Alert

DoD Considers Certification-Based Framework for Restricting Certain Printed Circuit Boards in Defense Systems

July 7, 2026

WHAT: The U.S. Department of Defense (DoD) issued an advance notice of proposed rulemaking (ANPR) seeking input on an anticipated Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing 10 U.S.C. § 4873, which incorporates Section 841 of the National Defense Authorization Act (NDAA) for Fiscal Year 2021 and Section 851 of the FY 2022 NDAA and prohibits DoD from acquiring “covered printed circuit boards” from entities located in or controlled by China, Russia, Iran, or North Korea. Any rulemaking would also implement Section 224 of the FY 2020 NDAA, which requires DoD to establish trusted supply chain and operational security standards for the procurement of microelectronics and associated printed circuit boards.

WHEN: DoD issued the ANPR on July 2, 2026. Comments are due August 31, 2026.

WHAT IT MEANS FOR INDUSTRY: This ANPR is the first step in the rulemaking process through which DoD will restrict the acquisition of certain printed circuit boards in defense procurement. The ANPR previews a compliance regime that could impose significant certification, traceability, and flow-down obligations on defense contractors and their supply chains. These obligations would affect contractors that manufacture, integrate, or supply printed circuit boards for defense systems.

The eventual proposed rule would implement 10 U.S.C. § 4873, which (effective January 1, 2027) prohibits DoD from acquiring “covered printed circuit boards” from entities located in or controlled by China, Russia, Iran, or North Korea. DoD intends to focus the prohibition on the geographic point of fabrication for bare or partially manufactured boards. The prohibition turns on three interlocking statutory definitions in 10 U.S.C. § 4873(c), which the ANPR anticipates adopting without change:

  • Covered printed circuit board” is any “specified type” that either performs a mission critical function in a non-commercial product or service, or is a component of a “defense security system”;
  • Specified type” is a printed circuit board that facilitates “the routing, connecting, transmitting or securing of data” and is commonly connected to a network; and
  • Defense security system” is an information system used by or on behalf of DoD involving command and control, weapon systems, or the direct fulfillment of military missions (excluding routine administrative applications).

The ANPR explains that DoD’s adoption of the statutory definitions is meant to emphasize that the prohibition does not restrict acquisition of commercial products or commercially available off-the-shelf (COTS) items generally, but only printed circuit boards integrated into systems in which a compromise could directly threaten military missions, warfighter safety, or national security.

The Independent Hardware Assurance Framework

The ANPR contemplates a “rigorous, evidence-based waiver process” to address potential market unavailability and urgent operational needs. The waiver process will not rely on attestations from suppliers, however, because “facilities within covered nations cannot legally or practically guarantee the protection of controlled unclassified information (CUI).” Instead, contractors seeking waivers would need to demonstrate compliance with a four-pillar framework as the primary means of obtaining waivers:

  • A current ISO/IEC 20243 (Open Trusted Technology Provider Standard) certification;
  • Machine-level manufacturing traceability data under IPC-1782 (Level 3 or 4) documenting the origin of base materials and fabrication machinery;
  • Routing of any covered board through a domestic or approved allied nation IPC-1791 Trusted Assembler (or DoD Hardware Assurance Laboratory) for independent testing before system integration; and
  • Protection of all unclassified digital design data as CUI.

The ANPR anticipates that contractors seeking a waiver would need to submit a comprehensive waiver request package to the contracting officer, including “valid, third-party certifications demonstrating full compliance with the Independent Hardware Assurance Framework.” The DoD component head will determine whether a Trusted Assembler verification report is sufficient, or whether the data and hardware must be submitted to a DoD Hardware Assurance Lab for additional validation. If the Trusted Assembler is a subsidiary, affiliate, or otherwise financially affiliated with the contractor, validation by a DoD Hardware Assurance Lab will be required before the component head can sign and submit a waiver request.

Data Delivery, Retention, and Inspection Rights

The ANPR anticipates contractors being required, upon Government request, to deliver traceability logs and test reports in machine-readable format, and to grant the Government the right to access that data for compliance verification. Although the ANPR expects that the Government will treat this data as proprietary, it notes that contractor “assertions of proprietary information or trade secrets” must not “restrict or delay” verification efforts. DoD also anticipates requiring contractors to retain all verification imagery and traceability logs for at least 10 years following final delivery or the operational lifespan of the defense security system, whichever is longer.

Mandatory Flow-Downs

The ANPR expects contractors will be required to flow down the resulting DFARS clause in subcontracts at every tier, including subcontracts for commercial products and services. Primes would retain “affirmative, ultimate responsibility” for collecting, verifying, and maintaining certifications and traceability data from all lower-tier suppliers.

Request for Comment

The ANPR seeks input on the following topics:

  • The clarity of the statutory definitions;
  • The financial burden of the four-pillar framework;
  • The accuracy of DoD’s certification timeline estimates (8 to 16 months for IPC-1791; 3 to 11 months for the other standards);
  • The ability of COTS manufacturers to support IPC-1782 data logging “without causing severe economic disruption”;
  • Applicability of IPC-1791 to physical facilities and ISO/IEC 20243 to the contractor’s enterprise and whether that bifurcation may create conflicting contractor obligations;
  • Protection of CUI under NIST SP 800-171 when transmitting manufacturing requirements to a facility in a covered nation under an approved waiver;
  • Whether DoD’s proposed limits on its data rights sufficiently protect proprietary manufacturing processes;
  • Whether combining IPC-1791 and IPC 1782 is a feasible strategy to meet the operational security requirements of Section 224 of the FY 2020 NDAA; and
  • The percentage of commercial information technology vendors’ current DoD sales that would fall under the definition of a “defense security system” compared to sales related to routine business systems.

Feedback at the ANPR stage can meaningfully shape the eventual proposed rule, so contractors and suppliers potentially affected by the new requirements, waiver process, or flow-down obligations should take advantage of this opportunity to comment.

Wiley’s Government Contracts; Telecom, Media & Technology; National Security; and Privacy, Cyber & Data Governance practices will continue to monitor these issues and keep contractors apprised of new developments.

Read Time: 5 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek