On May 6, 2014, the U.S. Department of Defense (DOD) published its first set of final regulations imposing specific obligations on defense contractors and their suppliers for the detection and avoidance of counterfeit electronic parts. These final regulations represent the culmination of a rulemaking process initiated almost a year ago, with DOD’s release of its proposed regulations implementing Section 818 of the fiscal year (FY) 2012 National Defense Authorization Act (NDAA). Section 818 had directed DOD to issue regulations making certain “covered” defense contractors responsible for detecting and avoiding the use or inclusion of counterfeit electronic parts in the products they supply to DOD. DOD’s final regulations revise or supplement several aspects of the proposed regulations to address issues noted by industry in its comments on the proposed regulations, but leave other troublesome aspects of the unchanged. Moreover, with DOD’s clarification that the onerous counterfeit detection and avoidance requirements must be flowed down to all subcontractors and suppliers, including suppliers of commercial items and small business suppliers, defense contractors must confront the reality that many commercial or small business suppliers will refuse to supply products on those terms and may exit the defense sector altogether.
Accordingly, while the final regulations represent an improvement over DOD’s initial proposal, they continue to expose contractors and their suppliers to significant compliance burdens and risks, essentially placing the entire risk of counterfeit detection and avoidance on contractors and establishing what amounts to a strict liability regime for counterfeit escapes. DOD itself acknowledges that “many issues associated with management of the counterfeit parts problem remain to be resolved,” and the final regulations defer the development of much-needed guidance regarding how DOD intends to evaluate contractor counterfeit detection and avoidance systems to the Defense Contract Management Agency (DCMA). Thus, while these regulations are “final” (and therefore immediately effective), they are far from the final word from DOD on contractor responsibility for addressing the problem of counterfeit electronic parts in the defense supply chain.
This Legal Alert highlights key provisions in the final regulations, focusing on changes from the proposed regulations, and identifies important near-term considerations for defense contractors and suppliers given the immediate effective date of the final regulations.
Summary of Key Changes in Final Rules
Revised Definition of Counterfeit Parts
The proposed regulations had included three separate definitions of “counterfeit parts,” with the third definition arguably extending “counterfeit” treatment to garden-variety quality issues by encompassing parts that do not meet “the performance requirements for the intended use.” In response to a number of comments taking issue with the proposed definitions, DOD has narrowed the definition of “counterfeit” parts, adopting a single definition that is limited to electronic parts. DOD’s revised definition also helpfully clarifies that intent to mislead or misrepresent is a key element of the definition.
The final regulations define “counterfeit electronic part” as:
an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.
DOD’s revised definition should ensure that, absent evidence of a knowing misrepresentation, genuine parts that have quality issues or are otherwise out of specification will not be treated as a “counterfeits,” or subjected to the onerous obligations attendant to counterfeit electronic parts under DOD’s rules (e.g., reporting and quarantining requirements, cost unallowability of remediation/repair, etc.).
Revised Definition of “Suspect Counterfeit Parts”
The final regulations also slightly revise the definition of “suspect counterfeit electronic part” to clarify that a part’s “suspect” status should be based on “credible evidence (including, but not limited to, visual inspection or testing) [that] provides reasonable doubt that the electronic part is authentic.” DOD characterized its addition of the phrase “credible evidence” as an effort “to strengthen the fact-based approach” to the definition of “suspect counterfeit” parts, which should provide some reassurance to contractors that they will not be expected to characterize a part as a “suspect counterfeit” without some credible, “fact-based” evidence that the part may be inauthentic.
Addition of Embedded Software/Firmware to Definition of Electronic Parts
The proposed regulations adopted the same definition of “electronic part” found in Section 818(f) of the 2012 NDAA. Under that definition, an electronic part is “an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly.” The final regulations retain the statutory definition, but clarify that the definition of “electronic part” also “includes any embedded software or firmware” in an electronic part. Note that the duty to detect and avoid counterfeit electronic parts applies not only to companies that supply individual “electronic parts” (as that term is defined in the final regulations), but also to companies that supply products containing electronic parts.
Express Endorsement of Risk-Based Counterfeit Detection and Avoidance Systems
One of the key criticisms of DOD’s proposed regulations was that the regulations did not expressly acknowledge that an effective counterfeit detection and avoidance system can be, and actuallyshould be, risk-based – in other words, that an effective system focuses its counterfeit detection and avoidance efforts on mission-critical and safety-related parts, or parts at a higher risk of being counterfeit, over parts that are at low risk of counterfeiting or pose a low risk to mission performance or safety. In its final regulations, DOD responds to that criticism by explicitly recognizing and endorsing a risk-based approach by contractors to counterfeit detection and avoidance. The final rule now states that “[a] counterfeit electronic part detection and avoidance system shall include risk-based policies and procedures.” DFARS 246.870-2(b).
The final rule also describes the risk-based analysis contractors will be expected to undertake when determining what tests and inspections they will perform on electronic parts. Contractors will be required to select tests and inspections “based on minimizing risk to the Government.” DFARS 252.246-7007(c)(2). Factors to be considered in making that risk assessment include: “the assessed probability of receiving a counterfeit electronic part; the probability that the inspection or test selected will detect a counterfeit electronic part; and the potential negative consequences of a counterfeit electronic part being installed (e.g., human safety, mission success) where such consequences are made known to the Contractor.”
The final rule’s reference to “risk-based policies and procedures” and endorsement of risk-based testing and inspection determinations are beneficial to contractors, because they signal that a contractor system that allocates detection and avoidance resources based on risk will not be deemed inadequate. Indeed, the final rule eases the concern that contractors would be required to test and inspect all electronic parts. DOD’s clarification that the rule “does not require all electronic parts to be treated equally” is significant and should permit contractors to allocate their limited testing and inspection resources in a manner that focuses on the parts most at risk of being counterfeit.
The benefits of this revision are mitigated somewhat, however, by DOD’s continued imposition of what amounts to strict liability on contractors for the escape of any counterfeit or suspect counterfeit parts into the defense supply chain. That is, while DOD’s final rule indicates that an effective counterfeit detection and avoidance system includes risk-based policies and procedures, adhering to those policies and procedures will not insulate a contractor from liability for a counterfeit or suspect counterfeit electronic part that escapes into the defense supply chain — even when DOD has reviewed and approved the contractor’s system as effectively “minimizing risk to the Government.”
Additional Criteria for Contractor Counterfeit Detection and Avoidance Systems
The proposed regulations identified nine required elements of a contractor’s counterfeit electronic part detection and avoidance system, reciting the nine elements listed in Section 818. In its final rules, DOD added three new elements to the nine statutorily required elements: (1) a process for “keeping continually informed of current counterfeiting information and trends”; (2) a process for screening Government-Industry Data Exchange Program (GIDEP) reports and other credible sources of information regarding reported discoveries of counterfeit or suspect counterfeit electronic parts; and (3) processes to control obsolete electronic parts.
The new system criterion requiring contractors to stay “continually informed of current counterfeiting information and trends” appears primarily designed to ensure that contractors are monitoring the adoption and evolution of industry standards regarding counterfeit detection and avoidance techniques. Contractors will be expected to stay abreast of changes to industry standards and to upgrade their own internal processes accordingly as those standards evolve. This new system criterion also likely substantially overlaps with the second new criterion requiring active screening of GIDEP and other credible sources of information regarding discovery of counterfeit parts — as keeping informed as to which parts have been detected by other companies as counterfeits or suspected counterfeits, and the identity of the suppliers who provided those parts, would also presumably be an element of “keeping continually informed of current counterfeiting information and trends.”
With regard to the third new system criterion, implementation of a process to “control obsolete electronic parts,” the final rules provide a definition of “obsolete electronic part,” but otherwise do not offer guidance regarding what measures contractors will be expected to take to “control” obsolete parts. An “obsolete electronic part” is “an electronic part that is no longer in production by the original manufacturer or an aftermarket manufacturer that has been provided express written authorization from the current design activity or original manufacturer.” These out-of-production parts represent a particular challenge in counterfeit prevention, because the primary (and most efficient) counterfeit mitigation technique – buying the part directly from the original manufacturer or one of its authorized distributors – is often unavailable. The challenge of addressing obsolete parts is particularly acute in the defense sector, because the production life cycle for many semiconductors is measured in months, whereas the production life cycle for many defense systems and platforms is measured in decades. While several commenters sought additional guidance from DOD regarding how they will be expected to mitigate the risks inherent with obsolete parts, DOD declined to provide such guidance, claiming that it would be “outside the scope” of the final regulations. DOD also declined to provide a mechanism for contractors to seek and obtain direction from DOD on how to proceed with purchasing of obsolete parts that may not be traceable back to the original manufacturer. Thus, the final rule essentially saddles contractors and their suppliers with the full burden of managing parts obsolescence and the attendant risks of counterfeits in out-of-production electronic parts.
Under the final regulations, a contractor’s counterfeit electronic part detection and avoidance system must address:
- The training of personnel.
- The inspection and testing of electronic parts, including criteria for acceptance and rejection of parts. Tests and inspections “shall be performed in accordance with accepted Government- and industry-recognized techniques.”
- Processes to abolish counterfeit parts proliferation.
- Processes for maintaining electronic part traceability (such as item unique identification) that enable tracking of the supply chain back to the original manufacturer, whether the parts are supplied as discrete electronic parts or are contained in assemblies.
- Use of suppliers that are the original manufacturer, sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources.
- The reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts.
- Methodologies to identify suspect counterfeit parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit.
- The design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts.
- The flow down of counterfeit detection and avoidance requirements, including applicable system criteria, to subcontractors at all levels in the supply chain that are responsible for buying or selling electronic parts or assemblies containing electronic parts, or for performing authentication testing.
- A process for keeping continually informed of current counterfeiting information and trends.
- A process for screening GIDEP reports and other credible sources of counterfeiting information.
- Control of obsolete electronic parts.
The final rule supplements the propose rule by providing additional guidance regarding the “traceability” and “reporting/quarantining” criteria. Contractors’ traceability process “shall include certification and traceability documentation developed by manufacturers in accordance with Government and industry standards; clear identification of the name and location of supply chain intermediaries from the manufacturer to the direct source of the product for the seller; and where available, the manufacturer’s batch identification for the electronic part(s), such as date codes, lot codes or serial numbers.” DFARS 252.246-7007(c)(4). Contractors may use item unique identification (IUID) as the traceability mechanism, but — if they do so — they must comply with the marking requirements of DFARS 252.211-7003, Item Unique Identification and Valuation.
Reporting of counterfeit or suspect counterfeit electronic parts must be made to the contracting officer and to the Government-Industry Data Exchange Program (GIDEP), and the trigger for reporting is “when the Contractor becomes aware of, or has reason to suspect that, any electronic part or end item, component, part, or assembly containing electronic parts purchased by the DOD, or purchased by a Contractor for delivery to, or on behalf of, the DOD, contains counterfeit electronic parts or suspect counterfeit electronic parts.” DFARS 252.246-7007(c)(6). Thus, a contractor would be required to report the discovery of a counterfeit or suspect counterfeit part even if the item containing the part at issue has not yet been delivered to the Government, so long as the item containing the part was “purchased for delivery to” DOD.
The proposed regulations did not describe the standards DOD would use to evaluate contractor systems for compliance with the system criteria, and DOD again declined to provide that guidance to contractors as part of the final regulations. Instead, DOD advised contractors seeking more guidance on the approval standards for counterfeit electronic parts detection and avoidance systems to await the publication of the ‘‘Counterfeit Detection and Avoidance System Checklist’’ that is still being developed by DCMA. It does not appear from the discussion accompanying the final regulations that DOD intends to follow notice-and-comment rulemaking procedures in adopting the DCMA “Counterfeit Detection and Avoidance System Checklist,” which would be necessary to afford contractors an opportunity to weigh in on, and possibly help shape, the standards against which their systems will be evaluated.
Clarification of Coverage of Commercial Item Subcontracts and Small Business Subcontractors
The contract clauses imposing the requirement for a counterfeit electronic parts detection and avoidance system apply directly only to contracts covered by the Cost Accounting Standards (CAS). Yet that limitation does not insulate smaller companies or companies that are not themselves subject to CAS coverage from the impact of these rules. One of the requirements of the regulations is that CAS-covered contractors flow these anti-counterfeiting requirements down throughout their supply chains. The final rules clarify that this flowdown requirement applies to all subcontracts for electronic parts or assemblies containing electronic parts, including subcontracts for commercial items and subcontracts with small businesses.
Thus, any company supplying electronic parts, or products containing electronic parts, to one of the major defense contractors – or even to a company that is in one of the major defense contractors’ supply chains — will be confronted with purchase order terms and conditions requiring the adoption and implementation of similarly complex procedures to detect and avoid counterfeit electronic parts. Those purchase order terms and conditions will likely also include requirements that the supplier provide certifications of authenticity of supplied parts, provide information tracing the “pedigree” of the part back to the original manufacturer (to comply with the system criterion on electronic part traceability), and indemnify the upstream customer for any damages resulting from the later discovery of a counterfeit or suspect counterfeit electronic part in the products supplied, a degree of potential liability that many downstream suppliers (particularly smaller firms or commercial item suppliers) may not be willing to assume.
This broad flowdown requirement poses several issues for contractors that are not fully resolved by the final rule. Given the mandatory nature of the flowdown requirement, contractors may not be able to use commercial item suppliers who refuse to accept the flowdown requiring the supplier to adopt a counterfeit electronic part detection and avoidance system meeting the twelve system criteria specified in the DFARS final rule. Thus, the flowdown requirement could deprive contractors (and DOD) of access to the benefits of commercial technology and products. Nor does the final rule provide guidance regarding how contractors will be expected to monitor their suppliers’ compliance with the flowdown requirements. Contractors themselves will have their counterfeit electronic parts detection and avoidance systems reviewed by DCMA; will contractors be expected to perform their own reviews of subcontractor systems?
DOD Declines to Expand the Limited and Ineffectual “Safe Harbor” Provided by Congress
One of the more disappointing aspects of the final regulations was DOD’s unwillingness to expand the proposed regulations’ limited “safe harbor” provision. Contractors sought an expanded “safe harbor” provision to protect them from the harsh application of the new cost principle establishing as unallowable the cost of counterfeit electronic parts and suspect counterfeit electronic parts, and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts. DOD contended its hands were tied by Congress, and that it could not expand the limited “safe harbor” provision Congress provided in Section 833 of the FY 2013 NDAA.
Under that limited “safe harbor” provision, a contractor can recover the costs of rework or corrective action related to a counterfeit or suspect counterfeit electronic part only if: (i) the counterfeit or suspect counterfeit electronic part was provided to the contractor as Government-furnished property (GFP); (ii) the contractor has in place a DOD-reviewed and –approved system to detect and avoid counterfeit and suspect counterfeit parts; and (iii) the contractor provides timely (i.e., within 60 days after the contractor becomes aware) notice to the Government of the discovery of the counterfeit or suspect counterfeit part. The use of the conjunctive “and,” rather than the disjunctive “or,” indicates that this “safe harbor” is only available if all three of the conditions are met.
This “safe harbor” provision is better than nothing — but only marginally so. Even under this “safe harbor” provision, a contractor remains liable for the cost of repairing and replacing a counterfeit partthat the Government itself furnished to the contractor as GFP, if the contractor has not already had its counterfeit electronic parts detection and avoidance system reviewed and approved by DOD, a process that could take several years given the number of contractors DCMA will need to review and the current lack of a DCMA checklist to conduct the evaluation.
While DOD arguably has the authority to expand upon the limited “safe harbor” Congress carved out in the FY 2013 NDAA, it is clear from DOD’s discussion of comments on the “safe harbor” provision that DOD feels constrained by Congress’s unwillingness to legislate a broader “safe harbor.” Thus, contractors seeking a more effective “safe harbor” provision will need to focus their efforts on Congress.
Immediate Implications for Defense Contractors and Suppliers
Final Rules Immediately Effective For New Contracts
The final rule is effective immediately, meaning that these contract clauses will be incorporated in newly awarded CAS-covered contracts. However, as discussed below, these provisions will not apply — absent a contract modification — to contracts awarded prior to May 6, 2014. To ensure their ability to comply with the requirements of the final rule in newly awarded contracts, contractors should immediately review their existing counterfeit electronic parts detection and avoidance systems against the system criteria required under DFARS 252.246-7007. If a contractor is not already registered as a member of GIDEP, it should do so immediately in order to be able to monitor reports regarding discovery of counterfeit electronic parts and file its own reports if the need arises.
Impact on Existing Inventory of Electronic Parts
In its response to comments on the proposed regulations, DOD indicated that it intends to apply the new rules regarding traceability and authentication to a contractor’s existing inventory of electronic parts, except for parts that were “procured in connection with a previous DOD contract.” DOD’s refusal to “grandfather” electronic parts already on the shelf from the new traceability and authentication requirements may limit contractors’ ability to use existing electronic parts inventory on newly awarded DOD contracts, given that contractors may not be able to demonstrate the required traceability of such parts through the various intermediaries in the supply chain.
Application to Existing Contracts Through Contract Modification
While the new contract clauses do not automatically apply to contracts awarded prior to May 6, 2014, contractors may face requests by DOD to incorporate the new clauses into existing contracts through a contract modification. If faced with such a request, contractors should carefully consider the cost impact and feasibility of including these new requirements in an existing contract — particularly given that contractors may not be able to establish compliance with all twelve system criteria for electronic parts contractors purchased before the final rules were adopted. Given the substantial new burdens imposed on contractors and their suppliers by these new final rules, contractors should resist efforts by DOD to characterize the incorporation of the new clauses into an existing contract as a “no-cost” administrative modification.