Show financial independence from foreign entities.

When FOCI Is Related to Ownership

  • Adopt a board resolution (least restrictive) or Security Control Agreement (SCA).
    • An SCA typically applies when FOCI mitigation applies to a minority foreign investor.
  • Implement a Special Security Agreement (SSA) or Proxy Agreement (most restrictive).
    • May require a National Interest Determination (NID) to proceed with an SSA, as well as Government Security Committee (GSC) oversight, including a technology control plan, electronic communications plan, and affiliate operations plan.

Additional Mitigation or Negation Measures

  • Affiliate Operations Plan (AOP): Details how affiliated operations will be controlled and safeguarded, whether administrative, operational, or commercial.
    • Must be approved by the cognizant security agency (CSA).
  • Electronic Communications Plan (ECP): Ensures clear technical separation between contractor and foreign-affiliated systems and networks.
  • Facility Location Plan (FLP): Assists in determining whether the contractor's colocation with, or close proximity to, a foreign parent or affiliate can be allowed under the mitigation plan.
  • Technology Control Plan (TCP): Outlines security measures to prevent unauthorized access by non-U.S. personnel.

What’s Ahead for DCSA Operations

DCSA is scaling its FOCI oversight significantly:

  • Expanding from 2.5K to 43K companies under FOCI review.
  • Increasing annual reviews from ~200 to 4,300+ companies.
  • Reducing pre-award vetting time from 120 days (goal) to 25 days (target).
  • Growing its FOCI analyst team to 80 personnel (CIV/CTR).

This expansion will make DCSA’s FOCI process faster, broader, and more risk-informed — a major operational leap.

Steps Contractors Should Take Now

1. Compile Ownership Data

Identify and document all foreign entities with any ownership, control, or influence over your organization.

2. Review FOCI Mitigation Options

Evaluate potential measures like SCAs, SSAs, or internal security policies around cybersecurity and communications.

3. Budget for Compliance

Some mitigation actions—especially those involving governance or legal restructuring—may require additional compliance costs.

ISI Insight: Early preparation reduces delays and disruption once new requirements take effect.

Partner with Experts Like ISI

Mitigating FOCI risk = protecting contract eligibility.

Partnering with experts ensures your compliance framework is proactive, not reactive.

ISI Enterprises supports contractors by helping:

  • Interpret DCSA and DoD FOCI requirements.
  • Develop tailored mitigation and action plans under NISPOM and DoDI 5205.87.
  • Maintain contract readiness and eligibility for future bids.

 Learn more about ISI’s FSO & Clearance Services.

FAQ

What is Section 847?

Section 847 of the FY20 NDAA requires DoD contractors and subcontractors with contracts over $5 million to disclose their beneficial ownership and any FOCI to the Defense Counterintelligence and Security Agency (DCSA).
It promotes transparency, prevents foreign influence, and safeguards defense information through regular compliance reviews.

What is DoDI 5205.87?

DoDI 5205.87 complements Section 847 by defining how the DoD evaluates and mitigates FOCI risks.
It provides a standardized framework for assessments and mitigation, ensuring consistent enforcement and a stronger supply chain security posture.

How does SF 328 relate to FOCI?

The SF 328 (Certificate Pertaining to Foreign Interests) is the form contractors use to disclose FOCI information to DCSA.
It lists foreign ownership, control, or influence—giving the DoD visibility into national security risks tied to each contractor.