The Defense Department may now officials exclude contractors or subcontractors from receiving information technology contracts based on the risk their supply chain poses to national security systems, Fierce Government reports.

This authority comes from earlier national defense authorization bills, and it expires in September 2018. An interim rule from DoD says that the authority applies to the acquisition of any IT product or service, including commercial items, as long as the contractor in question operates a supply chain that poses a significant risk to a particular national security system. The rule also specifies that the exclusion clause can only apply to national security systems, and then only to items “the loss of integrity of which could result in a supply chain risk to the entire system.”

The bar for excluding a company from a contract is set rather high, the article says: The exclusion process must officially begin with an official at least at the level of a service acquisition executive asking for permission from a committee constituted by the undersecretary for acquisition, technology and logistics, and the DoD chief information office, who must have a risk assessment from the undersecretary for intelligence.

If the application is approved, the official seeking it must make out a written determination that less intrusive measures aren’t reasonably available, and Congress must be notified. The excluded company need not be notified of their exclusion, and a secret decision to exclude cannot be litigated in a federal court.