What must contractors do to comply with the proposed DFARS FOCI beneficial ownership and disclosure rule? 2026

According to GSA guidelines, contractors must begin internal discovery and data collection now to meet proposed DFARS/FOCI disclosure requirements. This opening summary names GSA, SBA, FAR, DoD, DCSA and OMB because each has a role: GSA coordinates acquisition policy, SBA addresses small business impacts, FAR governs contracting practices, DoD issues DFARS rules, DCSA will receive and vet FOCI submissions, and OMB oversees cross-agency data use. The May 7, 2026 proposed DFARS rule published in the Federal Register requires contractors to provide beneficial ownership information (BOI) and FOCI-related documentation to DCSA for entity vetting and FOCI mitigation assessments. Contractors must identify ultimate beneficial owners holding greater than 10 percent ownership and disclose foreign affiliations, board control, and material relationships, and must provide supporting corporate documents, shareholder registries, and organizational charts. The proposed rule applies to offerors and contractors for DoD prime and major subcontract awards; government-wide acquisition contractors with DoD involvement should assume applicability. Contractors should map their corporate tree, capture ownership percentages, and create an auditable record of communications. Expect DCSA to require electronic submissions in a standardized format and to start scheduling entity vetting shortly after the final rule's effective date.

According to GSA guidelines, contractors must confirm whether they are within scope by reviewing the proposed DFARS text and related DCSA instructions. Per FAR 19.502, small businesses can rely on certifications and size standards when assessing subcontracting impact, but FOCI reporting is independent of size status; an 8(a), HUBZone, WOSB, SDVOSB or VOSB designation does not exempt a firm from DCSA BOI and FOCI disclosure if the contract falls under DFARS applicability. The SBA reports that 78% of small defense contractors have multiple tiered ownership structures that will require extra due diligence, increasing the burden on small firms to trace ultimate beneficial owners across affiliates and trusts. Under OMB M-25-21, agencies will standardize identity and data sharing which means DCSA may share BOI across DoD components and other agencies for national security vetting. DoD's CMMC framework requires safeguarding of Controlled Unclassified Information (CUI) but does not replace the FOCI disclosure requirement; firms handling CUI must both meet CMMC requirements and provide BOI/FOCI disclosures when DFARS applicability is triggered. Contractors should therefore integrate FOCI data collection into CUI and subcontractor oversight processes to avoid duplicate effort and missed deadlines.

Per FAR 19.502, small businesses can seek help from SBA resource partners and procurement technical assistance centers to map ownership structures and register in SAM.gov. According to GSA guidelines, contractors must ensure SAM.gov entity registrations are current because DCSA will cross-reference SAM records during entity vetting; SAM registration inaccuracies can delay vetting by 30–60 days. The SBA reports that 78% of small firms lack documented procedures to collect beneficial ownership data, so program managers should allocate staff time and budget—industry guidance suggests $15,000–$120,000 depending on complexity—to assemble required documentation such as stock ledgers, trust instruments, and shareholder agreements. Under OMB M-25-21, agencies will expect standardized BOI fields; adopt machine-readable formats (CSV, XML) when possible. DoD's CMMC framework requires documented cybersecurity practices that complement FOCI mitigation steps—if DCSA imposes a mitigation plan, contractors will likely need to demonstrate controlled network segmentation, enhanced personnel vetting, and continuous monitoring to preserve eligibility for classified work.

According to GSA guidelines, the May 7, 2026 DFARS proposed rule expands DCSA's authority to collect beneficial ownership information and FOCI disclosures beyond traditional cleared contractors to include a broader range of DoD contractors and significant subcontractors. Per FAR 19.502, contracting officers must still apply small business rules where appropriate, but DFARS provisions take precedence for security-related reporting. The DFARS proposal implements Section 847 of the National Defense Authorization Act and aligns with DCSA's expanded industrial security mission to identify foreign influence risks before awarding contracts. The practical effect is that contracting officers will include new DFARS clauses requiring contractors and finalists to provide BOI and answer FOCI questionnaires; DCSA will use that information to open formal entity vetting and mitigation workflows. The proposed rule references corporate ownership thresholds, control indicators, and specific documentary evidence types—articles of incorporation, shareholder ledgers, operating agreements, trust instruments, and board minutes. Contractors should expect DCSA to correlate BOI submissions with public filings, open-source intelligence, and agency intelligence holdings to validate disclosures. The procedural change shifts compliance from a reactive post-award mitigation to a pre-award disclosure obligation for many solicitations, increasing the need for proactive collection and secure handling of sensitive ownership data.

Per FAR 19.502, small businesses can and should engage SBA counsel and local procurement assistance to interpret how DFARS FOCI clauses interact with size and socio-economic certifications. According to GSA guidelines, contractors must also track subcontractor ownership and FOCI exposure because prime contractors remain responsible for ensuring downstream compliance and may be required to submit subcontractor BOI. The SBA reports that 78% of firms outsource portions of their work to foreign-owned affiliates or contractors, which magnifies potential FOCI vectors and necessitates tight subcontractor flow-down and oversight. DoD's CMMC framework requires a maturity of cybersecurity practices that will intersect with FOCI mitigation when DCSA imposes remediation actions—expect combined requirements for personnel vetting, privileged access controls, and continuous monitoring. Under OMB M-25-21, agencies will coordinate BOI data use and may require that contractors attest to how BOI is stored and protected, increasing the need to encrypt and limit access to BOI within corporate systems. Contractors should therefore develop policy, mapping, and technical controls now to reduce friction at the time of a DCSA request.

According to GSA guidelines, contractors must implement a documented BOI/FOCI compliance program as part of corporate procurement and security operations. This program should include ownership mapping, a records repository, a designated compliance officer, and procedures for coordinating with legal counsel. Per FAR 19.502, small businesses can and should document reliance on SOC 1 or other audited financial controls when they exist, but that does not supplant the need to disclose BOI. The procedural requirements in the proposed DFARS call for standardized fields—UBO names, dates of birth or tax identifiers where available, ownership percentages, nationality, and the nature of any foreign relationships—plus copies of supporting documents. The OMB encourages agencies to minimize duplicative paperwork, so contractors should expect DCSA to permit previously collected BOI if properly notarized and contemporaneous. DoD's CMMC requirements for protecting CUI align with handling BOI because much ownership information will be treated as sensitive; apply least-privilege access, encryption at rest and in transit, and audit logging to BOI stores. Contractors should also review existing flow-down clauses and update subcontracts to require timely subcontractor BOI submissions to enable prime-level compliance.

Per FAR 19.502, small businesses can seek SBA technical assistance and legal resources to meet documentation standards; many SBA resource partners offer pro bono counsel for entity structuring and compliance. According to GSA guidelines, prime contractors must include clear flow-down language in Requests for Proposals and subcontracts to ensure subcontractor BOI is received within solicitation timelines—failure to do so risks disqualification of entire bids. The SBA reports that 78% of impacted firms will need third-party help to parse trust instruments and cross-border ownership chains; budget accordingly for legal and forensic accounting support. Under OMB M-25-21, agencies will prefer standardized submissions, so prepare machine-readable exports from corporate registries. DoD's CMMC framework requires traceability and documentation of who accessed sensitive data; apply those access controls to BOI to avoid internal misuse and to meet DCSA expectations during vetting and any subsequent mitigation agreements.

According to GSA guidelines, the top best practice is to integrate BOI/FOCI collection into existing compliance workflows—do not treat it as a one-off. Per FAR 19.502, small businesses can document delegations of authority and maintain a primary point of contact for DCSA submissions; designate a compliance owner and backup. The SBA reports that 78% of small firms succeed when they budget for outside counsel early; plan a $15,000–$120,000 budget based on ownership complexity to cover legal and forensic accounting costs. Under OMB M-25-21, agencies favor machine-readable standardized submissions, so adopt tools that can export CSV/XML BOI files and retain immutable audit trails for at least 6 years. DoD's CMMC framework requires cybersecurity hygiene; align BOI repositories with CMMC Level 2 or higher controls if you handle CUI to reduce the chance of additional mitigation orders. Finally, train procurement, legal, and security teams on what qualifies as UBO, foreign influence signals, and acceptable supporting documentation to shorten response time when a DCSA request arrives.