Global Challenges for Cybersecurity Resilience


Global challenges for cybersecurity resilience were outlined in a recent report from the World Economic Forum.  The report, Global Cybersecurity Outlook 2024, analyzes the state of inequity in achieving cyber security, the impacts of geopolitics on the cyber risk landscape, the effects of emerging technologies such as Artificial Intelligence (AI), and the shortage of qualified people to address these security challenges.

Cyber Inequity on the Rise

The report stresses that there is a growing divide between organizations that have developed mature systems for protecting sensitive data and those struggling to develop effective defenses against cyber threats.  Small and medium enterprises (SMEs) are among those most affected by this disparity, especially those located in underdeveloped economies.

Aside from having less than adequate cyber resilience, only 25% of SMEs carry cyber insurance as compared with 85% for organizations with 100,000 or more employees.  This should cause alarm given the number of data breaches occurring and the fact that many SMEs fail to recover from these cyber attacks.

Geopolitical Influences and the Threat Environment

Numerous nations are involved in nefarious activities aimed at global supply chains and critical infrastructure.  This is causing CISOs to adapt their cybersecurity postures and strategies.  Geopolitically motivated actors are also targeting societal and political entities with deepfakes and phishing campaigns weaponized against elections.  Areas of concern outside of the private sector are misinformation, automated disinformation, data privacy, and algorithmic manipulation of social media data.

Skills Gap in Cybersecurity Landscape

There is a worldwide shortage of a workforce capable of designing, implementing, and maintaining systems for the protection of sensitive information.  In the report, 20% of respondents stated that they do not have the necessary skills in their organization to accomplish their cyber objectives.  Additionally, there is an ongoing challenge of retaining what skilled personnel an organization has in its employ.

Organizations are opting for certifications and short educational courses in lieu of formal university education to fill this gap.  Many small organizations that face revenue issues are encouraging employees to upskill because they cannot afford to hire qualified personnel.

A Changing Risk Environment

Organizational leaders are concerned about loss of access to goods and services and cyber extortion.  Of those polled, 29% stated that their companies had experienced such situations in the last year.  This is of particular concern because more than 60% of these leaders outside of Europe and North America do not carry cyber insurance.

Other risks perceived as high concern were loss of money or data, identity theft, and being monitored.  When queried as to significant barriers to achieving cyber resilience, business leaders cited lack of resources, cost of evolving from legacy systems, cultural resistance, not knowing where to start, lack of executive support, and a perception that the risk does not warrant the investment.

Emerging Technologies

A number of emerging technologies have created challenges for cyber resilience.  Most industry leaders reported that they felt more exposed to cybercrime than in previous years.  The use of new technologies by cybercriminals increases both the speed and adaptability of their attacks.  Despite these trends, most cyber leadership queried stated that they would maintain their focus on established cyber practices.

Top Management Buy In

A positive takeaway from this study was the number of business leaders who are concerned about cybersecurity and are actively engaged with their information security programs.  Over 90% of cybersecurity leaders trust their CEOs to communicate externally about cyber issues.  This is important because an essential component of a cyber resilience program is its integration into the enterprise risk management processes.

Governance Issues

While many governments are actively promoting cyber resilience, many critical gaps still exist that have yet to be addressed.  One such issue is the imbalance of responsibility for security between technology producers and consumers.  There is a real need to shift responsibility for ensuring safety from the organizations and individuals who purchase technology to the producers of these technologies.

The current status is representative of immature industries.  As in other sectors, governance will have to step in to ensure that players in technology play an appropriate part in maintaining trust in goods throughout their life cycles.

Moving Towards a Better Future

Collaboration is a key factor in bettering the cyber environment.  Organizations must share responsibility with suppliers, partners, regulators, and industry peers.  The entire structure is only as strong as its weakest link.  Most industry leaders are not optimistic about such collaboration in the immediate future.  

Leaders' views on regulations are positive with regard to reducing risk in their organizations.  Unfortunately, many leaders felt that regulations were too numerous and often conflicting internationally.  They also stated that the requirements were often too technically difficult to achieve and required excessive resources.

Supply Chain Cyber Resilience

Given that collaboration is essential in maintaining information security, it is concerning to note that 54% of parties queried felt that they had insufficient knowledge of vulnerabilities in their supply chain.  Again, this cyber maturity gap was more pronounced in medium and small companies.  The importance of this issue was illustrated by the fact that 41% of the organizations had experienced a cyber incident that originated from a third party.

Take Aways from the Report

Global challenges for cybersecurity will remain a concern for the foreseeable future.  The struggle for medium and small organizations to design, implement, and maintain effective solutions to the threat landscape will affect all in the global economy.  There are no simple solutions to these issues.  In all probability, an organization's ability to adopt best practices and be a trusted partner will determine its long term survivability.

CVG Strategy Information Security Management System Consultants

Global challenges for cybersecurity are a concern to organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems engaging in best practices.  It also involves a continual improvement approach so that threats can be continually assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Nicaragua Export Restrictions Increased by U.S.


Nicaragua export restrictions have been increased by both the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security (BIS) as of March 2024.  These actions were taken in response to United States national security and foreign policy concerns regarding the continuing deterioration of the nation's human rights and civil institutions, and Nicaragua's increased cooperation with Russia.

DDTC Specific Regulatory Changes

The DDTC, which administers the International Traffic in Arms Regulations (ITAR) under the authority of the Department of State, has added Nicaragua to the list of countries for which it, by policy, denies approvals for export or import of defense articles and services.  Under this revision of the ITAR, Nicaragua has been added to the list of countries detailed in 22 CFR 126.1, Prohibited exports, imports, and sales to or from certain countries.

This policy of denial is applicable to all defense articles and services.  The only exceptions to this policy are imports or exports of military equipment intended solely for humanitarian assistance, including natural disaster relief.  License applications for these exceptions are considered on a case-by-case basis.

Further restrictions were added under 22 CFR 129.7, Policy on embargoes and other proscriptions.  This action prohibits brokering activities involving specific countries.  As the effect of this rulemaking is perceived to have minimal consequences for federal agencies or private organizations and groups, these restrictions do not require interagency analysis.

BIS Specific Regulatory Changes

The BIS, which administers the Export Administration Regulations (EAR), has moved Nicaragua from Country Group B to Country Group D:5.  Group B countries are countries for which licensing is generally available.  Group D countries have fewer license exceptions and include around 50 countries such as Syria, Russia, Iran, Yemen, and Venezuela.  This group is divided into five areas of concern: D:1 National Security, D:2 Nuclear, D:3 Chemical & Biological, D:4 Missile Technology, and D:5 U.S. Arms Embargoed Countries.

This new level of restriction affects the export, reexport, and transfer of items subject to the EAR, including commodities, software, and technology.  Previous actions taken by the BIS include the addition of the Nicaraguan National Police to the Entity List and restriction of items to the country's security and military agencies.  The BIS has taken these actions as part of an ongoing effort to promote human rights and democracy.

A Call to Action for Businesses Involved in Export

Export regulations have been in a constant state of flux for the last decade as the Federal Government has used these powerful tools to pursue its national security and foreign policy objectives.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals, Blocked Persons, and Entity Lists, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).   These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out in a way that will prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

As these latest Nicaragua export restrictions illustrate, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you understand the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help.

Foreign Based Businesses and U.S. Export Compliance


Foreign based businesses and persons involved in the reexport of items controlled under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) are subject to the regulations and associated sanctions.  This also holds true for foreign producers of items that incorporate controlled items above threshold (de minimis) percentages in their products, and for producers that utilize U.S. technology, software, or production equipment.

Tri-Seal Compliance Note Stresses Foreign Based Persons Obligations

This message was reinforced in a recent Tri-Seal Compliance Note from the United States Department of Commerce, Department of the Treasury, and Department of Justice.  Agencies under these departments contributing to this note included the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC).  The intent of this release was to enhance awareness of these obligations and help organizations outside of the United States mitigate risks of non-compliance.

Applicability of Sanctions to Foreign Persons

Certain U.S. sanctions programs are applicable to foreign persons.  Violations of these sanctions can result in civil or criminal penalties.  These economic and trade sanctions are targeted towards foreign jurisdictions, regimes, entities, and individuals involved with terrorism, narcotics, weapons of mass destruction, and other acts threatening U.S. national security and foreign policy interests.

Non-U.S. persons may be prosecuted for conspiring to cause U.S. entities or persons to engage in violation or evasion of these sanctions.  The OFAC has been actively involved in this aspect of export enforcement in cases involving hiding references to sanctioned entities in financial transactions, misleading U.S. persons on the ultimate destination of controlled goods, or routing prohibited transactions through U.S. financial institutions.  Settlements in these cases have resulted in multi-million dollar penalties against the involved parties.

Bureau of Industry and Security and the EAR

The Bureau of Industry and Security (BIS) administers and enforces the Export Administration Regulations (EAR).  These regulations control the export of commodities by prohibiting or placing licensing requirements on specific items.  The term commodities can include software, technology, and intellectual property.

These regulations differ from the export regulations of many nations in that these controls can extend to articles controlled in any nation and to the foreign based businesses involved in transactions with them.  This extended regulatory reach exists to ensure that controlled articles are not surreptitiously transferred to a third party that would normally be barred from the transaction. 

Items subject to the EAR also include products manufactured with controlled U.S.-origin components or software.  Licensing requirements are determined by de minimis calculations of the value of controlled U.S.-origin content in a non-U.S. finished product.

This is done by identifying any controlled components in a bill of material and calculating the percentage of the overall product's fair market value that those components represent.  Threshold percentages vary according to the components' classifications.

Controls also govern the use of advanced manufacturing equipment and software.  This is especially applicable to the manufacture of semiconductor devices.  Controls of this nature have been enacted to restrict the supply of certain items to China, Russia, Belarus, and Iran.  The result of this regulatory extension is that licenses may be required for semiconductor components regardless of where they were manufactured.

BIS Enforcement Actions

Enforcement actions have resulted in major penalties for businesses.  In April 2023, a $300 million penalty was imposed on Seagate Technology LLC, which included a five-year suspended Denial Order that, if activated, would terminate the organization's ability to conduct export business under the EAR.

The BIS has also imposed restrictions on the types of aircraft allowed to fly into Russia if they include more than the 25% de minimis amount of U.S.-origin controlled content.  This includes Airbus planes and affects a large number of airlines servicing Russia, including Nordwind, I-Fly, and Meridian Air.

Department of Justice Involvement in U.S. Sanction and Export Regulations

The Department of Justice (DOJ) brings criminal prosecutions against parties involved in willful violations of U.S. sanctions and export regulations.  Recent actions have included the indictment of Latvian nationals and a Latvian company involved in the attempted smuggling of dual-use production machinery.  As a result, fines in excess of $825,000 were levied against the defendants.

Actions were taken against an Iran based person and a Chinese national for attempting to obtain controlled microelectronics for UAV production.  The defendants are alleged to have provided false information to U.S. manufacturers concerning the ultimate end users of the devices.

In November 2023, a guilty plea was entered by Binance Holdings Ltd. (a cryptocurrency exchange) for knowingly having a large number of users from sanctioned regimes.  Penalties for the infractions included a $4.3 billion penalty with additional payments for civil liabilities of $968,618,825.

CVG Strategy Export Compliance Programs

As developments in the Export Administration Regulations illustrate, export compliance is a growing concern for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can assist foreign based businesses in meeting U.S. export requirements by creating a tailored export compliance program.  We can also perform export control classifications, perform audits, assist with export license requirements, and educate your team.  Regardless of whether your exports fall under the EAR or ITAR, CVG Strategy has the expertise to help.

Disruptive Technology Task Force Enforcement Actions


The Disruptive Technology Task Force was launched in February of 2023 by the Department of Commerce, the Department of Justice, and the Federal Bureau of Investigation in an effort to prevent the unlawful acquisition of advanced technologies by foreign adversaries.  To date this effort has resulted in numerous cases being filed against parties involved in sanctions and export control violations.  These offenses involved the unlawful transfer of sensitive information, articles, and military-grade technology to China, Iran, and Russia.

Disruptive Technology Task Force Cases in 2023

Half of the task force cases in the last year involved the attempted export of controlled semiconductors and microelectronics to Russia.  Many of these involved components for guided missile systems, Unmanned Aerial Vehicles (UAVs), weaponry, cryptography, and nuclear weapons testing.

Cases involving exports to Russia were accomplished by the task force in partnership with the interagency law enforcement group Task Force KleptoCapture.  This group comprises agencies in the United States and its allies.

Three cases involved individuals attempting to procure controlled technologies for Iran or Iranian end users.  These cases involved items and technologies associated with military products, aerospace, firefighting, UAVs, and materials used for weapons of mass destruction.

In an additional three cases, the task force charged former employees of U.S. companies with stealing proprietary and confidential information.  These cases were all related to attempts to transfer advanced technologies to the People's Republic of China.  Technologies involved in these cases included missile detection equipment, advanced manufacturing software, and Apple source code.  A fourth case, involving a Belgian national, concerned the export of military grade accelerometers.

Measures Taken to Enhance Enforcement

A number of partnerships have been formed to further enhance enforcement efforts. 

  • The task force added the Defense Criminal Investigative Service as a formal partner.
  • It added multi-agency enforcement teams to specific areas in the United States where critical technology industries are present.
  • The Strike Force created a partnership with the Ukrainian Prosecutor General to curb the illegal flow of advanced technology to Russia.
  • The Department of Commerce and Department of Justice, along with leaders from Japan and South Korea, established a Disruptive Technology Protection Network to expand information sharing and best enforcement practices.
  • The strike force fostered partnerships with the private sector to engage directly with companies involved in the manufacture and export of controlled items.
  • A Five Eyes export control agreement was formed to address the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts.

A Call to Action for Businesses Involved in Export

The continued vigilance of the Disruptive Technology Strike Force enforcement illustrates the Bureau of Industry and Security's (BIS) commitment to protecting sensitive technologies.  Besides partnering with U.S. enforcement agencies, the Commerce Department has shown a commitment to working with international agencies to protect national security and foreign policy interests.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals, Blocked Persons, and Entity Lists, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).   These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out in a way that will prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

Export compliance is an important subject for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with export control laws can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you understand the Export Administration Regulations and establish a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help.  Contact Us with your export regulation questions.

Lockbit Extortion Operation Interrupted by Operation Cronos


The Lockbit extortion operation was taken down by an international law enforcement effort called "Operation Cronos".  This action included participation of the FBI, the National Crime Agency of the UK (NCA), and Europol, among other organizations.

Actions taken include the UK's National Crime Agency taking control of the ransomware group's site and the arrest of at least four individuals.  Two individuals were arrested in Poland and Ukraine, and two others had been detained in the U.S.  Two other Russian nationals are still at large.

Operation a Major Blow to Lockbit

The strike included gaining control of the central infrastructure of the organization and the seizing of source code.  The agencies also obtained encryption keys that will assist victims in decrypting and retrieving their data.  Europol reported that enforcement efforts had resulted in the takedown of over thirty servers in nine different countries.

History of Cybercriminal Group

Lockbit is a network of cybercriminals that has targeted thousands of organizations in a variety of sectors, including manufacturing, government, energy, financial services, and health care.  To date, Lockbit has hacked into over 2,000 systems and raked in over $120 million in ransom from its victims.

Lockbit has been the most common form of ransomware in the last two years.  The group has run a sophisticated and highly organized Ransomware as a Service (RaaS) operation since 2020.  RaaS platforms offer ransomware products on a subscription or commission basis.

The organization is thought by many experts to have originated in Russia, though the group has claimed no national affiliation and has claimed to be engaged in its activities only for financial gain.  The group operates by recruiting hackers to use Lockbit's various tactics, techniques, and procedures to compromise major organizations worldwide.

Many victims of the Lockbit extortion operation have been additionally extorted by threats to publish sensitive information.  The resulting ransom payments are usually made in cryptocurrencies, which makes tracing the payments difficult.

Ransomware a Growing Concern

Ransomware is the largest cyberattack threat to industrial organizations in North America.  There has been continuing growth in the number of attacks in the last several years.  While the Lockbit ransomware group has been the leader in this area, a number of other actors such as 8Base, Akira, and Black Basta have been active players.

It is expected that this trend will continue to escalate as these groups utilize AI in increasingly targeted attacks in conjunction with social engineering and phishing techniques.  Targeted entities tend to be government agencies and large business concerns.  Experts expect that increased attacks will occur in the health, education, and energy sectors.

Enforcement Agencies Respond

The Department of Justice, in conjunction with other law enforcement agencies, has been engaged in the infiltration of cybercrime groups.  In the United States, the FBI has been particularly active in these efforts, with successes against the Hive network in 2023.  As with the actions taken against Lockbit, the FBI partnered with law enforcement agencies in other countries.  The Hive infiltration involved ransoms of $130 million and also resulted in the capture of decryption keys, which were made available to victims to retrieve stolen data.

CVG Strategy Cybersecurity 

While the disruption of the Lockbit extortion operation is a promising development, the successes of ransomware attacks illustrate the vulnerabilities of organizational information.  Successful hacks of this sort are often the result of manipulating people into opening infected emails or visiting infected sites.

Businesses and government agencies must develop effective data protection strategies.  These strategies should include policies that incorporate risk assessment, training, and management review.  CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification on time and on budget.

CVG Strategy is also committed to the goals of CMMC in securing our defense manufacturing supply chain's information.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

KV Botnet Disrupted by FBI in Infected SOHO Routers


The FBI has disrupted a KV botnet malware infection instigated by Volt Typhoon, a state sponsored threat actor affiliated with the People's Republic of China (PRC).  The KV botnet was first identified in December 2023.  It targeted Cisco and NetGear routers that were no longer supported by manufacturer software updates.  The court-authorized operation, conducted by the Federal Bureau of Investigation (FBI), deleted the KV botnet cyber threat from hundreds of U.S. small business information technology devices.

Botnet Used to Conceal Hacking Activities 

This Volt Typhoon malware enabled China to hide the origins of future malicious activity by using small business and home office (SOHO) routers.  A SOHO router is a broadband device used in small offices and home offices.  It connects a local area network to an internet service.

The botnet, which is part of a larger set of malware targeted at U.S. infrastructure, has been active since February of 2022.   The FBI remotely issued commands to the routers to delete the botnet.  The devices were cleared of the malware and provided temporary protection from reinfection.  Devices should be updated with software patches before being rebooted.  These actions were undertaken after informing owners of the infected router devices. 

The operation performed was extensively tested on routers before being performed on the infected devices.  The action did not affect the performance of the devices or compromise the confidentiality, integrity, or availability of any data in those systems.

U.S. Infrastructure Being Targeted

China is targeting U.S. infrastructure with cyberattacks in a continuing effort to increase its ability to disable critical systems.  These targets include facilities involved with energy, transportation and water purification.  Targeted organizations include a water utility in Hawaii, maritime ports, a Texas power grid, and an oil and gas pipeline.  These efforts are part of a long term strategy that is continuing to develop in scope and sophistication.

The effort is thought to be an attempt to disable U.S. efforts in a potential conflict between the two nations.  China is positioning itself to threaten the physical safety of U.S. citizens.  The FBI stated that the agency will continue to work with partners to disable PRC threats.  Speaking on the incident, Attorney General Merrick B. Garland pointed out that these actions illustrate the importance of partnering with the public and the private sector to enable the dismantling of malicious cyber operations.

Chinese Espionage Affects All Sectors

As developments in the KV botnet story illustrate, China is conducting a global cyber espionage program to disrupt infrastructure and to steal trade secrets, intellectual property, and sensitive information from companies in North America, Europe, and Asia. Many organizations that have suffered these data breaches are not even aware that their computer networks have been compromised.

These attacks have exploited a wide array of vulnerabilities.  Often multi-stage infection chains are used to avoid detection. Other attacks have involved more standard forms of malicious software including spear-phishing emails.

While China is not the sole nation to threaten U.S. interests with cyberattacks, its activities have, unlike others, focused on economic espionage and intellectual property theft. Clearly China intends to be a dominant economic global force by any and all means available. U.S. businesses therefore must engage in effective strategies to protect their interests and remain vigilant.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that they must meet challenging information security levels in order to conduct business with governmental agencies. To assist businesses in meeting the challenges of adopting the various NIST and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

Developments in Export Administration Regulations for 2024


As 2024 begins, it will be interesting to note how developments in Export Administration Regulations (EAR) unfold. The previous year saw tightening of export controls, increased enforcement activities, increased penalties, and cooperation of the Bureau of Industry and Security (BIS) with enforcement agencies in this nation and abroad.

What Are Export Administration Regulations?

The Export Administration Regulations (EAR) regulate the export of commodities by prohibiting or placing licensing requirements on specific items. The term commodities can include software, technology, and intellectual property. The specific regulations of the EAR can be found in 15 CFR §730.

The EAR are administered by the Department of Commerce and enforced by the Bureau of Industry and Security (BIS).  Items controlled under the EAR are listed in the Commerce Control List (CCL), and identified by a unique Export Control Classification Number (ECCN).  Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item. 

Important Developments in 2023

Disruptive Technology Strike Force

Early in 2023 the Department of Commerce initiated the Disruptive Technology Strike Force which partnered the Bureau of Industry and Security (BIS) with the Department of Justice (DoJ) in the enforcement of the Export Administration Regulations (EAR).  These actions were focused on the export of semiconductors and technologies related to the manufacture of these devices.

Civil Space Industrial Base Assessments

The Bureau of Industry and Security (BIS) conducted an assessment of the civil space industrial base in the United States to better understand this important supply chain network. This study collected data from U.S. organizations involved in the research, design, and manufacture of space related products and services.  The study involved research centers, commercial entities, universities, and laboratories.

BIS Enhancing Enforcement and Prosecution

The BIS changed the scope of its enforcement policies to address the increased complexities of the international political arena. To more effectively enforce the EAR, BIS increased its focus on the use of sanctions and denied parties lists to protect sensitive technologies. Enforcement actions in 2023 resulted in a record number of convictions and denial orders.

To strengthen international enforcement, a Five Eyes export control agreement was completed in which Australia, Canada, New Zealand, the United Kingdom, and the United States formally committed to coordinate their export control enforcement efforts.

Focus on China

BIS placed numerous restrictions on technologies to the PRC to limit China’s ability to enhance its military capabilities through its Military-Civil Fusion strategy. This strategy aims to aggressively advance China’s military objectives by eliminating the barriers between the nation’s civil and military research and commercial sectors.

This effectively renders an export of technical items to commercial entities in China an export to the People’s Liberation Army (PLA). Key technologies being targeted by China include quantum computing, semiconductors, advanced nuclear technology, 5G, aerospace technology, and AI. Responses from the U.S. in 2023 included the National Security Guardrails for CHIPS, intended to strengthen the international semiconductor supply chain.

Criticisms of BIS Ability to Mitigate Chinese Threats

A 2023 report from the U.S. House of Representatives stressed the importance of Bureau of Industry and Security (BIS) export controls in mitigating economic and national security threats from China. The bipartisan report stressed that China is using its military, its economic strength, and its technological base to further an agenda of global domination. It further advocated for modernization of the Department of Commerce’s BIS to reverse the trend of promoting short-term profit in the technology sector at the expense of U.S. technological leadership.

The bipartisan report stressed that the U.S. can no longer depend on a reactive export control bureaucracy, but must develop controls that preemptively safeguard against technology transfers that may threaten national and economic security. This will require the licensing bureaucracy governing the Export Administration Regulations (EAR) to move away from its post-Cold War mentality.

Moving Forward

As 2024 opens, developments in Export Administration Regulations are already underway. The BIS has announced that more stringent penalties will be levied against companies violating export regulations.

The agency has also announced further enhancements to its Voluntary Self Disclosure policies to ease resolution of minor infractions. This will allow the agency to allocate more resources to the investigation and prosecution of serious violations.

A recent congressional hearing on Protecting Emerging Technologies for Peace and Stability in the Indo-Pacific addressed the further need to protect these technologies from being obtained by China. Witnesses at this hearing were representatives from the Bureau of Cyberspace and Digital Policy, the Bureau of International Security and Nonproliferation, and Thea Kendler from the BIS.

The takeaway from this congressional hearing was that technological supply chain diversification is essential and that important technologies, and the investments made in their development, must not be allowed to fall into the hands of China’s military.

CVG Strategy Export Compliance Management Programs

As developments in Export Administration Regulations illustrate, export compliance is a growing concern for businesses selling items that are intended for international sale or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

China is Targeting U.S. Infrastructure with Cyberattacks

Photo by Sabian Mahmud

The Washington Post reported that China is targeting U.S. infrastructure with cyberattacks in a continuing effort to increase its ability to disable critical systems. The Cybersecurity and Infrastructure Security Agency (CISA) first announced these attacks in May of 2023. CISA identified the source as Volt Typhoon, a state-sponsored hacking group affiliated with China.

Chinese Military Targets in the U.S.

The People’s Liberation Army is targeting power grids, water utilities, and transportation networks in the United States. Chinese hackers have penetrated over twenty computer systems in strategic entities in the last year in an effort to compromise the ability of the U.S. to respond in the event of a conflict with China.

Organizations affected include a water utility in Hawaii, maritime ports, a Texas power grid, and an oil and gas pipeline. These efforts are part of a long term strategy that is continuing to develop in scope and sophistication.

Chinese Espionage Affects All Sectors

China is conducting a global cyber espionage program to steal trade secrets, intellectual property, and sensitive information from companies in North America, Europe, and Asia. Many organizations that have suffered these data breaches are not even aware that their computer networks have been compromised.

These attacks have exploited a wide array of vulnerabilities.  Often multi-stage infection chains are used to avoid detection. Other attacks have involved more standard forms of malicious software including spear-phishing emails.

While China is not the sole nation to threaten U.S. interests with cyberattacks, its activities have, unlike others, focused on economic espionage and intellectual property theft. Clearly China intends to be a dominant economic global force by any and all means available. U.S. businesses therefore must engage in effective strategies to protect their interests and remain vigilant.

Mitigating Cyber-Attacks

The National Security Agency (NSA) has issued some basic guidance for mitigating the threats to targeted critical infrastructure. These include the use of robust multifactor authentication, enforcing password protocols, updating software and operating systems, and educating personnel against phishing scams. While these measures may seem basic in nature, the reality is that many organizations, both public and private, have insufficient information security management programs.

Organizations in the private sector have begun to realize the enormous threat that cyberattacks pose. Their responses, however, have been slow, and the levels of cybersecurity maturity attained thus far are leaving proprietary and sensitive data vulnerable. While numerous advances in IT tools are available to assist organizations in their fight against cyberattacks, organizations also require management tools to evaluate risks, implement plans, and coordinate control mechanisms.

China is targeting U.S. infrastructure as well as key industries in the private sector. For many small to medium businesses, a severe data breach could spell the end of their enterprises. Their challenges are compounded by the need to share data with suppliers, customers and other third parties.

Clearly, the path forward is not likely to get easier for those involved in the protection of data. It is therefore the duty of all organizations to assume responsibility for their best interests and shape their entities to protect their futures.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

BIS Export Controls and China

Photo by Karolina Grabowska

A 2023 report from the U.S. House of Representatives stressed the importance of Bureau of Industry and Security (BIS) export controls in mitigating economic and national security threats from China. The bipartisan report stressed that China is using its military, its economic strength, and its technological base to further an agenda of global domination. It further advocated for modernization of the Department of Commerce’s BIS to reverse the trend of promoting short-term profit in the technology sector at the expense of U.S. technological leadership.

Concern for Emerging Technologies

Dual-use emerging technologies have both commercial and military uses. These wide-ranging technologies include Artificial Intelligence (AI) and quantum computing. According to assessments made by the United States intelligence community, China is continuing to take the lead in these technologies. This lead is, more often than not, achieved through access to technologies developed in the U.S. The report stresses that the U.S. must invest in innovation while ensuring that export control laws effectively deny China access to these innovations.

The bipartisan report stressed that the U.S. can no longer depend on a reactive export control bureaucracy, but must develop controls that preemptively safeguard against technology transfers that may threaten national and economic security. This will require the licensing bureaucracy governing the Export Administration Regulations (EAR) to move away from its post-Cold War mentality.

The Growing Threat Posed by China

Recent military actions, along with a history of violations of international agreements and ongoing human rights violations in Xinjiang, illustrate the growing threat China poses to international security and stability. It is important to understand the direct link between any PRC commercial entity and the People’s Liberation Army (PLA).

It is estimated that China steals up to $600 billion of U.S. intellectual property. Dual-use technologies acquired by these companies can and will be used, when applicable, for the development of weapons of mass destruction. During the last decade General Secretary Xi has developed legal and regulatory mechanisms that require partners to transfer private sector technology to the Chinese government.

This can create scenarios where recipients of U.S. technologies, while required by U.S. law not to allow access to sensitive technologies, may be forced under China’s laws to share these technologies with the Chinese military. It is important, therefore, that export agencies adopt a presumption that exported items will not be used for the purposes stated in licensing agreements.

Specific Failures of Export Controls

Instances were given where export controls failed to proactively prevent the transfer of critical technologies that supported the PRC’s development of hypersonic weapons. In one such case a Chinese company was placed on the BIS Entity List only after an exposé was published by the Washington Post. The agency also failed to prevent the export of Intel and Nvidia semiconductor devices to a Chinese nuclear weapons lab.

Additionally, the agency has been reluctant to preemptively identify emerging and foundational technologies and licensing requirements in an effort to combat the CCP’s Military-Civil Fusion Strategy (MCF).  The report did not indicate that these failures were due to a lack of resources.  Instead, these failures have been linked to a failure of the BIS to reconcile its mission to protect national security with objectives for promoting exports.  The report called for a major reformation of the BIS’s organizational structure and policies to remedy these deficiencies.

Recommendations to Enhance National Security Priorities of BIS Export Controls

The U.S. House of Representatives’ Foreign Affairs Committee (House Committee) report outlined several recommendations to improve the performance of the BIS on national security issues. These included:

  1. Doing away with strict Operating Committee timelines for escalation of licensing to the Advisory Committee on Export Policy (ACEP) and Export Advisory Review Board (EARB) to allow sufficient time for necessary analysis.
  2. Instituting a majority vote system in the Operating Committee for all licenses it reviews.
  3. Mandating that the BIS be required to refer license applications to other appropriate agencies.
  4. Imposition of a “policy of denial” of all national security controlled items to China.
  5. Review of EAR99 technologies and control or re-control items on the Commerce Control List.
  6. Application of a presumption of denial for all companies on the Entity List.  This denial should be clearly stated in the EAR.
  7. The Entity List should reflect the scope of military end-users that may pose threats to national security or foreign policy interests.
  8. Standardize the agency’s definition of Military End User (MEU).
  9. Enhancing international agreements for harmonizing legal and regulatory requirements.
  10. Legislation of new standards for criminal prosecutions.
  11. Having the DoC renegotiate its end-use agreement with China or impose increased export restrictions on that country.
  12. Requiring the BIS to regularly report information required for basic oversight.
  13. Reformation of National Security Directive 189 to provide adequate controls for fundamental research.
  14. Allowing BIS to charge fees on certain licenses to provide resources for the agency.
  15. Updating definitions to close loopholes that allow China access to standard-setting bodies.

CVG Strategy Export Compliance Management Programs

Given the focus placed on BIS export controls, it can be expected that further changes will be made to the Export Administration Regulations and that heightened attention will be paid to license requirements. This places further responsibilities on organizations involved in export to maintain effective export compliance programs.

Export compliance programs are required by law under both the Export Administration Regulations (EAR) enforced by the BIS and the International Traffic in Arms Regulations (ITAR). Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

DHS Cybersecurity Assessment Criteria Announced

Photo by Tima Miroshnichenko

DHS cybersecurity assessment criteria have been released that will set the bar for businesses seeking contract awards from the agency. The U.S. Department of Homeland Security has released this information to ensure that appropriate levels of “cyber readiness” are in place among its vendors. The DHS plan, released by Chief Information Security Officer Kenneth Bible, is being provided to its supply chain to facilitate feedback from industry business leaders prior to final roll out of the program.

Cybersecurity Readiness Factor Program

The Cybersecurity Readiness Factor program chosen by DHS differs from the Cybersecurity Maturity Model Certification (CMMC) program approach embraced by the Department of Defense (DoD) in that it strives to create a more economically feasible solution for small businesses. Instead of requiring a certification process, the DHS is planning to use statistical analysis of questionnaire responses to determine contractors’ ability to protect Controlled Unclassified Information (CUI). These questionnaires will query organizations on their ability to meet the security requirements of NIST SP 800-171r2 and NIST SP 800-172.

NIST SP 800-172 Enhanced Requirements

NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, is a supplement to SP 800-171 that contains recommended security enhancements for the protection of CUI that specifically address the entire Confidentiality, Integrity, Availability (CIA) triad. While SP 800-171 focuses on confidentiality, SP 800-172 adds security controls for data integrity and availability to help achieve cyber resiliency and survivability. This is achieved by detailing controls for penetration-resistant architectures and damage-limiting operations.

The standard describes the approaches used in the development of the enhanced security requirements.  It then describes in detail the 14 families of security requirements.  Supporting information is supplied in appendices including mapping tables and references.  The figure below illustrates the relationships between NIST SP 800-171 and NIST SP 800-172.

[Figure: relationship between NIST SP 800-171 and NIST SP 800-172]

DHS Criteria for Assessment

The proposed criteria for DHS assessments will rate businesses on perceived levels of readiness to protect CUI based on the numbers and types of security requirements in place. Levels of compliance are categorized as fully satisfied, partially satisfied, or not satisfied. Statistical analysis then provides three categories for likelihood of compliance:

  • High Likelihood of Cybersecurity Readiness – The organization has implemented and understands the required technical controls for the protection of CUI.
  • Likelihood of Cybersecurity Readiness – Organizations in this category are found to be between the fifteenth percentile and mean of DHS contractors engaged in the handling of CUI.
  • Low Likelihood of Cybersecurity Readiness – This category comprises businesses in the lower fifteenth percentile of DHS contractors engaged in the handling of CUI.
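The three categories above are comparative: an offeror is placed relative to the population of other DHS contractors rather than against a fixed pass mark. The following Python is an added illustration of that scoring logic, not code from DHS or from this article. It assumes a weighting the DHS plan does not publish (full credit for a fully satisfied requirement, half credit for partially satisfied, none for not satisfied) and assumes that scores at or above the peer mean fall in the high-likelihood category, since the middle category is described as lying between the fifteenth percentile and the mean. The peer scores and questionnaire responses are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import fmean
from typing import Iterable, Mapping, Tuple


class Status(Enum):
    """Compliance level recorded for one questionnaire requirement."""
    FULLY = "fully satisfied"
    PARTIALLY = "partially satisfied"
    NOT = "not satisfied"


# Assumed credit per response level (hypothetical; DHS has not published weights).
CREDIT = {Status.FULLY: 1.0, Status.PARTIALLY: 0.5, Status.NOT: 0.0}

HIGH = "High Likelihood of Cybersecurity Readiness"
LIKELY = "Likelihood of Cybersecurity Readiness"
LOW = "Low Likelihood of Cybersecurity Readiness"


def readiness_score(responses: Mapping[str, Status]) -> float:
    """Fraction of available credit earned across the questionnaire (0.0 to 1.0)."""
    if not responses:
        raise ValueError("questionnaire has no requirements")
    return sum(CREDIT[s] for s in responses.values()) / len(responses)


def nearest_rank_percentile(values: Iterable[float], p: int) -> float:
    """p-th percentile by the nearest-rank method (integer arithmetic for the rank)."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("population is empty")
    k = -(-p * len(ordered) // 100)  # ceil(p * n / 100) without float rounding
    return ordered[max(k, 1) - 1]


@dataclass(frozen=True)
class Thresholds:
    low_cutoff: float  # 15th percentile of peer scores
    mean: float        # mean of peer scores


def thresholds_from_population(peer_scores: Iterable[float]) -> Thresholds:
    """Derive the two cut points the categories are defined by."""
    scores = list(peer_scores)
    return Thresholds(nearest_rank_percentile(scores, 15), fmean(scores))


def readiness_category(score: float, t: Thresholds) -> str:
    """Place a score in one of the three comparative categories."""
    if score < t.low_cutoff:       # strictly below the 15th percentile
        return LOW
    if score < t.mean:             # between the 15th percentile and the mean
        return LIKELY
    return HIGH                    # assumption: at or above the mean


def assess(responses: Mapping[str, Status],
           peer_scores: Iterable[float]) -> Tuple[float, str]:
    """Score one offeror's questionnaire and categorize it against its peers."""
    score = readiness_score(responses)
    return score, readiness_category(score, thresholds_from_population(peer_scores))


# Constructed peer population: readiness scores of 20 hypothetical CUI contractors.
CONSTRUCTED_PEER_SCORES = [
    0.30, 0.42, 0.55, 0.58, 0.60, 0.63, 0.65, 0.68, 0.70, 0.72,
    0.74, 0.75, 0.78, 0.80, 0.82, 0.85, 0.88, 0.90, 0.93, 0.96,
]

# Constructed questionnaire: ten generic requirement labels, not NIST control numbers.
SAMPLE_RESPONSES = {
    "req-01": Status.FULLY, "req-02": Status.FULLY, "req-03": Status.FULLY,
    "req-04": Status.FULLY, "req-05": Status.FULLY, "req-06": Status.FULLY,
    "req-07": Status.PARTIALLY, "req-08": Status.PARTIALLY,
    "req-09": Status.NOT, "req-10": Status.NOT,
}

if __name__ == "__main__":
    thresholds = thresholds_from_population(CONSTRUCTED_PEER_SCORES)
    score, category = assess(SAMPLE_RESPONSES, CONSTRUCTED_PEER_SCORES)
    print(f"15th percentile cutoff: {thresholds.low_cutoff:.3f}, mean: {thresholds.mean:.3f}")
    print(f"offeror score: {score:.2f} -> {category}")
```

Because the cut points move with the peer population, the same questionnaire can land in a different category from one solicitation to the next; that is the property that lets DHS use the factor in a best value tradeoff rather than as a pass/fail gate.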

Use of the Assessments at Present

The Cybersecurity Readiness Factor will be provided to the DHS Contracting Officer (CO) to aid the Source Selection Official in assessing contractor readiness. Because this methodology is comparative in nature, there are no strict pass/fail criteria and no offerors will be excluded from award eligibility. As such, the evaluation will be used to conduct a best value tradeoff in decisions to award contracts. There may, however, be requirements for submittal of a Plan of Action and Milestones (PoAM) after receiving contracts if the DHS has information security concerns.

Conclusions

Cybersecurity requirements for businesses involved with contracts with the federal government are going to continue to evolve. While the need to protect information is clearly more important than ever, requirements can and are putting smaller businesses out of the game. This latest effort to reduce cost through the elimination of certification requirements is an interesting development, but the costs associated with effectively implementing cybersecurity controls are still high.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting DHS Cybersecurity Assessment criteria, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cyber security for businesses of any size.

We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy also provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

Export Control Classifications & Due Diligence

Photo by Vojtech Okenka

Performance of export control classifications is a requirement for businesses conducting sales of products and services, even if the sale is conducted within the United States, because the customer may be a non-U.S. person.  Classification of products provides a determination that a proposed transaction is allowed under federal regulations, is prohibited, or requires licensing or other such authorizations.

Performance of Due Diligence

It is ultimately the responsibility of the exporter to be aware of, and remain in compliance with, all export regulations governing its transactions. A classification should therefore be performed even if the exporter is distributing a product not created by the company. While referencing the manufacturer’s classification is a good starting point, the exporter should perform their own classification to ensure that the classification is correct and that it reflects current regulations.

Sequence of Operation in Product Classification

When classifying a product or service it is often advisable to obtain insight from someone with specific technical expertise.  

ITAR

When performing a classification, the first step is to determine if the product, service, or technical information falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR).  The ITAR are regulations stipulated by the U.S. Department of State and regulated by the Directorate of Defense Trade Controls (DDTC).  Defense articles controlled under the ITAR are enumerated in the United States Munitions List (USML).  

EAR

Export Administration Regulations (EAR) control the export of commodities enumerated as described in 15 CFR §730. The EAR are administered and enforced by the Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce. These regulations are in place to advance the national security and foreign policy objectives of the United States Government. Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN).

Next Steps

If a classification has been found there will often be an associated classification for the technical data for that item.  This classification should also be performed.  If no classification has been found the item is classified as EAR99.  All classifications should be approved by the organization’s Export Control Officer.

CVG Strategy Export Compliance Management Programs

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

National Security Guardrails for CHIPS

Photo by Sergei Starostin

The National Security Guardrails for CHIPS have been established by the U.S. Department of Commerce in an effort to prevent subsidies for semiconductor manufacturing from being diverted into nations considered to be national security threats. The CHIPS and Science Act, originally published in March of 2023, is an incentive to enhance global supply chain resilience.

Secretary of Commerce Gina Raimondo stated that CHIPS for America is intended to be a national security initiative and that it was important to ensure that funds allocated do not undermine that security.  She went on to say that the U.S. would continue to work with our allies and partners in the expansion of semiconductor manufacturing to strengthen global supply chains and build a collective security.

Specific Provisions for CHIPS Recipients

The guardrails to strengthen national security include the following:

  • It is prohibited to use funds from the CHIPS program to construct, modify, or improve a semiconductor facility outside of the U.S.
  • Recipients of funds cannot invest in foreign semiconductor manufacturing for a period of ten years from receiving funds from the program.
  • Limitations on specified joint research or technology licensing with foreign entities. These limitations restrict transactions with entities owned or controlled by countries identified by the Bureau of Industry and Security’s (BIS) Entity List or by the Treasury Department’s Chinese Military-Industrial Complex Companies List (NS-CMIC).
  • The Department of Commerce is empowered to withdraw funds from parties that violate these provisions.

This final rule includes cleanroom or other physical space in the definition of manufacturing capacity and limits any expansion of a foreign facility’s production capacity to five percent.  It also establishes a process for notifying the Department of any plans to expand manufacture of legacy chips (also known as mature node chips) in foreign countries that could raise national security concerns.

The statute also classifies a list of semiconductors as critical to national security and places higher restrictions on them.  This includes chips used for quantum computing, devices capable of operating in environments with high levels of radiation, and any semiconductors deemed critical to U.S. national security needs.

CVG Strategy Export Compliance Management Programs

Managing an Export Compliance Program is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 


Lawsuit Filed Against Penn State for Cybersecurity Claims


A lawsuit filed against Penn State University by the U.S. Department of Justice illustrates the challenges the government faces in instituting effective protection of data.  The suit, filed under the False Claims Act (FCA), alleges that the university misrepresented its adherence to the cybersecurity protocols required in the handling of Controlled Unclassified Information (CUI).

Specifically, the U.S. Government contends that the university presented false evidence of compliance with Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, DFARS 252.204-7019, and NIST 800-171 in its submissions to the Department of Defense’s Supplier Performance Risk System (SPRS).  The lawsuit further alleges that internal complaints made to upper management at Penn State were repeatedly ignored.

U.S. Government Requirements for Data Protection

The Department of Defense (DoD) has implemented, under executive orders, cybersecurity requirements for organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  Under these DFARS clauses, contractors are required to implement specific cybersecurity controls.  These include the encryption of sensitive data, restricting access to sensitive systems, and conducting risk assessments.

  • As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release.  This information is generally created in the development of a contract for a product or service. 
  • CUI, as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation.  The CUI definition does not include classified information.  It therefore includes unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

At a minimum, current security requirements include the implementation of NIST 800-171 as a condition of receiving a Department of Defense (“DoD”) contract. All contractors must carry out a Basic Assessment of NIST 800-171 and submit their score to the DoD.  While there is no official audit procedure to determine compliance, contractors must conduct a self-assessment and make an attestation of their compliance.

CMMC Requirements

The Federal Government has outlined further requirements for contractors under Cybersecurity Maturity Model Certification (CMMC) 2.0.  CMMC 2.0 has three different levels of compliance.  While Level 3 is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization handles: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Level Requirements

  • Level 1 (Foundational) applies to organizations that deal solely with FCI.  Level 1 cybersecurity requirements are based on the requirements detailed in FAR 52.204-21.  These 17 controls protect contractor information systems by limiting access to authorized users.
  • Level 2 (Advanced) applies to organizations that work with CUI.  Level 2 requirements include the 14 control families and 110 controls contained in NIST 800-171.
  • Level 3 (Expert) applies to organizations working on high priority projects critical to U.S. national security.  Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced.  These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs).

CVG Strategy Cybersecurity 

As the lawsuit filed against Penn State shows, the U.S. government is serious in its pursuit of protection for CUI.  CVG Strategy information security consulting services help organizations develop comprehensive programs to meet U.S. government cybersecurity requirements.  We can assist in establishing customized programs to address:

  • NIST 800-171
  • CMMC 2.0
  • NIST 800-161
  • NIST 800-53

We can also provide training to make your entire team aware of cyber threats and keep them informed on best practices and the specific policies of your organization.  Additionally, we can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

CVG Strategy is committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Export Law and Immigration Discrimination


Integrating compliance with export law and with the immigration discrimination requirements of the Immigration and Nationality Act (INA) can be challenging.  Employers who export items controlled under the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) must prevent the deemed export of technical data to non-U.S. Persons while avoiding employment discrimination.  Recently, both SpaceX and General Motors have come under fire from the Department of Justice (DoJ) for failing to consider INA prohibitions.

General Motors Settlement

The Department of Justice secured a settlement with General Motors (GM) to resolve determinations that GM discriminated against non-citizens in violation of the INA.  The discrimination occurred as a result of actions the company took to comply with its export compliance program.  These actions included unnecessarily requiring lawful permanent residents to provide unexpired foreign passports to gain employment.  This improperly combined the process for verifying workers’ permission to work in the United States with export compliance assessments.

GM, under the terms of the settlement, must revise its employment policies and retrain personnel on INA requirements.  The company has agreed to pay $365,000 in civil penalties, will be monitored by the Department of Justice, and will be subject to reporting requirements.  Most importantly, GM is required to separate its export compliance processes from its Form I-9 processes.

SpaceX Administrative Lawsuit

SpaceX was found to have misinterpreted export law and immigration discrimination requirements in its assertion that it could not hire asylees and refugees.  This was too broad an implementation of export control law requirements.  The DoJ is asking the courts to order SpaceX to cease this employment practice and pay a civil penalty to the U.S. government.  It is alleged that SpaceX required green cards for positions with no exposure to controlled items or associated technical information.

This is not the first run-in SpaceX has had with the government concerning its labor practices.  In 2021, the company faced actions for failing to comply with a subpoena in a hiring discrimination investigation.

Department of Justice Fact Sheet Recommendations

The DoJ has released a fact sheet to provide guidance for employers in avoiding discriminatory practices.  This document states that employers generally should not use national origin, citizenship, or immigration status as criteria for employment unless stipulated by a regulation, law, executive order, or government contract.  It further advises that citizenship, immigration status, or national origin requirements not be mentioned in job advertisements.

It states that the ITAR or EAR should not be used to limit jobs because of citizenship, national origin, or immigration status, and that employers and job candidates should understand that the U.S. Person definitions include more than natural-born citizens.  U.S. Persons and Foreign Persons are defined under the ITAR and EAR as follows:

ITAR U.S. Person Definition

A person who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization, or group that is incorporated to do business in the United States. It also includes any governmental (Federal, state, or local) entity. It does not include any foreign person as defined in § 120.63. A citizen of the United States is a U.S. person.

EAR U.S. Person Definition

Any individual who is a citizen of the United States, a permanent resident alien of the United States, or a protected individual as defined by 8 U.S.C. 1324b(a)(3); any juridical person organized under the laws of the United States or any jurisdiction within the United States, including foreign branches; and any person in the United States.

ITAR Foreign Person Definition

The ITAR definition of foreign person is delineated in 22 CFR 120.63.  It states that a foreign person is:

Any natural person who is not a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society, or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments, and any agency or subdivision of foreign governments (e.g., diplomatic missions).

EAR Foreign Person Definition

“Foreign person” is synonymous with “foreign national,” as used in the International Traffic in Arms Regulations (22 CFR 120.16). This definition does not apply to part 760 of the EAR (Restrictive Trade Practices or Boycotts).

Proper Use of I-9 Form

Form I-9 is used to review documentation to assess whether a person has permission to work in the United States.  The form is not intended for export compliance assessments.  Employers are not allowed to limit a person’s choice of documents from the Lists of Acceptable Documents, require more or different documents than are necessary for the determination, or reject valid documentation.  Organizations that engage in these practices are potentially violating the INA.

Department of Justice Best Practices

The following are recommended best practices when making assessments for export compliance purposes:

  • Only perform assessments for employees who will work with controlled items.
  • When requesting documentation for employees who require export compliance assessment, inform them of the purpose of the assessment.
  • Maintain separate procedures for Form I-9 and export compliance assessments.
  • Do not use Form I-9 documents as proof of citizenship.
  • Do not make notes on Form I-9 documents with regard to export compliance.
  • Store export compliance documents separately from Form I-9 documents.
  • Ensure that personnel handling onboarding processes are properly trained on citizenship-based discrimination.
  • Explain the separation between Form I-9 and export compliance processes.

CVG Strategy Export Compliance Management Programs

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

A well-developed export compliance program can help in integrating export law and immigration discrimination regulations.  Such a program defines policies and procedures that harmonize regulatory requirements in a manner that can be regularly reviewed and improved.


CUI Document Marking Requirements and CMMC 2.0


Controlled Unclassified Information (CUI) document marking requirements apply to a wide range of users who access information related to the U.S. government. CUI is unclassified information that requires safeguards or dissemination controls in accordance with governmental regulations and policies. CUI is categorized into 20 “Organizational Index Groupings” to address sectors such as Defense, Export Control, Legal, and Immigration. Each of these groupings is further divided into 124 specific “CUI Categories”.

CUI designated information can be shared for lawful government purposes only. Each agency can place additional limits on the dissemination of CUI beyond this scope. There are ten classifications of Limited Dissemination Controls, each with its own marking. For example, information designated for federal employees and contractors only is to be marked “FEDCON”.

Department of Defense CUI Marking Requirements

The Department of Defense (DoD) has requirements for the marking of the various types of CUI for government contractors and organizations in the defense industrial base. Information covered under these requirements includes information associated with DoD contracts, work products, and emails. Classified information, and information not created by or under the control of the U.S. Government, does not qualify as CUI.

The CUI designation replaces the DoD’s legacy For Official Use Only (FOUO) marking as an interagency standardized approach to information controls. CUI categories for defense include:

  • Controlled Technical Information
  • DoD Critical Infrastructure Security Information
  • Naval Nuclear Propulsion Information
  • Unclassified Controlled Nuclear Information – Defense

CMMC Requirements

DoD contractors under DFARS 252.204-7021 are now required to achieve Cybersecurity Maturity Model Certification (CMMC) to protect CUI.  The current version, CMMC 2.0, utilizes NIST SP 800-171 to establish minimum requirements and guidelines for this protection.

NIST SP 800-171 includes CUI document marking requirements.  The standard states that visually identifying CUI is a basic tenet of information security, so that authorized users understand which handling controls to apply.  Labeling is identified as the use of security attributes for internal system data structures. Labeling is to be applied to digital media and to non-digital media such as paper and microfilm.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creating internal auditing processes, and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.


Managing an Export Compliance Program


Managing an Export Compliance Program (ECP) properly ensures its effectiveness.  These programs are essential to the sustainability of a business.  However, any plan, no matter how well conceived, is only as effective as its execution.

Planning the Export Compliance Program

Specific requirements for an Export Compliance Program are contingent on the types of products an organization exports, the size of the organization, the number of exports, where articles are to be exported, and the end-use of the exported items.  Each product or service to be exported should be classified to determine the United States Government agency responsible for regulating the export.

The Directorate of Defense Trade Controls (DDTC), under the jurisdiction of the Department of State, controls defense articles and services categorized on the United States Munitions List (USML).  These items are regulated under the International Traffic in Arms Regulations (ITAR).

The Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce administers the Export Administration Regulations (EAR).  The EAR control the export of commodities enumerated in the Commerce Control List (CCL) with a unique Export Control Classification Number (ECCN).  Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item. 

Program Creation

A properly designed export compliance program should be tailored to the unique requirements of the business.  These requirements include the size of the business, the percentage of sales that are export controlled, and the expected growth of the organization.  The plan should be kept current with changes in regulations and should include procedures to handle compliance issues.

Essential Elements of an ECP

Requirements for managing an Export Compliance Program vary between these two agencies, and organizations should refer to current requirements to create and maintain their program.  However, the following key elements are critical for any program.

Management

The management team has ultimate responsibility for the ECP.  As such, it should create and maintain a program, provide sufficient resources for its functions, and communicate its commitment through a written policy statement.  Once the program is initiated, management should regularly review and update it as required for its proper function and foster a culture of compliance within the organization.

Management should also appoint and train Empowered Officials (EO) and Export Compliance Officers as required.  These officers are responsible for overseeing activities of the program including classification, licensing, and restricted party screening.

Registration

Registration with the DDTC is a requirement for organizations falling under the ITAR.  Program documentation should include instructions for registration and maintenance of registration.

Risk Assessment

Processes should be in place to assess risks associated with:

    • Exporting a controlled item without a required export license
    • A deemed export caused by the unauthorized release of sensitive information or controlled technologies
    • Servicing of items outside of the United States

Restricted Party Screening

It is the responsibility of the exporter to ensure that exports do not end up in the hands of prohibited end-users.  Procedures should be in place to verify the legitimacy of the buyer, obtain end-use statements, screen all involved parties against denied parties lists, and ensure that shipping documentation notifies all parties of the controlled nature of the export.

Record Retention

Documents pertaining to export activities should be retained for a minimum period of five years.  For electronic documentation, care should be taken to ensure the confidentiality, integrity, and availability of the information.  Specific roles and responsibilities for maintaining these records should be assigned.

Training

Any Export Compliance Program is only as resilient as its weakest link.  Training is mandatory for all members of an organization who are involved with controlled items.  This training should provide job-specific knowledge, communicate responsibilities, and impart accountability for compliance.  It should be periodically repeated to reinforce knowledge and update personnel on changes in regulations or policies.

Audits

The export compliance program should be regularly audited to assess its effectiveness.  Audits should be conducted on specific functional levels as well as the program level.  While these audits can be conducted internally, it is considered a best practice to conduct an audit with an outside auditor.

Handling Export Violations and Taking Corrective Actions

Violations can occur even in a well-executed export compliance program.  In the event of a violation, procedures should be in place to address the investigation, corrective action processes, and voluntary disclosure.  An organizational culture should be in place that encourages employees to report suspected violations and ensures a safe environment for doing so.

Compliance Manual

Elements of the Export Compliance Program should be detailed in a manual that is available to all employees.  This manual should stress the importance of compliance to the organization and provide a summary of relevant export laws and regulations.  It should explain the functions of the compliance program and identify roles and responsibilities within the program.

The manual should reference policies and procedures necessary for the performance of functions within the program and contain necessary templates for communicating with relevant agencies.  This manual should be updated regularly in response to changes in regulations, organizational knowledge obtained in maintaining the program, and vulnerabilities and key risk areas identified in program review processes.
