The Chip Security Act directs the Secretary of Commerce to create standards for "chip security mechanisms" on advanced integrated circuits and products that contain them. The statute frames these mechanisms as tools to reduce diversion, detect tampering, and generally make exports of sensitive computing hardware easier to monitor and manage.
If implemented, the law would reposition embedded device controls as a complement to legal export restrictions: the goal is to make it feasible to send higher volumes of computing hardware to trusted partners while retaining the ability to track ownership and detect misuse. For exporters and manufacturers this means new engineering, compliance, and reporting obligations tied to export licensing regimes.
At a Glance
What It Does
The bill requires covered integrated circuit products to include chip security mechanisms that implement location verification and other protections, and it orders Commerce to assess and, if appropriate, require additional secondary mechanisms. It also creates reporting obligations for licensees and gives Commerce authority to verify locations, maintain records of devices, and collect information from exporters.
Who It Affects
Semiconductor companies, OEMs that embed advanced chips, and any person or firm that holds an export or reexport authorization for products classified under ECCNs listed in the bill (notably 3A090, 3A001.z, 4A090, 4A003.z and successors). It also touches BIS/Commerce staff, export compliance teams, and firms that provide security tooling for devices.
Why It Matters
This is a technical regulatory lever that could change the shape of export controls: by tying physical and firmware-level protections to licensing, it creates a pathway to ease destination restrictions for trusted partners while shifting substantial implementation costs and security responsibilities to industry.
What This Bill Actually Does
The Act defines a covered integrated circuit product by reference to specific export-control classification numbers and any successors, and it defines "chip security mechanism" broadly to include software, firmware, hardware, or physical protections. That framing means the obligations apply not only to bare chips but to end-products and systems whose ECCN places them in scope.
For initial implementation Commerce must move quickly: within a short statutory window the Department must set baseline requirements that ensure exported covered products are fitted with mechanisms enabling location verification prior to export, reexport, or in-country transfer. The bill also creates an immediate reporting duty for license holders: if they obtain credible information that an exported unit is in the wrong place, was diverted, or was tampered with, they must report promptly to BIS leadership.
Beyond the baseline, the statute requires Commerce to perform a structured assessment (within one year) of additional mechanisms; examples mentioned in the bill include anti-tampering, workload verification, and ways to alter functionality in illicitly acquired units. That assessment must examine feasibility, reliability, cost, performance impacts, and susceptibility to new vulnerabilities; Commerce must report its findings (with an optional classified annex) and, where appropriate, create a roadmap to mandate secondary protections.
If Commerce decides secondary mechanisms are warranted, the agency must require implementation within a two-year window after completing the assessment and is instructed to prioritize confidentiality when designing requirements. The Act also gives Commerce enforcement tools: it may verify device ownership and locations, keep a record of covered products and end‑users, and compel licensees to provide information needed to populate and maintain those records.
Finally, the statute mandates a follow-on review cycle—starting two years after enactment and continuing annually for three years—to evaluate new mechanisms and recommend export-control adjustments that could expand destinations for protected devices.
The Five Things You Need to Know
Commerce must issue initial standards within 180 days after enactment requiring covered products to support location verification before export, reexport, or in‑country transfer.
Licensees who hold export authorizations must promptly notify the Under Secretary of Industry and Security if they obtain credible information of diversion, tampering, or mislocation of a covered product.
Within one year Commerce must complete an assessment of potential secondary mechanisms—examining feasibility, cost, performance impact, and susceptibility to tampering—and report the findings (with a possible classified annex) to Congress.
If Commerce selects secondary mechanisms, it must require their implementation no later than two years after finishing the assessment and must prioritize confidentiality in rules and standards.
The Secretary may verify locations, maintain records of covered products and end‑users, require information from licensees to populate those records, and must run annual assessments of new chip security mechanisms for three years beginning two years after enactment.
Section-by-Section Breakdown
Short title
Establishes the Act's name as the 'Chip Security Act.' This is a formal provision but signals congressional intent to create a focused statutory regime linking chip-level protections to export policy.
Sense of Congress
Sets the policy rationale: U.S.-developed computing should underpin allied AI systems, and protecting exported hardware from diversion and tampering is necessary both for national security and to enable greater allied access. While nonbinding, the findings frame subsequent sections and provide administrative interpreters with statutory objectives to weigh when drafting standards and guidance.
Definitions and scope (ECCNs and terms)
Defines key terms, including 'chip security mechanism' and 'covered integrated circuit product,' and borrows the statutory meanings of export and reexport from the Export Control Reform Act. By tying coverage to specific ECCNs (3A090, 3A001.z, 4A090, 4A003.z) and successors, the provision uses export-classification law to set subject-matter scope, so any reclassification or successor ECCN will matter for compliance scope and enforcement.
Baseline requirements, reporting, and the assessment mandate
Requires Commerce to quickly establish baseline standards that, at minimum, require location verification features on covered products prior to outbound transfer, and binds licensees to a prompt reporting duty when they acquire credible intelligence about diversion, tampering, or mislocation. It also directs a comprehensive one-year assessment into additional mechanisms (what they are, their costs and benefits, their impact on product performance, and their susceptibility to manipulation) and requires a public/unclassified report with a possible classified annex to Congress.
Implementation, enforcement authority, and continuing reviews
If Commerce selects secondary protections, the agency must phase them in within two years of completing the assessment and keep confidentiality a priority. The Secretary is given operational authorities: verify ownership and location of exported devices, maintain a registry of products and end‑users, and compel reporting information from licensees. The statute also creates a multi‑year surveillance loop—assessments of new mechanisms starting two years after enactment and annual reports for three years—intended to keep standards current and to identify opportunities to relax export destinations for devices that meet the standards.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- U.S. national security and export policymakers — gain additional technical tools to monitor and deter diversion, improving enforcement and potentially enabling more permissive export decisions to trusted partners.
- Allied governments and vetted partners — could receive larger or streamlined shipments of advanced hardware if devices meet Commerce's security standards and export controls are relaxed accordingly.
- Export compliance teams at U.S. firms — obtain clearer technical criteria to demonstrate protection measures, which may translate into more predictable licensing outcomes for some destinations.
Who Bears the Cost
- Semiconductor manufacturers and OEMs — must design, validate, and deploy hardware/firmware-level mechanisms (location verification, anti‑tamper) which impose engineering, testing, and unit-cost increases and may affect performance.
- Exporters and license holders — take on new monitoring and reporting duties and may face supply-chain disruption while devices are retrofitted or redesigned to meet standards.
- Department of Commerce/BIS — faces resource and technical staffing demands to perform assessments, maintain device records, and conduct verification and oversight without an explicit funding mechanism in the text.
Key Issues
The Core Tension
The central dilemma is this: enforcing device-level controls can enable more liberalized exports to trusted partners by making diversion and tampering easier to detect, but mandating embedded security mechanisms imposes technical costs, can degrade performance or usability, and risks creating new vulnerabilities and privacy concerns—so the policy trades expanded diplomatic and economic flexibility for engineering burdens and potential security tradeoffs with no guaranteed payoff.
The Act creates ambitious technical mandates but leaves several implementation questions unanswered. Location verification is feasible in some architectures (e.g., devices with persistent network connectivity and secure location attestation), but many covered products operate in constrained environments or offline; the bill's one-size-fits-all scope tied to ECCNs could sweep in devices for which reliable, tamper-resistant location proofs are impractical.
Mandating in-device mechanisms also risks introducing new attack surfaces—poorly implemented firmware or hardware attestations can be spoofed or exploited, potentially weakening security rather than strengthening it.
The statute asks Commerce to weigh costs, performance impacts, and susceptibility to manipulation, but it does not specify liability standards, testing regimes, or interoperability expectations. That opens practical tensions: manufacturers will seek clear, testable standards and conformance labs; allies will demand assurances that the mechanisms respect operational privacy and data protection; and exporters will need guidance on how reporting obligations interact with commercial confidentiality.
Finally, the effectiveness of any device-level control depends on global uptake—adversaries can still access capability via illicit markets—so the bill’s ambition to unlock broader exports rests on uncertain assumptions about enforceability and international coordination.