DFARS 252.246-7007 Documentation for Parts from Non-Authorized Sources
What DFARS 252.246-7007 actually requires
The Defense Federal Acquisition Regulation Supplement clause 252.246-7007, Contractor Counterfeit Electronic Part Detection and Avoidance System, applies to contracts for electronic parts and assemblies under 10 U.S.C. 2320. It flows down to subcontractors and suppliers at all tiers.
- Establish and maintain a documented system for detecting and avoiding counterfeit electronic parts
- Purchase from OCM (Original Component Manufacturer) or authorized distributors when possible
- When purchasing from non-authorized sources: conduct and document a risk-based review before the transaction
- Maintain traceability records that can be retrieved during government audits
- Flow down these requirements to lower-tier suppliers
The critical phrase is "risk-based." The regulation acknowledges that authorized sources are not always available — especially in maintenance, repair, and overhaul (MRO) scenarios where legacy parts, end-of-life components, or urgent production needs push buyers toward brokers, surplus dealers, or secondary markets. What it requires in those cases is not refusal to buy, but documented evidence that the risk was assessed before money changed hands.
The documentation gap most contractors miss
Most DoD contractors have a written counterfeit avoidance policy. Far fewer have a retrievable, timestamped record for each individual non-authorized source purchase showing what was checked, who accepted the risk, and when.
In a DCSA (Defense Contract Security Agency) or customer audit, the auditor does not ask to see your policy document. The auditor asks:
"Show me the record for this specific purchase from this broker on this date. What due diligence was performed? Who approved it?"
An internal email chain does not reliably satisfy this question. Emails can be written after the fact, have no standardized format, are not independently verifiable, and often do not capture the structured risk signals the regulation implies (seller traceability, part authentication signals, price anomaly flags).
The risk is real: Under DFARS 252.246-7007(f), contractors are required to report counterfeit parts to GIDEP (Government-Industry Data Exchange Program) and to the contracting officer. Inadequate documentation processes are a finding in contractor purchasing system reviews (CPSR) and can affect contract award decisions.
AS9100D and the same requirement in aerospace
Outside the DoD supply chain, AS9100D Clause 8.1.4 (Prevention of Counterfeit Parts) imposes materially identical requirements on aerospace and defense manufacturers: a documented process for managing the risk of counterfeit or suspect parts, with particular attention to parts sourced outside the original manufacturer's authorized network.
AS9100D does not specify the exact format of the documentation. It requires that the documentation be objective evidence — meaning it must be independently verifiable, not self-asserted by the purchasing organization.
What "supporting evidence for a risk-based sourcing decision" looks like
Neither DFARS nor AS9100D mandates a specific form. What they require is a record that demonstrates, at minimum:
| Evidence element | What it shows |
|---|---|
| Seller identity and traceability signals | The source was evaluated before purchase |
| Part number / MPN match verification | The listed part matches the required specification |
| Price anomaly flag | The price was checked against market references |
| Image re-use / fraud signals | Basic authentication signals were assessed |
| Timestamp of review | The review occurred before the transaction |
| Named approver | A responsible person accepted the risk |
| Independent verifiability | The record exists outside the buyer’s own systems |
The last element — independent verifiability — is what distinguishes a defensible record from an internal email. When an auditor can retrieve a record via a public Case ID and confirm its timestamp server-side, the documentation argument holds. When the only evidence is a self-authored email in the buyer's own inbox, it does not.
CT creates this record before the transaction
Supplier Exception Record: third-party generated, server-side timestamped, publicly verifiable via Case ID. Designed to support documented risk-based sourcing decisions required by DFARS 252.246-7007, AS9100D and related frameworks.
Create Supplier Exception Record →CMMC 2.0 and supply chain controls
Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 includes supply chain risk management practices (SA.L2-3.14.1 through SA.L2-3.14.7) that reference the identification and management of supply chain risks, including counterfeit or tampered components entering the supply chain.
While CMMC focuses primarily on information systems rather than physical parts, the underlying principle is identical: documented evidence of risk assessment before a procurement decision, retrievable for audit purposes.
Practical steps for contractors
- Establish a written trigger: Define in your purchasing procedures what constitutes a "non-authorized source purchase" and what documentation is required before the PO is raised.
- Require a Case ID, not an email: Require buyers to attach an independently generated, timestamped exception record to every non-authorized source transaction above a defined threshold (e.g. $500).
- Ensure retrievability: The record must be accessible during a CPSR or AS9100D audit, years after the transaction. It cannot live only in a personal email inbox.
- Flow down the requirement: Your sub-tier suppliers sourcing parts on your behalf have the same obligation. Require evidence from them as part of your supplier qualification process.
What CT does — and what it does not do
CT creates supporting evidence for a documented risk-based sourcing decision. CT does not prove DFARS compliance alone. DFARS 252.246-7007 compliance requires a system-level process — training, inspection protocols, GIDEP reporting, flow-down requirements — of which pre-purchase documentation is one element. CT supports the documentation element of that broader process. CT does not physically inspect, authenticate, certify, insure or guarantee any part.
The correct framing: "CT creates supporting evidence for the documented risk-based sourcing decisions required by DFARS 252.246-7007, AS9100D Clause 8.1.4, and related frameworks."