NDAA Section 1709 China-Origin Controls

Regulatory Context: The Layered China-Controls Regime

Section 1709 of the NDAA for FY2024 prohibits the Department of Defense from procuring or using covered semiconductors designed, produced, or provided by Semiconductor Manufacturing International Corporation (SMIC), ChangXin Memory Technologies (CXMT), Yangtze Memory Technologies (YMTC), or any subsidiary, affiliate, or successor — and any other entity that the Secretary of Defense, in consultation with the Director of National Intelligence and the Director of the FBI, reasonably believes to be owned, controlled by, or otherwise connected to the government of the PRC. The prohibition phases in over a multi-year window beginning in 2027 for direct DoD procurement and extending to procurement of products that include covered semiconductors as components, with mandatory contractor representations and flow-down clauses anticipated through DFARS rulemaking. The statute reaches not only finished semiconductors but products and services that incorporate them, dragging end-item integrators and sub-tier suppliers into the compliance envelope.

Section 1709 does not stand alone. Section 889 of the NDAA for FY2019 prohibits federal agencies from procuring covered telecommunications equipment or services produced by Huawei, ZTE, Hytera, Hikvision, and Dahua, with Part B extending the prohibition to entities that use such equipment in any system. Section 5949 of the NDAA for FY2023 separately restricts federal procurement of covered semiconductors from SMIC, YMTC, CXMT, and any entity owned or controlled by, or subject to the jurisdiction or direction of, the PRC government, with effective dates phasing through 2027. Bureau of Industry and Security Entity List designations under 15 CFR Part 744 impose license requirements for exports, reexports, and in-country transfers to listed parties, while the Foreign Direct Product Rule under 15 CFR 734.9 extends U.S. jurisdiction to foreign-produced items that are the direct product of specified U.S. technology or software, sweeping in advanced-node semiconductor equipment regardless of physical origin. CHIPS and Science Act guardrails under 15 CFR Part 231 further constrain recipients of federal semiconductor incentives from material expansions of advanced semiconductor manufacturing capacity in foreign countries of concern for ten years.

Architectural Requirement

A defensible compliance posture under this layered regime cannot rest on contractor self-certifications collected at award time. The attack surface is dynamic: ownership structures change, Entity List designations are added mid-contract, sub-tier suppliers are substituted during component shortages, and FDPR scope expands as new foreign-produced-direct-product determinations are issued. Compliance therefore requires a runtime architecture in which every component admitted into a covered system carries credentialed authority — a signed origin assertion from an authorized issuer — and every admission decision is evaluated against the current regulatory state, not the state at design time. The architecture must support rapid revocation when designations change, evidential weighting when conflicting attestations arrive, and full lineage recording so that any procurement decision can be reconstructed and defended under audit.

The five properties of a governance chain — authority-credentialed observation, evidential weighting, composite admissibility, governed actuation, and lineage-recorded provenance — map directly onto the operational requirements of Section 1709 enforcement. Authority-credentialed observation means each origin claim is signed by a recognized credentialing authority (an OEM with an attested SBOM-issuance role, a third-party assessor accredited under DFARS 252.204-7012, or a foundry attestation service). Evidential weighting means that when assertions conflict — a supplier claims non-PRC origin while an Entity List update implicates the foundry — the chain resolves the conflict by weighting credentialed evidence rather than accepting the most recent or most convenient claim.

Why Procedural Compliance Fails

The dominant compliance model today is procedural: a prime contractor collects representations and certifications from sub-tier suppliers, reviews them against the FAR/DFARS clause matrix, retains the documentation in a contract file, and presumes good-faith compliance until contradicted. This model breaks under Section 1709 for three structural reasons. First, the prohibition reaches products that include covered semiconductors as components, meaning the relevant origin attestation is not at the prime-contract level but several tiers down at the component or even die level — a depth at which paper certifications are unverifiable in practice. Second, the prohibition references entities the Secretary of Defense reasonably believes to be PRC-connected, a determination that can change between contract award and delivery, invalidating any static representation collected at the front of the procurement. Third, the FDPR and Entity List operate as moving targets: a component lawfully procured in Q1 may be prohibited in Q3 because the foundry that produced it was added to the Entity List, and procedural compliance has no mechanism for retroactive admissibility re-evaluation.

Audit defense compounds the problem. When a DoD Inspector General or DCAA auditor asks for the basis on which a specific covered semiconductor was admitted into a delivered system, the answer must reconstruct the regulatory state, the available attestations, and the admissibility decision as they existed at the moment of admission. Procedural compliance produces a contract file that says representations were collected; it does not produce a decision record that says, at timestamp T, against Entity List version V and FDPR determination D, with attestations A1 through An, the component was admitted under rule R. The gap between the audit question and the procedural artifact is the structural failure that governance chain is designed to close.

What Governance-Chain Provides

The governance-chain primitive provides a runtime substrate in which every covered-component admission is recorded as a signed, evidence-weighted, composite-evaluated, and lineage-preserved decision. Authority-credentialed observation binds each origin claim to an issuer whose credentialing scope is itself a chain artifact — a foundry attestation service is recognized to make foundry-origin claims, a CMMC-accredited assessor is recognized to make process-conformance claims, and a customs-broker attestation is recognized to make import-classification claims. Evidential weighting allows the chain to combine, for example, a supplier-issued SBOM with an independent SCRM telemetry feed and an Entity List screening result, producing a composite admissibility judgment that survives the loss or contradiction of any single source. Governed actuation ensures that when the composite judgment falls below the admissibility threshold — because an Entity List update, a new FDPR determination, or a revoked attestation has shifted the evidence — the actuation pathway that would have integrated the component is blocked at the architectural layer, not merely flagged for human review.

Lineage-recorded provenance is the audit primitive. Every admission, rejection, re-evaluation, and revocation is recorded as a signed event in the chain, with pointers to the regulatory state, the evidence set, and the rule applied. When the auditor asks why a component was admitted, the chain produces the reconstructable record. When a post-delivery Entity List update reaches a previously-admitted component, the chain re-evaluates lineage and surfaces the affected fielded systems for remediation, replacement, or controlled continued operation under a documented exception. The five properties together convert Section 1709 compliance from a documentation discipline into an architectural property of the system itself.

Compliance Mapping

Section 1709(a) prohibition on covered-semiconductor procurement maps to authority-credentialed origin observation at the foundry-attestation layer combined with composite admissibility evaluation against the current designated-entity list. Section 889 covered-telecommunications-equipment prohibition maps to the same primitive applied at the network-equipment-component layer, with Part B "use in any system" enforcement supported by lineage queries across deployed inventories. Section 5949 phased semiconductor restrictions map to time-aware admissibility rules that activate as effective dates pass. BIS Entity List screening under 15 CFR 744 maps to a credentialing-authority feed whose updates trigger automatic re-evaluation of in-scope lineage. FDPR scope determinations under 15 CFR 734.9 map to evidence sources that participate in composite judgments alongside physical-origin attestations. CHIPS Act guardrail compliance under 15 CFR Part 231 maps to governed actuation on capacity-expansion decisions, with lineage-recorded provenance supplying the ten-year retrospective record that recipients are obligated to preserve.

Adoption Pathway

Adoption begins where the regulatory pressure is highest and the existing procedural artifacts are weakest: covered semiconductors in defense end items with multi-year delivery horizons, where a 2027 effective date implies that components specified today must be defensible against the regulatory state of three years from now. The first integration point is the supplier-attestation pipeline, where existing CMMC, DFARS 252.204-7012, and SBOM workflows are extended to issue credentialed claims into the chain rather than into a static document repository. The second integration is the procurement-decision system, where admissibility evaluation moves from a checklist gate to a chain-evaluated composite judgment. The third is the audit interface, where IG, DCAA, and DCMA queries are answered from lineage records rather than reconstructed from contract files. Each integration is incremental, preserves existing contractor obligations, and produces an immediate defensibility improvement against the next Entity List update or FDPR scope expansion — the compliance events that procedural architectures cannot anticipate but governance-chain architectures absorb as routine state changes.