- DOW has issued department-wide rules for spotting risky foreign vendors and removing them from contracts, grants and cooperative agreements
- The directive covers only work performed overseas
- Commanders can flag vendors tied to violence, foreign intelligence operations or organized crime, triggering possible removal from current or future awards
The Department of War has set department-wide procedures for identifying foreign vendors that pose security risks to U.S. operations abroad and removing them from federal contracts, grants and cooperative agreements.
DoW Instruction 3000.20, titled “Threat Mitigation in Commercial Support to Operations,” took effect Friday, the same day it was published. Michael Duffey, under secretary of war for acquisition and sustainment and a 2026 Wash100 Award winner, approved the directive, which implements vendor threat mitigation authorities granted by Congress in the fiscal 2015 defense authorization act and expanded in the fiscal 2024 act. It cancels a 2018 memorandum that focused narrowly on preventing contract funds from reaching enemy forces.
The policy applies only to work performed outside the United States. Contracts carried out entirely inside the country are not covered.
Which Vendors Does the Policy Target?
The instruction assigns combatant commanders the responsibility for vetting vendors in their areas of responsibility. A commander can designate a contractor as a “covered person or entity” if it engages in what the policy calls covered activities:
- Violence against U.S., allied or partner personnel and the financing, logistics, training or intelligence support that enables it
- Foreign intelligence operations against the U.S. or its partners
- Transnational organized crime
- Other conduct that poses a direct or indirect risk to missions and forces
A commander must hold moderate-to-high confidence in the underlying threat assessment and assign a “critical” or “high” threat rating. Below that threshold, the policy directs commanders to manage the risk through less intrusive steps first, such as barring someone from an installation, requiring escorted access or revising contract terms.
What Happens Once a Vendor Is Flagged?
When a commander finds a covered person or entity engaged in covered activities, the deputy assistant secretary of war for logistics must be notified. The official, along with other acquisition heads, will review the commander’s findings and decide whether to take a covered procurement action — excluding the vendor from current or future awards, terminating its contract for default, or voiding the agreement in whole or in part.
The authority to take those actions cannot be delegated below the contracting-activity head. Vendors must receive a notice no later than 30 days before an action takes effect. They can challenge it through an administrative review, though the department may withhold the underlying rationale when disclosure would compromise national security or expose classified information. Commanders and contracting officials must review flagged vendors each year to decide whether to keep or lift the restrictions.
How Will Contracting Officers Apply the Authorities Now?
Alongside the instruction, the Defense Pricing, Contracting and Acquisition Policy office issued Class Deviation 2026-O0051 to give contracting officers operative contract language ahead of permanent regulatory changes. The deviation adds two clauses to solicitations and contracts performed overseas, including those for commercial products and services bought under streamlined procedures.
The first clause requires contractors to comply with vendor threat mitigation policies and to avoid covered activities. It also obligates them to vet their own supply chains: checking the System for Award Management for prohibited or restricted sources before awarding a subcontract and at least monthly afterward, dropping any listed subcontractor unless a contracting officer approves an exception, and reporting covered activities as soon as they surface. The second clause authorizes the government to examine contractor and subcontractor records when needed to support the vendor threat mitigation programs established by combatant commanders.
How Does This Build on DOW’s Vendor Threat Mitigation Efforts?
The directive extends a vendor-vetting push that gained momentum earlier this year. In February, Duffey approved vendor threat mitigation guidance that standardized how department components assess commercial suppliers and coordinate across the contracting, intelligence, security, legal and mission-assurance communities.





