Hacker News

tgma, today at 12:15 AM

I agree with your second paragraph; we will have to see to what degree the "viral" effect of Supply Chain Risk designation goes (perhaps you contract with the DoD under an LLC that has a supply chain firewall from your company) and also look forward to seeing how this would be handled in court, but I would not automatically be dismissive of this being totally legal.

> does not "influence their supply chain"

I would be wary of making this conclusion. Obviously it could conceivably influence the supply chain when you build on top of their model. If you look at the type of risks enumerated in DoD guidelines, it is not just "oh this software has a vulnerability", which is what started the discussion in this subthread in the first place. There are many kinds of risks the DoD needs to address, none of which are particularly new, including Sustainment Risk. The closest thing I remember to this case was the Sun Java "no use in nuclear facility" EULA term, which an LLM suggests was ignored by DoE/D because that was interpreted as a "limitation on warranty", not a "restriction of use."