DFAR Amendment for Contractor Implementation

Air Force Senior Airman James Kennedy

The Department of Defense (DoD) has proposed a Defense Federal Acquisition Regulation Supplement (DFAR) amendment for contractor implementation of Cybersecurity Maturity Model Certification (CMMC). DFARS case 2019-D041 was first published in September 2020 with an effective date of November 20, 2020 to allow for the development of CMMC 2.0. CMMC 2.0 establishes a framework for assessing how well contractors implement the cybersecurity requirements that protect Controlled Unclassified Information (CUI) in the defense industrial base supply chain.

Proposed Rule Changes

The proposed rule changes include requirements for contractors to achieve and maintain a requisite level of CMMC security for the duration of a contract. The contractor will be required to annually affirm continuous compliance with security requirements for all information systems used in the performance of the contract that store, process, or transmit Federal Contract Information (FCI) or CUI, and to report any changes or incidents within 72 hours.

The changes include requirements for contracting officers to require that the results of a current CMMC certification or self-assessment be at a minimum level before a contract can be considered. These required levels are to be provided to offerors through the Supplier Performance Risk System (SPRS). Apparently successful offerors will then be required to provide applicable DoD Unique Identifications (UIDs) for all FCI or CUI information systems. Offerors will not be eligible for award of a contract if they do not have a CMMC certificate or self-assessment entered into the SPRS.

In addition, contractors must flow down a contract clause detailing the requirements of this DFAR in contractual documents to lower-tier subcontractors and suppliers to ensure information security throughout the supply chain.

Public Comments in Response to Rule Changes

As has been the case since the initial roll-out of CMMC, concern has been raised about the impact of these rules on the small businesses that make up a significant percentage of the DoD supply chain. The DoD has responded to this concern by pointing out that CMMC is to be implemented in a phased roll-out and that these requirements are expected to apply to only about one thousand small businesses in the first year.

Various comments inquired as to how contractors are to know what CMMC requirements are.  The responses stated that requirements will be identified in the solicitations and contracts unless the contract is exclusively for Commercial Off the Shelf items (COTS).

There was some concern as to a uniform definition of Controlled Unclassified Information.  The DoD is referring concerned parties to CFR Part 2002 Controlled Unclassified Information (CUI) for clarification.

Phased Implementation of CMMC

The phased implementation of CMMC is expected to take three years, during which a number of phases will be implemented. Emphasis will be placed on CMMC levels one and two in the initial phases, with the DoD including level three requirements later on. There have been numerous alterations and pauses in this process, and the end results will have consequences for many organizations.

CVG Strategy Information Security Management System Consultants

To help businesses meet the challenges of the DFAR amendments for contractor implementation, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creating internal auditing processes, and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy also provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

Suit Filed Against Georgia Tech by U.S. Government

Photo by panumas nikhomkhai

A suit filed against Georgia Tech by the United States Government alleges that the university’s affiliate, Georgia Tech Research Corporation (GTRC), knowingly failed to meet its cybersecurity requirements for the Department of Defense (DoD). The suit was initiated by a whistleblower complaint from members of Georgia Tech’s cybersecurity team.

The lawsuit alleges that the Georgia Institute of Technology’s Astrolavos Lab failed to institute a System Security Plan, as stipulated in DoD cybersecurity regulations, until 2020. When a System Security Plan was finally initiated, it failed to include all information assets in its scope. Additionally, the lab, in violation of its own cyber policies, refused to install antivirus software on laptops, desktops, and servers at the demand of the professor who headed the lab. The lawsuit further alleges that false cybersecurity assessment scores were submitted to the DoD by Georgia Tech and the GTRC.

The suit was filed under the False Claims Act, which was created as a mechanism for private parties to file suits on behalf of the federal government and to receive a share of any recoveries. The Civil Cyber-Fraud Initiative was designed to identify contractors that fail to protect confidential information or protected government secrets.

Importance of Safeguarding U.S. Information

In comments regarding the issue, U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia stated that the government expects contractors to meet the cybersecurity requirements in their contracts and grants regardless of the size of the organization or the number of contracts involved. The case is being handled by the Justice Department’s Civil Division, with Senior Trial Counsel Jake M. Shields and U.S. Attorney Adam Nugent and Melanie Hendry.

Academia Facing Challenges in Security

Universities have been facing a growing number of issues with cybersecurity and export compliance regulations from the federal government. There have been multiple violations of export regulations that have led to Voluntary Self-Disclosures to the Bureau of Industry and Security (BIS). These have included unauthorized exports of biohazards, genetic materials, and information regarding aerospace propulsion and telecommunications.

CVG Strategy Cybersecurity 

As the suit filed against Georgia Tech Research Corp. shows, the U.S. government is serious about protecting CUI. CVG Strategy information security consulting services help organizations develop comprehensive programs to meet U.S. government cybersecurity requirements. We can assist in establishing customized programs to address:

  • NIST 800-171
  • CMMC 2.0
  • NIST 800-161
  • NIST 800-53

We can also provide training to make your entire team aware of cyber threats, keep them informed of best practices, and familiarize them with the specific policies of your organization. Additionally, we can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

CVG Strategy is committed to the goals of CMMC in securing our defense manufacturing supply chain’s information. As industry leaders in cybersecurity, ITAR, and risk-based management systems, we understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

AUKUS Defense Trade Moves Forward

Courtesy Australia Department of Defense

The U.S. Department of State announced on August 15, 2024 that progress had been made in the AUKUS defense trade integration. This has resulted in an interim final rule amendment to the International Traffic in Arms Regulations (ITAR) that will facilitate billions of dollars in secure license-free defense trade between Australia, the United Kingdom, and the United States. The Department of State will now implement a 90-day public comment period to allow industry to provide refinements to the rulemaking process.

Results of New ITAR Rules

These AUKUS defense trade rule changes were implemented largely due to revisions Australia put in place to strengthen its export policies with regard to military articles and technologies. Under the new rules most military goods will be able to be shared between the three countries. This will shorten the approval process for exports of ITAR articles and technology to AUKUS participants. Normally the Directorate of Defense Trade Controls (DDTC), which administers the ITAR, operates on a policy of denial for licensing, which has caused delays in processing exports.

The resulting exemption, defined in 22 CFR part 126.7, will go into effect on September 1, 2024. The exemption applies to transfers within the physical territories of the three countries to authorized users that are registered with the DDTC, a U.S. government department, or UK or Australian users identified in the DECCS system. The exemption will be allowed for most defense articles, with the exception of those items found in the Excluded Technology List (ETL). ETL items will include chemical, biological, and nuclear weapons, for which licensing requirements will stay in place.

AUKUS Background and History

AUKUS is a trilateral security partnership between Australia, the United Kingdom, and the United States that was initiated in 2021. Its initial priority was to facilitate the Royal Australian Navy’s acquisition of nuclear-powered submarines to address threats from China in the Indo-Pacific arena. The strategic partnership has also involved information sharing, counter-hypersonic technologies, cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities.

In May of 2024 the partnership published proposed changes to defense trade controls to create license exemptions for billions of dollars of cutting-edge defense technologies between the partner nations. A more complete easing of restrictions in export regulations was hindered by a perception of differences between the participant countries’ export control systems. The U.S. Department of State has now determined that the control systems of Australia and the UK are sufficiently comparable to move forward with the easing of restrictions.

AUKUS Revisions Affecting the EAR

Export Administration Regulations (EAR) control the export of commodities by prohibiting or placing licensing requirements on specific items. The term commodities can include software, technology, and intellectual property. The EAR are administered and enforced by the Bureau of Industry and Security (BIS). Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN). Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item.

The Bureau of Industry and Security (BIS) had published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers between the three countries. In May 2024 the BIS made corrections to footnote 9 of that publication. This change, while easing licensing and end-use requirements for most items, would leave in place license requirements for firearms-related items and other CCL items.

CVG Strategy Export Compliance Management Programs

AUKUS defense trade integration will ease export restrictions between the nations of the trilateral security partnership; however, export compliance remains a dynamic concern for businesses engaged in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you understand the ITAR and EAR and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team. Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help.

Academia Research Export Compliance Challenges

Photo by George Pak

The Bureau of Industry and Security (BIS) has released guidance on improving academic research export compliance programs. This guidance is based on recent trends in Voluntary Self-Disclosures submitted by academic institutions where Export Administration Regulations (EAR) violations occurred.

Voluntary Self-Disclosures

A Voluntary Self-Disclosure (VSD) is made when an organization recognizes that violations or suspected violations of United States export regulations have occurred. It is the responsibility of the organization to report such findings in a timely and transparent manner to the appropriate federal agency. The three major sets of U.S. regulations for export compliance are the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the regulations of the Office of Foreign Assets Control (OFAC).

The BIS encourages voluntary disclosures of potential violations of the EAR. When these disclosures are made in a timely and comprehensive manner with full cooperation, the BIS will substantially reduce civil penalties. This includes cases where controlled items or technology have been transferred, or transactions that have involved boycott violations.

Unauthorized Export of Biohazards

Several unauthorized exports of biohazards have occurred at universities due to a lack of knowledge of the specific export control requirements detailed in the Commerce Control List. A variety of microorganisms and toxins were thus exported, including Dengue-2 virus, pseudorabies virus strains, and genetically modified viruses.

Unauthorized Export to Parties on Entity List

Genetic materials and modified organisms, along with an element commonly used in nuclear reactor control rods, were exported to parties on the Entity List. The Entity List is a list of parties (persons, entities, and governments) for which trade restrictions are in place.

Deemed Export Violations

Academic institutions disclosed that unauthorized releases of EAR-controlled technologies had occurred in the areas of aerospace propulsion, telecommunications, and electronics. Analysis of the incidents pointed to a lack of awareness of deemed export regulations and insufficient controls.

Temporary Imports, Export, Reexports, and Transfers

Two voluntary self-disclosures involved improper use of TMP licenses for the hand-carrying of infrared cameras out of the country. TMP licenses are used for temporary imports, exports, and reexports of controlled items and have a limit of one year within which the article must be returned. Again, analysis showed a lack of understanding regarding the use of TMP licenses.

Electronic Export Information

A number of academic institutions reported that they had failed to file exports in the Automated Export System and had listed values of exports below actual cost. A lack of documented procedures and insufficient training were cited as causes for these incidents.

Recordkeeping

Three incidents involved failure to maintain accurate records of exports. Export records are to be maintained for a minimum of five years, though seven years is often recommended as a conservative measure. Insufficient training on the importance of recordkeeping practices was cited as the cause of the violations.

The Importance of Proper Training

Regular training is required by the Directorate of Defense Trade Controls (DDTC) and the BIS for all persons involved in an export compliance program. Export compliance is not just the responsibility of a few team members. In order to avoid violations of export regulations, every individual having access to or involved in the export of a regulated article or technology must be aware of these regulations and their responsibility to adhere to them.

CVG Strategy Export Compliance Management Programs

The BIS guidance on academic research export compliance illustrates the increasingly dynamic nature of export regulations. Organizations involved in export activities must therefore develop more substantive export compliance programs that keep in step with these changes.

Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and debarment from export activities. Aggravating factors for export enforcement include the lack of a documented and executed export compliance management program.

CVG Strategy can help you understand the International Traffic in Arms Regulations (ITAR) and the EAR and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team. Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help you develop robust solutions.

Integrating Physical Security Requirements for Businesses

Photo by Pixabay

Integrating physical security requirements is an area of growing concern for organizations of all sizes. Aside from ensuring basic safety for personnel and physical assets, businesses are faced with physical security requirements arising from cybersecurity and export compliance. This necessitates a non-siloed approach to an often overlooked management function.

Basic Physical Security Measures

Every organization should ensure that basic security risks are addressed to protect personnel, assets, and property. This includes not only security against human-instigated threats but also plans and mechanisms to protect property and life against acts of nature such as tornadoes and earthquakes. To address these, management should create and implement security policies and procedures.

Security Measures for Export Compliance

Businesses involved with the export of products that are controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR) are required to protect articles and associated technology from access by foreign persons. While the details of the required security are not specified, organizations must perform risk assessments, document necessary controls, perform audits, and detect and report violations.

Cybersecurity Requirements for Physical Environmental Protection

Cybersecurity is a requirement for most businesses, especially for those involved with export-controlled items. These requirements usually center on one or more NIST standards, including NIST SP 800-171, NIST SP 800-161, and NIST SP 800-53. For many, CMMC, which incorporates NIST SP 800-171, is a work in progress to meet Department of Defense contractual requirements for conducting business.

There are numerous provisions for physical and environmental security in these standards:

  • Policy and Procedure – Policies and procedures must be in place that provide scope, security strategy, implementation, and assignment of roles and responsibilities, and that define review and updates.
  • Physical Access Authorizations – Documented list of persons with authorized access.
  • Physical Access Control – Controlling ingress, egress, and sensitive areas to ensure that only authorized personnel can obtain access.
  • Access Control for Transmission – Control of physical access to system distribution and transmission lines within the facility.
  • Access Control for Output Devices – Prevention of unauthorized access to information output.
  • Monitoring for Physical Access – Monitor and review physical access.
  • Monitoring Physical Access – Intrusion alarms and surveillance.
  • Visitor Access Records.
  • Numerous controls for power, lighting, fire, environment, water, shipping, work sites, monitoring and tracking of assets, component marking, and electromagnetic pulse protection.

CISA Cybersecurity and Physical Security Convergence

The Cybersecurity & Infrastructure Security Agency (CISA) has released guidance on Cybersecurity and Physical Security Convergence. It cites a more resilient ability to reduce security risks and to respond better to security incidents when the Chief Information Security Officer (CISO) and Chief Security Officer (CSO) functions are converged.

Convergence case studies conducted between 2017 and 2020 showed improvements in communication, coordination, and collaboration when physical and cyber security functions were coordinated. This has been of special value in connected operating environments where Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are in use.

The short-term complications of enacting this convergence may seem daunting, but integrated threat management can result in more flexible and sustainable strategies and practices to prevent exposure of proprietary information, economic damage, exposure of controlled articles and technology, and loss of life.

CVG Strategy Information Security Management System Consultants

Integrating physical security requirements is a concern for organizations of all sizes. While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply. To help businesses meet the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

CVG Strategy Export Compliance Management Programs

Export compliance requirements are growing in complexity for businesses engaged in sales of items that are intended for international sale or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and debarment from export activities.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out in a way that prevents violations. They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand the ITAR and EAR and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team. Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help.

New Export Screening List for Diversion Risks

Photo by Mykhailo Volkov

The Bureau of Industry and Security (BIS) has issued guidance that recommends using a new export screening list as additional due diligence to prevent diversion risks. This new database, the Trade Integrity Project, has been released by the Open Source Center, which is based in the United Kingdom. The list focuses on entities involved in the diversion of goods related to the Common High Priority Items List (CHPL).

Common High Priority Items List

Since Russia began its invasion of Ukraine in January of 2022, the Department of Commerce has implemented stringent export controls through the Export Administration Regulations (EAR) to restrict Russian access to certain technologies. CHPL items include items designated in the CCL and certain EAR99-designated electronic component parts and assemblies. These Common High Priority Items include:

  • Tier 1: Items critical to the production of precision-guided weapon systems.
  • Tier 2: Dual-use electronic components associated with regeneration of voice, images, or other data, radar and radio navigation apparatus, tantalum capacitors, ceramic dielectric multilayer capacitors, and electrical parts.
  • Tier 3A: Electrical parts, certain passive components, antennas, cameras, transducers, photosensitive semiconductors, transistors, crystals, and components.
  • Tier 3B: Mechanical components used in Russian weapon systems.
  • Tier 4A: Equipment for the production, manufacturing, or quality control of electrical components, modules, or circuit boards.
  • Tier 4B: Computer Numerically Controlled (CNC) equipment and components.

Other Screening Lists

The United States Government maintains the Consolidated Screening List (CSL) as an online consolidation of multiple export screening lists.  The CSL is updated daily and includes tools that can optimize results such as a “fuzzy name search”.  These tools allow for searches without knowing exact spelling of names.  The CSL provides downloadable files that are date stamped to allow accurate record keeping.

The CSL includes screening lists from the Department of State, the Department of Commerce, and the Department of the Treasury. These lists are updated daily and include “fuzzy name search” capabilities that can match variations in spelling or names transliterated into English from non-Latin alphabets. Lists specific to the EAR include:

  • Denied Persons List – Entities and individuals that have been debarred from export transactions by the BIS.
  • Unverified List – Entities that the BIS has been unable to verify in previous transactions. If a party to a potential transaction is found on this list, it should serve as a “Red Flag” indicating a level of risk that must be addressed before proceeding with the transaction.
  • Entity List – If a party is found on this list, license requirements apply under the EAR.
  • Military End User (MEU) List – Parties on this list are subject to license requirements under supplement number 2 to part 744 of the EAR.

While the CSL provides some benefits to an organization, it does not provide automation or easy integration into business systems and databases. Private vendors supply Restricted Party Screening solutions that are affordable and modular. They can perform these screenings automatically and alert users to changes in status. They also provide more thorough searches across wider sets of lists than the CSL.
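As an added illustration of the fuzzy name screening described above (example code written for this page; it is not a tool from CVG Strategy, the CSL, or any screening vendor), the Python below screens a party name against a small constructed list. It strips diacritics and punctuation, drops corporate suffixes that carry no identifying information, and combines a character-level similarity ratio with token overlap so that surname-first orderings and transliteration variants such as "Ivanoff" for "Ivanov" still surface. The list entries, the list date stamp, and the 0.8 threshold are constructed assumptions, not values from any government list.

```python
import difflib
import re
import unicodedata

# Constructed sample screening list for illustration only; these are not
# real entries from the CSL, the Entity List, or any other government list.
LIST_DATE = "2024-01-01"  # assumed date stamp of the downloaded list file
SCREENING_LIST = [
    {"name": "Example Trading Company LLC", "source": "Entity List"},
    {"name": "Ivan Petrovich Ivanov", "source": "Denied Persons List"},
    {"name": "Northern Aerospace Components Ltd.", "source": "Unverified List"},
]

# Corporate suffixes that carry little identifying information.
SUFFIXES = {"llc", "ltd", "limited", "inc", "co", "company", "corp",
            "corporation", "gmbh", "sa", "plc"}


def normalize(name):
    """Lowercase, strip diacritics and punctuation, drop corporate suffixes."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", ascii_only.lower())
    return [t for t in tokens if t not in SUFFIXES]


def similarity(a, b):
    """Score in [0, 1]: the larger of character-level ratio and token overlap."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    # Character-level ratio catches spelling and transliteration variants.
    char_ratio = difflib.SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    # Token overlap catches reordered names (e.g. surname listed first).
    sa, sb = set(ta), set(tb)
    token_overlap = len(sa & sb) / max(len(sa), len(sb))
    return max(char_ratio, token_overlap)


def screen(party, screening_list=SCREENING_LIST, threshold=0.8):
    """Return candidate matches at or above the threshold, best score first."""
    hits = []
    for entry in screening_list:
        score = similarity(party, entry["name"])
        if score >= threshold:
            hits.append({"name": entry["name"], "source": entry["source"],
                         "score": round(score, 2)})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


def screening_record(party, screening_list=SCREENING_LIST, list_date=LIST_DATE):
    """Build a record suitable for retention: who was screened, against which
    dated list version, what matched, and whether manual review is needed."""
    hits = screen(party, screening_list)
    return {
        "party": party,
        "list_date": list_date,
        "hits": hits,
        "status": "review_required" if hits else "clear",
    }


if __name__ == "__main__":
    for name in ["Example Trading Co.", "Ivanov, Ivan Petrovich",
                 "Ivan Petrovich Ivanoff", "Acme Widgets Inc"]:
        print(screening_record(name))
```

A hit from this kind of matcher is a candidate for human review, not a determination: lowering the threshold widens the net at the cost of more false positives, so the cut-off should be set against the organization's tolerance for manual review. Retaining the record together with the date stamp of the list version used is what lets the screening be reconstructed later for the recordkeeping requirements discussed elsewhere on this page.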

CVG Strategy Export Compliance Management Programs

This new export screening list is yet another example of the increased complexity facing organizations involved in export. Export compliance remains a dynamic concern for businesses engaged in international trade. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you understand the International Traffic in Arms Regulations (ITAR) and the EAR and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team. Regardless of whether your business falls under the EAR or ITAR, CVG Strategy has the expertise to help.

AUKUS Eases Export Restrictions Under ITAR and EAR

Photo By: Navy Petty Officer 3rd Class Gray Gibson

AUKUS eases export restrictions under the ITAR and EAR for certain defense-related articles and technologies between the United States, Australia, and the United Kingdom. This strategic initiative has been taken to enhance the defense capabilities of all three nations in responding to national security threats posed by the People’s Republic of China (PRC) and Russia.

AUKUS is now instituting its Pillar 2 objectives to enable Australia to defend its borders and interests in the Indo-Pacific. This involves implementation of operational and regulatory frameworks to drive collaboration in the governmental, academic, and industrial sectors to bolster and modernize Australian defense capabilities.

AUKUS History

AUKUS is a trilateral security partnership between Australia, the United Kingdom, and the United States that was initiated in 2021. Its initial priority was to facilitate the Royal Australian Navy’s acquisition of nuclear-powered submarines. The strategic partnership has also involved information sharing, counter-hypersonic technologies, cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities.

In May of 2024 the partnership published proposed changes to defense trade controls to create license exemptions for billions of dollars of cutting-edge defense technologies between the partner nations. This would affect both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

AUKUS Revisions Affecting the EAR

The Bureau of Industry and Security (BIS) had published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers between the three countries. In May 2024 the BIS made corrections to footnote 9 of that publication. This change, while easing licensing and end-use requirements for most items, would leave in place license requirements for firearms-related items and other CCL-controlled items.

These items include ECCNs 0A501 (except 0A501.y), 0A502, 0A503, 0A504, 0A505.a, .b, and .x, 0A981, 0A982, 0A983, 0D501, 0D505, 0E501, 0E502, 0E504, 0E505, and 0E982.

AUKUS Revisions Affecting the ITAR

The ITAR has often been viewed by many in the business community as a choke point for this shared defense innovation. This has often been caused by a perceived disconnect between policy makers and the challenges businesses face in exporting defense technologies. Many involved in the development, manufacture, and export of defense items find that their greatest project delays have been caused by ITAR licensing requirements.

The Directorate of Defense Trade Controls (DDTC) currently exempts permanent and temporary exports of designated unclassified items to Canada. This exemption was created in part because the Canadian government has instituted a compliance control regime that is largely harmonized with that of the Arms Export Control Act of the United States.

While some exemptions currently exist for Australia, they do not cover all technologies envisioned by AUKUS. At present many transactions are occurring under Foreign Military Sales (FMS), which are government-to-government transactions. To move past these barriers, interim changes have been made to provide frameworks for Direct Commercial Sales (DCS).

Further steps will be taken to identify programs specific to AUKUS, identify technologies not eligible, and identify which communities in each country would have access to technologies in order to prevent unwanted diversions.  The final approach will be settled between the Department of State and Congress.  Additionally, the Department will be seeking commitments from partners on shared standards for protecting exchanged materials and information.

Australian Initiatives for Breakthroughs

In 2023 Australian Deputy Prime Minister Richard Marles stated that Australia was innovating within its regulatory system while pursuing legislative change and international agreements.  The country has made progress in aligning its export and trade regulations to streamline processes.

CVG Strategy Export Compliance Management Programs

As AUKUS eases export restrictions between the nations of the trilateral security partnership, export compliance remains a dynamic concern for businesses engaged in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

NIST Special Publication 800-53 Controls

NIST Special Publication 800-53

NIST Special Publication 800-53 is a catalog of security and privacy controls released by the National Institute of Standards and Technology for U.S. federal information systems.  It includes key steps in the Risk Management Framework for the selection of appropriate security controls for information systems.  Adherence to these standards and guidelines is a requirement for federal agencies and federal contractors under Federal Information Processing Standard (FIPS) 200.

This catalog of security and privacy controls is harmonized with the controls in Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171), which is a requirement for businesses doing business with the federal government to protect Controlled Unclassified Information (CUI).  SP 800-53 has two companion guidelines: SP 800-53A provides guidance for each step of the Risk Management Framework, and SP 800-53B assists in security control selection.

SP 800-53A is also applicable to NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which addresses the risks to information systems and operational technology presented by information exchanges with suppliers, acquirers, and external service providers.  This standard uses Cybersecurity Supply Chain Risk Management (C-SCRM) processes to assess appropriate procedures, processes, policies, and strategies.

Control Families

The NIST Special Publication 800-53 families of controls, designed to safeguard system and information integrity as well as organizational operations and assets, are as follows:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Control Assessments (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • Personally Identifiable Information Processing and Transparency (PT)
  • Risk Assessment (RA)
  • Systems and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Patch Released to Address Minor Changes

In November of 2023 NIST released a patch to address minor changes in the standard.  The change adds a control enhancement to the Identification and Authentication control family to provide for the protection of cryptographic keys, verification of identity assertions and access tokens, and token management.  Organizations already implementing SP 800-53r5 are not mandated to implement these changes.

CMMC Requirements

In 2013 the Defense Federal Acquisition Regulation Supplement (DFARS) 252-204-7000 went into effect in an effort to establish requirements for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held by DoD contractors in the Defense Industrial Base.  This was followed by DFARS clause 7012 in 2016, which established NIST SP 800-171 as the mechanism for providing this desired protection.

In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying an organization’s level of cyber hygiene.  Following industry professionals’ concerns about the complexity, cost, and proposed timeline, the DoD released CMMC 2.0 in 2021.  Among other changes, the number of compliance levels was reduced from five to three.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that conducting business with government agencies requires them to meet demanding information security requirements.  To assist businesses in meeting the challenges of adopting a variety of NIST Special Publication 800-53 and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Photo courtesy R. Jacobson/NIST

Statute of Limitation for Sanctions Extended to Ten Years

Photo: Statute of Limitation for Sanctions (by Aaron Kittredge)

President Biden signed H.R. 815 into law on April 24, 2024 to address specific foreign policy and national security issues.  This legislation includes an extension (Section 3111) of the statute of limitations under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) from five to ten years.  This statute of limitations is applicable to criminal and civil violations of sanctions regulations administered by multiple agencies.

The specific verbiage of the law is as follows:  “An action, suit, or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise, under this section shall not be entertained unless commenced within 10 years after the latest date of the violation upon which the civil fine, penalty, or forfeiture is based”.  The law will also further harmonize United States sanctions specific to Russia with those imposed by the UK and EU.

This new legislation will affect nearly all existing U.S. sanctions.  The IEEPA is the authority underlying sanctions programs enforced by the Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Bureau of Industry and Security (BIS).  The law does not specify whether this change is retroactive.

Possible Concerns for Organizations Involved in Export

This change in the statute of limitations poses numerous concerns for businesses involved in the export of regulated items.

  1. Moving forward businesses will likely be required to retain records for at least ten years. For conservative practices twelve years may be appropriate.
  2. Businesses currently under investigation may experience increased scrutiny for export activities that overlap or precede the previous five-year limitation.
  3. Merger and acquisition activities currently underway or being planned should adjust the scope of their audit activities to reflect this increased liability.
  4. Revisions of existing legal agreements between companies may need to be made.
  5. Immediate adjustments will be required for organizations’ export compliance programs to ensure due diligence.

CVG Strategy Export Compliance Management Programs

As these latest changes to the statute of limitations for sanctions violations illustrate, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Cyber-Intrusion and Data Exfiltration Concerns for BIS

Photo: Cyber-Intrusion and Data Exfiltration (by Freepik)

Cyber-intrusion and data exfiltration are subjects of increased concern for the Bureau of Industry and Security (BIS).  In its March 2024 release of Don’t Let This Happen to You!, BIS reiterates its growing role in export enforcement to protect U.S. national security and foreign policy interests.  It emphasizes the importance of developing effective export compliance programs for organizations involved in transactions subject to the Export Administration Regulations (EAR).

This report also raised concerns about the prevention of data exfiltration and the incorporation of cybersecurity protocols into an organization’s Export Compliance Program (ECP).  Specifically, the report recommends documenting protocols for notifying BIS of security incidents that result in data loss or leakage of controlled technologies.

It is noted that notification of data exfiltration is separate and distinct from the filing of a Voluntary Self Disclosure (VSD), and that reporting data theft allows BIS to work with its interagency partners to identify and prosecute malicious actors.

Protection of Controlled Technology

While it is incumbent upon organizations involved in export to protect controlled technology from “deemed exports”, BIS does not define specific cybersecurity controls for data security.  Deemed exports are events that result in the release of technology or source code subject to the EAR to a foreign national in the United States.  Situations that can involve release of U.S. technology or software include:

  • Tours of facilities with foreign visitors
  • Foreign national employees involved in certain research, development, and manufacturing activities (I-9 Work Visa, DACA)
  • Foreign students or scholars conducting research

NIST Cybersecurity Framework

BIS, in an effort to address the need for cybersecurity measures, recommends that organizations refer to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to establish plans for implementing, improving, and maintaining an information security program.  The NIST Cybersecurity Framework (CSF) 2.0, released in February of 2024, provides guidance on practices and controls for data protection applicable to managing risk.

This framework was designed to help organizations and industries in all sectors and of all sizes.  It is targeted towards a broad audience including executives, managers, and cybersecurity professionals to assist organizations in reaching their desired level of security. 

The document is comprised of three major components: the CSF Core, which outlines high-level activities to define requirements; Organizational Profiles, for tailoring a program based on an organization’s objectives, expectations, and threat landscape; and CSF Tiers, for establishing the level of risk management.

CSF Core

The CSF Core outlines high-level functions for the creation and organization of a cybersecurity program.  These core functions are:

    • Govern (GV) – These are policy-level activities that are critical for integrating cybersecurity into the organization’s enterprise risk management (ERM).  They include the establishment, communication, and monitoring of cybersecurity risk strategy.
    • Identify (ID) – Identification activities include the documentation of assets such as data, hardware, systems, people, and suppliers.  This function aids in the formation of adequate policies and processes for cybersecurity.
    • Protect (PR) – This includes a large number of controls and activities including authentication, access control, data security, and training.
    • Detect (DE) – This function includes the detection, prevention, and analysis of incidents of unauthorized access to sensitive information.
    • Respond (RS) – This category includes incident management activities including management, analysis, communication, and mitigation.
    • Recover (RC) – These activities are aimed at reducing downtime when responding to cyber events.  They include recovery plan execution and communication.

CSF Profiles

Profiles can be created to tailor and prioritize an organization’s cyber requirements.  These profiles can be created to reflect the current profile of an organization, a target profile of desired outcomes, and a community profile that is used for a specific sector.  Profiles can assist in gap analysis and the generation of a Plan of Action and Milestones (POA&M) to be instituted in a program of continual improvement.  NIST provides an organizational profile template spreadsheet.

CSF Tiers

Cybersecurity Framework Tiers establish a required level for prevention of cyber-intrusion and data exfiltration at an organization.  There are four defined tiers: Partial, Risk Informed, Repeatable, and Adaptive.  The highest level, Adaptive, involves an organization-wide approach to risk management and includes decision making based on current and predictive risk and the incorporation of continuous improvement methodologies.

Existing Cybersecurity Requirements for Government Contracts

Numerous requirements are already in effect for those companies engaged in business with the Federal Government.  For those involved with contracts with the Department of Defense, CMMC 2.0 will be required.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle Controlled Unclassified Information (CUI).  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

CVG Strategy Export Compliance Management Programs

As this BIS publication points out, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

CVG Strategy Information Security Management System Consultants

Cyber-intrusion and data exfiltration are a concern to organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

Global Challenges for Cybersecurity Resilience

Photo: Global Challenges for Cybersecurity (by benzoix)

Global challenges for cybersecurity resilience were outlined in a recent report from the World Economic Forum.  The report, Global Cybersecurity Outlook 2024, analyzes the state of inequity in achieving cybersecurity, the impacts of geopolitics on the cyber risk landscape, the effects of emerging technologies such as Artificial Intelligence (AI), and the shortage of qualified people to address these security challenges.

Cyber Inequity on the Rise

The report stresses that there is a growing divide between organizations that have developed mature systems for protecting sensitive data and those struggling to develop effective defenses from cyber threats.  Small and medium enterprises (SME) are among those most affected by this disparity, especially those located in underdeveloped economies.

Aside from having less than adequate cyber resilience, only 25% of SMEs carry cyber insurance, as compared with 85% of organizations with 100,000 or more employees.  This should cause alarm given the number of data breaches occurring and the fact that many SMEs fail to recover from these cyber attacks.

Geopolitical Influences and the Threat Environment

Numerous nations are involved in nefarious activities aimed at global supply chains and critical infrastructure.  This is causing CISOs to adapt their cybersecurity postures and strategies.  Geopolitical actors are also targeting societal and political entities with deepfakes and phishing campaigns weaponized against elections.  Areas of concern outside of the private sector are misinformation, automated disinformation, data privacy, and algorithmic manipulation of social media data.

Skills Gap in Cybersecurity Landscape

There is a worldwide shortage of a capable workforce for the design, implementation, and maintenance of systems for the protection of sensitive information.  Of those surveyed in the report, 20% stated that they do not have the necessary skills in their organization to accomplish their cyber objectives.  Additionally, there is an ongoing challenge of retaining what skilled personnel an organization has in its employ.

Organizations are opting for certifications and short educational courses in lieu of formal university education to fill this gap.  Many small organizations that face revenue issues are encouraging employees to upskill because they cannot afford to hire qualified personnel.

A Changing Risk Environment

Organizational leaders are concerned about loss of access to goods and services and cyber extortion.  Of those polled, 29% stated that their companies had experienced such situations in the last year.  This is especially concerning because more than 60% of these leaders outside of Europe and North America do not carry cyber insurance.

Other perceived risks of high concern were loss of money or data, identity theft, and being monitored.  When queried as to significant barriers to achieving cyber resilience, business leaders cited lack of resources, cost of evolving from legacy systems, cultural resistance, not knowing where to start, lack of executive support, and a perception that the risk does not warrant the investment.

Emerging Technologies

A number of emerging technologies have created challenges for cyber resilience.  Most industry leaders reported that they felt more exposed to cybercrime than in previous years.  The use of new technologies by cybercriminals increases both the speed and adaptability of their attacks.  Despite these trends, most cyber leaders queried stated that they would maintain their focus on established cyber practices.

Top Management Buy In

A positive takeaway from this study was the number of business leaders that are concerned about cybersecurity and are actively engaged with their information security programs.  Over 90% of cybersecurity leaders trust their CEOs to communicate externally about cyber issues.  This is important because an essential component of a cyber resilience program is its integration into the enterprise risk management processes.

Governance Issues

While many governments are actively promoting cyber resilience, many critical gaps still exist that have yet to be addressed.  One such issue is the imbalance of responsibility for security between technology producers and consumers.  There is a real need to shift responsibility for ensuring safety from the organizations and individuals who purchase technology to the producers of these technologies.

The current status is representative of immature industries.  As in other sectors, governance will have to step in to ensure that players in technology play an appropriate part in the necessary maintenance of trust of goods throughout their life cycles.

Moving Towards a Better Future

Collaboration is a key factor in bettering the cyber environment.  Organizations must share responsibility with suppliers, partners, regulators, and industry peers.  The entire structure is only as strong as its weakest link.  Most industry leaders are not optimistic about such collaboration in the immediate future.  

Views on regulations are positive with regard to reduction of risk in their organization.  Unfortunately, many leaders felt that regulations were too numerous and often conflicting internationally.  They also stated that often the requirements were too technically difficult to achieve and required excessive resources.

Supply Chain Cyber Resilience

Given that collaboration is essential in maintaining information security, it is concerning to note that 54% of parties queried felt that they had insufficient knowledge of vulnerabilities in their supply chain.  Again, this cyber maturity gap was more pronounced in medium and small companies.  The importance of this issue was illustrated by the fact that 41% of the organizations had experienced a cyber incident that originated from a third party.

Take Aways from the Report

Global challenges for cybersecurity will remain a concern for the foreseeable future.  The struggle of medium and small organizations to design, implement, and maintain effective solutions to the threat landscape will affect everyone in the global economy.  There are no simple solutions to these issues.  In all probability, an organization’s ability to adopt best practices and be a trusted partner will determine its long-term survivability.

CVG Strategy Information Security Management System Consultants

Global challenges for cybersecurity are a concern to organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Nicaragua Export Restrictions Increased by U.S.

Photo: Nicaragua Export Restrictions (by Sascha Hormel)

Nicaragua export restrictions have been increased by both the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security (BIS) as of March of 2024.  These actions were taken in response to United States national security and foreign policy concerns regarding the continuing deterioration of the nation’s human rights, civil institutions, and Nicaragua’s increased cooperation with Russia.

DDTC Specific Regulatory Changes

The DDTC, which, under the authority of the Department of State, administers the International Traffic in Arms Regulations (ITAR), has added Nicaragua to the list of countries for which it, by policy, denies approvals for export or import of defense articles and services.  Under this revision of the ITAR, Nicaragua has been added to the list of countries detailed in 22 CFR 126.1, Prohibited exports, imports, and sales to or from certain countries.

This policy of denial is applicable to all defense articles and services.  The only exceptions to this policy are imports or exports where military equipment is intended solely for humanitarian assistance, including natural disaster relief.  These exceptions are issued for license applications on a case-by-case basis.

Further restrictions were added under 22 CFR 129.7, Policy on embargoes and other proscriptions.  This action prohibits brokering activities involving specific countries.  As the effect of this rulemaking is perceived to have minimal consequences for federal agencies or private organizations and groups, these restrictions do not require interagency analysis.

BIS Specific Regulatory Changes

BIS, which administers the Export Administration Regulations (EAR), has moved Nicaragua from Country Group B to Country Group D:5.  Group B countries are countries for which licensing is generally available.  Group D countries have fewer license exceptions and include around 50 countries such as Syria, Russia, Iran, Yemen, and Venezuela.  This group is divided into five areas of concern: D:1 National Security, D:2 Nuclear, D:3 Chemical & Biological, D:4 Missile Technology, and D:5 U.S. Arms Embargoed Countries.

This new level of restriction affects the export, reexport, and transfer of items subject to the EAR, including commodities, software, and technology.  Previous actions taken by BIS include the addition of the Nicaraguan National Police to the Entity List and restriction of items to the country’s security and military agencies.  BIS has taken these actions as part of an ongoing effort to promote human rights and democracy.

A Call to Action for Businesses Involved in Export

Export regulations have been in a constant state of flux for the last decade as the Federal Government has used these powerful tools to pursue its national security and foreign policy objectives.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals and Blocked Persons List and the Entity List, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).  These programs are a requirement under both the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

As these latest Nicaragua export restrictions illustrate, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Secure Software Development Attestation Form Released

Photo: Secure software development attestation (by Startup Stock Photos)

A secure software development attestation form has been approved by the Federal Government in an attempt to ensure that contracted developers of software assume responsibility for the security risks involved in protecting federal information.  The form was released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) on April 1, 2024.

This release follows Executive Order 14028, which the Biden administration enacted following the Sunburst supply chain attack of 2021 that affected government, telecom, consulting, and technology organizations worldwide.  Following this, OMB Memorandum M-22-18 stipulated that federal agencies must receive attestation from their software providers.  The term software includes firmware, operating systems, and applications.

Required Information in the Form

The Secure Software Development Attestation Form requires the producer to provide a description of the software and the organization.  This form must be signed by the CEO or their designee.  This signature attests that the software meets the requirements of M-22-18.

The form must be submitted for any software developed or significantly upgraded after September 14, 2022.  Failure to provide the information may result in loss of contract.  If an agency cannot obtain this attestation, the agency may still use the software if the producer identifies the practices not in place and submits a Plan of Actions and Milestones (POA&M) to address these gaps.

Extant Software Development Requirements

NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, is a requirement for organizations involved in contracts with federal agencies, to ensure that their supply chains adequately protect controlled information.  These requirements include secure coding and manufacturing practices.

Additionally, the Department of Defense (DoD) is requiring all suppliers to implement NIST SP 800-171 and an ISMS as a contractual requirement.  This will also include Cybersecurity Maturity Model Certification 2.0 (CMMC), which is expected to be a requirement by 2026.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that they must meet demanding information security levels in order to conduct business with governmental agencies.  To assist businesses in meeting the challenges of adopting a variety of NIST and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems in carrying out best practices.  It also involves a continual improvement approach so that threats can be continually assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and operate an ISMS and make it meet your desired objectives.  This process includes defining the context of your organization, creating internal auditing processes, and much more.

Foreign Based Businesses and U.S. Export Compliance


Foreign based businesses and persons involved in the reexport of items controlled under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) are subject to those regulations and the associated sanctions.  This also holds true for foreign producers whose products incorporate threshold percentages (de minimis) of controlled items, and for producers that utilize U.S. technology, software, or production equipment.

Tri-Seal Compliance Note Stresses Foreign Based Persons Obligations

This message was reinforced in a recent Tri-Seal Compliance Note from the United States Department of Commerce, Department of the Treasury, and Department of Justice.  Agencies under these departments contributing to the note included the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC).  The intent of the release was to enhance awareness of these obligations and help organizations outside of the United States mitigate the risks of non-compliance.

Applicability of Sanctions to Foreign Persons

Certain U.S. sanctions programs are applicable to foreign persons.  Violations of these sanctions can result in civil or criminal penalties.  These economic and trade sanctions are targeted at foreign jurisdictions, regimes, entities, and individuals involved with terrorism, narcotics, weapons of mass destruction, and other acts threatening U.S. national security and foreign policy interests.

Non-U.S. persons may be prosecuted for conspiring to cause U.S. entities or persons to violate or evade these sanctions.  OFAC has been actively involved in this aspect of export enforcement in cases involving hiding references to sanctioned entities in financial transactions, misleading U.S. persons about the ultimate destination of controlled goods, or routing prohibited transactions through U.S. financial institutions.  Settlements in these cases have resulted in multi-million dollar penalties against the involved parties.

Bureau of Industry and Security and the EAR

The Bureau of Industry and Security (BIS) administers and enforces the Export Administration Regulations (EAR).  These regulations control the export of commodities by prohibiting or placing licensing requirements on specific items.  The term commodities can include software, technology, and intellectual property.

These regulations differ from the export regulations of many nations in that the controls can extend to controlled articles located in any nation and to the foreign based businesses involved in transactions with them.  This extended regulatory reach exists to ensure that controlled articles are not surreptitiously transferred to a third party that would normally be barred from the transaction.

Items subject to the EAR also include products manufactured with controlled U.S.-origin components or software.  Licensing requirements are determined by de minimis calculations of the value of controlled U.S.-origin content in a non-U.S. finished product.

This is done by identifying any controlled components in a bill of materials and calculating the percentage of the product's fair market value that those components represent.  Threshold percentages vary according to the components' classifications.

Controls also apply to the use of advanced manufacturing equipment and software.  This is especially applicable to the manufacture of semiconductor devices.  Controls of this nature have been enacted to restrict the supply of certain items to China, Russia, Belarus, and Iran.  The result of this regulatory extension is that licenses may be required for semiconductor components regardless of where they were manufactured.

BIS Enforcement Actions

Enforcement actions have resulted in major penalties for businesses.  In April 2023, a 300-million-dollar penalty was imposed on Seagate Technology LLC, which included a five-year suspended Denial Order that, if activated, would terminate the organization's ability to conduct export business under the EAR.

BIS has also imposed restrictions on the types of aircraft allowed to fly into Russia if they include more than the 25% de minimis amount of U.S.-origin controlled content.  This includes Airbus planes and affects a large number of airlines serving Russia, including Nordwind, I-Fly, and Meridian Air.

Department of Justice Involvement in U.S. Sanction and Export Regulations

The Department of Justice (DOJ) brings criminal prosecutions against parties involved in willful violations of U.S. sanctions and export regulations.  Recent actions have included the indictment of Latvian nationals and a Latvian company involved in the attempted smuggling of dual-use production machinery.  As a result, fines in excess of $825,000 were levied against the defendants.

Actions were taken against an Iran-based person and a Chinese national for attempting to obtain controlled microelectronics for UAV production.  The defendants are alleged to have provided false information to U.S. manufacturers concerning the ultimate end users of the devices.

In November 2023, a guilty plea was entered by Binance Holdings Ltd. (a cryptocurrency exchange) for knowingly having a large number of users from sanctioned regimes.  Penalties for the infractions included a $4.3 billion criminal penalty with additional payments for civil liabilities of $968,618,825.

CVG Strategy Export Compliance Programs

As these developments in the Export Administration Regulations illustrate, export compliance is a growing concern for businesses selling items that are intended for international sale or that could end up being sold internationally.  Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can assist foreign based businesses in meeting U.S. export requirements by creating a tailored export compliance program.  We can also perform export control classifications, perform audits, assist with export license requirements, and educate your team.  Regardless of whether your exports fall under the EAR or the ITAR, CVG Strategy has the expertise to help.

Disruptive Technology Strike Force Enforcement Actions


The Disruptive Technology Strike Force was launched February 16, 2023 by the Department of Commerce, the Department of Justice, and the Federal Bureau of Investigation in an effort to prevent the unlawful acquisition of advanced technologies by foreign adversaries.  To date this effort has resulted in numerous cases being filed against parties involved in sanctions and export control violations.  These offenses involved the unlawful transfer of sensitive information, articles, and military-grade technology to China, Iran, and Russia.

Disruptive Technology Strike Force Cases in 2023

Half of the strike force cases in the last year involved the attempted export of controlled semiconductors and microelectronics to Russia.  Many of these included components for guided missile systems, Unmanned Aerial Vehicles (UAVs), components for weaponry, components used in cryptography, and items used in nuclear weapons testing.

Cases involving exports to Russia were brought by the strike force in partnership with the interagency law enforcement group Task Force KleptoCapture.  This group is comprised of agencies from the United States and its allies.

Three cases involved individuals attempting to procure controlled technologies for Iran or Iranian end users.  These cases involved items and technologies associated with military products, aerospace, firefighting, UAVs, and materials used for weapons of mass destruction.

In an additional three cases, the task force charged former employees of U.S. companies with stealing proprietary and confidential information.  These cases were all related to attempts to transfer advanced technologies to the People's Republic of China.  Technologies involved in these cases included missile detection equipment, advanced manufacturing software, and Apple source code.  A fourth case, involving a Belgian national, concerned the export of military-grade accelerometers.

Measures Taken to Enhance Enforcement

A number of partnerships have been formed to further enhance enforcement efforts.

  • The Disruptive Technology Strike Force added the Defense Criminal Investigative Service as a formal partner.
  • It added multi-agency enforcement teams in specific areas of the United States where critical technology industries are present.
  • The Strike Force created a partnership with the Ukrainian Prosecutor General to curb the illegal flow of advanced technology to Russia.
  • The Department of Commerce and the Department of Justice, along with leaders from Japan and South Korea, established a Disruptive Technology Protection Network to expand information sharing and best enforcement practices.
  • The Strike Force fostered partnerships with the private sector to engage directly with companies involved in the manufacture and export of controlled items.
  • A Five Eyes export control agreement was formed to address the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts.

Continuing Enforcement Activity 

At the unveiling of the strike force, Assistant Attorney General Matthew Axelrod pointed out that it would focus on the investigation and prosecution of violations of U.S. export controls, to prevent the use of sensitive technologies for purposes harmful to national security.  This has proven to be the case, with a number of cases being prosecuted internationally against individuals and businesses.

Cases have been brought against U.S. companies, resulting in fines of millions of dollars.  Individuals have been interdicted in attempts to export military equipment to Iran, Russia, North Korea, and China.  Press releases show a steady stream of cases illustrating the activity level and perseverance of this interagency effort.

A Call to Action for Businesses Involved in Export

The continued vigilance of the Disruptive Technology Strike Force illustrates the Bureau of Industry and Security's (BIS) commitment to protecting sensitive technologies.  Besides partnering with U.S. enforcement agencies, the Commerce Department has shown a commitment to working with international agencies to protect national security and foreign policy interests.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals and Blocked Persons List and the Entity List, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).  These programs are a requirement under both the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out in a way that prevents violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

Export compliance is an important subject for businesses selling items that are intended for international sale or that could end up being sold internationally.  Failure to comply with export control laws can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you understand the Export Administration Regulations and establish a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under the EAR or the ITAR, CVG Strategy has the expertise to help.  Contact us with your export regulation questions.

Lockbit Extortion Operation Interrupted by Operation Cronos


The Lockbit extortion operation was taken down by an international law enforcement effort called "Operation Cronos".  This action included the participation of the FBI, the UK's National Crime Agency (NCA), and Europol, among other organizations.

Actions taken include the UK's National Crime Agency taking control of the ransomware group's site and the arrest of at least four individuals.  Two individuals were arrested in Poland and Ukraine, and two others had been detained in the U.S.  Two other Russian nationals are still at large.

Operation a Major Blow to Lockbit

The strike included gaining control of the organization's central infrastructure and seizing its source code.  The agencies also obtained encryption keys that will help victims decrypt and recover their data.  Europol reported that enforcement efforts had resulted in the takedown of over thirty servers in nine different countries.

History of Cybercriminal Group

Lockbit is a network of cybercriminals that has targeted thousands of organizations in a variety of sectors, including manufacturing, government, energy, financial services, and health care.  To date, Lockbit has hacked into over 2,000 systems and raked in over $120 million in ransom from its victims.

Lockbit has been the most common form of ransomware in the last two years.  The group has run a sophisticated and highly organized Ransomware as a Service (RaaS) operation since 2020.  RaaS platforms offer ransomware products on a subscription or commission basis.

The organization is thought by many experts to have originated in Russia, though the group has claimed no national affiliation and has claimed to be engaged in its activities only for financial gain.  The group operates by recruiting hackers (affiliates) to use Lockbit's various tactics, techniques, and procedures to compromise major organizations worldwide.

Many victims of the Lockbit extortion operation have been additionally extorted by threats to publish sensitive information.  The resulting ransom payments are usually made in cryptocurrencies, which makes tracing the payments difficult.

Ransomware a Growing Concern

Ransomware is the largest cyberattack threat to industrial organizations in North America.  There has been continuing growth in the number of attacks over the last several years.  While the Lockbit ransomware group has been the leader in this area, a number of other actors such as 8Base, Akira, and Black Basta have been active players.

It is expected that this trend will continue to escalate as these groups utilize AI in increasingly targeted attacks, in conjunction with social engineering and phishing techniques.  Targeted entities tend to be government agencies and large business concerns.  Experts expect that increased attacks will occur in the health, education, and energy sectors.

Enforcement Agencies Respond

The Department of Justice, in conjunction with other law enforcement agencies, has been engaged in the infiltration of cybercrime groups.  In the United States, the FBI has been particularly active in these efforts, with successes against the Hive network in 2023.  As with the actions taken against Lockbit, the FBI partnered with law enforcement agencies in other countries.  The Hive infiltration involved ransoms of $130 million and also resulted in the capture of decryption keys, which were made available to victims to recover their data.

CVG Strategy Cybersecurity 

While the disruption of the Lockbit extortion operation is a promising development, the successes of ransomware attacks illustrate the vulnerabilities of organizational information.  Successful hacks of this sort are often the result of tricking people into opening malicious email attachments or visiting malicious sites.

Businesses and government agencies must develop effective data protection strategies.  These strategies should include policies that incorporate risk assessment, training, and management review.  CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification, on time and on budget.

CVG Strategy is also committed to the goals of CMMC in keeping the defense manufacturing supply chain's information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.