Comments on the Proposed Rule Under DFARS Case 2014-D005 – “Detection and Avoidance of Counterfeit Electronic Parts — Further Implementation”

A draft notice was published 21 September in the Federal Register concerning a revision to the DFARS on counterfeit electronic parts.[1] This proposed rule revises DFARS 212.301, 246.870 and DFARS clause 252.246-7007, which is limited to contractors subject to government cost accounting standards (CAS); and the proposed rule introduces a new clause, 252.246-70XX, that is not limited to contractors subject to CAS and will apply to small business set-asides.

The proposed rule under DFARS Case 2014-D005 aligns with recommendations from industry subject matter experts in key areas, and goes a long way to help align DoD and defense contractors on (1) where counterfeit electronic parts risks lie, and (2) where to direct risk-based processes. Aspects of the proposed rule that industry should view favorably include the following:

  • Counterfeit parts risk is a function of the sources one uses to acquire parts; risk-based processes are directed accordingly
  • Modified definition for ‘electronic part’ (the removal of ‘embedded software and firmware’)
  • Requirement to obtain electronic parts that are in production or currently available in stock from original manufacturers, authorized dealers, or suppliers that obtain such parts exclusively from the original manufacturers or their authorized dealers
  • Appropriate expectation for traceability

However, the proposed rule leaves other issues unresolved and introduces significant ambiguities:

  • Broad, dynamic and problematic definition for the term ‘trusted supplier’
  • Ambiguous requirements for the use of ‘trusted suppliers’
  • Continued disparity between counterfeit detection and avoidance expectations to be applied by industry versus those to be applied by DoD
  • Lack of acceptance of counterfeit part prevention requirements flowdown from the COTS electronic assembly industry

The Objective of the Proposed Rule

The stated objective of the proposed rule is an important development that will help align DoD and defense contractors on (1) where counterfeit electronic parts risks lie, and (2) where to direct risk-based processes. The proposed rule acknowledges that exposure to counterfeit parts risk is a function of the sources one uses to acquire parts. The notice clearly states the objective of the proposed rule is to “avoid acquisition of counterfeit electronic parts by requiring DoD contractors and subcontractors, except in limited circumstances, to buy electronic parts from trusted suppliers, in accordance with section 818(c)(3) of the NDAA for FY 2012”. The proposed rule directs risk-based processes to electronic parts obtained from riskier suppliers.

Embedded Software and Firmware

DoD acknowledges that industry standards are still being developed to address embedded software and firmware and proposes to remove ‘embedded software and firmware’ from the definition of ‘electronic part’. This will focus the regulation on hardware where a more clearly defined and understood threat exists; and where avoidance and detection methods are more clearly defined.

Traceability

The proposed rule adopts an approach recommended by industry subject matter experts. Where traceability to the original manufacturer cannot be established, the contractor or subcontractor must complete an evaluation that includes uses of alternative parts, and apply its risk-based systems, including tests and inspections commensurate with risk.

There is a caveat here. If the contractor (and presumably its subcontractors) must use ‘non-trusted suppliers’, the contractor must notify the Contracting Officer and identify the specific assemblies where the parts are used (see discussion on “Purchases from ‘Non-Trusted Suppliers’”).

Sources of Electronic Parts

Proposed DFARS clause 252.246-70XX, Sources of Electronic Parts, is to be used by DoD “for the acquisition of commercial items, when procuring—

(1) Electronic parts;

(2) End items, components, parts, or assemblies containing electronic parts; or

(3) Services, if the contractor will supply electronic parts or components, parts, or assemblies containing electronic parts as part of the service.”

This new clause would also be used by CAS covered contractors in conjunction with the proposed revision to DFARS clause 252.246-7007.

Proposed DFARS clause 252.246-70XX would require source selection practices consistent with recommendations from industry subject matter experts. Contractors and subcontractors must “obtain electronic parts that are in production or currently available in stock from—

(i) The original manufacturers of the parts;

(ii) Their authorized dealers; or

(iii) Suppliers that obtain such parts exclusively from the original manufacturers of the parts or their authorized dealers”.

Use of other suppliers would be limited to (a) obsolete parts and (b) parts that are not currently available in stock from original manufacturers, authorized dealers, or suppliers that obtain parts exclusively from the original manufacturers or their authorized dealers. The contractor or subcontractor may “obtain electronic parts that are not in production, or not currently available in stock, from suppliers identified by the Contractor as trusted suppliers, provided that—

(i) The Contractor uses established counterfeit prevention industry standards and processes, including testing, for identifying such trusted suppliers;

(ii) The Contractor assumes responsibility for the authenticity of parts provided by such suppliers (see DFARS 231.205-71); and

(iii) The Contractor’s selection of such trusted suppliers is subject to review and audit by appropriate Department of Defense officials.”

The proposed rule, however, introduces a definition for the term ‘trusted supplier’ that is broad and dynamic. Furthermore, the definition is ambiguous in its application within proposed clause 252.246-70XX.

Proposed definition of a ‘Trusted Supplier’

The proposed rule introduces a definition for the term ‘trusted supplier’ that would not necessarily drive consistent and effective supplier selection or counterfeit avoidance and detection testing practices among the contractor community, nor consistent assessment by the Government.

The first three categories of the proposed definition for the term ‘trusted supplier’ to be used by industry are clear, meaningful, appropriate, and consistent with recommendations from industry subject matter experts. ….

“(1) The original manufacturer of a part;

(2) An authorized dealer for the part;

(3) A supplier that obtains the part exclusively from the original component manufacturer of the part or an authorized dealer; …”

The fourth category, however, is broad and dynamic ….

“(4) A supplier that a contractor or subcontractor has identified as a trustworthy supplier, using DoD-adopted counterfeit prevention industry standards and processes, including testing (see https://assist.dla.mil).” [2]

The current state of industry standards, including those currently adopted by DoD, allows for a broad range of supplier selection practices and counterfeit detection protocols. The current version of SAE Standard AS5553, for example, requires the organization to develop and implement a ten point counterfeit parts control plan. While AS5553 includes a significant amount of valuable information to aid the user in establishing and implementing robust counterfeit detection and avoidance practices, this information is presented as guidance, and its inclusion in a control plan is left to the discretion of the individual organization. Work is underway to improve industry standards, to clearly define criteria for a suitable counterfeit detection and avoidance system that aligns with DFARS clause 252.246-7007, and to define specific test and inspection protocols that are suitable for detecting counterfeit electronic parts. It is premature, however, to speculate on the outcome of this work in process. In the meantime, counterfeit electronic part detection and avoidance practices are broad-ranging and dynamic, yielding mixed results.

Industry reports illustrate mixed results in applying counterfeit electronic part detection and avoidance practices. GIDEP reports describe suspect counterfeit electronic parts discovered by the application of industry counterfeit avoidance and detection standards, including those currently adopted by DoD. Many of these reports describe instances where these standards and processes were applied and suspect counterfeit parts were intercepted before they would have otherwise been put into inventory or subsequently used. On the other hand, many other GIDEP reports described instances where a contractor, subcontractor, or subcontractor appointed ‘trusted supplier’ claims to have applied the same standards, but suspect counterfeit parts escaped detection.

The proposed new clause for ‘Sources of Electronic Parts’ (252.246-70XX) includes an ambiguous application of the proposed definition of ‘trusted supplier’. According to the clause, some ‘trusted suppliers’ can only be used under limited circumstances and under specific conditions. A contractor may “obtain electronic parts that are not in production, or not currently available in stock, from suppliers identified by the Contractor as trusted suppliers, provided that—

(i) The Contractor uses established counterfeit prevention industry standards and processes, including testing, for identifying such trusted suppliers;

(ii) The Contractor assumes responsibility for the authenticity of parts provided by such suppliers (see DFARS 231.205-71); and

(iii) The Contractor’s selection of such trusted suppliers is subject to review and audit by appropriate Department of Defense officials.”

In effect, the proposed rule suggests that some ‘trusted suppliers’ are less trustworthy than others and the contractor must dissect this definition in its application between current production parts versus obsolete parts. While the due diligence expected for a contractor appointed trusted supplier is prudent and consistent with industry subject matter expert recommendations, it would also be prudent to exclude these suppliers from the definition of ‘trusted supplier’ altogether in order to avoid this ambiguity and potential confusion.

Suppliers of electronic assemblies will be subjected to different and potentially conflicting requirements for contractors and subcontractors versus requirements from DoD. DFARS clause 252.246-7007 directed to CAS covered contractors calls for the contractor to implement and flow down the twelve element ‘system’ requirements, as well as the new DFARS clause 252.246-70XX. When DoD applies proposed DFARS clause 252.246-70XX, however, the supplier will be subject to only one of the twelve elements of the ‘system’ required of CAS contractors (“Use of trusted suppliers…”). The supplier will not be subject to quarantine and reporting requirements or other counterfeit prevention practices required by DFARS clause 252.246-7007 or other practices described in DoD adopted industry standards.

When digesting this proposed rule as a whole, it can be difficult to understand the purpose or benefit of applying the term ‘trusted supplier’ as presently defined. DoD should confine the term ‘trusted supplier’ to:

“(i) The original manufacturers of the parts;

(ii) Their authorized dealers; or

(iii) Suppliers that obtain such parts exclusively from the original manufacturers of the parts or their authorized dealers”

This more limited definition better aligns with the expectations of Section 818 of the NDAA for fiscal year 2012, and would be consistent with recommendations from industry subject matter experts.

Purchases from ‘Non-Trusted Suppliers’

The proposed rule would require the contractor to notify the Contracting Officer if it is not possible to obtain an electronic part from a ‘trusted supplier’. If an entire lot of assemblies requires an obsolete part, the contractor may submit one notification for the entire lot, providing the contractor identifies the assemblies containing these parts (e.g. serial numbers). This requirement will call for contractors to (1) establish and implement methods to trace parts acquired from ‘non-trusted’ sources to the specific assemblies where these parts are used, and (2) establish and implement mechanisms to trigger customer notification of purchases from other than ‘trusted suppliers’.

This notification requirement will present a significant challenge in cases where a subcontractor will not accept counterfeit avoidance and detection requirements included in DFARS clause 252.246-7007, particularly when dealing with COTS electronic assembly providers. How can a contractor know of its subcontractor’s purchases from ‘non-trusted suppliers’ if the subcontractor did not agree to requirements flowdown from the contractor or agree to the contractor’s different interpretation of which suppliers should be considered trustworthy?

Parts acquired from the Federal Supply Schedule

According to the proposed rule, the requirements concerning ‘sources of electronic parts’ would apply to parts acquired from the Federal Supply Schedule. The contractor or subcontractor will be responsible to establish the trustworthiness of suppliers of parts acquired from the Federal Supply Schedule and assumes responsibility for the authenticity of those parts. The proposed rule states that qualification requirements for ‘trusted suppliers’ to be used by DoD will be addressed in DFARS Case 2015-D020, DoD Use of Trusted Suppliers for Electronic Parts. In the meantime, there are no apparent counterfeit prevention requirements that the Government applies to items, or their sources, before listing them on the Federal Supply Schedule.

Though not specifically addressed within this proposed rule, one might surmise a similar expectation of contractors would also apply to the use of electronic parts acquired from or through other government sources, such as DLA, government sponsored shopping sites, and government furnished material.

COTS Parts vs COTS Assemblies

This proposed rule continues to require the flow down of counterfeit prevention requirements to suppliers and producers of COTS electronic assemblies. While the rationale within the proposed rule may be appropriate for COTS electronic parts, the proposed rule does not address the dilemma industry continually faces concerning the general lack of acceptance of counterfeit part prevention requirements flowdown from COTS electronic assembly producers and their authorized dealers. DoD itself, however, escapes this dilemma for its own purchases of electronic assemblies, both because it drafted DFARS 252.246-7007 to apply only to CAS covered contractors (thus allowing it direct purchases from COTS suppliers that are not CAS covered) and now by using the new clause 252.246-70XX, which does not call for the flow down of counterfeit avoidance and detection requirements directed to CAS contractors.

CONCLUSION

The proposed rule under DFARS Case 2014-D005 aligns with recommendations from industry subject matter experts in key areas. It goes a long way to help align DoD and defense contractors on where risks lie and where to focus risk-based processes. Unfortunately, a number of unresolved issues remain and significant ambiguities have been introduced.

Henry Livingston


[1] Federal Register Vol. 80, No. 182 at pp. 56939 – 56944, Defense Federal Acquisition Regulation Supplement: Detection and Avoidance of Counterfeit Electronic Parts—Further Implementation (DFARS Case 2014–D005)

[2] Industry counterfeit prevention standards adopted by DoD are …

  • AS5553 – Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition
  • AS6081 – Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition – Distributors
  • AS6174 – Counterfeit Materiel; Assuring Acquisition of Authentic and Conforming Materiel
  • AS6462 – AS5553A, Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Verification Criteria

One thought on “Comments on the Proposed Rule Under DFARS Case 2014-D005 –“Detection and Avoidance of Counterfeit Electronic Parts — Further Implementation”

  1. Kelley Brown says:

    Thanks for the summary Henry. This proposed revision substantially weakens the ability of the parent document to mitigate counterfeit part infiltration into assemblies.
