Last Friday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that they had approved the information collection request (ICR) for the DAR
final rule implementing further congressional requirements to prevent the use
of counterfeit electronic parts in DOD equipment. I briefly
described OIRA’s approval of that final rule on Saturday.
Again, I am not trying to turn this blog into a discussion
of DOD acquisition rules, but counterfeit electronic parts do provide an
alternative route of attack on control systems so some attention to this rule
is warranted in this blog.
According to the data
submitted [.DOC download] to OIRA by DOD the new final rule will require (pg
1) “contractors and subcontractors that are not the original manufacturer of or
an authorized supplier for an electronic part to make available to the
Government, upon request, the following:
“Documentation of traceability from
the original manufacturer of electronic parts; or
“When traceability of electronic
parts cannot be established, documentation of the inspection, testing, and
authentication performed in accordance with industry standards.”
The ICR documentation breaks the burden estimates into two
parts, reporting and recordkeeping. The table below shows the burden estimates
for each of these activities. It should be noted that the number of responses
for the recordkeeping portion of the ICR is based upon the number of
subcontractors (an average of 11.89 per contractor) that will be required to
maintain records to support the DOD reporting requirements.
| | Respondents | Responses per respondent | Hours | Cost |
| Reporting | 6,624 | 8.01 | 53,040 | $2.0 M |
| Recordkeeping | 6,624 | 11.89 | 2,363,190 | $75.6 M |
| ICR Total | 6,624 | 20 | 2,407,050 | $77.6 M |
The ICR addresses only the requirements to maintain records and
make reports to DOD. It does not include the time and expense of doing any
required ‘inspection, testing and authentication’. The total cost of using
electronic parts that are not properly vetted thus becomes quite high as a consequence of
this new rule, which is of course the intent: if the cost of using low cost
parts is raised above the cost of using OEM parts, then there is no incentive to
use the ‘low cost’ parts.
DOD, of course, can get away with adding this language to
their acquisition contracts because they were required to do so by Congress.
This requirement, of course (GRIN), means that Congress has accepted the higher
cost of using OEM parts on all of the DOD acquisition contracts.
It might be a tad bit harder to convince a corporate board
to pay the higher capital acquisition costs associated with adopting a similar
standard in corporate contracts. The question that must be taken into account
is what are the potential costs of remediating a corporate breach based upon
network penetration via counterfeit electronic parts? A risk-based response to
that question could lead to carefully selecting which systems would require a
similar process for preventing the acquisition of counterfeit parts.