On May 12, the Defense Counterintelligence and Security Agency (DCSA) deployed a new Standard Form (SF) 328, Certificate Pertaining to Foreign Interests. All contractors that obtain, or intend to obtain, a facility security clearance (FCL) to perform classified government contracts or generally access classified materials must file an SF-328.
The DCSA uses the SF-328 as part of its review process when contractors apply for an FCL. The revised SF-328 requires contractors to provide additional information and to make more comprehensive disclosures so the government can better assess an organization's Foreign Ownership, Control, or Influence (FOCI). DCSA hopes the changes it made to the SF-328 will improve the quality of contractors' initial submissions and reduce processing times.
The revised SF-328 now asks more questions about foreign ownership, governance structures, and foreign funding arrangements. For example, organizations must report: revenue streams from foreign sources, including gifts, endowments, and grants; foreign ownership by country if a country, in aggregate, owns 5% or more of the organization; and any foreign debt obligations and financial support.
The revised SF-328 includes a Statement of Full Disclosure of Foreign Affiliations (FDFA) which must be completed by management personnel who hold positions or serve as consultants with foreign entities. And, the threshold for reporting foreign-sourced revenue has been lowered from 30% to 15%. As a result, the scope of the disclosures will be more comprehensive for many contractors.
In addition, the government is now using the SF-328 to determine eligibility for more than security clearances. The form is authorized to be used for the Department of Defense (DoD) Cybersecurity Maturity Model (CMMC) program, the DoD Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) programs, and Section 847 of the FY 2020 National Defense Authorization Act (NDAA) which requires the DoD to enhance its assessment and mitigation of FOCI risks in companies working on non-classified defense contracts, subcontracts, or research grants exceeding $5 million.
As of May 12, contractors must complete the revised SF-328:
- For all new FCL applications;
- When seeking an FCL upgrade;
- When submitting a changed condition package; and
- For new or renewed FOCI mitigation agreements.
Existing SF-328 filings do not need to be resubmitted solely because of the update.
The revised SF-328's detailed questions require time and due diligence to answer. Consequently, contractors will need to work with their facility security officers, external shareholders, compliance professionals, and legal counsel to provide full and accurate responses when completing the form.
Zoe Waldman, a law clerk in Taft's Dayton office, contributed to the writing of this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
