Grant Schweikert There’s a lot of talk lately and, and action, so to speak, in the defense tech space, the national security technology space, lots of innovative companies and emerging technologies are very interested in the defense market. As people know that have been involved in government contracts market and defense market for a long time, there are certain significant barriers to entry and the SF-328 turns out to be one of those. As you know, and the article explains, it’s been updated recently and we can talk about those updates. But I was up in New York yesterday at the launch of the NatSec 100 list. This is a list put out by Silicon Valley Defense Group and the great folks there, including Mike Keating, who’s the new executive director, and Rhett Jeppson sponsored it at JP Morgan’s headquarters in New York. And it just kind of confirms and gets me excited about the defense tech space because there are so many unique companies entering the market, tons of innovative founders who are interested in national security. And a lot of them will be impacted by these regulations.
Terry Gerton So what is DoD’s role in providing oversight when foreign investors want to invest in domestic defense firms?
Grant Schweikert The primary agency that is involved in this process is the Defense Counterintelligence and Security Agency. So DCSA, and you might hear me say that, refer to DCSA a few times. They are DoD’s primary agency for conducting both personnel clearances and what we call facility security clearances, which is essentially a clearance for a company or for a defense contractor, not a specific person. Now, DoD conducts most of the security clearance function for actually most of the federal government, so they’ve been delegated that authority. And part of what we’re going to talk about, the SF-328, is kind of the first gating form that you submit. If you’re a company interested in doing work for DoD, specifically in the past, it’s been related to classified work. So just a portion of the government contracts work that, you know, thousands of contracts compete for. One of the things that’s unique about this time with the SF-328 is that the government is becoming much more interested about the details of your company, especially given the complex corporate structures and certain investment vehicles and private equity and venture capital roles in the space. They’ve done a lot of great work to make sure that the companies that are participating and are performing these very critical national security functions are vetted properly. And that’s essentially what this form is designed to do.
Terry Gerton All right, so you’ve mentioned it, the SF-328. The new guidance from DoD changes some provisions in this form. Can you explain what those are and how they’re going to work?
Grant Schweikert The form itself looks fairly similar to what it did in May. They released the new form and some new instructions. If you were a lay person looking at this for the first time and you put the old one and the new one side by side, you might not realize how many changes there are. Yes, there are now nine questions instead of 10. I think you would notice right away that the full document is eight pages, the signature page is the second one, and then there’s six pages of instructions. It used to be there was a two-page PDF, and there was a separate PDF that were kind of informal instructions. So they’ve incorporated the instructions into the document, which is a really good thing. Anything we can do to make it easier for companies to prepare this and to get over that hurdle of getting their facility clearance, so they can really get into the mission of their companies and supporting the warfighters and the government, is good. There are a couple very nuanced changes, and I don’t know if we want to get too much into the weeds, but essentially DCSA has formalized some of those instructions that they put out informally before. They’ve gone into great depth, particularly around supporting documentation that’s required when a company answers “yes” to one of these nine yes-or-no questions. And that’s really how it’s set up. So there’s nine questions now in the new form, and if you answer a yes, then you go to the third through eighth pages and read the instructions for that question. And then you provide the supporting documentation that’s listed there.
Terry Gerton I’m speaking with Grant Schweikert. He’s a special counsel with Cooley. It sounds a little bit like filling out your taxes. If you say, yes, you have to go to a different form and fill out more details. What are the most important things that you want contractors to know about this new form and making sure that they can get the answers right the first time?
Grant Schweikert Getting the answers right the first time has been historically the biggest challenge, I think, for DCSA. When you consider the companies that are engaging in this space, they’re not always sophisticated companies like General Dynamics, for example, or Lockheed Martin. In fact, they’re not typically companies like that. Those types of companies have been involved in this area for a long time and now we have companies like Anduril and Shield AI and even smaller companies like Nominal and Havoc AI and all the innovative technology companies that tend to have AI at the end of their names. So they’re trying to fill this out. Maybe it’s a founder, or maybe it’s a new hire that’s a security professional trying to fill this out, and it’s not quite intuitive although the government has taken some steps to do that. I’ll point out a few things. Question one is really the baseline question, and it asks about 5% or more direct or indirect ownership in the entity filling out this form from a foreign source, and particularly a foreign person, which is also defined at the end of the instruction. And so, you know, that’s kind of the baseline and then, you know, there’s the following eight questions are a little bit more specific about certain leadership positions and do you have management personnel or members of the board of directors that serve concurrently at foreign-owned companies, things like that.
Terry Gerton So you mentioned early on that this used to be just for folks who were working in the classified space, but that the eligibility requirements may be expanded. How can a firm know if they need to fill this out?
Grant Schweikert So when you compete for a government contract and specifically with DoD, you, you typically respond to an RFP, which is a request for proposals. So the request for a proposals will typically direct you to this form and to fill it out as part of your proposal package, but you’re right. One of the main points of the article, and we mentioned this in an article a few months ago with Bloomberg, that this was coming or that it looked like it was coming. The new SF-328 specifically mentions the SBIR, STTR programs and the CMMC program. So a little bit of alphabet soup there: SBIR, STTR is Small Business Innovative Research, contracts and grants specifically designed for new companies, early stage companies to come in and demonstrate their technology to a government customer. That’s a huge chunk of DoD innovation space. If you’re involved in generative AI and looking at the government market as a place to develop your technology, a lot of those companies get started in the SBIR program. CMMC is the new cybersecurity regulations, which have been going back and forth for probably close to a decade — cybersecurity maturity model certification is CMMC — and that’s also going to capture a huge chunk of the defense contracting space. Going back to what’s new, the SF-328 now mentions SBIR and CMMC; it’s a little bit unclear whether the new solicitation documents and RFPs require an SF-328, but I think it’s clear that if it hasn’t been implemented yet across DoD, that it’s coming. And so companies that were not required to fill out this form in the past can expect to have that requirement in the future.
Terry Gerton That’s really helpful and if you’re either a new company who’s never done this before or an experienced company, but looking to make sure that you address the changes correctly, what resources would you point folks to? Is DoD doing anything to provide assistance or are there other documents that folks could refer to, to make that they’re on the right side of compliance here?
Grant Schweikert Yeah, so if you’re a new company interested in entering the space, a few things I can recommend — and there are things to read and take a look at; as a lawyer, I read regulations, I recognize that it might be not the most exciting thing to do — but the overarching regulation is called the NISPOM. It’s 32 CFR 117, and it’s not super long. You can read it in a half an hour, an hour. I would read through that just to get the lay of the land. All of these requirements stem from the NISPOM. And then just check out DCSA’s website. They have great resources on their website. They have lots of videos. They have some links to a training resource called CDSE, Charlie Delta Sierra Echo, and that’s kind of their training website for new security professionals and others who are interested in learning about, you know, the complex rules and requirements of providing critical technology to the government.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
