One of the few areas of bipartisan Legislative and Executive Branch alignment over the past decade is an increasing seriousness about supply chain security for the defense industrial base. Defense contractors are by now familiar with the pattern: a compliance requirement is announced, implementation timelines slip, industry treats it as theoretical, and then it becomes a mandatory reality seemingly overnight. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program (see Fluet Insight) is a prime example, with many now rushing to catch up to a requirement that suddenly has real teeth. Section 847 of the FY 2020 National Defense Authorization Act (NDAA) is the next regulatory shift that defense contractors need to prepare for and the implementing regulations are finally here.

The Pentagon had already begun laying the operational groundwork through DoD Instruction 5205.87, issued in March 2024. Since then, the Defense Counterintelligence and Security Agency (DCSA), the DoW entity responsible for ensuring that cleared contractors protect classified information while working on government contracts, has indicated it is actively building the infrastructure to process what it estimates will be over 40,000 annual FOCI assessments — up from roughly 2,000 today. However, the implementation timeline for this now six-year-old Congressional mandate has not been made clear—until now. On May 7, 2026, DoW published a proposed rule to implement Section 847 through the addition of new provisions in the Defense Federal Acquisition Regulation Supplement (DFARS), with a July 6 deadline for comments.

Previously, defense contractors could view Foreign Ownership, Control, or Influence (FOCI) as a specialized requirement relevant only to those holding Facility Security Clearances (FCLs) to perform classified work. Section 847 changes that calculus. This Insight serves as a primer for defense contractors on how FOCI scrutiny will expand well beyond the classified space, what to expect as the DFARS rulemaking advances, and what steps companies should be taking now.

Key Takeaways:

  • The $5M Threshold: Section 847 applies to all “covered” defense contracts, subcontracts, and research awards valued at or exceeding $5 million, including options.
  • Expanding to Unclassified Contracts: Unlike traditional FOCI reviews tied to the National Industrial Security Program (NISP), Section 847 extends FOCI reviews to unclassified contractors.
  • Beneficial Ownership and FOCI Disclosure: Contractors must identify and disclose their beneficial ownership, as well as foreign persons and entities that directly or indirectly hold ownership or serve as board members or management officials, with a requirement for continuous updates and annual reporting.
  • DFARS Proposed Rule: The proposed rule creates Part 240, Information Security and Supply Chain Security, requiring covered contractors to submit detailed information about their foreign ties via the SF-328 form.
  • Subcontractor Flow-Downs: Prime contractors will soon be responsible for ensuring that subcontractors performing on subcontracts in excess of $5 million are also compliant, creating a “ripple effect” through the supply chain.
  • The “CMMC Parallel”: Just as CMMC transformed cybersecurity from a “best practice” and unenforced contract term to a “contract eligibility” requirement, Section 847 makes FOCI a core element of a contractor’s “responsibility determination.”
  • Proactive Preparation is Key: Even without a final DFARS clause in every contract today, DCSA is already operationalizing these reviews for “mission-critical” acquisitions, and the proposed rule makes clear that these changes are coming soon for a much broader set of contractors.

What is Section 847 and What are the Requirements?

Section 847 of the FY 2020 NDAA was designed to protect the defense supply chain from adversarial influence. It mandates that the Pentagon improve its process for assessing FOCI risks in the defense industrial base, dramatically expanding the FOCI assessment and mitigation process from cleared contractors to all contractors with DoW contracts above $5 million (with exceptions for contracts for commercial products and services). The FOCI assessment is wide-ranging and considers a multitude of foreign linkages, including foreign owners, board members, management officials, suppliers, and customers.

Under the implementing guidance of DoD Instruction 5205.87 (effective May 13, 2024), and the new proposed rule and proposed DFARS provisions, the process includes:

  1. Mandatory Reporting: Submission of beneficial ownership data and other detailed information on a potential contractor’s FOCI via the SF-328 form into a centralized DCSA system of records.
  2. 25-Day Review Cycle: Once a review is triggered, DCSA has 25 working days to provide a Risk Indicator Report or a full FOCI Assessment.
  3. Discretionary Mitigation: Unlike the NISP, where mitigation is often a binary “pass/fail” for a clearance, Section 847 mitigation is discretionary and contract specific. The government may choose to accept the risk, require a mitigation agreement, or decline the contract award.
  4. Continuous Requirements: If beneficial ownership or FOCI changes during the life of the contract, the onus is on contractors to update their reporting to DCSA. This reporting, along with the initial disclosure, give significantly more information to the government about a company’s business, including aspects of the business that entirely unrelated to the government contract,
  5. Mitigation Agreement: While it remains to be seen precisely how FOCI mitigation will be handled for uncleared contractors, FOCI mitigation agreements for cleared contractors will likely impose significant operational requirements, including the addition of cleared U.S. citizen “outside directors” and in some cases even full U.S. person “proxy boards.”

The CMMC Lesson: Don’t Wait for Rule Implementation

The most dangerous mistake a contractor can make is to assume that since the DFARS rule is only in the proposed rule phase, no action is needed. We observed precisely this dynamic with respect to CMMC 2.0, and companies that delayed implementing the requisite protocols pending the issuance of the final rule are now scrambling to meet compliance hurdles that take months or years to clear.

Section 847 may be on a similar path, except the Pentagon is already using its authority to conduct these reviews for “mission-critical” programs. By the time a specific Section 847 clause appears in a solicitation, the government will expect FOCI data, including on any beneficial owners, to be ready for DCSA’s 25-day review. If a company has foreign ownership, has received significant foreign investment, or merely benefits from material foreign suppliers and customers, waiting until the bid stage to address FOCI could lead to a contracting award delay or a determination that the company is “not responsible.”

Next Steps for Defense Contractors

Section 847 represents a fundamental shift toward an intelligence-driven, enterprise-wide assessment of foreign influence. It is no longer a security niche; it is a business reality for contractors doing business with DoW. Prime contractors and subcontractors that act now, by conducting internal self-assessments and mapping their FOCI based on the SF-328 criteria, will be best positioned to maintain their competitive edge as these requirements become standard in Pentagon acquisitions.

If you are a defense contractor with awards exceeding $5 million, now is the time to conduct a preliminary FOCI self-assessment. Contact Fluet’s International Trade and Government Contracts Practices for help navigating these emerging requirements and ensuring governance structures are ready for the next wave of Pentagon scrutiny.