On December 18, 2025, President Trump signed the National Defense Authorization Act for Fiscal Year 2026 into law. Congressman Rick Allen, who supported the bill on the House floor, called it “a generational investment in our national defense.” At $900.6 billion and over 3,000 pages, it didn’t just set a defense budget; it reset the rules of engagement for every organization that sells into, supports, or supplies the U.S. government supply chain.
Three months have passed. Has your organization been able to implement all the necessary changes? If not, you’re probably not alone. Here are a few important benchmarks, and a checklist, to get you back on track.
What Actually Changed: The Four Shifts That Matter Most
1. Supply Chain Visibility Is Now a Contractual Expectation
The FY2026 NDAA formalized something that has been directionally true for years: the government wants to see inside your supply chain, not just your direct operations. Under Section 832, DoD must now allow expedited acceptance and qualification of critical readiness items, and contracting officers are expected to probe sourcing strategies and domestic alternatives earlier, including during pre-award. Section 833 creates an interim national security waiver program that actually incentivizes proactive disclosure: contractors who identify noncompliant sources through their own supply chain illumination systems can qualify for waivers through January 2028. That’s a meaningful carrot, but it only works if you have the monitoring infrastructure to find the issues in the first place.
Perhaps most telling is Section 838, which requires DoD to assess which of its own critical infrastructure depends on foreign materials or components. Congress had to mandate that the government map its own foreign dependencies, which should be read as an unambiguous signal about what will be expected of contractors next.
2. Foreign Adversary Restrictions Got Broader, More Specific, and Harder to Waive
The NDAA sharpened restrictions on supply chain exposure to China, Russia, Iran, and North Korea in ways that go well beyond prior iterations. The critical shift is in how compliance is now assessed: rather than looking only at where a product was finally assembled, the law evaluates ownership, control, processing, and component inputs at multiple stages of production.
Several provisions stand out. Section 842 prohibits DoD from procuring advanced batteries, including cells and key components, where they are owned by, sourced from, refined in, or produced by a foreign entity of concern, on a phased timeline already underway. Section 844 adds molybdenum, gallium, and germanium to the list of restricted covered materials. Sections 834 and 835 require DoD to develop strategies to eliminate reliance on adversary nations for optical glass and computer displays by 2030, while Section 850 phases out computer and printer acquisitions involving entities owned or controlled by China entirely. Section 847 extends these restrictions to photovoltaic modules and power inverters from foreign entities of concern.
For contractors, none of this is theoretical. Solicitation language is already probing multi-tier supplier identification, ownership information, and sourcing details at lower tiers of the supply chain. If your supplier list doesn’t capture that level of visibility, you’re going into bid season blind.
3. Cybersecurity Harmonization Is Coming — But Baseline Expectations Are Rising Now
Section 866 directs DoD to harmonize cybersecurity requirements across the Defense Industrial Base by June 1, 2026, with the intent to reduce duplicative and inconsistent contract-specific requirements. That’s a genuine concession to the compliance burden contractors have carried for years — but don’t mistake harmonization for a lowering of the bar. The same section requires a framework covering workforce risks, supply chain risks, adversarial tampering, and security monitoring, all drawing on NIST SP 800-series requirements and augmenting CMMC. Section 851 codifies the BIOSECURE Act, prohibiting contracts with designated biotechnology companies of concern.
And one provision drew a hard line with no grace period at all: Section 1532 required the exclusion and removal of AI tools developed by DeepSeek and High Flyer from DoD systems and contractor environments within 30 days of enactment. If anyone on your team is using those tools in connection with DoD contract performance, that’s a current violation — not a future compliance deadline.
The trajectory is clear. Cybersecurity compliance is moving toward a single, enforceable standard across the DIB, which means organizations managing bespoke requirements piecemeal need a repeatable, documented process in place before harmonization codifies what “good” looks like.
4. The Acquisition Reform Underneath It All
The FY2026 NDAA was built on a reform agenda — the SPEED Act and the FoRGED Act — designed, in Congress’s own words, to “eliminate regulatory barriers, enhance speed, and scale capacity for our Warfighters.” What emerged from that agenda has real implications for how contractors compete. The shift to “best value” over “lowest overall cost” under Section 812 changes how bids are evaluated. Section 1822 now requires contracting officers to justify using a non-commercial option rather than the reverse. Thresholds for cost and pricing data requirements jumped from $2.5 million to $10 million; Cost Accounting Standards compliance thresholds doubled from $50 million to $100 million. Project Spectrum, established under Section 1807, created a new online platform to help small and medium contractors meet cybersecurity and acquisition readiness requirements.
For supply chain teams, this means more competition, faster procurement cycles, and a government that expects contractors to move as quickly as it now has authority to.
Where Should You Actually Be by Now?
By now, it’s unlikely you’ve crossed every compliance checkbox off your list, but you should have a clear picture of where you stand.
If you’ve done the work, you’ve mapped your direct supplier portfolio for foreign adversary exposure, flagged materials subject to new covered materials restrictions, and engaged your legal and compliance teams on the phased battery and minerals timelines. You’ve audited your cybersecurity posture against CMMC requirements and begun building documentation that will survive scrutiny when harmonization happens in June.
If you haven’t, you’re not alone, but the clock is ticking. The voluntary compliance repository created by Section 836 already allows contractors to register compliant products proactively, and early registrants get ahead of mandatory requirements. Late registrants end up playing catch-up when contract timing matters most.
At Craft, we work with 35 federal agencies and private sector organizations across Aerospace & Defense, financial services, and logistics. The pattern we see consistently is this: the organizations that run into trouble aren’t the ones that lack good intentions; they’re the ones that lack a systematic way to see their supply chain clearly enough to act on it. The surface area is simply too large for human eyes to cover.
5 Things You Can Do Today If You’re Still Behind
1. Run a FOCI exposure scan on your top 250 suppliers. Don’t start with your full portfolio — start where the risk is highest. Your most critical, highest-spend suppliers are exactly the ones procurement teams assume are safe, and exactly the ones that can fly under the radar for years. Foreign ownership, control, and influence is often subtle: shell companies, layered investment structures, quiet acquisitions that never make headlines. A targeted scan of your most critical relationships buys you the most time to act if you find something.
2. Map your materials against the expanded covered materials list. Molybdenum, gallium, and germanium are now on the restricted list under Section 844, joining an already significant set of specialty metals and strategic materials subject to DFARS sourcing restrictions. Walk your bill of materials against the current covered materials regime and identify where your supply chain touches these materials and at what stage. If you find exposure, you want to know now — not when a contracting officer asks.
3. Audit your cybersecurity documentation against CMMC requirements before June 2026. When DoD finalizes the harmonized cybersecurity standard under Section 866, it becomes the benchmark against which your posture is measured. Organizations that have already documented their controls, mapped them to NIST SP 800-series requirements, and established repeatable governance processes will adapt quickly. Those managing compliance informally will have a harder time demonstrating they meet a newly codified standard.
4. Audit every AI tool your team uses against the prohibited entities list. Section 1532 was effective immediately upon signing. If anyone on your team is using DeepSeek or High Flyer AI tools in connection with DoD contract performance, that’s a current violation. Audit your tech stack, document what you find, and issue internal guidance now. This provision has already started to expand, so getting ahead of that process matters.
5. Build a continuous monitoring process, not a one-time audit. This is the most important step, and the one most organizations skip. A supplier that clears a review today can be acquired by a foreign entity tomorrow, develop a cybersecurity vulnerability next month, or show financial stress before your next contract renewal. The FY2026 NDAA was written for a threat environment that doesn’t pause between audits, and your monitoring capability needs to match that reality. Continuous, automated visibility across your supplier portfolio isn’t a nice-to-have anymore — it’s what the legislation assumes you already have.
The organizations that are ahead of this aren’t waiting for their contracting officers to ask hard questions. They already know which 2% of their suppliers need attention — because they built the intelligence infrastructure to find them. That’s the program. Everything else is paperwork.
Craft screens thousands of suppliers each month for federal agencies and private sector organizations across the Defense Industrial Base, using AI-powered risk frameworks built around the specific legislative and functional requirements of each customer. To understand where your supply chain stands against the FY2026 NDAA requirements, request a demo.