AI-Enabled Continuous Monitoring: Key to NDAA Compliance
The NDAA Ernst Amendment represents a fundamental paradigm shift in federal procurement.
By Jason English
The 2026 National Defense Authorization Act (NDAA) imposes some of the most sweeping vendor-vetting rules in recent memory. At its core is the Ernst Amendment, which requires stronger safeguards to block vendors with undisclosed ties to the Chinese Communist Party (CCP) or other foreign adversaries from entering the federal supply chain. The deadline for implementing the requirements outlined by the NDAA is September 30, 2026. Before this time, federal agencies and contractors must implement validated, end-to-end screening processes or risk compliance failures and mission disruption.
The 2026 NDAA doesn’t just add new requirements. It fundamentally redefines vendor vetting as a counterintelligence mission requiring continuous vigilance, advanced analytics, and cross-agency collaboration. What we’re seeing is a transition from “trust but verify” to “verify continuously.”
Federal acquisition professionals, defense contractors, supply chain risk managers, and policy leaders should start taking action now as the NDAA Ernst Amendment represents a fundamental paradigm shift in federal procurement. Its parameters require agencies and contractors to move beyond checkbox compliance and adopt active, intelligence-driven safeguards against hidden adversarial vendors.
Three Primary Shifts
Three core shifts illustrate this new direction: moving from self-attestation to third-party validation, from focusing solely on ownership to accounting for broader influence, and from point-in-time checks to continuous monitoring. Together, these changes call for a more proactive, intelligence-driven approach to protecting the federal supply chain.
- From Self-Attestation to Third-Party Validation – With this new policy, federal procurement is shifting away from its long-standing reliance on contractor self-reporting. Under the Ernst Amendment, the Defense Counterintelligence and Security Agency (DCSA) will serve as the validation authority, requiring validated, end-to-end screening that moves vetting from trust-based attestations to independently verified oversight.
- From Ownership to Influence – Traditionally, supply chain reviews have focused on foreign ownership, control, or influence (FOCI). However, adversaries increasingly leverage unofficial affiliations, political influence networks, and entities such as China’s United Front Work Department to gain access. As a result, legal ownership alone no longer captures the full spectrum of risks.
- From Point-in-Time to Continuous Monitoring – One-time vetting at the start of a contract is no longer sufficient. The new framework requires continuous monitoring, with contractors required to maintain ongoing alerts, conduct periodic reassessments, and proactively report any material changes in their circumstances.
Risk-Based Tiering
A tiered approach can allow checks to be applied more strategically: for example, a basic, lightweight review for low-risk suppliers and counterintelligence-grade vetting for high-risk cases. This can help agencies and contractors focus resources effectively while meeting the law’s requirements.
- High-risk Suppliers – These include suppliers that support critical infrastructure or produce critical technologies, such as semiconductors and biotechnologies. This would also include suppliers with overseas ownership structures and those operating in geopolitically sensitive or contested regions.
- Medium-risk Suppliers – These are suppliers supporting non-mission-critical capabilities, or that may have limited foreign ties but lack transparent governance structures.
- Low-risk Suppliers – These include commodity-based suppliers, such as those providing facility maintenance equipment, office supplies, and general administrative goods.
Even with tiered risk assessments prioritizing the most critical vendors, continuous end-to-end supply chain monitoring can generate an enormous volume of data that must be tracked, analyzed, acted upon, and documented.
The information that must be sourced and tracked can encompass government procurement records, financial flows, business structures, multilingual open-source intelligence, watch lists, sanctions, foreign registries, and other relevant data. The sheer scale and complexity of integrating all this data make manual oversight difficult, if not impossible. For larger vendor supply chains, this requires AI-driven tools capable of compiling and processing vast datasets, identifying subtle risk patterns, and providing actionable intelligence.

Where Commercial Tools Fit
In an environment where adversaries continuously adapt their concealment methods, government systems alone cannot maintain the decision advantage necessary to protect the supply chain. Commercial platforms serve as force multipliers, providing deep analytics and adversary-focused intelligence that enable agencies to meet both the letter and the spirit of the Ernst Amendment’s requirements.
Commercial AI-enabled platforms scour open-source intelligence from publicly available data, along with proprietary data, to deliver mission-speed analytics that resolve aliases, match entities across thousands of data sources, and identify obscured connections in real time.
The most advanced of these platforms integrate seamlessly with existing government systems through Application Programming Interfaces (APIs) and secure data feeds, augmenting rather than replacing internal capabilities.
The critical advantage is speed. While legacy systems may take days or weeks to process and correlate information, AI-driven tools operate much faster, performing link analysis and risk scoring quickly enough to support acquisition decisions without creating bottlenecks.
The goal is to translate technical intelligence findings into actionable insights that procurement officials and program managers can use to make informed, risk-based decisions.
Next Steps
In a recent webinar on this topic, John Tenaglia, principal director, defense pricing and contracting at the U.S. Department of War (DoW), indicated that he will soon publish proposed policy rules. He added that they will then be published for public comment. Nevertheless, he underscored that the final rules will closely follow what the statutory language requires.
In the meantime, contractors should now begin building their risk frameworks by identifying and prioritizing (tiering) suppliers, starting with those critical to their operations. Conducting preliminary self-assessments of the supply chain will allow you to get ahead of government inquiries and eliminate surprises before contract awards. The regulatory details will continue to evolve, but the fundamental requirements are clear enough to begin meaningful preparation.
Other steps to take could include developing vendor intelligence tradecraft, that is, treating supply chain vetting as a distinct intelligence discipline rather than simply a compliance exercise. Teams need training to read and interpret beneficial ownership structures and to understand how shell companies, nested subsidiaries, and complex corporate arrangements can obscure actual control. Equally important is learning how to interpret risk flags when they emerge and communicate those risks effectively to decision-makers. Building this competency takes time, so starting now is paramount.
U.S. adversaries are actively exploiting supply chain vulnerability. These policies are being put in place for a reason, which underscores the urgency of action.
As the federal community defines this challenge and formulates comprehensive policies, I would caution against waiting for final policy and implementation guidelines. Start identifying your risk framework. Begin mapping your critical suppliers and triage them to help you prioritize vendor vetting. In this way, when the policy, regulation, and collaboration guidelines are finalized, you will be ahead of the power curve and can be entirely focused on your mission.
About the Author
Jason English serves as Senior Vice President of Supply Chain Risk and Vendor Vetting Solutions at Babel Street, where he leads the development and execution of go-to-market strategies for global defense, intelligence, commercial, and international markets. A retired Naval Intelligence Officer with 26 years of distinguished service, Jason has directed intelligence operations across multiple DoD and Intelligence Community organizations, specializing in global risk management, military operations, and cybersecurity. At Babel Street, he leverages his operational expertise and strategic vision to deliver innovative vendor-vetting and supply-chain risk solutions in support of mission-critical DoD and IC requirements. His background includes proven success in business development, strategic planning, and governmental affairs. Jason is a graduate of the U.S. Naval Academy, the U.S. Air Force Command & Staff College, and the College of William & Mary.
