[Federal Register Volume 91, Number 126 (Thursday, July 2, 2026)]
[Proposed Rules]
[Pages 40508-40511]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-13375]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 212, 225, and 252
[Docket DARS-2026-0298]
RIN 0750-AL62
Defense Federal Acquisition Regulation Supplement: Modifications
to Printed Circuit Board Acquisition Restrictions (DFARS Case 2022-
D011)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Advance notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: DoD is seeking information that will assist in the development
of a revision to the Defense Federal Acquisition Regulation Supplement
(DFARS) to implement sections of the National Defense Authorization
Acts for Fiscal Years 2021 and 2022 that address the prohibition on the
acquisition of covered printed circuit boards from a covered nation.
DATES: Comments on the advance notice of proposed rulemaking should be
submitted in writing to the address shown below on or before August 31,
2026, to be considered in the formation of any proposed rule.
ADDRESSES: Submit written comments identified by DFARS Case 2022-D011,
using either of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Search for DFARS Case 2022-D011. Select ``Comment'' and follow the
instructions to submit a comment. Please include ``DFARS Case 2022-
D011'' on any attached documents.
Email: [email protected]. Include DFARS Case 2022-D011 in
the subject line of the message.
Comments received generally will be posted without change to
https://www.regulations.gov, including any personal information
provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission
to verify posting.
FOR FURTHER INFORMATION CONTACT: Kelsey Bramschreiber, telephone 948-
245-1544.
SUPPLEMENTARY INFORMATION:
I. Background
DoD is seeking information from experts and interested parties in
Government and the private sector that will assist in the development
of a revision to the DFARS to implement section 841 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2021 (Pub. L.
116-283) and section 851 of the NDAA for FY 2022 (Pub. L. 117-81).
Section 841 adds 10 U.S.C. 2533d, which prohibits the acquisition of
covered printed circuit boards from a covered nation. Section 851
amends 10 U.S.C. 2533d, subsequently renumbered as 10 U.S.C. 4873.
Section 841 of the NDAA for FY 2021 and section 851 of the NDAA for
FY 2022 (10 U.S.C. 4873) require the Department of Defense to mitigate
supply chain risks by prohibiting the procurement of covered printed
circuit boards from entities located in or controlled by a covered
nation (i.e., the People's Republic of China, the Russian Federation,
the Islamic Republic of Iran, the Democratic People's Republic of North
Korea). DoD intends to implement this prohibition by focusing on the
geographic point of fabrication for bare boards or partially
manufactured boards and by utilizing a tiered trust architecture.
Furthermore, any rulemaking that may follow this advance notice of
proposed rulemaking (ANPR) would put into operation the mandate in
section 224 of the NDAA for FY 2020, which requires DoD to establish
trusted supply chain and operational security standards for the
procurement of microelectronics and their associated printed circuit
boards. By coupling the geographic prohibitions of 10 U.S.C. 4873 with
rigorous technical standards, developed through strong Government/
industry partnerships, DoD establishes a comprehensive hardware
assurance posture that satisfies both statutory directives.
II. Discussion and Analysis
The following is a summary of DoD's proposed approach and the
feedback DoD is seeking from industry and the public.
[[Page 40509]]
A. Defining the Scope: Statutory Thresholds
DoD seeks public comment on a proposed regulatory framework, the
Independent Hardware Assurance Framework, that utilizes industry
standards ISO/IEC 20243, IPC-1782, and IPC-1791 as the foundational
requirements for granting statutory exceptions and waivers. Crucially,
this framework uses the statutory definitions of the following terms:
``covered printed circuit boards,'' ``specified type,'' and ``defense
security systems.'' This approach ensures the protection of national
security while minimizing impact on the commercial marketplace.
To ensure any regulation that may follow this ANPR does not impose
unreasonable restrictions on the procurement of commercial products,
including commercially available off-the-shelf (COTS) items, DoD adopts
the strict statutory definitions provided in 10 U.S.C. 4873(c). DoD
emphasizes that this proposed framework is not a blanket prohibition on
specific commercial products, including COTS items, or commercial
services. These stringent Independent Hardware Assurance Framework
requirements are only placed on covered printed circuit boards being
integrated into systems in which a compromise could directly threaten
military mission, warfighter safety, or national security. For
procurements that fall within this critical scope, DoD has established
a rigorous, evidence-based waiver process (see section II.B. of this
ANPR) to address circumstances of market unavailability and urgent
operational need.
B. Proposed Framework for Exceptions and Waivers
For covered printed circuit boards requiring a waiver to source
from a covered nation under 10 U.S.C. 4873, DoD proposes establishing
an Independent Hardware Assurance Framework to satisfy the statutory
requirement of 10 U.S.C. 4873(b)(1). This statutory requirement demands
a written determination that there are no significant national security
concerns regarding counterfeiting, quality, or unauthorized access.
Recognizing that facilities within covered nations cannot legally or
practically guarantee the protection of controlled unclassified
information (CUI), this waiver process will not rely on attestations
from suppliers.
While contractors may propose alternative mitigation strategies,
DoD assesses that compliance with a four-pillar framework, which
ensures supply chain security, data traceability, facility trust and
secure handling, and cybersecurity, provides the standardized
evidentiary baseline necessary to satisfy these statutory waiver
criteria. Furthermore, this framework meets or exceeds the trusted
supply chain and operational security requirements mandated by section
224 of the NDAA for FY 2020. Therefore, DoD proposes that demonstrating
compliance with the following four pillars will serve as the primary
mechanism for contractors seeking a waiver:
1. Enterprise-Level Supply Chain Integrity (ISO/IEC 20243). The
Open Trusted Technology Provider Standard (O-TTPS) is an international
standard that establishes best practices for secure product
development, secure engineering, supply chain security, and lifecycle
management to prevent maliciously tainted and counterfeit products. For
any printed circuit board requiring a waiver, the contractor must hold
a current ISO/IEC 20243 (O-TTPS) certification. This ensures the
contractor utilizes secure engineering practices and aggressive
downstream supplier vetting to mitigate the risk of maliciously tainted
raw materials and COTS subcomponents entering the bare board
fabrication process.
2. Granular Provenance and Traceability (IPC-1782). IPC-1782 is a
comprehensive traceability standard that strengthens electronics supply
chain integrity, supports counterfeit prevention, and provides a
flexible framework for capturing and analyzing critical manufacturing
and component data. For any covered printed circuit board requiring a
waiver, the contractor must deliver standardized, machine-level
manufacturing traceability data in accordance with IPC-1782 (Level 3 or
4). This evidentiary audit trail must document the origin of the
board's base materials (e.g., laminate, copper foil) and the specific
machinery used during fabrication. This data will be heavily
scrutinized by DoD to verify the exact geographic points of
manufacturing.
3. Facility Trust and Secure Handling (IPC-1791). DoD's strong
preference is that facilities involved in the design, fabrication, and
assembly of covered printed circuit boards be certified to IPC-1791
(Trusted Electronic Designer, Fabricator and Assembler Requirements).
IPC-1791 provides minimum requirements, policies, and procedures for
facilities to become trusted sources for markets requiring high levels
of confidence in the integrity of delivered products. These trusted
sources must ensure quality, supply chain risk management, security
(information and physical), and chain of custody.
IPC-1791 certification is only available to non-U.S. facilities via
sponsorship. A facility in a covered nation likely cannot achieve IPC-
1791 certification. Therefore, any bare board granted an exception and
imported from a covered nation must be routed through a domestic (or
approved allied) facility certified as an IPC-1791 Trusted Assembler,
or a DoD Hardware Assurance Laboratory, prior to system integration.
This Trusted Facility will utilize the IPC-1782 data to conduct
independent, blind hardware assurance testing (e.g., automated optical
inspection, x-ray) to verify the manufactured printed circuit board
exactly matches the trusted digital design files and that no
unauthorized modifications were introduced during fabrication in a
covered nation.
4. Protection of Digital Design Data (Cybersecurity). The
contractor must identify and protect all unclassified digital design
data (e.g., Gerber files, netlists, schematics) associated with the
covered printed circuit board as CUI. To qualify for a waiver, the
contractor and all applicable lower-tier subcontractor facilities
handling this unclassified digital data must comply with the applicable
contract cybersecurity requirements. (Note: The manufacture of
classified printed circuit boards remains subject to the National
Industrial Security Program Operating Manual (NISPOM) and is ineligible
for foreign sourcing waivers under this framework).
DoD recognizes that standards evolve. However, for the purposes of
qualifying for a waiver under 10 U.S.C. 4873, the contractor (including
facilities) must actively hold the formal, third-party certifications
(ISO/IEC 20243 and IPC-1791) and generate the standardized data schemas
(IPC-1782). The contractor's attestation or claims of internal
corporate equivalency will not satisfy the requirements of the
Independent Hardware Assurance Framework.
To support the Secretary of Defense's waiver determination under 10
U.S.C. 4873(b), DoD anticipates that contractors seeking a waiver will
be required to submit a comprehensive waiver request package to the
contracting officer. In addition to providing valid, third-party
certifications demonstrating full compliance with the Independent
Hardware Assurance Framework (ISO/IEC 20243 and IPC-1791), as well as
complete traceability data pursuant to IPC-1782, a waiver request must
include the following: a Trusted Assembler verification report, market
[[Page 40510]]
availability justification, component identification (IPC-1782
Traceability), system application and impact, transition strategy, and
waiver scope.
For any bare printed circuit board manufactured or partially
manufactured in a covered nation, the waiver request must include a
certified verification report from a domestic or allied IPC-1791
Trusted Assembler. This report must demonstrate that the board
underwent blind testing and validation prior to population or final
assembly to ensure no unauthorized logic, malicious alterations, or
counterfeits are present.
The DoD component head (or their designated official) will have the
discretion to determine whether this Trusted Assembler verification
report is sufficient, or if the report (including IPC-1782 traceability
data), verification imagery, digital design files, and/or associated
hardware must be submitted to a DoD Hardware Assurance Lab for
supplementary validation prior to signing and submitting the waiver to
the Secretary of Defense.
If the Trusted Assembler is a subsidiary, an affiliate, or
otherwise under the corporate control or influence of the contractor,
then the verification report, all verification imagery, digital design
files, and/or associated physical hardware must be submitted to a DoD
Hardware Assurance Lab for independent validation prior to the DoD
component head signing and submitting the waiver request. This
validation may be conducted by a designated DoD Hardware Assurance
activity, the National Security Agency (NSA), Department of Energy
National Laboratories, Federally Funded Research and Development
Centers (FFRDCs), or University Affiliated Research Centers (UARCs), at
the Government's discretion (DoD component head or Hardware Assurance
Lab).
If the Trusted Assembler is a wholly independent third party with
no financial or corporate affiliation with the contractor, the DoD
component head retains the discretion to accept the report or require a
DoD Hardware Assurance Lab review. This discretionary validation will
be conducted by a designated DoD Hardware Assurance activity, which may
leverage the NSA, National Laboratories, FFRDCs, or UARCs to execute
the review.
The market availability justification must include documented
evidence that printed circuit boards of satisfactory quality and
sufficient quantity cannot be procured from non-covered nations at a
reasonable cost or within the required timeframe. The component
identification (IPC-1782 Traceability) must include specific part
numbers, quantities, and the exact facility and covered nation of
origin for the requested printed circuit boards. With regard to system
application and impact, the end-item defense security system must be
identified. There must also be a detailed assessment of the schedule
and cost impacts to the program if the waiver is denied. The transition
strategy must include a time-phased plan detailing the contractor's
strategy to qualify alternative domestic or allied sources and
eliminate reliance on covered nations for future production. The scope
of the waiver must identify the requested duration of the waiver or
specific production lot to which the waiver will apply.
C. Data Delivery, Retention, and Inspection Rights
To ensure the Government maintains visibility, auditability, and
the ability to verify compliance with the Independent Hardware
Assurance Framework, DoD proposes the following data requirements. Upon
request by the contracting officer, the DoD Program or DoD Hardware
Assurance Laboratories, or as specified in the Contract Data
Requirements List (CDRL), the contractor must deliver IPC-1782
manufacturing traceability logs and IPC-1791 independent hardware
assurance test reports in a standardized, machine-readable format
within a specified timeframe (e.g., five business days).
The contractor must grant the Government the right to access,
duplicate, analyze, and utilize the generated provenance, traceability,
and verification data strictly for the purposes of inspection, audit,
and verifying compliance with 10 U.S.C. 4873 and section 224 of the
NDAA for FY 2020. DoD will treat this data as proprietary and will not
use it for competitive reprocurement. Contractor assertions of
proprietary information or trade secrets will not restrict or delay the
Government's verification efforts. At the discretion of the DoD
component head or the designated DoD Hardware Assurance activity, this
data and the associated Trusted Assembler reports may be shared with
the NSA, FFRDCs, UARCs, and Department of Energy National Laboratories
supporting DoD hardware assurance, provided such entities are bound by
appropriate nondisclosure obligations.
The contractor and the independent verification facility must
retain all verification imagery (e.g., automated optical inspection, x-
ray) and traceability logs for a period of not less than 10 years
following final delivery of the covered printed circuit board, or for
the operational lifespan of the defense security system, whichever is
longer. In addition, the contractor must provide the Government direct
access to audit these records upon request.
D. Mandatory Flow-Down Requirement
To ensure the prohibitions of 10 U.S.C. 4873 are enforced
throughout the entire supply chain, any resulting DFARS contract clause
will include a strict, mandatory flow-down requirement. The contractor
will be required to insert the substance of the contract clause into
all subcontracts and other contractual instruments at every tier,
including subcontracts for the acquisition of commercial products and
commercial services.
The contractor will not merely flow down this requirement, but will
retain affirmative, ultimate responsibility for collecting, verifying,
and maintaining valid, third-party certifications (ISO/IEC 20243 and
IPC-1791) and complete IPC-1782 traceability data from all lower-tier
suppliers and/or facilities prior to integrating covered printed
circuit boards into end-item deliverables. This requirement legally
obligates all commercial lower-tier entities--including bare board
fabricators, contract manufacturers, and independent testing
facilities--to comply with the geographic restrictions and technical
standards, ensuring a secure, unbroken, and verifiable supply chain
from initial materials to final system integration.
The requirement to flow down commercial certifications (ISO/IEC
20243, IPC-1791, IPC-1782) will not apply to subcontracts, interagency
agreements, or direct utilization of designated DoD Hardware Assurance
Laboratories, FFRDCs, or UARCs performing independent verification
testing under this framework. These entities operate under superseding
Federal security and assurance directives.
III. Specific Questions for Public Comment
DoD invites input on the following specific questions, particularly
from the defense industrial base, commercial printed circuit board
manufacturers, and standards bodies:
Definitional Clarity: Do the intersecting definitions of
``covered printed circuit board,'' ``specified type'' (focusing on data
routing/networking), and ``defense security system'' provide an
unambiguous boundary that protects standard commercial/COTS supply
[[Page 40511]]
chains from unreasonable regulatory burden?
Certification Burden: What is the estimated financial and
operational burden for a facility to maintain the proposed four-pillar
framework (ISO/IEC 20243, IPC-1782, and IPC-1791) specifically for
covered printed circuit board production lines?
Certification Timelines: DoD estimates that achieving IPC-
1791 certification requires 8 to 16 months, while IPC-1782 and ISO/IEC
20243 require 3 to 11 months. Are these estimates accurate? What phase-
in period (e.g., 12, 18, or 24 months) should DoD consider before
making these standards a mandatory condition for an exception?
COTS Item Applicability: ISO/IEC 20243 is widely adopted
in the commercial sector. However, to what extent can COTS bare board
manufacturers support the data logging requirements of IPC-1782 Level 3
or 4 without causing severe economic disruption?
Facility vs. Enterprise: DoD proposes that IPC-1791 would
apply to the specific physical verification facility, while ISO/IEC
20243 would apply to the contractor's enterprise. Does this bifurcation
create conflicting obligations for multinational original equipment
manufacturers (OEMs)?
Data Sovereignty: How will contractors ensure the
protection of CUI (bare board design data) in accordance with NIST SP
800-171 when transmitting manufacturing requirements to a facility
located in a covered nation under an approved waiver?
Data Rights and Inspection: DoD proposes limiting its data
rights for IPC-1782 traceability logs and IPC-1791 hardware assurance
reports strictly to inspection and compliance verification, rather than
seeking Government purpose rights (see the clause at DFARS 252.227-
7013, -7014, or -7018 for the definition of Government purpose rights).
This is applicable to printed circuit boards manufactured or partially
manufactured in a covered nation, without IPC-1791 certification. Does
this limitation sufficiently protect proprietary manufacturing
processes while allowing the Government to audit supply chain
provenance?
Waiver Mitigation and Section 224 Compliance: Does the
requirement for independent verification at an IPC-1791 facility,
combined with IPC-1782 traceability, constitute a feasible and
sufficient strategy to meet the operational security requirements of
section 224 of the NDAA for FY 2020 when sourcing from a high-risk
geographic location?
Market Segmentation: DoD requests that commercial
information technology vendors provide the percentage of their current
DoD sales that would likely fall under the statutory definition of a
``defense security system,'' versus the percentage used for routine
business applications that would be exempt from the definition of this
term.
List of Subjects in 48 CFR Parts 212, 225, and 252
Government procurement.
Kimberly R. Ziegler,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2026-13375 Filed 7-1-26; 8:45 am]
BILLING CODE 6001-FR-P