Report | May 2, 2022

Evaluation of the Department of Defense’s Transition From a Trusted Foundry Model to a Quantifiable Assurance Method for Procuring Custom Microelectronics (DODIG-2022-084)

Evaluation

Publicly Released: May 4, 2022

Objective

We determined the extent to which the DoD has made the preparations necessary to transition from a trusted foundry model for procuring custom microelectronics to a quantifiable assurance method for procuring custom microelectronics from the commercial market.

 

Background

Microelectronics refers to the design and manufacturing of extremely small electronic components, often in the form of microchips and microcircuits. A foundry is a microchip fabrication facility. Microelectronics are one of the DoD’s top technology modernization priorities.

Section 224 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2020 requires the DoD to establish trusted supply chain and operational security standards for the purchase of microelectronics products by January 1, 2021. Section 224 also requires microelectronics products or services that the DoD purchases on or after January 1, 2023, to meet those standards. Quantifiable assurance is the DoD’s method to achieve these requirements for custom, state-of-the-art microelectronics.

In May 2020, the Director of Defense Research and Engineering for Modernization within the Office of the Under Secretary of Defense for Research and Engineering (OUSD[R&E]) stated that the current method for acquiring custom microelectronics from a trusted supplier (trusted foundry) had failed. The Director further stated that to access state-of-the art microelectronics, the DoD decided to move to a quantifiable assurance method that can leverage commercial industry while maintaining hardware security.

Quantifiable assurance is a method being developed to measurably protect the integrity and confidentiality of custom state-of-the-art microelectronic components. The quantifiable assurance method consists of:

  • a quantitative risk analysis of potential threats;
  • a quantitative risk plan to implement mitigations, and a program justification for residual risks; and
  • an evaluation of the quantitative risk analysis and the quantitative risk plan for completeness and correctness.

 

Finding

The OUSD(R&E) developed plans to transition from a trusted foundry model to a quantifiable assurance method for procuring custom state-of-the-art microelectronics from the commercial market. However, t the OUSD(R&E) is behind schedule for establishing trusted supply chain and operational security standards by the January 1, 2021, deadline, as required by the NDAA for FY 2020.

Specifically, programs and policies already established included:

  • a Joint Federated Assurance Center (JFAC) Charter and Concept of Operations (CONOPS),
  • a JFAC Coordination Center and ticketing portal to route requests for assistance from the program offices,
  • a program to fund the J FAC’s work, and
  • JFAC laboratories designated to support implementation of the quantifiable assurance method.

However, the JFAC Charter and CONOPS predate the creation of the OUSD(R&E) and the OUSD(R&E)’s Principal Director for Microelectronics. The JFAC CONOPS does not provide the Principal Director for Microelectronics with authorities to resolve competing priorities between the program offices requesting JFAC support and insufficient capacity among the JFAC service providers.

In addition, the OUSD(R&E) intended to designate the Naval Surface Warfare Center-Crane Division and the National Security Agency (NSA) as the two co-leads for establishing the quantifiable assurance method. The Naval Surface Warfare Center-Crane Division is managing several prototype projects that test quantifiable assurance procedures. The NSA would provide an analysis of potential threats. However, in April 2021, the Director of the NSA’s Cyber Security Directorate declined the designation of the NSA as a co-lead for the quantifiable assurance method because the NSA could not increase its mission capability in the timeframes required by the OUSD(R&E). NSA personnel acknowledged the need for coordination between the OUSD(R&E) and the Office of the Under Secretary of Defense for Intelligence and Security (OUSD[I&S]) to determine the NSA’s role in the quantifiable assurance method.

In addition, the OUSD(R&E) did not meet the January 2021 deadline established in the FY 2020 NDAA and is still developing the standards and instructions necessary to implement a quantifiable assurance method to procure custom microelectronics. Specifically, the OUSD(R&E) was still establishing:

  • new standards for DoD Custom Integrated Circuits,
  • updates to DoD Instruction 5200.44, and
  • a new DoD policy to implement the quantifiable assurance method.

OUSD(R&E) officials told us that these delays occurred because:

  • the transition to the quantifiable assurance method started in July 2020 and the OUSD(R&E) encountered difficulties in developing and staffing new processes and procedures by the January 1, 2021 deadline established in the FY 2020 NDAA;
  • the coronavirus disease–2019 (COVID-19) pandemic created challenges; and
  • there was turnover of key personnel at the OUSD(R&E) and the NSA.

As a result, the OUSD(R&E) did not establish trusted supply chain and operational security standards for procuring custom microelectronics by January 1, 2021, as required by the NDAA for FY 2020.

 

Recommendations

We recommend that the USD(R&E) update the JFAC Charter and the JFAC Concept of Operations and develop a process to prioritize the quantifiable assurance method efforts of the supporting DoD laboratories.

We also recommend that the USD(R&E), in coordination with the Under Secretary of Defense for Intelligence and Security (USD[I&S]), identify the resources required to support the NSA’s role in the threat analysis for quantifiable assurance or identify another DoD organization capable of performing the role currently assigned to the NSA.

 

Management Comments and Our Response

On February 18, 2022, the OUSD(R&E) Director of Defense Research and Engineering for Modernization, responding on behalf of the USD(R&E), agreed with both recommendations. The Director of Defense Research and Engineering for Modernization stated that to support these recommendations, in October 2021, the Principal Director for Microelectronics added the position of Assistant Deputy Director for Microelectronics for Assurance Standards. Additionally, the Principal Director for Microelectronics updated the strategy for quantifiable assurance policy, guidance, and standards that included feedback from the National Defense Industry Association and the DoD.

On April 21, 2022, the Deputy Under Secretary of Defense for Research and Engineering provided us with a memorandum with additional management comments that he stated are necessary to understand the potential of the quantifiable assurance method. The Deputy Under Secretary stated that it is not possible to create a plan for a transition to a quantifiable assurance methodology until such time as the methodology has been proven to effectively provide required levels of protection. According t o t he Deputy Under Secretary, the impacts on cost, schedule, and performance for programs of record remain to be evaluated. For the complete comments, see the Management Comments appendix at the end of this report.

Additionally, the Deputy Under Secretary stated that we mischaracterized the effectiveness of the trusted foundry model. However, in our report we do not discuss the effectiveness of either the trusted foundry or quantifiable assurance models. Our report focused on the DoD’s transition from the trusted foundry model to the quantifiable assurance method.

Furthermore, documents that OUSD(R&E) officials provided to us at the outset of this evaluation stated that they would “replace outdated security protocols based on ‘Trusted Foundry’ with Quantitative Assurance and Microelectronics Security Standards,” and that the Defense Microelectronics Activity created a team of engineers to help transition the organization to quantifiable assurance and that the trusted certification approach was being phased out. The Deputy Under Secretary did not provide us with any documentary evidence to the contrary.

Lastly, in this report we make no determination on what the DoD’s microelectronics procurement policies should be. We evaluated the status of the OUSD(R&E)’s quantifiable assurance efforts. The conclusions set forth in this report are based on the evidence provided by officials from the OUSD(R&E), the NSA, and the Naval Surface Warfare Center-Crane Division.

The OUSD(I&S) Director for Defense Intelligence, Counterintelligence, Law Enforcement, and Security, responding on behalf of the USD(I&S), agreed to collaborate with the OUSD(R&E) to identify either the resources required to support the NSA’s role, or identify another agency capable of performing that role.

Therefore, both recommendations are resolved, but will remain open. We will close the recommendations when we verify that the actions to implement the recommendations are completed.

 

This report is a result of Project No. D2021-DEV0SI-0003.000