I've been getting calls about this all morning. Let me break it down:
What 10 USC §3252 actually covers: Historically, supply chain risk designations under this statute apply only to covered procurement — meaning the Pentagon's own contracts and its contractors' Pentagon-related work. It was designed for situations like Huawei/ZTE where the concern was compromised hardware in DoD systems. It has never been used against a US-headquartered company before.
Scope of the designation: On its face, the designation means the DoD cannot procure Anthropic products, and DoD contractors cannot use Anthropic products in connection with DoD contracts. Anthropic's position — which is legally sound — is that it cannot extend to how contractors use Claude for their non-Pentagon commercial customers. Your legal doc review pipeline for private-sector clients should be unaffected.
The chilling effect is real, though: Even if the legal scope is narrow, companies may drop Claude preemptively to avoid any appearance of a security issue during contract renewals or audits. That's the practical risk Anthropic faces, and frankly it's probably the intended effect of the designation.
The irony: OpenAI just signed its Pentagon deal with the same two guardrails Anthropic insisted on — no mass surveillance applications and no fully autonomous weapons systems. The Pentagon apparently found those terms acceptable from OpenAI but unacceptable from Anthropic.
The 6-month wind-down: This applies to existing DoD contracts that currently use Anthropic products. Agencies have 6 months to transition away. It does not retroactively void existing commercial contracts between Anthropic and private companies.