United States: DOD Final Rule On Counterfeit Electronic Parts: Some Improvements, But Risks Remain For Contractors
On May 6, 2014, the U.S. Department of Defense (DOD) published its first set of final regulations imposing specific obligations on defense contractors and their suppliers for the detection and avoidance of counterfeit electronic parts. These final regulations represent the culmination of a rulemaking process initiated almost a year ago, with DOD's release of its proposed regulations implementing Section 818 of the fiscal year (FY) 2012 National Defense Authorization Act (NDAA). Section 818 had directed DOD to issue regulations making certain "covered" defense contractors responsible for detecting and avoiding the use or inclusion of counterfeit electronic parts in the products they supply to DOD. DOD's final regulations revise or supplement several aspects of the proposed regulations to address issues noted by industry in its comments on the proposed regulations, but leave other troublesome aspects unchanged. Moreover, with DOD's clarification that the onerous counterfeit detection and avoidance requirements must be flowed down to all subcontractors and suppliers, including suppliers of commercial items and small business suppliers, defense contractors must confront the reality that many commercial or small business suppliers will refuse to supply products on those terms and may exit the defense sector altogether. Accordingly, while the final regulations represent an improvement over DOD's initial proposal, they continue to expose contractors and their suppliers to significant compliance burdens and risks, essentially placing the entire risk of counterfeit detection and avoidance on contractors and establishing what amounts to a strict liability regime for counterfeit escapes. 
DOD itself acknowledges that "many issues associated with management of the counterfeit parts problem remain to be resolved," and the final regulations defer the development of much-needed guidance regarding how DOD intends to evaluate contractor counterfeit detection and avoidance systems to the Defense Contract Management Agency (DCMA). Thus, while these regulations are "final" (and therefore immediately effective), they are far from the final word from DOD on contractor responsibility for addressing the problem of counterfeit electronic parts in the defense supply chain. This Legal Alert highlights key provisions in the final regulations, focusing on changes from the proposed regulations, and identifies important near-term considerations for defense contractors and suppliers given the immediate effective date of the final regulations.
Summary of Key Changes in Final Rules
Revised Definition of Counterfeit Parts
The proposed regulations had included three separate definitions of "counterfeit parts," with the third definition arguably extending "counterfeit" treatment to garden-variety quality issues by encompassing parts that do not meet "the performance requirements for the intended use." In response to a number of comments taking issue with the proposed definitions, DOD has narrowed the definition of "counterfeit" parts, adopting a single definition that is limited to electronic parts. DOD's revised definition also helpfully clarifies that intent to mislead or misrepresent is a key element of the definition. The final regulations define "counterfeit electronic part" as: an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics. DOD's revised definition should ensure that, absent evidence of a knowing misrepresentation, genuine parts that have quality issues or are otherwise out of specification will not be treated as "counterfeits," or subjected to the onerous obligations attendant to counterfeit electronic parts under DOD's rules (e.g., reporting and quarantining requirements, cost unallowability of remediation/repair, etc.).
Revised Definition of "Suspect Counterfeit Parts"
The final regulations also slightly revise the definition of "suspect counterfeit electronic part" to clarify that a part's "suspect" status should be based on "credible evidence (including, but not limited to, visual inspection or testing) [that] provides reasonable doubt that the electronic part is authentic." DOD characterized its addition of the phrase "credible evidence" as an effort "to strengthen the fact-based approach" to the definition of "suspect counterfeit" parts, which should provide some reassurance to contractors that they will not be expected to characterize a part as a "suspect counterfeit" without some credible, "fact-based" evidence that the part may be inauthentic.
Addition of Embedded Software/Firmware to Definition of Electronic Parts
The proposed regulations adopted the same definition of "electronic part" found in Section 818(f) of the 2012 NDAA. Under that definition, an electronic part is "an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly." The final regulations retain the statutory definition, but clarify that the definition of "electronic part" also "includes any embedded software or firmware" in an electronic part. Note that the duty to detect and avoid counterfeit electronic parts applies not only to companies that supply individual "electronic parts" (as that term is defined in the final regulations), but also to companies that supply products containing electronic parts.
Express Endorsement of Risk-Based Counterfeit Detection and Avoidance Systems
One of the key criticisms of DOD's proposed regulations was that the regulations did not expressly acknowledge that an effective counterfeit detection and avoidance system can be, and actually should be, risk-based – in other words, that an effective system focuses its counterfeit detection and avoidance efforts on mission-critical and safety-related parts, or parts at a higher risk of being counterfeit, over parts that are at low risk of counterfeiting or pose a low risk to mission performance or safety. In its final regulations, DOD responds to that criticism by explicitly recognizing and endorsing a risk-based approach by contractors to counterfeit detection and avoidance. The final rule now states that "[a] counterfeit electronic part detection and avoidance system shall include risk-based policies and procedures." DFARS 246.870-2(b). The final rule also describes the risk-based analysis contractors will be expected to undertake when determining what tests and inspections they will perform on electronic parts. Contractors will be required to select tests and inspections "based on minimizing risk to the Government." DFARS 252.246-7007(c)(2). Factors to be considered in making that risk assessment include: "the assessed probability of receiving a counterfeit electronic part; the probability that the inspection or test selected will detect a counterfeit electronic part; and the potential negative consequences of a counterfeit electronic part being installed (e.g., human safety, mission success) where such consequences are made known to the Contractor." The final rule's reference to "risk-based policies and procedures" and endorsement of risk-based testing and inspection determinations are beneficial to contractors, because they signal that a contractor system that allocates detection and avoidance resources based on risk will not be deemed inadequate.
Indeed, the final rule eases the concern that contractors would be required to test and inspect all electronic parts. DOD's clarification that the rule "does not require all electronic parts to be treated equally" is significant and should permit contractors to allocate their limited testing and inspection resources in a manner that focuses on the parts most at risk of being counterfeit. The benefits of this revision are mitigated somewhat, however, by DOD's continued imposition of what amounts to strict liability on contractors for the escape of any counterfeit or suspect counterfeit parts into the defense supply chain. That is, while DOD's final rule indicates that an effective counterfeit detection and avoidance system includes risk-based policies and procedures, adhering to those policies and procedures will not insulate a contractor from liability for a counterfeit or suspect counterfeit electronic part that escapes into the defense supply chain — even when DOD has reviewed and approved the contractor's system as effectively "minimizing risk to the Government."
Additional Criteria for Contractor Counterfeit Detection and Avoidance Systems
The proposed regulations identified nine required elements of a contractor's counterfeit electronic part detection and avoidance system, reciting the nine elements listed in Section 818. In its final rules, DOD added three new elements to the nine statutorily required elements: (1) a process for "keeping continually informed of current counterfeiting information and trends"; (2) a process for screening Government-Industry Data Exchange Program (GIDEP) reports and other credible sources of information regarding reported discoveries of counterfeit or suspect counterfeit electronic parts; and (3) processes to control obsolete electronic parts. The new system criterion requiring contractors to stay "continually informed of current counterfeiting information and trends" appears primarily designed to ensure that contractors are monitoring the adoption and evolution of industry standards regarding counterfeit detection and avoidance techniques. Contractors will be expected to stay abreast of changes to industry standards and to upgrade their own internal processes accordingly as those standards evolve. This new system criterion also likely substantially overlaps with the second new criterion requiring active screening of GIDEP and other credible sources of information regarding discovery of counterfeit parts — as keeping informed as to which parts have been detected by other companies as counterfeits or suspected counterfeits, and the identity of the suppliers who provided those parts, would also presumably be an element of "keeping continually informed of current counterfeiting information and trends."
With regard to the third new system criterion, implementation of a process to "control obsolete electronic parts," the final rules provide a definition of "obsolete electronic part," but otherwise do not offer guidance regarding what measures contractors will be expected to take to "control" obsolete parts. An "obsolete electronic part" is "an electronic part that is no longer in production by the original manufacturer or an aftermarket manufacturer that has been provided express written authorization from the current design activity or original manufacturer." These out-of-production parts represent a particular challenge in counterfeit prevention, because the primary (and most efficient) counterfeit mitigation technique – buying the part directly from the original manufacturer or one of its authorized distributors – is often unavailable. The challenge of addressing obsolete parts is particularly acute in the defense sector, because the production life cycle for many semiconductors is measured in months, whereas the production life cycle for many defense systems and platforms is measured in decades. While several commenters sought additional guidance from DOD regarding how they will be expected to mitigate the risks inherent with obsolete parts, DOD declined to provide such guidance, claiming that it would be "outside the scope" of the final regulations. DOD also declined to provide a mechanism for contractors to seek and obtain direction from DOD on how to proceed with purchasing of obsolete parts that may not be traceable back to the original manufacturer. Thus, the final rule essentially saddles contractors and their suppliers with the full burden of managing parts obsolescence and the attendant risks of counterfeits in out-of-production electronic parts.
Under the final regulations, a contractor's counterfeit electronic part detection and avoidance system must address:
- The training of personnel.
- The inspection and testing of electronic parts, including criteria for acceptance and rejection of parts. Tests and inspections "shall be performed in accordance with accepted Government- and industry-recognized techniques."
- Processes to abolish counterfeit parts proliferation.
- Processes for maintaining electronic part traceability (such as item unique identification) that enable tracking of the supply chain back to the original manufacturer, whether the parts are supplied as discrete electronic parts or are contained in assemblies.
- Use of suppliers that are the original manufacturer, sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources.
- The reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts.
- Methodologies to identify suspect counterfeit parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit.
- The design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts.
- The flow down of counterfeit detection and avoidance requirements, including applicable system criteria, to subcontractors at all levels in the supply chain that are responsible for buying or selling electronic parts or assemblies containing electronic parts, or for performing authentication testing.
- A process for keeping continually informed of current counterfeiting information and trends.
- A process for screening GIDEP reports and other credible sources of counterfeiting information.
- Control of obsolete electronic parts.
Clarification of Coverage of Commercial Item Subcontracts and Small Business Subcontractors
The contract clauses imposing the requirement for a counterfeit electronic parts detection and avoidance system apply directly only to contracts covered by the Cost Accounting Standards (CAS). Yet that limitation does not insulate smaller companies or companies that are not themselves subject to CAS coverage from the impact of these rules. One of the requirements of the regulations is that CAS-covered contractors flow these anti-counterfeiting requirements down throughout their supply chains. The final rules clarify that this flowdown requirement applies to all subcontracts for electronic parts or assemblies containing electronic parts, including subcontracts for commercial items and subcontracts with small businesses. Thus, any company supplying electronic parts, or products containing electronic parts, to one of the major defense contractors – or even to a company that is in one of the major defense contractors' supply chains — will be confronted with purchase order terms and conditions requiring the adoption and implementation of similarly complex procedures to detect and avoid counterfeit electronic parts. Those purchase order terms and conditions will likely also include requirements that the supplier provide certifications of authenticity of supplied parts, provide information tracing the "pedigree" of the part back to the original manufacturer (to comply with the system criterion on electronic part traceability), and indemnify the upstream customer for any damages resulting from the later discovery of a counterfeit or suspect counterfeit electronic part in the products supplied, a degree of potential liability that many downstream suppliers (particularly smaller firms or commercial item suppliers) may not be willing to assume. This broad flowdown requirement poses several issues for contractors that are not fully resolved by the final rule.
Given the mandatory nature of the flowdown requirement, contractors may not be able to use commercial item suppliers who refuse to accept the flowdown requiring the supplier to adopt a counterfeit electronic part detection and avoidance system meeting the twelve system criteria specified in the DFARS final rule. Thus, the flowdown requirement could deprive contractors (and DOD) of access to the benefits of commercial technology and products. Nor does the final rule provide guidance regarding how contractors will be expected to monitor their suppliers' compliance with the flowdown requirements. Contractors themselves will have their counterfeit electronic parts detection and avoidance systems reviewed by DCMA; will contractors be expected to perform their own reviews of subcontractor systems?
DOD Declines to Expand the Limited and Ineffectual "Safe Harbor" Provided by Congress
One of the more disappointing aspects of the final regulations was DOD's unwillingness to expand the proposed regulations' limited "safe harbor" provision. Contractors sought an expanded "safe harbor" provision to protect them from the harsh application of the new cost principle establishing as unallowable the cost of counterfeit electronic parts and suspect counterfeit electronic parts, and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts. DOD contended its hands were tied by Congress, and that it could not expand the limited "safe harbor" provision Congress provided in Section 833 of the FY 2013 NDAA. Under that limited "safe harbor" provision, a contractor can recover the costs of rework or corrective action related to a counterfeit or suspect counterfeit electronic part only if: (i) the counterfeit or suspect counterfeit electronic part was provided to the contractor as Government-furnished property (GFP); (ii) the contractor has in place a DOD-reviewed and -approved system to detect and avoid counterfeit and suspect counterfeit parts; and (iii) the contractor provides timely (i.e., within 60 days after the contractor becomes aware) notice to the Government of the discovery of the counterfeit or suspect counterfeit part. The use of the conjunctive "and," rather than the disjunctive "or," indicates that this "safe harbor" is only available if all three of the conditions are met. This "safe harbor" provision is better than nothing — but only marginally so.
Even under this "safe harbor" provision, a contractor remains liable for the cost of repairing and replacing a counterfeit part that the Government itself furnished to the contractor as GFP, if the contractor has not already had its counterfeit electronic parts detection and avoidance system reviewed and approved by DOD, a process that could take several years given the number of contractors DCMA will need to review and the current lack of a DCMA checklist to conduct the evaluation. While DOD arguably has the authority to expand upon the limited "safe harbor" Congress carved out in the FY 2013 NDAA, it is clear from DOD's discussion of comments on the "safe harbor" provision that DOD feels constrained by Congress's unwillingness to legislate a broader "safe harbor." Thus, contractors seeking a more effective "safe harbor" provision will need to focus their efforts on Congress.
Immediate Implications for Defense Contractors and Suppliers
Final Rules Immediately Effective For New Contracts
The final rule is effective immediately, meaning that these contract clauses will be incorporated in newly awarded CAS-covered contracts. However, as discussed below, these provisions will not apply — absent a contract modification — to contracts awarded prior to May 6, 2014. To ensure their ability to comply with the requirements of the final rule in newly awarded contracts, contractors should immediately review their existing counterfeit electronic parts detection and avoidance systems against the system criteria required under DFARS 252.246-7007. If a contractor is not already registered as a member of GIDEP, it should do so immediately in order to be able to monitor reports regarding discovery of counterfeit electronic parts and file its own reports if the need arises.
Impact on Existing Inventory of Electronic Parts
In its response to comments on the proposed regulations, DOD indicated that it intends to apply the new rules regarding traceability and authentication to a contractor's existing inventory of electronic parts, except for parts that were "procured in connection with a previous DOD contract." DOD's refusal to "grandfather" electronic parts already on the shelf from the new traceability and authentication requirements may limit contractors' ability to use existing electronic parts inventory on newly awarded DOD contracts, given that contractors may not be able to demonstrate the required traceability of such parts through the various intermediaries in the supply chain.
Application to Existing Contracts Through Contract Modification
While the new contract clauses do not automatically apply to contracts awarded prior to May 6, 2014, contractors may face requests by DOD to incorporate the new clauses into existing contracts through a contract modification. If faced with such a request, contractors should carefully consider the cost impact and feasibility of including these new requirements in an existing contract — particularly given that contractors may not be able to establish compliance with all twelve system criteria for electronic parts contractors purchased before the final rules were adopted. Given the substantial new burdens imposed on contractors and their suppliers by these new final rules, contractors should resist efforts by DOD to characterize the incorporation of the new clauses into an existing contract as a "no-cost" administrative modification.
Researchers create undetectable layout-level hardware Trojans
The fact that most computer hardware is produced outside the US and Europe has long presented a worry for the governments of those countries and for the companies and corporations based in them. They are especially concerned about the security of integrated circuits used in military devices, industrial control systems, medical and other critical devices, and are aware that the possibility of hardware Trojans being integrated in them during the manufacturing process is not at all far-fetched. A group of researchers from several universities in the US, Switzerland, the Netherlands and Germany have recently published a paper dealing with precisely that possibility, and have proposed an "extremely stealthy approach for implementing hardware Trojans below the gate level". "Often circuit blocks in a single IC are designed by different parties, manufactured by an external and possibly off-shore foundry, packaged by a separate company and supplied by an independent distributor. This increased exploitation of out-sourcing and aggressive use of globalization in circuit manufacturing has given rise to several trust and security issues, as each of the parties involved potentially constitutes a security risk," they pointed out, adding that the threat of hardware Trojans is expected to only increase with time, especially with the recent concerns about cyberwar. Theirs is not the first research into creating a hardware Trojan, but it is among the first ones that instead of adding additional circuitry to the IC's design have concentrated on changing the dopant polarity of a few of its transistors. "Doping" a transistor is effected by introducing impurities into its structure with the purpose of changing its electrical properties.
Previous research has managed to make them fail before they should have, but this group has succeeded in making the protection provided by an Intel random number generator (RNG) weaker than intended, and to create a hidden side-channel into an AES SBox implementation in order to leak out secret keys. But most important of all, their modifications fooled a number of common Trojan testing methods that included optical inspection and checking against “golden chips” (i.e. a definitive, verified example of how the chip should look and be). "To the best of our knowledge, our dopant-based Trojans are the first proposed, implemented, tested, and evaluated layout-level hardware Trojans that can do more than act as denial-of-service Trojans based on aging effects," they concluded.
Counterfeit parts have real consequences
Counterfeit components pose a growing problem in the electronics supply chain -- the same supply chain that brings us everything from our personal phones and tablets, to workplace computers, to crucial military electronic equipment used in combat situations or to fly commercial jets. These fraudulent parts can not only cause significant inconveniences when your equipment fails, but also lead to very costly recalls for companies, and even jeopardize lives. Conservative reports identify well over 100 incidents of counterfeit components per month. In response to this growing threat, various steps are being taken to combat counterfeit parts. For example, last year the U.S. Government passed the National Defense Authorization Act (NDAA). Section 818 of this Act requires defense contractors to tighten supply chain traceability and parts procurement to minimize counterfeit risk. The penalties and punishments in NDAA send a clear message of deterrence to encourage tighter quality management processes by engaging and defining "Trusted Suppliers" by their level of testing, sourcing, and quality management procedures for anti-counterfeiting. The crux of this deterrence though rests in how counterfeit parts are defined, and this issue will challenge the technology industry for a while to come.
Webcast 14 Dec. to help microelectronics industry chart course for meeting DNA-marking mandate
NASHUA, N.H., 11 Dec. 2012. The government's DNA-marking mandate for electronic parts has been called expensive, confusing, and questionably effective, yet is the law of the land. A panel of industry experts will give guidance on how to follow the mandate's guidelines, and chart a course for what suppliers can expect in the future during a Webcast at 1 p.m. this Friday, 14 Dec. 2012, sponsored by Military & Aerospace Electronics.
New DARPA Program Seeks to Reveal Backdoors and Other Hidden Malicious Functionality in Commercial IT Devices
The Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) will conduct a briefing in support of the anticipated Broad Agency Announcement (BAA) for the VET – Vetting Commodity IT Software and Firmware program. When released, the BAA will be posted on the Federal Business Opportunities (FBO) website, http://www.fedbizopps.gov, and possibly the Grants.gov website, http://www.grants.gov/. This Proposers’ Day is unclassified.
Government chips with DNA: Policy or folly?
The US Defense Logistics Agency (DLA)'s new anti-counterfeiting requirement became effective November 15, mandating that electronic microcircuits it procures must be "marked with botanically-generated DNA marking material." It's a move to address increasing concerns about the proliferation of counterfeit components, which carries the twin worries of reliability and security. Credit to John Keller over at our sister publication Military and Aerospace Electronics who has been tracking this story and hashing out its implications to the military supply-side. Applied DNA Sciences and Altera have been working on technology which converts plant DNA into genetic codes, to be mixed with ink to mark products or even directly infused into materials. Detectable in the simplest way with a swab or blacklight, the technology is already used in end products including wine, textiles, and European bank notes. James Hayward, head of Applied DNA, flatly states "the strongest claim in the industry [...] which is our DNA cannot be copied."
Pentagon stirs up semiconductor industry with its requirement to mark parts with unique DNA
A new anti-counterfeiting requirement from the U.S. Defense Logistics Agency (DLA) at Fort Belvoir, Va., is triggering pushback from semiconductor manufacturers, who claim the new requirement is not an appropriate cure for electronics counterfeiting, does not adequately authenticate legacy semiconductors, has not been tested adequately, and will increase semiconductor manufacturing costs. The DNA-marking mandate, which became effective on 15 November, requires all semiconductors sold to the U.S. Department of Defense (DOD) to be marked with DNA-based materials unique to each government contractor. The intent is to prevent counterfeit parts from entering the DOD supply chain by authenticating each piece with a unique DNA-based signature. Using DNA -- short for deoxyribonucleic acid, or the biological building block of all life -- is intended to provide a fool-proof fingerprint for each semiconductor the DOD buys to rule out the possibility of counterfeiting.
Feds, industry split over counterfeit parts strategy
Europe has a lot to say about Counterfeit Semiconductors. Part II: Both the exhibitors and the customers agree about the solution.
Rochester and all the companies exhibiting at Electronica, especially the original component manufacturers, are looking to help customers by providing authorized components that eliminate the possibility of counterfeit. As counterfeiters get more sophisticated, they are employing increasingly clever techniques to pass off fake components. However, what is interesting is that 40% of counterfeit components that are reported can be easily purchased from authorized sources. In conversations here at Electronica, many have said that third party testing, visual testing and any electrical testing that does not utilize the OCM test programs are not definitive methods of identifying counterfeit components.
Morning Bell: Cybersecurity: Do You Trust the Government with Your Computer?