SBOM and Supply Chain Verification Nearly Impossible for Defense Hardware
The DoD procures millions of electronic components annually for weapons systems, many of which pass through opaque supply chains with components manufactured in China, assembled in Southeast Asia, and sold through multiple distributors before reaching a defense contractor. Verifying that a microchip or circuit board is authentic and free of hardware trojans or backdoors is technically difficult and rarely done comprehensively. The Government Accountability Office has repeatedly found counterfeit electronic parts in defense systems, including in missile defense radars and aircraft avionics.
Counterfeit or compromised hardware in weapons systems is not a theoretical risk — it is a demonstrated one. A counterfeit transistor that fails under stress could cause a radar to go blind at the worst possible moment. A hardware trojan implanted in a processor could exfiltrate classified data or disable a system on command. The entire premise of deterrence depends on adversaries believing that American weapons systems will work as designed. Supply chain compromise undermines that certainty in ways that may not be discovered until combat.
The problem persists because the global semiconductor supply chain was optimized for cost, not security. American defense contractors source from the same global supply chains as commercial manufacturers because domestic production of many component types does not exist. The CHIPS Act is investing $52 billion in domestic semiconductor manufacturing, but this addresses cutting-edge logic chips (14nm and below) — the vast majority of defense-critical components are mature-node chips (28nm and above) that are not covered. Even with domestic fabrication, assembly, testing, and packaging (ATP) overwhelmingly occurs in Asia.
The DoD's current approach relies on the Trusted Foundry Program and DMEA (Defense Microelectronics Activity), but these cover only a tiny fraction of the components the DoD needs. The Trusted Foundry Program has been criticized as expensive, slow, and technologically lagging. More fundamentally, no testing methodology can guarantee the absence of a hardware trojan in a complex integrated circuit — the problem is computationally intractable for modern chip designs with billions of transistors. The DoD is left relying on supply chain risk management processes that reduce but cannot eliminate the risk.
Evidence
GAO-22-104751 found continuing counterfeit parts risks in DoD supply chains (https://www.gao.gov/products/gao-22-104751). The Senate Armed Services Committee's 2012 investigation found 1,800+ cases of counterfeit parts in DoD systems. The CHIPS and Science Act of 2022 allocated $52B for domestic semiconductor manufacturing but focused on leading-edge nodes. The Trusted Foundry Program covers fewer than 2% of DoD microelectronic needs per DMEA estimates. A 2023 MITRE study on hardware trojan detection acknowledged that exhaustive verification remains infeasible for complex ICs (https://www.mitre.org/publications).