Emerging Supply Chain Cybersecurity requirements, government acronyms, and actual security. Learn about the current state of mandates such as Cybersecurity Maturity Model Certification (CMMC) and its impending impact on Supply Chain Security. Equally as important, learn how to achieve Cybersecurity Maturity Model Certification on a limited budget, improve your security, and ensure both operational (OT) environments are protected while your IT systems are evaluated for certification.

Industry and government are reacting to cybersecurity threats through new policies and regulations, both at a state, federal, and international level. Companies are requiring that their supply chains have procedures in place to address cybersecurity. Industry standards, like IPC-1791, are being incorporated into supplier qualification requirements. The US government has several initiatives based on our National Security and economic interests that are focused on what is being referenced as "controlled unclassified information". Federal acquisition regulations, both in civilian and defense markets, are including requirements like Cybersecurity Maturity Model Certification as well as NIST SP 800-171 and 800-172, to mandate conformance to specific cyber-security requirements. This session will focus on providing insight into the current state of these current or emerging regulatory requirements, their applicability to the markets that IPC members represent, and some of the approaches one can take to achieve certification on a limited budget while improving security for both IT and OT environments. Regarding some of the approaches, this discussion will include cloud based approaches, and lessons learned, to help provide insight into actionable steps an organization can take to affordably improve security while working to achieve compliance.

This paper presents the concerns on trustworthiness for printed circuit board (PrCB) design, fabrication, and assembly sources for national defense systems, specifically products on the United States Munitions List (USML) that are vulnerable to theft, tampering, and supply disruption.

Trustworthiness is defined and the implementation of a new industry standard, IPC-1791 Trusted Electronic Designer, Fabricator and Assembler Requirements, is presented. The flaws of DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting are also outlined, including the lack of oversight, the absence of third-party certification, and the use of a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in lieu of full compliance.

In light of these concerns, this paper illustrates how the Cybersecurity Maturity Model Certification (CMMC) can solve these problems, specifically focusing on CMMC Level 3 as this level is required for contractors handling Controlled Unclassified Information (CUI). The parallels between CMMC Level 3 and NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations requirements are also discussed.

While focusing on the positive attributes of CMMC, this paper also examines the challenges that CMMC may cause. Studies have found that even without the added costs of CMMC, many small companies struggle to absorb the cost of some NIST SP 800-171 requirements. The additional financial challenge of CMMC for smaller companies could result in DoD and primes loosing critical suppliers who choose not to be certified. Prime contractors have the benefit of a cost allowance, but this does not flow down to the small companies who are competitively bidding on PrCBs or assemblies at a fixed unit price.

This slide show discusses the cybersecurity risks associated with network integration.  The supply chain is the most vulnerable, especially sub suppliers.  A particular risk is when bad actor suppliers build in controlling components by changing the Gerber file.  This allows worms to infiltrate sensitive networks.  The number of threats are increasing and the DoD has been taking steps to enforce security on it's suppliers. Remote diagnostics and automation also increases the scope of vulnerability.

Current policies and regulations intended to protect supply chains from cyber threats, especially the supply chain to the US DoD, have proven ineffective. Nearly $1 trillion in intellectual property and controlled unclassified information (CUI) is stolen very year by foreign adversaries. The “who” it is being stolen from is you, whether you know it or not. Suppliers and sub-contractors, according to DoD Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, are the Achilles heel of national security. [need reference]

In response, both government and industry are taking action that will impact your business. Cybersecurity Maturity Model Certification (CMMC), a new US DoD regulation will affect companies beginning in 2021. [need reference] CMMC places new mandatory requirements on every organization participating in the supply chain to the DoD, whether contractor, subcontractor, or supplier. In parallel, Industry is increasingly looking at its supply chain through a risk lens, seeking to control the amount of risk they are willing to accept. For suppliers, this means compliance continues to be necessary but may no longer be sufficient. CMMC is envisaged as a global initiative that will move beyond DoD to commercial supply chains and service industries. This paper will describe the shortcoming and impact of current policies and regulations and contrast them with emerging regulations like CMMC. It will detail the process and timeline for CMMC’s role out; describe CMMC’s different certification levels and how to determine which will be required of your organization; explain the certification and re- certification processes; and provide a list of helpful resources.

Every company today is threatened – present company not excluded. CMMC is a call to action and organizations needs to be acting now.

Published stories in 2015 of a maliciously altered server motherboard have made clear that the circuit board is vulnerable to hardware attacks. To demonstrate their vulnerability, a circuit board's Gerber file was edited to show how easily a component could be added to a design that would make the system vulnerable to attack, either by logging data or by inserting false commands on a control bus. Importantly, this component was added after the schematic and layout had been completed, emulating the behavior of a bad actor who wanted to make unnoticed changes to a complete design. The "before" and "after" designs can be compared to see the extent to which such an attack would be likely to go unnoticed, and highlight the vulnerability of board design files once they have exited the company that designed them. A secure and reliable supply chain must take this type of possible attack into account.

To counter such attacks, one must consider sources of possible circuit-board alterations, ways that components added to a board could be placed onto the board surreptitiously, and which elements of modern systems are most vulnerable to this type of attack. Previous research in the area of counterattacks will be reviewed.

This paper will discuss from an operational perspective what companies are or aren’t doing now and what steps companies can take to secure their overall IT enterprise which will logically help secure their Operational Technology (OT). It will address the need for all businesses to think about cyber security; what actions are needed to secure their systems; how the U.S. Government (lead by the Department of Defense (DoD)) is requiring compliance to specific cybersecurity standards (NIST 800 series & Cybersecurity Maturity Model Certification (CMMC)); how well companies are doing from SeraBrynn’s perspective from the field; and what actions can be taken by companies to secure their systems and be compliant. The goal of the paper is for the participants to understand the potential threats to their company and customers, what standards they could he held accountable, and some specific actions they can take to enhance their company’s cybersecurity posture.

High Density Interconnect (HDI) Printed Circuit Boards (PCBs) and assemblies are essential to allow space projects to benefit from the ever-increasing functionality of modern integrated circuits. The European Space Agency (ESA) in collaboration with its industrial partners have been updating their standards for PCB design, qualification, and procurement, which also include advanced PCB technologies such as microvias. Results from a wide range of microvia reliability testing have been obtained, which include modelling, assembly simulation, chamber thermal cycling, current induced cycling, and various other accelerated coupons tests.

In complement to the efforts on design, testing and modelling of various microvia configurations, the manufacturing processes have been reviewed in-depth as a result of weak microvia failures. This has been done in close collaboration with qualified PCB manufacturers and their chemistry suppliers. Corrective actions and various other recommendations have been listed in microvia process guidelines [1]. This can also be used for conducting a process audit with a level of detail that is still appropriate for general engineers without detailed chemical background. This paper presents the content of these microvia process guidelines, with the intention to provide support for the review of these complex processes.

This slide show discusses Automation of IST testing.  It utilizes Dielectric estimation laminate assessment method (DELAM).  The slides utilizes thermo-graphics to locate the failure in microvias.  The microvias are tested using IST standard X design and Reflow cycling.    Different Microvia structures were tested and compared.  This includes stacked and semi stacked microvia structures.  

The push for faster data rates and increased signal density in printed circuit boards (PCBs) increases the risk of signal crosstalk on high-speed communication busses which can be highly detrimental to system performance. Interlayer crosstalk between vertical layers is a significant contributor to eye degradation and overall signal quality. This phenomenon can occur when signal traces are routed above/below plated through hole (PTH, also referenced herein as “vias” or “pins”) antipad on the adjacent reference planes, exposing traces on neighboring signal layers to each other. This interlayer crosstalk can be minimized by reducing manufacturing driven layer-to-layer misregistration and reducing the antipad diameter around back drilled PTHs. However, implementing these improvements in the PCB manufacturing process adds cost and raises potential reliability concerns. For example, reducing the PTH antipad diameter on the planes through which backdrilling will occur increases the probability of copper plane exposure after backdrilling. This could pose a shorting risk due conductive anodic filament growth, electrochemical migration, or copper burrs.

This paper provides a cost-benefit analysis of PCB process improvements to reduce interlayer crosstalk, including a reduction in the allowable misregistration between adjacent cores and reduced antipad diameter around back drilled holes. As a part of this analysis, the signal integrity (SI) improvements gained by reducing core-to-core misregistration from 127 µm (5 mil) down to 76.2 – 101.6 µm (3 - 4 mil) were modeled as well as the SI improvements gained from reducing back drilled hole antipad diameter from 0.76 mm (30 mil) to 0.71 mm (28 mil) or even less for a 0.3 mm (11.8 mil) primary drill. The relative cost adder of these improvements was estimated based on PCB manufacturer input. Further, the reliability of backdrill exposed ground and/or power planes with and without hole fill was evaluated through temperature/humidity/bias testing and micro-sectioning of PCB coupons. It was found that reducing the antipad diameter around back drilled PTHs had more impact on crosstalk reduction than reducing the core-to-core misregistration. Taking signal/power integrity benefits, reliability, and cost into consideration, recommendations for pursing reduced core-to-core misregistration and smaller antipads around backdrilled holes are provided.