Tuesday, July 5, 2016

OMB Approves Counterfeit Parts ICR

Last Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the information collection request (ICR) for the DAR final rule implementing further congressional requirements to prevent the use of counterfeit electronic parts in DOD equipment. I briefly described OIRA’s approval of that final rule on Saturday.

Again, I am not trying to turn this blog into a discussion of DOD acquisition rules, but counterfeit electronic parts do provide an alternative route of attack on control systems so some attention to this rule is warranted in this blog.

According to the data submitted [.DOC download] to OIRA by DOD the new final rule will require (pg 1) “contractors and subcontractors that are not the original manufacturer of or an authorized supplier for an electronic part to make available to the Government, upon request, the following:

“Documentation of traceability from the original manufacturer of electronic parts; or

“When traceability of electronic parts cannot be established, documentation of the inspection, testing, and authentication performed in accordance with industry standards.”

The ICR documentation breaks the burden estimates into two parts, reporting and recordkeeping. The table below shows the burden estimates for each of these activities. It should be noted that the number of responses for the recordkeeping portion of the ICR is based is based upon the number of sub-contractors (average 11.89 per contractor) that will be required to maintain records to support the DOD reporting requirements.


Respondents
Responses
Hours
Cost
Reporting
6,624
8.01
53,040
$2.0 M
Recordkeeping
6,624
11.89
2,363,190
$75.6 M
ICR Total
6,624
20
2,407,050
$77.6 M

The ICR addresses the requirements to maintain records and make reports to DOD. It does not include the time and expense of doing any required ‘inspection, testing and authentication’. The total cost of using electronic parts that are not properly vetted is quite high as a consequence of this new rule. Which is of course the intent; if the cost of using low cost parts is raised to higher than using OEM parts, then there is no incentive to use the ‘low cost’ parts.

DOD, of course, can get away with adding this language to their acquisition contracts because they were required to do so by Congress. This requirement, of course (GRIN), means that Congress has accepted the higher cost of using OEM parts on all of the DOD acquisition contracts.


It might be a tad bit harder to convince a corporate board to pay the higher capital acquisition costs associated with adopting a similar standard in corporate contracts. The question that must be taken into account is what are the potential costs of remediating a corporate breach based upon network penetration via counterfeit electronic parts? A risk-based response to that question could lead to carefully selecting which systems would require a similar process for preventing the acquisition of counterfeit parts.

No comments:

 
/* Use this with templates/template-twocol.html */