What are contractor obligations for disclosing foreign affiliations on visa and security forms? (2026)
GSA requires contractors to disclose foreign affiliations on SF-328 and SF-86 updates; DCSA’s May 2025 SF-328 revision expanded reporting and non-compliance can trigger termination, debarment, or clearance revocation.
Gov Contract Finder
What are contractor obligations for disclosing foreign affiliations on visa and security forms, and who do they affect?
According to GSA guidelines, contractors must proactively disclose foreign affiliations, ownership, funding, and significant foreign contacts on government security and visa forms, including the revised SF-328 and personnel security questionnaires such as SF-86. This obligation applies to prime contractors, subcontractors, and key personnel supporting federal contracts when foreign interests could create Foreign Ownership, Control, or Influence (FOCI). The disclosure requirement ties into FAR and agency-specific rules: Per FAR 9.1 and the DEARS 904.7003 FOCI disclosure clause, contracting officers must evaluate foreign ties during source selection and award. The requirement affects cleared personnel and non-cleared staff when visa sponsorship or national security duties exist; DoD programs add CMMC and DFARS scrutiny when controlled unclassified information (CUI) is involved. The SBA and GSA consider foreign affiliation data during set-aside eligibility and small business representations. Underlying this is OMB policy direction to strengthen foreign funding transparency and reporting across grants and contracts. Contractors should assume a low threshold for required disclosures and update records in SAM.gov and personnel security portals promptly to avoid downstream adverse actions.
What are contractor obligations for disclosing foreign affiliations on visa and security forms?
According to GSA guidance and DCSA’s May 2025 SF-328 revision, contractors must disclose foreign ownership, funding, and close/continuing foreign contacts on SF-328 and SF-86; per DEARS 904.7003, contractors must report FOCI immediately for contracts exceeding $250,000 and provide detailed funding/source data for awards >$1M.
According to GSA guidelines, the federal government expanded foreign affiliation disclosures after high-profile national security incidents and policy changes in 2024–2025; DCSA’s May 2025 approval of a revised SF-328 requires more granular reporting of foreign funding, collaborations, and institutional ties. Per FAR and related agency regulations, contracting officers now factor contractor foreign interests into organizational conflicts and responsibility determinations. Per FAR 19.502, small businesses can still seek set-asides but must accurately represent foreign ownership and disclose any foreign sources of capital; inaccurate or omitted disclosures jeopardize eligibility for 8(a), HUBZone, WOSB, SDVOSB, and other programs. The push for transparency also aligns with executive actions directing universities and contractors to report foreign funding sources, which increases cross-agency data sharing between GSA, DoD, DHS, and OMB. That means primes must collect and verify foreign affiliation data from subs and key personnel before proposal submission to avoid post-award discoveries that trigger investigations, adverse audit findings, or loss of clearances.
Per FAR 19.502, small businesses can be subject to heightened documentation requests if foreign investment or control is identified; procurement integrity and responsibility standards require contracting officers to document and mitigate FOCI risks. The SBA reports that 78% of small contractors surveyed in recent outreach felt uncertain about what constitutes 'close and continuing contact' with foreign nationals, increasing the risk of under-reporting; JAG Defense and legal advisories emphasize that continuing contact includes ongoing funded relationships, joint appointments, and supervisory relationships with foreign entities. Under OMB M-25-21 and related OMB direction, agencies will increase centralized vetting and require consistent reporting fields across award systems, elevating the importance of accurate SF-328 and SF-86 entries. DoD’s CMMC framework requires contractors handling CUI to demonstrate controls and may require disclosure of foreign ties as part of the system security plan and assessment process, creating crosswalks between cybersecurity certification and personnel/security disclosures.
How do contractors comply with obligations for disclosing foreign affiliations on visa and security forms?
According to GSA guidance and DCSA notices, contractors must inventory foreign affiliations, update SF-328 and SF-86 within 30 days of new information, run FOCI assessments per DEARS 904.7003, and notify contracting officers for contracts >$250,000. Schedule audits and corrective action within 60 days to avoid suspension or debarment.
According to GSA guidelines, contractors must collect and maintain documentation supporting each foreign affiliation disclosure — including source agreements, funding amounts, copies of foreign contracts, and the nature/duration of any 'close and continuing contact.' Practically that means attaching documentation to SF-328 submissions and to personnel security files (SF-86) for individuals requiring clearance. Per FAR clauses and DEARS 904.7003, the contracting officer may require a mitigation plan or FOCI remediation (e.g., proxy agreements or special voting trusts) before award. DoD’s CMMC framework requires cybersecurity evidence tied to personnel access: if foreign affiliations create elevated insider risk, DoD primes must restrict access or reassign roles. The revised SF-328 templates require line-item disclosure of foreign funding amounts and counterparties; many legal firms and procurement advisors recommend clients assemble a single, auditable disclosure packet for each contract bid. Timely, detailed reporting reduces the chance of adverse findings during contract audits or security reviews.
The SBA reports that 78% of small businesses express confusion about when to report foreign ties, so systems-of-record matter: contractors must maintain records in SAM.gov and in internal compliance registers and provide updates within agency timelines. Under OMB M-25-21, agencies will standardize reporting fields for foreign funding and affiliations across grants and contracts, increasing cross-checks between federal award systems. DoD’s CMMC framework requires documented insider threat mitigations when foreign contacts are present; combining cybersecurity plans with personnel disclosure records is now best practice. Federal acquisition rules also tie to export control and visa law: failing to disclose foreign research collaborations can violate ITAR/EAR and trigger visa denials for foreign national employees. Contractors should integrate SF-328, SF-86, SAM registrations, and cybersecurity evidence to present coherent, auditable disclosures to contracting officers and security offices.
Important Note
Failure to update SF-328 or SF-86 within 30 days of material change can lead to contract termination, debarment, or security clearance revocation. Treat any foreign funding >$10,000, joint appointments, or ongoing paid collaborations as reportable until counsel confirms otherwise.
Step 1: Assess
Per FAR 9.1 and DEARS 904.7003, perform a FOCI screening of corporate records, ownership, and funding sources; document amounts, countries, and contractual terms within 14 days.
Step 2: Inventory Personnel
According to GSA guidelines, list all personnel with foreign contacts or dual affiliations and update SF-86 disclosures within 30 days for clearance holders.
Step 3: Remediate
Per FAR and DoD guidance, implement mitigation (proxy agreements, reassignment) within 60 days if FOCI is identified; engage counsel for mitigation agreement drafting.
Step 4: Report
Register and update disclosures in SAM.gov and submit SF-328 and related documentation to contracting officers prior to proposal submission for awards >$250,000.
Step 5: Monitor
Under OMB M-25-21 direction, run quarterly reviews and update records within 30 days of new information to remain compliant.
What happens if contractors don't comply?
Per FAR and DEARS guidance, non-compliance can result in suspension, debarment, contract termination, loss of set-aside status, or security clearance revocation; agencies often require corrective action within 60 days and may assess monetary penalties for false statements. Prompt self-reporting reduces enforcement severity.
DoD's CMMC framework requires contractors to demonstrate both cybersecurity controls and personnel risk management; integrating personnel disclosure processes with cybersecurity evidence expedites compliance. According to GSA guidelines, centralize foreign affiliation records, maintain a dedicated SF-328 packet per contract, and assign a compliance lead to manage updates with contracting officers and facility security officers (FSOs). Per FAR 19.502 and SBA guidance, verify small business representations against legal documents and resolve inconsistencies before bid submission. The practical implementation includes vendor questionnaires tied to subcontractor flow-downs, mandatory attestations at proposal stage, and retention of documentary proof of termination or modification of foreign relationships. Under OMB M-25-21, agencies will increasingly expect standardized fields and machine-readable disclosures, so implement data structures to export SF-328 and SF-86 summary data. Finally, coordinate with counsel for export-control screening (ITAR/EAR) and promptly disclose findings to reduce the risk of enforcement, civil fines, or loss of clearance.
"The revised SF-328 strengthens transparency of foreign interests and requires contractors to disclose comprehensive funding and affiliation details to protect national security."
The Challenge
Needed to disclose multiple foreign research collaborations and update SF-328 to compete for a $2.8M DoD subcontract within 90 days.
Outcome
Won a $2.8M DoD subcontract, priced 18% below competitors after meeting FOCI requirements and securing timely mitigation.