Regulatory compliance and standards

The Cybersecurity Maturity Model Certification framework, administered by the US Department of Defense, requires defense contractors and their supply chains to demonstrate that controlled unclassified information is protected across their operations. Physical hardware security — specifically, the ability to verify that components and assemblies have not been tampered with or substituted — is an increasingly explicit concern within CMMC Level 2 and Level 3 requirements, particularly in the context of supply chain risk management (SCRM) controls drawn from NIST SP 800-161. DUST supports CMMC compliance in two ways: by providing verifiable chain-of-custody evidence for hardware that enters controlled facilities, and by enabling tamper detection at the component level that documents whether physical access or substitution occurred. The DICE platform's air-gapped deployment option ensures that authentication infrastructure can operate within classified or controlled environments without network connectivity requirements.

The EU Digital Product Passport (DPP) is a regulatory framework being implemented under the EU Ecodesign for Sustainable Products Regulation (ESPR), requiring products sold in the European Union to carry a machine-readable data carrier — typically a QR code or RFID tag — linked to a standardized digital record containing product information, sustainability credentials, material composition, repairability data, and end-of-life instructions. The DPP is being phased in by product category from 2026 onward, starting with batteries and textiles, and eventually extending to most physical goods. DUST enables DPP compliance by providing the physical authentication layer that links the product to its digital passport record. Without a physics-based anchor, a DPP-linked QR code or RFID tag can be removed and reattached to a non-compliant product. DUST ensures that the digital passport is permanently and verifiably bound to the physical item it describes. Dust Identity's DICE platform has been designed to support the DPP data structure and is integrated with workflows for ESG reporting and sustainability credential management.

Section 818 of the National Defense Authorization Act, codified in the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.246-7007 and 252.246-7008, requires defense contractors to implement counterfeit electronic part detection and avoidance systems, report suspect counterfeit parts to the Government-Industry Data Exchange Program (GIDEP), and maintain traceability documentation through their supply chains. DUST directly addresses these requirements by providing a physics-based authentication method that detects counterfeits at incoming inspection, generates verifiable chain-of-custody records that satisfy traceability documentation requirements, and creates an audit trail that supports GIDEP reporting when suspect parts are identified. The A4 Data framework — Available, Accurate, Attributable, and Anchored — maps directly to the documentation integrity requirements of DFARS 252.246-7007.

FAA Form 8130-3, the Airworthiness Approval Tag, is the primary documentation accompanying certified aircraft parts through the aftermarket. It is also one of the most frequently forged or fraudulently reused documents in aerospace supply chains. The form certifies that a part meets airworthiness standards and was manufactured or overhauled in compliance with applicable regulations — but the form itself has no cryptographic or physical link to the specific part it accompanies. A genuine 8130-3 can be detached from a certified part, reused, or digitally cloned and paired with a non-conforming part. DUST permanently marks the authorized part at point of manufacture or certification, making the part and its documentation inseparable: any scan of the physical part confirms whether it matches the enrolled record and its associated 8130-3. Distributors, MROs, and operators can perform this check in seconds, replacing manual visual inspection with physics-based authentication.

Environmental, social, and governance reporting increasingly requires organizations to verify claims about material provenance, manufacturing conditions, and environmental impact across their supply chains — not merely to document them. DUST provides the physical anchor that makes these claims verifiable at the level of the individual item. A conflict-mineral declaration, a recycled content certification, or a low-carbon manufacturing credential becomes a verifiable assertion — tied to a specific batch or item — rather than a self-reported document. The DICE platform supports ESG data fields alongside standard supply chain documentation, and workflow automation enables compliance reporting for frameworks including the Corporate Sustainability Reporting Directive (CSRD), the Task Force on Climate-related Financial Disclosures (TCFD), and the EU Digital Product Passport. For luxury goods and fashion brands, this dimension is particularly commercially significant. Sustainability credentials — verified material origin, ethical manufacturing attestations, recycled content certifications — are increasingly a purchasing factor for luxury consumers and a differentiator in the secondary market. A DUST scan that simultaneously authenticates the product and surfaces its verified sustainability provenance gives brands a way to convert ESG investment into a tangible consumer-facing value proposition, not merely a compliance checkbox. In the resale context, sustainability credentials attached to the physical item — rather than to a QR code that can be detached and reassigned — retain their credibility through every ownership transfer.

Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act requires SEC-reporting companies to investigate and disclose whether their products contain conflict minerals — tantalum, tin, tungsten, and gold — originating from the Democratic Republic of Congo or adjoining countries. Compliance typically relies on supplier questionnaires and chain-of-custody certifications, which are self-reported and not independently verifiable at the individual component level. DUST enables traceability from raw material batch through processing and manufacturing by anchoring the identity of material stock at the point of origin. A smelter can DUST-tag certified conflict-free mineral batches; every downstream processor, component manufacturer, and OEM can verify the provenance of the material they receive by scanning the DUST marking — not by trusting a paper certificate.

The DICE platform is available in an air-gapped, on-premise deployment specifically designed for classified and ITAR-controlled environments. In this configuration, no authentication data leaves the controlled network: scans, fingerprint records, custody events, and associated documentation are stored locally with no cloud connectivity. The DUST coating material itself is a commercially available industrial product with no ITAR classification. The scanner hardware is similarly commercially sourced. Customers operating in classified environments should work with Dust Identity's government programs team to configure a deployment that meets their specific facility security requirements, including potential integration with existing classified networks and compliance with applicable DoD information security policies.

Yes. FDA recall requirements under 21 CFR Part 806 and CPSC corrective action requirements mandate that manufacturers be able to identify affected product lots, notify downstream supply chain participants, and track the status of recalled items. DUST enables this by creating a per-unit digital record that logs every custody transfer, allowing a manufacturer to identify exactly which units shipped to which distributors and retailers, and to confirm — by scanning returned units — that recalled items have been physically returned rather than simply reported as destroyed. The DICE platform includes built-in recall workflow support that enables notifications, tracks response status, and generates audit-ready documentation. For pharmaceutical and medical device manufacturers, DUST also supports the unique device identification (UDI) and drug supply chain security requirements under DSCSA, providing a physics-based authentication layer alongside the required barcode and electronic records.

The CHIPS and Science Act of 2022 includes requirements for recipients of CHIPS Act funding to maintain documentation of their semiconductor supply chains and to implement measures against the introduction of counterfeit or malicious components. DUST addresses this at two levels. At the wafer and die level, the DUST Epoxy Molding Compound (in development) incorporates identity tags directly into semiconductor packaging at manufacture, enabling authentication of individual ICs through their lifecycle. At the board and system level, DUSTed conformal coatings allow electronics manufacturers to tag assembled PCBs and systems at the point of domestic manufacture, creating verifiable evidence that boards assembled in a trusted facility have not been tampered with or had components substituted in transit. This is particularly relevant for the defense and critical infrastructure supply chains that CHIPS Act funding is designed to re-shore.