Congress Restricts AI Supply Chain Access for Defense Manufacturers

The 2026 National Defense Authorization Act introduces broad prohibitions on "Covered AI" in defense and intelligence agency contracts, creating a new compliance layer for manufacturers serving U.S. military supply chains.

The restrictions, analyzed by Freshfields partners Beth George and Anna Gressel alongside counsel Nathan Castellano, target AI systems developed by DeepSeek, its parent company High Flyer, and any entity owned, funded, or supported by High Flyer — including those with indirect ownership stakes as low as 20%. The prohibitions extend to AI from companies domiciled in or controlled by covered nations (North Korea, China, Russia, and Iran), entities on the Commerce Department's Consolidated Screening List, and organizations on China's civil-military fusion list.

The scope reaches well beyond prime contractors. The NDAA's requirements cascade through subcontractors and suppliers, meaning a component manufacturer using AI-powered quality inspection built on a covered system could expose the entire contract chain to liability. Companies must certify compliance, and incorrect certification carries False Claims Act exposure — a federal statute with treble damages and per-claim penalties.

The Secretary of Defense is also tasked with developing security frameworks addressing supply chain risks: counterfeit AI components, data poisoning, adversarial tampering, and unauthorized exposure or theft of AI technologies. These standards will build on the existing Cybersecurity Maturity Model Certification program.

For manufacturing AI operators in the defense industrial base, the practical requirement is straightforward — audit your AI supply chain now, from training data provenance to model origin, or risk exclusion from defense contracting.

Sources

AI Supply Chain and Security: Congress Mandates Strict Controls for AI Acquired by Defense Agencies — Freshfields