ARTICLE
3 July 2025

Updated Standard Form 328, "Certificate Pertaining To Foreign Interests"

GP
Goodwin Procter LLP

Contributor

At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
On May 12, 2025, the Defense Counterintelligence and Security Agency (DCSA) released an updated Standard Form 328 (SF-328), "Certificate Pertaining to Foreign Interests."
United States Government, Public Sector

Bottom Line Up Front

On May 12, 2025, the Defense Counterintelligence and Security Agency (DCSA) released an updated Standard Form 328 (SF-328), "Certificate Pertaining to Foreign Interests." The new SF-328 includes a number of changes to existing questions, as well as expanded instructions that are designed to assist filers in complying with the more detailed disclosure requirements imposed by SF-328. The National Industrial Security System has adopted the updated SF-328; accordingly, all companies filing facility security clearance (FCL) applications or changed condition packages after May 12, 2025, are now required to use the updated SF-328. The updated SF-328 has also been authorized for use by the federal government in connection with additional programs, which signals the Trump administration's focus on obtaining information about foreign interests in companies that do business — even unclassified business — as federal contractors or grant recipients.

Background

The DCSA is an agency within the U.S. Department of Defense (DOD) that conducts personnel security investigations for the US federal government, supervises industrial security, provides counterintelligence support to the cleared defense industrial base, and performs security education and training. The DCSA also provides the uniformed US military services, DOD, civilian federal agencies, and contractor facilities with security support services. Additionally, the DCSA administers the National Industrial Security Program (NISP) on behalf of the DOD and ensures that contractors are adequately protecting facilities, personnel, and associated classified information from attacks and unauthorized disclosure and dissemination.

All US federal government contractors that hold classified contracts or seek to perform classified work at the prime or subcontract level must use the SF-328 to disclose certain information to DCSA. Specifically, when a company first applies for FCL, it must complete and submit an initial SF-328. The company is required to update the SF-328 and resubmit it whenever a material change occurs. This allows DCSA to assess any risks associated with foreign ownership, control, and influence (FOCI). DCSA will consider a company to be operating under FOCI when a foreign interest has the "direct or indirect, whether or not exercised, and whether or not exercisable" ability "to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts."

Updates to the SF-328

The updated SF-328 includes nine questions, which are designed to improve DCSA's ability to assess whether contractors, academic institutions, or other entities seeking to perform classified work are operating under FOCI and whether any potential FOCI-related risks require imposed mitigation to protect US national security interests and classified information. Although the overall structure of the SF-328 remains the same, there are some important changes that should be noted. The updated SF-328 requires expanded disclosures related to

  • the structure, governance, and ownership of private equity and venture capital investment funds and joint ventures;
  • foreign business and academic relationships involving software research and development, intellectual property, and licensing agreements;
  • foreign loans and indebtedness; and
  • gifts and funding associated with endowments, grants, and nonmonetary compensation.

Comprehensive instructions, which provide clarity and specificity to industry and government stakeholders alike, are incorporated into the updated SF-328. The instructions clearly identify the existing information requirements for each affirmative response and will reduce processing timelines by ensuring sufficient information is provided in the initial submission. Additionally, policy-aligned definitions for terms used in the updated SF-328 and instuctions are incorporated to provide a consistent, common vernacular across industry and government users.

Once completed, the new SF-328 is considered controlled unclassified information. The form also instructs that if it is submitted in confidence and properly marked, the government will invoke applicable Freedom of Information Act exemptions to withhold the document from public disclosure. These additional protections should provide some comfort to government contractors and foreign investors who must disclose sensitive information.

Expanded Use of the Updated SF-328

The updated SF-328 is authorized for use with carrying out

  • section 847 of the 2020 National Defense Authorization Act (2020 NDAA);
  • the DOD Enhanced Security Program (DESP);
  • the DOD Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs; and
  • the DOD Cybersecurity Maturity Model Certification (CMMC) program.

Section 847 of the 2020 NDAA
Section 847 of the 2020 NDAA authorized the secretary of defense to collect certain information via the updated SF-328 to carry out expanded responsibilities regarding FOCI vetting. The 2020 NDAA authorized the secretary to expand the FOCI analysis to pre-award contract activities and unclassified contracts. Now, DOD contractors and subcontractors that are performing unclassified contracts valued at $5 million or more must comply with initial FOCI disclosure requirements, as well as periodical assessments associated with changed conditions. To assist contractors with understanding these new obligations, DCSA published a web page on its efforts to implement section 847.

DESP
The updated SF-328 will also be used in connection with DESP. Under DESP, companies that do not have FCL under the NISP may be granted access to certain classified information related to the DOD Innovation Initiative (DII). The DII is a departmentwide initiative to pursue innovative ways to sustain and advance warfighting and military capabilities in collaboration with the commercial marketplace. The updated SF-328 provides that a company's eligibility for participation in DESP and DII will not be approved if it does not complete the updated form accurately.

SBIR and STTR Programs
The updated SF-328 may also now be used to collect information from companies that are seeking funding via the SBIR and STTR programs. SBIR and STTR are federally funded initiatives that encourage small businesses to participate in R&D, with the ultimate goal of commercializing resulting innovative technologies. While companies are not currently required to complete the updated SF-328, a company's eligibility to participate in SBIR and STTR programs may be impacted by the failure to do so. It remains to be seen how the various federal agencies with SBIR and STTR authority will ultimately decide to utilize the updated SF-328. However, it appears that the use of the updated SF-328 in conjunction with SBIR and STTR is on the horizon.

CMMC
Finally, DCSA will also utilize the updated SF-328 to collect information in connection with the CMMC 2.0 program. As discussed in Goodwin's December 2024 client alert on the CMMC 2.0 program, CMMC 2.0 is a DOD framework intended to enhance the protection of unclassified information within the defense industrial base and throughout the DOD supply chain. The CMMC 2.0 program will require Level 2 certification assessments to be conducted by a CMMC third-party assessment organization (C3PAO) and ultimately accredited by the DOD-approved CMMC Accreditation Body (AB). The CMMC AB and all C3PAOs are required to receive favorable adjudication and are not subject to a level of risk from FOCI as determined by the CMMC Program Management Office (PMO). DCSA will conduct the FOCI assessments for the CMMC AB and C3PAOs after they are nominated by the CMMC PMO.

Takeaways

The updated SF-328 should improve the filer's clarity and understanding of the questions they are answering and the requirements related to information disclosure. The questions are arguably better-scoped; the associated and updated instructions are comprehensive; and the new Statement of Full Disclosure of Foreign Affiliations used to report foreign employment is robust. These improvements should ultimately reduce processing timelines by ensuring the right information is provided in the first submission.

The multiple authorized uses of the updated SF-328 should create uniformity among numerous authorities responsible for the vetting or review of companies or entities for foreign interest–related risks and establish more consistency among companies that are required to submit information to the US government regarding foreign ties and interests.

While DCSA anticipates that the updated SF-328 will streamline the review process by reducing the need for follow-up inquiries, it appears that the additional information required may increase the burden on companies and academic institutions tasked with collecting and providing the detailed information. Preparing the updated form will likely require greater involvement and coordination with internal and external stakeholders (affiliates, limited partner or general partner investors, shareholders, key management personnel, outside employers, joint venture partners, vendors, suppliers, accountants, auditors, legal counsel, and/or financial institutions).

Cleared companies should become familiar with the updated SF-328 and confirm whether there is a current need to file an update based on any changes in ownership or foreign ties. Additionally, uncleared entities should confirm whether involvement in unclassified programs will now necessitate the completion of the updated SF-328. This can be done by direct engagement with the appropriate contracting officer, grants officer, or other agency procurement points of contact.

Goodwin's Government Contracts & Grants team has significant experience counseling clients on matters involving FOCI mitigation and DCSA engagement. Additionally, the team is tracking the expanded use of the updated SF-328 and its impact on uncleared contractors going forward.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More