October 4, 2022

The CHIPS and Science Act, Cybersecurity, and Semiconductor Manufacturing

IP Lifecycle Management

This year is proving to be a momentous one for U.S. semiconductor manufacturing. During a global chip shortage and record inflation, President Biden signed into effect the CHIPS and Science Act – which so far is the greatest boon to U.S. semiconductor manufacturing in history, with $52 billion in subsidies for chip manufacturers to build fabrication plants in the U.S.

The CHIPS Act seems like a green light for domestic manufacturing. However, another piece of legislation passed earlier in the year may be a stumbling block for semiconductor design shops eager to serve national security projects. Enter Executive Order 14028, “Improving the Nation’s Cybersecurity.”

Rolled out several months before the CHIPS Act was signed, this Executive Order defines parameters that will force U.S-based software companies to change long-established development and design processes if they want to comply with federal regulations regarding information-sharing between the government and the private sector.

Here we examine how these two pieces of legislation relate, what they mean for semiconductor companies, and why the highs and lows of American semiconductor manufacturing boil down to one thing: security.

Protect Your IP

Methodics IPLM is the single source of truth for all your chip IP. See how you can protect your team's IP from design through verification.


The CHIPS and Science Act of 2022

The CHIPS and Science Act of 2022 provides $52 billion in subsidies for chip manufacturers to build fabrication plants in the U.S. For reference, currently only 12% of all semiconductor chips are made in the U.S.

This Act comes amidst a global economic downturn, with lawmakers hoping that American-made chips will solve security and supply chain issues. In short, this is something the U.S. needs to reassert its historical influence on semiconductor manufacturing.

Security Considerations

One of the biggest considerations, and benefits, to domestic-made semiconductors is national security. Recent geopolitical instability has caused concern over potential IP leakage and theft. For the U.S. Department of Defense (DoD), it is imperative to have a secure and trusted ecosystem for the design and manufacture of semiconductors. But with most of today’s manufacturing done overseas, the DoD have had major challenges executing their national security-related projects.

The automotive industry is another area that will benefit from a trusted domestic ecosystem and a more resilient supply chain. As we progress towards autonomous vehicles, compromised components could be used by malicious parties to take control of the system and cause damage and injury.

In these cases (and others), it’s clear that there is a need for component and IP provenance, along with geofencing, to reduce the likelihood of security breaches. More competitive and accessible domestic manufacturing can help solve this by keeping sensitive IP within the borders of the U.S.

Executive Order 14028: “Improving the Nation’s Cybersecurity”

The Executive Order on cybersecurity stemmed from recent data breaches, with the attempt to patch vulnerabilities in sharing between the private sector and the U.S. government. For companies, this means a brighter light will now be shone on security throughout the embedded software development process. For developers, this signifies a greater need to maintain visibility into their code and keep track of any vulnerabilities throughout the lifecycle.

To tackle this, a number of recommendations/requirements have been put forward by this Executive Order, including better defined processes around cyber security incidents, a higher level of awareness around permissions (“Zero Trust”) and the concept of a Software Bill of Materials (SBOM), which should be delivered as part of the software implementation to enable higher levels of traceability and provenance.

This SBOM should enable system integrators to understand their exposure to security concerns in delivered code via documentation of the software versions delivered, their provenance, and the originating supply chain source, all of which allow for better traceability in the design.

The Unified BOM

An SBOM will take the form of a hierarchical tree of components where each component includes the versioned implementation and important metadata that infer its state, license, compliance with standards, and other pieces of data. This SBOM should be in machine-readable format for integration into development and test traceability methodologies.

In short, the SBOM should be a complete manifest of the software delivered with the project and its current state. With the advent of IP-centric design practices in the semiconductor space, we have already seen widespread adoption of the hardware BOM (HBOM) that records the IP component versions that implement an SoC and material metadata.

Since a large portion of today’s SoCs include an embedded software component, this new governmental SBOM requirement suggests SoC developers should be managing the unified platform SBOM/HBOM as part of the development life cycle, and in some cases delivering with the final product shipment to facilitate traceability and threat detection in the target system integration.

The "Unified" BOM: A Complete Software/Hardware Manifest

The U.S. government has started two important initiatives with the CHIPS and Science Act and Executive Order 14028. The CHIPS Act will revitalize U.S.-based semiconductor manufacturing to secure the domestic semiconductor supply chain and mitigate concerns with national security related designs, while Executive Order 14028 enforces software development practices that reduce the likelihood of cyberattacks.

Software needs hardware to run and understanding the interdependence of software and hardware is important. By applying the SBOM mandate to the entire system on a chip (SoC) manifest with a unified software/hardware BOM, we can help to ensure that the best practices outlined in the Executive Order will be applied to the entire component tree for a given SoC.

This is something that many companies have started to adopt anyway, independent of any government initiative. Although, Executive Order 14028 now mandates this as a requirement to be able to engage in DoD software development projects. One could argue that without a complete BOM to reflect the full set of software and hardware components in an SoC, we’re not fully addressing provenance and security issues in the design.

Wrap-up: Improving Cybersecurity Through Secured Supply Chain

In summary, the hope is that the $52 billion CHIPS Act will help mitigate the supply chain bottleneck plaguing the semiconductor industry. By combining secure manufacturing with secure development best practices, we have a much higher likelihood of improving our semiconductor supply chain and providing a trusted source of components for our national security projects.

Leverage CHIPS Funding With Methodics IPLM

Methodics IPLM provides a scalable IP lifecycle management platform that tracks IP and its metadata across projects, providing end-to-end traceability, and facilitating IP reuse. With a tool such as Methodics IPLM in hand, companies can setup the infrastructure called for by the CHIPS Act and smooth the transition to state-of-the-art U.S.-based semiconductor manufacturing.

Connect with Perforce IP experts to learn more about Methodics.