What We Did:
We determined the extent to which the DoD has made the preparations necessary to transition from a trusted foundry model for procuring custom microelectronics to a quantifiable assurance method for procuring custom microelectronics from the commercial market.
What We Found:
The OUSD(R&E) developed plans to transition from a trusted foundry model to a quantifiable assurance method for procuring custom state-of-the-art microelectronics from the commercial market. However, the OUSD(R&E) is behind schedule for establishing trusted supply chain and operational security standards by the January 1, 2021, deadline, as required by the NDAA for FY 2020.
Specifically, programs and policies already established included:
• a Joint Federated Assurance Center (JFAC) Charter and Concept of Operations (CONOPS),
• a JFAC Coordination Center and ticketing portal to route requests for assistance from the program offices,
• a program to fund the JFAC’s work, and
• JFAC laboratories designated to support implementation of the quantifiable assurance method.
However, the JFAC Charter and CONOPS predate the creation of the OUSD(R&E) and the OUSD(R&E)’s Principal Director for Microelectronics. The JFAC CONOPS does not provide the Principal Director for Microelectronics with authorities to resolve competing priorities between the program offices requesting JFAC support and insufficient capacity among the JFAC service providers.
In addition, the OUSD(R&E) intended to designate the Naval Surface Warfare Center-Crane Division and the National Security Agency (NSA) as the two co-leads for establishing the quantifiable assurance method. The Naval Surface Warfare Center-Crane Division is managing several prototype projects that test quantifiable assurance procedures. The NSA would provide an analysis of potential threats. However, in April 2021, the Director of the NSA’s Cyber Security Directorate declined the designation of the NSA as a co-lead for the quantifiable assurance method because the NSA could not increase its mission capability in the timeframes required by the OUSD(R&E). NSA personnel acknowledged the need for coordination between the OUSD(R&E) and the Office of the Under Secretary of Defense for Intelligence and Security (OUSD[I&S]) to determine the NSA’s role in the quantifiable assurance method.
In addition, the OUSD(R&E) did not meet the January 2021 deadline established in the FY 2020 NDAA and is still developing the standards and instructions necessary to implement a quantifiable assurance method to procure custom microelectronics. Specifically, the OUSD(R&E) was still establishing:
• new standards for DoD Custom Integrated Circuits,
• updates to DoD Instruction 5200.44, and
• a new DoD policy to implement the quantifiable assurance method.
OUSD(R&E) officials told us that these delays occurred because:
• the transition to the quantifiable assurance method started in July 2020 and the OUSD(R&E) encountered difficulties in developing and staffing new processes and procedures by the January 1, 2021, deadline established in the FY 2020 NDAA;
• the coronavirus disease–2019 (COVID-19) pandemic created challenges; and
• there was turnover of key personnel at the OUSD(R&E) and the NSA.
As a result, the OUSD(R&E) did not establish trusted supply chain and operational security standards for procuring custom microelectronics by January 1, 2021, as required by the NDAA for FY 2020.
What We Recommend:
We recommend that the USD(R&E) update the JFAC Charter and the JFAC Concept of Operations and develop a process to prioritize the quantifiable assurance method efforts of the supporting DoD laboratories.
We also recommend that the USD(R&E), in coordination with the Under Secretary of Defense for Intelligence and Security (USD[I&S]), identify the resources required to support the NSA’s role in the threat analysis for quantifiable assurance or identify another DoD organization capable of performing the role currently assigned to the NSA.