Congress Sets Contracting Prohibitions on Untrusted Semiconductors and Services that Use Them

The U.S. Government Accountability Office (GAO) recently released a review of federal cybersecurity high-risk areas that they monitor and assess. Supply Chain Risk Management (SCRM) features prominently among the four areas highlighted in the latest review, especially the numerous information and communications technology (ICT) supply chain risks that federal agencies face.

Agencies Slow to Address Supply Chain Risk Management Recommendations

Underscoring the need for further action by federal agencies, GAO cited their December 2020 review of 23 civilian agencies which found that none had fully implemented all of the seven foundational practices for SCRM and that 14 had not implemented any of the practices. As an example, GAO noted that only three out of the 23 agencies had fully developed organizational procedures to detect counterfeit and compromised ICT products prior deployment. As of December 2022, GAO found that 130 of their 145 SCRM recommendations were not yet implemented and none of the 23 agencies had fully implemented all recommendations that GAO had addressed to them.

Prohibitions on Untrusted Semiconductors

The ICT supply chain risks to federal agencies have increasingly gained the attention of Congress and key federal departments and agencies, especially for how these risks impact U.S. national security and global economic competitiveness. The breadth and depth of the issue led congressional leaders to include a new round of semiconductor SCRM provisions in the latest FY 2023 National Defense Authorization Act (NDAA) passed in mid-December.

Section 5949 of the law prohibits federal executive branch agencies from procuring products or services that include prohibited semiconductor products or from entering into/extending a contract “with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services” (emphasis added).

In the bill, Congress designates as ‘‘covered semiconductor product or services’’ (i.e. prohibited) as those designed, produced or provided by an entity owned, controlled by, or otherwise connected to the governments China, Iran, North Korea, Russia, or any country engaged in conduct detrimental to U.S. national security or foreign policy. More specifically, the bill calls out semiconductor products or services by Semiconductor Manufacturing International Corporation (SMIC), ChangXin Memory Technologies (CXMT), Yangtze Memory Technologies Corp (YMTC), or any subsidiaries, affiliates, or successors.

These prohibitions are set to take effect in five years, i.e. December 2027. That said, Congress is requiring that the Federal Acquisition Regulatory (FAR) Council to create regulations implementing the prohibitions by December 2025, “including a requirement for prime contractors to incorporate the substance of such prohibitions and applicable implementing contract clauses into contracts for the supply of electronic parts or products” (emphasis added).

Caveats – Scope and Waivers

The first caveat to note is that these provisions currently only apply federal critical systems, such systems designated as a national security system (NSS) or those designated by the Department of Defense (DOD) or Federal Acquisition Security Council (FASC). The provisions expressly say that this does not include systems used for routine administrative and business applications, including payroll, finance, logistics, and personnel management. So these non-critical systems are out of scope, for now.

Congress also provides for the possibility of waivers authorized by the Secretaries of Commerce, Defense, Energy, or Homeland Security or the Director of National Intelligence if any of them “determines the waiver is in the critical national security interests of the United States.”

Further, Congress provides for a head of an executive agency to issue a two-year waiver (renewable) if the agency head “determines that no compliant product or service is available to be procured as, and when, needed at United States market prices or a price that is not considered prohibitively expensive; and . . . determines that such waiver could not reasonably be expected to compromise the critical national security interests of the United States.” Agency heads granting a waiver must report it to Congress within 30 days.

Concurrent Effort and Regulations

• Study of Current Supply Chain and Future Strategy – By the end of June 2023, the Secretary of Commerce – in coordination with the other authorized waiver-granting department heads named above – is to analyze and report on the state of U.S. domestic and trusted ally semiconductor design and production capacity and the risks posed by untrusted semiconductors in federal systems and the supply chains of contractors and subcontractors. Commerce is also directed to develop a strategy to improve domestic semiconductor design and production capacity and to improve supply chain traceability.
• Microelectronics Traceability and Diversification Initiative – Congress has also directed the Commerce Secretary to establish by December 2024, a microelectronics traceability and diversification initiative to coordinate analysis and response to federal microelectronics supply chain vulnerabilities. Other federal agencies and industry are to have their input into the effort.
• Federal Acquisition Recommendations and Rules – In light of the strategy due from Commerce in June 2023, the Federal Acquisition Security Council (FASC) is to issue by December 2024 recommendations to mitigate federal supply chain risks relevant to the acquisition of semiconductor products and services and make recommendations to the Federal Acquisition Regulatory Council for any needed regulations to mitigate these supply chain risks.

Contractor Responsibilities

Under the FASC regulations coming by December 2024, federal contractors, subcontractors and suppliers (i.e. domestic semiconductor producers and suppliers of foreign sources) will be required to certify to the non-use of any prohibited/covered semiconductor products or services; detect and avoid the use or inclusion of them; and disclose to direct customers any inclusion of a covered semiconductor product or service. Further, contractors or suppliers will be responsible for any rework or corrective action required to remedy the use of prohibited products or services, and the costs associated with remediation are not allowable costs for federal contracts.

If a contractor or subcontractor becomes aware of the use of a prohibited product or service and notifies their federal customer(s) accordingly, the firm will avoid civil liability or exclusion from being considered a “presently responsible” contractor if they make “a comprehensive and documentable effort to identify and remove covered semiconductor products or services from the Federal supply.”

The bottom line is this: contractors, subcontractors and component suppliers, (i.e. the entire supply chain) will be responsible to rid untrusted semiconductors from all products and services provided to federal customers, to certify to this fact, and to communicate/remedy the situation if a discovery is made, and at their cost.

Implications

Clearly (and necessarily) this has implications for the entire federal ICT supply chain – from semiconductor manufacturers and distributors to the contracted service providers and subcontractors that use them. Diligence and scrutiny will be required at every point along the way to delivering IT goods and services to federal customers.

Regarding the potential implications for small businesses that either prime or subcontract in these areas, while a firm’s monitoring of its upstream supply chain could be potentially burdensome and costly, the FY 2023 NDAA includes a provision that all federal bidders and contractors “may reasonably rely on the certifications of compliance” from their upstream product and service suppliers when providing proposals to federal agencies. As such, primes/subs “are not required to conduct independent third party audits or other formal reviews related to such certifications.” That provision at least helps keep the burden of responsibility closer to the source of the issue and shows some awareness of the effort it will take to rid the U.S. supply chain of untrusted technology.