In the Department of War acquisition environment, the boundary between innovation and risk can shift very quickly. In early March 2026, that became especially clear when Anthropic AI was formally designated a supply chain risk, with direct implications for organizations that depend on AI in government settings.
From my perspective as an RMF practitioner, this is more than a news item. It is another sign that software supply chain risk now reaches beyond code quality, patching, and provenance. It also includes the provider’s policy posture, operational limits, and willingness to support mission use.
Anthropic’s role in the defense ecosystem had been growing for some time. Claude had been used in sensitive government contexts, including work tied to intelligence analysis, planning, and other mission-support activities.
That is what makes this shift so notable. It shows how quickly a supplier can move from trusted partner to restricted vendor when its stated boundaries conflict with government requirements. In this case, reporting indicated that the dispute centered on Anthropic’s refusal to support fully autonomous weapons and mass domestic surveillance, while the government moved to invoke its authority under 10 U.S.C. § 3252.
What stands out to me is not just the policy dispute, but what it says about the future of RMF. Technical capability alone is no longer enough. Supplier alignment with mission needs, legal authority, and policy expectations now matters just as much.
For organizations in the Defense Industrial Base that used Anthropic tools, the designation creates several immediate RMF concerns.
First, any system with an ATO that includes Anthropic components should be reviewed again. That review should focus on the System and Services Acquisition and Supply Chain Risk Management control families, especially where the technology sits within the authorization boundary and how it supports the mission.
Second, scope matters. Available reporting suggests the restriction is tied to Department of War contracting and related mission use, rather than a blanket prohibition on all Anthropic products or all commercial relationships. That distinction matters for organizations that must separate federal obligations from broader enterprise operations.
Third, transition is rarely simple. AI tools are often embedded deeply in workflows, integrations, and decision-support processes. Even when a replacement exists, organizations still need to preserve continuity, retrain users, validate outputs, and maintain compliance throughout the transition.
This development reflects a broader change in how supply chain risk is understood. Traditionally, S-SCRM focused on component provenance, vendor trust, and integrity controls. Those issues remain essential, but AI introduces additional factors, including ethical boundaries, policy posture, and the conditions under which a supplier is willing to participate in government work.
That makes RMF more complicated, but also more realistic. Organizations now need to ask not only whether a tool works, but whether it can remain usable under changing legal, ethical, and operational expectations. In that sense, supply chain risk is increasingly about alignment as much as performance.
The current litigation also underscores that this issue is still evolving. As of April 8, 2026, reporting indicated that Anthropic remained blocked from certain Department of War contracting activity while legal challenges continued. For contractors, that uncertainty is itself a risk factor, since it affects vendor selection, acquisition planning, and authorization strategy.
I see the Anthropic case as a useful marker for the next phase of RMF. It demonstrates how quickly an approved technology can become a risk concern when policy shifts or when supplier and government priorities diverge.
My view is that the right response is discipline, not panic. Organizations should map AI dependencies, document where those dependencies exist, test alternatives before they are needed, and make sure authorization packages can absorb change without losing control of the mission.
Those that take that approach will be better positioned for the next supply chain disruption, whether it comes from AI, cloud services, or another emerging technology category.
RMF is no longer just about checking technical boxes. It is about understanding how technology, policy, and mission requirements interact in an environment where supplier relationships can change quickly.
The Anthropic situation is a strong example of that reality. It reinforces a simple point: resilience today means being ready to adapt fast, replace critical capabilities when necessary, and maintain compliance even when the ground shifts beneath you.