Navigating the FY 2026 NDAA: implications for energy, infrastructure, technology, and private capital

Alert
|
10 min read
Melissa Taylormoore |
Hope Anderson |
Farhad Jalinous |
Suzanne Perry

The FY 2026 National Defense Authorization Act (NDAA), signed into law on December 18, 2025, represents more than a statutory vehicle for annual defense spending. With a topline authorization of $900.6 billion, the Act now functions as a comprehensive regulatory framework shaping US national security policy, supply chains, technology governance, and capital formation. Its scope and operational consequences extend well beyond traditional defense contractors, increasingly reaching commercial enterprises across energy, infrastructure, artificial intelligence, and private investment portfolios with even indirect connections to US markets or national security priorities.

Unlike earlier NDAAs that layered discrete authorities atop existing regulatory regimes, the FY 2026 NDAA consolidates, harmonizes, and accelerates national security enforcement tools across capital, technology, and supply chains. As a result, companies that once viewed defense-related regulation as peripheral now face direct exposure through ownership structures, technology dependencies, data architecture, and vendor sourcing decisions. The Act effectively embeds national security considerations into ordinary commercial decision-making.

This white paper provides a multi-disciplinary synthesis of the FY 2026 NDAA, grounded in continuous monitoring of the legislation as it progressed through Congress. By integrating strategic perspectives from our Energy, Mining and Minerals, CFIUS and Foreign Ownership, Control or Influence (FOCI), Private Capital, and AI practices, this analysis transforms discrete regulatory signals into a cohesive, enterprise-focused framework. It is designed specifically for in-house legal and operational executives who must translate complex national security mandates into actionable business strategy.

Specifically, this paper examines how the FY 2026 NDAA reshapes risk and opportunity across three interrelated domains: energy and infrastructure (including critical mineral supply), where national security considerations increasingly influence financing, sourcing, and project governance; technology and artificial intelligence, where platforms, data, and software architecture are treated as security-sensitive assets; and private capital, where regulatory alignment has become a material driver of valuation, deal certainty, and exit readiness. Taken together, these developments reflect a broader shift in which national security concerns are embedded directly into the commercial economy rather than appended as post-closing compliance obligations.

The Evolution of National Security Risk: Risk Follows Capital

The FY 2026 NDAA codifies a fundamental shift in US national security policy: risk now follows capital, access, and influence, not merely contract privity. Rather than relying on isolated enforcement actions or siloed regulatory regimes, the Act aligns investment controls, export restrictions, procurement rules, and ownership disclosure obligations to ensure that commercial activities are assessed through a national security lens at much earlier stages of the business lifecycle.

Two legislative developments are particularly consequential

First, the codification of the Comprehensive Outbound Investment National Security Act (COINS Act) significantly expands outbound investment review and imposes mandatory notification, and, in certain cases, outright prohibitions, on US investments involving "countries of concern." The COINS Act broadens that designation to include Russia, Iran, North Korea, Cuba, and Venezuela, and targets "prohibited technologies", such as hypersonics, advanced semiconductors, and high-performance computing. Importantly, regulatory exposure is not limited to controlling stakes. Minority investments, joint ventures, licensing arrangements, governance rights, and access to technical information can all trigger scrutiny. Capital deployment decisions that previously appeared commercially neutral may now create regulatory exposure based on downstream technology transfer or strategic influence.

Second, Section 8102 expands CFIUS jurisdiction over real estate transactions by authorizing the designation of "national security-sensitive sites," including Department of Energy national laboratories, energy production facilities, and other critical infrastructure locations. This expansion transforms physical proximity into a material diligence factor for infrastructure investors, data center developers, and energy projects. The provision underscores that geographic adjacency, operational access, and infrastructure interdependence can implicate national security review independent of ownership levels.

Together, these provisions confirm that ownership percentage alone is no longer determinative. Information rights, board observation, technical collaboration, and physical location increasingly drive regulatory outcomes. For in-house legal teams, the implication is clear: national security analysis must be integrated into capital allocation, joint-venture structuring, and site selection decisions at the outset—not treated as a post-signing compliance exercise.

Energy and Infrastructure: The "Energy Dominance" Mandate

Energy infrastructure now sits squarely at the center of US national security policy, with the FY 2026 NDAA reinforcing an "energy dominance" framework that links resilience, industrial capacity, and geopolitical stability. Grid modernization, energy storage, advanced manufacturing, and critical minerals are no longer treated as purely commercial initiatives; they are regulated as strategic assets essential to national defense preparedness and economic security.

Section 833's supply chain "illumination" framework is emblematic of this approach. The provision authorizes the Department of Defense to grant time-limited national security waivers through January 1, 2028, where contractors promptly disclose noncompliant components identified through approved illumination systems. While framed as a waiver mechanism, the provision creates a strong incentive structure: transparency is rewarded, while opacity increasingly results in loss of eligibility, delayed funding, or adverse diligence findings. For energy companies, illumination obligations extend into batteries, transformers, inverters, power electronics, and grid-scale storage systems, often implicating sub-tier suppliers far removed from direct federal contracting relationships.

The NDAA also allocates $2 billion to the National Defense Stockpile under Section 1412, linking federal support to sourcing eligibility tied to a dynamically evolving list of approximately 50 "applicable critical minerals." Legal and compliance teams must now monitor how modifications to that list affect eligibility for federal grants, tax incentives, and financing. Minerals such as lithium, cobalt, and germanium, central to energy storage and transmission, present particular risk due to concentrated global supply chains.

Section 851, incorporating the BIOSECURE Act, further expands the national security perimeter into advanced manufacturing and materials innovation. By prohibiting executive agencies from procuring biotechnology equipment or services from designated Biotechnology Companies of Concern (BCOCs) and requiring contractors to phase out such dependencies over five years, the provision reaches deep into R&D ecosystems where bio-enabled, nano-enabled, or materials-science processes intersect with energy innovation. Risk often surfaces not at deployment, but during Department of Energy diligence reviews, audits, or follow-on funding decisions.

As a result, energy security has become a board-level enterprise risk. Legal and compliance functions increasingly operate as an internal control tower, coordinating supply chain audits, capital structuring decisions, and escalation protocols to align commercial execution with national security expectations.

Technology and AI: Platforms as National Security Assets

The FY 2026 NDAA leaves little ambiguity that software platforms, AI systems, and data infrastructure are national security assets. The regulatory focus has shifted from functional outputs to provenance: who developed the technology, how it was trained, and where its dependencies reside. Architecture decisions once left to engineering teams now carry regulatory consequences.

Section 1532 requires removal of AI models developed by certain foreign-linked entities (including DeepSeek and HighFlyer) from Department of Defense systems within 30 days of enactment and prohibits their use in      contract performance. 

Critically, Section 1532's prohibition on 'covered artificial intelligence' extends beyond a simple 'rip-and-replace' requirement: it defines covered AI to include technology developed by specified foreign-linked entities and by entities in which those foreign entities have a direct or indirect 20 percent or greater ownership interest, meaning companies and counsel must analyze indirect ownership and funding relationships to determine whether an AI system is subject to the statutory ban. This requirement reflects a broader move toward de facto allow-lists for AI components and increases pressure on companies to inventory AI dependencies well beyond customer-facing applications.

The Act also reinforces transparency expectations through emerging AI Software Bills of Materials (AI SBOMs). Although framed as traceability measures, these requirements effectively mandate granular disclosure of training data sources, model lineage, embedded open-source components, and update pathways. Section 6603 further directs the Intelligence Community to establish standards for hosting publicly available AI models on classified systems, signaling that transparency and security must coexist rather than compete.

Finally, Section 866, directing the Department of Defense to harmonize cybersecurity requirements across the Defense Industrial Base, reflects a deliberate policy choice: reduce duplicative compliance regimes while raising baseline expectations. For technology companies, this convergence underscores the necessity of embedding governance, cybersecurity, and supply chain visibility into product development from inception, not retrofitting controls post-deployment.

Private Capital: Compliance as a Strategic Lever

For private equity and venture capital firms, the FY 2026 NDAA fundamentally reframes compliance from a cost center to a strategic lever influencing valuation, deal certainty, and exits. Through incorporation of the SPEED and FoRGED Acts, the NDAA lowers barriers for non-traditional contractors while rewarding early regulatory alignment.

Section 1806 raises the threshold for full Cost Accounting Standards (CAS) coverage from $50 million to $100 million and increases the contract-specific applicability threshold to $35 million. Section 1804 similarly increases the Truthful Cost or Pricing Data (TINA) threshold to $10 million for contracts entered after June 30, 2026. The sole-source approval threshold also increases dramatically, accelerating procurement timelines for innovative and "SPEED-ready" companies.

Section 1826 provides broad exemptions for nontraditional defense contractors from FAR Part 31 cost principles and TINA requirements, allowing investors to distinguish targets that can access federal markets without incurring legacy compliance burdens. Conversely, deficiencies in HFIAA readiness, opaque ownership chains, unvetted technology stacks, or poorly documented supply chains increasingly surface as material diligence issues that can suppress valuation or delay exits.

Portfolio-wide visibility, often through NDAA-focused compliance dashboards, enables early identification of CAS, TINA, supply chain, and insider-reporting triggers. This visibility supports proactive remediation and transforms compliance oversight into a tool for operational resilience and exit preparation.

Continuity with Prior NDAAs and Legacy National Security Regimes

Although the FY 2026 NDAA introduces significant new authorities and thresholds, it is best understood as an extension and acceleration of prior NDAA policy trajectories, rather than a regulatory reset. Existing regimes, including CMIC designations, export controls under ECRA and ITAR, Section 889 supply chain prohibitions, CFIUS mitigation obligations, and sanctions enforcement, and the intending Section 847 (FY20) implementation regarding beneficial ownership disclosures for purposes of identifying FOCI factors and whether FOCI mitigation arrangements apply continue to operate in parallel and are increasingly reinforced by the 2026 Act.

Treating FY 2026 in isolation risks overlooking these foundational obligations, which remain central to diligence, compliance, and enforcement exposure. In practice, regulators are applying a cumulative lens: past compliance failures amplify present risk, while demonstrated governance maturity mitigates scrutiny.

Reauthorization and Expansion of Authorities for DFC

The FY2026 NDAA included the bipartisan DFC Modernization and Reauthorization Act of 2025, which increased the investment limits for, provided more flexibility for equity funding by, and extended to 2031 the charter of, the United States International Development Finance Corporation. Among other things, the amendments to the existing BUILD Act brought about by the FY2026 NDA allow DFC to consider financing in all international geographies other than enumerated "countries of concern". Ability to invest in the wealthiest twenty countries worldwide is limited but now possible through investments (a) in the "Five Eyes" countries, and (b) in energy, critical minerals, rare earths, and information and communications technologies, including undersea cables. Changes also include an explicit mention of national security in the agency's core purposes and a suggestion from Congress that the agency should consider projects to advance secure supply chains to meet the critical minerals needs of the United States and its allies and partners. Considering parallel developments in pursuing critical mineral and defense partnerships with allies and the focus on minerals processing in the January 16, 2026 Executive Order (Adjusting imports of processed critical minerals and their derivative products into the United States – PCMDPs), we expect that investments by DFC to include a renewed focus on mining and minerals processing in a broader range of countries than those in which DFC previously worked.  And, as we are seeing in domestic finance programs from the Departments of Energy, Commerce, Defense and the Export-Import Bank of the United States, there is likely to be growing emphasis on minerals important for the Defense Industrial Base.

Conclusion

The FY 2026 NDAA marks a paradigmatic shift in the relationship between national security regulation and the commercial economy. Energy infrastructure, technology platforms, AI systems, and private capital investments are now governed by an integrated framework in which transparency, provenance, and governance define both compliance and competitiveness.

For investors, these capabilities are no longer just "checks in a box," they are fundamental pillars of valuation. During the diligence phase, the ability to quantify an asset's supply chain illumination and NDAA governance maturity provides a clear indicator of deal certainty and future exit viability. When developing a divestiture strategy, proactively cleaning up ownership stacks and verifying technology provenance serves to de-risk the asset, potentially commanding a premium by ensuring the target is "SPEED-ready" and insulated from CFIUS or COINS Act interventions. In a securitized market, a company's national security alignment is as material to its terminal value as its EBITDA.

In this environment, the NDAA is no longer merely a defense statute. It is a roadmap for how national security will shape commercial decision-making in 2026 and beyond.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2026 White & Case LLP

Contacts

Melissa Taylormoore
Melissa Taylormoore
Partner|Washington, DC
Services
US Government Contracts, Litigation, National Security, Employment, Compensation & Benefits
Hope Anderson
Hope Anderson
Partner|Los Angeles
Services
Data, Privacy & Cybersecurity, Technology, Artificial Intelligence (AI), Privacy Advisory and Compliance, AI Regulatory, Content and non-privacy data regulation
Farhad Jalinous
Farhad Jalinous
Partner|Washington, DC
Services
International Trade, Mergers & Acquisitions, Foreign Direct Investment (FDI) Reviews, Technology, Financial Institutions, Taiwan
Suzanne Perry
Suzanne Perry
Partner|Washington, DC
Services
Project Development and Finance, Debt Finance, Power, Private Capital, Infrastructure, Financial Institutions

Service areas

Top