Insights
DoD’s Discretionary Power to Pull “Commercial” Companies into FOCI Review
On May 7, 2026, the Department of Defense (“DoD”; also referred to as the Department of War, or “DoW”) released a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement Section 847 of the FY 2020 National Defense Authorization Act (“NDAA”) and Section 819 of the FY 2021 NDAA.2
As discussed in a previous Torres Trade Law article on FOCI expansion, here, the proposal would significantly expand the DoD’s approach to identifying and mitigating risks related to Foreign Ownership, Control, or Influence (“FOCI”). Section 847 of the FY 2020 NDAA significantly expands FOCI scrutiny beyond the traditional cleared contractor context, as FOCI requirements may now apply to commercial products, commercial services, and even COTS (commercially available off‑the‑shelf) items, if a senior DoD official determines the contract involves a risk to national security because of sensitive data, systems, or processes.
This is the first time the DoD has been given explicit authority to apply FOCI rules to commercial-item contractors based on data exposure rather than the nature of the purchased product. Using FPDS data, DoD projects that the rule could affect tens of thousands of entities when offerors and subcontractors are included; potentially over 37,000 companies, more than half of which qualify as small businesses.
What FOCI Is
Foreign Ownership, Control, or Influence (FOCI) exists when a foreign person or entity has the power—direct or indirect—to influence or control a U.S. company’s operations, decisions, or management. FOCI can arise through ownership stakes, board representation, debt arrangements, joint ventures, or other business structures.3
FOCI presents several risks, including:
-
Foreign entities gaining access to confidential or sensitive information
-
Foreign adversaries are using complex legal structures to obscure ownership
-
Attempts to bypass U.S. oversight, compliance, or investigation
-
Cyber or economic espionage tied to foreign investors or partners
The DoD notes that close allies generally present lower FOCI risk, while adversaries such as China, Russia, Iran, and North Korea present higher risk.
DoD’s New Authority Over Commercial Companies
Historically, commercial-item contractors were exempt from many national-security requirements under 10 U.S.C. § 3452. Under the proposed rule, a designated senior DoD official may apply FOCI disclosure and mitigation requirements to commercial products or commercial services once a government contract exceeds $5 million, but only if the official determines that the contract involves:
“a risk or potential risk to national security because of sensitive data, systems, or processes.” (Proposed Rule, printed page 24783)
The keyword in § 847(c)(1) is “potential” security risk. This gives DoD vague discretionary authority. Moreover, there is no established bright line for what the DoD would consider sensitive data, systems, or processes, nor is there a prior precedent available to provide specific guidance regarding how the DoD intends to apply this discretion. Under the proposed rule, theoretically, any commercial item listed in the Federal Procurement Data System (FPDS) Product and Service Codes (PSC) Manual could be subject to FOCI requirements if:
-
The DoD awarded more than $5 million in contracts for that item or category
-
The contract exposes the contractor to sensitive data, systems, or processes
The largest commercial item suppliers to the U.S. government may face greater FOCI scrutiny where contract performance involves access to sensitive logistics data, personnel information, facility-level delivery schedules, biometric data, health-related data, pharmaceutical distribution data, IT systems, or other sensitive government processes. Beyond commercial IT and cloud services, the expanded FOCI review framework may therefore affect some non-traditional contractors, depending on the nature of the contract and the level of access involved.
This does not mean that entire commercial sectors will automatically be subject to FOCI review. Rather, the proposed rule appears to give DoD broader discretion to evaluate FOCI concerns when a contractor’s ownership, control, financing, or foreign relationships could create national security risk in connection with a specific government contract. In passing, this could include contractors supplying or supporting areas such as:
-
Consumer electronics, including commercial routers and drones
-
Tools, hardware, and generators
-
Office devices, supplies, and furniture
-
Construction materials and facility-related goods
-
Pharmaceuticals, medical supplies, and health-related distribution
-
Apparel, textiles, food, or other commercial goods where contract performance involves sensitive logistics, installation, personnel, or supply chain data
The risk is that contractors in non-traditional sectors could be brought within FOCI review if their contracts expose them to sensitive government information, systems, locations, or processes. For example, DLA Troop Support currently spends more than $2 billion each year on commercial clothing, including uniforms, boots, and other textile items for government or military use.4 High-volume procurement related to uniforms, food distribution, pharmaceuticals, hardware, or installation support may involve supply chain, delivery, facility, or personnel information that DoD could treat as national security-relevant in certain circumstances.
This could mean that commercial companies with no explicitly classified work or defense services could be required to file SF 328, disclose beneficial ownership, report foreign investors, lenders, and service providers, implement mitigation measures within 90 days, and undergo continuous monitoring in the National Industrial Security System (“NISS”).
Non-Traditional Commercial Contracts Potentially Within Scope
The figures below show that major federal procurement activity extends beyond traditional cleared defense contractors. In FY 2025, the following commercial goods categories exceeded $5 million in contracts and ranked among the highest-value commercial goods categories meeting that threshold:
|
FSC Code |
Category |
Contract Value |
|---|---|---|
|
5340 |
Hardware, Commercial |
$149,744,670 |
|
5680 |
Miscellaneous Construction Materials |
$50,798,685 |
|
7520 |
Office Devices and Accessories |
$24,162,454 |
Source: Data retrieved from USAspending.gov.
For FY 2026, the government’s top three highest-value commercial goods categories thus far are pharmaceuticals, medical supplies, and hardware materials and appliances:
|
PSC Code |
Description |
FY 2026 Contract Amount |
|---|---|---|
|
6505 |
Pharmaceuticals, vaccines, biologics |
$16,177,598,894 |
|
5340 |
Commercial hardware, fittings, fasteners |
$44,522,509 |
|
N072 |
Installation of household & commercial furnishings/appliances |
$1,005,708 |
Source: Data retrieved from USAspending.gov.
Furthermore, procurement of goods and services related to these industries routinely exposes contractors to sensitive geographic, health, or IT system data, which the proposed DFARS rule may now treat as national security-relevant.
Conclusion
If DoD applies the rule broadly, commercial contractors in construction, hardware, office supplies, and apparel sectors may face new ownership disclosure and mitigation obligations. Companies that sell commercial goods or services to DoD should assess whether their contracts exceed the $5 million threshold, whether their performance involves sensitive government data or systems, and whether their ownership, financing, governance, or foreign business relationships could raise FOCI concerns. The proposed rule gives DoD substantial discretion; contractors should closely monitor the rulemaking process and prepare for potential compliance applications.
***
The attorneys at Torres Trade Law, PLLC regularly assist U.S. and foreign companies with FOCI, CFIUS, export controls, sanctions, defense trade compliance, and national security-related due diligence. If you have questions about how the proposed DFARS rule may affect your company’s DoD contracting opportunities, beneficial ownership disclosures, mitigation obligations, or broader FOCI compliance posture, please contact our team for assistance.
1 I would like to thank our intern, Mary Abi-Karam, for her contributions to this article.
2 Defense Federal Acquisition Regulation Supplement: Mitigating Risks Related to Foreign Ownership, Control, or Influence (DFARS Case 2021-D011), 91 Fed. Reg. 24,783 (proposed May 7, 2026) (to be codified at 48 C.F.R. pts. 212, 217, 240 & 252).
3 Office of Indus. Base Growth, U.S. Dep’t of Def., Foreign Ownership, Control, or Influence (FOCI), https://business.defense.gov/Resources/FOCI/ (last visited June 10, 2026).
4 Chris Erbe, Demand of Textile Items Could Rise, DLA Director Tells Industry Officials, Def. Logistics Agency (Mar. 25, 2019), https://www.dla.mil/About-DLA/News/News-Article-View/Article/1794105/demand-of-textile-items-could-rise-dla-director-tells-industry-officials/.