FY 2026 NDAA: Domestic Sourcing, Artificial Intelligence, Cybersecurity, and Acquisition Reforms

This client alert provides an overview of key provisions in the Fiscal Year 2026 National Defense Authorization Act (NDAA) affecting government contractors and technology companies through significant acquisition and industrial base reforms. The NDAA includes supply chain and domestic sourcing requirements, expands procurement bans tied to foreign adversaries, and increases investment in cybersecurity, artificial intelligence (AI) capabilities, and critical defense infrastructure. The alert highlights new compliance obligations, timelines, and potential opportunities to support the Department of Defense (DoD).

I. Supply Chain & Domestic Sourcing

The NDAA builds on existing sourcing frameworks to strengthen how the DoD addresses supply chain risk involving China, Russia, and other designated foreign adversaries. The NDAA expands domestic and allied sourcing expectations, introduces targeted measures to improve visibility into compliant supply chains, and adds or sharpens procurement restrictions tied to foreign source risk. Collectively, these changes signal a sustained policy trajectory toward trusted sources, enhanced transparency, and reduced reliance on adversary-controlled inputs.

A. Domestic Sourcing Rules

The NDAA does not fundamentally change the concept of domestic sourcing requirements, but it broadens coverage and adds new tools designed to move supply chains onshore or toward trusted allied sources.

• Plans to eliminate foreign reliance on certain products. NDAA Sections 834 and 835 require DoD to develop and begin implementing strategies to end reliance on specified adversary nations for certain products, including:

1. Optical glass and optical systems, with elimination targeted by January 1, 2030; and
2. Computer displays, with a similar January 1, 2030 target for eliminating reliance on adversary sources.
   
   While these provisions require planning rather than impose immediate bans, they provide clear direction for future procurements and sourcing decisions.

• Acceleration of “compliant source” qualification. NDAA Section 837 directs DoD to implement new processes to speed the qualification of compliant and domestic sources and to improve data sharing related to compliant materials. A dedicated working group will identify and address qualification bottlenecks that have historically slowed the entry of new suppliers.
  
  
• Voluntary compliance repository (by January 1, 2027). NDAA Section 836 requires DoD to establish a public, voluntary repository where offerors may register and attest that their products meet covered sourcing requirements. DoD is required to assess whether this repository could serve as a broader onboarding platform, potentially housing common contractor information such as ownership and corporate structure, country of ownership, Commercial and Government Entity (CAGE) or Data Universal Numbering System (DUNS) numbers, size status and North American Industry Classification System (NAICS) codes, and key compliance certifications. Participation may streamline due diligence and increase visibility across tiers.
  
  
• Seafood under the Berry Amendment framework. NDAA Section 831directs DoD to avoid procuring seafood originating from China, Russia, Iran, or North Korea for dining facilities, ship galleys, and commissaries, subject to narrow operational waivers outside the United States. This is a new, explicit country-of-origin restriction for certain food purchases that were not previously subject to Berry-style limitations.
  
  Contractors should expect more categories of products to be sourced domestically or from trusted countries, with fewer routine waivers over time. Solicitation language and pre-award questions are likely to probe sourcing strategies and domestic alternatives earlier in the procurement process.
  
  In addition, participation in the voluntary compliance repository is likely to increase DoD visibility into subcontractors and lower-tier suppliers. Contractors should be prepared for targeted requests seeking multi-tier supplier identification, ownership information, and sourcing details as part of proposal evaluations and compliance reviews. Early supply chain mapping and documentation will be increasingly important to demonstrate compliance.

B. Broader Procurement Bans Tied to Foreign Adversaries

The NDAA expands and refines several procurement restrictions designed to limit DoD’s exposure to supply chain risks associated with China, Russia, and other foreign adversaries. While restrictions on foreign-sourced products are not new, the NDAA broadens how compliance is assessed by introducing phased prohibitions that turn on ownership, control, processing, and component inputs, not solely on the location of final assembly.

• Advanced Batteries from Foreign Entities of Concern. NDAA Section 842 prohibits DoD from procuring advanced batteries, including the cells and key components used in those batteries, where they are owned by, sourced from, refined in, or produced by a foreign entity of concern. The restriction is on a phased timeline, beginning with new acquisition programs and later expanding to standard batteries and existing programs. Limited exceptions are available for certain commercial off-the-shelf (COTS) products used for office, medical, or other non-tactical purposes, and the statute includes a narrow, time-limited waiver process where mission needs cannot otherwise be met. The rule reaches upstream into the battery supply chain by focusing on foreign ownership and processing of battery components, not merely the location of final assembly.
  
  
• Expanded List of Prohibited Sensitive Materials with a Recycling Pathway. NDAA Section 844 also expands DoD’s restrictions on contracting for certain strategic materials sourced from non-allied nations. With a future effective date, the statute adds molybdenum, gallium, and germanium to the list of restricted “covered materials,” reflecting their importance to defense and advanced manufacturing. Congress included a narrow compliance pathway for recycled materials, subject to strict conditions. To qualify, both the recycling and all subsequent refining and separation must occur in the United States or qualifying allied countries, and the original material inputs must not originate from a covered foreign nation. This pathway is intended to support trusted domestic recycling capacity and does not permit recycling or processing in covered countries. Thus, a contractor should be able to trace not only the origin of covered materials but also where critical recycling and processing steps occur.
  
  
• Additive Manufacturing Equipment (3D Printers). Beginning one year after enactment, NDAA Section 849 restricts DoD from procuring certain additive manufacturing (AM) machines (3D printers), related equipment, and associated services from covered foreign companies or entities domiciled in covered countries. The restriction applies where foreign ownership, control, or involvement falls within the statute’s covered foreign entity criteria. Importantly, the NDAA reflects concern with manufacturing capability, not just finished products. The restriction focuses on who supplies and controls the AM equipment and related services, rather than solely where an end item is produced. As a result, DoD may restrict reliance on adversary-linked manufacturing platforms even where the end product would otherwise meet applicable sourcing requirements. Vendors should assess ownership, governance, and service relationships for equipment providers.
  
  
• Computers and Printers - Phased Restrictions Based on Ownership. NDAA Section 850 establishes a phased restriction on the procurement of computers and printers where the manufacturer, bidder, or offeror is owned or controlled by China. The restriction applies to both direct and indirect sales, including those made through subsidiaries, and includes limited exceptions and phased implementation dates. Compliance is based on who owns or controls the company and not solely on the location of manufacturing or final assembly. In other words, a computer or printer can be built in the United States or an allied country and still be prohibited if the company selling it is owned or controlled by a Chinese parent or affiliated entity. Contractors should conduct enhanced ownership and control diligence for Original Equipment Manufacturers and resellers.

Taken together, these provisions reflect a shift toward examining supply chain issues earlier in the acquisition process, rather than treating them solely as post-award compliance matters. The NDAA broadens the circumstances in which sourcing, supplier origin, and lower-tier involvement are relevant to award and performance decisions, even as contracting officers continue to evaluate compliance based on applicable solicitation requirements. Contractors that can clearly explain and document their sourcing choices when those issues are implicated will be better positioned in future procurements.

II. Increased investment in cyber-related infrastructure and artificial intelligence

A. Cyber operations & command authorities

Title XV, Subtitle A of the NDAA authorizes the Commander of United States Cyber Command (USCYBERCOM) to control and manage the planning, programming, budgeting, and execution of resources of the Cyber Mission Force (CMF). CMF directs, synchronizes, and coordinates cyberspace operations in defense of U.S. national interests. Accordingly, the NDAA requires the Secretary of Defense to assess how to best utilize CMF. This includes:

• Conducting one or more “tabletop exercises” to determine the future employment concepts that would comprise the cyber forces of DoD. Such concepts will evaluate whether to augment the capabilities of CMF or utilize formations outside of CMF. The exercises will assess various operational scenarios, which may include integrating non-cyber tactical units or other off-net cyber operations techniques.
• Ensuring the resiliency of the cyber forces by assigning behavioral health professionals, with the necessary security clearance, to operating locations of USCYBERCOM and CMF.

The Secretary of Defense cannot use funds appropriated under the NDAA to reduce the responsibilities, authorities, or oversight of the Commander of USCYBERCOM. Nor can the Secretary divert, consolidate, or curtail any existing cyber assessment capabilities or National Security Agency (NSA) certified red teams supporting operational testing and evaluation. The Secretary must provide an analytical basis to the appropriate congressional defense committees to deviate from these restrictions.

For government contractors, these provisions may generate opportunities to support USCYBERCOM’s efforts to plan, budget, and develop operational concepts for cyber forces, within CMF or otherwise. Contractors may also provide their expertise and capacity to perform cyber testing and evaluation activities that are aligned with NSA’s certified assessments. USCYBERCOM may also require contractors to provide specialized personnel or services in support of the NDAA’s occupational resiliency initiatives for cyber forces. Offerors should track forthcoming solicitations addressing planning support, exercises, and workforce resiliency.

B. Cybersecurity measures, Artificial Intelligence, and Machine Learning

Subtitles B and D of the NDAA provide for the development of cybersecurity measures, as well as the advancement and security of AI and machine learning (ML). The government contracting industry should be heavily involved in implementing the following NDAA initiatives:

• Section 151 (Telecomm Procurement). DoD senior officials or other employees that perform national security functions will require mobile phones or other telecommunications devices that have “enhanced cybersecurity protections.” These include data encryption, mitigating or obfuscating device identifiers, rotating network identifiers, and continuous mobile phone monitoring. Contractors may be asked to supply secure devices and mobile device management solutions.
  
  
• Section 1512 (Establishment of a DoD cybersecurity policy for AI/ML). The policy must address security threats specific to AI (e.g., model tampering, model jailbreaks, adversarial prompt injection), adopt best practices for the implementation and development of securing AI/ML, create standards for testing and monitoring AI/ML systems against corruption or unauthorized manipulation, and train DoD personnel to identify and mitigate vulnerabilities associated with AI/ML. Contractors should anticipate National Institute of Standards and Technology (NIST)-aligned AI risk management approaches.
  
  
• Section 1513 (Development of a framework to secure AI/ML). The Secretary of Defense must work with private industry and academic institutions to develop a security framework. This framework should set timelines and key milestones for implementing security measures, define the necessary resources and funding, and include metrics to track progress and effectiveness of the framework.
  
  
• Section 1514 (Development of a cybersecurity educational program). The program must have defined curricula and measurable performance metrics. The Secretary of Defense must consult with academic institutions as well as the Directors of the following agencies:

1. NSA
2. Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security
3. NIST
4. Federal Bureau of Investigation (FBI)
5. National Science Foundation (NSF)

• Section 1515 (Cybersecurity training). Cybersecurity training for members of the Armed Forces and DoD civilian employees must address the unique cybersecurity challenges associated with AI.
  
  
• Section 1531 (Computing Roadmap). Reassessment of DoD’s high-performance computing roadmap to ensure that data centers on military installations can manage the additional resource usage from AI. The assessment will consider electricity and water usage, as well as the mitigation of potential adverse effects of the increased resource usage on military installations and in surrounding communities.
  
  
• Section 1532 (Prohibited AI). DoD contractors are prohibited from using “covered artificial intelligence” when performing on DoD contracts. This means that DoD contractors cannot use AI developed by DeepSeek, which is owned by High Flyer (a Chinese company), or by any entity wholly owned, funded, or supported by High Flyer, including entities in which High Flyer holds a direct or indirect stake of 20% or more. Contractors should ensure that it does not use any covered AI used in performing on government contracts. The prohibition also applies to subcontractors. The Secretary of Defense may waive the prohibition on using covered AI but only on a case-by-case basis. Contractors will need to audit its use of any covered AI to ensure that none are used when performing on government contracts.  
  
  
• Section 1533 (AI Model Assessments). DoD must establish a cross-functional team to assess various AI models (including commercial AI models) slated for operational use. Major AI systems are contemplated for deployment on DoD’s business systems. The team will create an evaluation framework and governance structures for developing, assessing, testing, and deploying AI models.
  
  
• Section 1534 (AI Sandbox). On the other end of the deployment spectrum, DoD must establish a task force on AI sandbox environments used for experimentation, testing, and evaluation. The task force must explore how to deploy AI sandbox environments by using existing solutions, technical documents, and repositories for cost efficiency and productivity through enterprise licenses and contracts.

Accordingly, the NDAA is likely to create the following avenues for government contractors to support federal investments in AI and cybersecurity:

• Supply and integration of AI solutions: Provide AI solutions and services to support federal AI and cybersecurity initiatives, whether for major AI systems or experimental AI tested in a sandboxed environment. This may create near-term opportunities for commercial solutions and managed services.
  
  
• Procurement framework development: Help design procurement frameworks for AI/ML and cybersecurity solutions.
  
  
• Security framework and data center assessments: Contribute to creating an AI/ML security framework and perform logistical, environmental, health, and safety assessments for data centers facing increased AI/ML usage.
  
  
• Security engineering and staffing: Advise on AI/ML threat modeling, testing and evaluation, secure model development pipelines, and provide specialized AI/ML security personnel.
  
  
• Secure mobility and communications: Deploy and sustain secure mobile devices, mobile device management, hardened communications applications, and provide related compliance support.
  
  
• Education, training, and program support: Develop curricula, provide instruction, deliver program management, and supply subject-matter experts for cross-agency training on the AI-cybersecurity nexus.

C. Defense of Critical Infrastructure Against Cyber Attacks

NDAA Subtitle E requires DoD to conduct studies on the use of military capabilities to reduce the incentive for adversaries to target defense critical infrastructure. Studies will analyze adversarial capabilities and the investments required to develop potential countermeasures as well as offensive cyber and non-cyber operations. DoD must also conduct a study to develop a reserve component of CMF. The study should include, for example, guidance on training, support infrastructure, and the activation of reserve components and integration into active CMF components.

With these objectives, contracting opportunities may include providing analytic support for threat assessments, wargaming, modeling and simulation, and policy options used to inform the required studies. Indeed, Section 1544 of Subtitle E specifically requires collaboration among local industry and academic partnerships to identify competencies and skills for conducting operations and missions.

In sum, government contractors are likely to be heavily involved at all key phases in the procurement life cycle. This may include developing technical specifications and solicitations, offering AI/ML and cybersecurity solutions and associated services, and supporting DoD’s cyber forces in defending against cyber attacks or fighting adversaries to prevent such attacks.

III. Acquisition & Contracting Reform

The NDAA marks one of the most significant recalibrations of the defense acquisition system in recent years. Rather than adding new layers of procedure to an already complex framework, Congress focused on structural realignment by reorienting acquisition policy towards commercial buying, earlier and faster decision-making, and more consistent transition from concept to production. Two themes are present under Title XVIII: establishing commercial acquisition as the operating model and reforming governance and requirements upstream to enable speed. These changes are intended to improve speed to field while maintaining accountability.

Together, these provisions reorient acquisition policy away from compliance-heavy process requirements and toward contracting approaches that maintain focus on the intended deliverable.

A. Commercial Buying

Congress used the NDAA to move commercial acquisition from policy preference to practical default. Sections 1821 through 1828 directly target longstanding barriers that have made “commercial” acquisitions difficult to execute in practice-even when commercial solutions were available.

First, the NDAA requires the DoD to clarify which statutes and contract clauses apply to commercial products and services, and which are reserved solely for COTS items. This provision is intended to limit the routine expansion of flow downs that historically undermined commercial pricing models and discouraged nontraditional vendors from participating in defense procurements. Clearer clause applicability should reduce transaction costs and improve market access.

Second, Congress elevated the internal standard for rejecting commercial solutions. When a program office determines that a commercial product or service is unavailable, that conclusion must now be documented at the program level and approved by senior acquisition leadership. The effect is a meaningful shift in burden: the Government must now justify why it is buying noncommercial, rather than requiring contractors to establish eligibility for commercial treatment. This change may expand competitive opportunities for commercial vendors.

Third, the NDAA expands and clarifies the role of Commercial Solutions Openings (CSOs). CSOs are no longer treated as niche innovation tools; they are explicitly authorized for commercial products and services and may serve as the front end of a competitive process that leads directly to follow-on production. In the same vein, Congress modernized DoD’s authority for procurement for experimental purposes, aligning statutory language with how agencies already test, demonstrate, and modify commercial capabilities before scaling. Finally, Congress expanded exemptions from certain cost, pricing, and systems requirements for nontraditional defense contractors, reinforcing the policy goal of lowering entry barriers for commercial firms without eroding national security protections. Collectively, these steps should make it easier to field commercial technologies rapidly.

Commercial positioning now carries significance. Proposals that mirror commercial pricing, licensing, and delivery will align more closely with congressional intent than bespoke government-unique constructs. At the same time, traditional defense contractors should expect acquisition officials to scrutinize (and not automatically include) government-unique clauses that have historically been included in contracts by default.

B. Streamlining and Higher Thresholds

The NDAA reflects a shift in congressional approach to acquisition reform. Rather than focusing solely on contract mechanics, Sections 1801 through 1812 emphasize upstream governance and decision-making, while related threshold adjustments elsewhere in the NDAA address compliance burdens that no longer align with risk.

NDAA Section 1801 redefines the statutory objectives of the defense acquisition system, emphasizing speed to field, end-user validation, iterative design, and best-value tradeoffs across cost, schedule, performance, and quantity. This language marks a departure from acquisition structures built around fixed milestones and singular program baselines.

To support that shift, NDAA Section 1802 establishes portfolio acquisition executives, charged with managing capability portfolios rather than individual programs in isolation. This portfolio-based model explicitly authorizes tradeoffs across related efforts and is intended to prevent serial delays caused by program-by-program decision-making. NDAA Section 1805 reinforces this model by strengthening the statutory acquisition strategy framework-requiring earlier, disciplined consideration of issues that have historically delayed or derailed programs when left unresolved. Rather than simplifying strategy development, the provision requires programs to confront key issues early such as sustainment planning, data and software rights, modular open system approaches, incremental delivery, and continuous competition. The practical effect is greater rigor at the front end of acquisition planning, paired with increased flexibility during program execution.

Additionally, Congress decided to ease certain thresholds where compliance costs exceeded marginal value:

• Truthful Cost or Pricing Data (formerly known as the Truth in Negotiations Act) (TINA): The threshold increases to $10 million for contracts awarded after June 30, 2026.
• Cost Accounting Standards (CAS): Full CAS coverage thresholds increase to $100 million within 180 days of enactment, subject to regulatory implementation.
• Major Defense Acquisition Program and Major System thresholds: Dollar thresholds are updated to current-year values, reducing inadvertent elevation of programs into heightened oversight regimes due solely to inflation.

Taken together, these changes reflect a shift toward more targeted oversight. Congress preserved core accountability mechanisms while easing threshold-driven requirements that had increasingly imposed cost and delay without corresponding benefit

C. Incumbent Protests and Payment Withholding

Section 875 directs the DoD to revise the DoD Supplement to the Federal Acquisition Regulation (DFARS) to permit contracting officers to withhold payments from an incumbent during a bid protest filed with the Government Accountability Office (GAO), when the protest results in continued performance through a bridge contract or extension. The statute does not alter protest rights or prescribe specific withholding amounts or outcomes; rather, it creates discretion for DoD to address the economic effects of protests that delay competitive transitions while preserving incumbent revenue. If implemented through regulation, this authority may modestly rebalance the incentives surrounding incumbent‑filed protests, particularly in acquisitions transitioning away from legacy or government‑unique solutions.

The NDAA signals a recalibration of the defense acquisition system. Commercial acquisition is elevated within the statutory framework, and oversight is adjusted to reduce reliance on process volume and legacy thresholds. Title XVIII focuses on commercial alignment and earlier acquisition decisions aimed at improving transitions from capability definition into execution. At the same time, Congress has begun to address the incumbent advantages created by protests that delay competition while maintaining revenue. Although protest rights remain unchanged, the NDAA signals closer scrutiny of efforts to defend legacy or government‑unique solutions without clear program need.

For contractors, this framework places increased emphasis on commercial alignment and execution rather than bespoke compliance approaches. Contractors should review internal policies to align with commercial-first strategies and portfolio-based governance.

IV. Small Business Impact

Notably, the NDAA contains no reauthorization of the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs. Funding for these programs lapsed on October 1, 2025, and the future of these programs is uncertain due to disagreement over the reforms of the programs. However, lessened burdens for non-traditional defense contractors (which includes small businesses) and higher thresholds for TINA and CAS (see Section III.B., supra) have reduced the barrier to entry for small businesses in certain areas.

V. Industrial Base

The NDAA includes several sections designed to strengthen the industrial base. Ultimately, the intention is to reduce U.S. reliance on foreign goods and services. To accomplish this, the NDAA includes:

• Section 867 - Modifications to Defense Industrial Base Fund: This section gives the DoD more flexibility in investing in the defense industrial base in select areas including power sources and advanced manufacturing. DoD can use contracts, other transaction agreements (OTAs), grants, cooperative agreements, incentives, or subsidies to improve the defense industrial base.
  
  
• Sections 1841 - 1847: Section 1841 creates a Civil Reserve Manufacturing Network (CRMN), a government-industry partnership designed to leverage commercial factories for defense material during emergencies or wartime. The Secretary of Defense is responsible for creating a collaborative forum to determine incentives for participation and develop other recommendations for the establishment of CRMN. Section 1843 requires the creation of a working group to identify workforce shortages in various advanced manufacturing career fields and to establish public-private partnerships to provide workforce development activities including recruiting, training, and retaining individuals in advanced manufacturing careers. Section 1844 establishes a collaborative forum to address challenges and limitations to the defense industrial base. Section 1847 requires delivering a report to the Senate by March 1, 2026 identifying policies that incentivize contractors in the defense industrial base to reduce or eliminate surge capacity (defined as the ability of contractors to rapidly increase production capacity to meet increased demand for defense articles and defense services) and identifying any steps taken to address regulatory barriers discouraging contractors from investing or maintaining surge capacity.

Taken together, these sections of the NDAA show a marked focus on improving the defense industrial base and providing for surge capacity in goods and services beyond the current methods of the Defense Production Act. We will closely follow reports coming out of these Sections in the coming months to determine what policies or regulatory changes may be on the horizon for defense contractors. Contractors should monitor implementation for incentives, workforce initiatives, and potential funding vehicles supporting capacity expansion.

Conclusion

The NDAA advances a coordinated agenda across sourcing, cybersecurity, AI, and acquisition reform that will materially affect how contractors position offerings and manage compliance. Companies should expect earlier scrutiny of supply chains, heightened ownership and component-origin diligence, and increased emphasis on commercial alignment in acquisition strategies. At the same time, new studies, task forces, and capability investments create opportunities to support DoD planning, security frameworks, and industrial base expansion. Early preparation through supply chain mapping, policy updates, and governance alignment will help contractors capitalize on opportunities while mitigating compliance risk.