By Carla O
For years, combatant commanders have owned the responsibility of spotting dangerous vendors in their theaters, but lacked an efficient means to remove them. DoW Instruction 3000.20 changes that. It also points out the gap that remains.
Key points
- New authority, broader scope. Effective June 12, Instruction 3000.20 lets combatant commanders identify dangerous foreign vendors and have contracting activities exclude, terminate, or void their contracts. This is a far broader version of an existing authority that was narrow and unevenly applied.
- Built to hold up. A designation rests on a real evidentiary standard, requiring moderate-to-high confidence and a “high” or “critical” threat rating.
- One gap remains. The policy supplies the authority to act, not the means to discover and prove the threat. That discovery gap is a live problem, but a solvable one.
For most of the past decade, combatant commanders have carried a responsibility that outran their tools. Force protection and mission assurance made spotting dangerous vendors in theater their problem, but the formal authority to remove one was narrow, tied largely to keeping contract dollars out of enemy hands, and applied unevenly across commands.
DoW Instruction 3000.20, Threat Mitigation in Commercial Support to Operations, closes most of that distance. Effective June 12 and approved by Michael Duffey, Under Secretary of War for Acquisition and Sustainment, it implements Vendor Threat Mitigation (VTM) authorities Congress first granted in FY15, replacing a 2018 memorandum built around preventing enemy funding.
The shift is one of scope. The old question was whether money was reaching the enemy. The new one is broader: does this vendor endanger the mission or the force at all through violence, espionage, organized crime, etc. The rules apply only to work performed outside the United States.
What commanders can now do
A combatant commander can designate a contractor as a “covered person or entity” when it engages in covered activities, including: violence against U.S., allied, or partner personnel and the financing, logistics, training, or intelligence behind it; foreign intelligence operations; transnational organized crime; or other conduct posing a direct or indirect risk to forces. Once the commander’s identification is formalized, a head of contracting activity can exclude the vendor from current and future awards, terminate for cause, or void the contract. The authority is non-delegable, and an enterprise-wide exclusion follows the vendor across the U.S. government.
For the broad range of threats a commander was already responsible for watching, in other words, there is finally a matching lever to pull.
A burden of proof
This authority comes with a real evidentiary bar for commanders. A designation requires moderate-to-high confidence and a “high” or “critical” threat rating. Below that line, the policy points to lighter measures first. The contracting activity reviews the identification and confirms it meets the required standard before acting, the vendor gets 30 days’ notice and a right to administrative review, and designations are revisited annually. In theory, a well-supported call is one that holds, and poorly justified designations will not unduly disadvantage compliant vendors.
Along with DOWI 3000.20, the Department issued changes to Class Deviation 2026-O0051. Together, this package of policies also pushes continuous screening obligations onto contractors and opens contractor and subcontractor records to government review. Those are useful enforcement and audit mechanisms, but downstream of the harder question.
The gap that remains
This new policy hands commanders the authority to act and the standard to make it stick, but not the means to find and prove the threat in the first place. Tellingly, the instruction tasks senior acquisition and intelligence leaders to “identify and recommend standards and tools to enable the use of [these] authorities” and points commands toward publicly and commercially available information.
However, threat mitigation teams are critically under-resourced to identify vendors whose connections to a sanctioned network or a hostile state are buried through shell companies or subsidiaries.
That discovery gap is not theoretical, and it is not new. Quantifind has automated screening at the roughly 100,000-company defense industrial base and surfaced precisely the risks 3000.20 now names — sanctions ties, charities linked to terror financing, and entities tied to espionage and organized crime — sitting within the DoW vendor base, alongside foreign-ownership cases a degree from Chinese state control.¹
Whether or not the government knows it, the risk is already there. What has been, and remains, missing is the means to see it.
Manual screening performed by resource-strapped analyst teams is simply incapable of resolving foreign entities across languages, aliases, and shell layers; mapping the network around them; and surfacing hidden connections with the kind of source-linked, audit-ready evidence a “high” or “critical” rating needs to survive a challenge.
The bottom line
For commanders who have long been accountable for vendor risk without a clean way to act on it, 3000.20 is good news. The authority now matches the responsibility, and the evidentiary standard will make these designations defensible. The one piece these policies leave on the table is the ability to find and prove the threat before it becomes an exposure. Fortunately, with purpose-built AI tools, closing this gap is well within reach.
About Quantifind
Quantifind provides AI-driven risk intelligence for due diligence, using open-source data and advanced name science to uncover hidden ownership and foreign influence. By resolving entities and mapping complex relationship networks, Quantifind delivers explainable insights at scale so acquisition teams can detect risk earlier and make confident procurement decisions at speed.
Learn more: https://www.quantifind.com/industry-public-sector/
Read the source documents: Quantifind Defense Industrial Base Screening Report · DoW Instruction 3000.20 · Class Deviation 2026-O0051 · ExecutiveGov coverage
¹ The DoW handles Foreign Ownership, Influence, and Control (FOCI) risk under DoDI 5205.87, but the threat operates on the same buried relationships as those covered under DoWI 3000.20