DoD Expands FOCI Reviews Beyond Cleared Contractors: What the New Instruction Means

A quietly issued DoD Instruction extends Foreign Ownership, Control or Influence reviews to all DoD contractors — not just those holding clearances. Here's the supply-chain picture.

Brandon Hancock, J.D., CMMC-RP | Published August 6, 2024 | Updated June 5, 2026 | 6 min read

Without much fanfare, on May 13, 2024, the Department of Defense published a new DoD Instruction (DoDI) that broadens who gets scrutinized for foreign ties. The headline: Foreign Ownership, Control or Influence (FOCI) review — long a feature of the *cleared* contractor world — is being extended toward the broader DoD contractor base, including companies doing unclassified work. Here is what defense contractors and their subs should understand.

The Problem DoD Is Targeting

DoD's concern is the integrity of the defense industrial base (DIB) supply chain. As the new guidance frames it, supply-chain risk is *asymmetric* — a vulnerability can be introduced at any tier, from a prime down to a small business, and in classified or unclassified work alike. A component, a software dependency, or an ownership stake at a lower tier can become a national-security problem regardless of clearance status.

What Changes

Historically, FOCI analysis applied to contractors that hold facility clearances and access classified information, administered through the security-clearance system. The new DoDI expands that review posture so that foreign ownership and influence concerns can be examined across a wider population of DoD contractors — reaching companies that previously sat outside the cleared-contractor framework.

In practice, this means:

  • More entities may face FOCI-style scrutiny, including those performing only unclassified work.
  • Additional filings and information requests about ownership, control relationships, and foreign connections.
  • A larger role for the Defense Counterintelligence and Security Agency (DCSA) in reviewing supply-chain and foreign-influence risk across tiers.

How This Fits the Cyber and Supply-Chain Picture

FOCI is not a cybersecurity rule, but it lives in the same neighborhood. DoD increasingly treats who controls a supplier as inseparable from how secure that supplier is — both are supply-chain integrity questions. Defense contractors already managing DFARS 252.204-7012 and CMMC, SPRS scoring, and NIST SP 800-171 should view FOCI review as another layer of the same diligence: proving the trustworthiness of your company and your lower tiers.

What to Do Now

  • Map your ownership and control structure, including foreign investors, board seats, and significant foreign contracts or debt.
  • Know your lower tiers. If you flow work to subs, understand their ownership too — risk at any tier can reach the prime.
  • Prepare for additional filings. Keep organizational records, ownership disclosures, and foreign-relationship documentation current and retrievable.
  • Coordinate security and corporate functions. FOCI questions cut across legal, security, and finance — assign an owner before a request arrives.

Key Takeaways

  • A May 13, 2024 DoD Instruction extends FOCI-style review beyond cleared contractors toward the broader DoD contractor base — including unclassified work.
  • Expect additional filings and DCSA reviews focused on foreign ownership and supply-chain integrity.
  • Treat FOCI as part of the same supply-chain trust picture as your cyber obligations.

Because implementation details evolve, confirm the current DoDI text and any DCSA guidance before acting.

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.