Loading...
The Department of Defense is removing its duplicative National Industrial Security Program (NISP) regulations governing Foreign Ownership, Control, or Influence (FOCI) procedures for cleared contractors. This final rule eliminates DoD's redundant oversight in favor of centralized administration by N

Breaking analysis of what happened and who is affected.
The Department of Defense is removing its duplicative National Industrial Security Program (NISP) regulations governing Foreign Ownership, Control, or Influence (FOCI) procedures for cleared contractors. This final rule eliminates DoD's redundant oversight in favor of centralized administration by N
Read full report →Segment ImpactDeep dive into how this impacts each market segment.
This final rule removes the DoD's regulations on the National Industrial Security Program (NISP) regarding industrial security procedures and practices related to foreign ownership, control, or influence (FOCI) for U.S. Government activities. The interim final rule currently in effect is duplicative
Read full report →Action KitActionable checklists and implementation guidance.
This final rule removes the DoD's regulations on the National Industrial Security Program (NISP) regarding industrial security procedures and practices related to foreign ownership, control, or influence (FOCI) for U.S. Government activities. The interim final rule currently in effect is duplicative
Read full report →The Department of Defense is removing its duplicative National Industrial Security Program (NISP) regulations governing Foreign Ownership, Control, or Influence (FOCI) procedures for cleared contractors. This final rule eliminates DoD (Department of Defense)'s redundant oversight in favor of centralized administration by NARA's Information Security Oversight Office (ISOO), which already maintains authoritative NISP regulations. Cleared contractors operating under facility security clearances (FCLs) must now reference ISOO's 32 CFR Part 2004 as the sole regulatory authority for FOCI mitigation instruments, ownership reporting, and industrial security procedures. This consolidation does not change substantive FOCI requirements but eliminates regulatory duplication that has created compliance confusion.
Contractor Segments:
NAICS Codes (primary exposure):
Agencies:
Contract Vehicles:
No. The substantive FOCI requirements remain identical. This rule only eliminates DoD's duplicative regulations in favor of NARA ISOO's authoritative version at 32 CFR Part 2004. Your SSA, Proxy Agreement, Voting Trust Agreement, or other FOCI mitigation instrument remains in full force. However, you must now cite 32 CFR Part 2004 as the regulatory authority in all documentation, not the obsolete 32 CFR Part 117. Your FSO should immediately update compliance matrices, security procedures, and training materials to reference the correct regulation.
No. DCSA field operations remain unchanged. Industrial Security Representatives (ISRs) will continue conducting security reviews, processing SF-328 ownership changes, and administering FOCI mitigation instruments using the same procedures. The only difference is that DCSA now operates exclusively under ISOO's 32 CFR Part 2004 authority rather than maintaining parallel DoD regulations. Your ISR remains your primary point of contact for all FCL and FOCI matters.
Not solely because of this regulatory change. Existing FOCI mitigation instruments remain valid. However, if you submit new or amended FOCI documentation (ownership changes triggering SF-328 updates, SSA modifications, or new mitigation proposals), ensure all regulatory citations reference 32 CFR Part 2004. Proactively update your internal compliance documentation to avoid confusion during your next DCSA security review. Contractors should also review their CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide) to ensure ownership data systems properly track FOCI thresholds.
Cabrillo Signals War Room detected this Federal Register publication within minutes of NARA posting and automatically classified it as HIGH severity based on its impact to cleared contractors across the Defense Industrial Base. The platform's regulatory change monitoring continuously scans Federal Register, agency policy memoranda, and DCSA guidance to identify shifts in NISP, FOCI, CMMC, and other compliance frameworks that affect proposal strategy and capture positioning.
Immediate Platform Actions:
Cabrillo Signals Intelligence Hub should be configured to track follow-on guidance from DCSA, ISOO policy clarifications, and agency-specific implementation memoranda. Set up saved searches for solicitations requiring FCLs in your target NAICS codes (particularly 336411, 541330, 541512) to identify opportunities where updated FOCI compliance documentation may provide competitive advantage. The Intelligence Hub's agency tracking will flag when DoD components issue updated security requirements guides or DD Form 254 templates reflecting the new regulatory citations.
Proposal Studio (Proposal OS) compliance matrices must be updated immediately. The AI-powered compliance engine should be retrained to flag any proposal content citing 32 CFR Part 117 as outdated. Update your win theme library to emphasize your company's proactive regulatory compliance and FSO training on current ISOO regulations. The bid/no-bid decision engine should weight FOCI-related risk factors based on 32 CFR Part 2004 thresholds, particularly for opportunities requiring Top Secret FCLs or work with foreign-owned competitors.
Proposal Studio Workflow Tracker should trigger an immediate compliance audit gate for all active proposals involving classified requirements. Route to your FSO and Contracts Director for verification that Section L compliance matrices, organizational conflict of interest representations, and security capability narratives reference 32 CFR Part 2004. The audit-ready documentation feature ensures all regulatory citations are traceable to current authority.
Notification Chain:
First 48-Hour Playbook:
Hour 0-4: FSO conducts emergency audit of all active FOCI mitigation instruments (SSAs, Proxy Agreements, Voting Trust Agreements) to identify documents citing 32 CFR Part 117. Capture team pulls all active proposals with classified requirements for compliance matrix review. Proposal Director freezes all security-related boilerplate until updates complete.
Hour 4-12: FSO drafts updated facility security procedures and FOCI compliance documentation referencing 32 CFR Part 2004. Proposal team updates compliance matrices for all active pursuits with submission deadlines within 30 days. Business Development reviews pipeline in Cabrillo Signals Match Engine to identify upcoming opportunities where security clearance capability is a discriminator.
Hour 12-24: General Counsel reviews teaming agreements and subcontractor flow-downs for regulatory citation updates. Proposal Director updates all templates in Proposal Studio library. FSO schedules training session for cleared employees on regulatory consolidation. Contracts Director coordinates with DCSA ISR to confirm no additional reporting required.
Hour 24-48: Capture Managers brief proposal teams on updated compliance approach and competitive positioning strategy. Business Development uses Cabrillo Signals Intelligence Hub to set up alerts for DCSA guidance updates and agency implementation memoranda. CFO reviews budget impact of any additional FSO training or compliance documentation updates. Executive leadership receives briefing on regulatory change and 30-day compliance verification plan.
---