It’s been two and a half years since the Federal Anti-Counterfeiting Amendment Act was signed into law and nearly that long since I covered the subject on these pages. So the topic is ripe for re-examination.
New Department of Defense (DoD) rules released in May and a new proposal issued in June further target counterfeit electronic parts by requiring entities in the defense supply chain to take steps to detect and avoid such parts. (Note: for DoD and throughout this article the term "counterfeit" means products that have been "knowingly" mismarked, misidentified or otherwise misrepresented.)
The Defense Federal Acquisition Regulation (DFAR) directions require immediate compliance and could have a serious financial impact on contractors and subcontractors that fail to comply. The rules apply to prime contractors compliant with Cost Accounting Standards (known as "CAS contractors"). Importantly, however, DoD requires these CAS-covered contractors to "flow down" (read: impose) the counterfeit rules to subcontractors at all tiers, regardless of whether those subcontractors are covered by CAS. And there are no exceptions for small and non-CAS covered businesses.
On June 10, DoD, the General Services Administration (GSA) and NASA proposed amendments to Federal government procurement practices for reporting of “nonconforming items” including counterfeit items. The proposed rule would require contractors to report directly to the GIDEP database (GIDEP, an acronym for Government-Industry Data Exchange Program, is a cooperative activity between government and industry participants). Items that must be reported include counterfeit items, suspect counterfeit items, or items that contain a major or critical (take a deep breath here and please excuse the legalese government language) “nonconformance that is a common item and constitutes a quality escape from a lower level subcontractor or supplier that resulted in the release of nonconforming items to more than one customer”. Whew. The main point is that critical or major “non-conformance” items are those “likely to result in failure of the supplies or services or to materially reduce the usability of the supplies or services for their intended purpose.”
Contractors do receive notifications from the GIDEP system: they can enter a bill of goods into the system, and GIDEP will alert them via email when a report has been submitted regarding an item on that list.
The proposed rule is intended to reduce the risk of counterfeit items entering the supply chain by ensuring that contractors report suspect items to a widely available database. While the rule would apply to government contractors only, trickle down inclusion language in the proposed rule means that in effect most companies in the electronics component business are likely to be subject to the mandatory GIDEP reporting requirements.
GIDEP is managed and funded by the U.S. Government. Among its participating organizations are: U.S. Army, Navy, Air Force, Defense Logistics Agency, National Aeronautical and Space Administration, Department of Energy, Department of Labor, Department of Commerce, General Services Administration, Federal Aviation Administration, U.S. Postal Service, National Institute of Standards and Technology, National Security Agency, as well as the Canadian Department of Defense.
Earlier this year, on May 6, the DoD issued its final anti-counterfeit rules resulting from the 2012 legislation. The rules took effect immediately and impose a series of new requirements on contractors and subcontractors that supply electronic parts or incorporate them into their products (or services).
In general, the rules require that covered federal contractors establish and maintain acceptable systems to detect and avoid counterfeit parts. Failure to do so could bar the contractor from bidding on future opportunities or even halt payments from the Pentagon. The rule holds contractors liable for the costs of any counterfeit or suspect counterfeit parts, as well as any rework or corrective action costs required to remedy the use of such parts.
Companies further need to be able to demonstrate a degree of traceability for the parts they incorporate into systems, using industry standards and best practices. For electronic parts deemed to be mission-critical or impacting human safety, contractors need to be able to point directly to the part source.
According to the DoD the following areas must be addressed in the design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts:
- Engage in personnel education and training.
- Contractors must be able to trace parts; for example by means of a unique identifier that enables tracking back to the original manufacturer—both for parts supplied as discrete electronic parts as well as those contained in assemblies.
- Inspection and testing of electronic parts “shall be performed in accordance with accepted Government- and industry-recognized techniques.” Criteria for acceptance and rejection must be stated.
- Use suppliers that are the original manufacturer or an authorized aftermarket manufacturer or supplier, and obtain parts exclusively from these sources.
- Systems must be put in place to report and quarantine counterfeit and suspect counterfeit electronic parts.
- Methodologies must be created to rapidly determine if a suspect counterfeit electronic part is, in fact, counterfeit.
- Flow-down measures must be implemented. This means counterfeit detection and avoidance requirements have to be passed on to subcontractors at all levels in the supply chain that buy or sell electronic parts or assemblies containing electronic parts (as well as to those performing authentication testing).
- Processes must be developed for keeping continually informed of current counterfeiting information and trends including processes for screening GIDEP reports.
- Methodology must be created for control of obsolete electronic parts.
It should be noted that in contracts with the Department of Defense, to reduce liability in situations where errors or other breaches were unintentional, a contractor or any subcontractor providing a written report as required will not be subject to civil liability on the basis of such reporting, provided that a reasonable effort is made to determine that the end item, component, part, or material contained electronic parts that were counterfeit items or suspect counterfeit items.
DARPA: Seeking a tech solution
The U.S. Defense Advanced Research Projects Agency (DARPA) under BAA-14-16 has asked industry for proposals to develop a new method to detect counterfeit electronic components. Called the DARPA Supply Chain Hardware Integrity for Electronics Defense (SHIELD) program, its aim is development of a small (100 micron x 100 micron) component, or dielet, that authenticates the provenance of electronics components. DARPA notes that proposed dielets should contain a full encryption engine, sensors to detect tampering and should be readily affixable to microchips.
SHIELD technology would provide 100 percent assurance against common counterfeit threat modes such as:
- Recycled components that are sold as new
- Unlicensed overproduction of authorized components
- Test rejects and sub-standard components sold as high-quality components
- Parts marked with falsely elevated reliability or newer date of manufacture
- Clones and copies, which may be of low quality, or may include hidden functionality
- Components that are covertly repackaged for unauthorized applications.
According to DARPA, the dielet will be inserted into the electronic component’s package at the manufacturing site or affixed to existing trusted components, without any alteration of the host component’s design or reliability. There is no electrical connection between the dielet and the host component. Authenticity testing could be done anywhere with a handheld probe or with an automated one for larger volumes. Probes need to be close to the dielet for scanning. After a scan, an inexpensive appliance (perhaps a smartphone) would upload a serial number to a central, industry-owned server. The server then sends an unencrypted challenge to the dielet, which sends back an encrypted answer and data from passive sensors that could indicate tampering.
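The exchange described above, sketched as an added example that is not DARPA's design or code from the original article: a server issues a fresh challenge for a scanned serial number and checks the dielet's keyed answer together with its sensor data. The page does not specify the cryptography, so HMAC-SHA256 over a per-dielet key stands in for the dielet's encryption engine; the class names, the one-byte sensor flag and the serial numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Dielet:
    """Hypothetical model of a dielet holding a secret key and passive sensor state."""

    def __init__(self, serial, key, tamper_flags=0):
        self.serial, self._key, self.tamper_flags = serial, key, tamper_flags

    def respond(self, challenge):
        # Assumed encoding: one byte of sensor flags, 0 meaning "no tamper event seen".
        sensors = self.tamper_flags.to_bytes(1, "big")
        # The answer is bound to both the fresh challenge and the sensor data.
        tag = hmac.new(self._key, challenge + sensors, hashlib.sha256).digest()
        return sensors, tag


class Server:
    """Hypothetical central server that knows each registered dielet's key."""

    def __init__(self, registry):
        self._registry = registry  # serial -> key
        self._pending = {}         # serial -> outstanding challenge

    def issue_challenge(self, serial):
        if serial not in self._registry:
            return None
        self._pending[serial] = secrets.token_bytes(16)  # sent in the clear
        return self._pending[serial]

    def verify(self, serial, sensors, tag):
        challenge = self._pending.pop(serial, None)  # each challenge is single-use
        if challenge is None:
            return "no-pending-challenge"
        expected = hmac.new(self._registry[serial], challenge + sensors,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "counterfeit"  # wrong key, replayed answer, or altered sensor data
        return "authentic" if sensors == b"\x00" else "tampered"


def authenticate(server, dielet):
    """Role of the probe and appliance: relay serial, challenge and answer."""
    challenge = server.issue_challenge(dielet.serial)
    if challenge is None:
        return "unknown-serial"
    return server.verify(dielet.serial, *dielet.respond(challenge))
```

Because the challenge is random and consumed on first use, a recorded answer from a genuine part does not verify a second time, and a clone that copies only the serial number fails the key check.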
The concept behind SHIELD is to create a tool that costs less than a penny per unit, yet will make counterfeiting too expensive and technically difficult to do.
On June 12, the DARPA BAA-14-16 close date was reset from May 30, 2014 to September 30, 2014.
Of course, as we’ve stated before in covering the topic of counterfeit components, the threat of counterfeit semiconductors can be best reduced by taking one simple, straightforward action: buying semiconductor products either directly from Original Component Manufacturers or their authorized distributors (such as TTI).