Companies Added to Entity List for Building Military Islands


The Bureau of Industry and Security added 24 companies to the Entity List for their involvement in constructing artificial military islands for the Chinese military.  China has been building these islands since 2013.  This announcement was made by the U.S. Department of Commerce on August 26, 2020.

The islands have been condemned by the United States and nations in the South China Sea.  The islands allow for the military control of some of the busiest shipping lanes in the world.

International Reaction to China’s Island Building

The World Court ruled that the building of islands violated the sovereign rights of the Philippines, because the Chinese military islands have interfered with the Philippine fishing and petroleum industries.  This ruling has been supported by Japan, Vietnam, and Australia, which also contest China’s assertion of claims to the waters.

Companies Added to Entity List

A number of Chinese companies have been added to the Entity List of late.  Most of these have been high-tech companies.  This has been partially the result of China’s actions with regard to Hong Kong and cybersecurity concerns about the products of companies like Huawei.  This latest group, however, includes companies involved in construction and dredging.

What is the Entity List?

The BIS uses the entity list to restrict the export, re-export, and transfer (in-country) of items subject to the Export Administration Regulations (EAR).  These restrictions can apply to individuals, organizations, or businesses.  Restrictions are applied to entities that are involved in activities contrary to the national security or foreign policy interests of the United States.  As a result, exports to those on the list are significantly limited. 

Effect of BIS Ruling on U.S. Businesses

Companies added to the Entity List are subject to export restrictions.  It is the responsibility of all businesses in the United States to comply with all export law.  To fulfill these requirements it is necessary to conduct an Export Control Classification of items to be exported. 

This classification should begin with an examination of the United States Munitions List, which categorizes military articles and services controlled by the International Traffic in Arms Regulations (ITAR).  If the item is not covered under ITAR, it should next be categorized by its Export Control Classification Number (ECCN), which is controlled by the Export Administration Regulations (EAR).

Restrictions may still apply even if an item does not fall under these classifications.  These restrictions can be the result of sanctions.  They can also apply to exports destined to parties on the Entity List.

CVG Strategy Export Compliance Consultants

Complying with ever-changing export laws is complicated.  Not complying with these laws and regulations can result in severe fines, penalties, and even imprisonment.  CVG Strategy can help you develop an export compliance program.  We can also provide the training essential to keeping your entire team current on all parts of these important regulations.

Military Cybersecurity Strategies Applicable for Businesses


Military cybersecurity strategies have developed in the last decade.  General Paul Nakasone, Commander of United States Cyber Command and Director of the National Security Agency, recently shared his perspectives on how to approach cyberspace in Foreign Affairs magazine.

Employing Proactive Cybersecurity Approaches

Cyber Command was established in 2010 to protect military operations networks from cyber attacks.  Since that time the organization has moved away from reactive strategies to provide information security to the Department of Defense.  It has moved beyond securing network perimeters to actively hunting for malware.  As a result, the agency’s protection teams have developed the ability to detect, quarantine, and eject intruders from its networks.

Zero Trust Cyber Strategy

Cyber Command utilizes a zero trust approach to cyber security.  This approach is widely embraced in the cyber security community. Zero trust architecture secures data by inspecting all network traffic.  It works on an assumption that all connections to the network are hostile. 

As General Nakasone stated, “We aim to prevent toeholds from turning into beachheads so that a single compromise will not threaten the military’s ability to accomplish its mission.”

Cultivating an Accountability Mindset

An accountability mindset is being promoted among military commanders.  This mindset treats military cybersecurity strategies as an essential requirement and not an afterthought.  Because of this, leadership must now consider cybersecurity as a mission-critical component in any undertaking.  This “command-centric” perspective gives commanders improved comprehension of threats and necessary measures to counter them.

Lessons to be Learned From Military Cybersecurity Strategies

Businesses can learn much from studying military cybersecurity strategies.  The private sector is under increased threat from actors who seek to compromise data and endanger critical infrastructure.  Many military cyber strategies are beyond the scope of business enterprises.  However, much can be accomplished by maintaining a proactive cyber security stance.

Holding management accountable for cyber security requirements, maintaining vigilant detection and response, and employing zero trust strategies are all effective measures.

CVG Strategy Cyber Security Consultants

CVG Strategy can help your organization develop and maintain effective Information Security Management Systems (ISMS) that are tailored to your organizational requirements.  Our experts can create ISO 27001 and NIST 800-171 systems that provide security architecture, detective controls, and preventative controls.  We can also help you prepare for Cybersecurity Maturity Model Certification (CMMC).  Contact us today to see how we can help.

Training Requirements for ITAR – Knowledge is Power


Training requirements for ITAR (International Traffic in Arms Regulations) are often overlooked by companies working with defense articles and defense services.  In truth, the day-to-day challenges of developing product, conducting testing, advancing sales opportunities, and meeting deadlines consume most of our time.  The reality, however, is that well-designed and well-intentioned export compliance programs are only as effective as the weakest team member.  As a result, infractions can occur that can endanger the success of our enterprises.

Technical Data

A major vulnerability for any compliance program is the handling of technical data.  This data is available to most members of a company’s personnel.  It includes information dealing with the design, manufacture, testing, repair, quality control, or installation. 

Sharing this data in any manner with a foreign person is considered a deemed export.  If this transfer occurs without a license it is considered a violation under ITAR and Export Administration Regulations (EAR).  Therefore, all personnel should receive regular training to reinforce proper data management.

Training Requirements and Your Compliance Program

Export compliance programs change as businesses evolve.  Often changes are required as a result of program audits or voluntary disclosures.  These changes must, however, be put into practice to be effective.

These process and procedure changes must be communicated on a regular basis to all involved for a business to remain ITAR compliant.  Ineffective implementation of changes meant to address known inadequacies in a program can result in prosecution when violations are found. 

Changes in Export Regulations

There have been many changes in ITAR in 2020.  Changes will quite likely continue to take place in light of developments in international relations.  As often mentioned with regard to export regulations, “Ignorance of the law is not a defense”.  Keeping current with these developments is the responsibility of everybody in an organization, starting with the executives. 

Fines and prison sentences are certainly not to be taken lightly, but neither should the loss of reputation and trust among an organization’s customers and suppliers.

CVG Strategy and Export Compliance Training

Regular training is a requirement for all employees in an export compliance program.  This is a requirement by both the Bureau of Industry and Security (BIS) and the Department of Defense Trade Controls (DDTC). 

Our comprehensive and engaging course provides training that is of value to those with experience in export law because it allows them to keep current on changes in regulations and reinforces best practices for achieving compliance.  It also provides those new to export compliance with an overview of the involved agencies and laws so that they can understand how to access these regulations.

CVG Strategy understands the importance of ITAR training requirements.  We provide engaging, informative, and effective training for ITAR, EAR, and Canadian export regulations.  We can also help establish an effective export compliance program that meets your organization’s requirements.  Our experts can also provide audits to monitor your program’s performance and provide metrics for improvement.

Visit our ITAR store for badges, signs, and other items to assist in your facility security.  We also provide quick answers to any pressing export compliance questions you might have.

Course Description

This one-day ITAR Training Basics live webinar provides a fundamental overview of the U.S. International Traffic in Arms Regulations (ITAR) and the U.S. Export Administration Regulations.  It includes instruction and exercises on how to classify articles (product and tech data).  Additionally, it explains the key principles in the regulatory and statutory framework involved in export compliance.

Subjects covered in this training include:

  • ITAR and United States Munitions List (USML)
  • EAR and CCL (Commerce Control List)
  • How to Register with the DDTC
  • ITAR and EAR technical data controls
  • ITAR and EAR licenses
  • Compliance and enforcement
  • Transition of hardware and technical data from the Munitions List (USML) to the Export Administration Regulations (EAR)
  • Regulation of brokering activities
  • Two sections on how to classify articles
  • Use of classifications to organize necessary controls under US Law.

Arrests for Export Dual Use Violations Announced


The U.S. Department of Justice announced arrests for export dual use violations of Chong Sik Yu and Yunseo Lee.  These two individuals are executives of America Tecma Inc.  The charges involve exporting electronic components with military applications to Hong Kong and China.  They are also charged with conspiracy to commit wire fraud, bank fraud, and money laundering.

Efforts to Evade U.S. Export Controls

The arrests for export dual use violations occurred August 6, 2020.  Evidence including emails indicates that the defendants conspired with others to ship what they knew to be export-controlled items to Hong Kong and China.  These items included electronic components which are export-controlled under the Commerce Control List (CCL).  Yu and Lee allegedly sought to evade law enforcement by transshipping packages through South Korea and by using a separate company to send shipments to Hong Kong.

U.S. Committed to Strict Enforcement of Export Law

Assistant Attorney General for National Security John C. Demers was quoted as saying “The Department’s fight against illegal technology transfer to China is no more critical than in areas like those involved in this case — controlled items used in missile and nuclear technology.  We will do everything in our power to disrupt illegal exports like these that jeopardize our national security.  Together with the Commerce Department and all of our law enforcement partners, we will continue to protect our national security by preventing dual-use technologies from being sent abroad without the required licenses.” 

Dual Use and Export Administration Regulations

Export Administration Regulations (EAR) are administered by the Bureau of Industry and Security (BIS).  Items deemed “dual use” (applicable for military and commercial end use) are classified with an Export Control Classification Number (ECCN).  Because of this, export of these items is controlled.  As a result, authorization to export these items is based on the export control classification, where the item is going, who the end users are, and what the end use of the item will be.

CVG Strategy Export Control Expertise

CVG Strategy export control experts can help your organization establish effective export compliance programs.  We have assisted businesses with EAR and International Traffic in Arms Regulations (ITAR) for over a decade.  We can assist with export control classifications.  Our ITAR training provides interesting and engaging education that will keep your team up to date on the latest regulations.

Check out our ITAR store for signs, badges, and visitor guides to keep your campus secure.


Russian Cyber Espionage Malware


The National Security Agency and the Department of Defense have issued a warning about Russian cyber espionage malware known as Drovorub.  This malware provides file download and upload capabilities to external actors when deployed on a victim Linux system.  It utilizes a number of means of concealing itself once implanted and is resilient to rebooting.  Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU).

Recommended Mitigations

To mitigate Russian cyber espionage malware, the NSA has made the following recommendations:

  • System administrators should continually check for and run the latest version of vendor-supplied software for their computer systems.  This should include updating to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement. 
  • System owners are advised to configure systems to load only modules with a valid digital signature. 
  • UEFI Secure Boot should be activated to ensure that only signed kernel modules can be loaded.
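
The three recommendations above can be checked on a host with a short script. This is an added example, not code from the NSA advisory or from CVG Strategy; the file paths (kernel config under `/boot`, the `sig_enforce` sysfs parameter, the `SecureBoot` EFI variable) are common Linux defaults assumed here and may differ by distribution.

```shell
#!/usr/bin/env bash
# Added example: audit a Linux host against the three mitigations listed above.
# Every check takes its evidence as an argument, so it also works on files
# collected from another machine.

# Assumed default locations; adjust per distribution.
KCONFIG="/boot/config-$(uname -r)"
SIG_PARAM="/sys/module/module/parameters/sig_enforce"
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Mitigation 1: kernel release (as printed by `uname -r`) is 3.7 or later.
# Returns 0 = yes, 1 = older, 2 = unparsable release string.
kernel_at_least_3_7() {
    local release=$1 major minor
    case $release in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}
    minor=${release#*.}
    minor=${minor%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# Mitigation 2: only validly signed modules may load.
# Arguments: kernel config file, sysfs sig_enforce file, kernel command line file.
module_sig_enforced() {
    local config=$1 sysparam=$2 cmdline=$3
    # Compiled-in enforcement cannot be switched off at boot or runtime.
    if [ -r "$config" ] && grep -q '^CONFIG_MODULE_SIG_FORCE=y$' "$config"; then
        return 0
    fi
    # Runtime state of the running kernel: Y means enforcement is active.
    if [ -r "$sysparam" ] && [ "$(cat "$sysparam")" = "Y" ]; then
        return 0
    fi
    # Boot parameter, useful when only a saved /proc/cmdline is available.
    if [ -r "$cmdline" ] && grep -Eq '(^| )module\.sig_enforce(=1)?( |$)' "$cmdline"; then
        return 0
    fi
    return 1
}

# Mitigation 3: UEFI Secure Boot is on. efivarfs stores 4 attribute bytes
# followed by the value, so the fifth byte is 1 when Secure Boot is enabled.
# Returns 0 = enabled, 1 = disabled, 2 = variable not readable.
secure_boot_enabled() {
    local var=$1 value
    [ -r "$var" ] || return 2
    value=$(od -An -tu1 -j 4 -N 1 "$var" | tr -d ' \n')
    [ "$value" = "1" ]
}

# Run all three checks against the local host and report each result.
audit_host() {
    local failed=0 rel
    rel=$(uname -r)
    if kernel_at_least_3_7 "$rel"; then
        echo "PASS kernel $rel is 3.7 or later"
    else
        echo "FAIL kernel $rel is older than 3.7 or could not be parsed"; failed=1
    fi
    if module_sig_enforced "$KCONFIG" "$SIG_PARAM" /proc/cmdline; then
        echo "PASS module signature enforcement is active"
    else
        echo "FAIL unsigned kernel modules can be loaded"; failed=1
    fi
    secure_boot_enabled "$SB_VAR"
    case $? in
        0) echo "PASS UEFI Secure Boot is enabled" ;;
        1) echo "FAIL UEFI Secure Boot is disabled"; failed=1 ;;
        *) echo "FAIL Secure Boot state unreadable (legacy boot or efivarfs not mounted)"; failed=1 ;;
    esac
    return $failed
}

# Only touch the live system when asked to: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A non-zero exit status from `--audit` means at least one of the three mitigations is not in place on that host.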

Nation State Sponsored Cyber Espionage

China has been in the spotlight of late on the subject of state-sponsored cyber attacks.  This attention is well deserved.  China has been responsible for more than 90 percent of cyber espionage in the United States.  Furthermore, this activity has increased since the beginning of 2020 as tensions in trade have ramped up between the two countries.  China, however, is not the only player in this game.  Russia, North Korea, and Iran are major players as well.

Russia and China have both targeted organizations involved with coronavirus vaccine development in the United States, United Kingdom, and Canada.  This activity is widely believed to be an effort to steal intellectual property and disrupt organizations’ activities.  Of course, the medical community is not the only sector under threat.  Commercial, governmental, and defense-related cyber espionage is growing rapidly.  This results in losses in the trillions of dollars annually.

CVG Strategy

CVG Strategy provides cybersecurity solutions for businesses.  We can assist in establishing Information Security Management Systems (ISMS) that meet your organization’s requirements.  Our experts in ISO 27001 and NIST 800-171 provide effective consultant services.  We can also help you with CMMC Certification.  Contact Us to see how we can help.


Understanding MIL STD 810 and How to Use It


Understanding MIL STD 810 is essential for proper developmental evaluation of the environmental effects on equipment.  CVG Strategy has been helping our customers use this valuable standard to create test programs for over a decade.  In this time we have seen a number of commonly held misconceptions about the standard and how to use it. 

What is MIL STD 810?

MIL STD 810 is used to evaluate the influences of environmental effects on equipment during all phases of its life cycle.  It includes 29 methods for analysis of those effects.  These methods include climatic (temperature, humidity, solar, etc.) and dynamic (e.g. vibration, shock, pyroshock).  With the exception of one of these methods, there are no established severities or pass/fail criteria.  Why?  Because these variables are dependent on the type of equipment being tested and where it is to be used.  Using high temperature as an example; the appropriate high temperature for equipment intended for a vehicle crew compartment is very different than one for an engine compartment or the exterior of a supersonic aircraft.

How to Use the Standard

The secret to using MIL STD 810 is in the seldom-read Part 1 of the standard.  Part 1 establishes a process for evaluating the relevant environmental stressors likely to be encountered in the product’s lifetime.  This includes storage, transport, and operational configurations.  It provides a tailoring process to create realistic design parameters and test methods.

One tool that this tailoring process entails is the creation of a Life Cycle Environmental Profile (LCEP).  This process identifies all the environmental stresses from shipping dock to end of life.  Metrics can then be fed into an Environmental Issues/Criteria List (EICL) that can be used as design and test parameters.  When measured data for a given stress is known, that data should be used.  When a value is not known, guidance is provided in the standard for realistic evaluation based on climatic and measured dynamic variables.

Developing a Plan

The first task is to create a Test and Evaluation Master Plan (TEMP) that outlines all the testing to be performed.  This can include multiple tests for each method.  Using high temperature again as an example,  it is often prudent to perform testing for transport, storage and operational tests, each with its specific values and temperature profiles.  Each of these tests should have a Detailed Environmental Test Plan (DETP) to exactly specify how the test is to be conducted.  This description should include required operational tests, data to be recorded, and pass/fail criteria.  People often ask test labs to create test plans.  This is not the best solution as the lab does not have a thorough understanding of the equipment and cannot perform the LCEP and EICL steps of the tailoring process.

Operational Testing and MIL STD 810

MIL STD 810 has, with increasing intensity, stressed the importance of operational testing.  Climatic and dynamic stressors can often cause intermittent failures of equipment.  It is therefore of great importance to create operational testing that exercises all modes of operation.  It is also important to create equipment that can monitor the equipment and capture those failures.  This process is one that is often overlooked.  As a result, testing performed does not provide substantive evaluation of the test item.

CVG Strategy Can Help

We provide a variety of services to help you garner the most from your test and evaluation program.  CVG Strategy offers webinars to increase your understanding of MIL STD 810.  These courses stress the importance of the tailoring process and empower you to create appropriate test programs.  We can create LCEPs and EICLs that reflect your product’s needs.  We provide EZ-Test Plan Templates for product segments such as Ground Mobile, Shipboard Controlled, and Aircraft Military.  Our test and evaluation experts can also create custom test plans for your product requirements.

To assist your product development during this Covid-19 crisis we offer test program management and test program witnessing.  This frees your team from travel requirements and ensures that testing is performed as specified.  CVG Strategy is partnered with labs in the Florida area to help you. 

Contact Us today to see how we can help you.


Manufacturing Technology and Quality Management


The Only Constant is Change in Manufacturing

Advances in manufacturing technology are affecting quality management strategies.  Companies are reassessing their manufacturing requirements, and many are reshoring to the United States.  According to studies conducted by the McKinsey Global Institute, the United States could boost annual manufacturing by as much as 20% by 2025.  To accomplish this, manufacturing processes must utilize technology to create better products with higher efficiency and lower costs.  As a result, quality management systems must evolve to embrace the changes advanced technologies will bring.

New Frontiers in Manufacturing Technology

There are many emerging technologies that will affect industry in the coming years.  These technologies will allow for higher quality production with increased process control.  This increase in automation will result in a smaller, more capable workforce.  Some of these advancing technologies include:

  • Automated CNC.
  • Analytics and machine learning.
  • Precision robotics for assembly and quality inspection.  The number of industrial robots in the U.S. increased by more than 15% last year.
  • Additive manufacturing technologies such as 3-D printing.
  • AI for real-time monitoring and control of processes and asset maintenance.
  • Internet of Things (IoT) sensors for process control and maintenance monitoring.
  • Advances in human/machine interfaces such as Extended Reality (XR) to present data in a spatially relevant perspective.

New Perspectives for Quality Management

As the manufacturing floor changes so too must approaches to quality management.  An important step will be to implement quality as an organization-wide function.  This will require a transition from a silo perspective to one that will provide collaborative exchanges among all stakeholders.  Quality will also have to be much more action based to respond to increases in capabilities of data capturing and analytics.  This enhanced feedback will ensure more timely continuous improvement processes.

Responding to Risks

Intelligent change must identify and mitigate risks.  Because all of the technologies mentioned here are vulnerable to cyberattacks, effective cybersecurity to prevent industrial espionage and theft of intellectual properties should be implemented.  Information Security Management Systems (ISMS) are excellent mechanisms for accomplishing this.  They ensure that risks are identified, mitigation processes created, and incident response procedures are in place.

CVG Strategy

CVG Strategy understands the importance of manufacturing technology and quality management.  We support development of manufacturing in the U.S.  We offer consultant services for quality management systems that fit your organization’s requirements.  Our consultants provide expertise in ISO 9001:2015 and AS9100.  We also provide services for ISMS cybersecurity solutions including ISO 27001 and NIST 800-171.  Contact Us today to see how we can help.

Ransomware a Growing Problem for Businesses


Ransomware is a growing problem for organizations.  The rate of increase in incidents is skyrocketing in governmental agencies and small to medium businesses.  The Cybersecurity and Infrastructure Security Agency (CISA) estimates that a ransomware incident occurs every 14 seconds.  While the average costs of ransoms are increasing, the real cost to an organization is downtime and loss of reputation.

What is Ransomware

Ransomware is malicious code that denies access to data stored on a computer or system.  Access to data is denied until a ransom is paid in cryptocurrency.  There is no guarantee that data will be restored once ransom demands are met.  Because ransomware is typically spread by phishing emails or visits to infected sites, it is difficult to mitigate through IT solutions alone.  Effective preventive measures require organizational awareness and regular training of all personnel.

Recent Incidents of Ransomware in the News

  • The Washington Times reported that The George W. Bush Presidential Center was hacked on August 1, 2020.  A ransom was paid by Blackbaud, a third-party data management service, to retrieve unencrypted donor data.
  • The city of Lafayette, Colorado was hacked on August 5, 2020.  As a result, city emails, phones, and online payment portals were disabled until a $45,000 ransom was paid.
  • Canon confirmed that it was hit with a ransom for their photo and video storage service on August 6, 2020.  This resulted in the site being down for over six days.

Precautions and Mitigations

CISA recommends that users keep software and operating systems up to date.  It advises that data backups be performed on a regular basis.  It also advises users not to click on attachments in unsolicited emails and to practice safe internet browsing habits.  These are excellent recommendations but difficult for an organization to effectively implement.

Effective protection of data requires the implementation of an Information Security Management System (ISMS).  ISMS such as ISO 27001 and NIST 800-171 incorporate risk assessment and incident management plans and procedures.  They also include asset management and scheduled training for all personnel.

CVG Strategy is aware that ransomware is a growing problem and is committed to helping organizations protect themselves and their data.  Our consultants can tailor an ISMS that meets your organization’s requirements.  Contact Us today to see how we can help.

Electronics Supply Chain Challenges for U.S. Companies


Supply Chain Challenges in a Changing Global Market

COVID-19 has introduced additional electronics supply chain challenges.  This is especially the case for the electronics industry.  As a result companies will have to:

  • Reconsider product designs. 
  • Develop new procurement strategies.
  • Provide effective risk management for data security.
  • Further guard against counterfeit parts.

Electronic products require a large volume of components.  These components are being produced all over the world.  In the last forty years, manufacturing has been established where labor is the cheapest.  China is a country that has exploited this opportunity to create immense economic growth.  Unfortunately, it has often done this by using forced labor and creating environmental hazards.  It has also conducted cybercrime to steal intellectual materials to further its growth. 

In light of China’s actions during this crisis, the U.S., E.U., and the United Kingdom are invoking tariffs and bans.  As a result, many product sectors that China has dominated will be in short supply.  Semiconductors and lithium ion batteries are products of special concern.  Legislation in the United States, such as the CHIPS for America Act, is attempting to strengthen and secure a stable domestic supply line.

Supply Chain Cyber Crime

The supply chain has always been a vulnerability for information security.  It is often difficult to identify and mitigate risks when multiple organizations are working together.  Because of this, counterfeit products, tampering, theft, and insertion of malicious software and hardware can result.  These incidents have historically increased during times of component shortages.

As the National Institute of Science and Technology (NIST) has consistently reported, organizations are at increased risk of compromise through their supply lines.  These attacks are often carried out by nation states such as China, Russia, and North Korea. 

Quality and the Supply Chain

Prompt delivery of quality product is threatened by an inconsistent supply chain.  Risk assessments of a new design’s ability to be manufactured should be taken into consideration.  Enhanced product quality testing should be planned for to mitigate the release of product with counterfeit components. 

CVG Strategy Solutions for Electronics Supply Chain Challenges

CVG Strategy offers quality and cybersecurity solutions to businesses of all sizes to help guide you through electronics supply chain challenges.  We provide consulting in ISO 9001 and AS9100D quality management systems.  We also specialize in helping organizations establish effective Information Security Management Systems (ISMS) to protect your vital information.