PROTECTING MICROELECTRINICSProtecting DoD Microelectronics from Adversary Influence

The National Security Agency’s Joint Federated Assurance Center (JFAC) Hardware Assurance Lab publicly released four Cybersecurity Technical Reports to help the Department of Defense protect field-programmable gate array (FPGA)-based systems from adversary influence.

The reports below were created to help secure FPGAs — a form of programmable microelectronic components — during manufacturing, acquisition, programming, and first attachment of the devices:

·  Field-Programmable Gate Array (FPGA) Overall Assurance Process

Outlines the process NSA JFAC used to develop threat categories and mitigations. This enables teams to mimic the same assurance work for other types of microelectronic devices.

·  Field-Programmable Gate Array Best Practices —Threat Catalog

Describes the high-level threat categories that relate to FPGA devices at each Level of Assurance. This is part of the Trusted Systems and Networks stage of the DoD Program Protection Plan.

·  Field-Programmable Gate Array Level of Assurance 1 Best Practices

Provides mitigations for each relevant FPGA threat category at Level of Assurance 1.

·  Third-Party IP Review Process for Level of Assurance 1

Details a methodology for performing an engineering review of third-party intellectual property that is included in an FPGA design for Trojan detection.

NSA is part of a federation of DoD organizations that promote and enable software and hardware assurance through the Joint Federated Assurance Center. NSA JFAC, which strengthens and supports microelectronics hardware assurance for DoD programs by providing vulnerability detection, analysis, and remediation capabilities, drafted the report as follow up to its introductory guide, “DoD Microelectronics: Levels of Assurance Definitions and Applications.”

The JFAC is available to assist DoD programs throughout this process and can be contacted through https://jfac.navy.mil (CAC-enabled website). The reports will also be posted there.