How to Navigate Regulatory Factors for More Resilient and Secure Supply Chains

In December 2022, the U.S. Congress passed a prohibition on Chinese technologies that will affect both private- and public-sector supply chains. Section 5949 of the National Defense Authorization Act (NDAA) for Fiscal Year 2023 prohibits the U.S. government from acquiring parts, products, or services from specific Chinese semiconductor companies. Going into effect in December 2027, the law will affect industry providers of information and communications technology (ICT), consumer electronics, automobiles, medical devices, and other products that contain semiconductors.

Responsibility for implementation will principally fall on private industry, which will need to proactively illuminate supply chains to continue serving government clients and avoid costly disruptions, delays, and other related issues. Procurement officers across the federal government will also need to implement the prohibition measures, and potentially plan sourcing strategies (e.g., identifying and positioning themselves to contract with alternative suppliers) to mitigate negative impacts.

Section 5949 is representative of a rising tide of measures that seek to disentangle and de-risk American supply chains from China-provided sensitive technology and is by no means the only semiconductor-related regulation to which companies and government organizations will need to adapt. As an experienced practitioner and provider of supply chain risk management (SCRM) services for public- and private-sector organizations, Guidehouse is uniquely positioned to help clients navigate this challenging and rapidly evolving environment.

Understanding the Scope of Prohibitions

Section 5949 states that federal agencies may not procure parts, products, or services from a list of certain named Chinese semiconductor companies. Further, federal contractors are prohibited from providing components, parts, or products from these companies. If contractors supply such items to the U.S. government, they will have to self-report and will be responsible for taking corrective action.

The Federal Acquisition Security Council is required to provide guidance on this prohibition by December 23, 2025—exactly two years before it goes into effect on December 23, 2027. Once enacted, heads of agencies may provide a waiver if alternatives are unavailable or prohibitively expensive and the waiver is not expected to compromise national security. The listed Chinese entities include the following companies below, as well as any subsidiary, affiliate, or successor entity.

• Semiconductor Manufacturing International Corporation (SMIC)
• ChangXin Memory Technologies (CXMT)
• Yangtze Memory Technologies Corp (YMTC)

Why Chinese Semiconductor Companies?

Section 5949 names three Chinese semiconductor companies for several reasons. First, these regulations are related to larger concerns around the People’s Republic of China’s (PRC) ownership, control, and influence over these companies, as well as its technology sector in general.

Second, Section 5949 is driven in part by concerns regarding the Chinese Communist Party’s Military-Civil Fusion policy, which seeks to propel the People’s Liberation Army to technological prominence via increased cooperation between Chinese civilian organizations—such as the designated semiconductor entities—and the military and defense industrial sector.

Lastly, Section 5949 clearly reinforces other U.S. efforts to bolster its semiconductor industries and enhance its own ICT supply chain resilience.

Assessing Supply Chain Impacts

Organizations that aren’t proactively performing SCRM and monitoring the ever-changing semiconductor industry risk operational disruptions and falling out of compliance with laws and regulations such as Section 5949. A lack of planning and operational awareness could be damaging for public and private organizations alike, as both sectors will need to navigate an ever-changing regulatory landscape in the years to come.

Section 5949 is part of a larger strategic trend to de-risk and disentangle U.S.-Chinese supply chains, and to make U.S. supply chains more resilient and secure. Other policies that illuminate this trend include:

• In 2018, the U.S. Congress passed Section 889 of the NDAA for Fiscal Year 2019, which prohibited the U.S. government from acquiring goods, services, or equipment from specific Chinese telecommunications companies, including Huawei, ZTE, and others
• In August 2022, President Biden signed into law the CHIPS and Science Act, which incentivizes domestic U.S. semiconductor manufacturing, research, and development
• In October 2022, the Department of Commerce’s Bureau of Industry and Security implemented export controls on advanced computing and semiconductor manufacturing items to China
• In August 2023, the Biden administration published an executive order prohibiting American investment in certain Chinese technologies—including semiconductors

These actions highlight the rapidly evolving political, legal, and regulatory environment that public-sector and industry organizations must operate in on a day-to-day basis.

Section 5949 also specifically outlines the possibility of additional entity designations for companies that are owned, controlled, or otherwise connected to the government of a foreign country of concern. Most semiconductor design and manufacturing in the PRC likely fits this definition, which provides additional incentive for starting to undertake proactive supply chain risk assessments and industrial base analyses now—even if the three entities initially designated under Section 5949 aren’t of concern.

Further, Section 5949 will affect federal procurement of goods and services in priority categories including ICT, transportation, healthcare, and more. Given that semiconductor supply chain entanglement extends well beyond ICT services and products such as laptops, mobile phones, data centers, and cloud computing, beginning to address the Section 5949 requirements as soon as possible is crucial.

Planning for Disruption Across the Board

Recent years have seen auto manufacturers and medical device vendors become increasingly reliant on semiconductor supply chains—as was demonstrated in 2021, when surging demand, winter storms, energy shortages, and COVID- 19- related shutdowns led to disruptions and cost increases for multiple semiconductor-dependent industries. The auto industry in particular will likely be an area of focus for federal purchasers, as modern cars frequently contain more than 1,000 semiconductor chips, which normally come from a variety of vendors.

Industry organizations interested in doing business with the federal government will, therefore, need to ensure compliance with Section 5949 and other semiconductor-related regulations. The onus of implementation will primarily fall on private companies, as they will be responsible for illuminating their supply chains and ensuring that various component parts come from compliant sources. Contractors will be required to self-report the presence of prohibited products or parts in their goods and will typically bear the costs of mitigation and remediation actions.

Penalties for non-compliance could include contract termination or non-renewal. As a result, proactive supply chain illumination and preparation for the enforcement of Section 5949 will aid federal contractors in being able to compliantly serve the government without interruption, loss of business, or reputational harm.

For public sector organizations, planning and preparation are also critical. Although Section 5949 does not go into effect until December 2027, the procurement life cycle can take years from acquisition planning to contract award. Additionally, Section 5949 and other restrictions on the use of Chinese technology may constrain supply chains and reduce the number of viable vendors.

To mitigate potential supply chain disruptions, procurement officers may need to address supply chain issues during market research and develop alternate sourcing strategies in advance in the event they should be needed. Furthermore, the waiver for Section 5949 has a relatively high bar, meaning it will probably be challenging to acquire, which could result in federal agencies paying more for compliant goods.

For the military and intelligence community, Section 5949 and other such regulations are insufficient guards against the prevalence of Chinese technology in sensitive U.S. hardware and software. Nevertheless, these regulations do highlight concerns about the presence of malicious technology in U.S. government supply chains. It is our view that sensitive national security clients, and other clients as well, will need to go beyond satisfying regulatory and legislative requirements to illuminate supply chains to multiple tiers, conduct due diligence, and perform continuous monitoring to identify, assess, and mitigate risks.

Benefits of Collaboration

Guidehouse has the supply chain risk management expertise, capability, technology, and data necessary to provide both government and industry organizations with deeper insights into their semiconductor and technology supply chains. We offer a range of SCRM services, including strategic and operational transformation, program design and implementation, supply chain illumination and industrial base analysis, and due diligence and risk assessments and ratings.

Such information is critical to helping organizations understand how much risk they are currently exposed to, and how to reduce that risk. We leverage publicly available information, commercially enabled data, proprietary tools, and data, as well as best practices driven by our subject matter experts, to refine and capitalize on our research and analysis.

Our experts come from careers in both industry and government, and have backgrounds in fields like supply chain security, information protection, law, finance, cybersecurity, intelligence, law enforcement, data science and analysis, and investigations. We have a proven track record of successfully delivering these insights to multiple government agencies and industrial and technology companies.

Solutions for Resilience

Guidehouse’s experience can help your organization better manage the risks and understand the opportunities in your supply chains. In previous engagements we have:

• Supported a U.S. Department of Defense (DoD) Program Management Office (PMO) — Guidehouse supported the PMO by illuminating the supply chain of a platform to better understand the risks associated with key components and organizations that could affect overall program cost, schedule, and performance. Guidehouse supported the PMO with a team of subject matter specialists, open-source analysts, and data scientists to identify and locate more than 6,000 companies and 150,000 components in the global supply chain, primarily through open-source research and advanced analytics.
• Provided another government program with independent, open-source analyses via due diligence and risk assessments on vendors — These reports provided insights and information regarding the supply chain threats, vulnerabilities, and risks of critical suppliers, and resulted in industrial base analyses on strategic opportunities and initiatives, including specific market and workforce studies, COVID-19 assessments, contracting improvements, and global supply chain risks.
• Developed and stood up an enterprise-wide supply chain risk management program for a civilian cabinet-level department — This included designing and deploying governance and oversight structures, performing stakeholder engagement and training, developing policy and procedures, implementing vendor supply chain risk assessments, integrating open-source data and automated platforms, and developing continuous improvement measures and performance metrics.

Conclusion

Section 5949 and other semiconductor-related regulations will very likely affect federal and commercial business procurement in a wide variety of sectors, including ICT, transportation, healthcare, and more. The costs of mitigation and remediation will tend to fall mostly on private companies, which will be required to self-report the presence of banned components in their supply chains. However, government organizations will also face disruptions and cost increases if supply chains are constrained, and the number of compliant vendors is reduced. Both government and industry organizations can benefit immensely, however, from proactive supply chain risk management activities, including supply chain illumination, industrial base analyses, due diligence, and risk assessments.