The SF-328 (Certificate Pertaining to Foreign Interests) is the form DCSA uses to evaluate whether your company has foreign ownership, control, or influence — and what to do about it. It was overhauled in May 2025. Section 847 is about to require it from 37,000 contractors who have never seen it. This is your complete guide.
The Standard Form 328 — officially the Certificate Pertaining to Foreign Interests — is the primary form the Defense Counterintelligence and Security Agency (DCSA) uses to evaluate Foreign Ownership, Control, or Influence (FOCI) in defense contractors.
When you submit an SF-328, you are telling DCSA everything about who owns your company, who controls it, and whether any foreign nationals or foreign entities have the ability to influence how it operates. DCSA uses this information to determine whether your company poses a national security risk — and if so, what mitigation is required before you can access classified information or, under the new Section 847 rule, perform certain unclassified defense work.
The form was significantly updated on May 12, 2025 — the first major revision since 2018. The new version is now mandatory for all submissions. When completed, it is classified as Controlled Unclassified Information (CUI) and protected from FOIA disclosure.
Two separate tracks. Know which one applies to you.
You must submit an SF-328 if your company is:
This has been required since the NISP was established. If you hold an FCL today and have not submitted a 2025-version SF-328, you will need to when your next changed condition or renewal occurs.
Under the proposed DFARS rule (May 7, 2026), you will need to submit an SF-328 if:
Comment period closes July 6, 2026. Final rule expected late 2026. Compliance required within 90 days of contract award once finalized. Start preparing now.
Section 847 DetailsThe updated 2025 SF-328 consolidated 10 questions into 9 and significantly expanded the instructions. Here is what each question covers and what trips companies up.
Does any foreign person, entity, or government own 5% or more of any class of your company's securities or voting interest? This question was expanded in 2025 to require disclosure of the entire beneficial ownership and control structure for any entity holding 5%+. Nominee shares and street name holdings previously in Q8 are now consolidated here.
Do foreign persons hold board seats, officer positions, or other positions that give them the ability to direct or decide company policy? Includes foreign nationals on advisory boards with meaningful access to operations.
Is any foreign government, or entity owned/controlled by a foreign government, involved in ownership or control? Sovereign wealth funds, state-owned enterprises, and government pension funds all trigger this question — even through intermediary entities.
Do you have licenses, agreements, or other arrangements with foreign entities that give them access to your technology, technical data, or intellectual property? This includes source code escrow arrangements and joint development agreements.
Are you indebted to a foreign person or entity? Includes loans, lines of credit, bonds, and other debt instruments. The 2025 update expanded this to cover arrangements that give foreign creditors covenants or consent rights over company operations.
Do you have contracts, agreements, or understandings with foreign persons that give them a right to appoint personnel, influence management decisions, or receive preferential treatment in business decisions?
Do you derive revenue, net income, gifts, tuition, or endowments from foreign sources? The 2025 update lowered the reporting threshold from 30% to 15% of total revenue or net income, and added tuition, gifts, and endowments to the list. For contractors, focus on revenue concentration from foreign customers.
Do any of your KMP (directors, officers, and others who influence management) hold positions with foreign entities? The 2025 form adds a supplemental FDFA (Statement of Full Disclosure of Foreign Affiliations) for each KMP with foreign affiliations — a two-page questionnaire covering the nature of the foreign role, length of association, and degree of operational involvement.
A catch-all for any other foreign interest, arrangement, or relationship not captured above. DCSA uses this as a prompt for companies to disclose anything that a reasonable person would consider relevant to a foreign influence assessment — even if it does not fit neatly into questions 1–8.
DCSA reviews your submission for completeness and accuracy. The 2025 form was redesigned to reduce back-and-forth by requiring more information upfront. Expect DCSA to contact you if clarification is needed — respond promptly, as delays count against your processing timeline.
Timeline: Varies — incomplete submissions add weeksDCSA makes one of three findings: (A) No FOCI — proceed with FCL application, no mitigation required; (B) FOCI exists, mitigable — mitigation agreement required before FCL can be granted; (C) FOCI exists, not mitigable — FCL cannot be granted (very rare).
Processing: Avg. 155 days (no FOCI) • 266 days (FOCI, Tier 2) • 263 days (full mitigation)DCSA will propose a mitigation instrument. Options range from a simple Board Resolution (least restrictive) to a Special Security Agreement (SSA) or Proxy Agreement (most restrictive). The right instrument depends on the nature and degree of foreign ownership and the classification level of work you intend to perform.
Negotiation: 30–90 days typicalOnce a mitigation agreement is in place, your obligations do not end — they begin. Annual GSC compliance reports, self-inspections, DCSA vulnerability assessments, changed condition notifications, and document library maintenance are all recurring requirements.
Recurring: Annual reports • Annual self-inspection • Periodic DCSA visitsForeign ownership is disclosed but the foreign parent agrees not to exercise control. Used when foreign interest is limited and passive.
Foreign parent has minority ownership. US-citizen board majority required. Annual compliance reporting to DCSA.
Foreign parent owns majority. Government Security Committee (GSC) of US-citizen directors required. Most extensive compliance obligations including ECP, TCP, AOP.
Foreign parent's voting rights held by US-citizen proxy holders approved by DCSA. Reserved for highest-risk situations or Top Secret level work.
Fulcrum Advisory has experience with FOCI compliance across the full lifecycle — from initial SF-328 assessment through mitigation agreement navigation, ongoing compliance management, and DCSA engagement preparation.
A Fulcrum Advisory consultant will review your situation and respond within one business day. You can also reach us directly at info@fulcrumadvisory.us.
No — existing submissions are not required to be resubmitted solely because the form changed. However, any new submission, changed condition package, or FCL renewal initiated after May 12, 2025, must use the updated form. If you submitted under the old form and your package is already in NISS, DCSA will process it under the prior version.
DCSA requires disclosure of any foreign person or entity owning 5% or more of any class of securities or voting interest. This threshold was expanded in 2025 to require mapping the entire beneficial ownership chain — not just the immediate shareholder. A foreign LP in a VC fund that holds 5%+ of your company must be traced and disclosed.
Finding FOCI is not a disqualifier. The vast majority of companies with FOCI receive a mitigation agreement (Board Resolution, SCA, SSA, or Proxy) that allows them to proceed with FCL and classified contract work. The key is to engage DCSA transparently and early. Companies that disclose completely tend to receive favorable treatment versus those where DCSA discovers undisclosed interests.
Processing times vary significantly based on FOCI complexity. DCSA averages approximately 155 days for companies with no FOCI concern, 266 days for Tier 2 (some FOCI mitigation required), and 263 days for full FOCI mitigation cases. Incomplete submissions and slow responses to DCSA inquiries are the most common sources of delay.
NISS (National Industrial Security System) is DCSA's online portal for all facility security clearance applications and FOCI submissions. Your company's Facility Security Officer (FSO) or authorized representative initiates the submission through NISS. If you do not yet have an FCL or NISS account, submission typically occurs through a sponsoring contracting officer or agency.
Not yet in most cases. As of mid-2026, Section 847 is still in proposed rulemaking — the DFARS proposed rule was published May 7, 2026, with comments due July 6, 2026. The final rule is not yet in force. However, DCSA has stated it is already conducting FOCI assessments for mission-critical unclassified acquisitions, and the rule is widely expected to be finalized in late 2026. The smart move is to assess your ownership structure now, before a contract award triggers the requirement.
The Statement of Full Disclosure of Foreign Affiliations (FDFA) is a two-page supplement added to the 2025 SF-328. It must be completed by any Key Management Personnel (KMP) — directors, officers, and others who influence management — who hold positions with foreign entities. The FDFA requests information about the nature of the foreign role, length of association, and degree of operational involvement. Companies with internationally mobile leadership teams should expect this to significantly increase their SF-328 preparation burden.