Hardware-Level Zero Trust and Quantifiable Assurance are the Future of Compute and the Global IT Supply Chain

In a fusion of a sub-theme from the OODA Almanac 2024 – Computation is the Ultimate First Principle – and several of the implications from our OODA Stratigame – Scenario Planning for Global Computer Chip Supply Chain Disruption, one thing has become clear: proper national security at the technological level will only be achieved through the 100% quantifiable assurance of the true provenance and global tracking of the components and subcomponent parts of vital physical layer elements of the global IT supply chain – especially semiconductors. The National Defense Industrial Association Electronics Division took a deep dive into Zero Trust for Hardware Supply Chains and On-Shoring Critical Semiconductor Production, Securing the Supply Chain and Providing Access to the Industrial Base. Details below.

Zero Trust for Hardware Supply Chains: Challenges in Application of Zero Trust Principles to Hardware

A discussion by the Electronics Division of Zero Trust and Quantifiable Assurance concepts as related to microelectronics to promote broader dialog on the complexities facing the Defense Industrial Base regarding these controversial topics.

This white paper facilitates a broader understanding of Zero Trust and the challenges for application to hardware and supply chain assurance. Its purpose is to facilitate a high-level understanding of zero trust principles, to foster necessary dialog for understanding what it will take to apply these principles to the microelectronics domain, including the need to demonstrate and prove techniques, prior to implementing specific guidance in acquisition policy.

Executive Summary

Overview

The NDIA Electronics Division, Defense Industrial Base and Policy subcommittee solicited feedback from our traditional and non-traditional defense industry members based on a set of questions developed from recent engagements with the US Government (USG) Office of the Secretary of Defense (OSD) Microelectronics Stakeholders and Congressional Staffers. These included Ms. Nicole Petta (Principal Director for Microelectronics at Research & Engineering (R&E)), Dr. Christine Michienzi (Chief Technology Officer for Industrial Policy at Acquisition & Sustainment), Dr. Matthew Kay (Air Force Research Lab Trusted & Assured Microelectronics Project Lead, Strategic Rad Hard Electronics Council Executive Secretariat, OUSD R&E), Jon Cardinal (Office of Senator Chuck Schumer), Flynn Rico-Johnson (Office of Congresswoman Doris Matsui), Claire Sanderson (Office of Senator John Cornyn), and others. Several key U.S. Government (USG or Government) interests and opportunities for industry members to provide feedback were identified.

These include improving commercial industry engagements, leveraging Public-Private Partnerships (PPP), and supporting the simplification of DoD Procurement standards and metrics. Actions based on the

  • American Foundries Act,
  • CHIPS For America Act; and
  • 2021 National Defense Authorization Act… were also discussed.

These bills represent a watershed moment for USG investments in strengthening domestic Microelectronics capabilities and supply chains with potential funding levels of tens of billions of dollars. The USG and NDIA Electronics Division members recognize that the significant gap between on and offshore U.S. Microelectronics capabilities, particularly in key areas, such as leading-edge lithographic node semiconductor fabrication, packaging, and test capabilities, presents severe risks to U.S. national security and competitiveness. In addition, the coronavirus pandemic has further exposed existing grave supply chain weaknesses, including heavy U.S. reliance on high risk, off-shore sources for critical parts and materials. The major role that adversarial foreign nations, in particular China, play in our critical supply chains is in direct conflict with domestic critical infrastructure security, economic interests and U.S. national security.

Major Recommendations

To address these challenges, we propose a close collaboration among Government and commercial industry partners to address the following recommendations:

  • Take concrete steps to better align USG business and funding practices with those of commercial Industry.
  • Create processes to consolidate and forecast USG full lifecycle demand and technology needs at least semi-annually to better align with commercial industry planning cycles.
  • Identify ways that USG Federal Acquisition Regulations, DoD procurement standards, logistics, export control, security requirements, etc. can be simplified without legislative action; assist the Executive Branch in making these changes within six months.
  • Achieve comprehensive Export Control reform.
  • Develop clear and well-defined supply chain protection and security standards.
  • Restrict USG contract awards to trusted and assured on-shore supply chains, inclusive of sub-tiers, when available.
  • Improve intellectual property ownership and use rights to better incent commercial industry to partner with the Government for robust IP portfolio development, while addressing USG needs for IP protection for critical mission application.
  • Implement procurement standards and metrics that define targeted security requirements and drive actions to incent adjacent commercial market demands and require secure products for use in critical infrastructure, AI, 5G, and related markets for use in the United States.
  • Expand existing and develop new, pre-competitive Public-Private Partnership organizations in workforce development, R&D, design, fabrication, packaging, and test infrastructure involving both academia and industry (small and large).
  • Fully leverage existing onshore assets and take better advantage of current infrastructure and workforce to optimize investment outcome.
  • Identify and prioritize semiconductor and advanced packaging, assembly and test needs, gaps, and investments across the lifecycle for all semiconductor processes and nodes.
  • Ensure that the defense industrial base is represented on all advisory panels and technology councils mentioned in the CHIPS for America Act, The American Foundries Act, and the FY2021 NDAA.
  • Explore opportunities to collaborate with allied nations in semiconductor R&D, design, and manufacturing to fill critical gaps.
  • Increase coordination of semiconductor R&D and manufacturing programs conducted across various government agencies.
  • Build on The Decadal Plan for Semiconductors, which outlines semiconductor research priorities across seismic shifts and recommends an additional federal investment of $3.4 billion annually across these five areas.
  • Build a portfolio strategy for ensuring the integrity of DoD system custom ICs that includes appropriate use of the Trusted Supplier Program and Quantifiable Assurance techniques.
  • Fully fund CHIPS/AFA so the legislation may be implemented rapidly.

For this full NDIA report, see Zero Trust for Hardware Supply Chains: Challenges in Application of Zero Trust Principles to Hardware.

How to On-Shore Critical Semiconductor Production, Secure the Supply Chain, and Provide Access for the Industrial Base

This White Paper addresses US Government and Semiconductor Industry shared interest to establish a robust, on-shore, supply chain. Findings include increased flexibility in acquisition and commercialization of Government and Industry critical technologies and a recommendation for rapid update of policies, along with closely coordinated actions, to counter global realities and mitigate and reverse off-shoring trends.

Holistic demand signals and improved industry standards are necessary to optimize the domestic ecosystem. This paper is for the purpose of stimulating constructive dialog and does not represent an official position of member companies or NDIA.

Recommendations 

Recommendations are based on input from NDIA Electronics Division members and organized to align with the findings in the previous section. These include suggestions to align Industry and Government business practices, improving Public-Private Partnerships, and optimizing DoD Procurement Standards:

  1. Need for Speed: Establish a New Paradigm and Better Alignment for Commercial Industry and DoD Business Practices;
  2. Create Public-Private Partnerships That Meet the Needs of the Full Microelectronics Ecosystem; and 
  3. Need for Clarity: Develop and Implement Comprehensive Government (including DoD) Microelectronic Procurement Standards and Metrics.

Conclusions

Through this document, suggestions from NDIA Electronics Division Stakeholders representing commercial Industry were presented to provide a clear set of actions, which when put into practice, will lead to better outcomes and cooperation. Specifically, we suggest:

  • Tight coordination of policy and actions across commercial Industry and Government
  • Rapid update of policies to match current global realities
  • Seek out and exploit technology adjacency where possible and cover the cost of additional deviation
  • Increased flexibility in acquisition, execution, protection, and commercialization of Government and commercial Industry critical technologies
  • New and improved industry standards, which accurately and thoroughly describe requirements to achieve demand for an optimal domestic production ecosystem.

If these recommendations are implemented, holistically and comprehensively, through open dialogue and coordination between, and across, Government with commercial industry, the Nation can accelerate sustained long-term leadership and technological dominance. This will directly improve nationally-critical infrastructure, national security, and technological posture while accelerating, reinforcing, and growing the domestic capabilities necessary for leadership and sustained Microelectronics domination.

What Next?

The Future of Zero Trust for Hardware Supply Chains, Onshoring Production of Semiconductors and Scenario Planning for Global Computer Chip Supply Chain Disruption

The future of Zero Trust in hardware supply chains and the onshoring of semiconductor production are not just about mitigating immediate risks but are fundamentally about reshaping the strategic landscape of technology and national security: 

  1. Starting with Zero Trust, its application extends beyond software and IT environments to the very heart of hardware supply chains. The principle of “never trust, always verify” is crucial when considering the complex networks involved in semiconductor manufacturing. Zero Trust in this context means ensuring that every component, every transaction, and every access point in the supply chain is verified and secure. This approach is essential for preventing espionage and sabotage and ensuring the integrity and reliability of the hardware components critical to everything from consumer electronics to national defense systems.
  2. The implementation of Zero Trust in hardware supply chains requires a multifaceted strategy. It involves securing the manufacturing processes, validating the authenticity of components, and implementing rigorous access controls and continuous monitoring systems. These measures help mitigate risks such as counterfeit components or tampering during manufacturing, which can have severe implications for functionality and security.
  3. Conversely, the onshoring of semiconductor production represents a strategic shift aimed at reducing dependency on foreign sources, which has been highlighted as a significant vulnerability for the U.S.  The push for onshoring is driven by the need for greater control over the supply chain, enhanced economic security, and the fostering of domestic technological capabilities. This move is about mitigating risks and seizing the opportunity to bolster the U.S. position in global technology leadership.

Further OODA Loop Scenarios

Scenario planning for global computer chip supply chain disruption, as we’ve conducted in our Stratigame, involves considering various future states where these strategies might play out:

  • For instance, one scenario might involve a successful transition to a predominantly onshored semiconductor industry in the U.S., supported by robust Zero Trust protocols that effectively secure the supply chain from external threats and internal vulnerabilities. This scenario would likely lead to enhanced national security and economic stability.
  • Another scenario could consider the challenges and potential failures in implementing these strategies. This might include resistance from global partners, trade conflicts, or technological hurdles that delay or diminish the effectiveness of onshoring and Zero Trust measures. Such a scenario would necessitate reevaluating strategies and possibly a greater emphasis on international cooperation and new technological solutions.

The implications for policy, industry, and national security are profound in both scenarios. Decisions made today regarding the implementation of Zero Trust and the onshoring of semiconductor production will shape the technological landscape and strategic capabilities of the U.S. for years to come.

Further OODA Loop Resources

Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes – for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. Remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised, given its inconsistent approach toward aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Businesses also confront unpredictable external threats besides traditional competitive challenges. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See Disruptive and Exponential Technologies.

Planning for a Continuous Pandemic Landscape: COVID-19’s geopolitical repercussions are evident, with recent assessments pointing to China’s role in its spread. Regardless of the exact origins, the conditions that allowed COVID-19 to become a pandemic persist today. Therefore, businesses must be prepared for consistent health disruptions, implying that a substantial portion of the workforce might always operate remotely, even though face-to-face interactions remain vital for critical decisions. See: COVID Sensemaking

The Inevitable Acceleration of Reshoring and its Challenges: The momentum towards reshoring, nearshoring, and friendshoring signals a global shift towards regional self-reliance. Each region will emphasize local manufacturing, food production, energy generation, defense, and automation. Reshoring is a complex process, with numerous examples of failures stemming from underestimating intricacies. Comprehensive analyses encompassing various facets, from engineering to finance, are essential for successful reshoring endeavors. See: Opportunities for Advantage

For this full NDIA report, see How to On-Shore Critical Semiconductor Production, Secure the Supply Chain, and Provide Access for the Industrial Base.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.