Faulty Processes Can Be Expensive And Put Your Ability To Export At Risk
By Odyssey E. Gray, III, Associate, FD Associates, Inc.
A successful and lawful export should be the product of a series of internal processes conducted by persons responsible for trade compliance that help determine/answer pertinent and relevant questions concerning the export. Exporters should be sure to continually review and evaluate internal processes for compliance to the various export regulations.
A baseline starting point is for exporters to be able to answer certain questions about each transaction:
- Who? – who are you doing business with? Who are the other parties in the transaction?
- What? – what is the commodity and associated export controls?
- Why? – what is the end use?
- Where? – where is it going?
Failure to address any one of these things can lead to an unlawful export with negative ramifications ranging from civil penalties such as fines to debarment and imprisonment. It is crucial that exporters have established processes in place to manage compliance requirements with the International Traffic In Arms Regulations (“ITAR”), Export Administration Regulations (“EAR”), Office of Foreign Assets Control (“OFAC”) and Foreign Trade Regulations (“FTR”).
Cryofab, Inc. (“Cryofab”), of Kenilworth, NJ, was recently fined $35,000 by the Department of Commerce, Bureau of Industry and Security (“BIS”), for export transactions that had a total value of $21,570. That’s right, the fines exceeded the value of the transactions. How did this occur? Cryofab exported EAR99 items (liquid helium storage container and accessory; liquid nitrogen storage container and operating tool) as No License Required (“NLR”) to Bhabha Atomic Research Center (BARC), an Indian Department of Atomic Energy entity located in Mumbai, India. BARC is listed as a party on the Department of Commerce Entity List requiring licenses for all commodities exported to BARC. BIS charged Cryofab with failure to screen the Entity List and failure to seek or obtain the licenses required for export.
Had Cryofab conducted a Denied Party List (“DPL”) screening, using either the free government tool, a paid service, or even just reading the EAR at Supplement No. 4 to Part 744, it would have been alerted to the fact that its end user was listed on the Entity List, and Cryofab would have known of the associated licensing requirements under the EAR for this direct hit on the Denied Parties List.
The Entity List in the EAR specifies the license requirements for each listed person or entity. Those license requirements are independent of, and in addition to, license requirements imposed elsewhere in the EAR. Requirements to export, reexport or transfer (in-country) an EAR99 item to a listed entity are specified in the “License Requirement” column of the Entity List. If that column indicates “all items subject to the EAR,” then a license is required to export, reexport or transfer (in-country) the item, even though EAR99 items may be exported to the country of destination as NLR.
Due to its failure to screen parties to the transaction, Cryofab was fined 62% in excess of any profits it may have received for these transactions, and it must pay the fine in a timely fashion to avoid further penalties and interest and the risk of debarment.
Under the EAR, exporters should be mindful of the ten general prohibitions (Part 736) in connection with an export transaction by considering five facts: classification, destination, end user, end use and conduct. Note the questions above center on consideration of these facts. Cryofab’s exports constituted a violation of General Prohibition Five:
“Export or reexport to prohibited end-uses or end-users (End-Use End-User). You may not, without a license, knowingly export or reexport any item subject to the EAR to an end-user or end-use that is prohibited by part 744 of the EAR.”
A DPL screening should be embedded in the export processes/procedures when vetting/analyzing the scope of a proposed transaction. The screening should be completed for all parties to the transaction, not just the end user.
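The screening step described above, as an added example that is not FD Associates' code or any government tool: every party in the transaction (not only the end user) is checked against an entity list, and a hit whose “License Requirement” column reads “all items subject to the EAR” turns an otherwise NLR-eligible EAR99 shipment into one that needs a license. The entity list below is a constructed stand-in for Supplement No. 4 to Part 744; its entries, the party names and the normalization rules are illustrative assumptions.

```python
"""Denied party screening for every party in an export transaction.

Added example, not FD Associates' code or a government screening tool.
ENTITY_LIST is a constructed stand-in for the Entity List in Supplement
No. 4 to Part 744 of the EAR; the real list must be consulted in practice.
"""
from dataclasses import dataclass
import re
import unicodedata


@dataclass(frozen=True)
class ListedEntity:
    name: str
    country: str
    license_requirement: str   # text of the "License Requirement" column
    aliases: tuple = ()


# Constructed entries (assumption: illustrative text, not the official entry wording).
ENTITY_LIST = (
    ListedEntity("Bhabha Atomic Research Center", "India",
                 "For all items subject to the EAR", aliases=("BARC",)),
    ListedEntity("Example Trading Co.", "Country X",
                 "For all items subject to the EAR (see entry)"),
)


def normalize(name):
    """Fold case, strip accents and punctuation, collapse whitespace and a few
    spelling/suffix variants, so screening is not defeated by how a party
    name happens to be written on the order."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^\w\s]", " ", text.lower())
    text = re.sub(r"\bcentre\b", "center", text)
    text = re.sub(r"\b(co|corp|inc|ltd|llc)\b", "", text)
    return " ".join(text.split())


def screen_party(party_name, country=None):
    """Return listed entities whose normalized name or alias appears as a
    whole phrase in the party name. Commercial tools add fuzzy matching;
    this example deliberately keeps the matching rule simple and readable."""
    target = normalize(party_name)
    hits = []
    for entity in ENTITY_LIST:
        if country is not None and country.lower() != entity.country.lower():
            continue
        candidates = [normalize(entity.name)] + [normalize(a) for a in entity.aliases]
        for cand in candidates:
            if cand and re.search(r"\b" + re.escape(cand) + r"\b", target):
                hits.append(entity)
                break
    return hits


def screen_transaction(parties, classification):
    """Screen all parties (role, name, country) and decide whether the Entity
    List adds a license requirement on top of the item's own classification.
    An EAR99 item that could ship NLR still needs a license when a listed
    party's entry covers 'all items subject to the EAR'."""
    result = {"classification": classification, "hits": [], "license_required": False}
    for role, name, country in parties:
        for entity in screen_party(name, country):
            result["hits"].append((role, name, entity.name, entity.license_requirement))
            if "all items subject to the ear" in entity.license_requirement.lower():
                result["license_required"] = True
    return result


if __name__ == "__main__":
    # Constructed transaction modelled on the article's facts.
    parties = [
        ("end user", "Bhabha Atomic Research Centre, Mumbai", "India"),
        ("consignee", "Acme Freight", "India"),
    ]
    print(screen_transaction(parties, "EAR99"))
```

The point of screening every role is that an intermediate consignee or freight forwarder can be a listed party just as easily as the end user; the function therefore reports which role produced the hit so the compliance reviewer knows where in the transaction the problem sits.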
In this instance, the failure to conduct the DPL screening directly cost the exporter significantly more than it could have made on the transaction, far outweighing the cost of the preventive measure of building screening into the company’s processes for quotation, order processing and shipping. Long-term repercussions can include loss of the ability to make future exports, additional scrutiny by government agencies and a sullied company reputation.
Learn from others’ mistakes by ensuring that you have the correct exporter processes in place. In this instance, Cryofab missed the DPL screening step and focused on the where but not the who. The end result (and penalty) reinforces the need for exporters to understand that, with regard to matters of export compliance, it’s in the company’s best interests to be as thorough as possible to avoid penalties such as those described above.
Does Your IT Infrastructure Comply with the Current DoD Rules for Cybersecurity Protections?
The DoD Rules for Protecting Data Generated or Received as Part of Your DoD Contract or Subcontract Go Into Effect in Four Short Months
By: Keil J. Ritterpusch, Esq. – Senior Compliance Associate, FD Associates, Inc.
Over the past few years the U.S. Federal Government has been working to establish a regulatory system to ensure that U.S. companies and individuals who are involved with U.S. Government contracts institute sufficient protections for information that they receive or produce in furtherance of their government contracts. Over this period, there have been numerous proposed rules in the Federal Register by various agencies involved with government contracting and the protection of data pertaining to these government contracts.
On June 18, 2015, the U.S. Government, operating through its National Institute of Standards and Technology (“NIST”), published the first major guidance on the security protocols that persons doing business with the U.S. Federal Government should implement to protect data in which the U.S. Federal Government has a vested interest: NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST SP 800-171”).
The U.S. Department of Defense (“DoD”) then published proposed rules in the Federal Register in August and December 2015 proposing to implement a security system for prime contractors and subcontractors working under contracts with DoD to protect Controlled Unclassified Information (“CUI”). Through the notice and comment rulemaking process, DoD substantially modified its proposal for contractors to protect CUI and in turn directed the NIST to revise the NIST SP 800-171.
What resulted from the revision of NIST SP 800-171 and the 2015 proposed rules for the protection of CUI was a DoD Final Rule, 81 Fed. Reg. 72986, issued on October 21, 2016, and Revision 1 of NIST SP 800-171, published in December 2016. The DoD final rule provided pertinent revisions of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7000 and 252.204-7012, while the revision of NIST SP 800-171 was mainly the insertion of clarifying language.
While this regulatory change was published in October 2016, with NIST SP 800-171 being revised in December 2016, the DFARS CyberSecurity rules go into full effect on December 31, 2017. By this date, only four short months from now, all U.S. DoD Contractors and Subcontractors must have fully implemented the cybersecurity protocols dictated by DFARS 252.204-7000 and 252.204-7012.
A failure to have properly implemented the system is grounds for DoD to void any prime contract held by the entity failing to comply with the DFARS requirement or to any subcontractor to whom DFARS 252.204-7012 has been flowed down.
The key tenets of the DFARS Cybersecurity rules are as follows:
- Contractors MUST establish a system in compliance with NIST SP 800-171 for the protection of “Covered Defense Information” (“CDI”), which is defined as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
  - (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  - (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
- Based on this definition of CDI, the terms CDI and CUI are essentially synonymous. As a result, for the remainder of this article, we refer to the term as CDI/CUI. While there is a minor distinction between what is CUI and what is CDI, the distinction is pertinent more to the US Government and its policies for retaining and protecting data than it is to the contractor community.
- This definition for what contractors MUST protect (CDI/CUI) is extraordinarily broad, as defense contractors and their subcontractors working under contracts with DoD do not need to protect only “export controlled information”, but all other information that is “collected,” “developed,” “received,” “transmitted,” “used,” or “stored” in the performance of a DoD contract or subcontract.
- Extrapolating out the definition for CDI/CUI, it could include, for example, the attendees at a meeting with U.S. Army personnel related to the bathrooms for a new base being constructed – not the technical details related to the effort, but the actual attendees, as the list of attendees (for a meeting that is required for the fulfillment of a contractual obligation to DoD) will have been generated “in support of the performance of the [DoD] contract.”
- CDI/CUI does not need to contain a single piece of data that would be export controlled in order for a pertinent defense contractor who merely possesses the attendee list to be required to have instituted an information security system in furtherance of the NIST SP 800-171 requirements. DFARS 252.204-7012.
- Pursuant to DFARS 252.204-7000(a), contractors must not release any CDI/CUI to “anyone outside the Contractor’s organization, regardless of medium (e.g., film, tape, document), pertaining to any part of [the DoD] contract or any program related to [the DoD] contract” unless the Contracting Officer has given approval or the information is in the public domain.
- As a result, Contractors must establish a system for protecting CDI/CUI from being accessed by persons who do not have the legal authority to access or possess the CDI/CUI. This includes foreign parents and affiliates of US contractors and subcontractors to DoD.
- If the U.S. contractor allows the foreign parent or foreign affiliate to govern its network storage solutions, for example, the U.S. contractor could be unwittingly permitting the disclosure of CDI/CUI to persons without a right to have access to said information – foreign persons no less.
- This is not permissible under the NIST SP 800-171 publication or the DFARS cybersecurity protection requirements.
- A failure to prevent foreign person control/access to a contractor’s IT infrastructure could result not only in a violation of the ITAR or the EAR, if the information managed by the foreign parent or affiliate is export-controlled, but also in sanctions under the DFARS, including the possibility of the contractor losing its contracting privileges with DoD for failing to comply with the DFARS Cybersecurity rules.
- Even more cumbersome for US contractors is that they cannot permit their foreign parents or affiliates to manage their email systems, for the US contractors cannot predict the type of information that will be received by them related to their performance of pertinent DoD contracts – which information would be received by their foreign parent or affiliate in the course of managing the mail servers of the US subsidiary or affiliate.
- If the US contractor permits its mail systems to be administered by foreign persons in any way, the US contractor will not be in compliance with the NIST SP 800-171 and DFARS 252.204-7012 requirement for the protection of CDI/CUI, for the US contractor will be allowing the foreign person to have access to CDI/CUI, including both export-controlled and non-export-controlled information.
- Along these lines, we note that the use of GOOGLE for email or other document creation and storage is not compliant with the DFARS Cybersecurity rules, as GOOGLE has clearly stated that its servers and services are commercial and that GOOGLE uses foreign persons in the management of its Information Technology (“IT”) infrastructure, such that GOOGLE cannot certify that CDI/CUI housed in GOOGLE would only be accessed by US persons on US-based servers.
- Fortunately for contractors and subcontractors, NIST SP 800-171 offers significant flexibility for how the contractors meet the basic and derived security requirements in the policy document.
- NIST and DoD are not concerned with how contractors achieve the security requirements. They do not require any specific technological solution, do not require that contractors purchase (or refrain from purchasing) any particular hardware or software, and do not require that contractors overhaul their existing systems – per se.
- Rather, the requirements of the DFARS rules and the NIST policy document allow contractors to adequately protect CDI/CUI “using the systems they already have in place, rather than trying to use government-specific approaches.” Of course, not all contractors presently have systems in place that can achieve the NIST requirements, and the burden is on the contractor to ensure that it meets its legal and contractual obligations to the government for handling CDI/CUI. Contractors whose work involves CDI/CUI, therefore, should promptly conduct an assessment of their existing systems that effectively:
  - Identifies whether they possess or are likely to possess CDI/CUI;
  - Analyzes their current practices, systems and solutions for protecting that data and monitoring data security to determine if they can meet applicable standards, including, but not limited to, their federal contract(s) clauses, NIST SP 800-53 and NIST SP 800-171; and
  - Develops an effective incident response plan and implements processes for responding to security incidents and mitigating any negative effects of security incidents.
- The NIST SP 800-171 focuses on minimum standards and best practices within 14 “Security Requirement Families” and provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the standards. As “minimum” standards, they set the base against which efforts and requirements are measured; contractors are free to exceed these expectations through heightened efforts. The following is a list of just a few representative requirements for each of the 14 families:
1. Access Control
- Limit information system access to authorized users
- Separate the duties of individuals to reduce the risk of malevolent collusion
- Limit unsuccessful login attempts
- Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
- Require multi-factor account access for system administrators
2. Awareness and Training
- Educate managers, systems administrators and users about security risks associated with their activities and applicable policies, standards and procedures
- Provide security awareness training on recognizing and reporting potential indicators of insider threat
3. Audit and Accountability
- Use automated mechanisms to integrate and correlate audit and reporting processes
- Support on-demand analysis and reporting
4. Configuration Management
- Limit the types of programs users can install
- Control and monitor all user-installed software
5. Identification and Authentication
- Prevent reuse of identifiers for a defined period
- Disable identifiers after a defined period of inactivity
- Enforce minimum password complexity, i.e., “smart passwords”
6. Incident Response
- Develop and test an incident response plan
7. Maintenance
- Ensure equipment removed off-site is sanitized of any CDI/CUI
- Require multifactor authentication to establish nonlocal maintenance sessions
8. Media Protection
- Protect (i.e., physically control and securely store) information system media (paper and digital) containing CDI/CUI
- Sanitize or destroy information system media containing CDI/CUI before disposal or release for reuse
9. Personnel Security
- Screen individuals prior to authorizing access to systems containing CDI/CUI
10. Physical Protection
- Maintain audit logs of physical access
- Control and manage physical access devices
11. Risk Assessment
- Scan for and remediate vulnerabilities in the information system and applications
12. Security Assessment
- Periodically assess and monitor the security controls for effectiveness in their applications
- Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities
13. System and Communications Protection
- Separate user functionality from information system management functionality
- Implement cryptographic mechanisms to prevent unauthorized disclosure of UCTI during transmission
- Control and monitor the use of Voice over Internet Protocol technologies
14. System and Information Integrity
- Update malicious code protection mechanisms when new releases are available
- Identify unauthorized use of the information system
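Several of the Access Control and Identification and Authentication items above (limiting unsuccessful logon attempts, multifactor access for administrators, disabling identifiers after inactivity, password complexity) can be checked mechanically during the self-assessment the article recommends. The script below is an added example, not FD Associates' or NIST's code: it runs those checks over constructed account records. NIST SP 800-171 states the requirements but leaves the thresholds to the contractor, so the attempt limit, inactivity period and password rule used here are assumptions; the requirement numbers cited in comments follow Revision 1 of the publication.

```python
"""Checks for a few NIST SP 800-171 account-management requirements.

Added example, not the firm's or NIST's code. Account records and policy
thresholds are constructed; a real assessment would read them from the
directory service. Requirement numbers follow NIST SP 800-171 Revision 1.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Account:
    user: str
    privileged: bool        # system administrator / privileged account
    mfa_enrolled: bool
    failed_logons: int      # consecutive unsuccessful logon attempts
    last_logon: datetime
    enabled: bool


# Assumed organisational thresholds; the contractor chooses these values.
MAX_FAILED_LOGONS = 5                    # 3.1.8 limit unsuccessful logon attempts
INACTIVITY_LIMIT = timedelta(days=90)    # 3.5.6 disable identifiers after inactivity
MIN_PASSWORD_LENGTH = 12                 # 3.5.7 minimum password complexity


def password_meets_complexity(password):
    """3.5.7: minimum length plus at least three of four character classes.
    The rule itself is an assumption; NIST leaves the specifics to the contractor."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_PASSWORD_LENGTH and present >= 3


def assess_accounts(accounts, now):
    """Return (user, requirement, finding) tuples for every enabled account
    that fails a check; an empty list means the sample passes these checks."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled identifiers need no further action here
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.user, "3.5.3",
                             "privileged account without multifactor authentication"))
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            findings.append((acct.user, "3.1.8",
                             f"{acct.failed_logons} consecutive failed logons; lock the account"))
        idle = now - acct.last_logon
        if idle > INACTIVITY_LIMIT:
            findings.append((acct.user, "3.5.6",
                             f"inactive for {idle.days} days; disable the identifier"))
    return findings


# Constructed sample directory extract.
NOW = datetime(2017, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", False, False, 1, NOW - timedelta(days=3), True),
    Account("root-admin", True, False, 0, NOW - timedelta(days=1), True),
    Account("contractor-old", False, True, 7, NOW - timedelta(days=120), True),
    Account("retired", False, False, 0, NOW - timedelta(days=400), False),
]

if __name__ == "__main__":
    for user, requirement, finding in assess_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{user}: {requirement}: {finding}")
```

Run on the sample, the script flags the administrator without MFA and the stale contractor account on two counts, and says nothing about the already-disabled identifier. Each finding carries the requirement number so it can be carried straight into the plan of action called for under Security Assessment.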
Beyond the specific requirements for protecting CDI/CUI, the final rule published by DoD includes clarification on the security standards applicable to cloud-computing services and capabilities. Cloud Service Providers (CSPs), when storing or transmitting CDI should meet the Federal Risk and Authorization Management Program (“FedRAMP”) standard for “moderate” compliance, as well as the DFARS Cybersecurity rules’ incident reporting requirement. Contractors should note these requirements under the DFARS for CSPs and review their CSP agreements to determine if any revision of the CSP agreements are required to ensure compliance with the DFARS Cybersecurity rules.
With regard to reporting requirements under the DFARS Cybersecurity rules, DFARS 252.204-7000(c) imposes a requirement on contractors (and CSPs) to notify DoD at http://dibnet.dod.mil, using a “Medium Assurance Certificate” obtained from DoD (http://iase.disa.mil/pki/eca/Pages/index.aspx) to secure the notification, when the contractor:
… discovers a cyber incident that affects covered contractor information systems or CDI residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.
The contractor must conduct a review for evidence of compromise of CDI, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information systems that were part of the cyber incident, as well as other information systems on the contractor’s networks that may have been accessed as a result of the incident, in order to identify compromised CDI or systems that affect the contractor’s ability to provide operationally critical support.
While DFARS 252.204-7000(c)(ii) provides that contractors shall issue secure cyber incident reports to DoD at the web address above rapidly (i.e., within seventy-two (72) hours of discovering the cyber incident), it is not clear that a contractor is required to issue a full cyber incident report in this 72-hour period. As significant forensic work is often required to perform the full investigation dictated by DFARS 252.204-7000(c), we recommend the filing of a preliminary report with DoD within 72 hours of discovering a cyber incident, with a full report to follow in a reasonable period of time, or as is expressly directed by DoD.
In parallel with the filing of the cyber incident report to DoD, we recommend that the contractor file an Initial Voluntary Disclosure with the Department of State’s Directorate of Defense Trade Controls (“DDTC”) if any ITAR technical data was or may have been accessed in the breach as well as an Initial Voluntary Self-Disclosure with the Department of Commerce’s Bureau of Industry & Security (“BIS”) if any EAR technology was or may have been accessed in the breach.*
Presentation of DSP-61 and DSP-73 Licenses For CBP Decrementation No Longer Required
By Odyssey E. Gray, III, Associate, FD Associates, Inc.
Pursuant to a Final Rule issued in the Federal Register (Public Notice 9811, 82 FR 15, January 3, 2017), with an effective date of December 31, 2016, exporters are no longer required to present their DSP-61 Temporary Import and DSP-73 Temporary Export licenses to Customs and Border Protection (“CBP”), prior to export or import, to facilitate the physical decrementation of the licenses for the hardware that is the subject of the authorization. The decrementation is now electronic in the Automated Commercial Environment (ACE), in the same manner as when exports of hardware are made under authority of a DSP-5 Permanent Export license.
This action supports an Executive Order and the SAFE Port Act which called for electronic submission of data by businesses to import or export cargo. This rule was actioned by the Directorate of Defense Trade Controls (“DDTC”) amending the ITAR pursuant to implementation by CBP of the International Trade Data System (“ITDS”). This system permits exporters and importers to electronically submit the data referenced above.
DSP-61 and DSP-73
Exporters require, from time to time, the ability to temporarily import or temporarily export ITAR-controlled or ITAR regulated hardware into and from the United States for several types of business activities. The DSP-61 and DSP-73 are the licensing vehicles used by DDTC to authorize these activities.
Temporary imports may be required, for example, to allow a business to conduct activities such as product demonstrations to potential customers, to participate in trade shows or to provide a manufacturing process to a foreign produced defense article. The DSP-61 is the licensing vehicle to facilitate this.
Temporary exports may be required for many of the same reasons – marketing, trade shows or temporary use abroad to support a particular activity. The DSP-73 is the licensing vehicle used for this purpose.
As part of its national security responsibility, DDTC must oversee the transfer of ITAR controlled or ITAR regulated commodities to ensure that U.S. controlled technology and hardware is not provided to unauthorized parties or entities. DDTC’s licensing system is critical to the success of this objective.
Previously, when a temporary export or import was made against either an approved DSP-73 (export) or DSP-61 (import), exporters had to physically present their respective authorization to CBP so that the license could be pen and ink “decremented.” This decrementation (marking the license, e.g., date, description, initial of the CBP personnel) was CBP’s physical verification that what was authorized to ship was being exported or imported. CBP would decrement (verify) the temporary export or import license for the item(s) listed on the license when transiting a specific port.
While this manner of decrementation was effective in accomplishing the goals of DDTC in tracking the transit of ITAR controlled or ITAR regulated hardware in and out of the United States, it put an enormous burden on exporters and CBP in terms of managing the logistics of the movement of the actual hardware as well as coordinating delivery of the paper license for decrementation. Copies of the original license were not acceptable for decrementation purposes and, thus, were non-compliant with the ITAR. A lack of pre-coordination with a freight forwarder at the port of entry or departure could lead to enormous difficulties and, on occasion, administrative violations of the ITAR.
Electronic Submission is the Solution
The final rule incorporates the use of the Automated Export System in ACE for exports against DSP-61s and DSP-73s to electronically decrement the DSP-61 or DSP-73, while using the import portal within ACE for imports against DSP-61s and DSP-73s. As a result, the DSP-61s and DSP-73s are now automatically decremented by ACE import entries and AES Electronic Export Information (EEI) submissions in ACE.
With the elimination of the need to present DSP-61 and DSP-73 licenses for decrementation, consistent with the goals of the referenced legislation, exporters will likely manage more efficient operations in connection with their temporary export and temporary import licensing requirements.
Exporters’ recordkeeping requirements remain intact, and, in fact, the weight of those responsibilities may have increased a notch or two, as expectations for complete import records are added to the export records generated from AES in ACE. As an example of the more stringent requirements, exporters must ensure that complete PGA Message Set information is included as part of their electronic filing for imports. The PGA Message Set includes information such as License / Exemption type, the DDTC Registration number, and the Anticipated Arrival Date. You will need to ask your freight forwarder not only for your complete AES record for exports, but also for the ACE filing for imports, including screen shots of the actual PGA Message Set information.
The upside is exporters no longer have to be concerned with returning original licenses appropriately decremented to DDTC per ITAR 123.22, just like the DSP-5. Nor do they need to worry about a shipment departing over the weekend not properly clearing CBP.
DDTC’s duties to track ITAR-controlled hardware have not lessened, nor has the exporter’s duty to exert due diligence in connection with its export practices. Changes such as these, however, may result in better controls and management of controlled commodities being temporarily imported and exported.
Post Script Update
An astute reader pointed out that transactions involving the use of a carnet document (duty relief for certain countries, including the U.S., when hardware is for demonstration/marketing purposes) are not eligible for this procedure, and the temporary licenses must still be presented to CBP for endorsement at the time of import into the United States and export from the United States.
Additionally, readers should be aware that although the ITAR was amended to no longer require the presentation of the DSP-73 or DSP-61, not all ports are following the new requirements. Thus, while you can tell CBP that presentation for pen and ink decrementation is not required, you should remain prepared to present the license if requested by CBP.
POTENTIAL FOR FORFEITURE OF ELECTRONICS IN CERTAIN MIDDLE EASTERN COUNTRIES
As you may be aware, the Trump administration levied a restriction on electronics to be carried on board from certain airports in the following cities and countries in the Middle East:
- Kuwait City, Kuwait
- Riyadh and Jeddah, Saudi Arabia
- Dubai, United Arab Emirates
Travelers may also experience issues in the above listed airports when in transit, if required to clear customs in that country.
FD Associates has learned of a situation that occurred recently where in-transit U.S. travelers at the Abu Dhabi airport clearing U.A.E. Customs were required to forfeit all electronics when travelling to the United States. This includes laptops, iPads, tablets, cell phones, and batteries from e-cigarettes. It is not clear if this action of forfeiture was in connection with the U.S. restriction on electronic carry-on items on flights bound to the United States from the above countries.
Exporters may travel with electronics that store ITAR- or EAR-controlled data. Although both sets of export regulations provide exemptions for travelers and their personal use of such data, there is no exemption for the forfeiture of your electronic device to a foreign government: the forfeiture is an export.
Should you be required to forfeit your electronics with export controlled or government data on your devices, you have an obligation to notify DOS, BIS and/or DOD of any controlled or government owned data or hardware forfeited. It is our understanding that DOD has recommended persons subject to forfeiture of government owned or issued electronics destroy the electronics before forfeiting.
Travel routes should be carefully planned for future travel, and arrangements to store your electronic devices with shipped luggage are recommended if your travel includes any of these destinations, assuming that the forfeiture applies only to carry-on items and not to checked luggage as well. We recommend that all travelers with U.S. Government issued electronics verify with their customer the protocol to be used if they encounter such a situation.