The ENIG finish is one of the most common final finishes finding broad acceptance in the market for decades. ENIG is the abbreviation for “electroless nickel – immersion gold” where it is the nature of the gold plating step to include an immersion reaction. Even with conventional and simple immersion gold electrolytes having a high degree of displacement reaction, the resulting Ni corrosion does not necessarily cause issues in the solderability or reliability of the coating. Nevertheless the corrosive attack is seen as a critical parameter mainly driven by OEM’s so that acceptance criteria are defined in the latest version of the IPC 4552.

Key target for the development of immersion gold electrolytes is therefore always, to create a solution with lowest possible corrosive attack. Avoiding the creation of wide areas of surface corrosion, which might cause defects in soldering and bonding applications is obligatory. Over the recent years different generations of electrolytes were developed which differ in the plating mechanisms and the corrosion performance that can be achieved.

In this paper it is shown and described, which types of gold electrolytes are available in the market and what their characteristic corrosion attack look like. To allow a proper base line definition, this was done based on a thorough hypercorrosion evaluation. It is discussed, which types of corrosion can be really critical for the final application and where to focus on in the evaluation. Aim of this study is to compare the different types and generations of gold electrolytes and compare them in regards to handling, performance and reliability of the final finish

This study has been supported by a leading global PCB manufacturer allowing representative results and a comprehensive insight into the status of ENIG corrosion at the manufacturing process.

Key Words ENIG, Nickel Corrosion, IPC 4552, Immersion reaction

Field Programmable Gate Arrays (FPGA) allow customers the flexibility to configure devices after they have been manufactured. The demand for higher speed requires higher pin counts to provide greater functionality of the different I/O blocks in optimized FPGA devices. In order to achieve faster speeds, back drilling will be required for finer pitch FPGA PCB designs. Back drilling is the process whereby plated through holes (PTH) are drilled from the bottom of the PCB with a larger drill diameter (i.e. back drill) to a specified depth in order to reduce the stub length for improved signal integrity performance by minimizing interference or signal loss from excess travel length. Current industry back drilling capabilities have supported 1 mm pitches with minimum drill to metal spacing greater than 0.150 mm. For 0.92 mm pitches, signal layers require a 0.050 mm overlap between ground layers in order to avoid crosstalk from adjacent signal layers. Having a 0.050 mm overlap in the design means that the drill to metal spacing will need to be reduced to less than 0.150 mm. This in turn means that primary drill diameters, trace widths, and spaces will also need to scale down. These changes pose manufacturability challenges with primary drill (PD) registration and higher aspect ratios (i.e., PCB thickness/PD = ~5 mm/0.25 mm = 20/1). Reduced spacing compounded with drill registration issues can result in exposed copper, slivers/clipped traces, and layer-to-layer misregistration due to lack of PCB manufacturing experience with these finer pitches. Next generation FPGA platforms will push the limits of the PCB industry’s current capabilities, creating a need to identify and provide solutions to enable future manufacturing technologies for FPGAs requiring 0.92 mm pitch PCB designs. This paper will assess PCB vendor drill registration capability and will also evaluate PCB reliability using electrochemical migration (i.e., conductive anodic filament or CAF) and via reliability (i.e. interconnect stress testing or IST) testing. PCB manufacturing capability will be characterized as a function of back drill-to-metal gap capability. The paper will share recommendations with potential solution paths to enable PCB suppliers on fabrication of reliable 0.92 mm pitch thick PCBs (aspect ratio > 20:1) for FPGA applications.

Emerging Supply Chain Cybersecurity requirements, government acronyms, and actual security. Learn about the current state of mandates such as Cybersecurity Maturity Model Certification (CMMC) and its impending impact on Supply Chain Security. Equally as important, learn how to achieve Cybersecurity Maturity Model Certification on a limited budget, improve your security, and ensure both operational (OT) environments are protected while your IT systems are evaluated for certification.

Industry and government are reacting to cybersecurity threats through new policies and regulations, both at a state, federal, and international level. Companies are requiring that their supply chains have procedures in place to address cybersecurity. Industry standards, like IPC-1791, are being incorporated into supplier qualification requirements. The US government has several initiatives based on our National Security and economic interests that are focused on what is being referenced as "controlled unclassified information". Federal acquisition regulations, both in civilian and defense markets, are including requirements like Cybersecurity Maturity Model Certification as well as NIST SP 800-171 and 800-172, to mandate conformance to specific cyber-security requirements. This session will focus on providing insight into the current state of these current or emerging regulatory requirements, their applicability to the markets that IPC members represent, and some of the approaches one can take to achieve certification on a limited budget while improving security for both IT and OT environments. Regarding some of the approaches, this discussion will include cloud based approaches, and lessons learned, to help provide insight into actionable steps an organization can take to affordably improve security while working to achieve compliance.

This paper presents the concerns on trustworthiness for printed circuit board (PrCB) design, fabrication, and assembly sources for national defense systems, specifically products on the United States Munitions List (USML) that are vulnerable to theft, tampering, and supply disruption.

Trustworthiness is defined and the implementation of a new industry standard, IPC-1791 Trusted Electronic Designer, Fabricator and Assembler Requirements, is presented. The flaws of DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting are also outlined, including the lack of oversight, the absence of third-party certification, and the use of a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in lieu of full compliance.

In light of these concerns, this paper illustrates how the Cybersecurity Maturity Model Certification (CMMC) can solve these problems, specifically focusing on CMMC Level 3 as this level is required for contractors handling Controlled Unclassified Information (CUI). The parallels between CMMC Level 3 and NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations requirements are also discussed.

While focusing on the positive attributes of CMMC, this paper also examines the challenges that CMMC may cause. Studies have found that even without the added costs of CMMC, many small companies struggle to absorb the cost of some NIST SP 800-171 requirements. The additional financial challenge of CMMC for smaller companies could result in DoD and primes loosing critical suppliers who choose not to be certified. Prime contractors have the benefit of a cost allowance, but this does not flow down to the small companies who are competitively bidding on PrCBs or assemblies at a fixed unit price.

This slide show discusses the cybersecurity risks associated with network integration.  The supply chain is the most vulnerable, especially sub suppliers.  A particular risk is when bad actor suppliers build in controlling components by changing the Gerber file.  This allows worms to infiltrate sensitive networks.  The number of threats are increasing and the DoD has been taking steps to enforce security on it's suppliers. Remote diagnostics and automation also increases the scope of vulnerability.

Current policies and regulations intended to protect supply chains from cyber threats, especially the supply chain to the US DoD, have proven ineffective. Nearly $1 trillion in intellectual property and controlled unclassified information (CUI) is stolen very year by foreign adversaries. The “who” it is being stolen from is you, whether you know it or not. Suppliers and sub-contractors, according to DoD Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, are the Achilles heel of national security. [need reference]

In response, both government and industry are taking action that will impact your business. Cybersecurity Maturity Model Certification (CMMC), a new US DoD regulation will affect companies beginning in 2021. [need reference] CMMC places new mandatory requirements on every organization participating in the supply chain to the DoD, whether contractor, subcontractor, or supplier. In parallel, Industry is increasingly looking at its supply chain through a risk lens, seeking to control the amount of risk they are willing to accept. For suppliers, this means compliance continues to be necessary but may no longer be sufficient. CMMC is envisaged as a global initiative that will move beyond DoD to commercial supply chains and service industries. This paper will describe the shortcoming and impact of current policies and regulations and contrast them with emerging regulations like CMMC. It will detail the process and timeline for CMMC’s role out; describe CMMC’s different certification levels and how to determine which will be required of your organization; explain the certification and re- certification processes; and provide a list of helpful resources.

Every company today is threatened – present company not excluded. CMMC is a call to action and organizations needs to be acting now.

Published stories in 2015 of a maliciously altered server motherboard have made clear that the circuit board is vulnerable to hardware attacks. To demonstrate their vulnerability, a circuit board's Gerber file was edited to show how easily a component could be added to a design that would make the system vulnerable to attack, either by logging data or by inserting false commands on a control bus. Importantly, this component was added after the schematic and layout had been completed, emulating the behavior of a bad actor who wanted to make unnoticed changes to a complete design. The "before" and "after" designs can be compared to see the extent to which such an attack would be likely to go unnoticed, and highlight the vulnerability of board design files once they have exited the company that designed them. A secure and reliable supply chain must take this type of possible attack into account.

To counter such attacks, one must consider sources of possible circuit-board alterations, ways that components added to a board could be placed onto the board surreptitiously, and which elements of modern systems are most vulnerable to this type of attack. Previous research in the area of counterattacks will be reviewed.

This paper will discuss from an operational perspective what companies are or aren’t doing now and what steps companies can take to secure their overall IT enterprise which will logically help secure their Operational Technology (OT). It will address the need for all businesses to think about cyber security; what actions are needed to secure their systems; how the U.S. Government (lead by the Department of Defense (DoD)) is requiring compliance to specific cybersecurity standards (NIST 800 series & Cybersecurity Maturity Model Certification (CMMC)); how well companies are doing from SeraBrynn’s perspective from the field; and what actions can be taken by companies to secure their systems and be compliant. The goal of the paper is for the participants to understand the potential threats to their company and customers, what standards they could he held accountable, and some specific actions they can take to enhance their company’s cybersecurity posture.

High Density Interconnect (HDI) Printed Circuit Boards (PCBs) and assemblies are essential to allow space projects to benefit from the ever-increasing functionality of modern integrated circuits. The European Space Agency (ESA) in collaboration with its industrial partners have been updating their standards for PCB design, qualification, and procurement, which also include advanced PCB technologies such as microvias. Results from a wide range of microvia reliability testing have been obtained, which include modelling, assembly simulation, chamber thermal cycling, current induced cycling, and various other accelerated coupons tests.

In complement to the efforts on design, testing and modelling of various microvia configurations, the manufacturing processes have been reviewed in-depth as a result of weak microvia failures. This has been done in close collaboration with qualified PCB manufacturers and their chemistry suppliers. Corrective actions and various other recommendations have been listed in microvia process guidelines [1]. This can also be used for conducting a process audit with a level of detail that is still appropriate for general engineers without detailed chemical background. This paper presents the content of these microvia process guidelines, with the intention to provide support for the review of these complex processes.