A new proposed Defense Federal Acquisition Regulation Supplement (DFARS) FARS Rule, DFARS Case 2021-D011 would:

• Significantly expand the scope of foreign ownership, control or influence (FOCI) reviews that would have profound implications for any contractor doing business (or seeking to do business) with the Department of Defense (DoD) under a contract greater than $5 million, including, potentially, commercial contractors; and
• Fundamentally change the role of the Defense Counterintelligence and Security Agency (DCSA) in connection with FOCI reviews by giving DCSA a central, gatekeeping function in defense contracting that has previously been limited to DoD contractors who require access to classified information as part of the National Industrial Security Program (NISP). Vendors who provided purely commercial or unclassified goods or services previously never interacted with the DCSA to do business with the DoD.

It remains to be seen how DCSA will administer its new role, how it will apply these standards and what downstream effects this will have across the defense industrial base. But commercial goods or services contractors may be facing a brave new world.

Basic Requirement

DFARS Case 2021-D011 requires any contractor or subcontractor with a DoD contract valued above $5 million to disclose beneficial ownership information and any FOCI to the DCSA, even when no classified work is involved. Commercial contracts are generally exempt; however, a designated (but unnamed) senior DoD official can determine that “the contract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes,” potentially sweeping in some of these contracts at this official’s discretion. The Pentagon estimates that over 37,000 companies could ultimately be affected by the rule, approximately 57% of which are small businesses.

Two New Clauses, Many Questions

The Proposed Rule creates two new clauses:

• DFARS 252.240-70“XX” would require offerors to provide a “current, accurate, and complete” Standard Form (SF) 328, Certificate Pertaining to Foreign Interests and supporting documents for DCSA review in the National Industrial Security System (NISS). And, for procurements, contracting officers will be unable to issue awards unless the contractor or prospective contractor has an eligible status in the NISS or an exception applies.  
• DFARS 252.240-70“YY” would require the contractor to accept any risk mitigation strategies NISS prescribes at the time of contract award, option exercise, modification or identification of post-award changes and implement those strategies within 90 calendar days. These requirements also flow down to subcontracts and instruments that exceed $5 million, including the flow down requirement itself. A contractor also is responsible for ensuring their subcontractors who are subject to the rule maintain an eligible status in NISS prior to subcontract award and throughout subcontract performance, and for reporting changes in FOCI during performance. If the changes create a FOCI issue, the contractor has three business days to report and provide risk mitigation actions. If DCSA assesses a risk or potential risk to national security, the contractor has 10 business days to initiate a plan of action to implement any DCSA recommendations.

The Proposed Rule raises significant implementation questions. DCSA would now be responsible for carrying out a mission different from the one it traditionally performs. Key aspects of the proposed rule also remain unclear, such as the office or criteria that will be used to apply this rule to commercial contracts and how the $5 million threshold itself would be calculated.

In addition, modern companies often have complex ownership structures that include venture capital and private equity investment and multinational corporate structures and subsidiaries in multiple countries. All of these factors create uncertainty amongst the defense contracting community.

Guidance for Contractors and Private Equity

What, then, can companies do in the face of this uncertainty? The answer is to:

• prepare;
• build compliance competence and infrastructure now; and
• have complete and accurate forms ready to submit, which can provide a competitive advantage.

Companies should become familiar with the Proposed Rule and engage their compliance departments to identify potential exposure. Companies may hold multiple contracts or subcontracts that qualify under the rule. Small businesses, many of which may have never dealt with FOCI, may make up over half of the affected businesses and may need a great deal of guidance while also being the least able to afford comprehensive legal support. Compliance personnel should consider not only a company’s own contracts and subcontracts, but also its agreements with covered subcontractors as well, to ensure that requirements are flowed down as necessary with plenty of runway for this learning process.

Although the rule contains a carveout for commercial items, it also provides that a senior DoD official can apply FOCI requirement to commercial contracts where that official determines the contract may involve a risk or a potential risk to national security or potential compromise. The criteria for this determination are so broad that it may be a matter of complete discretion. Companies that perform commercial contracts may not be insulated from this rule, particularly if the company’s contracts involve providing goods or services involving Controlled Unclassified Information (CUI), Controlled Technical Information (CTI) or Covered Defense Information (CDI).

For contractors that already perform classified work, the practical effects of this rule change are that DCSA, regardless of its capabilities, will almost certainly extend its response time for its regular work, and a substantial backlog in everything from new applications under the rule to DCSA changed conditions packages seems likely to follow. Contractors who submit incomplete, inaccurate or unclear forms will likely face delays followed by resubmission requests, making it important to seek legal counsel to minimize such delays. Procurement delays due to DCSA review may also lead to more contract extensions. Companies competing for awards that are late to disclose or have complex ownership structures may be disadvantaged in procurement due to these long processing times for FOCI reviews.

For private equity (PE), the proposed rule represents a fundamental risk shift for defense-industry companies. PE-owned companies may present complex FOCI structures that include foreign partners and/or co-investors that involve sovereign wealth funds, foreign pension funds or foreign investors. There may also be foreign management, directors or board members. The proposed rule requires disclosing all these ownership layers. For such companies, M&A diligence can consider potential complications from DCSA review for companies with DoD contracts above this $5 million threshold.

Even if they are not contemplating M&A at this time, PE-owned companies can be prepared by auditing the beneficial ownership of their portfolio companies and mapping the beneficial ownership to identify whether any foreign investors hold positions that could trigger FOCI concerns under existing DCSA standards. These companies also should consider whether any limited partnership agreements contain provisions that indicate influence. If potential FOCI is found, these companies should understand mitigation mechanisms that may be imposed, such as independent board membership and access controls that might affect the economics of portfolio companies. Finally, companies must determine whether they are subject to the rule and prepare for SF-328 documentation if that is the case.

Next Steps

Here are practical steps companies can take now in response to the Proposed Rule:

1. Determine whether your company wishes to submit any comments by close of the notice and comment period July 6 and post comments.
2. Identify all DoD contracts and subcontracts exceeding $5 million, including subcontracts at any tier and indefinite delivery contracts with orders in aggregate amounting to $5 million.
3. Gain an understanding of your company’s full ownership structure, including documenting and developing a logical flow chart of any foreign exposure (i.e., foreign investors).
4. Determine whether your commercial products and commercial services are eligible for exemption and identify potential risk exposure to any exceptions under the rule.
5. Determine the role of limited partners and whether they have influence over governance or investment decisions. If so, this should be part of your documentation.
6. Identify whether your company or its subsidiaries are competing for DoD contracts or subcontracts valued at greater than $5 million. It is important to note that this includes subcontracts at any tier, which may be overlooked.
7. Evaluate M&A targets under the new paradigm, adding FOCI screening into pre-letter-of-intent diligence for any defense-industry target.
8. Consider engaging counsel where complex PE or foreign ownership is involved.
9. For each entity that competes for DoD contracts, begin constructing the SF-328 package. Seek legal counsel if necessary.

Miles & Stockbridge’s Government Contracts practice has deep experience advising defense contractors, subcontractors and investors on FOCI compliance, DCSA industrial security requirements, SF-328 submissions and FOCI mitigation strategy. We are actively reviewing the proposed rule and can assist clients who wish to submit comments, prepare for NISS eligibility determinations, structure transactions to minimize FOCI exposure or develop SF-328 submissions for the DCSA.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.