PixeloneStocker / Getty Images
When the Pentagon formally notified Anthropic in early March that it had been designated a "supply chain risk," it wielded a label that had existed for years but had never once been turned against an American company. In letters dated March 3, 2026, the Department of Defense designated Anthropic as the first domestic firm. The tools the government invoked were 10 U.S.C. § 3252 and the Federal Acquisition Supply Chain Security Act of 2018, two statutes with a clear legislative pedigree: They were built to protect federal systems from foreign adversaries.
The question now central to Anthropic's legal and constitutional battle with the Pentagon is whether that framework can lawfully be repurposed to punish an American technology company over a contract disagreement.
The supply chain risk framework rests on two distinct legal authorities, and both trace to the same period of escalating U.S. concern about Chinese and Russian technology infiltrating federal networks.
Section 3252 of Title 10 was originally enacted as part of the National Defense Authorization Act for Fiscal Year 2019, signed into law on Aug. 13, 2018. It provides the secretary of defense and the secretaries of the Army, Navy, and Air Force with authority to exclude a source from Pentagon procurements involving national security systems. The statute defines the threat it targets with specificity. A "supply chain risk" is "the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert" a covered system so as to "surveil, deny, disrupt, or otherwise degrade" its operation.
