Full Report
The Pentagon added a slew of Chinese companies, including Alibaba Group, Baidu Inc and carmaker BYD, to a list of entities it believes have aided the Chinese military, complicating the fragile diplomatic relationship between Washington and Beijing. The Defense Department published an updated “1260H list” Monday evening stateside — a roster of companies the Pentagon considers affiliated with China’s military or…
Analysis Summary
# Regulation/Compliance: Updated DOD Section 1260H List
## Overview
This requirement stems from Section 1260H of the William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021. It requires the Department of Defense (DoD) to identify and list "Chinese military companies" operating directly or indirectly in the United States. The recent update adds several high-profile Chinese technology and industrial firms to this restrictive roster.
## Key Details
- **Issuing Authority:** U.S. Department of Defense (DoD)
- **Effective Date:** Immediate for listing; June 2026 for direct contracting prohibitions; June 2027 for third-party procurement prohibitions.
- **Jurisdiction:** United States Federal Defense Procurement
- **Status:** In Effect (Updated)
## Requirements
### Mandatory Requirements
1. **Direct Contracting Prohibition:** The DoD is prohibited from entering into direct contracts with any entity identified on the 1260H list.
2. **Indirect Procurement Prohibition:** Prime contractors and subcontractors are prohibited from procuring products or services from listed entities for use in DoD programs.
3. **Disclosure:** Companies bidding on DoD contracts must often disclose or certify that their supply chains do not involve prohibited entities.
### Recommended Practices
1. **Supply Chain Mapping:** Organizations should identify if any components or services from Alibaba, Baidu, or BYD are integrated into their offerings.
2. **Vendor Risk Assessment:** Conduct immediate due diligence on Tier 1 and Tier 2 suppliers to determine exposure to listed entities.
## Affected Organizations
- **Industries:** Defense Industrial Base (DIB), Information Technology, Telecommunications, Automotive, and AI Research.
- **Organization Size:** All sizes (any organization that contracts with the U.S. Department of Defense).
- **Geographic Scope:** Global entities doing business with the U.S. DoD.
## Compliance Timeline
- **June 2026:** Final deadline for the DoD to cease direct contracting with newly added entities (e.g., Alibaba, Baidu, BYD).
- **June 2027:** Deadline for the prohibition of procuring products or services from these entities through third-party intermediaries (the "Supply Chain" deadline).
## Implementation Guidance
### Assessment Phase
- Audit existing contracts to identify any direct relationships with listed Chinese entities.
- Scan Bills of Materials (BOM) for hardware or software dependencies on Alibaba Cloud services, Baidu AI/mapping tools, or BYD battery/vehicle technology.
### Implementation Phase
- Develop a transition plan to migrate away from listed entities' services (e.g., moving data from Alibaba Cloud to a compliant provider).
- Update procurement policies to include the 1260H list in "Restricted Parties" screening.
### Validation Phase
- Implement automated vendor screening tools that flag Section 1260H entities.
- Require "Affidavit of Compliance" from subcontractors regarding their use of restricted Chinese military-linked technology.
## Technical Requirements
- **Cloud Migration:** Removal of workloads from restricted cloud service providers (CSPs).
- **Hardening:** Disabling and replacing firmware or components sourced from listed entities.
- **Data Sovereignty:** Ensuring no DoD-related data is processed or stored by services owned by the listed entities.
## Penalties & Enforcement
- **Fines:** Potential civil and criminal penalties under the False Claims Act if a contractor knowingly misrepresents their supply chain.
- **Other Consequences:** Suspension or debarment from federal contracting; loss of existing contract awards.
- **Enforcement:** Enforced via the Defense Federal Acquisition Regulation Supplement (DFARS) and DoD procurement audits.
## Related Standards
- **NDAA Section 889:** Prohibits use of certain telecommunications and video surveillance equipment.
- **NIST SP 800-161:** Cybersecurity Supply Chain Risk Management (C-SCRM) for Systems and Organizations.
- **CMMC:** The Cybersecurity Maturity Model Certification (Supply chain integrity components).
## Resources
- **Official Documentation:** [defense[.]gov/News/Releases/](https://www.defense.gov/News/Releases/) (Search for 1260H List updates)
- **Guidance Documents:** [acq[.]osd[.]mil/asda/dpc/](https://www.acq.osd.mil/asda/dpc/) (Defense Pricing and Contracting)
## Practical Recommendations
- **Immediate Action:** Review the full "1260H List" update for all newly added subsidiaries, as many companies operate under various brand names.
- **Legal Review:** Consult with counsel specialized in International Traffic in Arms Regulations (ITAR) and DFARS to assess the impact on current multi-year performance contracts.