New regulations reflect growing concern over supply chains for government systems

DOD likely to require more documentation, could even exclude companies from federal contracts.

Tam Harbert, Contributing Editor -- EDN, February 1, 2011

As early as this summer, OEMs and component makers who sell to the US Department of Defense may be required to supply more documentation to assure the DOD of the security of their supply chains. In the worst case scenario, they could be inexplicably excluded from contracts if the DOD determines they present a risk to the supply chain. The new authority was included in the National Defense Authorization Act for fiscal 2011 passed by the lame-duck Congress in late December.

Concern over DOD supply-chain security has been rising over the last several years. As more and more ICs are manufactured outside the United States, the government fears that extra circuitry or software could be inserted into systems that could disable weapons systems or enable cyber attacks. In addition to malicious code being snuck into bona fide parts, an increase in incidents of counterfeit parts is causing concern. For example, the government recently charged the owner and an employee of a company in Florida, VisionTech Components, with selling more than 59,000 counterfeit chips from China to the US Navy and military contractors for use in missile programs, as well as other sensitive areas.

Although the government has always had the authority to exclude a contractor from competition for national security reasons, the new provision specifies that the DOD does not have to tell the company why it was excluded, according to Trey Hodgkins, senior vice president for national security and procurement policy at TechAmerica, a trade association representing the IT industry. That leaves the company with no way to investigate the problem and try to correct it.

The government won’t say much about how it discovers such risks. “The government spends a lot of time being super secretive,” said Richard Stiennon, founder and chief research analyst at security consultancy IT-Harvest and author of the book, Surviving Cyberwar. “It’s almost like they are finding people guilty without a trial. If the Chinese truly are embedding stuff in our hardware, in our telephone networks, and in our software networks, shouldn't we know about it?”

The use of counterfeit chips in government systems is not always nefarious, he noted. “Usually it’s just a matter of somebody putting in uncertified components because they are cheaper.”

The legislation defines supply-chain risk as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

The provision is not quite as draconian as industry initially feared, but it still has important implications for OEMs and component makers. In the original draft, any defense agency head or even senior procurement officer could exclude a company. The final version elevates the authority to a senior level—the secretary of defense or a secretary of one of the armed services. In addition, the provision now includes a detailed, senior-level review before any action can be taken, according to Hodgkins. Before any exclusion, the DOD must consider disclosing the risk to the company and perhaps the entire industrial base. The government should disclose whenever possible, said Hodgkins, because industry cannot correct problems in the supply chain if the government does not share such information.

The DOD must also consider less disruptive “competitive modifications,” such as tightening the qualifications companies have to meet before they can compete for the contract and setting stricter criteria by which those competing are evaluated, said Hodgkins. For example, the DOD could say that only companies that design their chips in the United States would qualify to compete. “If the government says upfront what the specifications are, then companies can exclude themselves. That's preferable,” said Hodgkins. And in evaluating bidders, the DOD might require that the companies submit documentation proving the assurance of their supply chain.

However, if the DOD determines these measures won’t reduce the risk and that the risk to national security of disclosing the nature of the risk outweighs the risk of not disclosing it, then the government can exclude the company. What’s worse is that the provision requires the DOD agency that takes this action to tell all DOD and other federal agencies that may be subject to the risk why it excluded the company.

TechAmerica is concerned that this would create a domino effect that could severely hurt the business and health of the excluded company, essentially without any due process, said Hodgkins. A prime contractor could be told not to use a particular chip company in one contract. Without knowing the reason for the exclusion, the contractor would probably shy away from using that supplier in other contracts, as well. And because the reason for exclusion would be shared across the government, a “cascading blacklisting effect” could result that would in effect bar the company from all government contracts. What’s more, word of this would undoubtedly spill into the commercial market as well, he noted.

“People will think, ‘if it's a threat [in one area], it’s probably a threat elsewhere,” said Hodgkins.

The provision is set to go into effect six months from the date of the legislation, which was late December. So by this summer, OEMs and component vendors could start seeing “some contract clauses come out of this that give the DOD the authority to step into an existing contract and take some of these actions,” said Hodgkins. In open competition awards, that authority could flow back to subcontractors and component suppliers. “I fully expect it to go to the tail of the supply chain,” he added. For example, the DOD might say it has identified a risk at a silicon wafer supplier and tell the prime contractor not to use a chip company that buys wafers from that supplier.

At the very least, the measure is likely to increase the amount of documentation required in the electronics supply chain. The government in general is pushing for greater supply chain assurance, said Stiennon. “They might want documentation that the box or the components weren’t intercepted en route and modified in any way,” he said. “You can see how this could create huge nightmares. Sometimes the OEMs don’t have that info because they outsource to [contract manufacturers.]”

Another way to ensure security would be for the DOD to require that all components for a specific contract come from a source approved by the Trusted Foundry Program. This little-known program, started in 2004 and run by DOD and the National Security Agency, qualifies domestic foundries and other component suppliers and electronics services to supply to the military.

Another program that could play a role is the Trust in Integrated Circuits program, launched by DARPA in 2007 (see sidebar). This research and development project’s goal is to develop technologies to verify and validate the design and fabrication of chips that are made under “untrusted conditions,” according to the program description on DARPA’s Web site. It focuses on custom and programmable chips—specifically ASICs and FPGAs.

The Trust in ICs project will be completed early this year. At that point, it may be transitioned to one of the DOD services, which could then put the technologies to use in the DOD supply chain. Although such a transition has yet to be announced, the new supply-chain provision “elevates the need for that kind of a program,” said Hodgkins.

What’s more, as government continues to seek ways to secure its systems against cyber attacks, there’s talk of creating a provision like the one in the defense legislation that would apply to all government contracts. “We expect more activity along these lines,” said Hodgkins.

---

Additional Resources

2005 Defense Science Board Task Force report on High Performance Microchip Supply Trusted Foundry Program Trust in Integrated Circuits Program

---