In the 22nd episode of "Are We All Clear? Facilitating Security Clearances," host Marina O'Brien is joined by Washington, D.C., International Trade attorney Andrew McAllister to help break down the Defense Counterintelligence and Security Agency's (DCSA) changes to the Standard Form 328 (SF-328), also known as the Certificate Pertaining to Foreign Interest. Mr. McAllister explains that the main goals of the updates are to reduce processing timelines by placing an emphasis on more thorough submissions and align with the expanded efforts to assess and mitigate foreign ownership, control or influence (FOCI) following the implementation of Section 847 of the National Defense Authorization Act (NDAA). One of the most significant changes to the document is in Question B, where the threshold of foreign revenue has been lowered from 30 percent to 15 percent, which will qualify a much higher number of companies. Importantly, Mr. McAllister clarifies that listeners who have previously submitted documents should not be alarmed — if you submitted or signed an SF-328 form prior to May 12, 2025, the old form is acceptable — but moving forward, any new actions must be conducted using the new form.
Listen to more episodes of Are We All Clear? here.
Podcast Transcript
Marina O'Brien: Welcome to the 22nd episode of Are We All Clear? The Podcast on Facilitating Security Clearances. I'm your host, Marina O'Brien, an international trade associate with Holland & Knight's Washington, D.C., office. In today's episode, we will cover the recent changes included in the SF-328 form, also known as the Certificate Pertaining to Foreign Interest, which was updated and released by the Department of Defense Counterintelligence and Security Agency in May. To help us learn more about what changed, what remained the same and what that means for the defense, and, as we will hear later on, the government contracting community at large, we have with us Andrew McAllister, a partner from Holland & Knight's International Trade practice and a member of the firm's National Security & Defense Industry Group. Welcome back to the podcast, Andrew. I hope you're staying cool during the heat wave.
Andrew McAllister: It's certainly a hot one here in Washington, so thanks Marina, it's great to be back. As you might expect, we work in hot and cold conditions, so we don't stop on account of weather.
Marina O'Brien: Absolutely. Well, before we delve deeper into the updates to the SF-328 and how that may impact our listeners, I'd like to provide a bit of a background on the form itself. SF-328, or Standard Form 328, is a form used by DCSA or any other cognizant security agency — for example, the Department of Energy — to ascertain the presence and level of any foreign ownership, control or influence, also known as FOCI, in the government contractors when they're applying and maintaining a facility clearance. So this form is filled out by the contractor and submitted as part of its application for an FCL or facility clearance, or when submitting a change conditions package if the company is already cleared. The form was updated on May 12, 2025, and we are now going to discuss why it changed, what changed and how it impacts our listeners, most of which are government contractors. So, Andrew, what was the DCSA's reasoning for releasing the new SF-328?
Andrew McAllister: Well, so I would say first, Marina, it's been quite some time since they've made any changes to the form, so I think we were due for an update, and so I think it's been in the works — DCSA has had this on its radar for quite some time. And so as DCSA sort of announced with its issuance of the form, one of the main goals of the new form is to reduce processing timelines by ensuring a thorough first submission with adequate information to reduce the need for additional rounds of questioning. So the reformulation of some of the questions, the added clarity, etc., is meant to hopefully reduce that back and forth, which can be time-consuming, particularly if a company is looking to get a clearance for the first time. Delays with the SF-328, delays with the information pertaining to foreign ownership, control or influence, can really be an impediment to getting that clearance because the information is needed so that it can be essentially passed through different areas of DCSA in order to make that FOCI determination. And so the changes also reflect, I believe, the expanded efforts and mission of the Department of Defense to better improve its understanding, assessment and mitigation of FOCI risk. This is particularly the case in light of the implementation of Section 847 of the National Defense Authorization Act. And those provisions, which are, I would say, moving into effect, we're waiting for regulations to be issued. But that would expand the FOCI assessment and mitigation to non-classified DOD contracts in excess of $5 million. As we understand it, the expansion with Section 847 is going to drastically increase the number of companies that are going through this exercise. And I think DCSA saw that and sort of determined that, well, this is an immediate need to make sure the form is as clear as possible before we get this onslaught of additional FOCI issues.
Marina O'Brien: Yes, that all makes a lot of sense, and Section 847 will definitely impact many government contractors who didn't have to worry in the past about FOCI reporting. OK, let's switch gears and talk about the changes. Could you please give us a high-level overview of the changes in the form?
Andrew McAllister: Absolutely, and so I guess one sort of initial change is the document has shrunk from 10 questions to nine questions. So that's the first thing you see when you open up the form. I would say the other piece is that the instructions in completing the form are embedded within the form itself. And so previously there were instructions, sort of standalone documents, and then those familiar with completing the information through the electronic portal, currently the NISS system, there were also prompts within that system. And so part of it is to sort of combine and amalgamate all of the information into a single document. And so again, there's, at a high level, three main changes: changes to questions, those comprehensive instructions being updated and streamlined, and then the third one is that there's now a specific form for the statement of full disclosure of foreign affiliations. And so that was referenced in the prior iteration of the form, but it didn't spell out and provide that template in a nice, easy-to-find type manner.
Marina O'Brien: OK, well let's unpack each one. First, the questions. Which questions were changed?
Andrew McAllister: Yeah, so as I said, the structure of the SF-328 remains essentially the same, meaning they're yes-no questions. They look quite easy and simplistic when you first open the form, but obviously there's quite a bit of detail and quite a bit of supplemental information that a company needs to provide when it has affirmative responses. So in terms of looking at some of the specific questions, which I would say broaden the scope of aspects and provide maybe more in-depth disclosures as well. So question one, as an example, talks about nominee shares. Those were previously captured in a separate question, it's actually the question that was deleted, question eight. And so nominee shares is getting at do we have instances, do we have information where there may be individuals or owners behind the shares and we want to make sure that DCSA actually knows the companies and individuals that hold the different ownership interest? Question five, which talks about relationships and arrangements with foreign persons, things like contracts and agreements, it also adds grants and side letters as well. Question seven, this one is interesting, it talks about some additional, reportable proceeds that a company needs to be transparent about, and those include tuition, gifts, endowments in addition to revenue and net income. And so again, question seven is really looking at the sort of foreign exposure, the foreign revenue, foreign net income that applies to the contractor. And then, frankly, one of the most important changes is in question B, it's lowered a threshold. It used to say: Are at least 30 percent of your proceeds from a foreign source? And so they've lowered the threshold from 30 percent to 15 percent. And so that's going to capture a lot more companies because there's just a higher incident, of course, of companies that have at least 15 percent foreign revenue versus at least 30 percent foreign revenue.
Marina O'Brien: Yeah, definitely, just from working on several M&A deals and when we diligence their foreign sales and look at the percentages, it is very easy to hit that 15 percent threshold. So this leads me to the second major change. These uploaded questions come with new instructions, as you said, and guidance that are now embedded. And they are intended to provide additional specificity and clearance so that the initial submissions by contractors provide sufficient information, so there are no follow-up questions, hopefully. So tell us a little bit more about the instructions.
Andrew McAllister: Yes. So as you said, I mean, there's quite a bit of change in terms of the instructions, everything from definitions to the instructions about individual questions. And so I'm really just going to highlight or point a few — we could probably go on for a little while about this — but one area is related to question one. The instructions are certainly clearer in terms of the nature of foreign ownership that needs to be reportable, and now it says, essentially, foreign ownership greater than 5 percent in the aggregate by multiple foreign persons from the same country or within affiliated entities. So again, we see obviously the common owners could be things like European ownership, but then we often see things like the Cayman Islands or other — call them tax shelters — and so again, if you had multiple Cayman Island entities that each held 4 percent of the cleared contractor, those would be aggregated together to get above 5 percent. And so again, just a couple of other things, one is in terms of the relationships and contracts with foreign persons, the instructions are more explicit about saying foreign outsourcing contractual relationships are covered, and it gives examples of manufacturing, research and development, software development — that's often a big one — quality assurance and administrative services. So again, this goes beyond well, yeah, I have customers outside the U.S. and I sell to them. No, this is about looking at your business in its entirety. Administrative services — was somebody outside the U.S. helping with HR services? — as an example. And so the last one that I would point to is that there's more detail on debt obligations and the type of information that's required. They've also added something about bankruptcy exposure, and so again I think that that's sort of geared toward, OK, well is the contractor in some kind of precarious position financially such that a foreign interest would have some ability to control, influence, etc.?
Marina O'Brien: So this has been my experience, I'd like to hear more from you on this issue, but it seems that DCSA really did put a lot more instructions into writing to make certain things clear to the contracting community, but a lot of those things it feels were already being done by DCSA in practice through follow-up questions. So now this is just trying to get ahead and not have to deal with this in a piecemeal sort of a way. Is that your experience as well?
Andrew McAllister: Yeah, I would say it's similar Marina. I think the more detail, the more explicit instructions, I believe is most helpful to companies that are relatively new to this world that maybe haven't gone through prior iterations of the SF-328 or FOCI mitigation. But yes, in terms of, you know, when we're involved in helping a company create the SF-328 response as well as the remarks to the response, and that's really where the rubber meets the road. So those would be narrative responses after a company has answered in the affirmative. And so we have always been comprehensive about trying to think of things that DCSA may want to see, whether it's debt relationships with a foreign party, whether it's affiliations providing sometimes source documentation, so that we don't have to wait for a round of comments from DCSA to say, oh, well great, we understood your response about X, Y and Z, but we really need to see the source documents so that we can confirm that the company's organizational documents match. And so there are things such as providing source documents, providing citations, which I would say we were doing a lot of that previously, but I think there's still some added value and certainly some added nuance on what DCSA is looking for.
Marina O'Brien: Well, turning now to the third major change. The new SF-328 includes a new official format for providing information that relates to foreign affiliations. Can you tell us more?
Andrew McAllister: Yeah, absolutely. So a foreign affiliation statement is required when the entity responds affirmatively to question eight. Question eight asks if any individuals holding management positions within the organization also hold positions with or serve as consultants or representative for any foreign person. And so let's give you an example that I see all the time, which is yes, the individual has a management responsibility on the cleared contractor's board or acts as a senior officer. Well, it turns out they're also a director of this tiny little Indian subsidiary that maybe is unrelated to the business of the government contractor, maybe it's providing software development, etc. And so that's the type of person that would need to fill out the form. And so for each individual there's essentially a separate requirement to fill out the foreign affiliation statement, and in that form or statement you list comprehensive information pertaining to the individual, the foreign interest, the individual's relationship with the foreign interests and the individual's duties with the U.S. entity.
Marina O'Brien: Well, that's quite a lot of information, but let's talk about what remained the same. What hasn't changed?
Andrew McAllister: So picking up on the prior question to some degree, question three of the new form remains similar to the old form. It's a request related to foreign persons who serve as a member of the governing body or hold a management role with the company. And so that's quite similar. I will say there is one additional nuance in the new instructions where it asks for previous professional academic or familial ties the foreign person has with individuals in a management position or owners of your organization. And so, again, they're wanting to understand is there some kind of influence that that foreign person may provide, or do they have some connection to the CEO of the company from a past life where that foreign person was the individual's supervisor? And so, again, it's largely the same question, but they are adding a bit of nuance there. And another question, question eight of the new form, remains quite similar to question nine of the old form. This question relates to individuals who serve as a member of governing board management role and hold positions with a foreign person. So again, this is my example of an individual who might be working or sitting as a director of a foreign company.
Marina O'Brien: Well, with these new changes in mind, are there any industries or institutions particularly impacted by these changes and expanded scope of the SF-328?
Andrew McAllister: So I guess one that sort of sticks out particularly as you read the instructions to the SF-328 are academic institutions. And academic institutions, we've seen that those become more of a thing in terms of export control compliance, export control enforcement. And so I think this is sort of expanding some of the oversight and acknowledgement of the role of universities here. And so, as part of the instructions, there are questions or guidance that talks about including tuition, gifts and endowments in the question pertaining to foreign revenue. So I think that's a pretty good indication that DCSA is wanting to understand more about academic institutions and universities. And I guess just one other piece relating to that same group is, depending on responses to certain questions within the SF-328, there may be a need for that institution to provide further information about foreign student population, foreign faculty population, research agreements with foreign persons and any exchange programs with foreign persons. So as you can see, this is fairly intrusive and could require some time on behalf of the institution to pull together this information.
Marina O'Brien: Yeah, I can definitely see them hiring some extra folks to assist with both export control side and the security professionals, especially if they work on a lot of grants from the U.S. government and work on classified information. But let's now turn to a little bit more on the logistics. How has the new SF-328 been deployed? Where can our listeners find it, and who must use it?
Andrew McAllister: Yeah, so I would say it's deployed within the NISS system. And so the NISS system is really the system of record in terms of facility security clearance-related paperwork. And so it was deployed within that portal on May 12 of this year, 2025. And so, pursuant to the guidance of DCSA — really all new applications for an FCL, upgrades of existing FCLs, as well as new change condition packages that are initiated or submitted on or after that date, will require the updated form. And so not to alarm anyone, if you have an existing SF-328 that was submitted, signed, etc. prior to May 12, you're OK. You just need to provide the new form when you go through your next action with respect to NISS, such as an upgrade request, you may have a change condition related to new ownership, you may have a renew or a review of your mitigation agreement. So there are certain triggering events that would cause you to need to utilize that new form, but until then you're OK with the existing form.
Marina O'Brien: OK, great. So contractors, if I hear you right, will need only to submit the new form if they're submitting a new or initial facility clearance, they're upgrading, reporting any FOCI changes or they're renewing, for example, a mitigation agreement as well. But if they've submitted a change condition package prior to May 12 or their application, then they're safe under the old form. All right, so, any parting words?
Andrew McAllister So I guess just to sort of wrap things up, I would say the updates to the SF-328 were a long time coming, but I think it does signify the U.S. government's continued emphasis on understanding foreign involvement as it pertains to national security. Whether it's things that we've seen in the news such as the Nippon Steel-U.S. Steel agreement that's been reached with respect to the Committee on Foreign Investment in the U.S., whether it's other areas, supply chain, etc., the U.S. government is focused on full transparent information as to how some of these foreign interests may impact national security. And so I think this falls right in line with the government priorities.
Marina O'Brien: And we definitely see this in the expanded use of the form now capturing or about to start capturing government contractors that don't even work on classified information. They don't have clearance as long as they meet the $5 million threshold.
So as our listeners know, this area is full of acronyms. This week, we had multiple acronyms, including DOD, Department of Defense, FCL, Facility Clearance, DCSA, the Defense Counterintelligence and Security Agency, CSA, or the Cognizant Security Agency. We mentioned the NISS, which stands for the National Industrial Security System, and of course, FOCI, foreign ownership, control or influence. Each episode we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Andrew, would you like to choose an acronym?
Andrew McAllister: SF as in the SF-328. And so my statement there would be SF, submit fully. And so what that means is, you look at the form and you tell yourself it's only nine questions, this can't take longer than an hour. But we need to submit it fully, meaning we need to pull in the various resources within the company: the supply chain team, the sales team on revenue numbers, legal team, finance and accounting team. And so we really need to understand a lot of different components of the company and how it works. Not only in the classified space, but more broadly, how does the company work and where do its tentacles go, whether it's the company itself or the individual. So that would be mine, submit fully.
Marina O'Brien: That's quite on point, I would say. Well, thank you for joining us, Andrew, and thank you to our listeners for following us and listening, and I hope everyone has a great week. Please tune in soon for our next episode.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
