Analysis of the Final Rule for DFARS Case 2012-D055

Over the past week, I have seen several articles written by contracts law subject matter experts concerning the final rule for DFARS Case 2012-D055. While each of these articles cover some of the key points and changes from the proposed rule, the articles do not discuss a number of important points that are relevant to defense contractors. Below I describe important points of the final rule and my own thoughts about them.

* * *

Clarification of system elements and criteria for suitability of the “Contractor Counterfeit Electronic Part Detection and Avoidance System”…

The final rule does not address clarifications sought by industry for several of the system elements presented in the proposed rule. The added language refines the description of some elements, but applicability is not very clear. For example, the testing requirement is not specifically directed to parts acquired from other than OCMs of their authorized dealers; does the rule, therefore, require counterfeit detection testing for all electronic parts, including those acquired from OCMs of their authorized dealers? The final rule requires the use of processes for maintaining electronic part traceability back to the original manufacturer; does the traceability requirement apply to parts sourced on the open market where such traceability generally does not exist?

Definition of “electronic part”…

The definition of “electronic part” in the final rule includes “embedded software and firmware” which presumably refers to software and firmware embedded within certain types of “integrated circuits”, such as Field Programmable Gate Arrays. This addition broadens the scope of the definition and, in turn, broadens the scope of counterfeits covered by the rule. The elements of the “Contractor Counterfeit Electronic Part Detection and Avoidance System”, however, are meaningful for hardware (integrated circuits, circuit assembly, etc.) and do not really address counterfeit avoidance and detection practices for embedded software or firmware. Furthermore, the rule depends on standards which are hardware centric, such as AS5553 and AS6174 cited in the FAR Case 2012-032 on ‘Higher-Level Contract Quality Requirements’.

Definition of “counterfeit electronic part”…

The definition of “counterfeit electronic part” no longer resembles the broad definition in the proposed rule that would include general non-conformances. The fix, however, is not so much due the addition of the word “electronic” to the definition of “counterfeit part” as a number of articles suggest. It is largely due to the elimination of the third part of the definition in the proposed rule …

(3) A new, used, outdated, or expired item from a legally authorized source that is misrepresented by any source to the end-user as meeting the performance requirements for the intended use.

The “intent” element…

A number of articles emphasize the introduction of the “intent” element to the definition of “counterfeit electronic part”. Some comments to the proposed rule suggested a definition that would substantially limit the definition of “counterfeit part” — If a supplier didn’t intend to furnish a counterfeit part, then the part itself is not counterfeit. The analysis of public comments dismisses this suggestion ….

“Terms indicating supplier failure to exercise appropriate counterfeit detection and avoidance measures, such as “recklessly” and “negligently,” are not included in the definition because they have no bearing on whether the part itself is counterfeit (i.e., supplier negligence cannot change the status of a counterfeit part to a non-counterfeit part).”

System Propagation Throughout the Supply Chain…

The final rule introduces a requirement for contractors to “establish and maintain an acceptable counterfeit electronic part avoidance and detection system” as a part of the contractor’s purchasing system. Rather than also directing counterfeit prevention requirements toward lower tier suppliers, the propagation of counterfeit detection and avoidance requirements is to be accomplished through the flow down of “counterfeit system criteria” from the prime contractor to all subcontractor tiers providing electronic parts or assemblies containing electronic parts.

Allowable costs and assumptions of cost recovery…

The cost of counterfeit electronic parts and suspect counterfeit electronic parts and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts are not allowable costs under DoD contracts (except for very limited conditions).

The requirements of the final rule concerning unallowable costs are based, in part, on the assumption that contractors will recover costs associated with counterfeit part quality escapes from their lower-tier suppliers. The final rule presumes: (1) lower level suppliers universally accept counterfeit prevention flow down clauses, and (2) contractors generally recover all costs from its suppliers that supplied counterfeit or suspect counterfeit parts or supplied items containing counterfeit or suspect counterfeit parts.

To further complicate matters, smaller suppliers (including electronic part suppliers) who, according to the proposed rule, are exempt from counterfeit electronic part avoidance and detection system requirements are not adequately capitalized to be able to hold harmless and indemnify prime and upper tier contractors for costs that cannot be recovered from their customers.

“Trusted Suppliers” and electronic part supplier selection…

The final rule addresses the confusion and conflict with the DoD Trusted Foundry Program by eliminating the use of the term “trusted supplier” appearing in Section 818 of the NDAA for FY2012. The final rule communicates requirements for …

“use of suppliers that are the original manufacturer, or sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources.

The final rule, however, does not describe criteria for use of other suppliers (such as Independent Distributors) when electronic parts are not available from OCMs, authorized distributors, or authorized aftermarket suppliers.

“When parts are not available from any of these sources, use of suppliers that meet applicable counterfeit detection and avoidance system criteria.”

Risk-Based Approach …

A number of articles observe that the rule discusses a “risk-based approach”. Some interpret this to extend to all twelve of the elements of a “Contractor Counterfeit Electronic Part Detection and Avoidance System”. The rule specifically allows for a risk-based approach in the selection of tests and inspections to detect counterfeits. An allowance for a risk-based approach is not explicitly stated in any of the other system elements. It remains to be seen whether or not one can presume that contractor discretion is allowed for all elements of the ‘system’ versus strict compliance to the rule.

The final rule is explicit about the basis for determination of risk when selecting tests and inspections to detect counterfeits. In contrast to a number of approaches for managing the risk of introducing counterfeit parts into the supply chain, the final rule requires selection of tests and inspections based on minimizing risk to the Government…

“Determination of risk shall be based on the assessed probability of receiving a counterfeit electronic part; the probability that the inspection or test selected will detect a counterfeit electronic part; and the potential negative consequences of a counterfeit electronic part being installed (e.g., human safety, mission success) where such consequences are made known to the Contractor.”

Electronic Parts Obsolescence…

While the analysis of public comments acknowledges “parts obsolescence is a matter of concern because it can create vulnerabilities in the supply chain”, it does not acknowledge that obsolescence risk mitigation depends largely on collaboration between DoD and its contractors. The final rule does not include mechanisms necessary to support this collaboration.

Detailed guidance and mechanisms concerning supply chain processes to mitigate risks inherent with obsolete parts are outside the scope of this case.

Proposals for the NDAA for FY 2014 were offered to foster collaboration between DoD and its contractors to address electronic part obsolescence. Drafts of the NDAA for FY 2014 included amendments that would require DoD to implement a process to identify and replace obsolete electronic parts included in acquisition programs (i.e. Sec. 803. Identification and Replacement of Obsolete Electronic Parts). These amendments, however, did not survive.

Applicability to small business set-asides…

The analysis of public comments clearly states that the rule excludes small business set-asides from clause requirements. A number of articles, however, do not discuss this and suggest that counterfeit electronic part detection and avoidance requirements are to be flowed down throughout the supply chain to all players in the supply chain.

Applicability to existing inventory…

The analysis of public comments is very clear about applicability to existing inventory…

If the parts are already on the contractor’s shelf or in inventory, and they were not procured in connection with a previous DoD contract, they will be subject to the same requirements, such as traceability and authentication.

This has significant implications for contractors who have accumulated inventory to support long term requirements before the counterfeit parts threat and associated supply chain issues were well understood. This also has significant implications for others who acquired inventory through mergers and acquisitions without intimate knowledge of the history of that inventory. Though a contractor or subcontractor may apply counterfeit prevention due diligence for materiel procurements going forward, the contractor or subcontractor may not have performed the same or similar due diligence for its inventory or have maintained traceability required by the final rule.

Applicability to COTS items…

The rule requires contractors to include counterfeit electronic part detection and avoidance system requirements in subcontracts for commercial items containing electronic parts. This creates a significant dilemma for contractors. A COTS Original Equipment Manufacturer (OEM) will frequently advise its customers that the best way to avoid counterfeits of its finished products is to purchase them directly from the OEM or its authorized dealer. It is common, however, for the COTS OEM or its authorized dealer to refuse requirements from customers dictating procurement, reporting and remediation practices such as those described in the final rule. On the other hand, the analysis of comments in the final rule states that DoD is not to implement counterfeit electronic part detection and avoidance for its direct purchases of COTS items.

Disposition of Counterfeit Electronic Parts …

Some contractors do not return suspect counterfeit parts: (a) because they may be required for evidence if the Government later expresses an investigatory interest and (b) for fear that one of the upstream suppliers in the chain may subsequently attempt to sell them again. Others, however, treat suspect counterfeit parts like other “non-conforming” material and return them for a refund or credit.

The final rule does not allow contractors to return counterfeit electronic parts or suspect counterfeit electronic parts to the seller or to otherwise return them to the supply chain. The final rule, however, does not provide direction concerning the care and handling of the suspect counterfeit parts; how to secure and store them; how long they should be retained; or direction concerning the destruction of the parts.

Reporting of  Counterfeit Electronic Parts…

The final rule clearly requires the reporting of counterfeit electronic parts and suspect counterfeit electronic parts (a) to the Contracting Officer, and (b) to the Government-Industry Data Exchange Program (GIDEP). The analysis of public comments states that FAR Case 2013–002, Enhanced Reporting of Nonconforming Parts, will provide clear direction for reporting to the Contracting Officer and to GIDEP.

The analysis of public comments includes a discussion of the contractor’s obligations to report fraudulent activity to the DoD Inspector General (IG) under the FAR and DFARS mandatory disclosure rules. In its formal comments to the proposed rule, the Office of The DoD IG recommended including this expectation for the reporting of counterfeit electronic parts and suspect counterfeit electronic parts in the final rule (see DARS-2013-0014-0020). The final rule, however, does not specifically address the reporting of counterfeit electronic parts and suspect counterfeit electronic parts to the DoD IG.

“Although DoD recognizes the importance of the ‘‘mandatory disclosure’’ rules, this may not be an appropriate use of them because it suggests a contractor has committed an ‘ethical or code of conduct violation.’ ’’

* * *

In closing, several issues concerning the final rule require further study by contract law subject matter experts. I look forward to future articles discussing the fine points described above.

 

This essay is available in the following publication …

Livingston, H., “An Assessment of the Final DFARS Rule on Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D055)“, May 2014

Advertisements

5 thoughts on “Analysis of the Final Rule for DFARS Case 2012-D055

  1. Mike Sharkey says:

    Thank You. Like you, I feel the final ruling on DFARS Case 2012-D055 is anything but final. It certainly hasn’t provided the panacea of an ULTIMATE RULE satisfactory to everyone. It’s unfortunate, but I don’t have any sympathy for those “acquiring” and now holding a stock pile of now suspect items. Caveat emptor. They may be holding a bag now. Certainly, not identifying these articles of suspect heritage is now criminal.

    In my limited perspective, the RULING now empowers services and agencies with the ability to require full “genetic” records of each item without obfuscation by the “manufacturer” or supplier. Authentic “provenance” or heritage records are critical. This kind of caveat from a large manufacturer of ignition switches is no longer acceptable: “…..NOTE: ^?^?^?^ inc. partners with other manufacturers to supply the parts you car was originally built wit. This product is in a ^?^?^?^ inc. package, however the part may have been manufactured by an independent supplier and could have a different color or shape than the product image above.”….

    Different day. Everybody’s accountable. Service’s now have teeth.

  2. Henry, excellent analysis highlighting need for clarification. However what is clear that professional adherence to counterfeit avoidance technology is necessary and testing, training, certification, and procurement diligence is an ongoing and critical obligation to be a Trusted Supplier.

  3. Dan Deisz says:

    I was glad to see Authorized Aftermarket Manufacturers clearly called out in this ruling. I noticed that “Obsolete” now means when it is no longer available from an authorized source. This may have nothing to do with when a semiconductor company says EOL because of Authorized Aftermarket Manufacturers. AVL’s need to include more authorized options for some of the DoD OEM’s.

  4. The expanded definition of “electronic part” is, for me, the most interesting part of the Final Order. We see a subtle morphing of a regulatory focus from hardware (dating back to the survey of the industrial base done by the Department of Commerce for NAVAIRSYSCOM) to now include “added functionality”(a euphemism for designed-in malware).

    Most of the risk assessment and risk mitigation strategies that work for hardware will not work for designed-in malware. They are two very different problems – one a supply chain issue, and the other a rather exotic cyber security issue – both currently sharing dockets. That in itself is problematic. Is there any truth to the old proverb: “if a dog tries to chase two rabbits at the same time, he won’t get either?’

  5. Phil Bail says:

    Even when rulings on various issues are “clear” interpretation is often all over the place. When a government Contractor Purchasing System Review (CPSR) audit team asks to see the counterfeit parts “policy” for a company, it is doubtful if the auditor will even know if a policy meets these requirements.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: