Does Your IT Infrastructure Comply With The Current DOD Rules For Cybersecurity Protections?

The DoD Rules for Protecting Data Generated or Received as Part of Your DoD Contract or Subcontract Go Into Effect in Four Short Months

By:   Keil J. Ritterpusch, Esq. – Senior Compliance Associate, FD Associates, Inc.

Over the past few years the U.S. Federal Government has been working to establish a regulatory system to ensure that U.S. companies and individuals who are involved with U.S. Government contracts institute sufficient protections for information that they receive or produce in furtherance of their government contracts.  Over this period, there have been numerous proposed rules in the Federal Register by various agencies involved with government contracting and the protection of data pertaining to these government contracts.

On June 18, 2015, the U.S. Government, operating through its National Institute of Standards and Technology (“NIST”), published the first major guidance on the security protocols that persons doing business with the U.S. Federal Government should implement to protect data in which the U.S. Federal Government has a vested interest:  NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST SP 800-171”).

The U.S. Department of Defense (“DoD”) then published proposed rules in the Federal Register in August and December 2015 proposing to implement a security system for prime contractors and subcontractors working under contracts with DoD to protect Controlled Unclassified Information (“CUI”).  Through the notice and comment rulemaking process, DoD substantially modified its proposal for contractors to protect CUI and in turn directed the NIST to revise the NIST SP 800-171.

What resulted from the revision of NIST SP 800-171 and the 2015 proposed rules for the protection of CUI was a DoD Final Rule, 81 Fed Reg 72986, issued on October 21, 2016, and Revision 1 of NIST SP 800-171, published in December 2016.  The DoD final rule provided pertinent revisions of Defense Federal Acquisition Regulations (“DFARS”) 252.204-7000 and 252.204-7012, while the revision of NIST SP 800-171 consisted mainly of the insertion of clarifying language.

While this regulatory change was published in October 2016, with NIST SP 800-171 being revised in December 2016, the DFARS Cybersecurity rules go into full effect on December 31, 2017.  By this date, only four short months from now, all U.S. DoD contractors and subcontractors must have fully implemented the cybersecurity protocols dictated by DFARS 252.204-7000 and 252.204-7012.

A failure to have properly implemented the system is grounds for DoD to void any prime contract held by the entity failing to comply with the DFARS requirement, or any subcontract to which DFARS 252.204-7012 has been flowed down.

The key tenets of the DFARS Cybersecurity rules are as follows:

  • Contractors MUST establish a system in compliance with NIST SP 800-171 for the protection of “Covered Defense Information” (“CDI”), which is defined as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
      o (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
      o (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
  • Based on this definition of CDI, the terms CDI and CUI are essentially synonymous.  As a result, for the remainder of this article, we refer to the term as CDI/CUI.  While there is a minor distinction between what is CUI and what is CDI, the distinction is pertinent more to the US Government and its policies for retaining and protecting data than it is to the contractor community.
  • This definition of what contractors MUST protect (CDI/CUI) is extraordinarily broad, as defense contractors and their subcontractors working under contracts with DoD do not need to protect only “export controlled information”, but all other information that is “collected,” “developed,” “received,” “transmitted,” “used,” or “stored” in the performance of a DoD contract or subcontract.
  • Extrapolating out the definition of CDI/CUI, it could include, for example, the attendees at a meeting with U.S. Army personnel related to the bathrooms for a new base being constructed – not the technical details related to the effort, but the actual attendees, as the list of attendees (for a meeting that is required for the fulfillment of a contractual obligation to DoD) will have been generated “in support of the performance of the [DoD] contract.”
  • CDI/CUI does not need to contain a single piece of data that would be export controlled in order for a pertinent defense contractor who merely possesses the attendee list to be required to have instituted an information security system in furtherance of the NIST SP 800-171 requirements.  DFARS 252.204-7012.
  • Pursuant to DFARS 252.204-7000(a), contractors must not release any CDI/CUI to “anyone outside the Contractor’s organization, regardless of medium (e.g., film, tape, document), pertaining to any part of [the DoD] contract or any program related to [the DoD] contract” unless the Contracting Officer has given approval or the information is in the public domain.
  • As a result, contractors must establish a system for protecting CDI/CUI from being accessed by persons who do not have the legal authority to access or possess the CDI/CUI.  This includes foreign parents and affiliates of US contractors and subcontractors to DoD.
  • If the U.S. contractor allows the foreign parent or foreign affiliate to govern its network storage solutions, for example, the U.S. contractor could be unwittingly permitting the disclosure of CDI/CUI to persons without a right to have access to said information – foreign persons no less.
  • This is not permissible under the NIST SP 800-171 publication or the DFARS cybersecurity protection requirements.
  • A failure to prevent foreign person control of, or access to, a contractor’s IT infrastructure could result not only in a violation of the ITAR or the EAR, if the information managed by the foreign parent or affiliate is export-controlled, but also in sanctions under the DFARS, including the possibility of the contractor losing its contracting privileges with DoD for failing to comply with the DFARS Cybersecurity rules.
  • Even more cumbersome for US contractors is that they cannot permit their foreign parents or affiliates to manage their email systems, for the US contractors cannot predict the type of information that will be received by them related to their performance of pertinent DoD contracts – information which would be received by their foreign parent or affiliate in the course of managing the mail servers of the US subsidiary or affiliate.
  • If the US contractor permits its mail systems to be administered by foreign persons in any way, the US contractor will not be in compliance with the NIST SP 800-171 and DFARS 252.204-7012 requirement for the protection of CDI/CUI, for the US contractor will be allowing the foreign person to have access to CDI/CUI, including both export-controlled and non-export-controlled information.
  • Along these lines, we note that the use of GOOGLE for email or other document creation and storage is not compliant with the DFARS Cybersecurity rules, as GOOGLE has clearly stated that its servers and services are commercial and that GOOGLE uses foreign persons in the management of its Information Technology (“IT”) infrastructure, such that GOOGLE cannot certify that CDI/CUI housed in GOOGLE would only be accessed by US persons on US-based servers.
  • Fortunately for contractors and subcontractors, NIST SP 800-171 offers significant flexibility for how contractors meet the basic and derived security requirements in the policy document.
  • NIST and DoD are not concerned with how contractors achieve the security requirements.  They do not require any specific technological solution, do not require that contractors purchase (or refrain from purchasing) any particular hardware or software, and do not require that contractors overhaul their existing systems – per se.
  • Rather, the requirements of the DFARS rules and the NIST policy document allow contractors to adequately protect CDI/CUI “using the systems they already have in place, rather than trying to use government-specific approaches.”  Of course, not all contractors presently have systems in place that can achieve the NIST requirements, and the burden is on the contractor to ensure that it meets its legal and contractual obligations to the government for handling CDI/CUI.  Contractors whose work involves CDI/CUI, therefore, should promptly conduct an assessment of their existing systems that effectively:
      o Identifies whether they possess or are likely to possess CDI/CUI;
      o Analyzes their current practices, systems and solutions for protecting that data and monitoring data security to determine if they can meet applicable standards, including, but not limited to, their federal contract(s) clauses, NIST SP 800-53 and NIST SP 800-171; and
      o Develops an effective incident response plan and implements processes for responding to security incidents and mitigating any negative effects of security incidents.
  • NIST SP 800-171 focuses on minimum standards and best practices within 14 “Security Requirement Families” and provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the standards.  As “minimum” standards, they set the base against which efforts and requirements are measured; contractors are free to exceed these expectations through heightened efforts.  The following is a list of just a few representative requirements for each of the 14 standards:

1. Access Control

  • Limit information system access to authorized users
  • Separate the duties of individuals to reduce the risk of malevolent collusion
  • Limit unsuccessful login attempts
  • Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
  • Require multi-factor account access for system administrators

2. Awareness and Training

  • Educate managers, systems administrators and users about security risks associated with their activities and applicable policies, standards and procedures
  • Provide security awareness training on recognizing and reporting potential indicators of insider threat

3. Audit and Accountability

  • Use automated mechanisms to integrate and correlate audit and reporting processes
  • Support on-demand analysis and reporting

4. Configuration Management

  • Limit the types of programs users can install
  • Control and monitor all user-installed software

5. Identification and Authentication

  • Prevent reuse of identifiers for a defined period
  • Disable identifiers after a defined period of inactivity
  • Enforce minimum password complexity, i.e., “smart passwords”

6. Incident Response

  • Develop and test an incident response plan

7. Maintenance

  • Ensure equipment removed off-site is sanitized of any CDI/CUI
  • Require multifactor authentication to establish nonlocal maintenance sessions

8. Media Protection

  • Protect (i.e., physically control and securely store) information system media (paper and digital) containing CDI/CUI
  • Sanitize or destroy information system media containing CDI/CUI before disposal or release for reuse

9. Personnel Security

  • Screen individuals prior to authorizing access to systems containing CDI/CUI

10. Physical Protection

  • Maintain audit logs of physical access
  • Control and manage physical access devices

11. Risk Assessment

  • Scan for and remediate vulnerabilities in the information system and applications

12. Security Assessment

  • Periodically assess and monitor the security controls for effectiveness in their applications
  • Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities

13. System and Communications Protection

  • Separate user functionality from information system management functionality
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of UCTI during transmission
  • Control and monitor the use of Voice over Internet Protocol technologies

14. System and Information Integrity

  • Update malicious code protection mechanisms when new releases are available
  • Identify unauthorized use of the information system

Beyond the specific requirements for protecting CDI/CUI, the final rule published by DoD includes clarification on the security standards applicable to cloud-computing services and capabilities.  Cloud Service Providers (CSPs), when storing or transmitting CDI, should meet the Federal Risk and Authorization Management Program (“FedRAMP”) standard for “moderate” compliance, as well as the DFARS Cybersecurity rules’ incident reporting requirement.  Contractors should note these DFARS requirements for CSPs and review their CSP agreements to determine whether any revision of those agreements is required to ensure compliance with the DFARS Cybersecurity rules.

With regard to reporting requirements under the DFARS Cybersecurity rules, DFARS 252.204-7000(c) imposes a requirement on contractors (and CSPs) to notify DoD at http://dibnet.dod.mil (using a “Medium Assurance Certificate” obtained from DoD at http://iase.disa.mil/pki/eca/Pages/index.aspx to secure the notification) when the contractor:

… discovers a cyber incident that affects covered contractor information systems or CDI residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.

The contractor must conduct a review for evidence of compromise of CDI, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.  This review shall also include analyzing covered contractor information systems that were part of the cyber incident, as well as other information systems on the contractor’s networks that may have been accessed as a result of the incident, in order to identify compromised CDI or systems that affect the contractor’s ability to provide operationally critical support.

While DFARS 252.204-7000(c)(ii) provides that contractors shall issue secure cyber incident reports to DoD at the web address above rapidly (i.e., within seventy-two (72) hours of discovering the cyber incident), it is not clear that a contractor is required to issue a full cyber incident report within this 72-hour period.  As significant forensic work is often required to perform the full investigation dictated by DFARS 252.204-7000(c), we recommend filing a preliminary report with DoD within 72 hours of discovering a cyber incident, with a full report to follow in a reasonable period of time, or as expressly directed by DoD.

In parallel with the filing of the cyber incident report to DoD, we recommend that the contractor file an Initial Voluntary Disclosure with the Department of State’s Directorate of Defense Trade Controls (“DDTC”) if any ITAR technical data was or may have been accessed in the breach as well as an Initial Voluntary Self-Disclosure with the Department of Commerce’s Bureau of Industry & Security (“BIS”) if any EAR technology was or may have been accessed in the breach.*


Updated Version – Presentation Of DSP-61 And DSP-73 Licenses For CBP Decrementation No Longer Required

By Odyssey E. Gray, III, Associate, FD Associates, Inc.

Pursuant to a Final Rule issued in the Federal Register (Public Notice 9811, 82 FR 15, January 3, 2017), with an effective date of December 31, 2016, exporters are no longer required to present their DSP-61 Temporary Import and DSP-73 Temporary Export licenses to Customs and Border Protection (“CBP”), prior to export or import, to facilitate the physical decrementation of the licenses for the hardware that is the subject of the authorization.  The decrementation is now electronic in the Automated Commercial Environment (ACE), in the same manner as when exports of hardware are made under authority of a DSP-5 Permanent Export license.

This action supports an Executive Order and the SAFE Port Act which called for electronic submission of data by businesses to import or export cargo.  This rule was actioned by the Directorate of Defense Trade Controls (“DDTC”) amending the ITAR pursuant to implementation by CBP of the International Trade Data System (“ITDS”).  This system permits exporters and importers to electronically submit the data referenced above.

DSP-61 and DSP-73

Exporters require, from time to time, the ability to temporarily import or temporarily export ITAR-controlled or ITAR regulated hardware into and from the United States for several types of business activities.  The DSP-61 and DSP-73 are the licensing vehicles used by DDTC to authorize these activities.

Temporary imports may be required, for example, to allow a business to conduct activities such as product demonstrations to potential customers, to participate in trade shows or to provide a manufacturing process to a foreign produced defense article.  The DSP-61 is the licensing vehicle to facilitate this.

Temporary exports may be required for many of the same reasons – marketing, trade shows or temporary use abroad to support a particular activity.  The DSP-73 is the licensing vehicle used for this purpose.

Decrementation

As part of its national security responsibility, DDTC must oversee the transfer of ITAR controlled or ITAR regulated commodities to ensure that U.S. controlled technology and hardware is not provided to unauthorized parties or entities.  DDTC’s licensing system is critical to the success of this objective.

Previously, when a temporary export or import was made against either an approved DSP-73 (export) or DSP-61 (import), exporters had to physically present their respective authorization to CBP so that the license could be pen and ink “decremented.”  This decrementation (marking the license, e.g., date, description, initial of the CBP personnel) was CBP’s physical verification that what was authorized to ship was being exported or imported.  CBP would decrement (verify) the temporary export or import license for the item(s) listed on the license when transiting a specific port.

While this manner of decrementation was effective in accomplishing the goals of DDTC in tracking the transit of ITAR controlled or ITAR regulated hardware in and out of the United States, it put an enormous burden on exporters and CBP in terms of managing the logistics of the movement of the actual hardware, as well as coordinating delivery of the paper license for decrementation.  Copies of the original license were not acceptable for decrementation purposes and were, thus, non-compliant with the ITAR.  A lack of pre-coordination with a freight forwarder at the port of entry or departure could lead to enormous difficulties, and, on occasion, administrative violations of the ITAR.

Electronic Submission is the Solution

The final rule incorporates the use of the Automated Export System in ACE for exports against DSP-61s and DSP-73s to electronically decrement the DSP-61 or DSP-73, while using the import portal within ACE for imports against DSP-61s and DSP-73s.  As a result, the DSP-61s and DSP-73s are now automatically decremented by ACE import entries and AES Electronic Export Information (EEI) submissions in ACE.

With the elimination of the need to present DSP-61 and DSP-73 licenses for decrementation, consistent with the goals of the referenced legislation, exporters will likely manage more efficient operations in connection with their temporary export and temporary import licensing requirements.

Exporters’ recordkeeping requirements remain intact, and, in fact, the weight of those responsibilities may have increased a notch or two, as expectations for complete import records are added to the export records generated from AES in ACE.  As an example of the more stringent requirements, exporters must ensure that complete PGA Message Set information is included as part of their electronic filing for imports.  The PGA Message Set includes information such as License / Exemption type, the DDTC Registration number, and the Anticipated Arrival Date.  You will need to ask your freight forwarder not only for your complete AES record for exports, but also for the ACE filing for imports, including screen shots of the actual PGA Message Set information.

The upside is exporters no longer have to be concerned with returning original licenses appropriately decremented to DDTC per ITAR 123.22, just like the DSP-5.  Nor do they need to worry about a shipment departing over the weekend not properly clearing CBP.

DDTC’s duty to track ITAR-controlled hardware has not lessened, nor has the exporter’s duty to exert due diligence in connection with its export practices.  Changes such as these, however, may result in better controls and management of controlled commodities being temporarily imported and exported.

Post Script Update

An astute reader pointed out that transactions involving the use of a carnet document (duty relief for certain countries, including the U.S., when hardware is for demonstration/marketing purposes) are not eligible for this procedure, and the temporary licenses must still be presented to CBP for endorsement at the time of import into the United States and export from the United States.

Additionally, readers should be aware that although the ITAR was amended to no longer require the presentation of the DSP-73 or DSP-61, not all ports are following the new requirements.  Thus, while you may tell CBP that presentation for pen and ink decrementation is not required, you should remain prepared to present the license if CBP requests it.


Final Round Of Export Control Reform Revisions Related To Spacecraft

By Paul Croarkin, Senior Associate, and Keil Ritterpusch, Senior Compliance Associate

On January 10, 2017, the Department of State and the Department of Commerce published final rules to further refine the control of spacecraft and related items controlled for export by the International Traffic in Arms Regulations (“ITAR”) and the Export Administration Regulations (“EAR”).  The final rules are part of the continuing revision of the ITAR through the Export Control Reform (“ECR”) initiative.  For copies of the Federal Register Notices publishing the final rules, please see http://pmddtc.state.gov/FR/2017/82FR2889.pdf and https://www.bis.doc.gov/index.php/documents/regulations-docs/federal-register-notices/federal-register-2017/1630-82-fr-2875/file.

The revision of the ITAR’s United States Munitions List Category XV and the EAR’s Export Control Classification Number 9X515 went into effect on January 15, 2017.  Unlike prior ECR revisions of the ITAR, this latest revision had a very short interval from final rule to effective date because the changes involved had already been published through Notice and Comment rulemaking and had received favorable comments from the public.

The revised rules include the following notable changes requested by the commercial space industry and advocated by the Department of Commerce:

  • Moved certain remote sensing satellites from control by the ITAR to control by the EAR:
    • spacecraft with an aperture equal to or less than 0.5 m are now controlled by the EAR under ECCN 9A515.a.1;
    • spacecraft with remote sensing capabilities beyond NIR (i.e., SWIR, MWIR, and LWIR) that are not otherwise enumerated on the ITAR’s United States Munitions List (“USML”) are now controlled by the EAR under ECCN 9A515.a.2;
    • spacecraft with radar remote sensing capabilities (e.g., EASA, SAR, and ISAR) having a center frequency equal to or greater than 1 GHz but less than 10 GHz and having a bandwidth between 100 MHz and 300 MHz are now controlled by the EAR under ECCN 9A515.a.3.
  • In parallel with the movement of these spacecraft and components to control by the EAR, the Department of Commerce created a new mechanism to approve the export of these spacecraft and components without an export license, pursuant to a revision to the EAR’s Strategic Trade Authorization (“STA”) License Exception set forth in Section 740.20 of the EAR.
    • Specifically, for the export of spacecraft, and components for the spacecraft, in ECCNs 9A515.a.1 through a.4, the prospective exporter must submit a request to the Department of Commerce pursuant to Section 740.20(g) of the EAR for export of these more sensitive spacecraft and related components under License Exception STA.
  • Moved components of the spacecraft in ECCNs 9A515.a.1 through a.4 to control on the EAR under ECCN 9A515.g.
  • Moved spacecraft providing space based logistics, assembly, or servicing of other “spacecraft” that are not enumerated on the USML to the EAR under ECCN 9A515.a.4.
  • Clarified that the USML does not control spacecraft automatically because the spacecraft supports human habitation.  Only spacecraft with the characteristics expressly enumerated in USML Category XV are ITAR-controlled.
  • Redefined several controls based on technical capabilities rather than end use of the spacecraft.  For example, the final rule provides that spacecraft that perform real-time autonomous detection and tracking of moving objects, other than celestial bodies, are ITAR-controlled, but that this control does not apply to systems that can track fixed points to determine their own movement based on the relative position of the fixed points over time.
  • Removed and replaced confusing criteria concerning integrated propulsion and attitude control, providing specific technical parameters for the types of spacecraft propulsion systems and attitude control apparatus that make a spacecraft ITAR-controlled.
    • Along these lines, the James Webb Space Telescope (“JWST”) was removed from the ITAR for control under 9A004.u, the same ECCN that governs exports of the International Space Station.
    • Despite the JWST having thrusters for attitude control and movement, the Department of State ruled that, unlike satellites, the JWST and other scientific spacecraft that are able to alter their position in orbit should not automatically be controlled for export under the ITAR, and should instead be controlled under the EAR.


Changes To USML Categories VIII And XIX And Their Bookend ECCNS 9A610 And 9A619

By John Herzo, Senior Associate; Odyssey Gray, Associate; and Jenny Hahn, Partner

As part of the continuing review of the U.S. Munitions List (“USML”) and the Commerce Control List (“CCL”) 600 / 500 Series Export Control Classification Numbers (“ECCN”) under Export Control Reform, on November 21, 2016 the Department of State, Directorate of Defense Trade Controls (“DDTC”) published its Final Rule regarding refresher changes to USML Category VIII, which pertains to military aircraft and related articles, and USML Category XIX, which pertains to military gas turbine engines and related articles.  The Department of Commerce, Bureau of Industry and Security (“BIS”) also published its Final Rule related to the bookend changes to ECCN 9A610, for military aircraft transitioned to the CCL, and ECCN 9A619, for military gas turbine engines transitioned to the CCL.  These changes go into effect on December 31, 2016.


DDTC IT Modernization – “Are You Ready?”

By Odyssey E. Gray, III, Associate, FD Associates, Inc.

Change.  It’s the universal constant.  In all matter of things, change is ongoing, necessary and undeniable.  In the world of IT, it is a hallmark of the industry.  Technology changes occur daily as individuals, businesses, corporations and Governments seek more efficient and productive ways to do things.

As exporters develop and work towards more efficient processes to better manage, run and execute their activities, the Directorate of Defense Trade Controls (“DDTC”) has sought to do the same.

Step one was to overhaul and update its regulations under Export Control Reform (“ECR”) to more accurately reflect current technology and necessary controls for exporters’ commodities and services in today’s world.  This is still ongoing.

The next step is to overhaul and update its processes related to adjudication of all manner of DDTC requests and authorizations.  This is reflected in upcoming changes for exporters in how one obtains an ITAR registration, files Commodity Jurisdiction (“CJ”) requests, submits General Correspondence (“GC”) requests and submits requests for export authorization of hardware, technical data and defense services.

DDTC recognizes that its DTrade electronic licensing system is, in today’s world, an antiquated system.  As such, there are gaps and shortcomings in its processes which make for additional work by exporters and USG personnel, which, with current technology, can be improved via automation or eliminated altogether.

Over time, different processes have been developed to try to address activities by exporters requiring DDTC authorization.  Examining its infrastructure, DDTC understands that in today’s IT environment, these processes prove to be inefficient and unsatisfactory.  For example, under the current system, if a company changes addresses, why must an exporter be responsible for printing out a web notice and forwarding this with their shipment?  Why doesn’t the system simply update its existing records?  What if the exporter does not include the web notice?  How many calls and how much time is expended to address this?  Or more accurately, how much time is wasted to address this breakdown due to lack of IT modernization?

Thus, DDTC seeks to address these and similar issues with its IT modernization plan to not only benefit exporters, but to improve its own capabilities to better track, manage and control commodities (including identification of parties to transactions), furthering its ultimate mission to protect national security.  At the same time, these changes should help to allow industry to operate more efficiently and redirect resources to further engage and develop business opportunities.

IT modernization begins with how exporters interact with DDTC.  Therefore, the interfaces between industry and DDTC are changing.  DTrade, the use of digital certificates, the Electronic Filing System (EFS), the Electronic Licensing Entry System (ELLIE) and MARY are going away.  A web-based, single online interface named the Defense Export Control and Compliance System (“DECCS”) is coming.  This system will feature data collection consolidation, improved security, use of a Government cloud and compatibility with multiple browsers.  Instead of digital certificates, users will use a new 2-factor authentication process.  Currently, only the ELISA database, the means of tracking requests, will remain unchanged.

How is this IT modernization going to occur?  Consolidate and automate.  As mentioned previously, one interface for exporters to submit requests.  One form for exporters to request authorization for different export activities/requests, or notifications.  In practice, this will be the use of one form for registrations, mergers and acquisitions; one form for CJs; one form for disclosures; one form for agreements, GCs and license requests; and one form for Advisory Opinions.

When will this IT modernization occur?  The new form for CJs goes into effect (“live”) November 21, 2016.  The review process for the new registration form is being finalized, so that form should be issued in early 2017.  The other forms are in various stages of review; however, the expectation is that all of the new forms will be issued and in use by April 2017 in the current DTrade system.  Overall migration from DTrade to DECCS is slated for June 2017.

How to prepare for IT modernization?  Review DDTC’s goals and the information related to these proposed changes, similar to the way exporters reviewed changes to the USML for ECR.  Exporters can review the new forms and any related notices on the DDTC website and evaluate their internal processes in light of this IT modernization.

If you have questions, ask the DDTC Response Team or the DTrade Help Desk, or contact FD Associates.

Don’t be intimidated.  Remember it’s in the Government’s interest that exporters understand the new processes.  Remember, it’s not about being new, but being better.


Updates To The Department Of State’s Agreement Guidelines

By John Herzo, Senior Associate

On August 11, 2016, the Department of State, Directorate of Defense Trade Controls (DDTC) published its latest iteration of the Guidelines For Preparing Agreements (guidelines). DDTC updated the guidelines based on the changes to certain definitions and other sections of the ITAR that were published in the Federal Register on June 2, 2016, which go into effect on September 1, 2016. A majority of the changes to the guidelines are editorial and will not affect an applicant’s submission (DSP-5 vehicle, transmittal letter and agreement) of a proposed agreement/amendment to the Department of State for review.

Firstly, there are no changes to the guidance on how to prepare the DSP-5 Vehicle.

There is only one change required to the transmittal letter. The June 2, 2016 changes to the ITAR deleted the 22 CFR § 124.16 dual/third country national requirements. Therefore, § 124.12(a)(10) of the transmittal letter pertaining to § 124.16 should be deleted.

A summary of the main changes to the guidelines related to the preparation of the proposed agreement/amendment are as follows:

  • If the applicant wishes to export EAR controlled technology under the proposed agreement, the § 124.7(2) section of the agreement must identify that EAR controlled technology will be transferred and will be used in or with the ITAR technical data to be transferred under the agreement.
  • The U.S. sub-licensing clause has changed slightly due to the addition of the definitions of reexports and retransfers to the ITAR. The U.S. sub-licensing clause should read as follows:

“This agreement authorizes sublicensing to U.S. Persons. Exports, reexports, retransfers or temporary imports by the U.S. sublicensee must be conducted as part of a separate authorization initiated by the U.S. Person.”

  • As stated above, the June 3, 2016 changes to the ITAR deleted the § 124.16 dual/third country national requirements; therefore, the proposed agreement should no longer contain the § 124.16 language.
  • While the § 124.16 language was deleted, the essence of § 124.16 was added to the § 126.18 dual/third country national exemption. It is not a requirement to include any language pertaining to § 126.18 in your proposed agreement/amendment; however, FD Associates believes such a reference is a best practice, as it puts the foreign licensee(s) on notice that they may utilize the exemption and provides the foreign licensee(s) with information regarding the requirements of the exemption.
  • Included with the changes to authorizing dual/third country nationals was the removal of DDTC’s consideration of country of birth when dual/third country national authorization is vetted by DDTC via § 124.8(5) (Option 2 from the guidelines). When determining nationality, DDTC will now consider all countries in which a foreign person has held or holds citizenship or holds permanent residency.
  • Lastly, the verbatim § 124.8(5) language (USG clauses) was changed and should read as follows:

“The technical data or defense service exported from the United States in furtherance of this agreement and any defense article which may be produced or manufactured from such technical data or defense service may not be transferred to a foreign person except pursuant to §126.18, as specifically authorized in this agreement, or where prior written approval of the Department of State has been obtained.”

All changes to current agreements pursuant to the changes to the ITAR and the guidelines do not have to be made until the applicant submits its next major amendment to DDTC.

DDTC will accept new agreements with the required changes prior to September 1, 2016, the date of implementation of the changes to the ITAR. Any agreement/amendment submitted without any of the required changes after August 11, 2016, but before September 1, 2016 will be reviewed by DDTC. In such instances the applicant will be required to make the required changes to the agreement/amendment prior to execution pursuant to Provisos to the agreement/amendment. Starting on September 1, 2016 all agreements/amendments must be submitted to DDTC in accordance with the changes to the ITAR and the guidelines.


DDTC Rescinds Notice From May 6, 2016 Regarding The Use Of The Current Version Of The DSP-83

By John Herzo, Senior Associate

June 8, 2016 - Effective IMMEDIATELY, any expired DSP-83 forms the Department of State receives with export license applications will be processed. In addition, any client who received a proviso directing the upload of a new DSP-83 form as a condition of making exports is advised by the Department of State that they may disregard the proviso by citing the June 8, 2016 notice.

The Department of State strongly urges all companies to use the latest DSP-83 form on their website.

DSP-83 Form Change

In November of 2015 the Department of State updated the DSP-83 Non-transfer and Use Certificate required for applications involving the permanent export of Significant Military Equipment. There were no changes to the wording of the form; the only change made was the extension of the expiration date until May 31, 2018 at the bottom of the form. At that time the Department of State published a web notice stating that earlier versions of the form would be rejected after review by a licensing officer, as the DTrade system cannot reject a submission based on the expiration date of supporting documentation.

The Department of State continued to receive expired DSP-83 forms as supporting documentation with DTrade submissions. In the interim, in March 2016, DDTC published a revised DSP-83 form which updated the expiration date at both the top and the bottom of the document. Due to its obligation to accept only non-expired forms, on May 6, 2016 the Department of State issued a web notice which identified the following:

  • Any license application pending with DDTC using an unexpired DSP-83 form (prior to DDTC revision) will be processed as normal;
  • Any license application in process with the prior DSP-83 form will be processed as normal, but will require completion of an updated DSP-83 form by all parties before July 1, 2016, which must be uploaded to DTrade;
  • Beginning on May 14, 2016, the Department of State will not accept license applications using the expired DSP-83 form, unless the applicant submits a formal letter signed by the Empowered Official with the application stating that the applicant understands that it must obtain new DSP-83 forms prior to DDTC approval of the license application. Any license application that does not contain a new DSP-83 by July 1, 2016 will be Returned Without Action;
  • Starting on July 1, 2016 all license applications submitted with an expired DSP-83 will be Returned Without Action by the Department of State.

Got questions? Contact your FD Associates’ consultant!


DOJ Issues Guidance On Pursuing Individual Accountability For Corporate Wrongdoing

By Keil J. Ritterpusch, Esq., Senior Associate

In a memorandum and accompanying speech in September 2015, U.S. Deputy Attorney General Sally Quillian Yates of the Department of Justice (“DOJ”) announced a major new initiative designed to target and pursue “accountability from the individuals” who “perpetrate corporate wrongdoing.”   The memorandum is published at http://www.justice.gov/dag/file/769036/download.

This DOJ memorandum provides insight into a new initiative within the Obama Administration for the investigation of wrongdoing by corporate entities, with the aim of pursuing investigations and civil and criminal actions against individuals within companies who are responsible for corporations committing violations of U.S. laws and/or regulations, including the Arms Export Control Act (“AECA”), the International Traffic in Arms Regulations (“ITAR”), the Export Administration Act (“EAA”), the Export Administration Regulations (“EAR”), the Office of Foreign Assets Control (“OFAC”) Regulations, and the Foreign Trade Regulations (“FTR”). While the DOJ memorandum does not expressly pertain to the export compliance activities of companies, the memorandum applies generally to any law enforcement activity that may involve the DOJ or law/regulatory enforcement personnel, including personnel working for the Departments of State and Commerce, U.S. Customs and Border Protection, and the U.S. Census Bureau.

Specifically, the DOJ memorandum provides six specific policy instructions to DOJ attorneys, both in Washington D.C. and the U.S. Attorneys’ Offices, on the investigation and resolution of criminal and civil enforcement matters involving corporations and their employees. The memorandum applies to alleged violations of any U.S. law or regulation by corporations and the pursuit of actions/investigations against key employees of the corporations. Media reports described the memorandum as the first major policy announcement by the new Attorney General, Loretta E. Lynch.

As a foundational matter, the DOJ memorandum acknowledged the substantial challenges to pursuing individuals who “perpetrate corporate wrongdoing.” Deputy Attorney General Yates further stated in a speech regarding the policy: “These cases can present unique challenges for DOJ’s agents and attorneys: there are complex corporate hierarchies, enormous volumes of electronic documents, and a variety of legal and practical challenges that can limit access to the evidence we need.”[1]  Deputy Attorney General Yates further explained that “In modern corporations, where responsibility is often diffuse, it can be extremely difficult to identify the single person or group of people who possessed the knowledge or criminal intent necessary to establish proof beyond a reasonable doubt. This is particularly true of high-level executives, who are often insulated from the day-to-day activity in which the misconduct occurs.”

The DOJ memorandum cites the following six steps in pursuit of individual corporate wrongdoing:

Where a corporation’s continued cooperation is necessary post-resolution, the “plea or settlement agreement should include a provision that requires the company to provide information about all culpable individuals and that is explicit enough so that a failure to provide the information results in specific consequences, such as stipulated penalties and/or a material breach.”

Any such release of criminal or civil liability must be due to “extraordinary circumstances” and must be “personally approved in writing by the relevant Assistant Attorney General or United States Attorney.” There may also be exceptions for approved Departmental policies such as the Antitrust Division’s Corporate Leniency Policy.

If, at the conclusion of the investigation, a decision is made not to bring civil claims or criminal charges against individuals, the reasons for that decision must also be memorialized and approved by the U.S. Attorney or relevant Assistant Attorney General.

Implications of the DOJ Policy

While the DOJ memorandum is not binding law, it is a source of practical guidance for DOJ attorneys and law enforcement agents and will involve several changes to the U.S. Attorneys’ Manual and other Departmental guidance. It remains to be seen how significant a change these policy directives will have on individual prosecutions and corporate civil and criminal resolutions.

However, one thing is clear: DOJ is trying to send a message to the public and to agents and prosecutors across the country that punishment and deterrence of unlawful conduct will not be served unless individuals, as well as companies, are held accountable for corporate wrongdoing.

We view the memorandum as reflecting a significant change in DOJ policy for civil cases, though not as much in criminal cases. This makes the new policy particularly pertinent in civil agency, law enforcement, and DOJ enforcement of cases involving civil/regulatory matters.

Deputy Attorney General Yates specifically declared in her speech announcing the new policy that the memorandum represents a “substantial shift from our prior practice,” providing that “we’re not going to let corporations plead ignorance.” Yet the memorandum reflects practices that are already employed by numerous DOJ components and U.S. Attorneys’ offices, and reflects prior DOJ guidance, such as a September 2014 speech by Criminal Division leadership declaring that “Voluntary disclosure of corporate misconduct does not constitute true cooperation if the company avoids identifying the individuals who are criminally responsible. Even the identification of culpable individuals is not true cooperation, if the company fails to locate and provide facts and evidence at their disposal that implicate those individuals.”[2]

In regulatory cases, the memorandum appears to have a pronounced effect. Its apparent prohibition on the release of individual liability within corporate settlement agreements may complicate the negotiation and execution of corporate resolutions. In certain civil settlement agreements, for example, DOJ has agreed to release employees from at least civil liability. Yet the new guidance would appear to mark a shift in this practice, providing that “absent extraordinary circumstances, the United States should not release claims related to the liability of individuals based on corporate settlement releases,” and that any such releases must be personally approved in writing by the relevant Assistant Attorney General or U.S. Attorney.

The memorandum may also produce increased civil enforcement action against present and former company employees, even if the individual has few resources to satisfy any demand, judgment, or claim for payment.

It appears that “purely civil” corporate investigations may become less likely, and that clients ought to consider whether and how criminal prosecutors may become involved in such investigations. As noted above, the guidance requires civil and criminal attorneys to be in “routine” communication with one another throughout an investigation. The major lasting impact of these policy changes may in fact be increased civil enforcement, as opposed to additional individual criminal guilty pleas.

As the Deputy Attorney General acknowledged in her speech: “Less corporate cooperation could mean fewer settlements and potentially smaller overall recoveries by the government. However, individuals facing long prison terms or large civil penalties may be more inclined to roll the dice before a jury. Therefore, we could see fewer guilty pleas.”

Implication for Regulatory Investigations

Only time will tell how the DOJ policy will affect investigations in regulatory matters, particularly in export compliance matters. There is clear direction from the Departments of State and Commerce and the Census Bureau for parties who have violated the ITAR, the EAR, or the FTR to self-disclose their violations. However, although the regulations stipulate that the parties involved be named, it has not been industry practice to name the individual persons within the company who were involved with unauthorized conduct under the relevant regulations. With this new DOJ policy, though, it appears that companies will be expected to provide specifics on who within the company was involved with pertinent violations of regulatory requirements.

While the DOJ memorandum expressly applies to the investigation of criminal and civil violations by the DOJ community, it is not clear that the investigators at the Departments of State and Commerce, U.S. Customs and Border Protection, or the U.S. Census Bureau are mandated to follow the dictates of the DOJ memorandum. Nevertheless, for any violation of applicable export laws where DOJ becomes involved with an investigation, it is clear that DOJ will be pursuing investigations of key persons within companies who were responsible for the violations of applicable export rules.

As such, we recommend that companies involved with investigations of export violations fully disclose the names of individuals involved with purported violations of export rules, as well as the applicable managers and senior level executives overseeing compliance, to the government agencies involved with enforcing the violations. Only by doing so will corporations be able to limit or lessen their criminal liability for misconduct.


[1] Deputy Attorney General Sally Quillian Yates Delivers Remarks at New York University School of Law Announcing New Policy on Individual Liability in Matters of Corporate Wrongdoing

[2] See text of speech given by Principal Deputy Assistant Attorney General for the Criminal Division Marshall L. Miller on September 17, 2014: http://www.justice.gov/opa/speech/remarks-principal-deputyassistant-attorney-general-criminal-division-marshall-l-miller.


Client Notice: DDTC Waives Requirement For Exporters To Lodge DSP-5 Permanent Export Licenses With CBP, Effective Immediately

DDTC announced on 12/21/2015 that it has waived the requirement for industry to lodge DSP-5 permanent export licenses for hardware with CBP. This decision was made in anticipation of the implementation of the U.S. Customs and Border Protection (CBP) Automated Commercial Environment (ACE) and because DDTC has been electronically sending CBP registration and licensing data on a daily basis. Since CBP port officials will have access to the DDTC registration and licensing data through ACE, DDTC has determined that it is no longer necessary for exporters to lodge DSP-5 permanent export licenses with CBP.

The ITAR will be updated accordingly. The notice is found on the DDTC home page.

If you have any questions, please contact us at 703-847-5801.


Time To Update Your Records – Customs And Census Update HTS And Schedule B Codes For 2016

By Keil J. Ritterpusch, Esq., Senior Associate

With the ringing in of 2016, it’s time to update your Harmonized Tariff System (“HTS”) and Schedule B codes for your export and import shipments. While we were busy ushering in the New Year, U.S. Customs and Border Protection (“CBP”) and the U.S. Census Bureau (“Census”) were busy making changes to the HTS and Schedule B codes. Every year, these two agencies discontinue certain codes and establish new codes.

Many changes that are applied to HTS codes do not translate to Schedule B codes (and vice versa), so it is imperative that you check each schedule to verify any changes and ensure compliance before importing or exporting. Luckily for importers and exporters, there is a thirty (30) day grace period in which the Automated Export System (“AES”) will still accept the old 2015 codes. This grace period ends 30 days after December 31, 2015 (or on January 30, 2016). After that date, using expired HTS or Schedule B codes will result in a fatal error in AES.

AESDirect (http://aesdirect.census.gov) will still accept 2015 HTS and Schedule B codes. However, the system has been updated to reflect the 2016 changes, so exporters can begin using the updated codes now.  AESPcLink users will need to update their AESDirect code table before the grace period expires.  AESDirect website users will have the table automatically updated, so no action is required.

Here are some important links concerning the updates:

CBP updated the list of valid HTS codes for importing. Meanwhile, Census updated the list of valid Schedule B codes for exporting.

Both the 2016 Schedule B and HTS tables are available for downloading at:
http://www.census.gov/foreign-trade/aes/documentlibrary/#concordance

The current list of HTS codes that are not valid for AES are available at:
http://www.census.gov/foreign-trade/aes/documentlibrary/concordance/hts-not-for-aes.html

Please contact FD Associates if you have questions or need assistance in applying these changes across your organization. We’re ready to help you with any of your export compliance requirements.
