Section 5949 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (“FY2023 NDAA”) contains two significant prohibitions regarding the procurement and use of semiconductor products and services from specific Chinese companies and other foreign countries of concern (the “Semiconductor Prohibitions”). Although many aspects of the prohibitions remain unclear, the legislation portends noteworthy obligations in the coming years for government contractors, their suppliers, and those who may be interested in entering into agreements with the United States.
A timeline of noteworthy events and requirements associated with the Semiconductor Prohibitions is available here.
I. The Prohibitions
A. Prohibition Text
The Semiconductor Prohibitions are divided into two subsections:
- Section 5949(a)(1)(A) (“Part A”) provides that the head of an executive agency may not “procure or obtain, or extend or renew a contract to procure or obtain, any electronic parts, products, or services that include covered semiconductor products or services.”
- Section 5949(a)(1)(B) (“Part B”) provides that the head of an executive agency may not “enter into a contract (or extend or renew a contract) with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services.”
B. Application of Prohibitions
Part A appears to prohibit the procurement of electronic parts, products, or services that include covered semiconductors. As a result, this prohibition is likely to encompass many commercial-item goods and services – e.g., a laptop computer that includes a covered part. Of note, Part A uses the phrase “procure or obtain,” which suggests that its prohibition could apply to agreements outside of the traditional procurement context, such as Other Transaction Authority agreements.
Part B appears to go a step further by prohibiting the procurement of electronic parts and products that “use” other parts or products that include covered semiconductor products or services. This distinction in language appears to prohibit an agency from purchasing a part or product even if the particular part or product does not include covered semiconductor products or services, and instead, uses another part or product that is otherwise prohibited by Part A. However, “use” is not defined – thus, it is unclear how closely the “use” of a covered part must be tied to, or incorporated in, a product or service being procured for it to fall within the scope of the prohibition.
Additionally, although Part B is broader in scope than Part A in some ways, the Part B prohibition only applies to “critical systems.” A critical system is defined by the legislation to generally mean a system hosting military or intelligence-related telecommunications or information systems. A “critical system” typically does not include systems for routine administrative and business applications. Further, unlike Part A, which expressly incorporates references to “services” in the prohibition, Part B does not contain the same express incorporation.
Given the relative lack of clarity on the scope of application, contractors will need to carefully consider how electronic parts or products sold to the Government may include or use covered electronic parts, products or services (even if those electronic parts, products, or services are not specifically line items in a contract). In many cases, we would expect these to be fact-specific inquiries requiring engagement with a contractor’s suppliers – an exercise that is likely not unfamiliar to contractors in light of similar supply chain prohibitions in recent years. In the nearer term, contractors should consider whether there may be opportunities to provide input regarding Government efforts to bolster the domestic semiconductor supply chain, particularly as the various studies required under this legislation are conducted over the next year (see discussion in Part V below).
II. The Prohibited Products
The legislation is aimed at restricting procurement of semiconductors and related services from three Chinese companies. Specifically, the legislation defines the prohibited “covered semiconductor product or services” as a “semiconductor, a semiconductor product, a product that incorporates a semiconductor product, or a service that utilizes such a product, that is designed, produced or provided” by Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), or Yangtze Memory Technologies Corp (“YMTC”), or any of their subsidiaries, affiliates, or successor entities.
The legislation also defines this term to include any of the components that are produced or provided by an entity owned, controlled by, or otherwise connected to the government of a foreign country of concern, as determined by the Secretaries of Defense or Commerce, in consultation with the Directors of National Intelligence or Federal Bureau of Investigation. The legislation defines “country of concern” consistent with definitions set forth in other Federal laws. The covered nations include North Korea, China, Russia, Iran, and any country that is deemed to be engaged in conduct that is detrimental to the national security or foreign policy of the United States. The Joint Explanatory Statement accompanying the FY2023 NDAA suggests that Congress intends to cover any foreign countries of concern that threaten national security.
III. Waivers and Exceptions
The legislation establishes a number of noteworthy exceptions to the Semiconductor Prohibitions. For instance, the legislation does not require removal or replacement of covered semiconductors that are in place before this prohibition becomes effective or the use of such semiconductors throughout their lifecycles. Rather, the Government is prohibited from acquiring these products or services.
Additionally, as described above, Part B currently applies only to critical systems. Given the breadth of Part B, this carve out is noteworthy, even though the statutory definitions suggest that what will constitute a “critical system” could eventually include a broader range of communications and other technologies.
Agencies also may waive the Semiconductor Prohibitions under certain circumstances. The legislation provides authority for the Secretary of Defense, Director of National Intelligence, Secretary of Commerce, Secretary of Homeland Security, and Secretary of Energy to waive the prohibitions if doing so is in the critical national security interests of the United States. Although what constitutes “the critical national security interest” is not expressly defined, the Joint Explanatory Statement suggests that critical national security interests may include protecting the United States’ economic security and its technological competitiveness relative to strategic competitors.
Heads of executive agencies may also waive the requirements of the Semiconductor Prohibitions, in consultation with the Secretary of Defense or the Director of National Intelligence, and the Secretary of Commerce, when: (1) there is no compliant product or service available at United States market prices or at a price that is not considered prohibitively expensive; and (2) the waiver could not reasonably be expected to compromise the critical national security interests of the United States. Such a waiver may be provided for two years, but it is renewable. Similar to waiver authorities set forth in other laws addressing supply chain security, agencies that grant this waiver authority must report the waiver to Congress within 30 days.
Although the availability of this waiver may provide contractors with some relief, it is not clear how Federal agencies will apply the pricing analysis required to grant the waiver, including how the head of the agency and the Secretary of Commerce will determine the market price of a product or the level at which a price will be deemed prohibitively expensive (which could become a point of contention between an agency and a contractor under a fixed price contract). It is also not clear how widely this exception will be used (e.g., for specific products, for classes of products, or for entire sectors), especially given the congressional notice requirement.
By the end of 2025, the FAR Council must prescribe regulations to implement the Semiconductor Prohibitions. The regulations must include a number of prescriptions, including:
- A requirement for prime contractors to incorporate the substance of the Semiconductor Prohibitions and applicable implementing contract clauses into contracts for the supply of electronic parts or products;
- A requirement for contractors who supply a Federal agency with electronics parts or products to:
- Certify that those parts or products do not contain prohibited semiconductors;
- Detect and avoid the use or inclusion of prohibited semiconductors; and
- Rework or take corrective action to remedy the use or inclusion of prohibited semiconductors.
- A requirement for companies that develop semiconductors or purchase prohibited semiconductors from others to disclose to direct customers when prohibited semiconductors are included in parts, products, or services, with the understanding that a failure to disclose renders that entity responsible for rework or corrective action, the costs of which cannot be included in a Federal contract; and
- A requirement that companies or Federal contractors or subcontractors who becomeaware, or have reason to suspect, that any part of a critical system procured by or for the Federal Government contains prohibited semiconductors notify appropriate Federal authorities in writing within 60 days and that those authorities, in turn, notify Congress within 120 days.
It remains unclear what level of diligence will be required of contractors and suppliers to identify prohibited semiconductors in their supply chains and to certify compliance with these prohibitions. Additionally, when prohibited semiconductors are identified in a contractor’s supply chain, the notification and disclosure requirements will be important considerations – including the level of investigation contractors will be able to undertake before a disclosure is required and who bears the costs and potential liability for corrective action.
Contractors may have an opportunity to provide comments as part of this rulemaking process, which typically provides contractors 30-60 days (sometimes up to 180 days for complex rulemakings) to offer comments on the Government’s proposed rule.
V. Required Studies
The legislation establishes a number of studies and opportunities for private industry input regarding the semiconductor supply chain and its potential vulnerabilities. The Secretary of Commerce, the Federal Acquisition Security Council, and a new Government-wide microelectronics traceability and diversification initiative will undertake efforts to explore and recommend approaches to mitigate supply chain vulnerabilities, with various requirements to obtain industry and stakeholder feedback.
A. Analysis, Assessment, and Strategy
By June 2023, the Secretary of Commerce must convey to the Federal Acquisition Security Council, in coordination with the Secretary of Defense, Secretary of Homeland Security, Director of National Intelligence, and Secretary of Energy, a study on semiconductor design and manufacturing in the United States and by allied nations, as well as risks posed by prohibited semiconductors in the Federal and non-Federal systems. This report is further intended to develop a strategy to improve the availability of domestic semiconductor design and production capacity, improve supply chain traceability, and certify the feasibility of implementing required prohibitions or exercising waiver authority to ensure uninterrupted semiconductor access.
B. Federal Acquisition Security Council
By December 2024, the Federal Acquisition Security Council must issue recommendations to the FAR Council and the heads of executive agencies for any needed regulations to mitigate supply chain risks. Notably, the legislation directs the Federal Acquisition Security Council to engage with the private sector concerning these recommendations, and the Joint Explanatory Statement underscores this point – urging the Federal Acquisition Security Council to consult with relevant industry stakeholders, as required by law, in developing recommendations to mitigate supply chain security risks.
C. Traceability and Diversification Initiative
By December 2024, the Secretary of Commerce must establish a microelectronics traceability and diversification initiative, in consultation with the Secretary of Homeland Security, Secretary of Defense, Director of National Intelligence, Director of the Office of Management and Budget, and Director of the Office of Science and Technology Policy, as well as industry. The initiative will coordinate analysis of and response to microelectronics supply chain vulnerabilities.
The initiative will develop an assessment framework to inform Federal decisions on sourcing microelectronics, considering chain of custody and traceability, intellectual property, and security risks, among other elements. The initiative will identify best practices for refining microelectronics standards and develop recommendations to identify and mitigate microelectronics supply chain risks. And the initiative will develop a process for provenance and traceability from design to disposal of microelectronics components and intellectual property to improve reporting, data analysis, and tracking. The initiative will involve coordination among the National Science and Technology Council Subcommittee on Microelectronics Leadership, Department of Commerce Semiconductor Industrial Advisory Committee, White House Coordinator for CHIPS Implementation, Federal Acquisition Security Council, Government-Industry Working Group on Microelectronics, Joint Defense Manufacturing Technology Panel, and standards development organizations.
 A “critical system” means the same thing as “national security system” in section 11103(a)(1) of title 40, United States Code. See Section 5949(j)(4)(A). The term “national security system” is defined under 40 U.S.C. 11103(a)(1) as: “a telecommunications or information system operated by the Federal Government, the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system;” or may be critical to the direct fulfillment of military or intelligence missions.
 The legislation provides that “payroll, finance, logistics, and personnel management applications” are “includ[ed]” in the category of routine administrative and business applications. Section 5949(j)(4)(D).
 The legislation states that the term “foreign country of concern” is defined consistent with paragraph (7) of section 9901 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (15 U.S.C. 4651), as added by section 103(a)(4) of the CHIPS Act of 2022 (division A of Public Law 117–167). Section 5949(j)(5). The CHIPS Act incorporates the “covered nation” definition of “foreign countries of concern” to mean the Democratic People’s Republic of North Korea, the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran, as well as any country deemed to be “engaged in conduct that is detrimental to the national security or foreign policy of the United States.”