US Department Of Commerce Publishes Rules That Greatly Expand The Requirement For Obtaining EAR Licenses

By:  Keil J. Ritterpusch, Senior Compliance Associate, and Jenny Hahn, President

On April 28, 2020, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) published two new final rules and one proposed rule to the Export Administration Regulations (“EAR”) which substantially affect U.S. exporters of goods to China, Russia, and Venezuela.  In general, the rule:

  • Broadens license requirements in EAR Section 744.21 to apply to military end users in China and expands the scope of items in the List of Items Subject to the Military End-Use License Requirement of Section 744.21 (Supplement No. 2 to Part 744);
  • Adopts a license review presumption of denial in Section 744.21(e);
  • Broadens the definition of “military end use” by expanding the definition to include any item that supports or contributes to the operation, installation, maintenance, repair, overhaul, refurbishing, “development,” or [emphasis added] “production” of military items;
  • Clarifies the controls on exports of “600 series” .y and 9x515.y Export Control Classification Numbers (“ECCNs”) to China, Russia, or Venezuela by relocating them from Section 744.21 to the License Requirements sections of each ECCN;
  • Designates regional stability (“RS”) as the reason for control of these items; and
  • Expands Electronic Export Information (“EEI”) filing requirements for exports to China, Russia, and Venezuela.

The regulatory change that will affect the greatest number of exporters is the requirement to file EEI for all exports to China, Russia, and Venezuela regardless of value (or end use or end user) of products on the EAR’s Commerce Control List (“CCL”) and to provide the correct export classification on such EEI submissions.  The EEI filing requirement for EAR99 items, which are by definition not included on the CCL, remains the same:  EEI submissions are required for exports of EAR99 items only when the value of the export is $2,500 or more per Harmonized Tariff Schedule (“HTS”) code on the EEI.  We believe the consequence of this regulatory revision is even more widespread than the expanded requirements for obtaining export licenses (and the presumption of denial) for exports to military end uses and military end users in China, Russia, and Venezuela.

The following are some of the key points for exporters related to the regulatory changes:

EEI Submissions for ALL Exports to China, Russia, and Venezuela (Except EAR99 Items):

Effective June 29, 2020, exporters will need to file EEI submissions in the Automated Export System (“AES”) portal within the Automated Commerce Environment (“ACE”) website – ace.cbp.dhs.gov – for ALL exports of items listed on the CCL to China, Russia, or Venezuela regardless of value, end use, or end user.  Prior to this final rule being published (82 FR 23459), exports that were designated as No License Required (“NLR”) did not require the filing of EEI unless the value of the export transaction was $2,500 or more per HTS code.  Now, only EAR99 items below the $2,500 threshold do not require EEI submissions, per FTR Section 30.37(a).

Correct Export Classification is Required for ALL Exports to China, Russia, and Venezuela:

In addition to requiring EEI submissions for ALL exports of items on the CCL to China, Russia, or Venezuela, the new rule provides that exporters must include the correct Export Control Classification Number (“ECCN”) for each item listed on EEI for exports to China, Russia, and Venezuela.  This new requirement underscores the responsibility U.S. exporters have to correctly classify the products they export.

Currently, for exports to China, Russia, and Venezuela, exporters may state on export documents and in the EEI filing (when required by the EAR) that their products are No License Required (“NLR”) – citing license code “C33” on the EEI.  These exporters were not required, by either the EAR or the Foreign Trade Regulations (“FTR”), to provide the exact export classification of the items being exported if the products do not require a license.

Going forward, exporters should not assume that their products that were classified as “NLR” are classified as EAR99 items.  Over the years we have encountered many instances where exporters have believed that “NLR” means “EAR99”.  While all EAR99 products are, in fact, NLR to all worldwide end users, except prohibited end users and sanctioned countries, “NLR” is not an export classification.  “NLR” is a conclusion under the EAR that results from first determining the export classification, then reviewing the reasons for control for export of products under the ECCN, and, then, determining that No License is Required for the export.  Only after establishing the proper ECCN can one arrive at a conclusion of “NLR”.

It would be a grave mistake for a U.S. exporter to unilaterally state that its products are EAR99 after June 29, without first revalidating the export classification for any export to China, Russia, or Venezuela, because misstatements of export classification on an EEI and failure to file EEI each subject the exporter to a $10,000 fine per violation under the FTR.  Exporters must perform appropriate export classification analysis to avoid substantial risk of misclassification.

Export Licensing is Required for Exports of Most Commodities to China, Russia, or Venezuela Where The End Use is Military or End User is Military … With Presumption of Denial of Said Licenses:

The EAR now requires an export license to be obtained prior to exports to China, Russia, and Venezuela of items that are currently only restricted to terrorism supporting countries under Anti-Terrorism (“AT”) controls of the EAR, when the export is to a military end user or for a military end use.  Moreover, there is an express policy of denial for such export license applications.

Products falling under the following ECCNs will require licenses for export to military end users and military end uses in China, Russia, and Venezuela beginning June 29, 2020:

  • 3A991,
  • 3A992,
  • 3A999,
  • 4A994,
  • 4D994,
  • 5A991,
  • 5B991,
  • 5A992,
  • 5D992,
  • 6A991,
  • 6A993,
  • 6A995,
  • 6A996,
  • 7A994,
  • 8A992, and
  • 9A991.

Beyond the broad expansion of the products that require a license for export to military end uses and military end users in China, Russia, and Venezuela, the new rules also greatly expand the definition of what is a “military end use”.  The new definition is so open-ended that FD Associates would not be surprised to see BIS issue clarifying Frequently Asked Questions (“FAQs”) or narrow the definition before the new rule goes into effect on June 29, 2020.  Under the new rule, any product that is exported that supports or contributes to the operation, installation, maintenance, repair, overhaul, refurbishing, “development,” or [emphasis added] “production” of any military item is a “military end use”.  There is no limitation for products that are for use both for non-military end uses and military uses.  So, for example, if software that is controlled under ECCN 5D992 – having encryption built-in, but being available for export on a “mass market” basis – is used in China to aid a Chinese company that manufactures both military aircraft parts and commercial aircraft parts, it is arguable that the software would be for a “military end use” under the revised rule.

Recommendations for Exporters:

Potential concerns for exporters arise in product misclassification and failure to conduct appropriate due diligence when conducting business with China, Russia and Venezuela.  While both product classification and transactional due diligence are core tenets of a company compliance program, exporters are on notice that the government is watching and the risks of export violations, government queries, inspections, detentions, seizures, and fines are substantially magnified for transactions involving China, Russia and Venezuela.

In light of the substantial increase in potential liability for exporters, FD Associates, Inc. strongly encourages all exporters who export products to China, Russia and/or Venezuela to evaluate all products that they have self-classified as EAR99 and revalidate the export classification per the Order of Review in the EAR, before exporting to China, Russia and/or Venezuela.

FD Associates, Inc. also recommends that exporters perform added due diligence, including the collection of detailed end use and end user statements and associated research and screening of the end users and end uses of their products in China, Russia, and Venezuela, to validate the actual end users and end uses.  This is especially critical, as a significant percentage of US exports to China, in particular, do not go to the end user or directly to the end use, but instead go through a distributor or a re-seller.  Since exports of otherwise NLR products that are for end use by military end users (or parties on behalf of them) or are for “military end uses” in these countries now require a license from BIS, it is imperative that exporters have a sufficient “paper trail” related to the end users and end uses of products they sell to China (as well as Russia and Venezuela).

To speak to FD Associates, Inc. about the new rules for exports to China, Russia, and/or Venezuela, please call (703) 847-5801 or send an email to info@fdassociates.net.

DDTC Announces New Policies And Changes Affecting ITAR Registrations, Licensing, Part 130 Reporting, And DDTC Management

COVID 19 has impacted our daily lives. DDTC is no exception. Between the DECCS rollout and COVID 19 telework, DDTC is impacted and has responded with the following policies and changes intended to aid industry and ease the burden on exporters that may be hampered during this period to make filings in accordance with the ITAR timelines or existing export authorizations.

Registrations

  • Effective March 13, 2020, a temporary suspension of the requirement in ITAR Parts 122 and 129 to renew registration as a manufacturer, exporter, and/or broker and pay a fee on an annual basis by extending ITAR registrations expiring on February 29, March 31, April 30, May 31, and June 30, 2020 for two months from the original date of expiration.
  • DDTC is also pursuing a one-time temporary reduction in registration fees for certain categories of DDTC registrants. More information on any change will be provided on DDTC's website.

Voluntary disclosures

  • Voluntary Disclosures can be filed electronically to DTCC-CaseStatus@state.gov
  • DDTC Compliance is now granting an additional 30 days for responses to its request-for-information letters related to voluntary and directed disclosure matters. DDTC Compliance is also considering extensions for the submission of full voluntary disclosures on a case-by-case basis. Extension requests should be sent via email to DTCC-CaseStatus@state.gov on company letterhead in PDF format.

Licensing

Validity period of export licenses

  • Effective March 13, 2020, a temporary suspension, modification, and exception to the limitations on the duration of ITAR licenses contained in ITAR Parts 120-130, including but not necessarily limited to ITAR §§ 123.5(a) (temporary exports), 123.21(a) (duration of licenses), and 129.6(e) (validity of brokering approval), to extend any license that expires between March 13, 2020, and May 31, 2020, for six (6) months from the original date of expiration so long as there is no change to the scope or value of the authorization and no Name/Address changes are required. This six (6) month extension is warranted in light of the unique challenges applicants face in the current environment when attempting to coordinate with U.S. and foreign business partners regarding the scope of applications.

Note: this extension is automatic and requires no action by the license holder

Remote work by company and long term contract employees defined by ITAR 120.39

  • To support remote work in this extraordinary period, effective March 13, 2020, a temporary suspension, modification, and exception to the requirement that a regular employee, for purposes of ITAR § 120.39(a)(2), work at the company's facilities, to allow the individual to work at a remote work location, so long as the individual is not located in Russia or a country listed in ITAR § 126.1. This suspension, modification, and exception shall terminate on July 31, 2020, unless otherwise extended in writing.

Remote work by regular employees (ITAR 120.39) of foreign signatories to TAAs/MLAs or ITAR exemptions

  • Effective March 13, 2020, authorization for regular employees of licensed entities who are working remotely in a country not currently authorized by a TAA, MLA, or exemption to send, receive, or access any technical data authorized for export, reexport, or retransfer to their employer via a TAA, MLA, or exemption so long as the regular employee is not located in Russia or a country listed in ITAR § 126.1. This suspension, modification, and exception shall terminate on July 31, 2020, unless otherwise extended in writing.

Paper filings with DDTC, adjudication of filing will be emailed to the applicant

  • DDTC is implementing new procedures and will send to the contact listed on the application email scans of final action letters for General Correspondence requests submitted in writing. If email information was not provided, final actions will continue to be mailed back to the applicant.
  • DDTC is implementing new procedures and will send to the applicant email scans of unclassified final action letters for DSP-85s submitted in writing. If email information was not provided, final actions will continue to be mailed back to the applicant. The Defense Counterintelligence and Security Agency (DCSA) will continue to receive original sealed copies through the mail.

Note: Approvals for DSP-5, DSP-61, DSP-73, and TAAs/MLAs/WDAs are in DECCS, DDTC's electronic portal, and can be retrieved via DECCS.

Expedited requests for licensing in support of U.S. Operations

  • DDTC is re-issuing guidance for the expedited authorization of requests submitted in support of U.S. Operations (USOP) at DTCL SOP - USOPS Guidance. Refer to the DDTC website

DDTC to file Congressional Notifications electronically

  • In coordination with Congress and DOD, DDTC has moved to electronic submissions of Congressional Notifications of proposed Direct Commercial Sales (DCS) and Foreign Military Sales (FMS) to the Congress.

Other

  • DDTC is leveraging updated staffing protocols to ensure streamlined interagency licensing reviews.

Part 130 Reporting

Updated information re: points of contact

  • To facilitate timely responses to inquiries from the public and regulated industry, DDTC has added additional points of contact on the Key Personnel tab of the About DDTC page on the DDTC website, and additional staffing and IT resources have been added to its Response Team and Help Desk functions.

DECCS Is Here!

Don’t Panic, Just Enroll

If you are registered as an exporter or manufacturer of defense articles with the Department of State, Directorate of Defense Trade Controls (“DDTC”), you have by now probably noted reference to “DECCS”, the Defense Export Control and Compliance System, either on the DDTC website or in correspondence from or with DDTC.

Do you know what DECCS is?

More importantly, do you understand your responsibilities with DECCS today?

DECCS is DDTC’s new electronic portal for Export Licensing, Registration, Commodity Jurisdictions, Advisory Opinions, Retransfer Requests and in the future for Voluntary Disclosures.

DECCS is born out of DDTC’s IT Modernization effort which began almost five years ago. After much testing, discussion and work, all of which is still underway, DECCS will formally deploy on Tuesday February 18, 2020.  Per DDTC, DTrade will cease to be available as of 6 PM EST February 14, 2020.

Don’t worry! All registrant information, licensing and digital certificate information tied to your company registrant’s registration code will be migrated to your account in DECCS. NOTHING will be lost.

If you have a valid ITAR registration with DDTC, you need to enroll in DECCS to continue your ITAR licensing or registration activities.

Over the last few weeks DDTC has contacted all registrants and holders of digital certificates via a 3rd party (OKTA) about registering in DECCS. Upon reviewing the email, you will find your user ID for DECCS and a link to start your enrollment process in DECCS.

Unfortunately, as the email did not come from DDTC, but rather OKTA, and references an application program “MyApps”, many exporters have either believed it is junk/spam and deleted it or the email was automatically filtered to junk/spam.

To add some more bad news, the window to register using the link in the email was only 7 days from the date OKTA sent it.  This means if you cannot find the email and have not actioned it by the time you are reading this communique you will have missed the window to respond.  Do not fear! You can easily resolve this problem by contacting the DDTC DTrade/DECCS Help Desk and requesting that the email be resent.  See email addresses below to make this request.

So now that you have completed step 1 and you're on the DECCS enrollment page, what comes next?

You will provide your user ID and first/last name and phone number.

Click Enroll!

You then will get a notification on the DECCS page that an email is forthcoming from OKTA to complete the DECCS enrollment.

The second email from OKTA will prompt users to create a password and provide a phone number to enable two-factor authentication for access to DECCS through the DECCS portal.

Now you are all set… almost! Like any IT system, conduct validation testing.

Log in and see the two-factor authentication process work.

Once complete, you will be able to log into the DECCS portal and conduct business with DDTC, whether it is managing your account and users, preparing or tracking license status, or filing registrations.

And the good news is, all licenses submitted in DTrade prior to the conversion will continue to process, as will any registrations that have been submitted. When complete, they will be issued in DECCS.

The phone numbers to call DDTC and request resending of the initial email are 202-663-2838 or 202-663-1282.  To submit requests to DDTC via email, we recommend submitting to the following:

deccspmddtc@midatl.service-now.com; DDTCResponseTeam@state.gov; and dtradehelpdesk@state.gov.

Traveling With Electronic Devices – Are You Ready?

By Odyssey E. Gray, III, Associate, FD Associates, Inc.

Today’s world is a “smart” world, a world of various electronic devices that provide ever expanding connectivity and access.  As a result of this age of “connectivity,” employers may require their employees to travel internationally, conducting business on their behalf while carrying electronic devices with them.  What if your business involves ITAR controlled products?  Will you receive or hand-carry ITAR regulated technical data on laptops, smart phones or other electronic devices?  Are you remotely logging in to your company server while abroad to access ITAR regulated technical data?  Are there controls in place to protect this data from being accessed by foreign persons while you are abroad?  Is the ITAR technical data being accessed for individual use without further export, or, will you share the ITAR regulated technical data with foreign persons?  Most importantly, does your company understand the authorizations required to allow the export of ITAR technical data on devices being carried internationally? Any export of ITAR controlled technical data requires ITAR authorization for the export.

What if the data being carried internationally is not ITAR regulated?  Would this mean no controls and thus, no USG authorization required?  This is a common mistake by many who believe that if the data is not ITAR regulated, it is not export controlled.  In fact, if the data is not ITAR controlled, then it is, or may be, subject to the Export Administration Regulations (“EAR”) and, if subject, the applicable ECCN for the information (technology) will determine whether Department of Commerce approval or EAR license exception is required for its export.

The good news for international travelers is that both the ITAR and the EAR have clear provisions for the license-free export of technical data and technology for employee use abroad under applicable ITAR license exemption and EAR license exception.  The ITAR license exemption is available at ITAR 125.4(b)(9).  The EAR has two applicable license exceptions at EAR Part 740.9 (TMP license exception) and EAR Part 740.14 (BAG license exception).  These authorizations are commonly referred to as “personal use.”

The “personal use exemption” at ITAR Section 125.4(b)(9) authorizes the export, reexport or retransfer of ITAR controlled technical data, including classified information, without a license, by or to a U.S. person, or a foreign person employee of a U.S. person (who has been authorized to receive ITAR regulated technical data under an ITAR DSP-5 employment license) travelling or on temporary assignment abroad for their personal use.

The EAR “personal use exception” at EAR Part 740.9 – TMP (Temporary Imports, Exports, Reexports, And Transfers (In-Country)), authorizes the export, reexport or transfer of EAR controlled technology, without a license, by or to a U.S. person, or a foreign person employee of a U.S. person travelling or on temporary assignment abroad for their personal use.

The EAR “personal use exception” at EAR Part 740.14 – BAG (Baggage), authorizes individuals leaving the United States either temporarily (i.e., traveling) or longer-term (i.e., moving) to take to any destination, as personal baggage, the classes of commodities, software and EAR controlled technology described pursuant to this license exception.  License exception BAG authorizes the export of technology as “Tools of Trade” for use in the trade, occupation, employment, vocation, or hobby of the traveler.  License exception BAG also authorizes the export of encryption commodities and software subject to EI controls, if for personal use.

Once you know where your data falls jurisdictionally, you can cite the proper export authority, contingent upon meeting all of the stated requirements of using either ITAR 125.4(b)(9) license exemption or the EAR license exceptions TMP or BAG.

Both the ITAR and EAR require that security precautions (e.g., encryption of the data; firewalls; use of secure network connections or other access restrictions on the electronic device on which the data is stored, e.g., passwords, etc.) are in place on the electronic device to prevent unauthorized access to the controlled information by foreign persons.

The most secure method for access abroad by an employee is the use of a secure encrypted tunnel into the company server (e.g., secure VPN), whereupon data may be viewed and accessed by the employee who is using either a company laptop / electronic device or a personal electronic device.  All technical data remains on the company server and is not downloaded to the local device, except for viewing in an encrypted window.

If the company provides or allows its employee to use a company laptop or electronic device for hand-carry and use abroad while on travel, the device may already be loaded with ITAR controlled information/files (the hard drive should be encrypted and/or password protected).  The company device should contain software that allows the device to be remotely wiped in case of theft or loss.  The employee must maintain positive control and access of the company device with stored information so as not to allow unauthorized access.  If the employee will not keep the laptop with them, at all times, they should plan to store the laptop in a secure place such as a hotel safe.

The company should have a written travel policy, including written processes and procedures, to provide guidance and instruction to all employees traveling to ensure that all regulatory requirements are met to remain compliant with the export of controlled information to the company employee.

Procedures should exist not only for the use of the applicable ITAR exemption or EAR license exception, but as a means to document the information released, to whom it was released, the manner in which the transfer occurred, as well as information concerning the device used to access/carry the data, whether it be a personal device or company device.

It is recommended that the traveler have a proforma invoice describing the device, the data or software installed, to include, any hard copies of data previously exported, and, the applicable ITAR license, license exemption / EAR license, license exception with them at the time of travel.

In addition to the actual export, the regulations require that records for each export be maintained by the exporter (e.g., description of the technical data that was exported; name of the recipient(s); date and time of export; method of transmission, i.e. facsimile, courier, email, meeting).  The record-keeping requirements that exist for any license approval for exports to foreign parties are the same as those for the use of any ITAR exemption or EAR license exception for exports to employees traveling internationally.

Any exports made beyond the scope of ITAR 125.4(b)(9) or EAR license exceptions TMP or BAG, i.e., not for “personal use,” are subject to the usual export licensing rules under the ITAR or EAR.  In other words, if one seeks to provide controlled data to foreign persons, that export/transfer requires separate authorization, e.g., license approval, ITAR license exemption or EAR license exception.

Fines and penalties for any violation of the ITAR or EAR are applicable, thus, use of these “personal use” authorizations must be within the scope as cited in the ITAR or EAR, respectively.

While these steps might seem burdensome to a small company, did you know that the U.S. Customs and Border Protection (“CBP”) issued a new directive in January of this year (2018) which authorizes and provides guidance to CBP in its procedures for “…searching, reviewing, retaining, and sharing information contained in computers, tablets, removable media, disks, drives, tapes, mobile phones, cameras, music and other media players, and any other communication, electronic, or digital devices…”?  CBP has authority to search the contents of any electronic device leaving or entering the United States at their discretion.  In 2017 alone, CBP conducted 30,000 searches of electronic devices.

CBP searches are authorized to facilitate border security.  In practice, this means CBP may review and/or copy any information on any electronic device, even those items that are encrypted or password protected.  CBP may make copies of any of the information on the device.  If the information is not accessible, CBP may detain or seize the device to ship it off-site for further analysis and to facilitate CBP review of all information therein.

Even information marked as “Attorney-Client privileged” is subject to review and/or copy.  Individuals, however, should alert and advise CBP if such information exists on the device and its status as “Attorney-Client privileged,” so that CBP is aware that this is protected information.  A best practice would be to utilize the same procedures for confidential business information.  Note, however, CBP may not use the electronic device to access information stored remotely.  This directive is applicable only to the information stored on the actual electronic device.

Consistent with CBP policy, no specific cause is needed for CBP to conduct the search of the device.  The directive does instruct that “CBP will protect the rights of individuals against unreasonable search and seizure and ensure privacy protections while accomplishing its enforcement mission.”   Should CBP wish to review your device, you want to be able to provide CBP with evidence you have complied with applicable U.S. export laws.  A copy of a completed traveler form that identifies the device, the applicable ITAR license exemption / EAR license exception, the reason for travel and the information being carried abroad is a good tool to demonstrate to CBP that you have not violated U.S. export laws.

The primary mission of both the ITAR and the EAR is national security and safeguarding U.S.-origin technology.  The regulations recognize that company employees may require the use of export-controlled data to perform work assignments while abroad, thus, the ITAR 125.4(b)(9) license exemption and EAR license exceptions TMP and BAG for “personal use” permit this type of export.

There is one notable exclusion to the use of the ITAR 125.4(b)(9) exemption.  It cannot be used for the carrying of ITAR controlled data to proscribed countries per ITAR 126.1 (e.g., China, Venezuela, etc.).  Therefore, if a person is travelling to China or Venezuela, for example, on business, or even on personal travel, with their company issued device or a personal device that can access company information, they must know that they cannot lawfully carry or access ITAR technical data or EAR 600-series technical data while they are in ITAR 126.1 countries.  Not only is there no applicable exemption under the ITAR or EAR, but there is a policy of denial for exports to these countries.

In today’s “smart” world, businesses should have travel policies and procedures that comply with the exemptions/exceptions available and protect the export of ITAR technical data or EAR controlled technology.  If you need help with developing a travel policy, FD Associates stands by to assist you.

Export Compliance Red Flags

By John Herzo, Senior Associate

Everyone involved in export compliance understands that the cornerstone of corporate compliance is a strong export compliance program. A sign that your export compliance program is functioning properly is the ability of your employees to identify and prevent potential export compliance violations before they occur. One essential tool for an effective export compliance program is employee training on the recognition and remediation of "red flags" in export transactions. The goal of this article is to explain what is meant by "red flags" and the forms in which the "red flags" present themselves in prospective export transactions.

Scenario - Missiles, Inc., of the U.S. (Your Company) received a purchase order from ABC GmbH of Germany for sophisticated missile engine components. Per your company's Export Compliance Manual, Missiles, Inc., performed its due diligence on the new customer ABC GmbH. The due diligence determined the following facts about ABC GmbH:

  • ABC GmbH has no company website;
  • ABC GmbH's purchase order was sent to you via a Gmail email account;
  • ABC GmbH asked if Missiles, Inc., would accept a cash payment for the missile engine components;
  • ABC GmbH's purchase order did not request any ongoing support, which is customary for these products;
  • ABC GmbH is listed on several investment websites as a book store;
  • A Google Earth search identified ABC GmbH at the street address provided and the store front appears to be a book store;
  • Missiles, Inc., ran a denied party screening of ABC GmbH against U.S. Government denied party lists and revealed a hit for ABC GmbH of Germany, but the address is slightly different than the address for ABC GmbH;
  • ABC GmbH asked for the missile engine components to be sent to their freight forwarder in the U.S., and did not note delivery to their address in Germany, but indicated that the freight forwarder should contact ABC GmbH for delivery instructions;
  • Lastly, ABC GmbH refused to provide an end use statement regarding its intended use of the missile engine components.

Let's analyze the information Missiles, Inc., is presented with:

Denied Party Screening

Red Flag - ABC GmbH's address is similar to one of the parties found on BIS', the Office of Foreign Assets Control's ("OFAC") or other U.S. Government agency's denied parties/persons lists.

The existence of this "red flag" means that Missiles, Inc., will need to perform additional due diligence, e.g., research, to confirm that ABC GmbH is not the party on the subject denied party list. This is a difficult "red flag" to overcome, particularly when viewed in conjunction with the other "red flags" explained below. Missiles, Inc., must have persuasive evidence, not merely a statement in writing, that ABC GmbH is an entirely different organization from the listed entity at a different address. As companies who are prohibited from receiving U.S. exports will take significant steps to conceal their "prohibited" status, Missiles, Inc., must conduct extensive due diligence to overcome this "red flag".

End-Use Statement

Red Flag - ABC GmbH refused to provide an end-use statement regarding how it will utilize the missile engine components after Missiles, Inc., requested the end-use statement.

This "red flag" is a very serious one, particularly in light of the sensitive end use and extensive controls applicable worldwide on missile components. Detailed end-use statements are absolutely essential for items like missile components given that the U.S. Government will only approve export to vetted Governmental end users in "friendly" countries. This "red flag" may also present itself in other obvious ways, such as the customer providing limited information on end-use when requested. If the potential customer or purchasing agent understands U.S. export regulations and believes it knows the classification of your product, they may try to tell you that there is no licensing requirement for the export of your product to their country and that, therefore, end-use information is not required. The correct response, per EAR Part 744 or the ITAR (if applicable), is that the U.S. Government prohibits sales of any item if it will be used in nuclear production or any unsafeguarded nuclear facility; or any missile or unmanned aerial vehicle capable of a range of 300km or greater; or any chemical or biological end-use. Thus, your company requires end-use information to rule out the requirement for a license per EAR Part 744.

Product Capability Vs. Customer's Line Of Business

Red Flag - Your due diligence revealed that ABC GmbH is a book store; therefore the product's capabilities (sophisticated missile engine components) do not fit ABC GmbH's line of business.

This is a really impossible "red flag" to overcome. The purchase of sensitive items, like missile components by those not in the same line of business is risky, given the high possibility of diversion to unauthorized end users. The fact that ABC GmbH is a book store was corroborated by Missiles, Inc.'s Google Earth search. As a result, Missiles, Inc. needs additional information for any possibility of overcoming this "red flag".

Technical Level Of End-Use Country

Red Flag - The item ordered is incompatible with the technical level of the country to which it is being shipped.

This "red flag" did not present itself in the scenario above because ABC GmbH is from Germany, a highly technical country with active missile development end users. This type of "red flag" typically presents itself when the due diligence reveals export controlled equipment is being requested for purchase and shipment to a country that has no known capability to field or use the equipment.

Payment In Cash

Red Flag - ABC GmbH asked if Missiles, Inc., would accept cash for the missile engine components. The missile engine components are very expensive and would normally call for financing.

This "red flag" is indicative of an entity not wanting a "paper trail" and a sign of possible diversion. Your company's business development and sales force should be able to identify this "red flag" during sales meetings and contract negotiations.

Payment By Another Company

Red Flag - A secondary party requests to pay for another party's purchase.

This "red flag" did not present itself in this scenario. This "red flag" will present itself during the negotiation of the sale or after the sale has been negotiated, but prior to payment. Typically, a U.S. entity requests to pay for the purchase of a foreign entity. In some cases, the foreign customer / end user is from a proscribed country, such as Venezuela. The payment through another party may be a way to avert economic sanction regulations or to otherwise avoid being a party to a transaction. This "red flag" may implicate compliance issues with the OFAC regulations and the Foreign Corrupt Practices Act.

Little Or No Business Background

Red Flag - The customer has little or no business background.

This "red flag" also did not directly present itself in the scenario above. This "red flag" will typically present itself during the negotiation of the sale. Your company's business development personnel or sales force should be able to identify this "red flag" readily through bid and proposal discussions.

Unfamiliar With Product's Performance Characteristics

Red Flag - The customer is unfamiliar with the product's performance characteristics but still wants the product.

This "red flag" did not present itself in our scenario above. This "red flag" typically presents itself during the negotiation of the sale. Your company's business development personnel or sales force should also be able to identify this "red flag" as performance characteristics are essential for applications like missiles.

Decline Of Routine Installation, Training, Or Maintenance Services

Red Flag - ABC GmbH's purchase order did not request maintenance information or a warranty.

This "red flag" presented itself in ABC GmbH's email that contained its purchase order for the missile engine components. The failure to request installation, training or maintenance support where it is ordinarily requested can be a "red flag" indicating diversion to a prohibited end use as the ultimate end user would be denied the ability to receive this support, as well as the parts. This "red flag" typically presents itself during the negotiation of the sale. Your company's business development personnel or sales force should also be able to identify this "red flag".

Delivery Requirements

Red Flag - Delivery dates are vague, or deliveries are planned for out of the way destinations.

This "red flag" did not present itself in the scenario above. Typically, this "red flag" will present itself during the negotiation of the sale. Your company's business development personnel or sales force should be able to differentiate between vague delivery dates for valid business reasons as opposed to vague delivery dates that are "red flags". Deliveries to out of the way destinations will present themselves during the due diligence phase when your company is screening the potential customer. For instance, the customer's address is in the United Arab Emirates, but they are asking for delivery to Uganda. This is a "red flag" that is often able to be overcome when the purchaser is able to explain the logical reasoning behind its request. This "red flag" will need to be addressed in the export license application as verification of address is important.

Delivery To Freight Forwarder

Red Flag - ABC GmbH requested that the missile engine components be delivered to its freight forwarder in the U.S. and did not state to deliver to ABC GmbH in Germany.

Is this a "red flag"? It is often customary for the foreign customer to identify the freight forwarder if they pay the freight charge. This can be a red flag if the purchase order doesn't direct that the shipment be made from the U.S. directly to ABC GmbH in Germany. In this scenario, the requirement for the freight forwarder to get delivery instructions at a later time is another red flag. Is this a routed transaction, where the responsibility for licensing of controlled exports is placed on the U.S. freight forwarder? If yes, receive and review a copy of their export license before you make delivery to the freight forwarder. This allows you to verify the bona fides of the parties to the export transaction. This "red flag" should be identified by your company's business development personnel, sales force or shipping department, as it is not typical to ship missile engine components to only the U.S. freight forwarder without knowledge of direct shipment to the foreign customer.

Shipping Route

Red Flag - The shipping route is abnormal for the product and destination.

This "red flag" did not present itself in the scenario above. This "red flag" presents itself during the negotiation of the sale and the shipping process. Your company's business development personnel, sales force and shipping department should be able to identify this "red flag". This is a risk of diversion when the product is transported on an unusual route.

Packaging

Red Flag - Packaging is inconsistent with the stated method of shipment or destination.

This "red flag" did not present itself in our scenario above. The "red flag" presents itself during the shipping process. Your company's shipping department should be able to identify this "red flag". This "red flag" often indicates a product will be diverted, and may be used to obfuscate the country of export.

Evasive Customer

Red Flag - When questioned, the buyer is evasive and especially unclear about whether the purchased product is for domestic use, for export, or for reexport.

This "red flag" did not specifically present itself in the scenario above. However, ABC GmbH did refuse to provide an end-use statement, which is a form of evasiveness. This "red flag" may arise during the negotiation of the sale. This is very serious given the strict rules on end use of these types of items. Your company's business development personnel or sales force should also be able to identify this "red flag".

Website

Red Flag - Missiles, Inc.'s due diligence into the bona fides of ABC GmbH revealed that ABC GmbH does not have a company website. While not every company has a website, most companies involved in the use of missile engine components have a website. The failure of your customer to have a website is a "red flag" that your company should perform additional due diligence to determine the bona fides of the customer.

This "red flag" presented itself in the scenario during the performance of Missiles, Inc.'s due diligence. Your company's business development personnel or sales force should also be able to identify this "red flag".

Email Address

Red Flag - ABC GmbH's email to Missiles, Inc., came from a Gmail email account as opposed to an ABC GmbH corporate email account. While not every customer will have a corporate email account, most companies involved in the use of missile engine components have a corporate email account. Your customer's failure to have a corporate email account is a "red flag" that your company should perform additional due diligence to determine the bona fides of the customer.

This "red flag" presents itself at the inquiry stage of the sales process. This "red flag" is easily identifiable by your company's customer service, business development and sales personnel.

Conclusion

With the preponderance of red flags present in this scenario, should Missiles, Inc., proceed with the order? What would your company do?

There can be many different "red flags" to export transactions that should put your company on notice that a given transaction has the potential to lead to an export violation and diversion of goods. It is your company's responsibility to address these "red flags" as they present themselves to different departments within your company from business development to shipping. Having a well-established export compliance program that includes specific departmental export compliance training and specific procedures that include "red flag" alerts and reviews will allow your personnel to identify potentially suspect export transactions and further research them to ensure the transaction is valid before proceeding.

We have utilized the "red flags" published on the Department of Commerce, Bureau of Industry and Security's ("BIS")[1] webpage as a guide for this article.


Violations Of The Foreign Trade Regulations, Easy To Do, Costly To Resolve

By Jenny Hahn, President

Your company exports commodities to locations all over the world. Sometimes you file your own Automated Export System (AES) records and other times your company contracts with freight forwarders to do these filings on your behalf.

Recently your company received a demand letter from US Customs for $10,000 payment of a fine associated with an AES filing that your company made. The demand letter advised that you used the wrong port of export code in the AES filing.

Can you really be fined $10,000 for such a simple error?

The answer is yes.

US Customs and Border Patrol (CBP) has the legal authority via the Foreign Trade Regulations (FTR) to impose fines against companies who report incorrect information in the AES system. (Note: AES is converting to ACE February 28, 2016).

Under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), exporters are obligated to electronically file Electronic Export Information (EEI) regarding their transactions in addition to the requirement in the FTR. Each EEI submission must contain a myriad of information per the FTR, including:

  • The United States Principal Party in Interest (USPPI) – usually the seller in the United States;
  • The USPPI Federal Employee Identification Number (EIN);
  • The address for the USPPI;
  • The Carrier and its Standard Carrier Alpha Code;
  • The Authorized Agent of the USPPI – if the EEI is not being filed by the USPPI;
  • The Ultimate Consignee (Foreign Party) – the Foreign Principal Party in Interest (FPPI);
  • The address for the FPPI;
  • The Intermediate Consignee (Foreign Party), if any;
  • The address for the Intermediate Consignee, if there is one;
  • The Country that you're exporting to;
  • The State of Origin of the export shipment;
  • The Schedule B # for the commodity/commodities being exported;
  • The Commodity Description, quantity, weight, and US$ value (based on sales price);
  • The origin of the commodity (domestic or foreign);
  • The US export classification of the commodity (e.g., USML Category XI(a)(5)(i), ECCN 3A611.a, or EAR99);
  • ITAR specific information related to the commodity, if applicable (i.e., USML classification, DDTC registration number);
  • The License #, code or license exception;
  • The Port of Export;
  • The Mode of Transportation (e.g., Air, Vessel, Ground/Truck);
  • Whether the Export is a “Routed Transaction”; and
  • Whether the Export is between “Related Companies”.

There are different filing timelines imposed in the ITAR versus the EAR and exporters should be aware of the requirements for each.

Companies using AESDirect (where they file the AES record themselves) should have an internal process to verify that the information they file is accurate, since the export will actually take place after the freight leaves the company dock. The exporter, at the time of preparation of the AES record, may not be specifically aware of what the flight or vessel details will be, including what the port of export will be.

The FTR provides exporters with up to 24 hours to correct any of the data fields in the AES filing after the export has occurred.

After that timeframe, any correction to the AES Record could cause CBP to impose a fine of $10,000 on your company per EEI submission. The fine amount can quickly escalate if you have more than one AES violation. To mitigate such penalties, it is recommended that your company file a Voluntary Self-Disclosure (VSD) with the Census Bureau as soon as possible after learning that the company may have submitted erroneous EEI or failed to submit EEI where it was required under the FTR.

Depending on the nature of the AES correction, disclosure to the Department of State or Commerce (BIS Office of Export Enforcement) may also be required.

As noted above, there are many fields that can be completed incorrectly. Audits of shipments where EEI submission was required have resulted in the identification of common errors in the following EEI fields:

  • Port of Exit;
  • License Code;
  • Commodity Classifications under the EAR;
  • Schedule B;
  • Foreign Consignees; and
  • Ultimate Consignees.

And what about not filing AES when you should have? That is a much more complicated and significant issue. Remember, AES is required for all ITAR and 600/500 series ECCNs, regardless of value or destination. *The rules for filing AES on other EAR controlled commodities differ depending on whether you are using a BIS license or BIS license exception, exporting as No License Required (NLR), if the value is below $2,500 and if the destination is in a proscribed country. There is clearly a lot to know about a set of regulations that have the potential to cause significant fines for simple errors.

Performing AES reviews by trade compliance personnel is an important part of your overall compliance program. If shipping clerks in your company are authorized AESDirect users, the shipping supervisor should review within 24 hours after shipment to verify the accuracy of the EEI submitted. Internal Trade Compliance personnel should also make a thorough inspection of the AES data an integral part of their periodic shipment reviews.

Don’t let AES filing errors cost your company big dollars in fines! Ensure your shipping and compliance personnel are properly trained on the FTR requirements and conduct periodic reviews.

*This article doesn’t address OFAC or NRC license requirements for AES filings. However, should you have such exports, ensure that EEI is submitted through AES/ACE.


Bureau Of Industry And Security, Department Of Commerce Final Rule Amendments To The Export Administration Regulations Affecting The Licensing Policy For Cuba

By Odyssey E. Gray, III

The Department of Commerce, Bureau of Industry and Security issued a final rule, published in the Federal Register, effective November 9, 2017, which enumerated amendments to the Export Administration Regulations (“EAR”) in connection with implementation of U.S. policy in accordance with the National Security Presidential Memorandum on Strengthening the Policy of the United States Towards Cuba (“NSPM”), issued under the current administration on June 16, 2017.

The NSPM’s stated goals are “to enhance compliance with United States law; hold the Cuban regime accountable for oppression and human rights abuses; further the national security and foreign policy interests of the United States and the interests of the Cuban people; and lay the groundwork for empowering the Cuban people to develop greater economic and political liberty.”  The NSPM makes limited changes to the historic policy changes towards Cuba enacted under the Obama administration that are intended to benefit U.S. commerce and the citizens of Cuba, not its governmental regime.

It is important to note that the statutory embargo of Cuba remains in place whereby items subject to the EAR are subject to a general policy of denial unless the transactions are eligible for review as provided in Part 746 of the EAR, Embargoes and Other Special Controls.  Specifically, § 746.2(b) provides policy guidance under the EAR with respect to Cuba.

This final rule makes revisions to § 746.2 of the EAR by amending the Note 2 to paragraph (b)(3)(i) in connection with licensing policy for Cuba, amending License Exceptions found at §§ 740.12, 740.19 and 740.21 (Gift Parcels and Humanitarian Donations (“GFT”), Consumer Communications Devices (“CCD”), and Support for the Cuban People (“SCP”)), respectively, of the EAR to conform with the Office of Foreign Assets Control (“OFAC”) amendment which defines what are “prohibited officials of the Government of Cuba,” and revises § 740.21 (License Exception SCP) to further support free enterprise in Cuba.

In accordance with section 3(a) of the NSPM, Note 2 to EAR 746.2(b)(3)(i) clarifies that BIS will deny license applications for export or reexport to Cuba which include certain entities or subentities the State Department identifies on its List of Restricted Entities and Subentities associated with Cuba, also referred to as the “Cuba Restricted List,” unless the transactions are consistent with the policy and criteria specified in the NSPM.  The Cuba Restricted List is now available in the Federal Register and the Department of State website at https://www.state.gov/e/eb/tfs/spi/cuba/cubarestrictedlist/index.htm.

Also in accordance with section 3(a) of the NSPM, sections of the EAR License Exceptions GFT, CCD, and SCP are amended pursuant to the aforementioned OFAC amendment to include certain additional individuals that would be deemed ineligible Cuban government officials which, in turn, would exclude the use of the GFT, CCD, and SCP License Exceptions for exports and reexports to Cuba.

License Exception SCP (§ 740.21) authorizes the export and reexport of certain items to Cuba that are intended to improve the living conditions of the Cuban people; support independent economic activity and strengthen civil society in Cuba; and improve the free flow of information to, from, and among the Cuban people.  Three times since its inception, License Exception SCP has been amended to add additional categories of commodities for export and reexport.

Under this final rule, and to expand opportunities for free enterprise in Cuba pursuant to section 2(d) of the Cuba NSPM, the EAR language identifying specific items, activities and end use activities eligible for License Exception SCP has been simplified and expanded to a single provision that authorizes “the export and reexport to Cuba of items, without specifying types, for use by the Cuban private sector for private sector economic activities.”  Limitations of SCP are crafted to ensure any revenue generated is not to the benefit of the state or state-owned facilities.  In addition, no exports or reexports may contribute to the operation of the state.  Eligible items for export or reexport under the provisions of this license exception continue to be only those items designated as EAR99 or controlled for Anti-Terrorism reasons only.

With these changes, more opportunities exist for U.S. exporters related to commerce in Cuba; however, these opportunities also implement additional layers of scrutiny to ensure that only eligible parties, items and end uses are the basis of proposed transactions.  Exporters are advised that they should fully research the many restrictions on exports or reexports to Cuba, particularly when contemplating use of one of the EAR License Exceptions for proposed transactions.

As reported in the media, travel restrictions for U.S. citizens are enhanced based on the limitations that such activities benefit the Cuban government, which owns a large number of the hotels in Cuba.


Faulty Processes Can Be Expensive And Put Your Ability To Export At Risk

By Odyssey E. Gray, III, Associate, FD Associates, Inc.

A successful and lawful export should be the product of a series of internal processes conducted by persons responsible for trade compliance that help determine/answer pertinent and relevant questions concerning the export.  Exporters should be sure to continually review and evaluate internal processes for compliance to the various export regulations.

A baseline starting point is for exporters to be able to answer certain questions about each transaction:

  • Who? – who are you doing business with? Who are the other parties in the transaction?
  • What? – what is the commodity and associated export controls?
  • Why? – what is the end use?
  • Where? – where is it going?

Failure to address any one of these things can lead to an unlawful export with negative ramifications ranging from civil penalties such as fines to debarment and imprisonment.  It is crucial that exporters have established processes in place to manage compliance requirements with the International Traffic In Arms Regulations (“ITAR”), Export Administration Regulations (“EAR”), Office of Foreign Assets Control (“OFAC”) and Foreign Trade Regulations (“FTR”).

Cryofab, Inc. (“Cryofab”), of Kenilworth, NJ, was recently fined $35,000 by the Department of Commerce, Bureau of Industry and Security (“BIS”), for export transactions that had a total value of $21,570.  That’s right, the fines exceeded the value of the transactions.  How did this occur?  Cryofab exported EAR99 items (liquid helium storage container and accessory; liquid nitrogen storage container and operating tool) as No License Required (“NLR”) to Bhabha Atomic Research Center (BARC), an Indian Department of Atomic Energy entity located in Mumbai, India.  BARC is listed as a party on the Department of Commerce Entity List requiring licenses for all commodities exported to BARC.  BIS charged Cryofab with failure to screen the Entity List and failure to seek or obtain the licenses required for export.

Had Cryofab conducted a Denied Party List (“DPL”) screening, using either the free government tool, or a paid service, or even just reading the EAR at Supplement 4 to Part 744, it would have been alerted to the fact that its end user was listed on the Entity List and Cryofab would have known of the associated licensing requirements under the EAR for this direct hit on the Denied Parties List.

The Entity List in the EAR specifies the license requirements for each listed person or entity.  Those license requirements are independent of, and in addition to, license requirements imposed elsewhere in the EAR.   Requirements to export, reexport or transfer (in-country) an EAR99 item to a listed entity are specified in the “License Requirement” column of the Entity List.  If that column indicates “all items subject to the EAR,” then a license is required to export, reexport or transfer (in-country) the item, even though EAR99 items may be exported to the country of destination as NLR.

Due to its failure to screen parties to the transaction, Cryofab was fined 62% in excess of any profits it may have received for these transactions, and they must pay the fine in a timely fashion to avoid further penalties and interest and risk debarment.

Under the EAR, exporters should be mindful of the ten general prohibitions (Part 736) in connection with an export transaction by considering five facts: classification, destination, end user, end use and conduct.  Note the questions above center on consideration of these facts.  Cryofab’s exports constituted a violation of General Prohibition Five:

“Export or reexport to prohibited end-uses or end-users (End-Use End-User). You may not, without a license, knowingly export or reexport any item subject to the EAR to an end-user or end-use that is prohibited by part 744 of the EAR.”

A DPL screening should be embedded in the export processes/procedures when vetting/analyzing the scope of a proposed transaction.  The screening should be completed for all parties to the transaction, not just the end user.

In this instance, the failure to conduct the DPL screening directly cost the exporter significantly more money than could have been made on the transaction, and more than the preventive measure of screening as part of the company’s processes, quotation, order processing and shipping would have cost.  Long term repercussions can include loss of the ability to make future exports, additional scrutiny by government agencies and a sullied company reputation.

Learn from others’ mistakes by ensuring that you have the correct exporter processes in place.  In this instance, Cryofab missed the DPL screening step and focused on the where but not the who.  The end result (and penalty) reinforces the need for exporters to understand that with regard to matters of export compliance, it’s in the company’s best interests to be as thorough as possible to avoid penalties such as those described above.


Does Your IT Infrastructure Comply With The Current DOD Rules For Cybersecurity Protections?

The DoD Rules for Protecting Data Generated or Received as Part of Your DoD Contract or Subcontract Go Into Effect in Four Short Months

By:   Keil J. Ritterpusch, Esq. – Senior Compliance Associate, FD Associates, Inc.

Over the past few years the U.S. Federal Government has been working to establish a regulatory system to ensure that U.S. companies and individuals who are involved with U.S. Government contracts institute sufficient protections for information that they receive or produce in furtherance of their government contracts.  Over this period, there have been numerous proposed rules in the Federal Register by various agencies involved with government contracting and the protection of data pertaining to these government contracts.

On June 18, 2015, the U.S. Government, operating through its National Institute of Standards and Technology (“NIST”), published the first major guidance on the security protocols that persons doing business with the U.S. Federal Government should implement to protect data in which the U.S. Federal Government has a vested interest:  NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST SP 800-171”).

The U.S. Department of Defense (“DoD”) then published proposed rules in the Federal Register in August and December 2015 proposing to implement a security system for prime contractors and subcontractors working under contracts with DoD to protect Controlled Unclassified Information (“CUI”).  Through the notice and comment rulemaking process, DoD substantially modified its proposal for contractors to protect CUI and in turn directed the NIST to revise the NIST SP 800-171.

What resulted from the revision of NIST SP 800-171 and the 2015 proposed rules for the protection of CUI was a DoD Final Rule, 81 Fed Reg 72986, issued on October 21, 2016, and Revision 1 of NIST SP 800-171, published in December 2016.  The DoD final rule provided pertinent revisions of Defense Federal Acquisition Regulations (“DFARS”) 252.204-7000 and 252.204-7012, while the revision of NIST SP 800-171 was mainly through the insertion of clarifying language.

While this regulatory change was published in October 2016, with NIST SP 800-171 being revised in December 2016, the DFARS CyberSecurity rules go into full effect on December 31, 2017.  By this date, only four short months from now, all U.S. DoD Contractors and Subcontractors must have fully implemented the cybersecurity protocols dictated by DFARS 252.204-7000 and 252.204-7012.

A failure to have properly implemented the system is grounds for DoD to void any prime contract held by the entity failing to comply with the DFARS requirement or to any subcontractor to whom DFARS 252.204-7012 has been flowed down.

The key tenets of the DFARS Cybersecurity rules are as follows:

  • Contractors MUST establish a system in compliance with NIST SP 800-171 for the protection of “Covered Defense Information” (“CDI”), which is defined as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
    ◦ (1)  Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
    ◦ (2)  Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
    • Based on this definition of CDI, the terms CDI and CUI are essentially synonymous.  As a result, for the remainder of this article, we refer to the term as CDI/CUI.  While there is a minor distinction between what is CUI and what is CDI, the distinction is pertinent more to the US Government and its policies for retaining and protecting data than it is to the contractor community.
    • This definition for what contractors MUST protect (CDI/CUI) is extraordinarily broad, as defense contractors and their subcontractors working under contracts with DoD do not need to protect only “export controlled information”, but all other information that is “collected,” “developed,” “received,” “transmitted,” “used,” or “stored” in the performance of a DoD contract or subcontract.
    • Extrapolating out the definition for CDI/CUI, it could include, for example, the attendees at a meeting with U.S. Army personnel related to the bathrooms for a new base being constructed – not the technical details related to the effort, but the actual attendees, as the list of attendees (for a meeting that is required for the fulfillment of a contractual obligation to DoD) will have been generated “in support of the performance of the [DoD] contract.”
    • CDI/CUI does not need to contain a single piece of data that would be export controlled in order for a pertinent defense contractor who merely possesses the attendee list to be required to have instituted an information security system in furtherance of the NIST SP 800-171 requirements.  DFARS 252.204-7012.
    • Pursuant to DFARS 252.204-7000(a), contractors must not release any CDI/CUI to “anyone outside the Contractor’s organization, regardless of medium (e.g., film, tape, document), pertaining to any part of [the DoD] contract or any program related to [the DoD] contract” unless the Contracting Officer has given approval or the information is in the public domain.
    • As a result, Contractors must establish a system for protecting CDI/CUI from being accessed by persons who do not have the legal authority to access or possess the CDI/CUI.  This includes foreign parents and affiliates of US contractors and subcontractors to DoD.
    • If the U.S. contractor allows the foreign parent or foreign affiliate to govern its network storage solutions, for example, the U.S. contractor could be unwittingly permitting the disclosure of CDI/CUI to persons without a right to have access to said information – foreign persons no less.
    • This is not permissible under the NIST SP 800-171 publication or the DFARS cybersecurity protection requirements.
    • A failure to prevent foreign person control/access to a contractor’s IT infrastructure could result not only in a violation of the ITAR or the EAR, if the information managed by the foreign parent or affiliate is export-controlled, but also in sanctions under the DFARS, including the possibility of the contractor losing its contracting privileges with DoD for failing to comply with the DFARS Cybersecurity rules.
    • Even more cumbersome for US contractors is that they cannot permit their foreign parents or affiliates to manage their email systems, for the US contractors cannot predict the type of information that will be received by them related to their performance of pertinent DoD contracts – which information would be received by their foreign parent or affiliate in the course of managing the mail servers of the US subsidiary or affiliate.
    • If the US contractor permits its mail systems to be administered by foreign persons in any way, the US contractor will not be in compliance with the NIST SP 800-171 and DFARS 252.204-7012 requirement for the protection of CDI/CUI, for the US contractor will be allowing the foreign person to have access to CDI/CUI, including both export-controlled and non-export-controlled information.
    • Along these lines, we note that the use of GOOGLE for email or other document creation and storage is not compliant with the DFARS Cybersecurity rules, as GOOGLE has clearly stated that its servers and services are commercial and that GOOGLE uses foreign persons in the management of its Information Technology (“IT”) infrastructure, such that GOOGLE cannot certify that CDI/CUI housed in GOOGLE would only be accessed by US persons on US-based servers.
    • Fortunately for contractors and subcontractors, NIST SP 800-171 offers significant flexibility for how the contractors meet the basic and derived security requirements in the policy document.
    • NIST and DoD are not concerned with how contractors achieve the security requirements. They do not require any specific technological solution, do not require that contractors purchase (or refrain from purchasing) any particular hardware or software, and do not require that contractors overhaul their existing systems – per se.
    • Rather, the requirements of the DFARS rules and the NIST policy document allow contractors to adequately protect CDI/CUI “using the systems they already have in place, rather than trying to use government-specific approaches.” Of course, not all contractors presently have systems in place that can achieve the NIST requirements, and the burden is on the contractor to ensure that it meets its legal and contractual obligations to the government for handling CDI/CUI. Contractors whose work involves CDI/CUI, therefore, should promptly conduct an assessment of their existing systems that effectively:
      ◦ Identifies whether they possess or are likely to possess CDI/CUI;
      ◦ Analyzes their current practices, systems and solutions for protecting that data and monitoring data security to determine if they can meet applicable standards, including, but not limited to their federal contract(s) clauses, NIST SP 800-53 and NIST SP 800-171; and
      ◦ Develops an effective incident response plan and implements processes for responding to security incidents and mitigating any negative effects of security incidents.
  • The NIST SP 800-171 focuses on minimum standards and best practices within 14 “Security Requirement Families” and provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the standards. As “minimum” standards, they attempt to set the base against which efforts and requirements are made; contractors are free to exceed these expectations through heightened efforts. The following is a list of just a few representative requirements for each of the 14 standards:

1. Access Control

  • Limit information system access to authorized users
  • Separate the duties of individuals to reduce the risk of malevolent collusion
  • Limit unsuccessful login attempts
  • Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
  • Require multi-factor account access for system administrators

2. Awareness and Training

  • Educate managers, systems administrators and users about security risks associated with their activities and applicable policies, standards and procedures
  • Provide security awareness training on recognizing and reporting potential indicators of insider threat

3. Audit and Accountability

  • Use automated mechanisms to integrate and correlate audit and reporting processes
  • Support on-demand analysis and reporting

4. Configuration Management

  • Limit the types of programs users can install
  • Control and monitor all user-installed software

5. Identification and Authentication

  • Prevent reuse of identifiers for a defined period
  • Disable identifiers after a defined period of inactivity
  • Enforce minimum password complexity, i.e., “smart passwords”

6. Incident Response

  • Develop and test an incident response plan

7. Maintenance

  • Ensure equipment removed off-site is sanitized of any CDI/CUI
  • Require multifactor authentication to establish nonlocal maintenance sessions

8. Media Protection

  • Protect (i.e., physically control and securely store) information system media (paper and digital) containing CDI/CUI
  • Sanitize or destroy information system media containing CDI/CUI before disposal or release for reuse

9. Personnel Security

  • Screen individuals prior to authorizing access to systems containing CDI/CUI

10. Physical Protection

  • Maintain audit logs of physical access
  • Control and manage physical access devices

11. Risk Assessment

  • Scan for and remediate vulnerabilities in the information system and applications

12. Security Assessment

  • Periodically assess and monitor the security controls for effectiveness in their applications
  • Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities

13. System and Communications Protection

  • Separate user functionality from information system management functionality
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of UCTI during transmission
  • Control and monitor the use of Voice over Internet Protocol technologies

14. System and Information Integrity

  • Update malicious code protection mechanisms when new releases are available
  • Identify unauthorized use of the information system

Beyond the specific requirements for protecting CDI/CUI, the final rule published by DoD includes clarification on the security standards applicable to cloud-computing services and capabilities.  Cloud Service Providers (CSPs), when storing or transmitting CDI, should meet the Federal Risk and Authorization Management Program (“FedRAMP”) standard for “moderate” compliance, as well as the DFARS Cybersecurity rules’ incident reporting requirement. Contractors should note these requirements under the DFARS for CSPs and review their CSP agreements to determine if any revision of the CSP agreements is required to ensure compliance with the DFARS Cybersecurity rules.

With regard to reporting requirements under the DFARS Cybersecurity rules, DFARS 252.204-7000(c) imposes a requirement on contractors (and CSPs) to notify DoD at http://dibnet.dod.mil -- using a “Medium Assurance Certificate” obtained from DoD (http://iase.disa.mil/pki/eca/Pages/index.aspx) for security of the notification -- when the contractor:

… discovers a cyber incident that affects covered contractor information systems or CDI residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.

The contractor must conduct a review for evidence of compromise of CDI, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.  This review shall also include analyzing covered contractor information systems that were part of the cyber incident, as well as other information systems on the contractor’s networks that may have been accessed as a result of the incident in order to identify compromised CDI, or that affect the contractor’s ability to provide operationally critical support.

While DFARS 252.204-7000(c)(ii) provides that contractors shall issue secure cyber incident reports to DoD at the web address above rapidly (i.e., within seventy-two (72) hours of discovering the cyber incident), it is not clear that a contractor is required to issue a full cyber incident report in this 72-hour period.  As significant forensic work is often required to perform the full investigation dictated by DFARS 252.204-7000(c), we recommend the filing of a preliminary report with DoD within 72 hours of discovering a cyber incident, with a full report to follow in a reasonable period of time, or as is expressly directed by DoD.

In parallel with the filing of the cyber incident report to DoD, we recommend that the contractor file an Initial Voluntary Disclosure with the Department of State’s Directorate of Defense Trade Controls (“DDTC”) if any ITAR technical data was or may have been accessed in the breach as well as an Initial Voluntary Self-Disclosure with the Department of Commerce’s Bureau of Industry & Security (“BIS”) if any EAR technology was or may have been accessed in the breach.*


Updated Version – Presentation Of DSP-61 And DSP-73 Licenses For CBP Decrementation No Longer Required

By Odyssey E. Gray, III, Associate, FD Associates, Inc.

Pursuant to a Final Rule issued in the Federal Register (Public Notice 9811, 82 FR 15, January 3, 2017), with an effective date of December 31, 2016, exporters are no longer required to present their DSP-61 Temporary Import and DSP-73 Temporary Export licenses to Customs and Border Protection (“CBP”), prior to export or import, to facilitate the physical decrementation of the licenses for the hardware that is the subject of the authorization.  The decrementation is now electronic in the Automated Commercial Environment (ACE), in the same manner as when exports of hardware are made under authority of a DSP-5 Permanent Export license.

This action supports an Executive Order and the SAFE Port Act which called for electronic submission of data by businesses to import or export cargo.  This rule was actioned by the Directorate of Defense Trade Controls (“DDTC”) amending the ITAR pursuant to implementation by CBP of the International Trade Data System (“ITDS”).  This system permits exporters and importers to electronically submit the data referenced above.

DSP-61 and DSP-73

Exporters require, from time to time, the ability to temporarily import or temporarily export ITAR-controlled or ITAR regulated hardware into and from the United States for several types of business activities.  The DSP-61 and DSP-73 are the licensing vehicles used by DDTC to authorize these activities.

Temporary imports may be required, for example, to allow a business to conduct activities such as product demonstrations to potential customers, to participate in trade shows or to provide a manufacturing process to a foreign produced defense article.  The DSP-61 is the licensing vehicle to facilitate this.

Temporary exports may be required for many of the same reasons – marketing, trade shows or temporary use abroad to support a particular activity.  The DSP-73 is the licensing vehicle used for this purpose.

Decrementation

As part of its national security responsibility, DDTC must oversee the transfer of ITAR controlled or ITAR regulated commodities to ensure that U.S. controlled technology and hardware are not provided to unauthorized parties or entities.  DDTC’s licensing system is critical to the success of this objective.

Previously, when a temporary export or import was made against either an approved DSP-73 (export) or DSP-61 (import), exporters had to physically present their respective authorization to CBP so that the license could be pen and ink “decremented.”  This decrementation (marking the license, e.g., date, description, initial of the CBP personnel) was CBP’s physical verification that what was authorized to ship was being exported or imported.  CBP would decrement (verify) the temporary export or import license for the item(s) listed on the license when transiting a specific port.

While this manner of decrementation was effective in accomplishing the goals of DDTC in tracking the transit of ITAR controlled or ITAR regulated hardware in and out of the United States, it put an enormous burden on exporters and CBP in terms of managing the logistics of the movement of the actual hardware, as well as coordinating delivery of the paper license for decrementation.  Copies of the original license were not acceptable for decrementation purposes, and, thus, non-compliant with the ITAR.  A lack of pre-coordination with a freight forwarder at port of entry or departure could lead to enormous difficulties, and, on occasion, administrative violations of the ITAR.

Electronic Submission is the Solution

The final rule incorporates the use of the Automated Export System in ACE for exports against DSP-61s and DSP-73s to electronically decrement the DSP-61 or DSP-73, while using the import portal within ACE for imports against DSP-61s and DSP-73s.  As a result, the DSP-61s and DSP-73s are now automatically decremented by ACE import entries and AES Electronic Export Information (EEI) submissions in ACE.

With the elimination of the need to present DSP-61 and DSP-73 licenses for decrementation, consistent with the goals of the referenced legislation, exporters will likely manage more efficient operations in connection with their temporary export and temporary import licensing requirements.

Exporters’ recordkeeping requirements remain intact, and, in fact, the weight of those responsibilities may have increased a notch or two as expectations for complete import records are added to the export records generated from AES in ACE.  As an example of the more stringent requirements, exporters must ensure that complete PGA Message Set information is included as part of their electronic filing for imports.  The PGA Message Set includes information such as License / Exemption type, the DDTC Registration number, and the Anticipated Arrival Date.  You will need to ask your freight forwarder not only for your complete AES record for exports, but also for the ACE filing for imports, including screen shots of the actual PGA Message Set information.

The upside is exporters no longer have to be concerned with returning original licenses appropriately decremented to DDTC per ITAR 123.22, just like the DSP-5.  Nor do they need to worry about a shipment departing over the weekend not properly clearing CBP.

DDTC’s duty to track ITAR-controlled hardware has not lessened, nor has the exporter’s duty to exert due diligence in connection with its export practices.  Changes such as these, however, may result in better controls and management of controlled commodities being temporarily imported and exported.

Post Script Update

An astute reader pointed out that transactions involving the use of a carnet document (duty relief for certain countries including the U.S. when hardware is for demonstration/marketing purposes) are not eligible for this procedure, and the temporary licenses must still be presented to CBP for endorsement at time of import into the United States and export from the United States.

Additionally, readers should be aware that although the ITAR was amended to not require the presentation of the DSP-73 or DSP-61, not all ports are following the new requirements. Thus, while you can tell CBP that presentation for pen and ink decrementation is not required, you should remain prepared to present the license if requested by CBP.
