Chip Security Act
The Chip Security Act would direct the Secretary of Commerce to establish standards for chip security mechanisms on integrated circuit (IC) products and to implement a phased approach to requiring these security features for exports, reexports, and in-country transfers. The bill creates a two-tiered framework: (1) a set of primary security requirements (location verification) to be applied within about six months of enactment, and (2) a potential set of secondary security mechanisms that could be added later based on a formal assessment and congressional reporting. It also strengthens enforcement and reporting obligations for exporters and requires ongoing assessment and reporting on new chip security innovations for several years, with an emphasis on privacy and security of supply chains, export controls, and national security objectives. In short, the bill aims to harden U.S.-made or U.S.-exported ICs against tampering, diversion, and unauthorized use by mandating verifiable security features, expanding oversight, and building a dynamic, Congress-reviewed plan for additional protections and export-control flexibility.
Key Points
- 1Primary chip security requirement: Within 180 days, every covered IC product must include chip security mechanisms that implement location verification before export, reexport, or in-country transfer to a foreign country.
- 2Reporting for licensees: Within 180 days, exporters with licenses under the Export Control Reform Act must promptly report if a product ends up somewhere other than the licensed location, is diverted to an unintended user, or has been tampered with or had security mechanisms disabled or spoofed.
- 3Development of secondary mechanisms: Within one year, the Secretary must assess additional security mechanisms (beyond the primary location-verification requirement) to improve export-control compliance, deter unauthorized use, detect smuggling, and support national security goals; if appropriate, the Secretary must develop requirements for these secondary mechanisms.
- 4Evaluation framework: The assessment must analyze feasibility, reliability, effectiveness, costs (including performance impact and potential new vulnerabilities), benefits (including increased compliance and deterrence), and vulnerabilities to tampering or manipulation. It also must estimate costs to implement at-scale.
- 5Reporting on secondary mechanisms: The Secretary must provide a Congress report within one year (unclassified with a possible classified annex) identifying which secondary mechanisms, if any, should be added and outlining a roadmap for implementation.
- 6Implementation timeline for secondary mechanisms: If mechanisms are deemed appropriate, they must be required for all covered IC products within two years of completing the assessment, with privacy and confidentiality prioritized.
- 7Enforcement and record-keeping: The Secretary may verify ownership and location of exported or transferred products, maintain records including location and end-user, and require licensees to supply needed information to maintain those records.
- 8Ongoing vigilance: For three years, the Secretary must conduct annual assessments of new chip security mechanisms developed in the prior year and report to Congress on findings, including whether new mechanisms should replace or augment existing secondary measures, and recommendations to modify export controls to allow more flexible exports to allied countries when security mechanisms are in place.
- 9Sense of Congress: The bill expresses broad intent that U.S. technology should underpin AI globally, support allies, protect hardware from diversion and tampering, improve export-control compliance, and enable broader, safer international distribution of advanced computing hardware.