Why a clean name-match screen is no longer enough, and why the diligence meant to find hidden China exposure can create risk on the other side of the Pacific.

Picture the boardwalk version of supply-chain compliance. It’s August. Fingers are that odd combination of french fry-greasy and ice cream-sticky The arcade is humming. Someone hands you the mallet. The first mole pops up with a familiar name: Huawei. Easy. Then SMIC. Fine. Then a listed Chinese military company. Also easy. You swing, you hit the obvious targets, and for a moment the game looks like it’s under control.

Then the real game starts.

An affiliate pops up under a different name. A covered chip appears four tiers down on the bill of materials (BOM). An “Assembled in Vietnam” label peeks out from behind a Chinese foundry. A commodity laptop turns out to contain memory nobody thought to diligence. A lobbyist retained by a parent-company consultant suddenly matters. And just when you reach for a bigger mallet, China-side countermeasures pop up too, because the act of mapping the supply chain may create its own risk if the request touches sensitive information, is framed as implementing a foreign restriction, or collides with Chinese law.

That is the 2026 China supply-chain compliance landscape. The problem isn’t just that more moles are popping up; it also is that they are popping up from different boards, under different rules, and sometimes from the other side of the arcade.

The three games now running at once

Section 1260H, the Chinese Military Companies list.

The list created under Section 1260H of the FY2021 National Defense Authorization Act (NDAA) is an identification mechanism. Standing alone, it doesn’t impose a procurement prohibition. The teeth come from later legislation.

Effective June 30, 2026, Section 805 of the FY2024 NDAA bars the Department of Defense (DoD) from entering into, renewing, or extending contracts with entities on the 1260H list and entities subject to their control. A separate goods-and-services prohibition takes effect June 30, 2027, and bars the DoD from procuring goods or services that include those produced or developed by listed entities or entities subject to their control, including when sourced indirectly through third parties. That prohibition includes important exceptions, among them an exception for components supplied as part of an end item or another component.

Section 851 of the FY2025 NDAA adds a separate June 30, 2026 readiness issue involving covered lobbyists. It is generally understood as restricting DoD contracting with companies or those whose parent or subsidiary contract with lobbyists for 1260H companies. Commentators have flagged drafting ambiguity, so contractors should watch for implementing guidance. But the practical takeaway is clear: defense contractors should make and document reasonable inquiries about relevant lobbying relationships.

Section 1346 of the FY2025 NDAA also adds a mechanism for the DoD to identify entities based on ownership and control relationships. That doesn’t mean every affiliate is automatically listed the moment ownership exists. It means ownership and control are now central to how future 1260H determinations may be made and justified.

Section 5949, Chinese semiconductors.

On or after December 23, 2027, Section 5949 of the FY2023 NDAA will prohibit federal agencies from procuring or obtaining covered semiconductor products or services, or electronic products or services that include covered semiconductor products or services, subject to statutory exceptions and implementing rules.

The named Chinese semiconductor companies are SMIC, CXMT, and YMTC together with their subsidiaries, affiliates, and successors. The Federal Acquisition Regulation (FAR) Council published a proposed rule on February 17, 2026. The comment period closed April 20, 2026. As of June 3, 2026, the FAR rule isn’t final.

That matters. The statutory effective date and covered-company framework are settled. The final FAR mechanics, certifications, reporting timelines, and treatment of some acquisition categories may still shift. But contractors shouldn’t treat Section 5949 as a niche chipmaker problem.

China’s Decrees 834 and 835.

China’s State Council has also moved. Decree No. 834—the industrial and supply-chain security regulation—and Decree No. 835—the regulation addressing improper foreign extraterritorial jurisdiction—were issued in spring 2026 and took effect immediately.

The decrees elevate tools China has been building for years, including blocking-rule concepts, counter-sanctions measures, and mechanisms aimed at foreign measures China views as improper extraterritorial jurisdiction. They shouldn’t be described as a blanket ban on ordinary supply-chain diligence. They are better understood as creating a higher-risk environment for certain diligence, especially where information is collected in China in violation of Chinese laws or rules, where sensitive industrial or supply-chain data is involved, or where the request can be characterized as assisting a foreign measure China has identified as improper.

And the framework isn’t theoretical. In May 2026, China’s Ministry of Justice, together with the Ministry of Commerce and other authorities, determined that the EU’s cross-border information demands in the Nuctech foreign-subsidies investigation constituted improper extraterritorial jurisdiction, and it ordered that the identified measures not be implemented or assisted. That was an EU fact pattern, not a U.S. contractor BOM request. But it shows the mechanism is live and has teeth.

The common mistake is treating these as list-screening problems, when they are really ownership, traceability, and jurisdiction-conflict problems. In other words, this isn’t one boardwalk game—it’s three games running at once.

Mole #1: “It’s an affiliate, not the listed entity.”

The first miss happens when companies treat restricted-party lists as lists of names rather than maps of corporate families.

Both the 1260H framework and Section 5949 require attention to ownership, control, subsidiaries, affiliates, and successors, though they do so in different ways. A foundry can spin a product line into a differently named joint venture. A listed or covered company can sit above or beside the entity that appears in the procurement file. A screen that looks only for “SMIC” or only for the exact 1260H list entry can sail right past the issue.

For international companies and primes with foreign sub-tiers, restricted-party screening has to follow beneficial ownership and control, not just trade names.

Mole #2: “It’s a sub-tier supplier, not my direct supplier.”

The June 2026 1260H contracting prohibition is the one most teams are preparing for. The harder operational issue comes later, with the June 2027 1260H goods-and-services prohibition and the December 2027 Section 5949 semiconductor prohibition. Those rules force contractors to look beyond the top tier, but they don’t do so in identical ways.

For 1260H, the June 2027 goods-and-services prohibition includes an important component exception. A component made by a 1260H entity and incorporated into a higher-level end item isn’t necessarily within the 1260H prohibition by virtue of that fact alone.

Section 5949 is different. It is aimed at covered semiconductor products and services, and at electronic products and services that include or use them. So if the hidden item is a covered semiconductor, Section 5949 may be the more important hook.

The right question isn’t simply “How far down the BOM does 1260H go?” The better question is “Which rule is doing the work?”

Mole #3: “It’s assembled in Mexico, Vietnam, or Malaysia, so it’s not Chinese.”

Final assembly is the boardwalk prize label of supply-chain compliance. It looks official. It feels reassuring. It may not answer the question.

None of these regimes can be cleared simply by pointing to final assembly in a third country. A server assembled in Malaysia may still include a covered semiconductor. A module assembled in Mexico may still raise ownership or control questions if the relevant entity sits under a restricted corporate family. Country-of-origin labels and substantial-transformation analyses may matter for Customs, but they don’t by themselves answer the questions these statutes ask.

Mole #4: “It’s a commercial commodity, surely COTS products are exempt.”

This is where the Section 5949 proposed rule really starts throwing sand in the gears. The proposed rule would apply broadly to electronic products and services provided to the government, including acquisitions of commercial products and commercial IT and telecommunications services. The FAR Council also stated that Section 5949 doesn’t exempt micro-purchases and that the Council intends to apply the rule to acquisitions at or below the simplified acquisition threshold. The proposed rule also indicates that the Council doesn’t intend to exempt commercial products or commercial IT and telecommunications services.

That means contractors should not assume ordinary catalog items are outside the frame. Memory and storage are the classic trap. NAND and DRAM from covered Chinese makers can appear in laptops, solid-state drives (SSDs), servers, networking gear, and Internet of Things (IoT) devices that a contractor buys from a catalog and never thinks of as “semiconductors.”

“I don’t make chips, so 5949 isn’t my problem” is exactly the kind of sentence that becomes a finding.

Mole #5: “It’s just our outside consultant.”

Section 851 is the boardwalk side game nobody noticed until it started taking quarters.

It isn’t about what the contractor buys. It’s about relationships with covered lobbyists. The provision is generally understood to create a June 30, 2026 prohibition affecting DoD contractors or their parents or subsidiaries that contract with an entity engaged in lobbying activities for a 1260H company. Because commentators have flagged drafting ambiguity, contractors should be careful in describing the precise legal mechanics until the DoD issues implementing guidance.

The practical step, however, is not ambiguous. Contractors should ask and document whether relevant outside lobbyists, lobbying firms, law firms, consultants, and similar service providers lobby for companies on the 1260H list. That inquiry should cover not only the contractor but also relevant parent and subsidiary relationships.

The bonus round nobody budgeted for: the map itself may be risky

Here is where the game just gets weird. To prepare for 1260H and Section 5949, contractors may need to map suppliers, collect BOMs, trace components, and document the absence of restricted or covered content. That is ordinary compliance work. But when the data sits in China, the request needs more care. Article 13 of Decree 834 does not make every supply-chain survey unlawful, but it does create risk around supply-chain information gathering that violates Chinese laws or rules, especially where sensitive industrial data or foreign sanctions-related diligence is involved.

So a routine BOM request is not automatically prohibited. But if it is sent into China to support a U.S. certification, seeks sensitive supply-chain information, or is framed as helping implement a foreign restriction against China, it may move into higher-risk territory.

Decree 835 adds another layer by allowing China to identify foreign measures it views as improper extraterritorial jurisdiction and restrict implementation of or assistance with those measures. The Nuctech action does not prove ordinary U.S. contractor diligence will be treated the same way, but it shows the mechanism is live.

The practical point is narrow but important: China-facing supply-chain mapping should be structured deliberately, reviewed locally where needed, and documented without gratuitously describing the work as helping implement foreign sanctions or discriminatory measures.

How to play without just swinging harder

The answer is not a bigger mallet, it’s a better game plan.

• Screen beyond names: Re-baseline restricted-party screening to capture ownership, control, subsidiaries, affiliates, and successors where the relevant regime makes those relationships material. Require vendors to identify beneficial owners, parent companies, controlled subsidiaries, manufacturing affiliates, and relevant successors, and refresh that information on a defined schedule.
• Separate the regimes: Build the review around the rule doing the work. For 1260H, focus on listed entities, entities subject to their control, end items, services, and the component exception. For Section 5949, focus on covered semiconductors and electronic products or services that include or use them. Do not collapse the two into one generic “China component” rule.
• Push diligence down, and paper it: Use supplier representations and flow-downs that reach relevant sub-tiers. Ask for the specific information the rule requires, preserve the request and the response, track non-responses and red flags, and document why the company accepted, rejected, or escalated the supplier’s answer.
• Treat commodity hardware as potentially in scope: Inventory the COTS products, commercial IT, networking equipment, storage, and memory products you resell, integrate, or provide to federal customers. Prioritize laptops, servers, SSDs, networking equipment, IoT devices, and other products likely to contain NAND, DRAM, or covered semiconductor content.
• Run jurisdiction-sensitive diligence: Where data must come from China, structure the request carefully. Decide who should ask, what data is actually needed, whether the local supplier should collect it under its own obligations, whether China counsel should review the request, and whether Chinese data, national-security, trade, or counter-sanctions rules are implicated.
• Sequence and document deliberately: Treat mapping, notice, supplier exit, substitution, and certification as separate steps. Capture the business and compliance rationale in real time and avoid gratuitous language suggesting the company is implementing sanctions or discriminatory measures against China when more accurate language is available.
• Do not forget the lobbyist screen: Add the Section 851 inquiry to the June 2026 readiness checklist. Identify relevant lobbying firms, law firms, consultants, trade associations, and government-affairs vendors used by the contractor, parent, and subsidiaries, and document the reasonable inquiry.

What is nailed down, and what is still popping up

Some parts of the game board are fixed. The 1260H contracting prohibition takes effect June 30, 2026. The 1260H goods-and-services prohibition takes effect June 30, 2027, with an important component exception. Section 5949’s statutory framework covers SMIC, CXMT, YMTC, and their subsidiaries, affiliates, and successors, with the relevant prohibition taking effect on or after December 23, 2027. The FAR Council published the Section 5949 proposed rule on February 17, 2026, and the comment period closed April 20, 2026. China’s Decrees 834 and 835 are in force, and China has already invoked the improper-extraterritorial-jurisdiction framework in the Nuctech matter.

But not every mole is fully visible yet. The Section 5949 FAR rule is still proposed. The DoD’s implementing guidance for the 1260H and Section 851 prohibitions remains important. And the China-side rules are still developing in practice, especially when ordinary commercial diligence begins to look like assistance with a foreign measure China considers improper.

That is why the right posture is not panic, and it is not complacency. The dates are close enough to plan against. The rules are clear enough to start mapping. But the board is still moving. The companies that do best will not be the ones swinging hardest. They will be the ones watching the whole board.