Codify — Article

Bill bars DoD from sourcing software source code from entities with certain China ties

A targeted prohibition aims to keep software source code away from firms linked to covered foreign entities, reshaping DoD vendor due diligence and AI research relationships.

The Brief

The bill prohibits the Secretary of Defense from entering into, renewing, or extending contracts for software source code with persons that meet any of three China‑related criteria: substantial AI research ties in a covered country, prior access that could enable reverse engineering, or operation of data centers in a covered country (including those run by affiliates or on behalf of the contractor). It includes a national‑security waiver and a three‑year applicability window measured from enactment.

This is a focused supply‑chain and IP control aimed at reducing the risk that adversary states gain the ability to inspect, copy, or reverse‑engineer defense‑related source code. For procurement officials and contractors, the bill creates new screening obligations, raises questions about how to classify corporate relationships and facilities, and pressures multinational firms and cloud providers that host code or run data centers in covered countries.

At a Glance

What It Does

The bill forbids the Defense Department from signing, renewing, or extending contracts for software source code with entities that meet specified connections to a "covered country." It creates three concrete triggering categories (AI research facilities, access enabling reverse engineering, and data centers) and allows the Secretary to grant a waiver for national security reasons.

Who It Affects

DoD program offices, prime contractors and subcontractors that supply or host software source code, multinational technology companies with affiliates or data centers in covered countries, and cloud or colocation providers that host defense code in those jurisdictions.

Why It Matters

It imposes an exclusionary procurement rule tied to national‑security definitions in the FY2024 NDAA, likely forcing broader vendor vetting, contract flow‑down clauses, and corporate restructuring to preserve eligibility. The bill also signals a narrower tolerance for foreign‑connected AI research partnerships in defense work.


What This Bill Actually Does

The bill targets contracts where the Department of Defense takes custody of, or has rights to, software source code. Rather than regulating runtime services or binary deliveries, it focuses on the highest‑sensitivity asset in software procurement: the source code itself.

If a prospective vendor falls into any of the bill’s three categories connecting it to a covered country, the Secretary is barred from entering into, renewing, or extending a source‑code contract with that vendor.

Who counts as a disqualified person is the bill’s practical core. It disqualifies entities that (1) own/operate/significantly fund facilities in a covered country whose primary purpose — as the Secretary determines — is AI research or development; (2) have previously given the covered country access to the same software or source code in a way that could allow reverse engineering; or (3) operate a data center in a covered country with respect to the subject source code, including operations by parents, affiliates, or when the covered country operates the center on the entity’s behalf.

The bill imports the term “covered country” from section 812 of the FY2024 NDAA, connecting this rule to an existing statutory list and its processes. The Secretary can waive the prohibition if doing so is in the national security interests of the United States, centralizing exception decisions at the Defense Department. The prohibition applies only to contracts entered into, renewed, or extended during the three‑year period after enactment.

The statute defines "material interest" as a financial or other interest the Secretary finds significant enough to influence a decision, but it leaves much of the operational definition and the Secretary’s standards to implementing practice. Collectively, these features push acquisition offices to build vendor‑screening procedures, require new contract representations and warranties, and force companies to evaluate how foreign affiliates, hosted services, and prior access affect eligibility.

The Five Things You Need to Know

1. The ban covers entering into, renewing, or extending any contract for the provision of software source code with a disqualified person.

2. The bill disqualifies persons that own/operate AI research facilities in a covered country, allow access that could enable reverse engineering of the same source code, or operate data centers in a covered country (including affiliates or facilities operated on their behalf).

3. The term "covered country" is not defined in the bill itself but is incorporated by reference to section 812 of the National Defense Authorization Act for Fiscal Year 2024.

4. The Secretary of Defense may waive the prohibition if the Secretary determines the waiver is in the national security interests of the United States.

5. The prohibition applies only to contracts entered into, renewed, or extended within three years after enactment; it is not indefinite.

Section-by-Section Breakdown


Section (a)

Prohibition on source‑code contracts

Subsection (a) establishes the operative rule: the Secretary may not enter into, renew, or extend a contract for software source code with any person described in subsection (b). Practically, that places a negative obligation directly on contracting officers and acquisition officials: a covered relationship triggers ineligibility. The provision is narrowly scoped to source‑code deliverables rather than broader software services or licenses.

Section (b)(1)

AI research or development facilities in covered countries

Clause (1) disqualifies entities that own, operate, substantially fund, or have a material interest in a facility located in a covered country if that facility’s primary purpose — as the Secretary determines — is AI research or development. The Secretary’s ability to determine "primary purpose" gives the Department substantial discretion to assess whether an overseas lab or campus creates a disqualifying tie, which will matter for universities, R&D subsidiaries, and joint ventures.

Section (b)(2)

Prior access enabling reverse engineering

Clause (2) bars entities that have allowed a covered country access to the software or its source code where that access could permit reverse engineering. This is an effects‑based trigger: it focuses on whether the prior access created a technical pathway for compromise rather than on ownership alone. Contractors will need to inventory past sharing, licensing, and hosting arrangements to assess whether prior disclosures meet this standard.

Section (b)(3)

Data centers in covered countries, including affiliates and hosted arrangements

Clause (3) treats operation of a data center in a covered country as disqualifying where the center relates to the subject source code. Importantly, it explicitly covers data centers operated by parents, subsidiaries, or affiliates of the bidder, and centers operated on the bidder’s behalf by the covered country itself. That reach means a U.S. parent with a hosted cloud instance or an affiliate data center in a covered country could lose eligibility unless arrangements isolate or prevent access to source code.

Sections (c)–(e)

Waiver, applicability, and definitions

Subsection (c) gives the Secretary authority to waive the prohibition for national‑security reasons; subsection (d) limits the rule to contracts entered, renewed, or extended within three years of enactment; and subsection (e) incorporates the "covered country" definition from the FY2024 NDAA and defines "material interest" as a financial or other interest the Secretary deems significant. Together these clauses centralize key determinations at the Department of Defense while setting a temporary effective window for the prohibition.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • DoD program offices and risk managers — the ban reduces the number of vendors with pathways for foreign reverse engineering and gives acquisition teams a statutory tool to block risky source‑code arrangements.
  • U.S. software vendors without covered‑country ties — they face reduced competition from firms with disqualifying foreign operations and can use the rule as a market differentiator when bidding on source‑code contracts.
  • Security‑minded primes and integrators — firms that already compartmentalize code or maintain dedicated domestic hosting will be advantaged because the bill rewards suppliers who can demonstrate isolation from covered‑country exposure.
  • Policy and compliance teams at defense contractors — they gain clearer statutory grounding to demand representations, warranties, and flow‑down clauses from subcontractors and hosting providers.

Who Bears the Cost

  • Multinational technology firms with affiliates, data centers, or significant R&D ties in covered countries — they may be excluded from source‑code contracts even if their U.S. operations are otherwise compliant.
  • Cloud providers and third‑party hosts operating data centers in covered countries — their hosting arrangements could disqualify customers or force costly re‑hosting and contractual segregation of source code.
  • DoD contracting officers and acquisition support teams — they will need new screening processes, technical assessments, and legal review to implement the prohibition consistently.
  • U.S. subsidiaries of foreign firms that rely on parent or affiliate facilities in covered countries — despite being U.S. entities, they may be disqualified because of corporate ties or hosted infrastructure.

Key Issues

The Core Tension

The bill balances two legitimate goals that pull in opposite directions: preventing adversaries from obtaining or reproducing sensitive source code versus keeping a sufficiently broad, capable vendor pool to support defense software development. Tight exclusions improve security but shrink options and may penalize U.S. businesses with global footprints; leaving discretion to the Secretary preserves flexibility but introduces regulatory uncertainty contractors must navigate.

The text leaves several high‑stakes judgments to the Secretary of Defense without prescribing standards. "Primary purpose" of a facility and what constitutes a "material interest" are both delegated determinations; implementing guidance will determine whether a given R&D lab or minority investment triggers disqualification. That delegation accelerates deployment but creates uncertainty for firms trying to predict eligibility.

Operationally, the bill’s effects will hinge on implementation discipline. The reverse‑engineering trigger is technically sensible but fact‑intensive; tracing whether past access "could allow" reverse engineering will require forensic review and potentially proprietary technical assessments.

The inclusion of affiliates and on‑behalf data centers broadens scope but also risks excluding U.S. entities because of distant corporate relationships. Finally, the lack of procedural guardrails for the waiver raises questions about transparency and predictability: centralized waivers enable necessary exceptions but also concentrate discretion that commercial actors must manage.
