SUPPLEMENTARY INFORMATION:

Title; Associated Form; and OMB Number: Certificate Pertaining to Foreign Interests; SF-328; OMB Control Number 0704-0579.

Type of Request: Revision.

Number of Respondents: 62,950.

Responses per Respondent: 1.

Annual Responses: 62,950.

Average Burden per Response: 100 minutes.

Annual Burden Hours: 104,917.

Needs and Uses: Information collection via the Standard Form (SF) 328, “Certificate Pertaining to Foreign Interests,” is necessary to support the execution of 32 CFR part 117, “National Industrial Security Program (NISPOM),” ( print page 74278) dated December 21, 2020, or equivalent. Executive Order (E.O.) 12829, as amended, “National Industrial Security Program (NISP),” section 202 (a) stipulates that the Secretary of Defense serves as the Executive Agent for inspecting and monitoring the contractors, licensees, and grantees who require or will require access to, or who store or will store classified information; and for determining eligibility for access to classified information of contractors, licensees, and grantees and their respective employees. Section 202 (e) also authorizes the Executive Agent to issue, after consultation with affected agencies, standard forms that will promote the implementation of the NISP.

E.O. 12829 was amended by E.O. 13691, adding the Secretary of Homeland Security as the fifth Cognizant Security Agency. Section 202 (d) of E.O. 12829 stipulates that the Secretary of Homeland Security may determine the eligibility for access to Classified National Security Information of contractors, licensees and grantees and their respective employees under a designated critical infrastructure protection program, including parties to agreements with such programs. The Secretary of Homeland Security also may inspect and monitor the contractors, grantees or licensees and facilities or may enter into written agreements with the Secretary of Defense, as Executive Agent or with the office of the Director of Intelligence/Director of Central Intelligence Agency to inspect and monitor these programs in whole or in part on behalf of the Secretary of Homeland Security. The specific requirements necessary to protect classified information released to private industry are found in NISPOM; found in DoDI 5220.31 “National Industrial Security Program (NISP),” which incorporates and cancels DoD Instruction 5220.22, “National Industrial Security Program,” March 18, 2011, as amended. The SF 328 incorporates its usage for the NISP portion of the Classified Critical Infrastructure Protection Program as stipulated under E.O. 12829, as amended by E.O. 13691. Revisions to the SF 328 will also incorporate its usage under the DoD's Innovation initiative through the DoD Enhanced Security Program (DESP), pursuant to section 951 of Public Law 114-328 (10 U.S.C. 1564 note). The DESP is a DoD only initiative and is not part of the NISP. Companies participating under the DESP do not require a DoD contract but are required to enter into a Memorandum of Agreement. Completion of the SF 328 and submission of supporting documentation ( e.g., company or entity charter documents, board meeting minutes, stock or securities information, descriptions of organizational structures, contracts, sales, leases and/or loan agreements and revenue documents, annual reports and income statements, etc.) is part of the eligibility determination for access to classified information and/or issuance of an Entity Eligibility Determination (also known as a Facility Security Clearance).

Section 847 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92), “Mitigating Risks Related to Foreign Ownership, Control, or Influence of Department of Defense Contractors or Subcontractors,” requires the Secretary for Defense to improve the process and procedures for the assessment and mitigation of risks related to FOCI of contractors and subcontractors doing business with the DoD, in conjunction with the Departments efforts to develop and implement an improved analytical framework for mitigating risk relating to ownership structure, as required by 10 U.S.C. 2509 and section 847 of Public Law 116-92. To fulfill the requirements of sec. 847, contractors and subcontractors must disclose to DCSA their beneficial ownership and whether they are under FOCI, and to update those disclosures when changes occur to information previously provided consistent with the requirements of the NISPOM. In addition, sec. 847 provides for the creation of other measures as necessary to be consistent with other relevant authorities, including the NISP.

The Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) Extension Act of 2022, Public Law 117-183, section 4, “Foreign Risk Management” (DoD SBIR/STTR programs), requires the head of each Federal agency required to establish a SBIR or STTR program to implement a due diligence program to assess security risks presented by small business concerns seeking federal awards. These security risks includes, among other things, foreign interested-related risks. The DoD intends to utilize the SF 328 as the basis for information collection for DoD SBIR/STTR program participants to disclose their foreign interests, and to report any future changes, as appropriate. For DoD SBIR/STTR, the DoD will use this form to collect information to conduct a risk-based due diligence review and assess security risks presented by small business concerns seeking a federally funded award through the DoD SBIR/STTR programs. The submission will be required to be submitted as part of the SBIR/STTR solicitation package, and details concerning its submission will be included in the solicitation published to perspective submitters.

The use of the SF 328 will also be required by the forthcoming Cybersecurity Maturity Model Certification (CMMC) program, which is currently in the Rulemaking process under 32 CFR part 170. The CMMC program will require CMMC Level 2 Certification Assessments be conducted by a CMMC Third Party Assessment Organization (C3PAO), accredited by the DoD approved CMMC Accreditation Body (AB). To be accredited, the CMMC AB and all C3PAOs must receive a favorable adjudication and not be subject to a level of risk from Foreign Ownership, Control, or Influence (FOCI) as determined by the CMMC Program Management Office (PMO). DCSA will conduct the FOCI assessments for the CMMC AB and C3PAOs after they are nominated by the CMMC PMO.

The multiple authorized uses of this form will create uniformity among numerous authorities responsible for the vetting or review of companies or entities for foreign interest-related risks. In addition, it will establish more consistency among industry concerning their basic information submission requirements regarding foreign interest information.

The submission of the SF-328, and supporting documentation, may be done electronically through a government approved system of record.

Affected Public: Business or other for profit; Not-for-profit institutions.

Frequency: On occasion.

Respondent's Obligation: Voluntary.

OMB Desk Officer: Ms. Jasmeet Seehra.

You may also submit comments and recommendations, identified by Docket ID number and title, by the following method:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Instructions: All submissions received must include the agency name, Docket ID number, and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

DoD Clearance Officer: Mr. Reginald Lucas. ( print page 74279)

Requests for copies of the information collection proposal should be sent to Mr. Lucas at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.