Karlton Johnson Chairs CMMC Accreditation Body

Karlton Johnson leads CMMC

Karlton Johnson chairs CMMC-AB after serving as interim since September of 2020. The accreditation body can now continue its efforts to accredit sufficient assessors to certify the cybersecurity maturity of Department of Defense contractors. The body had faced a challenge when, on September 2, 2020, two members of the Cybersecurity Maturity Model Certification Accreditation Board were voted off in the midst of a conflict-of-interest controversy involving a pay-to-play strategy.

Background on Karlton Johnson

Karlton Johnson, a decorated combat veteran, served as the Chief Information Officer (CIO) for the Multinational Security Transition Command-Iraq, building ICT capabilities for a variety of agencies of the Iraqi government. He then went on to serve as the senior U.S. cyber executive for South Korea. In 2014 Johnson retired from the United States Air Force after 26 years of service as a Colonel.

After military service, Johnson moved to the private sector, where he specialized in overseeing large-scale initiatives from the concept phase to full implementation. More recently, Johnson served first as vice chair of the accreditation body CMMC-AB and then, since September 2020, as the acting chair.

Challenges Moving Forward

Now that Karlton Johnson chairs the CMMC-AB, it is expected that stability on the board will ensue.  This is based on numerous supportive statements of fellow board members.  This stability will be required to successfully provide accreditation for the large number of cyber security certified assessors needed for implementing CMMC for Department of Defense (DoD) contractors and subcontractors.  This must occur while CMMC requirements are still being finalized.

Background on CMMC

CMMC was created by the Office of the Under Secretary of Defense for Acquisition & Sustainment as an effective means of implementing risk-based management approaches to cybersecurity. It is a cooperative effort between the DoD and industry and is coordinated by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB).

The CMMC was enacted to place cybersecurity requirements on DoD contractors to achieve levels of cybersecurity maturity to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the defense industrial base supply chain. Katie Arrington is the current director of CMMC and has stated the necessity of creating an enterprise-centric solution for the protection of CUI.

Current Status of CMMC

As of this posting, an interim ruling, the DFARS 252.204-7012 Interim Rule, has placed immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors. Among the changes is a requirement for vendors to complete a security compliance assessment under the NIST SP 800-171 DoD assessment methodology. This assessment must be completed by the contractor before DoD contracts can be awarded.

This assessment is based on a scoring methodology of security requirements.  The methodology is comprised of three levels (basic, medium and high).  The interim rule requires a basic level self-assessment to be completed by the contractor. 

What Lies Ahead?

When the CMMC-AB approves the registration bodies, there will be a set of approved Third Party Assessment Organizations (C3PAOs). These third-party organizations are accredited by the official CMMC Accreditation Body and will then be authorized to conduct CMMC assessments and grant CMMC certifications.

CVG Strategy Can Help

Meeting cybersecurity requirements is proving to be a challenge for DoD contractors, especially smaller businesses involved in subcontracting. CVG Strategy can provide pre-assessment training, implementation and subject matter support.  We can also provide integrated solutions for CMMC implementation using proven business management approaches.

Military End User List Added to Export Admin. Regulations

Military End User List

BIS Adds Military End User List (MEU) to the EAR

The U.S. Department of Commerce announced on December 21, 2020 that the Bureau of Industry and Security (BIS) will add a Military End User List (MEU) to the Export Administration Regulations (EAR). The MEU can be found in supplement 7 to part 744. The list’s first tranche of entities includes one hundred and three military end users, which are from China, Russia, or Venezuela.

Entities listed as Military End Users, as defined in § 744.21, are considered to be directly related to the national armed services of their respective nations.  As such, exports, reexports, or transfers (in country) destined to these entities will require a license due to unacceptable risk of diversion to a military force.  Applications submitted for license to MEUs will be reviewed with a presumption of denial.

This action by the BIS will assist exporters by notifying them of known entities for which export will likely be prohibited. It does not, however, imply that entities not on the list are cleared. Parties involved in export, reexport, or transfer of goods must still exercise due diligence in ensuring that they are not doing business with military end users.

MEU Revised to Add Skyrizon

On January 14, 2021, the Bureau of Industry and Security announced that the Chinese National Offshore Oil Corporation (CNOOC) had been added to the Entity List for intimidation of China’s neighbors in the South China Sea.

It was also announced that Skyrizon had been added to the Military End User List for its continued efforts to acquire foreign military technologies. Those efforts are seen as a direct threat to U.S. national security and foreign policy.

Further MEU Revisions

The End-User Review Committee, which is comprised of representatives from the Department of Defense (DoD), Department of State, Department of Energy, Department of Commerce, and the Treasury, will convene to add entities to or remove them from the MEU. Parties named on the MEU will have the opportunity to file petitions explaining why they are not military end users or affiliated with military end users.

Related EAR Actions Concerning China

Removal of Hong Kong as Separate Destination

The creation of the MEU was concurrent with the removal of Hong Kong’s status as a distinct EAR destination. On the same day as the MEU announcement, the Federal Register announced that it had implemented amendments to Sections 2 and 3 of Executive Order 13936, which removed Hong Kong’s special status.

This effectively places the region on the same status as the People’s Republic of China, Country Group D, and curtails the export of sensitive U.S. technologies to the region. These actions were taken because China’s actions toward Hong Kong have undermined the Hong Kong Special Administrative Region’s (HKSAR) autonomy. Here again the risk of export to Communist Chinese Military Companies was the overriding concern.

Department of State Sanctions on Fourteen Individuals

On January 22, 2021, the State Department announced that fourteen individuals who are or have been involved in the implementation of China’s National Security law undermining Hong Kong autonomy are subject to blocking of properties or interests within the United States.

Conclusions Concerning the MEU

The international political stage is in a very dynamic state as China and Russia continue to engage in hostile actions.  The MEU provides the U.S. government with an effective tool for exposing entities engaged or cooperating in those actions.  As such it serves as a notification to those entities of the immediate consequence of those actions.  It also serves as an additional tool for businesses engaged in export, reexport, or in country transfers to screen prospective customers.

CVG Strategy Export Compliance Expertise

CVG Strategy consultants can tailor an export compliance program that meets your organization’s specific requirements.  We have extensive experience in ITAR, EAR, Anti-Boycott Regulations, Export Control Classifications, and the Canadian Controlled Goods Program (CGP).  We provide a number of services to businesses of all sizes including: Export Compliance Training, Technical Assistance Agreements, and answering your export compliance questions.