The Department of Defense (DoD) has recently proposed to amend its rules governing counterfeit electronic part detection systems, and finalized its rule governing supply chain risk. Regardless of whether you supply parts and equipment to the Government directly, or if you are a vendor in the supply chain, you must be aware of these rules because they will affect how you do business. Comments on the proposed amendments to the rule on counterfeit electronic parts are due by December 11, 2015.

DoD's Proposed Amendments to Counterfeit Electronic Parts Detection Rules

As Venable reported last year, DFARS clause 252.247-7007 has been implemented to require a prime contractor subject to the Cost Accounting Standards (CAS) to develop and impose on the contractor's supply chain a Counterfeit Electronic Part Detection and Avoidance System. The requirement must be flowed down throughout the supply chain, regardless of whether the subcontractors or suppliers are small businesses or commercial items providers. The proposed amendments call for an additional clause, Sources of Electronic Parts, requiring DoD contractors and subcontractors to acquire electronic parts from trusted suppliers.

DoD Is Focusing on Trusted Sources of Electronic Parts and Traceability

Unlike the clause on Counterfeit Electronic Parts Detection Systems, the new clause is not strictly limited to CAS-covered prime contractors, and will expressly apply to all tiers of contractors and subcontractors that are providing electronic parts. Under the new clause, the contractor must:

  • Obtain current parts from original manufacturers, authorized dealers, or suppliers that obtain parts exclusively from the original manufacturers or authorized dealers.
  • Obtain parts no longer in production or stock from "trusted suppliers," provided the
    • Contractor uses industry standards to identify the trusted suppliers;
    • Contractor assumes responsibility for part authenticity; and
    • The Contractor's selection is subject to audit and review.
    • "Trusted suppliers" include those that are identified using DOD-adopted counterfeit prevention industry standards and processes. The proposed rule does not further detail what standards may be relied upon for that purpose.
  • Also, a contractor that is not an original manufacturer or authorized dealer must have a risk-based process that:
    • Enables tracking of electronic parts from the OEMs to the Government, and
    • If traceability cannot be established the contractor must document an evaluation considering alternative parts or use test and inspections commensurate with risk.

DoD Is Removing "Software" and "Firmware" From the Definition of Electronic Parts

DoD also proposes to remove from the definition of the term "electronic part" any embedded software or firmware. This significant reduction in scope of the term "electronic part" reflects that the rule is more applicable to hardware, and further industry standards are still under development to address testing of embedded software or firmware in electronic parts.

DoD Has Finalized the Requirements Relating to Supply Chain Risk

As Venable reported earlier, the DoD in 2013 issued an interim rule allowing for consideration of supply chain risk in procurements related to national security systems. That rule has been finalized, so contractors should take this opportunity to consider the rule's implications.

The rule still allows authorized decision makers to mitigate supply chain risk by: excluding sources of supply from covered procurements for failing to meet qualification standards or for failing to satisfy evaluation factors; or withholding consent for prime contractors to use certain subcontractors.

DoD Requires Evaluation Factors for Acquiring IT Supplies or Services Related to Covered National Security Systems

In finalizing the rule, DoD clarified that the rule applies to a specific subset of "covered" national security systems. As part of its finalization, DoD has emphasized that its components are required to incorporate an evaluation factor (and notice of the same) in solicitations for information technology, whether acquired as a service or as an item of supply, that is a covered system, is part of a covered system, or is in support of a covered system.[1] "Covered systems" include those that: support intelligence activities; are critical to direct fulfilment of military or intelligence missions, or are protected as classified.

Support intelligence activities; cryptologic activities related to national security; the Another key change reflected in the final rule is the removal of flow down obligations from the Supply Chain Risk clause found at DFARS 252.239-7018.