What Every FSO and Executive Needs to Know About FOCI Compliance
This post is based on our recent webinar, When FOCI Stops the Deal: A Guide for FSOs and Executive Teams. Watch the full recording before digging deeper below.
Executive Brief
Foreign Ownership, Control, and Influence (FOCI) is one of the most consequential compliance areas for any company holding – or pursuing – a facility clearance. A FOCI determination can shape board structure, slow contract performance, and in some cases stop a deal entirely.
Key things to know:
- FOCI evaluates whether foreign entities own, control, or influence your business in ways that could compromise national security
- The Defense Counterintelligence and Security Agency (DCSA) uses the Standard Form 328 (SF-328) – updated May 1, 2025 – as the primary tool to evaluate FOCI
- Mitigation is not a quick process, and the right instrument depends on the level and nature of foreign risk
- Responsibility for FOCI compliance sits with the Senior Management Official (SMO), not just the Facility Security Officer (FSO)
- Transparency with DCSA is the single most important factor in moving through the process efficiently
- A proposed rule from May 2026 (Section 847 of the FY20 National Defense Authorization Act (NDAA)) would extend FOCI review obligations to a much broader population of Department of Defense (DoD) (also known as the Department of War) contractors. We’ll cover that separately when the final rule lands.
Dig deeper below to learn more.
What is FOCI?
FOCI is the standard the U.S. government uses to determine whether a company can be trusted with national security information.
FOCI reviews are central to the facility clearance process. They begin with the SF-328, which is submitted to DCSA for evaluation.
DCSA reviews the form to determine the level of foreign risk, looking at:
- Ownership. What percentage of the company is held by foreign entities, and what rights come with that ownership.
- Control. Whether foreign stakeholders have the ability to direct business decisions even without a controlling ownership stake.
- Influence. Whether foreign relationships, contracts, supply chain arrangements, or board dynamics could shape how the company operates.
As Paul Michaels, CEO of Monoc Securities LLC and a longtime industrial security professional, put it: "Traditionally, DCSA really focused on ownership and control. But lately, over the last couple of years, they have really started to focus in on influence."
Ownership thresholds matter, but they are not the only thing DCSA looks at. Companies tied to adversarial nations sometimes acquire a small stake – below the threshold that triggers a mandatory report – but negotiate board seats, access to intellectual property, or financial review rights that provide meaningful control without crossing the ownership line.
Influence is murkier. It can include:
- Steering what policies the company adopts or declines
- Shaping whether the company prioritizes federal or commercial work
- Directing supply chain decisions in ways that could affect government contracts
- Pushing products or vendors into cleared environments that do not meet government specifications
Who is Responsible for FOCI Compliance?
Under 32 CFR Part 117, the legal responsibility for FOCI compliance sits with the Senior Management Official (SMO) – typically the president, CEO, or executive director of the cleared entity.
In practice, the FSO often manages the FOCI program day-to-day on behalf of the SMO. Legal counsel also frequently plays a significant role, particularly when completing and updating the SF-328.
"When we are talking legal responsibility, it belongs to the company and it belongs to the SMO," says Michaels.
The SF-328 must be kept current. Any significant organizational change – sales, acquisition, board restructuring, the addition of foreign nationals in key roles – triggers a new FOCI review. Companies are responsible for submitting updates proactively. DCSA will not tell you when to update it.
How the SF-328 Process Works
The SF-328 is the primary document DCSA uses to evaluate FOCI. It must be submitted at the start of the facility clearance process and updated whenever material changes occur.
DCSA released an updated SF-328 on May 1, 2025. If your last submission predates that version, plan to review it carefully — the form has changed in ways that matter:
- Condensed to nine questions, with consolidated nominee share / street name reporting
- Q4 now explicitly includes "binding authority" as a means of foreign control
- Q7b reporting threshold for foreign interest ownership has been lowered to 15%
- Comprehensive instructions and definitions have been added to reduce vague or incomplete responses
- A new mandatory Statement of Full Disclosure of Foreign Affiliations must accompany the form for any individual in a management position who holds a position with, serves, or represents a foreign interest
Since the updated form was released, DCSA has reported a 17% drop in the rejection rate for initial and upgrade FCL packages.
Beyond the initial clearance, FOCI reviews are also triggered by:
- Mergers, acquisitions, or changes in ownership structure
- New foreign nationals joining the board or Key Management Personnel (KMP) positions
- Significant changes to foreign contracts or supply chain arrangements
- Any material change that requires an updated SF-328
How DCSA Treats FOCI Risk
When DCSA identifies FOCI, it has five risk treatment approaches available:
- Mitigate. Reduce the risk through countermeasures — FOCI mitigation agreements and supplements. This is the most common path.
- Negate. Remove the foreign interest's ability to impact daily operations entirely.
- Transfer. Transfer the risk to a third party through a limited facility clearance.
- Accept. Accept all risk and residual risk without additional measures. Rare, and reserved for low-sensitivity situations.
- Avoid. Risk is unacceptable; deny or revoke the FCL. Least common.
Most cleared contractors with FOCI end up on the mitigate path. Of the roughly 13,129 cleared facilities under DCSA cognizance today, about 920 (7%) operate under a FOCI Action Plan.
FOCI Mitigation: What it Looks Like
For companies on the mitigate path, DCSA works with the company to determine the appropriate mitigation instrument based on the level of foreign risk. Common instruments include:
- Board Resolution (BR) or Special Board Resolution (SBR). The foreign shareholder formally agrees, at the board level, to specific controls DCSA will monitor. SBRs are the single most common FOCI action plan in use today.
- Security Control Agreement (SCA). Requires the creation of a separate governing structure, including new board members, to oversee the cleared entity.
- Special Security Agreement (SSA). Similar to an SCA but requires that outside directors approved by DCSA outnumber inside directors representing the foreign shareholder. The most prevalent of the more rigorous instruments.
- Proxy Agreement (PA). Used in the most sensitive cases, where foreign ownership is essentially held in trust by cleared U.S. nationals.
DCSA works from standard templates but tailors mitigations to the specific risk. The most consistent guidance from experienced practitioners: accept the DCSA templates as written. Deviating from them triggers additional review layers and adds significant time to the process. Get your facility clearance in place, prove your compliance posture, and pursue changes later.
What to Do Now
Whether you currently hold a facility clearance or are planning to pursue one, there are steps worth taking today:
- Review your SF-328 against the May 2025 version to ensure your filing reflects the new structure and disclosure standards.
- Confirm your KMP and management have Statements of Full Disclosure of Foreign Affiliations on file where applicable.
- Identify any pending or planned mergers and acquisitions (M&A) activity, board changes, or foreign relationships that could trigger a new FOCI review.
- Brief your SMO and legal team on where the company currently sits in DCSA's risk framework.
- Build your network of FOCI and industrial security professionals who can help you navigate questions DCSA may not always have the bandwidth to answer directly.
The FOCI process rewards transparency. Companies that are upfront with DCSA, submit accurate documentation, and work within the templates tend to move through mitigation faster and with less friction.
FAQs
Who is responsible for submitting FOCI-related documentation?
The SMO — typically the company's president or CEO — is legally responsible. The FSO often manages the program in practice, and legal counsel frequently plays a key role in completing the SF-328. DCSA will not notify companies when updates are required. It is the company's obligation to self-report any material changes.
How long does FOCI mitigation take?
There is no standard timeline. The process depends on the complexity of the FOCI, the level of foreign risk, whether KMP are already cleared, and how closely the company works within DCSA's templates. Deviating from standard templates adds time. Transparency and cooperation with DCSA reduce it.
What changed with the May 2025 SF-328?
The form was condensed to nine questions, the Q7b reporting threshold for foreign interest ownership was lowered to 15%, "binding authority" was added to Q4 as a control mechanism, and a Statement of Full Disclosure of Foreign Affiliations is now required for any management-level individual with foreign affiliations. DCSA has reported a 17% drop in rejection rates since the updated form took effect.
What is the single most important thing a company can do when going through FOCI?
Be transparent with DCSA. Companies that try to minimize or obscure their FOCI tend to end up with the most restrictive mitigation instruments. Companies that are upfront have more flexibility and move through the process more efficiently.
