What the CHIPS and Science Act implies for the semiconductor industry's future
Improving the Nation's Cybersecurity
This year is turning out to be a big one for making semiconductors in the U.S. During a global chip shortage and record inflation, U.S. President Biden signed into law the CHIPS and Science Act, which gave chip makers $52 billion in subsidies to build fabrication plants in the U.S. This was the biggest boost to U.S. semiconductor manufacturing in history. The CHIPS Act seems to be a good sign for making things in the United States.
But an executive order from the president called "Improving the Nation's Cybersecurity" that came out earlier this year could be a problem for semiconductor design shops that want to work on national security projects. This executive order came out a few months before the CHIPS Act was signed. It sets parameters that will force U.S. software companies to change their long-standing development and design processes if they want to follow federal rules about how the government and private sector share information. Let's look at how these two measures are related, what they mean for semiconductor companies, and why the highs and lows of American semiconductor manufacturing come down to one thing: security.
Semiconductor chips are made in the United States
The CHIPS and Science Act of 2022 gives chip makers $52 billion to help them build factories in the U.S. To put that in perspective, only 12% of all semiconductor chips are made in the United States right now. The Act comes at a time when the world economy is going down, and lawmakers are hoping that chips made in the United States will solve security and supply chain problems. In short, this is something that the U.S. needs to do to reclaim its historic role in making semiconductors.
National security is one of the most important reasons and benefits of using semiconductors made in the United States. Recent instability in geopolitics has made people worry about IP leakage and theft. The U.S. Department of Defense (DoD) needs a safe and trusted ecosystem for designing and making semiconductors. But since most manufacturing takes place overseas now, the DoD has had a hard time getting its national security projects done.
Sensitive intellectual property (IP) within U.S. borders
Another industry that will benefit from a trusted domestic ecosystem and a stronger supply chain is the auto industry. As we move toward self-driving cars, malicious actors could use compromised parts to take control of the system and cause damage or hurt people. In these and other situations, it's clear that component and IP provenance, as well as geofencing, are needed to make security breaches less likely. Keeping sensitive intellectual property (IP) within U.S. borders can help solve this problem by making domestic manufacturing more competitive and accessible.
The private sector and the U.S. government share information
This executive order on cybersecurity was made because of recent data breaches. It tries to fix problems with how the private sector and the U.S. government share information. As a result, companies will have to pay more attention to security during the whole process of making embedded software: developers need to keep a closer eye on their code and keep track of any security holes throughout the lifecycle. The executive order makes a number of recommendations and requirements to deal with this problem.
These include better-defined processes for cybersecurity incidents, a higher level of awareness about permissions ("zero trust"), and the idea of a software bill of materials (SBOM), which should be delivered as part of the software implementation to allow for higher levels of traceability and provenance. This SBOM should make it easier for system integrators to understand their exposure to security risks in delivered code by keeping track of the software versions and where they came from in the supply chain. This makes it easier to trace the design.
IP-centric design practices in the semiconductor space
An SBOM will be in the form of a hierarchical tree of components. Each component will include the versioned implementation and important metadata about its state, license, compliance with standards, and other information. This SBOM should be in a format that can be read by machines so that it can be used in the development and testing of traceability methods. In short, the SBOM should be a complete list of all the software that comes with the project and its current state.
With the rise of IP-centric design practices in the semiconductor space, the hardware bill of materials (HBOM), which keeps track of the IP component versions that make up an SoC and material metadata, is already widely used. Since most SoCs today have embedded software, this new government SBOM requirement suggests that SoC developers should manage the unified platform SBOM/HBOM as part of the development life cycle and, in some cases, ship it with the final product to make it easier to track and find threats in the target system integration.
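The unified SBOM/HBOM tree described above, sketched as an added example that is not from the original article and does not follow any particular SBOM standard. The SoC, its component names, versions and the field names (`kind`, `origin`, `children`) are all constructed assumptions; the code walks the tree to report components with missing provenance metadata and to trace where a given component version sits in the design.

```python
# Constructed sample: a unified SBOM/HBOM for a hypothetical SoC. All names,
# versions and field names are invented for illustration.
REQUIRED = ("version", "license", "origin")

SOC_BOM = {
    "name": "example-soc", "kind": "hw", "version": "2.1",
    "license": "proprietary", "origin": "in-house",
    "children": [
        {"name": "cpu-subsystem", "kind": "hw", "version": "1.4",
         "license": "vendor-A", "origin": "vendor-A",
         "children": [
             {"name": "boot-rom", "kind": "sw", "version": "0.9",
              "license": "proprietary", "origin": "in-house",
              "children": [
                  {"name": "crypto-lib", "kind": "sw", "version": "3.0.1",
                   "license": "Apache-2.0", "origin": "upstream-mirror"}]}]},
        {"name": "radio-ip", "kind": "hw", "version": "5.0",
         "license": "vendor-B", "origin": "",  # provenance not recorded
         "children": [
             {"name": "radio-fw", "kind": "sw", "version": "1.2",
              "license": "vendor-B", "origin": "vendor-B",
              "children": [
                  {"name": "crypto-lib", "kind": "sw", "version": "3.0.1",
                   "license": "Apache-2.0", "origin": "upstream-mirror"}]}]},
    ],
}

def walk(node, path=()):
    """Yield (path, component) for every node in the BOM tree, depth first."""
    here = path + (f'{node["name"]}@{node.get("version", "?")}',)
    yield here, node
    for child in node.get("children", []):
        yield from walk(child, here)

def missing_metadata(bom):
    """Components whose required provenance fields are absent or empty."""
    return {p[-1]: [f for f in REQUIRED if not n.get(f)]
            for p, n in walk(bom) if any(not n.get(f) for f in REQUIRED)}

def exposure(bom, name, version):
    """Every path from the SoC root down to a given component version."""
    return [" > ".join(p) for p, n in walk(bom)
            if n["name"] == name and n.get("version") == version]

if __name__ == "__main__":
    print(missing_metadata(SOC_BOM))
    for line in exposure(SOC_BOM, "crypto-lib", "3.0.1"):
        print(line)
```

Because software components hang beneath the hardware IP blocks that carry them, one query shows that the same library version reaches the SoC through two different IP blocks, which a software-only list would not tie back to the hardware.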
U.S. semiconductor manufacturing to safeguard the domestic market
With the CHIPS and Science Act and the Improving the Nation's Cybersecurity executive order, the U.S. government has begun two important projects. The CHIPS Act will bring back the manufacturing of semiconductors in the U.S. to protect the domestic semiconductor supply chain and ease concerns about designs related to national security. The executive order will enforce software development practices that make cyberattacks less likely. Software can't run without hardware, and it's important to know how software and hardware work together.
By applying the SBOM mandate to the entire SoC manifest with a unified software/hardware BOM, we can help make sure that the best practices outlined in the executive order will be used for the whole component tree for a given SoC. This is something that a lot of companies have already started to do, even without any government programs. Even though this is now a requirement to be able to work on DoD software development projects, one could argue that without a complete BOM that shows the full set of software and hardware components in an SoC, we are not fully addressing provenance and security issues in the design.
In short, the hope is that the CHIPS Act will help fix the problem with the semiconductor industry's supply chain that has caused a bottleneck. By using the best practices for both secure manufacturing and development, we have a much better chance of improving our semiconductor supply chain and giving our national security projects a reliable source of parts.