The U.S. Defense Department last month adopted a set of final rules covering the detection and avoidance of counterfeit electronic parts in the federal supply chain. The rules affect a wide swath of information technology firms that supply electronic components to the department, including software in some cases.
In general, the final rules require that covered federal contractors establish and maintain acceptable systems to detect and avoid counterfeit parts. These systems will be reviewed as part of a federal auditing process, and a contractor’s failure to maintain acceptable safeguards may result in “disapproval” of the contractor’s purchasing system and the withholding of payments.
Information technology industry sources have been decidedly mixed in their reactions to the requirements and their likely impact on contracting and the federal supply chain.
“Counterfeit semiconductor products can end up in critical consumer, industrial, medical and military devices, potentially undermining our public safety and national security,” said Brian Toohey, president and CEO of the Semiconductor Industry Association.
The new regulations “represent a long fought victory for the semiconductor industry and a significant step toward ensuring the safety and security of semiconductor products used by our military,” he added.
On the other hand, TechAmerica “continues to have serious reservations about the latest DoD counterfeit parts rule,” said Assistant General Counsel Rachel Wolkowitz.
“The piecemeal fashion in which these rules are being implemented, and the immediate effective dates, cause implementation and workability problems for the industry,” she told the E-Commerce Times.
Rules Rundown: Scope, Tracking and Costs
Among the key points in the final rules:
Scope of Regulation: DoD made it clear that the rules apply only to counterfeit (or suspected counterfeit) “electronic” parts, versus the agency’s original proposed version of just “counterfeit parts,” which could have included an even broader array of products.
The term “counterfeit” means products that have been “knowingly” mismarked, misidentified or otherwise misrepresented, DoD said, which seemingly reduces liability in situations where errors or other breaches were unintentional. The final regulations clarify that the definition of “electronic part” also “includes any embedded software or firmware.”
The rules apply to prime contractors — generally larger companies — that are compliant with Cost Accounting Standards, known as “CAS contractors.” Importantly, however, DoD required that these CAS-covered contractors “flow down” — or impose — the counterfeit rules on subcontractors at all tiers, regardless of whether those subcontractors are CAS-covered.
“This includes subcontractors providing commercial items or commercial off-the-shelf (COTS) items, and small businesses and educational institutions,” according to an analysis from law firm Crowell and Moring.
Tracking and Testing: The rules require that contractors be able to trace parts, but they’re allowed the flexibility to utilize industry standards and best practices. Tracking must include certification and documentation of the name and location of supply chain intermediaries, from the manufacturer to the direct source of the product for the seller, and, where available, the manufacturer’s batch identification for the electronic parts.
Under the rules, contractors must inspect and test electronic parts in accordance with accepted government- and industry-recognized standards, but the rules do not impose any specific methods for doing so.
DoD will not require the testing and inspection of all electronic parts, since that would be prohibitive. Further, the requirement to test or inspect is “dependent on the source of the electronic part,” and contractors will be allowed to make “risk-based decisions based on supply chain assurance measures,” DoD said.
Cost Recovery: The final rules make contractors responsible for absorbing any costs associated with the occurrence of counterfeit or suspected counterfeit parts, as well as any re-work or corrective actions. A “narrow exception” to the cost rule offers “only the slightest protection” to contractors, according to law firm Arnold and Porter.
The DoD rules were issued as a result of congressional concern about counterfeits expressed in national defense authorization laws. The department issued a draft of the rules last year and invited public comment before issuing the final rules on May 6, 2014, with immediate effect on contractors.
Contract Specialists Spot Deficiencies
In general, IT contracting specialists indicated that the final rules were an improvement over the DoD’s initial draft. Still, they felt the final regulations were deficient in significant areas of coverage.
One involves whether “commercial” products are covered. Prime contracts for direct acquisition of COTS items are exempted from the regulations, but when prime contracts also involve subcontractors, the exemption disappears.
“The new rule creates real challenges for the information technology sector, where most contractors rely heavily on commercial supply chains. If the prime contractor is covered by the requirements, then all of its subcontractors will also be covered, regardless of whether they supply commercial or defense-specific items,” Chris Haile, a partner at Crowell and Moring, told the E-Commerce Times.
Thus the ‘flow-down’ to subcontractors “creates two inconsistent regimes for COTS and ultimately hurts DoD’s ability to purchase COTS items,” said Wolkowitz.
“The rule has a fairly large hole in it because it really does not give contractors guidance about how to handle the very difficult yet unfortunately common problem of parts that are commercially obsolete but still needed to support DoD equipment,” said Catherine Kunz, also a partner at Crowell and Moring.
Other deficiencies listed by TechAmerica include aspects of the traceability issue, the liability treatment of inevitable “escapes” and an omission for covering independent brokers or existing inventory.
“Supply chain assurance is about managing risk. Responsible companies take measures and will comply with the rules to protect the supply chain, but counterfeit escapes are going to happen,” said Wolkowitz. “When it does, good actors should not be disqualified or otherwise penalized for doing everything right beyond remediation efforts. We would have liked DoD to make this kind of ‘safe harbor’ provision explicit.”
Industry Suggests Improvements
While SIA expressed stronger support for the final DoD rule than other contracting sources, the organization also offered some suggestions for improvement.
On the plus side, “we were very concerned that the proposed rule only subjected CAS-covered contracts to the requirements. However, the final rule strengthens and expands the flow down requirements to all subcontractors,” said Dustin Todd, director of government affairs at SIA.
The final definition of counterfeit electronic part was a “great improvement” over the DoD draft rule, Todd told the E-Commerce Times. “SIA believes that many of the other requirements within the rule will prevent suppliers that might knowingly misrepresent a part as authentic from engaging in the procurement process.”
DoD wisely avoided the use of the term “trusted supplier,” as it could have interfered with a similar term used elsewhere within the Defense Department, SIA noted. The department moved in the right direction in recognizing that some sort of authorized source protocol was important in supply chain protection.
DoD addressed that issue by referencing the use of suppliers “that are the original manufacturer, or sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources.”
DoD still needs to address non-CAS covered contracts, SIA said, noting that the department may soon issue regulations for those agreements. Also, DoD did not include an expanded safe harbor provision in the final rule, as SIA had recommended.
“While the safe harbor was not expanded,” Todd said, “SIA believes that requirements in the underlying rule greatly incentivize, if not ultimately require, the use of authorized sources to mitigate the risks of counterfeits.”