What is defense supply chain compliance?

Defense supply chain compliance is the set of regulatory requirements that govern how DoD contractors and their suppliers source, verify, and protect goods, services, and information throughout the supply chain. Key regulations include DFARS 252.204-7018 (supply chain risk reporting), Section 889 of the NDAA (banned telecommunications equipment), and counterfeit parts prevention standards AS6171 and AS6081. [VERIFIED: DFARS, NDAA 2019 §889, SAE International AS6171/AS6081]

What is DFARS 252.204-7018?

DFARS 252.204-7018 is the 'Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services' clause. It requires contractors to report if they discover covered defense telecommunications equipment or services in their supply chain during contract performance. Contractors must also provide semiannual reports to the Contracting Officer on discovered covered equipment. [VERIFIED: DFARS 252.204-7018, 48 CFR 252.204-7018]

What does Section 889 prohibit?

Section 889 of the FY2019 National Defense Authorization Act prohibits federal agencies from procuring or using telecommunications and video surveillance equipment or services from Huawei, ZTE, Hytera, Hikvision, Dahua, and their subsidiaries. It also prohibits contracts with companies that use such equipment in their own networks. Both prohibitions are now fully in effect and apply throughout the supply chain. [VERIFIED: NDAA FY2019 §889, FAR 52.204-24, FAR 52.204-25]

What are the four tiers of the defense supply chain?

Tier 1 contractors have direct contracts with DoD agencies. Tier 2 suppliers provide major subsystems, assemblies, or services to Tier 1 primes. Tier 3 suppliers provide components, materials, and services to Tier 2. Tier 4 suppliers are raw material and specialty item providers at the base of the supply chain. Compliance obligations flow down from Tier 1 through contract clauses, with DFARS requirements reaching all tiers that handle defense articles or controlled technical data. [AI-GENERATED tier framework based on DoD supply chain architecture]

How do counterfeit parts regulations apply to defense contractors?

DFARS 252.246-7007 and 252.246-7008 require contractors to establish counterfeit electronic part detection and avoidance systems. SAE AS6171 provides test methods for detecting counterfeit electronic parts. SAE AS6081 covers fraudulent/counterfeit electronic parts for distributors. Non-compliance can result in disallowed costs, liability for rework, and potential False Claims Act exposure. [VERIFIED: DFARS 252.246-7007, DFARS 252.246-7008, SAE International AS6171, SAE International AS6081]

What is NIST SP 800-161 and how does it apply?

NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) provides guidance for managing cybersecurity risks across the supply chain. It is the foundational reference for DoD SCRM programs and aligns with NIST SP 800-53 controls. While not yet a mandatory standalone standard, it underpins CMMC supply chain risk requirements and is increasingly referenced in DoD acquisition guidance. [VERIFIED: NIST SP 800-161 Rev. 1, NIST.gov]

How is the defense megacycle buildout changing supply chain requirements?

The DoD megacycle buildout — covering data centers, edge computing, and cloud infrastructure — is introducing new supply chain compliance requirements for power, cooling, and networking vendors. These providers now face DoD supply chain risk reviews, Section 889 equipment screening, and in some cases CMMC obligations if they handle CUI or technical specifications in their infrastructure services. [AI-GENERATED analysis based on DoD infrastructure expansion trends]

Defense Supply Chain Compliance Requirements: 2026 Guide

Why Defense Supply Chain Compliance Matters

The DoD supply chain is a $400B+ ecosystem spanning thousands of prime contractors, tens of thousands of subcontractors, and millions of supplier relationships. It is also one of the primary attack surfaces for adversarial nation-states. [VERIFIED] DFARS 252.239-7017, DFARS 252.204-7018

Supply chain failures cost the DoD in two ways: directly through counterfeit parts that cause mission failures, and indirectly through adversary access to sensitive technical data flowing through non-compliant suppliers. Both attack vectors are addressed through the layered compliance framework described in this guide.

Critically, supply chain compliance is not just a prime contractor problem. Obligations flow down to Tier 2, Tier 3, and in some cases Tier 4 suppliers through DFARS contract clauses. If you hold a subcontract under a DoD prime, you are already subject to many of these requirements — whether or not your prime has told you.

⚠️ Key Compliance Trigger

The presence of DFARS 252.204-7012, 252.204-7018, or 252.246-7007 in your prime's contract means these obligations flow to you as a subcontractor. Review your subcontract clauses carefully.

Defense Supply Chain Tiers Explained

The DoD supply chain is structured in tiers based on contractual relationship to the government. Each tier carries distinct compliance obligations, and requirements flow down through contract clauses — not always clearly communicated.

Prime Contractors

Direct contracts with DoD agencies. Highest compliance burden. Responsible for flowing requirements to their supply chain.

Full DFARS compliance suite
CMMC Level 2 or 3 (as required)
Section 889 certifications
SCRM program required
Subcontractor oversight required
Counterfeit parts program

Major Subcontractors

Provide major assemblies, subsystems, or managed services to Tier 1 primes. Significant compliance flow-down via prime's subcontract clauses.

DFARS 252.204-7018 (Section 889)
CMMC Level 1 or 2 (if CUI handled)
Counterfeit parts detection
Supply chain risk reporting
ITAR/EAR compliance if controlled items

Component Suppliers

Provide components, materials, and specialized services to Tier 2. Compliance scope depends on what they manufacture or handle.

Section 889 compliance for telecom
AS6171/AS6081 (electronic parts)
CMMC Level 1 minimum (if FCI flows)
Traceability documentation
Certificate of Conformance requirements

Raw Material & Specialty Suppliers

Raw materials, fasteners, specialty alloys, bulk electronics. Often overlooked but increasingly targeted by adversaries for materials substitution and counterfeiting.

Traceability chain of custody
Specialty metals compliance (Buy American/Berry)
Certificate of Compliance
Qualified Manufacturers List (QML) where applicable

[AI-GENERATED] Tier framework based on DoD supply chain architecture. Specific obligations vary by contract and program. [VERIFIED] DFARS flow-down requirements: DFARS 252.204-7021, DFARS 252.204-7018

Supply Chain Risk Management (SCRM) Framework

SCRM — Supply Chain Risk Management — is the systematic process of identifying, assessing, and mitigating risks across the defense supply chain. The DoD's SCRM framework draws from multiple standards, but the primary reference is NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices). [VERIFIED] NIST SP 800-161 Rev. 1

Core SCRM Requirements

A functional SCRM program for DoD contractors covers four domains:

Supplier identification and vetting: Know who is in your supply chain. This means tracking not just Tier 2 but also critical Tier 3 and Tier 4 suppliers. Foreign ownership, control, and influence (FOCI) reviews are required for suppliers accessing classified or sensitive programs.
Continuous monitoring: Supplier status changes — bankruptcy, acquisition by foreign entities, personnel changes in key roles. SCRM programs must monitor for triggering events that increase supply chain risk.
Incident reporting: When supply chain compromises are discovered, DFARS 252.204-7012 and related clauses require reporting to the DoD Cyber Crime Center (DC3) within 72 hours. [VERIFIED] DFARS 252.204-7012
Alternative sourcing: Critical programs must maintain fallback suppliers for critical components. Single-source dependencies on foreign suppliers for defense-critical materials are increasingly disallowed in DoD solicitations.

DFARS 252.204-7018: Supply Chain Risk Reporting

DFARS 252.204-7018 (Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services) is the foundational supply chain risk clause. It requires contractors to: [VERIFIED] DFARS 252.204-7018

Report to the Contracting Officer any discovery of covered telecommunications equipment or services as a part of its performance of the contract
Submit semiannual reports (on June 30 and December 31 each calendar year) that identify all covered telecommunications equipment or services discovered during that reporting period
Require the same reporting from subcontractors who perform work supporting the contract

📋 What Counts as "Covered" Telecom Equipment

Under DFARS 252.204-7018 and Section 889, covered equipment includes telecommunications or video surveillance equipment or services produced or provided by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, or Dahua Technology — or any subsidiary or affiliate of those entities. [VERIFIED] NDAA FY2019 §889(f)(3)

Section 889: Banned Telecommunications Equipment

Section 889 of the FY2019 National Defense Authorization Act imposes two distinct prohibitions, both now fully in effect. [VERIFIED] NDAA FY2019 §889, FAR 52.204-24, FAR 52.204-25

Prohibition	FAR Clause	What It Covers	Status
Part A Don't procure covered equipment	FAR 52.204-25	Federal agencies cannot buy covered telecom equipment/services for use or incorporated into a system	In Effect
Part B Don't contract with covered users	FAR 52.204-24	Agencies cannot contract with companies that use covered equipment in their own infrastructure	In Effect

Banned Equipment Entities

The five named entities and their subsidiaries/affiliates whose equipment is prohibited: [VERIFIED] NDAA FY2019 §889(f)(3)

Huawei Technologies Company — network infrastructure, 5G equipment, enterprise switches
ZTE Corporation — networking equipment, mobile infrastructure
Hytera Communications Corporation — two-way radios, digital mobile radio
Hangzhou Hikvision Digital Technology — video surveillance, IP cameras, NVRs
Dahua Technology Company — video surveillance, IP cameras, access control

⚠️ Part B is the Hidden Risk

Most contractors address Part A (don't buy covered equipment for the government). Part B is harder: it prohibits contracting with a company that uses covered equipment anywhere in its own operations — including in its own corporate network, security cameras, or phone systems. [AI-GENERATED] This has caught contractors off guard who had legacy Hikvision cameras in their own facilities.

Representation Requirements

FAR 52.204-24 requires annual representations in the System for Award Management (SAM.gov). Contractors must represent whether they use covered telecommunications equipment and if so provide details. False representations create False Claims Act liability. [VERIFIED] FAR 52.204-24

Counterfeit Parts Prevention: AS6171 and AS6081

Counterfeit electronic parts cost the DoD an estimated $200B+ over the past decade and have directly contributed to weapons system failures. [AI-GENERATED] Two DFARS clauses and two SAE International standards govern counterfeit parts requirements for defense contractors.

DFARS 252.246-7007 and 252.246-7008

These clauses require contractors to establish and maintain an acceptable counterfeit electronic part detection and avoidance system. Requirements include: [VERIFIED] DFARS 252.246-7007, DFARS 252.246-7008

Training personnel to detect counterfeit electronic parts
Inspection and testing of electronic parts, including purchasing from trusted suppliers (OCMs, authorized distributors, or independent distributors who perform SAE AS6081 testing)
Reporting of counterfeit electronic parts or suspected counterfeit electronic parts to the Government-Industry Data Exchange Program (GIDEP)
Flowdown of requirements to subcontractors that provide electronic parts to the contractor

SAE AS6171: Test Methods for Counterfeit Detection

AS6171 is the SAE International standard for test methods for counterfeit electronic parts detection. It provides: [VERIFIED] SAE AS6171

A tiered testing framework (AS6171/1 through AS6171/9) addressing different component types and failure modes
Visual inspection, X-ray, decapsulation, and electrical testing methods
Acceptance criteria for parts that may have been refurbished, remarked, or come from unauthorized sources

SAE AS6081: Independent Distributors

AS6081 governs fraudulent and counterfeit electronic parts mitigation procedures specifically for independent distributors. If a defense contractor sources electronic parts from an independent distributor (not an original component manufacturer or authorized distributor), AS6081 compliance is required from that distributor. [VERIFIED] SAE AS6081

Standard/Clause	Applies To	Key Requirement
DFARS 252.246-7007	Contractors acquiring electronic parts for use in a DoD contract	Must have DoD-acceptable counterfeit avoidance system; must not purchase from brokers/spot market without additional testing
DFARS 252.246-7008	Contractors acquiring electronic parts valued over $500 per unit	Electronic parts must come from original manufacturers, authorized suppliers, or trusted suppliers with SAE AS6081 controls
SAE AS6171	Test labs and contractors testing suspect parts	Standardized test methods for detecting counterfeit electronic parts by component type
SAE AS6081	Independent distributors of electronic components	Testing, traceability, and certification procedures for parts from non-OCM sources

Data Center Supply Chain Requirements

As the DoD's compute infrastructure expands — cloud, edge nodes, and classified enclaves — data center suppliers face new supply chain scrutiny. Power, cooling, and networking vendors supporting defense data centers are increasingly required to demonstrate supply chain integrity. [AI-GENERATED]

What's Required of Data Center Suppliers

Power equipment: UPS systems, PDUs, and backup generators must be screened for banned telecommunications-adjacent components. Critical power management software must also be evaluated for foreign software dependencies.
Cooling: Building management systems (BMS) and cooling controls increasingly run software with remote access capabilities. These systems must be evaluated for Section 889-adjacent telecom components and FOCI concerns in their software supply chains.
Networking: All network equipment serving classified or sensitive unclassified workloads must be sourced from approved vendors per the DoD Approved Products List (APL). Huawei, ZTE, and associated entities are excluded. Fiber providers serving classified facilities face background investigation requirements for technicians.

Managed Service Provider Requirements

MSPs and cloud service providers supporting DoD data must now meet FedRAMP authorization at the appropriate impact level, plus DFARS 252.204-7012 for CUI. For classified environments, CSPs must hold DoD Impact Level 4/5/6 authorization from DISA. [VERIFIED] DISA Cloud Computing Security, DoD IL authorization framework

The Megacycle Buildout and Supply Chain Implications

The DoD megacycle buildout — a generational expansion of defense AI infrastructure, data centers, and edge computing nodes — is materially changing supply chain compliance requirements. [AI-GENERATED]

Three shifts are underway:

1. Infrastructure Vendors Entering the Compliance Perimeter

Previously, data center vendors (power, cooling, structured cabling) operated largely outside the compliance perimeter. The megacycle buildout is pulling these vendors in. DoD data center contracts now routinely include DFARS clauses that flow to facility infrastructure suppliers — not just IT hardware and software vendors.

2. AI Hardware Supply Chain Scrutiny

GPUs, networking ASICs, and memory used in DoD AI programs face the same supply chain risk review as any other defense electronics. As NVIDIA, AMD, and other AI semiconductor suppliers become critical defense vendors, their own supply chains — fabless design, TSMC manufacturing, packaging in Southeast Asia — face DoD scrutiny. Programs of record increasingly require bills of materials for AI hardware. [AI-GENERATED]

3. Software Supply Chain Requirements

Executive Order 14028 (May 2021) and subsequent DoD guidance now require Software Bills of Materials (SBOMs) for software delivered under federal contracts. This extends supply chain requirements into the software layer: every open source dependency, every third-party library, every container base image must be traceable. [VERIFIED] EO 14028, WhiteHouse.gov; CISA SBOM resources

🔭 Where This Is Heading

The trajectory is toward full supply chain traceability — hardware BOM, software BOM, and supplier compliance attestations — as standard contract deliverables. Contractors who build these systems now will have a significant competitive advantage as requirements mature. [AI-GENERATED]

Key Compliance Requirements by Tier

Requirement	DFARS/FAR Clause	Tier 1	Tier 2	Tier 3	Tier 4
Section 889 representation	FAR 52.204-24/25	Required	Flow-down	Flow-down	Conditional
Telecom supply chain reporting	DFARS 252.204-7018	Required	Flow-down	Conditional	—
CUI/cybersecurity (DFARS 7012)	DFARS 252.204-7012	Required	Flow-down	Conditional	—
CMMC certification	DFARS 252.204-7021	Required	Flow-down	Conditional	—
Counterfeit parts avoidance	DFARS 252.246-7007/7008	Required	Flow-down	Flow-down	Conditional
GIDEP counterfeit reporting	DFARS 252.246-7008	Required	Flow-down	Flow-down	—
SCRM program	NIST SP 800-161 / CMMC SC domain	Required	Conditional	—	—
SBOM delivery	EO 14028 / NIST guidance	Required	Flow-down	Conditional	—

[AI-GENERATED] Tier applicability is an analytical framework. Specific contract clauses govern actual obligations. [VERIFIED] Clause citations: DFARS acquisition.gov, FAR acquisition.gov

Frequently Asked Questions

What is the SCRM domain in CMMC?

CMMC Level 2 includes 17 Supply Chain Risk Management (SR) practices derived from NIST SP 800-171 and NIST SP 800-161. These require contractors to identify and prioritize critical suppliers, establish supply chain risk assessment processes, and include supply chain risk requirements in acquisition strategies. [VERIFIED] CMMC Model v2.1, DoD CIO. dodcio.defense.gov/CMMC/

Does Section 889 apply to subcontractors?

Yes. FAR 52.204-24 requires the representation by all offerors and must be included in solicitations and contracts. Prime contractors must flow Section 889 requirements down to subcontractors at all tiers. The representation covers both the subcontractor's own equipment use and the equipment used in performing work on the contract. [VERIFIED] FAR 52.204-24

What is GIDEP and when must I report to it?

GIDEP (Government-Industry Data Exchange Program) is a cooperative activity between government and industry that seeks to reduce or eliminate expenditures of resources by sharing technical information. When a contractor identifies a counterfeit electronic part or suspect counterfeit under DFARS 252.246-7008, it must report the part to GIDEP within 60 days of discovery. Failure to report is itself a compliance violation. [VERIFIED] DFARS 252.246-7008, gidep.org

Are there specialty metals requirements separate from Section 889?

Yes. DFARS 252.225-7014 (Preference for Domestic Specialty Metals) requires that specialty metals incorporated in defense articles be melted or produced in the United States or a qualifying country. Specialty metals include steel, aluminum, titanium, zirconium, and others. Waivers exist for commercially available items but require documentation. This requirement reaches Tier 2 and Tier 3 suppliers of metal components. [VERIFIED] DFARS 252.225-7014

How do I check if a supplier is on the Entity List or CAATSA sanctions?

Use the Consolidated Screening List (CSL) maintained at trade.gov, which combines the BIS Entity List, SDN List, Debarred Parties List, and others into a single search. Additionally, CAATSA sanctions (Countering America's Adversaries Through Sanctions Act) can affect relationships with Russian, Iranian, and North Korean defense-sector entities. Defense contractors should screen suppliers at contract initiation and annually. [VERIFIED] trade.gov Consolidated Screening List

What is a Software Bill of Materials (SBOM) and is it required?

An SBOM is a formal record of the components, libraries, and dependencies in a software product — the software equivalent of a hardware bill of materials. Executive Order 14028 (May 2021) directed NIST to publish SBOM guidance, and CISA has published minimum SBOM requirements. For federal contracts, SBOM delivery requirements are appearing in newer DoD contracts, especially for critical software. The scope and format (SPDX or CycloneDX) are contract-specific. [VERIFIED] CISA SBOM resources, EO 14028

Getting Started with Supply Chain Compliance

The right starting point depends on your tier and contract profile. Here's a practical sequence: [AI-GENERATED]

Audit your subcontract clauses. Pull every DFARS clause from your current contracts. Flag 252.204-7012, 252.204-7018, 252.246-7007, 252.246-7008, and FAR 52.204-24/25. These are your active obligations.
Screen your infrastructure for Section 889 equipment. Walk through your facility and IT environment. Any Hikvision or Dahua cameras? Any Huawei or ZTE networking equipment? Legacy equipment in a closet counts. These need to come out before you can make a clean FAR 52.204-24 representation.
Map your electronic parts supply chain. For hardware products, identify which electronic components come from independent distributors (not OCMs or authorized distributors). These suppliers need AS6081-compliant testing programs or you need to shift to OCM/authorized channels.
Review your SPRS score for SC domain practices. If you're tracking NIST SP 800-171 via SPRS, look specifically at Supply Chain Risk Management (SC) practices. These are among the most commonly unimplemented controls in defense contractor assessments.
Use the Pulse tool to monitor your compliance posture and get alerts on regulatory changes affecting your supply chain obligations. Monitor your compliance at /tools/pulse →

For a broader view of your subcontractor compliance obligations beyond supply chain, see our Defense Subcontractor Compliance guide and the ITAR Compliance for Manufacturers guide.