DoD proposes anti-counterfeit IT measures

Tools

The Defense Department has proposed updating its acquisition regulations to require major contractors subject to cost accounting standards – and their large subcontractors – to have anti-counterfeit avoidance and detection systems in place for electronic parts.

The long-awaited proposal, issued mid-May, would implement requirements from the fiscals 2012 and 2013 national defense authorization acts, passed amid concern that counterfeit milspec electronic parts have made their way into weapons systems, potentially undermining their reliability or making them open to a remote cyber attack – although cybersecurity experts have said the risk presented by the latter possibility is relatively low.

The proposal would require companies with cost-reimbursement contracts subject to cost-accounting standards (a requirement that can't be valid for contracts worth less than $700,000) to mount an acceptable anti-counterfeiting effort that would include training, inspection, parts traceability, use of "trusted suppliers" and a methodology to rapidly determine whether a suspect part is, in fact, counterfeit. The proposed rule doesn't define what a trusted supplier would be.

Covered contractors – which automatically excludes small businesses, since under federal regulations, they can never be subject to cost accounting standards, no matter the size of any cost-reimbursement contract they may have – would have to flow those requirements to subcontractors (again, excepting small businesses).

The rule would also prohibit companies from claiming the cost of counterfeit parts as a legitimate cost and make companies liable for the cost of corrective actions or rework. There would be an exception for companies with a Defense Department-approved detection and avoidance system, provided they also gave timely notice to the department about the counterfeit part.

The proposal's definition of a "counterfeit part" has come under some contractor community criticism for being overly-broad, since it includes genuine items that have been misrepresented "by any source to the end-user as meeting the performance requirements for the intended use."

Comments on the rule are due by July 15.

For more:
- go to the proposed rule on the Federal Register

Related Articles:
Counterfeit milspec electronics easily bought online
Global telecom supply chain cyber-attack risk considered low
Country of origin bad heuristic for supply chain risk