AUKUS Final Rule Creates Defense Trade Opportunities

AUKUS Final Rule
Photo by Madelyn Keech, U.S. Air Force

The Directorate of Defense Trade Controls (DDTC), under the Department of State, has released the AUKUS Final Rule. This amendment, under part 126 of the International Traffic in Arms Regulations (ITAR), was published and became effective on December 30, 2025. This exemption will greatly facilitate defense trade between the United States, the United Kingdom, and Australia.

AUKUS Final Rule Evolution

AUKUS was initiated as a strategic initiative to enhance the defense capabilities of all three nations. It was created in response to national security threats posed by the People’s Republic of China (PRC) and Russia. Its initial priority, under Pillar 1, was to facilitate the Royal Australian Navy’s acquisition of nuclear-powered submarines.

AUKUS Pillar 2 was later initiated to develop advanced military capabilities between the three nations. Its focus includes artificial intelligence, quantum technologies, and undersea capabilities.  Pillar 2 is considered a crucial element in maintaining a competitive edge in the Indo-Pacific region.  Future developments in this effort may include Japan and South Korea.

Pillar 1 went through a temporary halt as the program underwent a Pentagon review to address capability concerns.  It was felt that the agreement would leave the U.S. with insufficient submarine assets.  These concerns were mitigated when the U.K. agreed to increase its shipbuilding and service industries.

Participating in AUKUS Pillar 2

The AUKUS defense trade and cooperation exemption applies to specific articles and defense services, and dual-use items.  It allows the export, reexport, retransfer or temporary import to designated countries without individual licenses.  Items not allowed under this exemption can be found under the Excluded Technology List.  Organizations in participating countries desiring to participate in the program must be registered Authorized Users.

AUKUS Revisions Affecting the EAR

The Bureau of Industry and Security (BIS) had published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers between the three countries. In May 2024 the BIS made corrections to footnote 9 of that publication. This change, while easing licensing and end use requirements for most items, would leave in place license requirements for firearms-related items and other CC controlled items.

These items include ECCNs 0A501 (except 0A501.y), 0A502, 0A503, 0A504, 0A505.a, .b, and .x, 0A981, 0A982, 0A983, 0D501, 0D505, 0E501, 0E502, 0E504, 0E505, and 0E982. 

CVG Strategy Export Compliance Management Programs

The AUKUS final rule illustrates the ever-changing risks and opportunities for organizations involved in the export of ITAR regulated products. Remaining informed and having an effective export compliance program is essential for maintaining a competitive edge.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that essential processes are performed to prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand export regulations, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

IA9100 Series Standards Due for Release in 2026

IA9100 Series Standards
Photo by Pixabay

The IA9100 Series Standards are due for release in 2026. The International Aerospace Quality Group (IAQG) is conducting comprehensive revisions of AS9100, AS9110, AS9120 and AS9145. The transition period for organizations to adopt the new standards will likely extend until 2029.

AS9100 Standard History and Overview

AS9100 Quality Management Systems – Requirements for Aviation, Space, and Defense Organizations, is an international standard for quality management systems in the aerospace industry. It was first published in 1999 by the Society of Automotive Engineers (SAE) to unify and improve quality standards across the aerospace and defense sectors.  The first edition was based on ISO 9001: 1994 to provide a unified aerospace Quality Management System for the industry’s products and services.

The AS9100 standard provides key components for the aerospace sector, where reliability and consistent high quality are crucial. These include provisions for configuration management to address a product’s performance throughout its life cycle. It addresses a product realization process from design to delivery.

AS9100 and its associated standards require organizations to identify and address risks involved with quality and safety. It also requires aerospace supplier management and implements provisions for the prevention of counterfeit parts.

Anticipated Changes in Standard Revisions

Emphasis on Validation for Operational Planning and Process Controls

It is expected that many revisions will be included in this latest rollout of IA9100 and IA9110. Quality Magazine reports that emphasis will be placed on validating processes with data-driven decision making. These will be required for Key Product Characteristics, Statistical Process Control, Measurement System Analysis, Comprehensive Control Plans, Design Experiments, and Process Capability Studies.

Product Safety

The importance of product safety is being increased in both IA9100 and IA9110. It will now be a requirement in both standards. Product safety will now need to include anonymous internal reporting mechanisms. It will also need to be included in all major QMS functions such as audits and risk management processes.

Environmental Considerations

It is predicted that the revised standards will include sustainability and environmental aspects in an effort to align with changes in other QMS standards. These changes trace their way back to ISO 14001. The ISO 14000 family is a set of international standards for environmental management systems. The goal of these standards is to help organizations minimize how their operations negatively affect the environment.

Supplier Management

IA9100 is expected to have more requirements for vendor management to address concerns about supply chain disruptions and counterfeit parts.  This may include remote auditing of suppliers.  It is also expected to include provisions for sub-suppliers which will increase the need for meeting requirements further down the supply chain.

Information Security

It is not surprising that cybersecurity is expected to be included in the revised standards, given the growing prevalence of cyber attacks. Cybersecurity is of special concern for manufacturing facilities, where increased use of technologies, especially Internet of Things (IoT) devices, can create vulnerabilities.

Challenges for Management

The modern c-suite faces growing challenges in balancing risks involved in many areas at the same time.  Product safety, cybersecurity, export compliance and other regulatory responsibilities require that management take a broad and strategic view in setting a business course.  This requires reviewing and interpreting vast amounts of data and remaining open for communication across tiers.

Additionally, as in any aspect of an organization, excellence starts at the top. Management must establish and enforce policies that support IA9100 series standards, other QMS requirements, and regulatory programs, and ensure that they are adequately resourced.

CVG Strategy Quality Management Experts

CVG Strategy can assist your organization in implementing the IA9100 series standards.  We can also work with you in upgrading your current QMS to the upgraded revisions.  Our Exemplar Global Lead Auditor Consultants can also help you with integrating multiple management systems.  CVG Strategy has prepared, trained and implemented management systems for manufacturing companies in many business sectors.

Our process-based quality strategy helps clients new to Quality Management Systems quickly set up a custom system. CVG Strategy Quality Experts have experience with ISO 9001:2015, IA9100, ISO 13485, ISO 27001, and Association of American Railroads (AAR) M-1003.

CVG Strategy is a consultancy providing coaching, mentoring, training and program development. Our focus includes Business Process Improvement, Export Compliance, Cyber Security, and Product Test and Evaluation.

Technology in QMS – Trends and Concerns

Technology in QMS
Photo by Pavel Danilyuk

The growing use of technology in QMS provides many advantages but also raises critical concerns. This growth is occurring as a result of technological advancements and changes in the global manufacturing marketplace. While these developments have the potential for increasing customer satisfaction and continuous improvement of business processes, they also present added complexity to decision making and cybersecurity.

Industry 4.0, a term used to describe modern manufacturing, has introduced enhanced advancements in automation, Artificial Intelligence (AI), and the Internet of Things (IoT).  These technologies enable real-time data analysis, predictive maintenance, and smarter production processes.  Robotics have also become an essential part of today’s manufacturing floor.  Robotic process automation can be used in dangerous or monotonous production processes to improve safety, efficiency and product quality.  

Data Based Decision-Making

An abundance of data allows for nearly instant decision-making when using advanced analytics and AI. This can lead to identifying issues in processes before they become problems, reducing defects and nonconformities. IoT devices allow for increased interconnectedness and monitoring, allowing for rapid responses. These advantages can extend beyond the manufacturing floor to insights into supply chain optimization that reduce supply chain disruptions while maintaining quality of raw materials.

Potential Quality Issues

The implementation of technology in QMS processes can change the scope of the overall program. If this change in scope is not effectively documented and relevant revisions are not made to process procedures, the QMS can be out of step. This can create a disconnect at management levels where resourcing decisions are critical. Additionally, a large amount of data, while useful for tactical decision making, can obscure the strategic vision that is critical for an organization’s long-term success.

Cybersecurity Concerns

Internet of Things and cloud-based technology in QMS create risk profiles that should be carefully evaluated before implementation. The number of devices required can create an overwhelming task for already overburdened IT staff. Cyber attacks on IoT devices are on the rise. One in three data breaches occur on an IoT device and 60% of those breaches occur due to outdated software.

Manufacturing companies are increasingly targeted by cyber attacks, particularly ransomware, due to their reliance on interconnected systems and valuable data. These attacks can lead to significant financial losses, operational disruptions, and theft of intellectual property.  

Upper Management Commitment

As with any management system, upper management commitment is the key to success. The modern C-Suite must measure and weigh a number of risk factors. Too much focus on QMS processes can open the door to cyber vulnerabilities. Too much emphasis on cybersecurity protocols can result in a loss of availability of data critical to business processes. All major decisions must be weighed and considered with the long view in mind.

CVG Strategy Consultants

Quality Management

CVG Strategy quality consultancy team can help your organization implement an integrated business management system effectively and painlessly.  Our consulting services will guide you through all phases of QMS, from assessment and development to the certification process. 

CVG Strategy also provides the inclusion of statutory requirements for export compliance into your program.  Ask our experts how we can provide this feature into your quality management system.  Additionally, CVG Strategy can provide you with Quality Management training courses that will empower your team to achieve in a QMS environment.

CVG Strategy has experience in a large number of quality management systems standards. In addition to ISO 13485:2016, our Global Exemplar Lead Auditors can assist you in designing and implementing a QMS to the following standards:

  • AS9100
  • ISO 27001
  • BS EN 13485:2016
  • FDA Title 21 Part 820
  • EN ISO 14971:2019

CVG Strategy can provide a QMS that incorporates multiple quality standards. This includes incorporating management strategies for ensuring compliance to industry regulations such as EU Directive 98/79EC for medical devices.

CVG Strategy Export Compliance Solutions

While many export compliance providers offer programs geared toward compliance with a single set of regulations, CVG Strategy offers a harmonized program that will ensure that your company is compliant to ITAR, EAR and international regulations.  Furthermore we consolidate this program in a collection of documents that can be integrated into a quality management system. 

Cyber Security Consulting

CVG consultants have over a decade of experience with ISMS, Quality Management Systems (QMS) and Export Compliance.  We understand that each business has a unique set of requirements that demand tailored solutions. 

Cybersecurity Trends for 2025 – Significant Challenges

Cybersecurity Trends for 2025
Photo by Pixabay

Cybersecurity trends for 2025 show multiple areas of concern in a time of growing risks. A Cybersecurity Assessment Report from Bitdefender reveals findings from 1,200 cyber professionals that define key areas for improvement. These areas include reduction of attack surfaces, complexity of disparate tools, C-suite perceptions, and cyber professional burnout.

Reporting Incidents

In the United States, various regulations mandate the reporting of cyber incidents for certain sectors and types of organizations. These sectors include publicly traded companies, various entities in the financial sector, critical infrastructure, and contractors for the Department of War. Many CISOs and CIOs, however, are receiving pressure to remain silent for fear of loss of reputation or regulatory impacts of noncompliance.

Burn Out and Lack of Qualified Personnel

An increasing number of cyber professionals are experiencing burnout due to the constant pressures of the tasks at hand. Endless triage, response to threats at all hours, and incessant monitoring are leading to errors, lower vigilance, and position turnovers. In many cases this turnover results in organizations failing to meet cyber program initiatives.

The lack of qualified cybersecurity professionals is a significant issue, with a talent gap of approximately 225,200 skilled workers in the U.S. alone, driven by rapid technological advancements and a mismatch between industry needs and educational outcomes. This shortage affects businesses of all sizes, making it challenging to maintain effective security measures against increasing cyber threats.

Complexity of Cybersecurity Tools and Methods

The vast array of tools designed to protect critical data from threat actors has created gaps and overlaps in data protection.  In many cases this can lead to false detections causing alert fatigue. In addition, the complexity of an increasing number of cybersecurity standards has created confusion with regards to scope of programs.  This is particularly the case when standards provide vague definitions as to what information must receive maximum protections.

Many cyber teams are moving towards a proactive defense to reduce the threat landscape. This involves eliminating unused applications and administrator accounts, which can reduce access for threat actors that are using Living Off the Land (LOTL) strategies to gain entry. LOTL depends on accessing existing utilities to avoid detection on networks.

C-Suite Disconnect

A large number of participants cited that upper management had unrealistically high confidence in the ability of their organization’s cybersecurity capabilities.  It is essential that management be informed through regular updates and assessments of cybersecurity risks and organizational cyber capabilities. This allows for adequate resourcing, informed risk mitigation, and appropriate program improvements.

CVG Strategy CMMC Consultants

Cybersecurity trends for 2025 reveal that many small businesses are facing challenges meeting CMMC requirements because of limited budgets, a lack of qualified personnel, and the complexity of NIST standards.  CVGS can provide guidance and help your organization understand and implement CMMC.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

DFARS Implementing CMMC Finalized by DoD

DFAR Implementing CMMC
Image by DC Studio on Freepik

The Defense Federal Acquisition Regulation Supplement (DFARS) implementing the Cybersecurity Maturity Model Certification (CMMC) program has been finalized.  This rule, available on the Federal Register, will become effective November 10, 2025. This action by the Department of Defense (DoD) (now the Department of War) will make CMMC compliance a contractual requirement on all solicitations and contracts.

DFARS 252.204-7021 is a regulation that outlines the Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contracts. It mandates that defense contractors maintain a specific CMMC level to ensure compliance with cybersecurity requirements.  The CMMC was implemented to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  A class deviation had been issued to postpone the CMMC compliance requirement being issued by contracting officers on DoD contracts.  

Department CIO Sets Expectations

The Department of War’s chief information officer stated that the expectation was that defense contractors put U.S. national security at a high priority. The CMMC has been created and modified to provide the defense industrial base with a consistent methodology for cybersecurity requirements. The CMMC program has faced numerous delays due to the complex rulemaking process and a phased implementation approach. Many have argued that it imposes significant compliance costs that place unrealistic burdens on small businesses.

CMMC Implementation Timelines

CMMC assessments are conducted by a Certified Third-Party Assessment Organization (C3PAO) based on DoD contracting requirements. These requirements for CMMC programs fall under three levels:

  • Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
  • Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
  • Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.

The CMMC is being rolled out in phases to enhance cybersecurity among defense contractors. Starting November 10th, requirements will be added to new contracts, RFPs, and RFIs for CMMC Level 1. By October 31, 2026, Phase 2 will require Level 2 contractors to be compliant. Phase 3 is slated to begin 24 months after the initial rollout. Full implementation is expected 36 months after the commencement of Phase 1.

CVG Strategy CMMC Consultants

After significant delays, the DFARS Implementing CMMC requirements for DoD contractors and subcontractors is here.  Many small businesses face challenges meeting CMMC requirements because of limited budgets and lack of qualified personnel.  CVGS can provide guidance and help your organization understand and implement CMMC.

Export Regulations Effectiveness – An Assessment

Export Regulations Effectiveness
Photo by Albin Berlin

The effectiveness of export regulations in protecting U.S. national security and promoting foreign policy objectives has become a growing concern given the pace of regulatory changes. Recently, the Foundation for Defense of Democracies and the Center for Strategic and International Studies have published reviews of their findings on the issue.

U.S. Semiconductor Controls

Central to this assessment are controls put in place by the Department of Commerce to limit access of semiconductor manufacturing equipment and components with Artificial Intelligence (AI) capabilities to Chinese companies. While some would argue that export controls on the semiconductor industry cut into U.S. corporate profits, it can also be argued that long-term protection of technological leadership and national security issues are far more crucial.

Cutting-edge AI chips that are subject to export control are still available to international partners. This holds true for other emerging technologies such as biotechnology and high-bandwidth memory components. Restricting these technologies from adversaries, most especially China, slows their ability to replicate or militarize them. While some might contend that this will lead to China developing its own technological base, the fact remains that China is still the largest importer of semiconductors despite a sustained effort to develop a competitive technological base.

The Future of Export Controls

Effective export regulations are essential in protecting national security and promoting foreign policy objectives, but their success often depends on proper enforcement and the specific context in which they are applied. It is crucial that the Departments of State and Commerce clearly target strategic emerging technologies that affect national security. These efforts should be conducted in concert with international partners and allies to achieve best results.

It is also essential that U.S. producers of technology realize the long term consequences of sales to foreign competitors.  While short term gains may be achieved, the loss of technological leadership will lead to large scale loss of marketplace as products are copied and sold elsewhere.

Many in the export compliance industry have expressed a concern about using export controls as a bargaining tool. The concern, as Navin Girishankar and Matt Borman point out in their CSIS publication, is that export controls should remain a tool that is principled in nature rather than a transactional bargaining tool.

National Security Issues

In recent years, the U.S. has expanded its export controls, particularly against Russia and China. This has included enhanced restrictions on technology exports to Russia following its invasion of Ukraine and regulations targeting Chinese capabilities in artificial intelligence and semiconductors. These efforts have faced enforcement challenges such as increased global smuggling and evasion networks and underinvestment in enforcement technologies to monitor and control exports effectively.

Though not prominently featured in mass media, the United States and its partners and allies face critical security issues. Export controls are an essential tool for maintaining national security. They must be prioritized in their use to prevent the proliferation of weapons of mass destruction, restrict access to advanced technologies by adversaries, and protect sensitive information and technologies from being exploited by hostile nations.

The Challenges Ahead for Businesses Involved in Export

U.S. businesses face increasing challenges from export regulations due to rising geopolitical tensions and complex compliance requirements. These events can disrupt market strategies and supply chains. As a result, businesses must navigate an ever-changing landscape of restrictions that can affect their ability to compete globally and manage costs effectively.

CVG Strategy Export Compliance Management Programs

Organizations involved with export must adhere to regulations regardless of how effective those regulations are. Remaining informed and having an effective export compliance program is essential for avoiding criminal and civil penalties.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied party screening, and security measures are in place to prevent violations. They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand revisions to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

DoD Class Deviation Postpones CMMC

DoD class deviation
Image by DC Studio on Freepik

A Department of Defense (DoD) class deviation has postponed the CMMC compliance requirement originally set for October 1, 2025. This requirement, effective as of September 3, 2025, notifies contracting officers that they are not to use the DFARS 252.204-7021 contract clause in new solicitations and contracts.  This class deviation will remain in effect until the date of the final rule for DFARS Case 2019-D041 or until rescinded. 

What is DFARS 252.204-7021

DFARS 252.204-7021 is a regulation that outlines the Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contractors. It mandates that contractors maintain a specific CMMC level to ensure compliance with cybersecurity standards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Background on CMMC

CMMC establishes a tiered framework of cybersecurity standards based on NIST SP 800-171 controls.  Final release of the program has repeatedly been delayed as new interim requirements and versions of the requirements have been released.  Despite the fact that a final release is still pending, the DoD has repeatedly encouraged the Defense Industrial Base (DIB) and associated supply chain organizations to move ahead with their programs.

CMMC assessments are conducted by a Certified Third-Party Assessment Organization (C3PAO) based on DoD contracting requirements. These requirements for CMMC programs fall under three levels:

  • Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
  • Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
  • Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.

The CMMC program has faced numerous delays due to the complex rulemaking process and a phased implementation approach. Many have argued that it imposes significant compliance costs that place unrealistic burdens on small businesses. Additionally, there are insufficient assessors available for organizations attempting to get CMMC certification.

CVG Strategy Information Security Management System Consultants

The DoD class deviation will delay the CMMC final rule but will, in all likelihood, not remove the requirement for DoD contractors and subcontractors.   Many small businesses face challenges meeting CMMC requirements due to limited budgets and lack of qualified personnel.  CVGS can provide guidance and help your organization understand and implement CMMC.

AUKUS Nuclear Submarine Under Pentagon Review

AUKUS Nuclear Submarine
Photo by: Senior Chief Petty Officer Leah Stiles

The AUKUS nuclear submarine program is under a Pentagon review to assess whether the agreement will leave the U.S. Navy with sufficient submarine fleet assets to address its national security requirements. There have been concerns that the current agreement would leave the United States with a shortage of Virginia-class boats due to challenges in constructing and maintaining the vessels. As a result, the Australian Submarine Agency will now be required to upgrade its Collins-class submarines.

U.S. and U.K. Submarine Industrial Bases

The U.S. Navy currently aims to produce three submarines annually by 2028, including one Columbia-class and two Virginia-class submarines.  It is facing delays in these programs, with production rates hovering around 1.1 to 1.2 boats per year. Congress has allocated billions to support submarine production, emphasizing the need to meet both domestic and allied demands.

The U.K. also faces significant challenges, including delays in production and a diminished workforce with the necessary skills.  Addressing these issues will require strategic investments, workforce development, and improved management of supply chains to ensure the UK can meet its submarine production goals effectively.

AUKUS Background

The AUKUS agreement is a trilateral security partnership between Australia, the United Kingdom, and the United States that was initiated in 2021. Its initial priority was to facilitate the Royal Australian Navy’s acquisition of U.S.-made Virginia-class submarines. This action was taken in response to the threat posed by China’s presence in the Indo-Pacific region over the past decade.

The partnership is also developing a new class of nuclear-powered submarines known as the SSN-AUKUS submarines, with the UK planning to build up to 12 submarines and Australia planning to build five. These attack submarines are expected to enter service in the late 2030s for the UK and early 2040s for Australia, replacing their current submarine classes.

AUKUS and US Export Regulation

The strategic partnership has also involved information sharing, counter-hypersonic technologies, cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities. AUKUS defense trade rule changes were implemented in 2024 to ease International Traffic in Arms Regulations (ITAR) export policies on these military articles and technologies.

The Bureau of Industry and Security (BIS), which administers the Export Administration Regulations (EAR), published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers for most items between the three countries.

Repercussions for AUKUS

While defense trade aspects of the arrangement are likely to remain in place, the viability of the submarine program remains in doubt. In an appearance before the Senate Armed Services Committee, Adm. Daryl Caudle stated that the U.S. industrial base must grow to a capability of building 2.33 attack submarines per year, while maintaining output of Columbia-class nuclear ballistic missile submarines, in order to keep supplying Australia with submarines.

Caudle endorsed working with international partners for maintenance and repair requirements for U.S. ships. He also stressed minimizing attrition at shipyards to address what amounts to a desired doubling of shipbuilding capabilities.

CVG Strategy Export Compliance Management Programs

The AUKUS Nuclear Submarine program review illustrates the ever-changing risks and opportunities for organizations involved in the export of ITAR-regulated products. Remaining informed and having an effective export compliance program is essential for maintaining a competitive edge.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied party screening, and security measures are in place to prevent violations. They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand revisions to ITAR and EAR, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Microsoft Used Chinese Engineers for DoD Work

Microsoft Using Chinese Engineers
Photo by Angel Bena

Microsoft has been using Chinese engineers to assist with the maintenance of the Department of Defense’s (DoD) cloud systems, supervised by U.S. personnel known as “digital escorts.”  This arrangement, which dates back decades, involved using U.S. citizen Microsoft employees with security clearances to oversee work being done on highly sensitive databases.  In many cases these escorts lacked sufficient technical knowledge to provide required protections of national security.

Secretary of Defense Terminates Practice

Secretary of Defense Pete Hegseth stated that the cloud service program put the DoD at unacceptable risk. Hegseth has terminated this activity after conducting a review of the program. A letter of concern has been sent to Microsoft about this practice and a third-party audit will be conducted. This audit will not be conducted using federal funding.

A separate review will be conducted by the DoD of the digital escort system and the Chinese nationals involved in the program to determine the potential impacts to national security and determine if malicious code had been introduced.

Secretary Hegseth went on to announce that all software vendors contracted by the DoD will terminate the use of Chinese nationals and put United States security interests ahead of profit maximization. He stated that this action is a common-sense approach to a situation that should never have been allowed to occur.

Impact Level 4 and 5 Data at Risk

ProPublica reported that Level 4 and 5 data that falls under the classified data category was at risk. This data, if breached, could result in severe or catastrophic effects on operations, individuals, and assets. In the article, former Chief Information Officer under the Biden administration, John Sherman, stated that he should have known about this and that the situation warranted a thorough review by all stakeholders.

The Defense Information Systems Agency (DISA) commented that cloud service providers are required to establish and maintain protocols for vetting personnel. Various people involved in the program at Microsoft had expressed concerns about inherent risks.

Federal Government and Industry Leaders Must Set Example

It is important, in a time when so many businesses are scrambling to meet federal requirements for cybersecurity, that government set an example by exercising basic risk prevention measures with its own data. Additionally, industry leaders such as Microsoft, which is a major provider of FedRAMP storage, should be leading the way in safe cyber practices.

Hopefully, this blatant disregard for security protocols will result in improvements in cybersecurity practices and bring about increased transparency requirements for contractors and subcontractors.  These requirements already are present in export regulations under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).

It is common knowledge that China remains a top information security threat to the United States and its allies.  That Microsoft used Chinese engineers on DoD systems is an egregious affront to international security.  

CVG Strategy Information Security Management System Consultants

CVG Strategy can help your organization meet the challenges of the CMMC final rule. We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Revisions to ITAR and USML for 2025

Revisions to ITAR
Photo by Marine Corps Lance Cpl. Benjamin Catindig

Revisions to the International Traffic in Arms Regulations (ITAR) and the United States Munitions List (USML) have been released to streamline compliance and enhance national security while facilitating trade with United States allies.  The Department of State Directorate of Defense Trade Controls (DDTC) has released these changes to clarify the ITAR and remove defense articles from the USML that no longer warrant inclusion. 

The DDTC has also added items to the USML to reflect advancements in technology and changes in defense needs. These changes will be in effect as of September 15, 2025.

Items Moved from ITAR to EAR Jurisdiction 

The Department of State has removed items from the USML that no longer warrant inclusion. These items will likely be picked up by the Bureau of Industry and Security (BIS). Organizations conducting license applications for items transitioning from the USML to the Commerce Control List (CCL) should refer to General Order No. 5 in supplement no. 1 to part 736 of the EAR. Parties currently holding licenses, agreements or approvals from the DDTC for transitioning items will not be affected by this change for a period of three years.

Revisions to the ITAR USML Categories

The following are highlights of changes to the USML. The latest revision of the USML should be consulted for classifications and licensing concerns.

USML Category III – Ammunition and Ordnance

Under provisions for enhanced projectile tips, the USML now excludes steel or tungsten shotgun pellets with diameters less than or equal to 0.230 inches. This exclusion pertains to lead-free bird shot, which does not have a specific military function.

USML Category IV – Launch Vehicles, Guided Missiles, Rockets, Torpedoes, Bombs, and Mines

The USML now includes new license exemptions for large Unmanned Underwater Vehicles (UUVs) having military, scientific, and commercial applications. The USML will now authorize temporary exports, reexports, and temporary imports of UUVs having a weight of up to 8,000 pounds.

USML Category V – Explosives and Energetic Materials, Propellants, Incendiary Agents and their Constituents 

Various pyrotechnics, binders, additives, and chemical precursors were added to this category of the USML. The Department notes that CAS numbers indicated on the USML may not cover all substances and mixtures described in the associated USML entries.

USML Category VII – Ground Vehicles

Changes were made to define ITAR controlled vehicles as any vehicle meeting control parameters regardless of surface of operation, vehicle control type, or mode of locomotion.

USML Category VIII – Aircraft and Related Articles

The definition for AESA fire control radar on foreign advanced aircraft was revised to avoid the inadvertent inclusion of minor parts and components. The recently announced F-47, the Air Force’s Next Generation Platform, was also added to the aircraft list in paragraph (h)(1). Additionally, descriptions for “specially designed” for foreign advanced military aircraft were expanded.

USML Category XI – Military Electronics

The description of counter-jamming equipment in USML Category XI(a)(4)(iii) now excludes GNSS anti-jam and GNSS anti-spoofing systems.  The standard addresses Controlled Reception Pattern Antennas (CRPAs) that are applicable in military and critical applications where accurate positioning is essential.

USML Category XIX – Gas Turbine Engines and Associated Parts

AGT1500, CTS800, GE38, GE3000, HPW3000, MT7, T55, T408, or T700 engines are now licensed by the Department of Commerce when the intended use is for aircraft controlled under ECCN 9A610, but are to be controlled under the ITAR in all other circumstances. Various other engine types were added to the USML.

USML Category XX – Submersible Vessels and Related Articles

A new exemption will be available for the temporary export, reexport, and temporary import of UUVs described in USML Category XX(a)(10) under 8,000 pounds.  This includes provisions for defense services for those UUVs, when used for civil purposes. 

USML Category XXI – Articles, Technical Data, and Defense Services not Otherwise Enumerated

A note was added stating that the Director, Office of Defense Trade Control Policy reserves the right to designate catch-alls, exclusions, or designations of Significant Military Equipment (SME) for articles under this category.

CVG Strategy Export Compliance Management Programs

Revisions to the ITAR reflect a proactive approach to adapting to technological advancements and international security dynamics. ITAR developments are continuing to add complexity for businesses engaged in sales of items that are intended for international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and debarment from export activities.

NIST AI Control Overlays Concept Paper

NIST AI Control Overlays
Photo by Google DeepMind

The National Institute of Standards and Technology (NIST) is developing control overlays for securing Artificial Intelligence (AI) systems to help organizations manage cybersecurity risks associated with various AI use cases, including generative AI and predictive AI.

The NIST AI control overlays are part of a Cyber AI Profile that is being developed to guide organizations in managing cybersecurity risks associated with artificial intelligence.  This profile also includes the NIST AI Risk Management Framework (AI RMF) which provides structured guidance throughout the AI lifecycle, from development to deployment and decommissioning.

Proposed AI Use Cases

The overlays are being developed in a structured approach to address security risks associated with specific use cases. The study has proposed five use cases in this initial release.

Adapting and Using Generative AI – Assistant/Large Language Model (LLM)

This case represents organizations utilizing AI for content generation. In this case, content is created based on user prompts and pattern recognition involving large datasets. The outputs could include summaries and analysis of data using an on-premises or third-party LLM.

Using and Fine-Tuning Predictive AI

Predictive AI can be used to analyze historical data to predict future outcomes.  Applications for this case could include recommendation services, resume reviews, and credit underwriting.  When utilizing these workflow automations, model training, deployment, and maintenance risks should be addressed.  

Using AI Agent Systems (AI Agents) – Single Agent

Single-agent AI systems utilize one intelligent agent to perform tasks or make decisions independently. They can be used for focused analysis of datasets such as managing customer service inquiries or in the performance of repetitive tasks that do not require collaboration or complex decision-making.  Other applications include providing contextual insights or coding assistance.

Using AI Agent Systems (AI Agents) – Multi-Agent

Multi-Agent systems are composed of multiple intelligent agents that interact and collaborate to achieve specific goals. Each agent operates autonomously but works together with others to solve complex problems that a single agent might struggle with.  Typical applications could include expense reimbursement or optimizing production processes.

Security Controls for AI Developers

It is essential that AI developers implement security controls that mitigate risk through secure coding practices and regular risk assessments. This includes best practices outlined in NIST SP 800-218 Secure Software Development Framework. SP 800-218 stresses core practices for software development and deployment of secure code.

SP 800-53 Security and Privacy Controls

NIST is proposing using SP 800-53 controls for AI security controls. This standard provides a comprehensive catalog of security and privacy controls for information systems. Initially designed for U.S. federal agencies, it has since been adapted for broader use across various sectors. NIST cites this organizational familiarity as justification for adoption of this standard for secure AI.

Addressing Information Security Concerns

AI is transforming the business landscape by enhancing efficiency, productivity, and decision-making. However, the use of AI raises concerns about the security and ethical handling of sensitive data. AI systems often connect with various data sources, APIs, and devices, creating more opportunities for cybercriminals to exploit vulnerabilities. Additionally, AI can circumvent established security measures, making it harder to enforce policies.

AI adds a new dimension to the already growing demands of cybersecurity responsibilities on small to medium businesses, but given the rapid rate of adoption in most sectors, security concerns must be addressed. This can be a challenge given the complexity of requirements and the limited supply of personnel qualified to address these tasks.

BIS License Delays Raising Concerns

bis license delays
Photo by Anna Lowe

The Bureau of Industry and Security (BIS) has recently paused the processing of new export license applications, leading to significant delays. This pause, which affects applications submitted after February 5, 2025, has raised concerns about the impact on business.  The pause is part of an internal review of licensing policies initiated by Undersecretary Jeffrey Kessler and other officials. 

No formal announcement has been made regarding the expected duration of this pause, leaving the industry without clear standards for processing applications.  Industry officials express concern that these delays could negatively impact American companies and their ability to operate effectively.

Under Secretary of Commerce Jeffrey Kessler

Jeffrey Kessler was appointed Under Secretary of Commerce for Industry and Security under President Donald Trump. His focus to this point has been on reforming the Bureau of Industry and Security (BIS) to enhance United States national security, particularly regarding advanced American technologies and export controls related to China. He has also faced scrutiny over budget requests and the effectiveness of existing regulations like the AI Diffusion Rule.

Kessler has defended the Bureau of Industry and Security’s (BIS) budget request, which seeks a 50% increase. He plans to hire nearly 200 additional Export Enforcement Special Agents and expand the number of Export Control Officers stationed overseas.

Kessler’s actions have been driven in part by criticism of the BIS for failures in safeguarding national security and preventing adversaries from accessing critical defense goods and technologies. This includes a lack of transparency in license approval rationale in cases where sensitive technologies have been sold to China despite a publicly stated presumption of denial policy.  

An Uncertain Road Ahead

BIS license delays are a subject of concern and apprehension for US businesses involved in export transactions. There have been notable reductions in public statements from the agency since the beginning of the Trump administration. Prior to Kessler’s leadership, license applications took, on average, 28 days for approval.

Other concerns have been voiced over Kessler’s micromanagement approach delaying drafted changes to the Export Administration Regulations (EAR) and the appointment of necessary personnel within the bureau. The Bureau of Industry and Security (BIS) has faced several challenges and shortcomings. These have included enforcement activities being hampered by outdated technologies and insufficient resources, underinvestment in technology, lack of proactive initiatives, and limited coordination with the Directorate of Defense Trade Controls (DDTC).

While it is important that the BIS no longer “rubber stamp” license approvals, frustration among exporters could be eased by increased communications. Many license approvals to allied countries are occurring and, according to Reuters, communication with some companies is being maintained.

CVG Strategy Export Compliance Expertise

The DDTC, the BIS, and the OFAC, along with international partners have greatly increased their activities in the generation and enforcement of regulations.  This increases the likelihood of a non-egregious violation occurring even in a company with a well-run export compliance program.  CVG Strategy can assist organizations through the Voluntary Self Disclosure process and guide you through these difficult procedures.  

If you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements. As the BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.

CVG Strategy, LLC is recognized the world over as the premier provider of Export Compliance Consulting and Export Compliance Programs for businesses involved in export in the U.S. and Canada. We also provide the essential training that ensures that your team is up to date on governmental regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), the Canadian Controlled Goods Program, and the regulations of the Office of Foreign Assets Control (OFAC) and other regulatory agencies.

Export Control Transparency Act Calls for Oversight

export control transparency act
Photo by Ramaz Bluashvili

The US Senate has approved the Export Control Transparency Act in an effort to enhance oversight of the Bureau of Industry and Security’s (BIS) dual-use export controls. This Act will require the BIS to submit quarterly reports to Congress detailing export licensing requests. This reporting would include aggregate statistics on all license applications and other requests for authorization. The Act would also require the BIS to provide information on enforcement activities and end-use checks.

Criticism has been leveled against the BIS for failures in safeguarding national security and preventing adversaries from accessing critical defense goods and technologies.  This includes a lack of transparency in license approval rationale in cases where sensitive technologies have been sold to China despite a publicly stated presumption of denial policy.

Challenges Facing the Bureau of Industry and Security (BIS) 

This legislation is part of an ongoing effort to address the Bureau’s challenges in developing effective regulatory export controls for sensitive technologies. The Bureau of Industry and Security (BIS) has faced several challenges and shortcomings in its previous actions regarding export controls. These have included enforcement activities being hampered by outdated technologies and insufficient resources, underinvestment in technology, lack of proactive initiatives, and limited coordination with the Directorate of Defense Trade Controls (DDTC).

Conclusions

The Export Control Transparency Act seeks to amend the Export Control Reform Act of 2018 with the aim of maintaining American superiority in technology and protecting United States national security. Hopefully this will result in regulatory requirements that effectively target specific threats without placing unnecessary restrictions on legitimate exports. Additionally, congressional oversight could result in license approvals that are consistent with the agency’s regulations.

BIS Is Considering a 50% Rule for Listed Entities

BIS is considering 50%
Photo by Pixabay

The Bureau of Industry and Security (BIS) is considering a 50% rule to address loopholes that are being used by subsidiaries of parent organizations on the BIS entity list. The proposed regulation would be similar to current regulations enacted by the Office of Foreign Assets Control (OFAC). This action would impose licensing requirements across corporate structures, extending them to parent companies and sister companies.

Restricting Exports of Advanced Technologies to China

The United States has implemented strict export controls to limit China’s access to advanced technology, particularly in the semiconductor and artificial intelligence (AI) sectors. These measures aim to protect national security and maintain U.S. technological leadership. China has implemented several strategies, including having Chinese entities create subsidiaries to circumvent export controls. Currently BIS sanctions do not apply to distinct legal entities such as separate subsidiaries.

Implications of the Proposed Rule

The draft regulation is a needed enforcement action to prevent evasion of export controls. It will, however, require increased due diligence from organizations involved in the export of regulated items and technologies to avoid unintended violation of export regulations. Increased scrutiny will be required in the screening of potential customers to ensure that they are not associated with listed entities. Many in export compliance agree that the BIS may release an enhanced version of the BIS Entity List.

Denied Parties Screening

The U.S. Government maintains multiple screening lists of sanctioned entities and individuals that are updated on a regular basis. These updates should be checked against an organization’s current database of customers, suppliers, employees (to include consultants and contractors), and visitors, to determine if any new matches may exist. Records of these screenings should be maintained for a minimum of five years.

Performing effective screening programs can be a challenge for smaller organizations.  Many opt to rely on the Consolidated Screening List which is maintained by the United States Government.  While this provides basic tools for screening, it is not easily implemented into business systems and databases. 

CVG Strategy recommends that  Restricted Party Screening tools supplied by private vendors be used.  These tools can perform automatic rescreenings and provide alerts for any change in previously screened entities’ status.

Conclusions

Businesses will need to develop plans to react to the potential for increased risk while the BIS is considering this 50% rule.  This may include review and amendment of the organization’s export policies and procedures and a review of required resources to address the complexities involved with enhanced denied party screening.  

In the last decade, enforcement authorities’ actions in sanctions cases have resulted in billions of dollars in civil and criminal penalties. This is because many businesses are lax in ensuring that the parties with which they engage in transactions are not on denied parties lists.

Self Disclosure and Cooperation Leads to Non-Prosecution

Self Disclosure and Cooperation
Photo by Pavel Danilyuk

Self disclosure and cooperation in the investigation of export regulation violations by an entity’s acquiror has led to a waiver of prosecution against the acquiring company (White Deer Management LLC).  The Department of Justice’s National Security Division and the Southern District of Texas’s United States Attorney’s Office have also decided to decline prosecution of the acquired company Unicat Catalyst Technologies LLC. 

Federal agencies have instead opted to pursue criminal prosecution of Unicat’s former CEO and co-founder, Mani Erfan. Erfan has pled guilty to conspiring to violate sanctions, concealment, and money laundering. According to Department of Justice (DOJ) records, Erfan sold controlled catalysts used in petroleum refining and steel production to entities in Cuba, Syria, Venezuela, and Iran in violation of US sanctions.

US Export Sanctions

U.S. export sanctions are legal restrictions imposed by the government to control the export of goods, services, and technology to certain countries or entities, primarily for national security and foreign policy reasons. These sanctions can prohibit all transactions or target specific items and require exporters to obtain licenses for compliance.  Targeted areas for sanctions include bans on the export of arms and controls over items classified as dual use.   

The International Traffic in Arms Regulations (ITAR) list prohibited and denied countries in Section 126.1 of the regulations. The Bureau of Industry and Security (BIS) maintains a list of embargoed countries under Supplement 1 Part 740 of the Export Administration Regulations (EAR). The BIS also maintains lists for Military End Use (MEU) items, a General Embargoed Countries List, and a list of countries sanctioned in conjunction with UN embargoes.

Mergers, Acquisitions, and Export Compliance

Export compliance assessment is crucial during mergers and acquisitions (M&A) to avoid inheriting liabilities from the acquired company, such as violations of export regulations. It is essential, therefore, that acquirers conduct thorough audits of entities they intend to purchase before finalizing agreements. Failure to detect previous violations can result in penalties, increased scrutiny from regulatory agencies, loss of business reputation, and restriction from future exports. If irregularities are suspected, self-disclosure and cooperation with appropriate agencies should take place.

Voluntary Self-Disclosure

A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of export regulations of the United States have occurred. Voluntary self-disclosure to the Bureau of Industry and Security (BIS) is encouraged for parties who believe they may have violated export control regulations. Submitting a VSD in good faith can be a mitigating factor in determining administrative sanctions.  These actions should include full cooperation and remediation with all applicable agencies.

Federal enforcement agencies treat the absence of self-disclosure and cooperation as an aggravating circumstance when considering criminal and civil prosecution. Examples of a failure of complete disclosure include not voluntarily self-disclosing misconduct of employees, suppliers, and members of the leadership, and withholding relevant documents.

CVG Strategy Export Compliance Expertise

The DDTC, the BIS, and the OFAC, along with international partners have greatly increased their activities in the generation and enforcement of regulations.  This increases the likelihood of a non-egregious violation occurring even in a company with an effective compliance program.  CVG Strategy can assist organizations through the Voluntary Self Disclosure process and guide you through these difficult procedures.  


DoD Acquisition Nominee and CMMC

DoD Acquisition Nominee
Photo by freepik

DoD Acquisition nominee Michael Duffey plans to review Cybersecurity Maturity Model Certification (CMMC) implementation in an effort to balance the need for security against excessive regulation. Duffey also recognized the need for affordability so that the Defense Industrial Base (DIB) can maintain cybersecurity best practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Duffey said that he also plans to review accreditation procedures and actively explore the feasibility of current and potential methodologies for assessing compliance with Department of Defense (DoD) cybersecurity requirements.

Michael Duffey is President Donald Trump’s nominee for Under Secretary of Defense for Acquisition and Sustainment. He is an American journalist and author, known for his work as an opinions editor at large for the Washington Post and as a former Pentagon correspondent for Time magazine. He has also co-authored notable books, including “The Presidents Club: Inside the World’s Most Exclusive Fraternity.”

SCIFs for Small and Medium Sized Businesses

Small and medium-sized businesses face resource constraints in achieving secure facilities. To address this, Duffey has suggested providing access to shared Sensitive Compartmented Information Facilities (SCIF) to ensure equitable access to classified information. A SCIF is a secure area used to process and discuss classified information, designed to prevent unauthorized access and eavesdropping. These facilities can be permanent or temporary and are often used by government and military personnel.

Expectations for CMMC in the Near Future

Deregulatory efforts currently underway are not expected to derail CMMC implementation. There are, however, still points of contention regarding financial burdens for small and medium-sized businesses. Additionally, there are concerns about inadequate numbers of C3PAO auditors to perform certification.

Most importantly, organizations are not ready for CMMC. DIB members, both large and small, cite costs, a lack of technical expertise, and confusing information from the DoD as challenges for Cybersecurity Maturity Model Certification (CMMC) compliance.

Adversaries in the Defense Supply Chain

Duffey promoted a “whole of nation” approach to incentivizing onshore supply chains and expanding domestic manufacturing to counter reliance on China and other adversaries.  This would involve the implementation of export controls strategically through both the Department of Defense and the Department of Commerce.  

Actions would also be taken to address adversarial capital in the Defense Industrial Base, which threatens to compromise supply chains and endanger sensitive technologies and, ultimately, national security. Duffey cited the use of existing tools to counter these threats, such as the Committee on Foreign Investment in the United States, Team Telecom, and further export controls.

CVG Strategy Information Security Management System Consultants

The DoD Acquisition Nominee’s confirmation hearing comments on CMMC underline the importance of developing effective cybersecurity programs. CVG Strategy can help your organization meet the challenges of the CMMC final rule.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.
