The US is investing heavily in microelectronics. (Photo by Rudolfs Klintsons via Pexels)
WASHINGTON — The Defense Department should invest more in a data-centric approach called quantifiable assurance to mitigate risks found in the commercial supply chain of microelectronics, while also creating a standards board with the National Security Agency to further the development of the method, according to a new study from the Air Force’s chief scientist.
The congressionally mandated study included a panel of 27 experts to review the office of the under secretary of defense for research and engineering (USD R&E)’s quantifiable assurance efforts — “an emerging approach that includes independent, data centric checks on commercial processes to provide additional assurance” — for microelectronics, which are found in virtually every advanced weapon system.
“To stay ahead of our competitors, the Department of Defense needs access to the commercial supply chain of microelectronics,” William LaPlante, under secretary of defense for acquisition and sustainment (USD A&S) said in a press release. “It is absolutely essential, but it comes with inherent risks. The independent panel review is helping us better understand the risk-based approach we need to take.”
The panel found that a combination of the quantifiable assurance method and the trusted foundry method, which is a more mature approach DoD has been using that “adds security overlays to assure that classified information is not disclosed to unauthorized parties,” are needed to meet the department’s needs.
To put it simply, the trusted foundry method is more human-centric approach that only focuses on the fabrication stage, while the quantifiable assurance approach is data-centric and encompasses the entire lifecycle of microelectronics, according to the report.
RELATED: Better, but still ‘whack-a-mole’: IT industry adapts to supply chain problems, for now
“The human centric approach of [trusted foundry] leaves it vulnerable to integrity and confidentiality violations,” the report says. “This shortcoming can be remedied by requiring [quantifiable assurance] on the underlying commercial process.”
While both methods are needed, there’s still work to be done on quantifiable assurance. The main challenges that DoD faces with this approach is a strategy lacking clearly defined goals, figuring out what specific data is needed, how long the approach takes and the cost, according to the report.
The report points to a pilot program called the Rapid Assured Microelectronics Prototypes (RAMP) as being the department’s “most significant investment to develop and pilot” the quantifiable assurance approach. RAMP aims to “develop a secure design and prototyping capability to demonstrate how the DoD can securely leverage State-Of-The-Art (SOTA) microelectronics technologies without depending on a closed security architecture fabrication process or facility.”
But quantifiable approach “activities as part of the RAMP program are under resourced,” according to the report. “Combined with a lack of a roadmap, this seriously hampers development of the approach.” According to the report, the RAMP pilot began in November 2021 and has extended up to this month.
The panel recommended that DoD should invest more in the quantifiable approach since it can partly address the riskiest stages of microelectronics lifecycle (design, packaging, programming and others), but invest less in the trusted foundry approach, which can partly address the least riskiest stages.
Recommendations aimed at accelerating quantifiable assurance development from the panel included DoD working with the semiconductor intellectual property community “to establish cost effective method to support the evaluation of assurance” and coordinating its development with the CHIPS and Science Act, meant to help onshore microelectronics manufacturing and strengthen the microelectronics supply chain. The CHIPS and Science Act allocated $2 billion specifically for DoD microelectronics, although a year later industry is still awaiting real outcomes from the legislation.
The report also found that no microelectronics assurance executive agent exists “to connect DoD programs with the supply of suitable commercially sourced parts” and that there isn’t a dedicated group focused on “creating, piloting and deploying [microelectronics] assurance standards across the national security community.”
To address these governance gaps, the panel recommended creating a microelectronics assurance executive agent and standards board that would be led by the National Security Agency in partnership with USD R&E, A&S and the military services. The board would be comprised of government officials, the defense industrial base, the semiconductor industry and academia and would work with the executive agent to “evaluate deployment and support evaluation,” among other goals.
