G

Summarization of Relevant Past Reports on USAF and DoD Microelectronic Supply Chain

DEFENSE SCIENCE BOARD TASK FORCE ON HIGH-PERFORMANCE MICROCHIP SUPPLY REPORT (2005)

A 2005 report from the Defense Science Board (DSB) examined the U.S. microelectronics supply chain and focused on leading-edge microelectronics with defense applications.¹ The DSB task force found that the Department of Defense (DoD) and its suppliers “face a major integrated circuit supply dilemma that threatens the security and integrity of classified and sensitive circuit design information, the superiority and correct functioning of electronics systems, system reliability, continued supply of long system-life and special technology components.” The task force emphasized the need to make semiconductor technology and manufacturing leadership a national priority. The report’s recommendations are summarized below.

• DoD must determine classes of integrated circuits (ICs) incorporated in its weapon systems and other key mission products that require trusted sources and how many such circuits are needed. This requires that DoD identify device and technology types of microelectronics devices that require trusted sources as well as the length of time it will need such special

___________________

¹ U.S. Department of Defense, 2005, Defense Science Board Task Force on High-Performance Microchip Supply Report, February, https://www.acq.osd.mil/dsb/.

• supply arrangements. This identification must include the full range of technologies needed for DoD as well as its suppliers.

• Accurate characterization and assessment of adversaries’ “dirty tricks” is essential to develop an effective U.S. counter-tamper strategy. The task force addressed many of these issues relative to the security challenges of information sharing, but opportunities, methods, and threats change continuously. The Under Secretary of Defense for Research and Engineering (DDR&E) in conjunction with the Intelligence Community should develop risk-mitigating technical approaches to support the risk management function. DDR&E should take the lead in defining the requirements and making the necessary investments to realize the needed security breakthroughs.
• To assure DoD access to leading-edge trusted manufacturing facilities, the United States needs a broad national effort to offset foreign policies designed to encourage movement of leading-edge semiconductor manufacturing facilities to offshore locations. A coherent U.S. policy response to counter the extensive intervention by foreign governments to encourage local investment in the semiconductor industry.
• The task force recommends that DoD, directed by the Secretary and the Undersecretary for Acquisition, Technology, and Logistics, lead in guaranteeing that its needs are supported by ensuring that U.S. policy and industry together transform and enhance the U.S. position in onshore microelectronics. Providing for assured supplies by DoD contracts with today’s trusted foundries helps solve the immediate problem but is only a temporary measure; foundry agreements will not address the structural issue of funding research that will sustain our information superiority. Long-term national security depends upon U.S.-based competitiveness in research, development, design, and manufacturing. DoD should advocate that these are not only DoD objectives but also national priorities.
• Led by the Under Secretary of Defense for Acquisition and Sustainment (USD(AT&L)), DoD and its military departments/agencies, working with their system suppliers, must develop a plan of action that encompasses both short- and long-term technology, acquisition, and manufacturing capabilities needed to assure ongoing availability of supplies of trusted microelectronic components. This plan of action requires both a steady-state vision and implementation plans for both standard and special technology components.
• The Wassenaar Arrangement covering exports of sensitive, leading-edge semiconductor manufacturing equipment (SME) is not an effective tool for assuring that potential adversaries do not have access to leading-edge design and wafer fabrication equipment, technology, and cell libraries. The United States should act to strengthen export rules.

• Semiconductor technology and manufacturing leadership is a national priority that must be maintained if the U.S. military is to continue to lead in applying electronics to support the warfighter. An integral part of that leadership is the close coupling of manufacturing with the development of advanced technology and the design of leading-edge ICs. This can best be achieved if development and manufacturing are co-located.
• DDR&E should take another look at application-specific integrated circuit (ASIC) production and formulate a program to address barriers to low-to medium-volume custom IC production. This program will require a dedicated joint effort by all participants in ASIC production—designers, fabricators, and equipment makers. Such an effort could be similar to SE-MATECH, the industry-initiated, DARPA-supported consortium.
• Continued development of new programmable technologies is key to sustaining U.S. leadership. To support these developments, DoD should:
  • Partner with industry and with other government agencies, especially the National Science Foundation (NSF) and Homeland Security, to fund university research that will ensure the domestic supply of scientists and engineers who are skilled in the development and use of programmable hardware;
  • Foster the voluntary exchange of best counter-tampering practices for assuring trust of standard programmable hardware among government and U.S. commercial semiconductor developers through the creation of courseware and industry information exchange programs; and
  • Institute a targeted program in the area of firmware integrity to rapidly develop, disseminate, and encourage adoption of improvements to this trust-related aspect of programmable parts, and in conjunction with the above, initiate a research program on “design for trust evaluation” along the lines of prior successful efforts on “design for testability.”
• DoD must continue to support research and development (R&D) of the special technologies it requires. This includes ongoing radiation-hardened and electromagnetic pulse (EMP)-resistant component design and process development. The emergence of requirements for trustworthiness requires new efforts in technologies to embed, assure, and protect component trust. DoD will require additional technology development efforts, including:
  • Reducing barriers to radiation-tolerant “standard” designs;
  • Increasing efforts to develop tamper protection technology; and
  • Developing design and production techniques for disguising the true function of ICs.

DEFENSE SCIENCE BOARD TASK FORCE ON CYBER SUPPLY CHAIN REPORT (2017)

A 2017 report from the Defense Science Board Task Force on Cyber Supply Chain assessed the “organization, missions, and authorities that encompass the use of microelectronics and components in DoD weapons systems.”² The report found that DoD’s weapons systems are at risk from malicious insertion of defects or malware and the potential exploitation of those vulnerabilities. The report also found that the “capital costs of maintaining a DoD-owned Trusted Foundry is not a feasible expense” and that cyber-awakening exercises are key to helping to identify and classify system vulnerabilities. The report’s recommendations are summarized below.

• Military Service Chiefs, with Military Deputies of the Service Acquisition Executives, conduct at least one cyber-awakening exercise per year and use the results of these assessments, in timely training of acquisition, operational, and sustainment personnel.
• USD(AT&L) explore avenues to improve training and standards:
  • The Deputy Assistant Secretary of Defense for Systems Engineering (DASD[SE]) should set standards for criticality that are appropriate for mission assurance.
  • Program managers responsible for program protection plans (PPPs) should complete training (such as DAU ACQ 160) prior to taking command.
• The Defense Intelligence Agency (DIA) coordinate with the Joint Acquisition Protection and Exploitation Cell (JAPEC) to focus its resources on specific targeted, adversarial collection activities.
• USD(AT&L) direct the Defense Standardization Program Office to modernize the Government-Industry Data Exchange Program (GIDEP) reporting system and extend GIDEP to provide information to the Joint Federated Assurance Center (JFAC).
• USD(AT&L) ensure that DoDI 5000.02 makes secure design and realistic risk assessment a core element of PPPs:
  • Each program manager should develop a rigorous security model (naming potential attacks) for weapons systems during specification with mandatory analysis of efficacy verifying that design and implementation will meet security requirements with high assurance.

___________________

² U.S. Department of Defense, 2017, Report of the Defense Science Board Task Force on Cyber Supply Chain, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, February.

• • Each program manager should incorporate a funded in-depth security review of critical systems at key points pre-initial operational capability and during operations with the aims of remediating security flaws and improving acquisition, engineering, operational, or sustainment security. Such reviews should be conducted by a specialized organization or organizations to be established in or endorsed by JFAC.
• USD(AT&L) ensure that DoDI 5000.02 anticipates the need for resilience, ongoing evaluation, and upgrades:
  • Each program manager should specify design elements supporting resiliency, including well-defined interfaces for encapsulated subsystems allowing substitution of alternative or newly hardened implementations as well as procedures and testing to ensure the viability of substitution and upgrade.
  • Each program manager should establish design elements and processes to identify and replace parts or subsystems with known or recently discovered vulnerabilities.
• Deputy Secretary of Defense update the JFAC charter to:
  • Establish JFAC as a DoD-wide hardware and software assurance organization with a mandate to support program management offices, program executive offices, and sustainment activities.
  • Develop prescriptive standards and requirements for hardware and software assurance processes and tools.
  • Provide the program manager and the JFAC Steering Committee with an independent perspective on risk articulated by a peer-level official in JFAC in cases where a program is unable to adhere to standards or requirements.
• USD(AT&L), in coordination with the Military Service Chiefs, require development of a sustainment PPP for designated fielded systems.
• USD(AT&L) direct the establishment of a Hardware CERT to track the reporting and remediation of vulnerabilities in COTS hardware and embedded firmware.
• ASD(L&MR) and DASD(SE) develop and promulgate guidance for the content of the sustainment PPP and the implementation in sustainment processes.
• USD(AT&L) direct programs to acquire a gold standard to test reference parts, and acquire hardware and software data rights for use in diagnosing malicious tampering.
• DASD(SE) should direct JFAC to:
  • Develop a vulnerability database fed by multiple sources (DoD programs, commercial databases, DIA, contractor reports, Hardware CERT analyses).

• • Use data analytics to support detection and characterization of nefarious activity.
  • Incorporate monitoring input and intelligence received from JAPEC regarding exfiltrated design data.
• The task force recommends that USD(AT&L) strengthen life cycle protection policies, enterprise implementation support, and R&D programs. Such efforts will ensure that systems are designed, fielded, and sustained in a way that reduces the likelihood and consequence of cyber supply chain attacks.
• USD(AT&L) work to promulgate new regulations to eliminate the disincentives for industry self-reporting of counterfeits.
• USD(AT&L) and USD(I) charter, fund, and staff JAPEC to:
  • Coordinate intelligence collection requirements for acquisition programs.
  • Coordinate and provide briefings of specific threat activities to targeted programs.
• USD(AT&L) promote PPPs that encompass cradle-to-grave protection for new and existing systems:
  • Assistant Secretary of Defense for Sustainment (ASD(L&MR))³ should revise the Logistics Assessment Guide to include program protection as one of the areas to be reviewed periodically after initial operational capability (IOC).
  • Each PPP should be transitioned to the program manager responsible for sustainment and disposal.
• The task force recommends that USD(AT&L) direct development of sustainment PPPs for critical fielded weapons systems. Military Service Chiefs should designate fielded weapons systems for development of initial sustainment PPPs to demonstrate their effectiveness.
• DARPA and IARPA continue R&D efforts to demonstrate a fully capable solution for split fabrication.
• DASD(SE) issue guidance to ensure the integrity of the design tool chain.
• DMEA continue to provide non-state-of-the-art parts that cannot be obtained commercially without compromising mission performance that also integrate transparently with existing hardware and software.

___________________

³ Formerly known as the Assistant Secretary of Defense for Logistics and Materiel Readiness.

COUNTERFEIT PARTS: DOD NEEDS TO IMPROVE REPORTING AND OVERSIGHT TO REDUCE SUPPLY CHAIN RISK (2016)

A Government Accountability Office (GAO) report from 2016 reviewed DoD efforts to secure its supply from counterfeit parts and the use of the Government-Industry Exchange Program (GIDEP) from 2011 to 2015 and its effectiveness.⁴ The report found that the DoD is not conducting oversight to ensure that defense agencies are reporting as required and that there is no standardized process for establishing how much evidence is needed before reporting suspect counterfeit parts in GIDEP. Furthermore, defense agencies typically limit access of suspect counterfeit GIDEP reports to government agencies, so industry is not aware of the potential counterfeiting issues identified. DoD policy does not include guidance about when access to these reports should be limited. The report’s recommendations are summarized below.

• Develop a standardized process for determining the level of evidence needed to report a part as suspect counterfeit in GIDEP, such as a tiered reporting structure in GIDEP that provides an indication of where the suspect part is in the process of being assessed.
• Establish mechanisms for department-wide oversight of defense agencies’ compliance with the GIDEP reporting requirement.
• Develop guidance for when access to GIDEP reports should be limited to only government users or made available to industry.
• Clarify for industry the criteria by which DoD will assess contractor counterfeit detection and avoidance systems.

AIR FORCE SPACE COMMAND SUPPLY CHAIN RISK MANAGEMENT OF STRATEGIC CAPABILITIES (2018)

A report from the DoD Inspector General’s Office from 2018 assessed whether the USAF’s Space Command “implemented an adequate supply chain risk management program for critical strategic systems”—Space-Based Infrared System, USAF Satellite Control Network, Advanced Beyond Line-of-Sight Terminals, and the Global Positioning System.⁵ The report found that Space Command, while establishing some initiatives, did not fully implement the DoD supply chain risk management policy. Specifically, Space Command did not take the necessary steps to:

___________________

⁴ U.S. Government Accountability Office, 2016, Counterfeit Parts: DoD Needs to Improve Reporting and Oversight to Reduce Supply Chain Risk, Washington, DC, February.

⁵ U.S. Department of Defense, Inspector General, 2018, Air Force Space Command Supply Chain Risk Management of Strategic Capabilities, Washington, DC, August.

• Establish controls and oversight necessary to conduct a thorough criticality analysis and identify all critical components and associated suppliers to manage risks to the system.
• Submit complete and accurate requests for threat assessments on critical components.
• Require the purchase of all application-specific integrated circuits from trusted suppliers using trusted processes that are accredited.
• Ensure the use of rigorous test and evaluation capabilities.

The overarching recommendation of the report is that the USAF develop and execute a plan of action to comply with DoD supply chain risk management policy. The report’s recommendations are summarized below.

• The Air Force Space Command Commander develop a plan of action, with milestones, for the Space-Based Infrared System to comply with DoD supply chain risk management policy.
• Establish controls and oversight and require personnel to develop internal procedures or establish contract requirements to improve the accuracy of the requests for supplier threat assessments and require the prioritization of the critical components on the requests and the inclusion of all key information needed by [REDACTED] to conduct the assessments.
• Establish controls and oversight and require personnel to develop internal procedures or establish contract requirements to ensure the use of rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing … and require establishment of verification and validation procedures for critical logic-bearing hardware, software, and firmware.
• Establish controls and oversight and require personnel to develop internal procedures or establish contract requirements to improve the accuracy of the critical components list to manage risks to the Space-Based Infrared System throughout its life cycle and require the identification of all critical logic-bearing hardware, software, and firmware, and the associated suppliers.
• Establish controls and oversight and require personnel to develop internal procedures or establish contract requirements to determine the risk posture and potential mitigations for all ASICs not procured from a trusted supplier using trusted processes that are accredited.

DELIVER UNCOMPROMISED: A STRATEGY FOR SUPPLY CHAIN SECURITY AND RESILIENCE IN RESPONSE TO THE CHANGING CHARACTER OF WAR (2018)

A 2018 report from the MITRE Corporation examined DoD’s microelectronics supply chain.⁶ The report found that “cyber and supply chain vulnerability extends well beyond DoD, across government and into the private sector” but that “DoD has potentially decisive influence in this space.” The report also identified legislation as a critical, and often neglected, element and adversaries as “actively exploiting seams and shortcomings in areas such as information sharing, threat detection, and acquisition transparency.” The report calls on DoD to “articulate an end-state or strategic endpoint to serve as a ‘North Star’ to guide and measure progress.” The report’s recommendations are summarized below.

• Execute a campaign for education, awareness, and ownership of risk.
• Elevate security as a primary metric in DoD acquisition and sustainment.
• Establish independently implemented automated assessment and continuous monitoring of defense industrial base (DIB) software.
• Institute innovative protection⁷ of DoD system design and operational information.
• Institute industry-standard information technology (IT) practices in all software developments.
• Require vulnerability monitoring, coordinating, and sharing across the supply chain of command.
• For resilience, employ failsafe mechanisms to backstop mission assurance.
• Form a whole-of-government National Supply Chain Intelligence Center (NSIC).
• Identify and empower a chain of command for supply chain with accountability for security and integrity to the Deputy Secretary of Defense DEPSECDEF.
• Centralize Supply Chain Rick Management–Threat Assessment Cell (SCRM-TAC) with the industrial security/CI mission owner under DSS and extend DSS authority.
• Increase DoD leadership recognition and awareness of asymmetric warfare via blended operations.
• Advocate for litigation reform and liability protection.
• Ensure supplier security and use contract terms.

___________________

⁶ MITRE Corporation, 2018, Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, August, https://www.mitre.org.

⁷ “Innovative protection” refers to the adoption of industry’s mindset (i.e., processes, procedures, and concepts) when considering IP protection.

• Extend the 2015 National Defense Authorization Act (NDAA) Section 841, Authorities, for “Never Contract with the Enemy.”
• Advocate for tax incentives and private insurance initiatives.

CYBER VULNERABILITIES OF EMBEDDED SYSTEMS ON AIR AND SPACE SYSTEMS (2015)

A 2015 study by the USAF Scientific Advisory Board (SAB) assessed the use of embedded systems and potential vulnerabilities and specific attack vectors that could affect them.⁸ The SAB, in conducting the report, considered the difficulties of implementing specific attacks and how such attacks may be identified and mitigated. The report found that embedded systems face distinct challenges separate from networked IT and commercial embedded systems (e.g., auto, aircraft, industrial control) but can leverage their lessons learned. Conventional protective strategies are insufficient to mitigate current cyber vulnerabilities. The Air Force does not currently have sufficient embedded system expertise to provide long-term vulnerability mitigation across the acquisition life cycle against an adaptive threat. While the panel concluded that there is no silver-bullet solution, there is a broad-based set of immediate actions that can significantly mitigate embedded system cyber risk above and beyond basic hygiene. The report’s recommendations are summarized below.

• Ensure software integrity: Employ digital signatures/code signing. Require future systems to cryptographically verify all software/firmware as it is loaded onto embedded devices.
• Employ hardware/software isolation and randomization to reduce embedded cyber risk and improve software agility even for highly integrated systems.
• Develop and deploy continuously verifiable software techniques (e.g., dynamic attestation).
• Mandate inclusion of software assurance tools/processes and independent verification and validation using appropriate standards as part of future contracts for all USAF systems. Use best commercial code tools and languages.
• Adapt Air Force Life Cycle Management Center cyber-resiliency requirements process to embedded systems.

___________________

⁸ Air Force Scientific Advisory Board, 2015, Cyber Vulnerabilities of Embedded Systems on Air and Space Systems, https://www.scientificadvisoryboard.af.mil/.

• Protect design/development information. Implement security procedures sufficiently early that protection against exfiltration and exploitation is consistent with the eventual criticality of the fielded system.
• The Air Force should work with defense microelectronics agencies to deploy trusted methods compatible with offshore manufacturing.
• Develop situational awareness hardware and analysis tools to establish baseline embedded operational patterns and inform best mitigation strategies.
• Develop and deploy formal-method software assurance tools and processes specific to USAF embedded systems.