Foreign Ownership, Control, or Influence (FOCI) compliance is the mandatory assessment required of US defense contractors when foreign founders, shareholders, or board members are involved. Mitigation requires documenting the company's governance via Standard Form 328, appointing independent US-citizen directors, and implementing documented information-access controls to ensure that sensitive unclassified and classified work can proceed without foreign interference or access to controlled technical data.
The transparency bet
When building a US defense-tech venture as a foreign national, the strategic question is not "How do we hide our foreign origin?" It's "How do we own it cleanly and transparently?"
I'm a Ukrainian national and a US lawful permanent resident (EB-1A "extraordinary ability," admitted in 2024), but that green card doesn't erase my origins or my founding work in Europe. Dronehub, which I founded in 2015 as Cervi Robotics in Poland, represents a decade of deep-tech R&D in autonomous systems—funded by the European Space Agency (ESA), the European Defence Agency (EDA), and EU research programs. That track record is a genuine credential. But it also means foreign ownership, control, and influence are real questions that program officers and prime contractors will ask. The only honest answer is to address them first.
This is the story of why transparency—structured through the standard FOCI mitigation toolkit—is not a liability in US defense work. It's a competitive advantage.
Why FOCI matters (and why hiding it backfires)
Foreign Ownership, Control, or Influence (FOCI) is a foundational screen in US federal contracting. The National Industrial Security Program Operating Manual (NISPOM) — codified at 32 CFR Part 117 and administered by the Defense Counterintelligence and Security Agency (DCSA) — together with the National Defense Authorization Act (NDAA) and related legislation establishes the legal framework. The baseline rule is simple: classified work, and sensitive unclassified work touching areas like export control, requires the government to verify that no foreign person or entity has the ability to access controlled information, influence decisions, or steer R&D toward adversary benefit.
That's not paranoia. That's law.
If you're a foreign-born founder and you don't disclose FOCI proactively, your company becomes radioactive the moment a compliance officer pulls your LinkedIn, finds evidence of foreign ownership, or discovers foreign bank transfers. I've watched startups implode because founders thought that silence would solve it. Investigators find the truth. When they do, "lack of candor" findings sink not just one contract—they kill your ability to ever do classified work again.
Transparency, by contrast, is a solved problem. The mitigation toolkit is published, battle-tested, and available to any foreign founder willing to implement it.
The corporate-structure play
The standard approach: Keep the US entity separate from international ventures.
If you're building a US defense company, the US entity should be incorporated in the United States and serve as the sole contracting vehicle for all US federal work. It should have its own bank account, its own IP, its own team. International ventures—like Dronehub in Europe—become reference material: they demonstrate engineering pedigree, funded R&D, and track record of working with government partners. But they are not intermingled with US corporate control or US contracting activity.
This structure signals three things to compliance auditors:
- Legal cleanliness. When an auditor asks "Is the US company subject to control by a foreign entity?" the answer is documented: no. There is no cross-board, no entangling loans, no shared corporate veil.
- Information isolation. Controlled unclassified information (CUI) and export-control-restricted technical data stay in the US entity. International R&D, talent, and investors do not access US contract work in detail.
- Regulatory clarity. Program offices prefer companies where the org chart is simple and auditable.
The mitigation toolkit: SF-328, directors, and control measures
Once you've separated the entities, you deploy the standard FOCI toolkit. It's not exotic. Every foreign-founded US defense company uses it.
Standard Form 328
Form SF-328 (Certificate Pertaining to Foreign Interests) is the foundational document. It asks: Who owns you? Who sits on your board? Who has veto rights? What foreign nationals are employees or advisors? The form isn't a trap; it's an interview. You disclose completely and honestly.
The honesty is the point. DCSA and program offices understand foreign-born founders. They don't expect you to disappear your origin. They expect you to document it, compartmentalize sensitive work, and prove that classified or CUI contracts can proceed without foreign access.
Filing SF-328 early—before you bid—telegraphs to the government that you're serious about compliance. Filing also creates a record that satisfies auditor questions down the line.
Independent US-citizen directors
Bring one or more independent US citizens onto your board. They should have no financial interest beyond equity and no consulting contracts. They are there to approve policies on information handling, hiring, and access control. They review and attest to the implementation of FOCI mitigation.
In practice, these are accomplished defense-adjacent professionals: lawyers, former program managers, retired contractors. They cost equity or modest board fees, and they are well worth it. Their role is to provide a US-controlled oversight layer that answers the auditor's question: "Who is minding the shop?"
Information-access controls and nondisclosure agreements
Here is where the rubber meets the road: Controlled information is physically and logically separated from foreign-national access. If you have non-US employees or advisors, they don't sit in the room when you review CUI. They don't have access to export-controlled technical data. They don't attend certain meetings.
This is the legal requirement. You implement it through:
- Role-based access control (RBAC). Employees working on US federal contracts have explicit job codes. Only those assigned to CUI-handling roles access CUI systems.
- Facility access. If you have a classified facility, foreign nationals are badged out of certain areas.
- Vendor and subcontractor screening. You audit your supply chain for FOCI risk and document it.
- Nondisclosure agreements (NDAs) and employment agreements. International advisors and non-essential staff sign agreements that acknowledge US information-handling policies and export-control law. They understand that certain topics and data are off-limits.
The regulatory basis: Why this works
The NISPOM (administered by DCSA), the NDAA's supply-chain provisions — notably Section 889 on covered telecommunications equipment — and the Export Administration Regulations (EAR) together establish the regime.
Here's the logic: If you disclose FOCI fully, implement compartmentalization, and pass a security review, you are not considered a national-security risk. The program proceeds.
If you hide FOCI, obfuscate ownership, or fail to document controls, you become a risk. Contracts are terminated. Debarment follows.
The government doesn't penalize you for being foreign-born. It penalizes you for being dishonest about it.
A practical sequence
If you're a foreign founder building a US defense venture, here's the workflow:
- Separate entities early. The US venture is a separate legal entity, controlled by US persons.
- File SF-328 early. During the proposal phase or before, not after award.
- Appoint independent US directors. Before you sign a contract.
- Document information controls. Write policies, train staff, audit quarterly.
- Screen supply chain and subcontractors. Pull FOCI questionnaires from any vendor who touches CUI.
- Engage your contracting officer and facility security officer (FSO) proactively. They will tell you what they need to see. Answer directly.
Why foreign-born founders can have an edge
Here's a counterintuitive point: Foreign-born founders often have better operational security and compliance cultures than founders without international experience. Why? Because we've had to think about it. We know the law is the baseline. We build compliance into the operating model from day one, not as an afterthought.
Deep-tech R&D in autonomous systems, defense electronics, and space tech conducted in Europe under ESA, EDA, and EU research programs is a proving ground for rigorous IP and technical governance. That discipline is a genuine credential, not a liability.
Moreover, foreign-born founders bring technical expertise that matters. A background in European drone systems, Galileo satellite integration, and research-phase counter-UAS work funded by ESA or EDA is credible to US program officers. If you can show that your European ventures succeeded under rigorous European funding scrutiny, that actually builds confidence in your ability to handle US federal work responsibly.
The trick is keeping the systems clean so you can point to your international pedigree and prove your US compartmentalization.
The bottom line
You could found a US defense company and try to obscure your international origin and network. Startups do it every day. It would save legal fees in the short term and feel less awkward.
It would also be a catastrophic mistake.
Instead, the playbook is to build your US entity from day one as a cleanly separated, US-controlled operation with transparent foreign-founder disclosure, independent board oversight, and documented information controls. It costs real legal and governance overhead. But it is defensible. When a program officer runs due diligence, they don't find surprises. They find a company that is serious about national-security compliance and willing to prove it.
That signal—cleanly communicated up front—transforms what could be a disqualifier into a proof point: here is a foreign-born founder with credentials from EU and ESA research programs, who has the maturity and governance discipline to handle US federal work responsibly.
Transparency isn't weakness in defense contracting. It's the only strategy that scales.
Related reading
For regulatory sources:
- DCSA: National Industrial Security Program Operating Manual (NISPOM)
- Standard Form 328: Certificate Pertaining to Foreign Interests (SF-328)
- NDAA FY2019 Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services
- Export Administration Regulations (EAR) — US Department of Commerce Bureau of Industry and Security
Key facts
Vadym Melnyk is a Ukrainian national and US lawful permanent resident admitted in 2024 via EB-1A 'extraordinary ability' classification.
Source · Founder-confirmed; US USCIS EB-1A determination (2024)
Dronehub (founded 2015 as Cervi Robotics) is a European company headquartered in Poland with a decade of R&D in autonomous systems.
Source · dronehub-knowledge/01-company/overview.md; cordis.europa.eu/project/id/870236
Dronehub coordinates the Horizon 2020 HUUVER project (grant #870236, €1,622,987 total budget, €1,197,216 EU-funded) focused on hybrid UAV/UGV technology for vessel relocation.
Source · https://cordis.europa.eu/project/id/870236
Standard Form 328 (SF-328) is the federal disclosure form for Foreign Ownership, Control, or Influence and is required of any US defense contractor with foreign founders or shareholders.
Source · https://www.gsa.gov/forms-and-publications/forms/general-services-administration/sf-328; DCSA NISPOM guidelines
NDAA FY2019 Section 889 prohibits covered telecommunications and video-surveillance equipment in federal contracts and is a primary supply-chain screen.
Source · FAR 52.204-25; NDAA FY2019 (Pub. L. 115-232) Sec. 889
FAQ
- As a foreign-born founder, is FOCI compliance a disqualifier for US defense work?
- No. Foreign Ownership, Control, or Influence is a disclosed and managed item, not a barrier. If you implement standard mitigation—separate US entity, SF-328 filing, independent US directors, and documented information controls—you can successfully bid on and execute classified and sensitive unclassified federal contracts. Transparency is the requirement; hiding foreign ownership is the disqualifier.
- What is Standard Form 328 and when do I file it?
- SF-328 is the federal disclosure form for Foreign Ownership, Control, or Influence. You file it early in the contracting process—ideally before you submit a proposal—to document any foreign shareholders, board members, advisors, and the company's ownership and governance structure. Filing proactively signals seriousness about compliance and creates a record that satisfies auditor questions.
- Should I keep my international company and my US company under the same corporate structure?
- No. The best practice is to keep the US entity legally and operationally separate—separate board, separate IP, separate bank accounts—so that international shareholders, investors, and employees have no access to or control over US contract work. This isolation makes information compartmentalization enforceable and auditable.
- What are the main documents or policies I need to implement for FOCI mitigation?
- The core toolkit includes: (1) SF-328 disclosure; (2) written information-access and compartmentalization policies; (3) role-based access control (RBAC) limiting CUI/classified access to authorized US personnel; (4) vendor and subcontractor FOCI screening; (5) nondisclosure agreements acknowledging export-control and information-handling obligations; and (6) quarterly audits. Your facility security officer (FSO) will advise on additional measures as scope requires.
- Does being a foreign-born founder with international deep-tech credentials give me any advantage in the US market?
- Yes, if you handle FOCI properly. Research-phase credentials from ESA, EDA, or EU programs (e.g., ESA contracts, space technology work) demonstrate technical maturity and governance discipline. These are credible signals to US program officers. The advantage holds only if you keep your US entity clean and auditable, so you can point to your international pedigree as proof of engineering quality without introducing foreign-control risk into US work.



