When the U.S. National Defense Authorization Act (NDAA) for Fiscal Year 2020 was signed into law in December 2019, the broader public attention largely fell on its topline budget allocations and headline procurement programs. Yet beneath these more conspicuous elements, the legislation embedded provisions that arguably carried equal—if not greater—long-term significance for federal contractors. Among these, Section 889’s restrictions on certain telecommunications vendors stood out, as did the range of new measures aimed at tightening the security of supply chains serving the national defense apparatus.
By mid-2020, contractors had begun grappling with the practical implications of these requirements. Section 889, in particular, introduced prohibitions on the use of covered telecommunications equipment or services from specified Chinese entities, including well-known firms like Huawei and ZTE. On paper, this seemed straightforward enough. But in reality, the task of mapping complex supply chains to ensure full compliance proved anything but. Many contractors found themselves revisiting supplier relationships that had gone unquestioned for years, if not decades, in an effort to identify possible exposure to restricted vendors.
One of the primary tools available to contractors in this effort was the open vendor exclusion list maintained by the General Services Administration (GSA). This list, updated regularly and made accessible through the GSA’s online portal, served as a reference point for firms looking to validate the status of their suppliers. Using this resource, contractors could cross-check their vendor master files, flagging any entities that appeared on the exclusion list for further scrutiny or outright removal. Some contractors chose to integrate automated queries against the GSA list into their supplier onboarding processes, while others undertook more periodic, manual reviews. The aim, in either case, was to catch non-compliant suppliers before their presence in the supply chain translated into a regulatory breach.
The process of supplier validation, however, was rarely neat. Questions frequently arose regarding subsidiaries, joint ventures, and other forms of indirect involvement that weren’t always clearly captured in vendor records. What if a supplier, for instance, sourced components from a covered telecom entity without disclosing this to the prime contractor? Could the contractor reasonably be held accountable for that? The NDAA provisions placed the burden on contractors to make good-faith efforts at due diligence, but exactly where the boundary of responsibility lay often felt ambiguous. Some contractors responded by implementing tiered verification protocols—conducting deeper checks on higher-risk suppliers or those operating in sensitive sectors such as electronics and communications.
The administrative side of compliance also came into sharper focus. To satisfy federal contracting officers that Section 889 obligations were being met, contractors were advised to prepare quarterly affidavits or certifications attesting to their compliance status. These affidavits typically included statements confirming that the contractor had reviewed its supply chain, identified any covered equipment or services, and taken appropriate steps to eliminate their use where required. There was, it should be said, no universal format for these affidavits. Different agencies and contracting officers had varying preferences, and templates circulated within industry circles reflected a range of stylistic and substantive approaches.
Nonetheless, certain core elements tended to feature in most affidavits. These included identification of the contractor and relevant contract numbers, a declaration of compliance (or disclosure of any known exceptions), a description of the diligence process undertaken, and a signature attesting to the truthfulness of the statement. Many contractors found it prudent to append supporting documentation—such as supplier audit logs or screenshots from the GSA exclusion portal—as a means of reinforcing the credibility of their attestations. There was, after all, a growing awareness that these affidavits might later be scrutinized in the event of a compliance investigation.
Interestingly, the process of drafting these affidavits often revealed gaps in contractors’ own internal controls. Firms discovered instances where supplier records were incomplete, outdated, or inconsistent across business units. The need to produce quarterly certifications forced many to undertake broader data hygiene exercises, cleaning up vendor master files and standardizing processes for supplier onboarding and review. In some cases, this led to the adoption of new enterprise resource planning (ERP) modules or third-party compliance tools designed to streamline and document supply chain checks.
At the same time, the implementation of NDAA supply chain measures highlighted tensions that were not easily resolved. For example, smaller contractors, with limited administrative resources, sometimes struggled to meet the documentation standards expected of larger prime contractors. There were also concerns about how these requirements might impact supply chain diversity. Some suppliers, particularly smaller or foreign-owned firms, found the new compliance expectations daunting, leading them to withdraw from federal supply chains altogether. Whether this was an unintended side effect or an implicit feature of the policy—designed to winnow out less transparent entities—was a matter of some debate.
Then there were the inevitable grey areas. A contractor might diligently exclude covered telecommunications equipment from its own operations, only to discover that a subcontractor several tiers down had inadvertently introduced such equipment into the supply chain. How to balance regulatory compliance with operational practicality remained an open question. And while contracting officers could provide guidance, much of the responsibility for navigating these complexities ultimately rested with the contractors themselves.
By late 2020, it was clear that NDAA supply chain security measures had not only added a new layer of compliance work but had also reshaped how contractors approached supplier relationships. The integration of GSA’s open vendor blacklist, the drafting of quarterly Section 889 affidavits, and the broader emphasis on transparency collectively signaled a shift in the defense procurement ecosystem. Supply chain security, once perhaps a secondary concern, had moved squarely into the foreground of federal contracting practice.