Codify — Article

Chip Security Act mandates location-verifiable protections for exported chips

Requires Commerce to set standards forcing covered integrated circuits to include location verification and other security features, reshaping export compliance and chip design obligations.

The Brief

The Chip Security Act directs the Secretary of Commerce to require covered integrated circuit products to include chip security mechanisms that implement location verification within 180 days of enactment and to compel licensees to report credible information of diversion, tampering, or bypass attempts. The bill ties coverage to specific Export Control Classification Numbers (including 3A090/3A001.z and 4A090/4A003.z and successors), gives Commerce broad verification and recordkeeping authority, and launches a one-year assessment to identify additional (secondary) mechanisms to bolster export control compliance.

Those secondary mechanisms, if recommended, must be phased in within two years after the assessment; Commerce must prioritize confidentiality in implementation and provide reports (unclassified with optional classified annexes) to congressional committees. The measure creates a new compliance regime that will affect chip designers, manufacturers, licensed exporters, and U.S. export-control operations — with direct consequences for product design, costs, data handling, and the potential to relax export restrictions where robust mechanisms are demonstrable.

At a Glance

What It Does

The bill requires covered integrated circuits and certain computers to be outfitted with chip security mechanisms that enable location verification before export, reexport, or in‑country transfer, and it requires licensees to report credible information of diversion or tampering. It directs Commerce, in coordination with Defense, to assess and possibly mandate additional security mechanisms and gives Commerce authority to verify device location and maintain records.

Who It Affects

Semiconductor designers and manufacturers whose products fall under ECCNs 3A090/3A001.z and 4A090/4A003.z (and successors), companies holding ECRA export licenses, U.S. export-control agencies, and foreign recipients of advanced computing hardware. Customs, border enforcement, and allied procurement agencies will also see operational impacts.

Why It Matters

This bill effectively embeds export‑control policy into hardware design: security features become compliance prerequisites rather than optional mitigations. That shifts compliance costs onto manufacturers and exporters and creates a pathway where verified hardware could support looser export controls — altering incentives across supply chains and government licensing.

What This Bill Actually Does

The bill starts by establishing why Congress cares: U.S.-developed technology should underpin allied AI and national security objectives and must be protected from diversion and tampering. It then defines the program’s scope by pointing to specific Export Control Classification Numbers (ECCNs) and any substantially similar successor codes — the practical trigger for whether a given integrated circuit or system is covered.

The first operative requirement is immediate and narrow: within 180 days of enactment Commerce must require covered products to include chip security mechanisms that implement location verification using techniques “feasible and appropriate” on that date. Separately, any person with an export license under the Export Control Reform Act must promptly report credible information that the product is in a different location than declared, was diverted to an unauthorized user, or has been tampered with — including attempts to disable or spoof the verification.

Work on broader measures follows a staged process. Within one year Commerce, coordinating with the Department of Defense, must assess what additional mechanisms could strengthen compliance and deter misuse — from tamper-resistance and workload verification to ways of modifying functionality in illicitly acquired devices. The assessment must analyze feasibility, reliability, costs (including performance impacts), and susceptibility to countermeasures. Commerce must deliver an unclassified report to the identified congressional committees (with an optional classified annex) that names any recommended secondary mechanisms and, if applicable, a roadmap for implementation.

If Commerce identifies additional mechanisms, the bill requires manufacturers to outfit covered products with those mechanisms within two years of completing the assessment. Commerce also gains explicit enforcement tools: it may verify device ownership and location, maintain records that include current location and end-user, and compel licensees to supply information needed for those records.

Finally, Commerce must do an annual technology sweep for three years — assessing newly developed chip security mechanisms and recommending whether to add or replace prior requirements and whether export controls should be adjusted to permit wider shipments when security measures are present.

The Five Things You Need to Know

1. Within 180 days of enactment, Commerce must require covered products to include chip security mechanisms that implement location verification prior to export, reexport, or in‑country transfer.
2. The bill uses ECCNs as the coverage trigger: integrated circuits under 3A090 or 3A001.z and computers under 4A090 or 4A003.z, plus substantially similar successor classifications.
3. Licensees must promptly report credible information that a licensed product is in a different location than declared, was diverted to an unauthorized user, or has been tampered with or subjected to circumvention attempts.
4. Commerce, coordinating with DoD, must complete a one‑year assessment of additional mechanisms (feasibility, costs, tamper resistance, workload verification, and susceptibility to manipulation) and produce an unclassified report with an optional classified annex.
5. If Commerce designates secondary mechanisms, manufacturers must implement them no later than two years after the assessment; Commerce can verify locations, keep records of end‑users and locations, and require licensees to provide the information needed.

Section-by-Section Breakdown

Section 2

Sense of Congress framing export-security objectives

This section states Congress’s policy goals: that U.S. technology should undergird allied AI capabilities, and that exported advanced circuits must be protected from diversion, theft, and unauthorized use. While not legally binding, it signals that security measures embedded in hardware are a desired route to both protect national security and enable broader export cooperation with partners.

Section 3

Definitions and coverage triggers

Section 3 fixes the program’s scope by defining key terms: who counts as the “Secretary,” what a “chip security mechanism” can encompass (software, firmware, hardware, or physical measures), and what products are covered — explicitly tethered to ECCNs 3A090/3A001.z and 4A090/4A003.z or successors. That reliance on ECCNs means the policy applies to items already mapped to export control lists, but it also imports any downstream reclassification or successor code changes.

Section 4(a)

Primary requirement: location verification and reporting

This subsection imposes the immediate requirement: within 180 days Commerce must require location verification capability on covered products before export. It also imposes a prompt reporting duty on licensees who obtain credible information of mislocation, diversion, or tampering — including manipulation or attempts to defeat verification. Practically, license holders will need monitoring processes and incident triage protocols, and manufacturers will need to commit to feasible verification approaches at the time of enactment.

Section 4(b)

Secondary requirements: DoD‑coordinated assessment and phased mandates

Commerce must carry out a one‑year, DoD‑coordinated assessment identifying additional mechanisms (tamper-resistance, workload verification, methods to alter illicit devices, etc.) and analyzing costs, performance impacts, and susceptibility to manipulation. The bill requires an unclassified report to the designated congressional committees (with a classified annex option) naming any mechanisms to be mandated; if Commerce designates secondary mechanisms, manufacturers must implement them within two years. The provision also directs Commerce to prioritize confidentiality when implementing secondary measures, signaling attention to sensitive data and defense considerations.

Section 4(c)

Enforcement, verification, and recordkeeping powers

Commerce gains express authority to verify, as it finds appropriate, the ownership and location of exported covered products, to maintain a record that includes product location and current end‑user, and to compel licensed exporters to provide the information necessary for that record. Those powers give Commerce operational tools but also create new data collection and retention duties with attendant security and privacy implications.

Section 4(d)

Ongoing technology reviews and reporting

Starting two years after enactment and annually for three years, Commerce (with DoD) must assess new chip security mechanisms developed in the prior year and report whether any should be added to or replace existing secondary requirements. The reports must also consider whether export controls should be modified to allow wider exports when products meet the security standards, creating a mechanism by which technical safeguards could translate into licensing flexibility.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • U.S. export-control and national security agencies — gain tools to verify device location and end‑user status, improving detection of diversion and the ability to target enforcement actions.
  • Allied governments and authorized recipients — receive hardware with built-in security controls that reduce the risk of local compromise, potentially making them eligible for larger or streamlined shipments if mechanisms meet Commerce standards.
  • Organizations that require provenance and chain-of-custody (defense contractors, critical infrastructure operators) — obtain hardware with stronger assurances about location and tamper resistance, lowering operational risk and supply-chain uncertainty.
  • Manufacturers that can certify and sell compliant devices — may obtain a competitive advantage if Commerce links certified security to looser export restrictions and expanded market access.
  • Licensed exporters who build monitoring and reporting processes — could benefit from clearer expectations and the potential for regulatory relief if devices demonstrably reduce diversion risk.

Who Bears the Cost

  • Semiconductor designers and manufacturers — must invest in design, testing, and manufacturing changes to embed location verification and any secondary mechanisms, raising unit costs and complicating product roadmaps.
  • Exporters and licensees under ECRA — face ongoing monitoring and prompt-reporting obligations that increase compliance overhead and require processes to evaluate and escalate credible intelligence of diversion or tampering.
  • Department of Commerce and Department of Defense — must allocate staff, technical expertise, and program resources to conduct assessments, verify locations, maintain records, and manage classified annexes without an explicit appropriation in the text.
  • Foreign customers and partners — may experience operational constraints or privacy concerns from receiving devices with embedded verification features, and some markets may resist accepting such hardware for regulatory or political reasons.
  • Data security and privacy actors — will shoulder the indirect costs of securing the centralized records Commerce is authorized to maintain, and of addressing legal concerns where embedded telemetry intersects with foreign privacy laws.

Key Issues

The Core Tension

The bill balances two legitimate goals that pull in opposite directions: tighten control over exported high‑end chips by embedding verifiable security, and preserve commercial access and alliance interoperability by enabling potential easing of export restrictions — but strong embedded security raises costs, privacy issues, and new technical risks that can reduce adoption and limit the very export flexibility the law seeks to enable.

Several implementation frictions stand out. First, the bill relies on “location verification” as a near‑term, broadly applicable requirement but leaves “feasible and appropriate” techniques undefined; what constitutes reliable location verification on low‑power or legacy devices is technically unsettled.

Second, embedding new security features can alter device performance and create fresh attack surfaces — a mechanism intended to prevent diversion could itself become an exploitation vector if not designed, audited, and updated securely. Third, the bill requires Commerce to collect and maintain records about device locations and end‑users; those records will be highly sensitive and raise data‑protection, classification, and cross‑border law‑enforcement questions that the statute does not address.

There is also a practical enforcement gap: Commerce can “verify, in a manner the Secretary determines appropriate,” but the bill does not prescribe how verification occurs overseas or how Commerce will compel cooperation from foreign recipients. The provision that security measures could justify relaxed export controls creates a circular pressure: stricter technical requirements raise costs and time‑to‑market, which can slow adoption and therefore delay any regulatory relief intended to follow.

Finally, the reliance on unclassified reports with optional classified annexes balances transparency against national security, but it risks providing insufficient public guidance for industry while keeping operational details opaque to many affected stakeholders.
