Trust and Assurance

Assured and Preferred Supply of Microelectronics through Provenance, Traceability and Market Preferences

A white paper published March 2024

 

NDAA Section 224 Workshop

The Trust and Assurance committee held a workshop at the request of OSD to gather industry inputs on the implementation issues for NDAA Section 224. The workshop was hosted by GLOBALFOUNDRIES on October 14 and included members of the NDIA Systems Engineering Division Secure Systems Engineering committee.

Background

Title II, section 224 of the 2020 NDAA requires the establishment of operational security standards that will protect the United States, the DOD, and defense contractors that do business with the DOD from the theft of intellectual property and ensure national security and public safety in the application of new generations of wireless network technologies and microelectronics. Section 224 refers to these operational security standards as trusted supply chain and operational security standards and requires the Secretary of Defense (SECDEF) to establish these security standards no later than January 1, 2021. By January 1, 2023, nearly all microelectronics products and wireless network services purchased by the DOD must meet these new security standards.

Section 224 defines “security standards” as standards that systematize best practices relevant to six categories:

  1. Manufacturing location
  2. Company ownership
  3. Workforce composition
  4. Access to the product during manufacturing, suppliers’ design, sourcing, packaging, and distribution processes
  5. Reliability of the supply chain and
  6. Other matters germane to supply chain and operational security.

The workshop was organized into three breakout groups:

  • Manufacturing Location and Company Ownership
  • Workforce Composition & Access During Manufacturing
  • Reliability of Supply Chain & Operational Security

Workshop Results

The top three recommendations were:

  1. Develop a process to identify ownership and location
  2. Government and industry must quantify need, understand cost, understand how much legacy capability needs to be maintained, and pay attention to measures that can keep existing capability in place while diversifying supply and evaluating standard work to streamline compliance.
  3. Comprehensive tailorable portfolio of security requirements and associated standards across the life cycle (possibly broken out by stages in the life cycle, technology, etc.).

The following are the products of the workshop: