The National Defense Authorization Act (NDAA) has become one of the most consequential legislative frameworks shaping technology procurement for defense programs. While Section 889 of the FY2019 NDAA addressed specific telecommunications equipment prohibitions, Section 5949 of the FY2023 NDAA extends the prohibition framework to semiconductor components and associated cloud infrastructure — with compliance implications for virtually every defense IT program using cloud services.
Understanding what Section 5949 restricts, how compliance is verified, and what it means for cloud subcontractors is critical for any organization delivering technology to DoD programs.
What Section 5949 Covers
Section 5949 of the FY2023 NDAA (James M. Inhofe National Defense Authorization Act for Fiscal Year 2023) restricts the use of semiconductor components from certain foreign entities of concern in national security systems. The provision:
- Applies to: Procurement by federal executive agencies; this page focuses on systems operated by or for the Department of Defense
- Restricts: Semiconductor products and services from named foreign entities of concern. The statute names SMIC, YMTC and CXMT together with their subsidiaries and affiliates, and allows further entities tied to a foreign country of concern to be added
- Effective timeline: Phased implementation. Reporting requirements began in 2023; the statutory prohibition takes effect in December 2027, five years after enactment, with implementing rules and program milestones phasing in before then
The specific covered entities and technology categories are defined in the statute and refined through FAR/DFARS rulemaking (CMMC is a cybersecurity certification program, not the vehicle for these prohibitions). Programs should reference current acquisition.gov guidance for the authoritative list.
Why This Matters for Cloud Programs
Cloud infrastructure involves semiconductor components at multiple layers:
- Server CPUs and GPUs (compute hardware)
- Network switching and routing hardware
- Storage controllers
- Smart NICs and FPGA accelerators
- Security chips and TPMs
Cloud service providers (CSPs) operating in the U.S. government market have responded by providing documentation of their hardware supply chains for national security system deployments. AWS GovCloud, Azure Government, and Google Government Cloud each maintain supply chain transparency documentation for DoD customers.
For cloud engineering contractors: The practical compliance question is whether the cloud services being used in program delivery are themselves compliant with Section 5949's hardware restrictions, and whether the program's technology stack includes any direct procurements of hardware or software that could trigger the prohibition.
Compliance Requirements by System Category
Section 5949's applicability varies by system classification:
| System Category | Compliance Timeline | Key Requirement |
|---|---|---|
| National Security Systems (NSS) | FY2025 reporting + phased prohibition | Most restrictive; CSP hardware attestation required |
| Critical infrastructure systems | FY2026 | Compliance assessment and mitigation plan |
| General defense IT | FY2027 | Reporting and assessment |
Programs should work with their Contracting Officer (CO) and Program Manager (PM) to determine their system's classification and applicable timeline. The statutory prohibition itself takes effect in December 2027 (five years after enactment); treat the earlier milestones above as planning targets to confirm against current FAR/DFARS guidance rather than as statutory deadlines. The classification analysis is documented in the System Security Plan (SSP) and Program Protection Plan (PPP).
Cloud Service Provider Attestations
AWS, Microsoft, and Google have published documentation relevant to Section 5949 compliance for their government cloud offerings:
AWS GovCloud (US-West and US-East): AWS provides hardware supply chain transparency documentation for classified programs through dedicated government channels. For FedRAMP High and DoD IL5 deployments, the physical infrastructure is operated by US persons and located in US-based data centers with supply chain controls. AWS participates in the DoD Cloud Computing Security Requirements Guide (SRG) authorization process.
Azure Government: Microsoft's Azure Government infrastructure documentation addresses supply chain requirements for DoD programs through dedicated program protection documentation available to government customers.
Selection guidance: For programs with Section 5949 compliance obligations, use the CSP's government-specific offerings (GovCloud/Azure Government/Google Government Cloud) rather than commercial regions. These offerings have the supply chain controls and documentation packages that commercial regions lack.
Contractor Supply Chain Compliance Obligations
Defense IT contractors — including cloud engineering subcontractors — have specific obligations:
Hardware Procurement
Contractors who procure hardware for program delivery (servers, networking equipment, development workstations) must:
- Review the Section 889 covered list for telecommunications equipment restrictions (the predecessor prohibition)
- Monitor DFARS updates for Section 5949 implementing regulations
- Maintain procurement records demonstrating that hardware doesn't include prohibited components
- Flow down applicable clauses to subcontractors and suppliers
Software Supply Chain
The prohibition extends beyond bare hardware to electronic products and services that include covered semiconductor products, which in practice means firmware, drivers and SDKs shipped alongside that hardware. This creates software supply chain visibility requirements:
```python
# SBOM analysis for prohibited vendor identification
# Part of supply chain compliance verification
PROHIBITED_VENDOR_INDICATORS = [
    # Illustrative only. These are the Section 889 entities; the Section 5949
    # statute names semiconductor makers (SMIC, YMTC, CXMT and affiliates), and
    # the authoritative list comes from the statute plus FAR/DFARS guidance.
    "huawei",
    "zte",
    "hytera",
    "hikvision",  # supplier strings read "Hangzhou Hikvision ...", so match the bare name
    "dahua",
]


def check_sbom_for_compliance(sbom_data: dict) -> list[dict]:
    """
    Scan SPDX-style SBOM packages for potential prohibited vendor indicators.
    Matching is deliberately broad (substring on supplier and download URL);
    hits are routed for human review, not auto-blocked.
    Returns list of components requiring further review.
    """
    flagged_components = []
    for package in sbom_data.get("packages", []):
        supplier = (package.get("supplier") or "").lower()
        origin_url = (package.get("downloadLocation") or "").lower()
        for indicator in PROHIBITED_VENDOR_INDICATORS:
            if indicator in supplier or indicator in origin_url:
                flagged_components.append({
                    "packageName": package.get("name"),
                    "version": package.get("versionInfo"),
                    "supplier": package.get("supplier"),
                    "indicator": indicator,
                    "review_required": True,
                })
    return flagged_components
```

This SBOM analysis is integrated into Rutagon's CI/CD pipeline: every build checks dependencies against the compliance indicator list and flags any matches for security engineer review.
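An added example that extends the check above (this is not Rutagon's pipeline code): it accepts either SPDX or CycloneDX JSON, also screens package URLs (purl) and originator/publisher fields, matches indicators as whole tokens so that "zte" does not flag an unrelated supplier such as "Blitzte Labs", and returns a CI exit code. The sample SBOMs and every supplier name in them are constructed for the example; the indicator list is illustrative and not the authoritative covered-entity list.

```python
"""Screen an SBOM (SPDX or CycloneDX JSON) for packages attributed to
suppliers on a prohibited-vendor indicator list.

Added example, not Rutagon's pipeline code. The indicator list is
illustrative; the authoritative list comes from the statute and its FAR/DFARS
implementing guidance and also reaches subsidiaries and affiliates.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from urllib.parse import unquote

PROHIBITED_VENDOR_INDICATORS = (
    "smic", "ymtc", "cxmt",        # entities named in Section 5949
    "huawei", "zte", "hytera",     # Section 889 entities, still in force
    "hikvision", "dahua",
)

TOKEN_RE = re.compile(r"[a-z0-9]+")


def _tokens(text: str) -> set[str]:
    """Whole-token matching: 'zte' must not flag 'Blitzte Labs'. Percent-encoded
    purls such as pkg:npm/%40vendor/pkg are decoded first so the scope shows up."""
    return set(TOKEN_RE.findall(unquote(text).lower()))


@dataclass(frozen=True)
class Finding:
    sbom_format: str
    name: str
    version: str
    field: str      # which SBOM field carried the indicator
    indicator: str


def _spdx_fields(pkg: dict) -> dict[str, str]:
    fields = {k: pkg.get(k) or "" for k in ("supplier", "originator", "downloadLocation")}
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            fields["purl"] = ref.get("referenceLocator") or ""
    return fields


def _cyclonedx_fields(comp: dict) -> dict[str, str]:
    fields = {
        "publisher": comp.get("publisher") or "",
        "supplier": (comp.get("supplier") or {}).get("name") or "",
        "purl": comp.get("purl") or "",
    }
    for i, ref in enumerate(comp.get("externalReferences", [])):
        fields[f"externalReferences[{i}]"] = ref.get("url") or ""
    return fields


def detect_format(sbom: dict) -> str:
    if "spdxVersion" in sbom:
        return "spdx"
    if sbom.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    raise ValueError("unrecognized SBOM format")


def screen_sbom(sbom: dict) -> list[Finding]:
    """Return one Finding per (component, field, indicator) hit, in SBOM order."""
    fmt = detect_format(sbom)
    if fmt == "spdx":
        items = [(p.get("name", ""), p.get("versionInfo", ""), _spdx_fields(p))
                 for p in sbom.get("packages", [])]
    else:
        items = [(c.get("name", ""), c.get("version", ""), _cyclonedx_fields(c))
                 for c in sbom.get("components", [])]
    findings: list[Finding] = []
    for name, version, fields in items:
        for field, value in fields.items():
            for indicator in sorted(_tokens(value) & set(PROHIBITED_VENDOR_INDICATORS)):
                findings.append(Finding(fmt, name, version, field, indicator))
    return findings


def ci_exit_code(findings: list[Finding]) -> int:
    """Non-zero fails the build; the pipeline then routes the findings for review."""
    return 1 if findings else 0


# Constructed sample SBOMs (as parsed from JSON), not real project output.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.2.0",
         "supplier": "Organization: Blitzte Labs",          # must NOT match "zte"
         "downloadLocation": "https://example.com/libfoo"},
        {"name": "nand-fw", "versionInfo": "4.1",
         "supplier": "Organization: YMTC", "downloadLocation": "NOASSERTION"},
        {"name": "ipc-sdk", "versionInfo": "3.2.1", "supplier": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/%40hikvision/ipc-sdk@3.2.1"}]},
    ],
}
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "nvr-client", "version": "2.0", "supplier": {"name": "Dahua Technology Co., Ltd."}},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

if __name__ == "__main__":
    for sbom in (SPDX_SAMPLE, CYCLONEDX_SAMPLE):
        for f in screen_sbom(sbom):
            print(json.dumps(f.__dict__))
    raise SystemExit(ci_exit_code(screen_sbom(SPDX_SAMPLE)))
```

The token match trades some recall for precision: a supplier string that embeds an indicator inside another word is not flagged, so the review queue stays actionable, while the purl scope and publisher fields catch vendors that an SPDX supplier-only check would miss.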
Flow-Down to Subcontractors
Prime contractors are responsible for ensuring their subcontractors comply with applicable NDAA provisions. Cloud engineering subs (like Rutagon) should:
- Maintain a hardware procurement policy aligned with prohibition requirements
- Provide hardware supply chain attestation to primes on request
- Include compliant-hardware requirements in their own supplier agreements
- Maintain SBOM documentation for software deliverables
Compliance Documentation Package
Programs with Section 5949 obligations should maintain:
- System classification determination — NSS vs. critical infrastructure vs. general defense IT
- CSP selection rationale — why the chosen cloud service meets prohibition requirements
- Hardware procurement records — documentation that contractor-procured hardware excludes prohibited components
- SBOM records — software bill of materials for delivered applications, in SPDX or CycloneDX format and generated by the build pipeline (SLSA provenance attestations complement the SBOM but do not replace it)
- Supplier attestations — hardware supply chain attestations from sub-tier suppliers
- Annual reviews — periodic re-review as the prohibited entity list evolves
This documentation package should be maintained in the program's document management system and referenced in the SSP supply chain risk management section.
Practical Guidance for Cloud Engineering Subs
For cloud engineering subcontractors delivering to DoD programs, Section 5949 practical compliance involves:
- Use GovCloud regions exclusively — AWS GovCloud, Azure Government, or Google Government Cloud for all program work
- Don't procure prohibited hardware — maintain a procurement policy with explicit exclusions
- Generate SBOMs for deliverables — provide software supply chain visibility to primes
- Answer supply chain questionnaires promptly — primes are asking because they're required to; a well-prepared sub provides documentation quickly
- Stay current on guidance — Section 5949 implementing regulations are still evolving; subscribe to DFARS rule tracking through acquisition.gov
Rutagon maintains compliance documentation aligned with current NDAA provisions as a standard element of subcontract delivery, making prime supply chain verification straightforward.
Discuss supply chain compliance requirements →
Frequently Asked Questions
Is Section 5949 the same as Section 889?
No — they're separate NDAA provisions. Section 889 (FY2019 NDAA) prohibits specific telecommunications and video surveillance equipment/services from named entities (Huawei, ZTE, Hytera, Hikvision, Dahua) for any federal procurement. Section 5949 (FY2023 NDAA) extends prohibition concepts to semiconductor components in national security systems. Programs must comply with both — Section 889 is already in full enforcement while Section 5949 is in phased implementation.
Does Section 5949 affect commercial cloud services hosted in the US?
It depends on the cloud service and program classification. Commercial cloud regions (AWS us-east-1, Azure East US, etc.) don't maintain the hardware supply chain documentation that government regions do. For programs classified as National Security Systems, using government-specific cloud regions with documented supply chain controls is the defensible compliance posture. Consult your CO and legal counsel for program-specific determinations.
How does a cloud engineering sub demonstrate Section 5949 compliance to a prime?
The standard package includes: hardware procurement policy documenting prohibited vendor exclusions, hardware purchase records for contractor-owned equipment (development systems, lab hardware), SBOM documentation for software deliverables, and CSP selection documentation showing government cloud regions were used. Primes typically request this through their CMMC/supply chain questionnaire process.
Are SBOM requirements directly tied to Section 5949?
SBOM requirements for federal software come from multiple sources: Executive Order 14028 (Cybersecurity EO) directs agencies to obtain SBOMs from software suppliers (operationalized through OMB M-22-18), NIST SP 800-161 recommends supply chain visibility tools including SBOMs, and Section 5949 compliance benefits from SBOM analysis to identify software with potential prohibited vendor dependencies. They're complementary requirements rather than directly linked.
When does full Section 5949 prohibition take effect?
Section 5949 has a phased implementation timeline. National Security System reporting requirements began in FY2023-2024, and the statutory procurement prohibition takes effect in December 2027, five years after enactment. The exact dates for each system category and prohibition type are specified in the statute and implementing regulations. Program offices should work with their CO to determine the specific compliance dates applicable to their program.