Simon Butler
This year is proving to be momentous for U.S. semiconductor manufacturing. During a global chip shortage and record inflation, U.S. President Biden signed into effect the CHIPS and Science Act, the greatest boon to U.S. semiconductor manufacturing in history, with $52 billion in subsidies for chip manufacturers to build fabrication plants in the U.S.
The CHIPS Act seems like a green light for domestic manufacturing. However, a presidential executive order (Improving the Nation’s Cybersecurity) published earlier in the year may be a stumbling block for semiconductor design shops eager to serve national security projects.
Rolled out several months before the CHIPS Act was signed, this executive order defines parameters that will force U.S.-based software companies to change long-established development and design processes if they want to comply with federal regulations regarding information sharing between the government and the private sector.
Let’s take a look at how these two measures relate, what they mean for semiconductor companies, and why the highs and lows of American semiconductor manufacturing boil down to one thing: Security.
The CHIPS Act
The CHIPS and Science Act of 2022 provides $52 billion in subsidies for chip manufacturers to build fabrication plants in the U.S. To put that into perspective, consider that currently only 12% of all semiconductor chips are made in the U.S.
This Act comes amidst a global economic downturn, with lawmakers hoping that American-made chips will solve security and supply chain issues. In short, this is something the U.S. needs to reassert its historical influence on semiconductor manufacturing.
One of the biggest considerations, and benefits, for domestic-made semiconductors is national security. Recent geopolitical instability has caused concern over potential IP leakage and theft. For the U.S. Department of Defense (DoD), it is imperative to have a secure and trusted ecosystem for the design and manufacture of semiconductors.
But with most of today’s manufacturing happening overseas, the DoD has had major challenges executing its national security-related projects.
The automotive industry is another area that will benefit from a trusted domestic ecosystem and a more resilient supply chain. As we progress toward autonomous vehicles, compromised components could be used by malicious parties to take control of the system to cause damage and injury.
In these cases (and others), it’s clear that there is a need for component and IP provenance, along with geofencing, to reduce the likelihood of security breaches. More competitive and accessible domestic manufacturing can help solve this by keeping sensitive IP within the borders of the U.S.
Improving the Nation’s Cybersecurity
This executive order on cybersecurity stemmed from recent data breaches and includes an attempt to patch vulnerabilities in sharing between the private sector and the U.S. government. For companies, this means a brighter spotlight will now be cast on security throughout the embedded software development process. For developers, this signifies a greater need to maintain visibility into their code and keep track of any vulnerabilities throughout the lifecycle.
To tackle this, a number of recommendations/requirements have been put forward by this executive order, including better defined processes around cybersecurity incidents, a higher level of awareness around permissions (“zero trust”), and the concept of a software bill of materials (SBOM), which should be delivered as part of the software implementation to enable higher levels of traceability and provenance.
This SBOM should enable system integrators to understand their exposure to security concerns in delivered code via documentation of the software versions delivered, their provenance and the originating supply chain source, all of which allow for better traceability in the design.
The unified BOM
An SBOM will take the form of a hierarchical tree of components, where each component includes the versioned implementation and important metadata that infer its state, license, compliance with standards and other pieces of data. This SBOM should be in machine-readable format for integration into development and test traceability methodologies.
In short, the SBOM should be a complete manifest of the software delivered with the project, and its current state. With the advent of IP-centric design practices in the semiconductor space, we have already seen widespread adoption of the hardware BOM (HBOM), which records the IP component versions that implement an SoC and material metadata.
Since a large portion of today’s SoCs include an embedded software component, this new governmental SBOM requirement suggests SoC developers should be managing the unified platform SBOM/HBOM as part of the development life cycle, and in some cases, delivering with the final product shipment to facilitate traceability and threat detection in the target system integration.
The “unified” BOM: A complete software/hardware manifest
The U.S. government has started two important initiatives with the CHIPS and Science Act and the Improving the Nation’s Cybersecurity executive order. The CHIPS Act will revitalize U.S.-based semiconductor manufacturing to secure the domestic semiconductor supply chain and mitigate concerns with national security-related designs, while the executive order enforces software development practices that reduce the likelihood of cyberattacks.
Software needs hardware to run, and understanding the interdependence of software and hardware is important. By applying the SBOM mandate to the entire SoC manifest with a unified software/hardware BOM, we can help ensure that the best practices outlined in the executive order will be applied to the entire component tree for a given SoC.
This is something that many companies have started to adopt anyway, independent of any government initiatives. Although the executive order now mandates this as a requirement to be able to engage in DoD software development projects, one could argue that without a complete BOM to reflect the full set of software and hardware components in an SoC, we’re not fully addressing provenance and security issues in the design.
In summary, the hope is that the CHIPS Act will help mitigate the supply chain bottleneck plaguing the semiconductor industry. By combining secure manufacturing with secure development best practices, we have a much higher likelihood of improving our semiconductor supply chain and providing a trusted source of components for our national security projects.
Comment