Aerospace & Defense Restricted Party Screening & Export Control Compliance

Restricted party screening platforms and global trade management systems provide essential compliance infrastructure — aggregating government watchlists, screening entity names, and flagging potential matches. These tools are the operational backbone of any compliance program. But list-matching alone can only flag entities that appear on a published government list. It cannot surface the ownership and control networks, subsidiary relationships, or front company structures behind those listed entities. That’s where Kharon comes in. Kharon’s research methodology aligns to the regulatory red flag indicators that enforcement agencies use — military-civil fusion connections, foreign government ownership insights, procurement network risks — to identify restricted entities and their networks, including entities that no published government list captures. All intelligence is led and verified by subject matter experts with backgrounds in global security regulations and open source investigations. The result is risk intelligence that integrates directly into the screening platforms companies already use — identifying a restricted party’s unlisted subsidiary, a front company created to circumvent a designation, or an intermediary operating on behalf of a military end user. Kharon’s intelligence and your screening infrastructure work together: better data in, better compliance decisions out.

Restricted party screening is the process of checking customers, suppliers, end users, and other business partners against government-maintained lists of entities subject to sanctions, export control restrictions, or procurement prohibitions. In aerospace and defense, the regulatory obligations driving screening span multiple jurisdictions and frameworks: sanctions programs and their associated 50% ownership rules, the BIS Entity List and Affiliates Rule, military end use and end user restrictions, Section 889 telecommunications prohibitions, and Section 1260H Chinese military company procurement bans. These screening obligations intersect with broader supply chain risk management and due diligence requirements — including UFLPA forced labor compliance, FOCI assessment, and international frameworks such as the EU Dual-Use Regulation — which demand entity-level ownership intelligence that goes well beyond name-matching. Effective restricted party screening in the defense industrial base means identifying entities that are restricted by operation of law — such as unlisted subsidiaries majority-owned by designated entities — even when they don’t appear on any published list. Kharon delivers the verified entity intelligence that enables this level of screening and due diligence depth.

The Defense Federal Acquisition Regulation Supplement (DFARS) imposes compliance requirements on contractors and subcontractors working with the Department of Defense. Several DFARS provisions directly affect supply chain risk management: DFARS 252.204-7018 implements the Section 889 prohibition on procuring telecommunications equipment from certain Chinese entities, while DFARS provisions related to Section 1260H restrict procurement from Chinese military companies designated by the Department of Defense. Compliance requires visibility not just into Tier 1 suppliers but into sub-tier ownership structures — because a component sourced from an entity owned or controlled by a designated party can create the same compliance exposure as sourcing directly from that party. Kharon’s ownership and control intelligence provides the sub-tier visibility that DFARS compliance demands.

Section 889 of the National Defense Authorization Act prohibits the federal government, and its contractors and subcontractors, from procuring or using telecommunications and video surveillance equipment and services from specified Chinese companies along with additional entities identified by the Secretary of Defense, and their subsidiaries and affiliates. The prohibition extends throughout the supply chain: a contractor whose sub-tier supplier incorporates covered telecommunications equipment can face compliance exposure even without a direct purchasing relationship. Identifying subsidiaries and affiliates of covered entities requires ownership intelligence that goes beyond published lists, because corporate restructuring, joint ventures, and intermediary entities can obscure connections to the named companies. Kharon’s ownership and control intelligence helps contractors trace these relationships across their supply chains.

Section 1260H of the FY2021 National Defense Authorization Act requires the Department of Defense to publish and maintain a list of Chinese military companies — entities the DOD identifies as connected to China’s military-civil fusion strategy. The list has grown steadily, with recent additions including major technology, battery, and logistics firms. Effective June 30, 2026, DoD is prohibited from entering into new contracts with listed entities or entities under their control. Effective June 30, 2027, the prohibition extends to indirect procurement — covering end products produced or provided by listed entities or their controlled subsidiaries, even through sub-tier supply chain relationships. Kharon’s data covers 1260H-designated entities, their ownership networks, and their commercial relationships — enabling contractors to assess exposure across their supply base.

The Bureau of Industry and Security (BIS) Entity List identifies foreign entities subject to specific export license requirements under the Export Administration Regulations (EAR). The BIS Affiliates Rule extends these restrictions to entities that are owned 50 percent or more — whether directly or indirectly, individually or in the aggregate — by one or more Entity List parties, even when the affiliate itself is not individually listed. (The Affiliates Rule was suspended for one year beginning November 2025 as part of a bilateral trade agreement; the suspension expires November 10, 2026, unless extended, and contractors should treat this as a preparation window for reinstatement. The underlying ownership risks the Rule addresses remain relevant regardless, and contractors should continue building compliance infrastructure to identify these affiliates.) The OFAC 50 Percent Rule operates separately, treating entities owned 50 percent or more in the aggregate by one or more blocked persons as themselves blocked — even if the entity does not appear on the SDN List. Identifying unlisted restricted entities under both frameworks requires mapping ownership and corporate control structures that static screening tools cannot surface through basic name-matching. Kharon’s data maps these ownership networks and identifies entities restricted by operation of both BIS and OFAC rules — giving compliance teams the intelligence they need for defensible license determination and screening.

Foreign Ownership, Control, or Influence (FOCI) refers to situations where a foreign entity has the ability to affect the management or operations of a U.S. company. While FOCI assessment is most commonly associated with the National Industrial Security Program (NISP) — which requires that companies holding facility security clearances be evaluated for FOCI indicators — the concept extends well beyond the cleared contractor context. Any organization concerned about foreign influence in its ownership structure, governance, or operations should understand FOCI risk indicators: foreign ownership of voting shares, foreign representation on boards of directors, contractual arrangements with foreign entities, and financial relationships that could provide leverage. In the aerospace and defense sector specifically, FOCI indicators signal supply chain, counterintelligence, and procurement risk — including connections to adversarial state-owned enterprises and military organizations — that affect both cleared and non-cleared contractors. Kharon datasets for FOCI assessment — including sanctions ownership intelligence, state-owned enterprise data, and investor relationship analysis — support FOCI identification by surfacing foreign government connections, military-civil fusion linkages, and corporate structures that standard due diligence processes may not reveal.

The BIS Military End Use / End User (MEU) Rule restricts exports of specified items to military end users and for military end uses in certain countries, including China, Russia, Belarus, Venezuela, Myanmar, Cambodia, and Nicaragua. Compliance requires not just screening against a published list of known military end users, but assessing whether an end user has connections to military organizations, military programs, or military-civil fusion activities that would trigger MEU restrictions. Kharon’s Military End Use data maps the networks behind known and suspected military end users — ownership and control connections, commercial relationships, and procurement activity that indicate military end use risk. This intelligence supports export control officers in making informed license determination decisions and conducting defensible end-user verification.

Yes. Kharon’s GraphCast datasets and our API are designed to integrate directly into the screening systems and global trade management (GTM) platforms that defense contractors already use — including platforms from Descartes and e2open through the Kharon Activation Network — no rip-and-replace required. GraphCast data files feed into existing restricted party screening workflows, enriching screening coverage with ownership intelligence and network-mapped entity relationships. The Kharon API enables custom integrations for organizations that need Kharon intelligence embedded in proprietary compliance systems, ERP modules, or automated workflow tools. GraphCast datasets and our API deliver data that is structured and readable by AI and LLM-powered systems, grounding automated results in a reliable source of truth.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s framework for ensuring that defense contractors and subcontractors protect controlled unclassified information (CUI) and federal contract information (FCI) across the defense supply chain. CMMC 2.0 phased enforcement began in late 2025, with mandatory third-party assessments for Level 2 contractors rolling out through 2028. While CMMC is primarily a cybersecurity framework, supply chain risk management intersects with cybersecurity compliance in important ways: NIST SP 800-171 Rev. 2 remains the current control baseline for CMMC Level 2; Rev. 3, finalized in May 2024, introduced a Supply Chain Risk Management control family that references NIST SP 800-161, which recommends evaluating country-based threats and geographic risks in supplier relationships. FOCI exposure can compromise the security of CUI-handling systems, and restricted party connections in the supply chain can create pathways for unauthorized technology transfer. Kharon’s entity-level ownership intelligence complements CMMC compliance efforts by providing the supply chain ownership visibility that cybersecurity assessments alone do not deliver — helping contractors understand not just whether their sub-tier suppliers meet cybersecurity standards, but who owns and controls them.

While U.S. export controls — including the EAR, ITAR, and sanctions programs — remain the dominant compliance framework for aerospace and defense companies, international frameworks are expanding in scope and enforcement. The EU Dual-Use Regulation (2021/821) controls exports of items with both civilian and military applications, with periodic updates to its control lists aligned to multilateral export control regimes including the Wassenaar Arrangement. The EU Forced Labour Regulation (entered into force December 2024, with enforcement beginning December 2027) adds supply chain due diligence obligations for companies selling into EU markets. Many aerospace and defense companies operate across jurisdictions and must navigate multiple export control regimes simultaneously — a challenge compounded when different jurisdictions apply restrictions to different entities or use different ownership thresholds. Kharon’s entity intelligence maps corporate ownership and control networks across jurisdictions, supporting compliance teams that must assess restricted party risk under multiple regulatory frameworks.

Aerospace and defense companies are increasingly exploring AI and data analytics to strengthen export control compliance — from automated screening to network analysis to predictive risk assessment. The challenge is ensuring that AI-driven compliance tools are grounded in verified, expert-sourced intelligence rather than unverified risk data and scoring that lack the sourcing and documentation regulators expect. Kharon’s data is structured and readable by AI and LLM-powered systems to ground results in a reliable source of truth — enabling aerospace and defense companies to build AI-augmented compliance workflows where automated analysis is anchored in the kind of expert-verified entity intelligence that enforcement agencies recognize and trust.

Aerospace and defense companies evaluating screening solutions should assess four capabilities beyond basic list-matching: (1) ownership intelligence — does the solution map ownership networks, subsidiary relationships, and corporate control structures to identify entities restricted by operation of law? (2) regulatory red flag alignment — does the research methodology identify risk entities based on regulatory red flag indicators — such as military-civil fusion connections, foreign government ownership ties, and irregular procurement networks — or only match names against published lists? (3) dual-directional coverage — does the solution address both inbound supply chain risk (Section 889, 1260H, FOCI) and outbound export control obligations (BIS Entity List, MEU, sanctions)? (4) integration and defensibility — does the data integrate into existing screening infrastructure, and is the intelligence sourced and documented at a level that will satisfy government customers and regulatory inquiries?