Aerospace & Defense FOCI Mitigation

DCSA Facility Security Clearance, FOCI Mitigation, and Special Security Agreements in Defense M&A

Acquiring a defense contractor that holds a facility security clearance places the transaction inside one of the most regulated frameworks in U.S. corporate law. The National Industrial Security Program, administered by the Defense Counterintelligence and Security Agency, conditions every classified contract on continuous compliance with security requirements that transfer obligations from seller to buyer in ways that have no analog in commercial M&A. Understanding the FOCI mitigation spectrum, the role of outside directors, and the operational demands of a Government Security Committee is not optional for buyers in this space. It is the threshold competency required to close and operate after closing.

Request Engagement Assessment

The NISPOM Statutory Framework

The National Industrial Security Program Operating Manual, known as NISPOM, is the foundational regulatory instrument governing the protection of classified information in the hands of private contractors. It is authorized under Executive Order 12829, which established the National Industrial Security Program, and implemented through Department of Defense Instruction 5220.22. The NISPOM establishes the baseline requirements that all cleared defense contractors must satisfy: personnel security procedures, physical security standards, information systems controls, and the specific obligations that arise when foreign interests become involved in the ownership or control of a cleared company.

The statutory authority underlying the NISPOM traces to the National Security Act, the Atomic Energy Act, and the Arms Export Control Act, which together grant the Executive Branch broad authority to condition access to classified national security information on compliance with security requirements it specifies. For defense contractors, this authority is delegated to the DoD, which has in turn delegated operational administration to DCSA. The result is a regulatory system in which a contractor's ability to perform on classified government work depends entirely on its maintenance of a valid facility security clearance, and that clearance is subject to suspension or revocation if DCSA determines that the contractor has failed to meet its obligations.

The NISPOM was comprehensively revised and codified at 32 C.F.R. Part 117 effective February 2021, converting what had been an incorporated reference document into a binding federal regulation. That codification matters for M&A practitioners because it means NISPOM obligations are now enforceable with the same legal weight as any other federal regulation, not merely as contractual conditions in a government contract. Buyers acquiring cleared contractors must understand that they are acquiring regulatory obligations, not simply contractual ones, and that the regulatory obligations survive the transaction regardless of how the purchase agreement addresses them.

Facility Clearance Levels: Confidential, Secret, Top Secret, and SCI

A facility security clearance, commonly called an FCL, authorizes a contractor to access classified information at or below the level of the clearance. The three main classification levels are Confidential, Secret, and Top Secret, arranged in ascending order of sensitivity. Sensitive Compartmented Information, known as SCI, sits above Top Secret and is governed by additional rules administered by the Director of National Intelligence in addition to the NISPOM framework.

A Confidential facility clearance authorizes access to information whose unauthorized disclosure could reasonably be expected to cause damage to national security. A Secret clearance covers information whose disclosure could cause serious damage. A Top Secret clearance covers information whose disclosure could cause exceptionally grave damage. The practical significance of these distinctions in M&A is that the level of the facility clearance directly affects which FOCI mitigation instruments DCSA will accept. For Confidential and some Secret work, DCSA may accept a Security Control Agreement. For Top Secret and SCI work, DCSA is significantly more likely to require a Special Security Agreement or, in cases of substantial foreign ownership, a Proxy Agreement or Voting Trust.

Buyers must conduct clearance-level due diligence as part of any defense acquisition. The relevant questions are: what level of clearance does the target hold, what programs is it currently performing under that clearance, and what level of classified access will the ongoing business require. The answers determine which mitigation instruments are available and, by extension, whether the transaction is executable within the buyer's timeline and structure. A buyer that discovers mid-stream that the target's most significant contracts require Top Secret access, and that the buyer's foreign investor structure will require a Proxy Agreement, may find that its original deal timeline is off by 12 months or more.

DCSA's Oversight Role

The Defense Counterintelligence and Security Agency, which assumed the functions of the former Defense Security Service in 2019, is the cognizant security agency responsible for administering the NISPOM for most DoD contractors. DCSA issues and maintains facility security clearances, conducts security reviews and inspections, approves FOCI mitigation instruments, and has authority to suspend or revoke clearances when a contractor is out of compliance.

DCSA's M&A role begins with the contractor's obligation to notify DCSA promptly when there is a change in ownership, control, or foreign interest that could affect the facility clearance. This notification obligation exists independently of any notification requirement in the purchase agreement or under Hart-Scott-Rodino. DCSA notification typically occurs before closing, and in many transactions DCSA's approval of a mitigation instrument is a condition to closing because the buyer cannot legally operate the classified business without it.

DCSA conducts its review through Industrial Security Representatives assigned to cleared facilities. When a transaction is reported, DCSA will open a FOCI review, evaluate the ownership structure, determine whether FOCI exists, and if so, identify what mitigation instrument it will require. DCSA also coordinates with the relevant program offices and contracting officers for classified contracts in the target's portfolio, because those agencies retain independent authority over the classified work being performed. A transaction that satisfies DCSA may still face delays if individual program offices are slow to acknowledge the mitigation instrument or if they impose additional requirements for particularly sensitive programs.

For contractors performing work that implicates other cognizant security agencies, such as the Department of Energy for nuclear-related programs or the intelligence community for SCI programs, DCSA coordinates with those agencies. Buyers should identify all cognizant security agencies applicable to the target's programs during due diligence, because multi-agency coordination adds time and complexity that is not visible from a simple facility clearance review.

FOCI Triggers and the SF-328 Certificate

Foreign Ownership, Control, or Influence, referred to throughout the NISPOM as FOCI, is the condition that triggers the mitigation framework. FOCI exists when a foreign interest has the ability to direct or decide matters affecting the management or operations of the contractor in a manner that could adversely affect classified information or the performance of classified contracts.

The NISPOM identifies specific numeric thresholds that create presumptive FOCI: foreign ownership of 25% or more of the contractor's voting stock; a single foreign shareholder with 10% or more of significant voting rights; or the presence of 10 or more foreign nationals on the board of directors. These thresholds are not the only way FOCI can arise. DCSA also evaluates whether foreign interests exercise de facto control through economic relationships, technology licensing arrangements, loan covenants, personnel placement, or other mechanisms that fall below the numeric thresholds but effectively allow a foreign party to influence management decisions.

The instrument through which a contractor discloses its foreign interest to DCSA is Standard Form 328, the Certificate Pertaining to Foreign Interests. The SF-328 requires disclosure of all foreign ownership percentages, foreign nationals serving as directors or officers, foreign government relationships, and sources of foreign revenue above certain thresholds. It is a certification signed by a senior officer of the company, and its accuracy is a legal obligation. Knowingly making false statements on the SF-328 exposes the signing officer to criminal liability under 18 U.S.C. Section 1001.

In an M&A context, the SF-328 must be completed and submitted when the ownership change occurs. Counsel should treat the SF-328 preparation as a parallel workstream to the purchase agreement negotiation, not a post-closing task. The information required to complete the SF-328 accurately is largely the same information that needs to be developed for the FOCI analysis: the identity and citizenship of all owners, the percentage of voting and non-voting interests, the composition of the board, and any contractual arrangements that could give a foreign party influence over management. That due diligence work product should feed the SF-328 directly.

Board Resolution: The Lightest Mitigation Instrument

A Board Resolution is the least restrictive mitigation instrument available under the NISPOM. It is available only when the foreign interest is minimal, typically where foreign ownership falls below 5% and DCSA concludes that the foreign interest does not create meaningful FOCI risk. Under a Board Resolution, the contractor's board passes a formal resolution committing to comply with all NISPOM requirements and to notify DCSA of any changes in foreign interest.

The Board Resolution does not require outside directors, a Government Security Committee, or any restructuring of governance. It is essentially a formal acknowledgment that the contractor understands its obligations and commits to maintaining them. Because it imposes so little operational burden, it is the fastest instrument to obtain and the one DCSA approves with the least scrutiny. However, it is also the most limited. A Board Resolution is not available for any transaction that creates meaningful foreign ownership, and it provides no mechanism for DCSA oversight of day-to-day operations.

For buyers that are structured as purely domestic entities with only minor foreign investor participation, a Board Resolution may be sufficient. For any transaction involving a foreign strategic buyer, a private equity fund with significant foreign limited partner concentration, or a foreign parent company, a Board Resolution will not be adequate and should not be planned for.

Security Control Agreement

A Security Control Agreement is a contractual instrument negotiated between the contractor and DCSA that imposes specific governance and operational controls designed to prevent the foreign interest from accessing or adversely affecting classified information. The SCA is appropriate when FOCI exists but is not so extensive that DCSA concludes that effective mitigation requires outside directors or the more intrusive instruments in the spectrum.

Under an SCA, the contractor's existing management is permitted to retain authority over classified operations, subject to the controls specified in the agreement. Those controls typically include restrictions on access to classified information by foreign nationals affiliated with the foreign parent, requirements for physical security measures, limitations on the sharing of technology with the foreign parent, and obligations to maintain Technology Control Plans and Electronic Communications Plans as described below. The SCA also requires the contractor to establish internal controls and reporting mechanisms that allow DCSA to verify compliance.

The SCA is more demanding than a Board Resolution but less intrusive than an SSA. It does not require the appointment of outside directors and does not require the establishment of a Government Security Committee. The company's own management team, provided it is composed of cleared U.S. citizens, can operate classified programs under the SCA framework. For transactions where the foreign interest is a minority investor with limited governance rights, the SCA is frequently the appropriate instrument.

Negotiating an SCA requires close coordination between legal counsel and the company's Facility Security Officer. The FSO has primary responsibility for implementing the SCA's operational requirements and must understand exactly what the agreement demands before it is finalized. An SCA that imposes obligations the FSO cannot practically implement, or that are inconsistent with the company's actual operational structure, will create compliance gaps that surface during DCSA inspections.

Special Security Agreement

A Special Security Agreement is the most frequently encountered mitigation instrument in significant defense M&A transactions. It is required when DCSA determines that the foreign interest is substantial enough that the contractor's existing management team, operating alone, cannot be relied upon to insulate classified information from the foreign parent. The SSA addresses this concern by requiring the appointment of outside directors who hold U.S. security clearances and who are independent of the foreign parent, and by establishing a Government Security Committee through which those outside directors exercise supervisory authority over all classified operations.

The SSA is a formal agreement between three parties: the contractor, the foreign parent (or the foreign interest holding entity), and DCSA. Each party assumes specific obligations. The contractor commits to operating its classified business only through structures approved by DCSA and to implementing the operational controls specified in the agreement. The foreign parent agrees to limit its participation in contractor governance to matters that do not affect classified programs and to cooperate with the GSC and outside directors. DCSA commits to the mitigation framework and retains authority to conduct compliance reviews.

The Technology Control Plan is a core deliverable under an SSA. The TCP identifies all controlled technology the contractor possesses, establishes procedures for limiting access to that technology to authorized personnel, and specifies how the contractor will prevent the foreign parent from gaining access through shared information systems, joint facilities, or personnel movement. The Electronic Communications Plan, similarly required under an SSA, governs how electronic communications are controlled to prevent inadvertent transfer of classified or export-controlled technical data to foreign persons.

From a deal structuring perspective, the SSA often requires ring-fencing the cleared subsidiary from the broader corporate group. This may mean establishing separate information systems, separate physical facilities, separate financial reporting, and separate personnel functions. The cost and operational complexity of ring-fencing should be quantified during due diligence and included in the buyer's valuation model. Companies that underestimate ring-fencing costs frequently discover post-closing that the cleared business is more expensive to operate than the seller represented.

Proxy Agreement and Voting Trust Agreement

A Proxy Agreement and a Voting Trust Agreement represent the most restrictive end of the FOCI mitigation spectrum. Both instruments require that the foreign parent transfer its voting rights over the cleared contractor to U.S. citizens who hold government-approved security clearances and who exercise those rights independently of the foreign parent. The difference between the two instruments lies primarily in the legal mechanism used to accomplish the transfer: a Proxy Agreement uses a formal proxy arrangement, while a Voting Trust involves the creation of a trust under which U.S. proxy holders or trustees hold and vote the stock.

A Proxy Agreement or Voting Trust is required when DCSA concludes that the foreign interest is so pervasive that even an SSA with outside directors cannot adequately protect classified information. This situation arises most commonly when the foreign parent holds a majority ownership interest, when the classified programs involved are at the Top Secret or SCI level, or when the nature of the foreign interest (for example, a foreign government-owned enterprise) makes any degree of continued foreign governance involvement unacceptable.

The practical effect of a Proxy Agreement or Voting Trust is that the foreign parent loses operational control of the cleared entity for purposes of all matters affecting classified programs. The proxy holders or trustees, who must be approved by DCSA and cannot be employees, officers, or affiliates of the foreign parent, effectively operate the cleared business as an independent entity. The foreign parent retains its economic interest, meaning it receives dividends and bears economic risk, but it cannot direct management, remove officers, or influence operational decisions.

For a foreign strategic buyer that intends to integrate the acquired business into its global operations, a Proxy Agreement or Voting Trust may be functionally incompatible with the acquisition thesis. A buyer that wanted to transfer technology, share management resources, or integrate supply chains will find that the Proxy or Voting Trust structure prevents it from doing so. That incompatibility should surface during due diligence, before the acquisition is structured as a transaction that will require these instruments.

Outside Director Selection and DCSA Approval

Outside directors are the personnel through whom an SSA operates in practice. They sit on the contractor's board specifically to exercise supervisory authority over classified operations, and they do so independently of the foreign parent. Their selection, qualification, and DCSA approval are among the most time-consuming elements of the SSA negotiation process.

Outside directors must be U.S. citizens. They must hold, or be eligible to hold, a Personnel Security Clearance at the level required by the cleared work the contractor performs. They must be free of conflicts of interest, meaning they cannot have employment relationships, financial relationships, or family relationships with the foreign parent or its affiliates that could compromise their independence. DCSA will conduct a background investigation of each proposed outside director before approving the appointment, and that investigation takes time.

Candidates for outside director roles typically come from a pool that includes former senior government officials, retired military officers, former intelligence community professionals, and independent corporate directors with national security experience. The pool is not unlimited, and suitable candidates who are willing to take on the obligations of an outside director role are in demand across the defense industry. Identifying qualified candidates early in the transaction process is advisable, because delays in DCSA's approval of outside director nominees directly delay the effectiveness of the SSA and, by extension, the contractor's ability to continue performing on classified contracts.

Outside directors are compensated for their service, typically through director fees negotiated as part of the SSA or the company's board compensation structure. The compensation must be structured to avoid creating financial dependence on the foreign parent that could compromise the outside directors' independence. Counsel should review the compensation structure carefully to ensure it cannot be characterized as giving the foreign parent indirect influence over outside director conduct.

Government Security Committee Operations

The Government Security Committee is the formal governance body through which outside directors exercise their authority over classified operations under an SSA. It is not an advisory body. The GSC has substantive decision-making authority over matters affecting the protection of classified information, and its decisions cannot be overridden by the foreign parent or by board members affiliated with the foreign parent.

The GSC's jurisdiction covers a defined set of operational matters: approving the Technology Control Plan and any amendments; approving the Electronic Communications Plan; reviewing and approving access requests by foreign nationals; overseeing the Facility Security Officer's activities; reviewing compliance with DCSA requirements; and addressing any security incidents or potential violations. On matters outside this jurisdiction, the foreign parent's board representatives participate normally. The division of authority is specified in the SSA and must be implemented consistently in the company's governance documents.

The GSC is required to meet on a regular schedule, at minimum annually, and more frequently when the volume of classified activity warrants it. Meeting minutes must be maintained and are subject to DCSA review during inspections. The outside directors must be actively engaged in GSC work, not merely nominal participants. DCSA has the authority to interview outside directors and to review GSC records to determine whether the committee is functioning as intended.

A Government Security Monitor, commonly referred to as a GSM, may be assigned by DCSA to observe and report on GSC operations. The GSM is a government employee who attends GSC meetings, reviews records, and reports to DCSA on whether the SSA is being implemented effectively. Not all SSA companies are assigned a GSM, but those performing particularly sensitive classified work frequently are. Buyers should anticipate the operational implications of GSM oversight, including the administrative burden of preparing for and responding to GSM inquiries.

Interim Clearance and Pre-Closing Security Reviews

One of the most significant operational risks in defense M&A is the gap between the signing of a purchase agreement and the effective approval of a FOCI mitigation instrument. During that period, the target's facility clearance may be in a suspended or provisional state, which can affect its ability to accept new classified work or to perform on existing classified contracts.

DCSA may grant an interim facility clearance to allow a contractor to continue performing classified work while the full mitigation instrument is under review. Interim clearance is a discretionary decision by DCSA, not an entitlement. It is more likely to be granted when the buyer has a track record with DCSA, the proposed mitigation instrument is well-developed and likely to be approved, the classified programs involved are at lower sensitivity levels, and the contracting officers for the relevant programs are supportive of interim operation.

Pre-closing security reviews are increasingly common in significant defense transactions. Before closing, the buyer and seller submit the proposed mitigation structure to DCSA for advance review, with the goal of identifying and resolving issues before the transaction closes and before the clearance enters a formal review period. This approach is not guaranteed to accelerate DCSA's timeline, but it reduces the risk of surprise. Counsel experienced in defense transactions will structure the pre-closing review submission to address the specific factors DCSA scrutinizes most heavily for the applicable mitigation instrument.

Purchase agreements in defense transactions should address the clearance risk allocation directly. Standard provisions include covenants requiring the seller to maintain the facility clearance through closing, representations about the current status of classified contracts and any pending DCSA reviews, closing conditions tied to DCSA action on the mitigation instrument, and interim operating covenants that restrict the buyer from taking actions that could prejudice DCSA's review. The interplay between these provisions and the deal economics, particularly in long-tail transactions where DCSA approval could take 12 months or more, requires careful attention.

Post-Closing Reporting, SSA Amendments, and Allied Security Coordination

The obligations that arise from a FOCI mitigation instrument do not end at closing. For contractors operating under an SSA, Proxy Agreement, or Voting Trust, post-closing compliance is an ongoing operational function that requires dedicated resources and active legal oversight.

Annual reporting to DCSA is mandatory under most mitigation instruments. The annual report typically covers the company's ownership structure, the composition of its board and management, any changes to its classified programs or contracts, a certification of outside director independence, and a summary of GSC activities during the year. Failure to submit timely and accurate annual reports is itself a compliance deficiency that DCSA takes seriously.

SSA amendments are required whenever the ownership structure of the contractor changes materially. Ownership changes include not only sales of equity but also reorganizations, recapitalizations, changes in the foreign parent's ownership of the holding company, and changes in the identity of the foreign investors in a private equity structure. The SSA will specify the notification timeline, and DCSA's review of the amendment may require the same level of analysis as the original instrument negotiation. Buyers with portfolio company structures that are subject to frequent recapitalization or secondary sales should build SSA amendment obligations into their fund governance processes.

DCSA conducts periodic compliance inspections of cleared facilities, including those operating under FOCI mitigation instruments. These inspections review physical security, personnel security, information systems security, and the implementation of the specific requirements in the applicable mitigation instrument. Inspection findings that identify material deficiencies can result in corrective action plans and, in serious cases, clearance suspension. Companies that treat the mitigation instrument as a closing condition to be satisfied once and then forgotten will eventually face inspection findings that create significant operational disruption.

For defense contractors with international operations, FOCI mitigation in the United States must be coordinated with equivalent security requirements in allied nations. The United Kingdom's Ministry of Defence administers its own facility clearance system under the UK Security Policy Framework, and contractors that hold both U.S. and UK clearances must satisfy both regimes. Similar bilateral coordination obligations exist for contractors operating under clearances issued by Canada, Australia, and other Five Eyes partners, as well as NATO member nations. The International Visits and Agreements program administered by DCSA governs how cleared U.S. contractors interact with foreign government personnel and provides the framework for coordinating security obligations across jurisdictions.

Buyers in cross-border defense transactions should engage counsel with experience in both U.S. and applicable foreign security regimes. A mitigation structure that satisfies DCSA may not simultaneously satisfy the UK MOD or the equivalent agency in another allied nation, and optimizing the structure across multiple regimes requires coordination that purely domestic counsel cannot provide.

Frequently Asked Questions

How long does FOCI mitigation take, and how does it affect deal timelines?

FOCI mitigation timelines vary significantly based on the instrument selected. A Board Resolution is the fastest option and can be approved within 30 to 60 days when foreign ownership is below 5% and DCSA accepts the structure. A Security Control Agreement typically requires 60 to 120 days. A Special Security Agreement, which requires appointing outside directors, forming a Government Security Committee, and negotiating detailed compliance plans, commonly takes 6 to 12 months from initial filing to final approval. A Proxy Agreement or Voting Trust, the most complex instruments, can extend to 12 to 18 months or longer due to the depth of review DCSA conducts and the complexity of outside director and proxy holder vetting. Buyers and sellers should identify the likely instrument during due diligence and build those timelines into the purchase agreement, including appropriate closing condition language tied to DCSA action.

How does a buyer choose between an SCA, SSA, Proxy Agreement, and Voting Trust?

The selection is driven by the degree of foreign interest and the sensitivity of the classified work involved. A Security Control Agreement is appropriate when the foreign interest is significant but not dominant, and when the government is satisfied that management controls can adequately insulate classified information. A Special Security Agreement is required when foreign ownership or control reaches a level where DCSA determines that U.S. management personnel cannot adequately protect classified information without the structural participation of outside directors operating through a Government Security Committee. A Proxy Agreement or Voting Trust is required in the most sensitive cases, particularly for programs at the Top Secret or SCI level or when the foreign parent has ownership that makes an SSA inadequate. The determination is not purely formulaic. DCSA evaluates the totality of the foreign interest, the nature of the classified programs, and the proposed ownership structure before specifying which instrument is required.

What qualifications must outside directors meet to satisfy DCSA?

Outside directors appointed under an SSA must hold or be eligible to hold a Personnel Security Clearance at the level required by the classified work the company performs. They must be U.S. citizens with no foreign nationals or foreign government affiliates in their immediate family who could create a counterintelligence risk. DCSA reviews each proposed outside director for financial conflicts, prior employment history, and relationships with the foreign parent or its affiliates. Outside directors must be independent, meaning they cannot be employees, officers, or directors of the foreign parent company or its subsidiaries. They typically include former senior government officials, retired military officers, or independent business executives with relevant experience. DCSA retains the authority to reject proposed outside directors and require substitutions, which can add months to the mitigation timeline if initial nominees are not accepted.

What is the required composition of a Government Security Committee?

The Government Security Committee is the board-level body that exercises supervisory authority over all classified operations under an SSA. It must include at minimum the outside directors appointed pursuant to the SSA. In many structures, the Facility Security Officer sits as a non-voting participant or advisor to the GSC. The GSC is responsible for approving the Technology Control Plan, the Electronic Communications Plan, and any significant operational decisions that could affect the protection of classified information. The GSC must meet on a regular schedule, at least annually and more frequently when classified contract activity warrants it. Meeting minutes are maintained and may be subject to review by DCSA. The outside directors on the GSC cannot be outvoted or overridden by the foreign parent or its affiliated board members on matters within the GSC's jurisdiction.

Can a defense contractor obtain an interim facility clearance during DCSA review?

An interim facility clearance is possible in certain circumstances, but it is not guaranteed and should not be assumed as part of deal planning. DCSA may grant interim clearance status to allow a contractor to continue performing on classified contracts while the full mitigation instrument is under review, provided that preliminary review of the proposed structure does not reveal disqualifying factors. Interim clearance is more likely to be available where the transaction involves a buyer who already holds facility clearances, where the proposed mitigation instrument is a Board Resolution or SCA rather than an SSA or Proxy, and where the classified programs involved are at lower sensitivity levels. For programs involving Top Secret or SCI access, DCSA is considerably less likely to grant interim status. Contracting officers must also separately approve any interim arrangements for active classified contracts, and there is no guarantee that program offices will accept interim clearance as a substitute for full DCSA action.

What happens if ownership of an SSA company changes after the agreement is in place?

Any ownership change affecting a company operating under an SSA requires notification to DCSA and, in most cases, a formal amendment to the existing agreement. The SSA itself will contain specific provisions governing the notification timeline, which is commonly 30 days from the date of the ownership change or the date the company becomes aware of it. DCSA will evaluate whether the change materially alters the foreign interest analysis, whether the existing mitigation instrument remains adequate, and whether a more restrictive instrument is now required. In some cases, a change in ownership will trigger a full re-evaluation as if the mitigation were being negotiated for the first time. Companies that fail to notify DCSA of ownership changes risk suspension or revocation of their facility clearance, which would immediately affect their ability to perform on classified contracts. Buyers acquiring SSA companies should include in the purchase agreement representations and covenants addressing notification obligations and cooperation with DCSA.

Can a defense contractor lose classified contracts if FOCI mitigation is poorly structured?

Yes. If FOCI mitigation is inadequate, DCSA has authority to suspend or revoke a contractor's facility clearance. Revocation terminates the contractor's ability to access classified information, which effectively makes it impossible to perform on classified government contracts. Contracting officers are required to take action when a contractor loses its clearance, which can include terminating classified contracts for convenience or cause depending on the circumstances. Beyond direct revocation, a poorly structured mitigation instrument that fails an annual review or a DCSA compliance inspection can result in a corrective action period, during which the contractor is on notice that clearance revocation is possible if deficiencies are not resolved. The business consequence is severe. Defense contractors whose revenue depends substantially on classified work cannot survive clearance revocation, which is why selection of the correct mitigation instrument and rigorous ongoing compliance are essential from the earliest stages of the transaction.

Who must complete the SF-328 Certificate Pertaining to Foreign Interests, and when?

The SF-328, formally titled Certificate Pertaining to Foreign Interests, must be completed by any entity seeking or holding a facility clearance when there is a change in ownership, control, or foreign interest that could affect the clearance. This includes the target company in a transaction where a foreign person or entity is acquiring an interest. The SF-328 is submitted to DCSA through the National Industrial Security System and must be signed by a senior officer of the company, typically the CEO or president, who certifies the accuracy of the disclosed information. The form requires disclosure of all foreign ownership percentages, foreign nationals on the board or in key management positions, foreign sources of revenue, and any foreign government contracts or relationships. Completing the SF-328 accurately and completely is critical, because misrepresentation or omission can result in enforcement action independent of the underlying clearance decision. Legal counsel should review the SF-328 before submission to ensure all disclosures are accurate and consistent with the purchase agreement representations.

Related Resources

FOCI mitigation operates alongside two other major compliance regimes that affect defense contractor acquisitions. Understanding how these frameworks interact is essential for buyers evaluating the full regulatory burden of a defense transaction.

Defense M&A Requires Specialized Legal Counsel

Transactions involving cleared defense contractors present regulatory complexity that has no equivalent in commercial M&A. The FOCI mitigation timeline, the operational demands of an SSA, and the risk of clearance disruption during a transaction require counsel who understands both the legal framework and the operational realities of how DCSA works. If your transaction involves a facility security clearance, the time to engage is before you have committed to a structure that may not be approvable.

Submit Transaction Details

Request Engagement Assessment

Describe your transaction and we will respond with a direct assessment of the legal issues involved.

Request Engagement Assessment

Tell us about your deal. We review every submission and respond within one business day.

Your information is kept strictly confidential and will never be shared. Privacy Policy