Section 224 defines “security standards” as standards that systemize best practices relevant to six categories: (1) manufacturing location; (2) company ownership; (3) workforce composition; (4) access to the product during manufacturing, suppliers’ design, sourcing, packaging, and distribution processes; (5) reliability of the supply chain; and (6) other matters germane to supply chain and operational security. Military standards or specifications that specify individual features for microelectronics products and wireless network services or that inhibit the acquisition of securely manufactured, commercially available products by the DOD are excluded from the definition.

Section 224’s required security standards are to be developed in consultation with civilian agencies and industry to ensure that differing perspectives will be considered. The Departments of Homeland Security, State, and Commerce, and the National Institute of Standards and Technology; suppliers of microelectronics products and wireless network services from the United States and allies and partners of the United States; representatives of major U.S. sectors that rely on a trusted supply chain and the operational security of microelectronics products and wireless network services; and representatives from the U.S. insurance industry will collaborate with the DOD to develop the security standards contemplated. The goal of this collaboration is to maintain competition and innovation in the industrial microelectronics and wireless network services supply base. To that end, section 224 requires the SECDEF to ensure, to the greatest extent practicable, that microelectronic and wireless network technology suppliers are incentivized to sell their products commercially as well as to governments that are allies and partners of the United States. Furthermore, all suppliers (manufacturers, distributers, and resellers) will be required to ensure that microelectronics and wireless technology supplies are produced on the same production lines as the products purchased by the DOD. This requirement will likely drive changes to the manufacturing practices of many supplies.

Contractors that sell, or wish to sell, microelectronics and wireless network technology products and services to the DOD should be prepared for the imposition of the security standards developed under this program. While the security standards likely will not be enforced until January of 2023, they are required to be developed and effective by January 2021. This statutorily prescribed time frame will give contractors approximately two years to evaluate the impact of the new standards and to take appropriate steps to come into compliance. As a result of the anticipated standards, microelectronic and wireless network technology manufacturers, and their supply chain, may have to evaluate possible changes required to come into compliance. Such changes may include the relocation of manufacturing facilities and adjustments to company ownership and workforce composition, among others, to meet the microelectronic and wireless network technology security standards that will ultimately be imposed. Reed Smith will continue to monitor the information related to the establishment of these security standards and provide updated client alerts as new information becomes available.

 Client Alert 2020-047