At a recent symposium in Washington D.C. both Senator John McCain and former Attorney General Eric Holder addressed the procurement and enforcement challenges faced by the government and contractors, and several panels of leading experts discussed a wide variety of topics ranging from cybersecurity developments to contractor responsibility. The full-day program also offered a series of break-out sessions focused on operational business considerations, including the increasing importance of contractor supply chain management. That topic now appears to have been particularly timely in light of DoD’s September 21, 2015 announcement of a new proposed rule addressing counterfeit electronic parts in contractor supply chains.
The new proposed rule is further implementation of section 818 of the 2012 National Defense Authorization Act (“NDAA”), which required the Secretary of Defense to assess DoD’s “acquisition policies and systems for the detection and avoidance of counterfeit electronic parts.” As discussed below, because the proposed rule would impose new substantive sourcing requirements and apply far more broadly than existing regulations, it would, if adopted, further increase the overall compliance burden on the defense contracting community.
Existing Counterfeit Electronic Parts Rule
On May 6, 2014, the Department of Defense issued a final rule, codified in at DFARS 252.246-7007, that required covered DoD contractors to establish a risk-based counterfeit electronic part detection and avoidance system. As we have previously outlined, the rule requires these detection and avoidance systems to address twelve enumerated areas, each of which supports the overarching goal of keeping counterfeit electronic parts out of the supply chains of DoD contractors. The existing rule does not provide detailed guidance for how a contractor should implement each of these twelve areas. In response to comments from contractors that additional guidance would be helpful, DoD stated that the responsibility for implementation falls on the contractor who must “establish[] a risk-based counterfeit detection and avoidance system” that reflects its unique circumstances. If a covered contractor fails to meet these minimum system criteria, its purchasing system may be disapproved and/or payments may be withheld for an inadequate business system.
The inclusion of DFARS 252.246-7007 is mandatory for all DoD contracts for the procurement of electronic parts (or end items and components containing electronic parts) and related services, but the rule’s requirements are operable only where the prime contractor is subject to full or modified coverage under the Cost Accounting Standards (“CAS”).[1] Notably, the existing rule expressly does not apply to contracts that are set aside for small business concerns.
Substance of Proposed Rule
The new proposed rule, if adopted, would have a significant impact on the DoD contracting community because it adds substantive sourcing restrictions to the existing requirement to develop a detection and avoidance system for counterfeit electronic parts. At the heart of these restrictions is the requirement that DoD contractors obtain electronic parts only from “trusted suppliers.” The trusted supplier concept would be new to the DFARS, and the proposed rule defines it to mean any of the following four categories of suppliers:
-
The part’s original manufacturer;
-
The part’s “authorized dealer” (also a new concept, defined to mean “a supplier with . . . a contractual arrangement with the original manufacturer . . . to buy, stock, re-package, sell, and distribute its product lines”);
-
Any supplier that obtains the part exclusively from the part’s original component manufacturer or an authorized dealer; and
-
Any “supplier that a contractor or subcontractor has identified as a trustworthy supplier, using DoD-adopted counterfeit prevention industry standards and processes.”
The only exception to the “trusted supplier” requirement would arise where it is “not possible” to obtain electronic parts from a trusted supplier. In that event, the proposed rule requires a contractor to notify the cognizant Contracting Officer and then assume responsibility for the “inspection, testing, and authentication, in accordance with existing applicable industry standards,” of any electronic parts obtained from sources other than a trusted supplier. The proposed rule also contemplates further rulemaking to establish qualification requirements pursuant to which DoD may identify trusted suppliers, and a second DFARS case, “DoD Use of Trusted Suppliers for Electronic Parts,” has been opened for this purpose.
Aside from the “trusted supplier” sourcing requirement, the proposed rule also offers additional clarification on the traceability expectations for DoD contractors. Existing regulations provide that covered DoD contractors must be able to trace their supply chain of electronic parts back to the original manufacturer, but DoD intentionally did not mandate specific traceability processes or standards when promulgating those regulations. Consistent with the approach taken by the existing rule, the proposed rule would clarify that the processes used by DoD contractors to establish traceability must be “risk based,” taking into consideration the probability of receiving a counterfeit electronic part, the probability that inspection or testing will detect a counterfeit electronic part, and the potential negative consequences of a counterfeit part being installed. The proposed rule further provides that if a Contractor cannot establish traceability from the original manufacturer for a specific part, it must “complete an evaluation that includes consideration of alternative parts or utilization of test and inspections commensurate with the risk.” The proposed rule does not provide specific guidance on what must be considered in these evaluations.
Applicability and Scope of Proposed Rule
Although the proposed rule’s substance can be summed up by the “trusted supplier” and traceability concepts, its applicability and scope may well generate more discussion—and consternation—among those in the defense contracting community. The existing counterfeit electronic parts regulations apply only to CAS-covered contractors and their subs and were expressly not applicable to small business set-aside acquisitions. In contrast, the proposed rule would apply to all contracts and subcontracts for electronic parts, of any size and at any tier, regardless of the applicability of CAS. There is no carve-out for small business set-asides, and the announcement accompanying the proposed rule explicitly states that it applies even to contracts below the simplified acquisition threshold and for commercial or COTS items. The inevitable consequence is that the obligation to avoid counterfeit electronic parts into the supply chain is now the responsibility of all contractors, from the largest of the major primes to the tiniest of lower-tier subs supplying components for commercial items.
But the news for DoD contractors is not all bad. Although the proposed rule would significantly expand the applicability of counterfeit electronic parts regulations, it also would narrow the scope of the obligations imposed on contractors in one important respect. One of the more troublesome aspects of the existing regulations is that the term “electronic part” is defined to include “embedded software or firmware,” a definitional quirk that industry representatives have consistently assailed as overly broad and unworkable. The proposed rule, however, would remove this clause from the definition of electronic part—both for the existing regulations and the proposed rule—in recognition of the fact that “[f]urther industry standards are still under development to address testing of embedded software or firmware in electronic parts.” This change, which DoD acknowledges was prompted by “robust discussion” at a 2014 public meeting, underscores the value of and potential impact of industry engagement in the rulemaking process.
Next Steps
The proposed rule is certain to be the subject of interest and debate in the coming months, and DoD is accepting comments on the rule until November 20, 2015. Moreover, there is little doubt that further action in this area is coming. As noted above, a second DFARS case has been opened to establish qualification requirements for trusted suppliers, and a status report on that effort is due October 21, 2015. Members of the defense contracting community would be well advised to continue to closely monitor developments and to assess the need to calibrate their operations and compliance programs accordingly.
[1] But note that if the prime contractor is CAS covered, every lower-tier contractor is also bound by the rule, regardless of the lower-tier contractors’ CAS status.