Defense Export Handbook – An Overview for Businesses


The International Trade Administration (ITA) has released the 2025 Defense Export Handbook to provide an overview of U.S. trade laws governing the export of defense products.  This handbook also gives guidance to new-to-market exporters on evaluating international markets and includes contact information for export control, trade promotion, and licensing. 

The publication describes U.S. statutes that control defense trade between the United States and its foreign allies, such as the Arms Export Control Act (AECA) and the Foreign Assistance Act (FAA).  It then provides a brief description of the International Traffic in Arms Regulations (ITAR), which are administered by the Directorate of Defense Trade Controls (DDTC) under the State Department, and the Export Administration Regulations (EAR), which are administered by the Bureau of Industry and Security (BIS) under the Department of Commerce.

The handbook also provides important information regarding multilateral export regimes including the Missile Technology Control Regime, The Australia Group, and the Wassenaar Arrangement.

Defense Trade Transfer Types

The Defense Export Handbook defines and differentiates Foreign Military Sales (FMS) and Direct Commercial Sales (DCS).  These two modalities of sale require different methods of approval and licensing.  Generally, with DCS the foreign customer works directly with a U.S. company in acquiring the end item, technical data, or defense service, whereas with FMS the customer must interface with the U.S. government.

Guidance in Identifying and Pursuing Opportunities

Perhaps the most beneficial information for emerging defense businesses is a compilation of programs and services that provide marketing information.  This list begins with the author of the handbook, the International Trade Administration, which can help defense exporters address challenges.  Other resources include the U.S. Foreign Commercial Service, which can assist businesses in finding potential customers and overseas partners.  Additionally, the U.S. government’s Advocacy Center can help in the procurement process by using overseas resources to meet with foreign decision-makers.

Determination of Licensing Requirements

Exporters face an array of export licensing requirements based on the classification of the article, technology, or service of intended export.  Additionally, controls exist for various nations and entities sanctioned by the Department of Treasury.  The classification process begins by determining if the item is listed on the United States Munitions List (USML).  The USML enumerates defense articles regulated under the ITAR.  If the intended export does not fall under the ITAR, then it must be classified under the Commerce Control List (CCL), which enumerates items regulated by the EAR.

If the classified item falls under the ITAR, the business must register with the Directorate of Defense Trade Controls (DDTC) and then apply for the appropriate license, agreement, or other authorization.  The handbook introduces readers to this process and describes Commodity Jurisdictions (CJs) and other levels of interaction with the agency.

The handbook then provides guidance for businesses exporting items, services, training, and technologies that fall under the jurisdiction of the EAR.  This guidance includes license submissions to the Bureau of Industry and Security and Commodity Classification Requests.  It also explains how to file for license exceptions.

Export Management and Compliance Plan (EMCP)

The handbook then explains the importance of establishing and maintaining effective Export Management systems to establish a culture of compliance and prevent export control violations.  It then provides links to recommended elements of an EMCP as defined by the DDTC and BIS.  Links are also provided to other associated agencies involved with export regulation such as the Department of Treasury and the Department of Justice.

Conclusion

The 2025 Defense Export Handbook is a good primer for businesses that are considering entry into defense exporting.  It provides a good overview of how to navigate the regulatory environment and informs businesses about certain governmental resources for business promotion and market evaluation.  It does not, however, address the complexities of creating a tailored export compliance program that meets all the requirements of the U.S. government and the exporting business.

CVG Strategy Export Compliance Management Programs

The 2025 Defense Export Handbook provides an overview of the export compliance challenges facing businesses in the defense industry.  Failure to comply with these export regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied party screening, and security measures are taken that will prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

ITAR Developments and U.S. Foreign Policy


AUKUS Pillar I and Pillar II

ITAR developments continue as the U.S. responds to national security threats with strategic trade controls and security partnerships. In recent news, AUKUS Pillar II has greatly eased the transfer of defense articles and technologies between Australia, the United Kingdom, and the United States. This trilateral security partnership was created to address Indo-Pacific threats from China.  

The agreement between AUKUS partners initially pertained to the transfer of nuclear propulsion technology.  Under Pillar II, it now includes cyber capabilities, quantum technologies, artificial intelligence, and additional underwater capabilities.  Licensing requirements have been greatly reduced for the transfer of defense articles between parties registered in the Defense Export Control and Compliance System (DECCS). 

The resulting International Traffic in Arms Regulations (ITAR) exemption as defined in 22 CFR part 126.7 applies to transfers within the physical territories of the three countries to authorized users that are registered with the Directorate of Defense Trade Controls (DDTC).  These exemptions came about as Australia and the UK reformed their export control regimes to align with U.S. requirements and add key restrictions and enforcement mechanisms.

As detailed in the Journal of Strategic Trade Control October 2024 report, this security partnership could result in the creation of a plurilateral export control regime that could rival the Wassenaar Arrangement and serve to augment U.S. geopolitical security interests.

Revisions to Reexports and Requirements for Foreign Companies

The DDTC is planning to redefine the export and reexport of technical data to foreign nationals such that any release in or outside the United States is deemed to be an export or reexport to all countries to which the recipient holds citizenship or permanent residence.  The ITAR is extraterritorial in that any reexport of a controlled article, service, or technology requires relicensing and providing detailed information concerning end-users.

This revision further calls for end-users or consignees to have in place adequate processes for screening employees for intra-company, intra-organization, and intra-governmental transfers.  This screening must include a risk assessment that considers a foreign person’s substantive contacts with restricted or prohibited countries.

Revisions to Defense Services

This proposed revision of the ITAR would change the definition of Defense Service (22 CFR 120.32) to include items currently specified in design, engineering, and manufacturing definitions.  It also includes clarification that disrupting a nation’s military capability by the disabling or degradation of defense articles is to remain a controlled activity.  The term training is proposed to include the term consulting.

Category IX of the USML is proposed to include two new entries, and the entire category is to be renamed “Military Training Equipment, Intelligence Defense Services, and Military Defense Services”.  The proposed new text states that defense services pertaining to intelligence assistance do not necessarily include defense articles.  This is to further stipulate that the ITAR does regulate intelligence services, including “assistance on tactics, techniques, procedures, and other types of training that enables the intelligence activities of a foreign government, unit, or force, or their proxy or agent”.

Further ITAR developments with regards to defense services deal with catch and release functions as they pertain to U.S. persons drafted into the armed forces of a foreign nation.  This is to clarify that the Department of State intends to regulate the activities of such draftees.

Revisions to the USML

The United States Munitions List (USML), which is part of the ITAR, enumerates articles, services, and technologies that are defense or space related and therefore fall under export regulations.  Numerous areas within Categories IV, V, VIII, XI, and XV will be revised to provide more concise descriptions of regulated items and address comments received.

Many of the proposed changes will involve circuit boards and semiconductors that could be utilized in launch vehicles, ballistic missiles, night vision equipment, spacecraft, or nuclear weapons.

CVG Strategy Export Compliance Management Programs

ITAR developments are continuing to add complexity for businesses engaged in sales of items that are intended for international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities.


Validated End User (VEU) Program Expanded


The Bureau of Industry and Security (BIS) has expanded its Validated End User (VEU) Program to include controls for data centers in an effort to create a trusted ecosystem for artificial intelligence (AI) development.  The VEU program will now review applicants’ data centers to ensure application of appropriate safeguards and security measures.  This update to the Export Administration Regulations (EAR) is being made to mitigate risks to U.S. and global security.

Artificial Intelligence as Dual-Use Technology

Artificial intelligence and machine learning have the potential to provide advanced military and intelligence capabilities.  These include aid in the development of biological, chemical, and nuclear weapons.  They also have applications for increased capabilities in planning and logistics.  Additionally, AI can enhance the capabilities of electronic warfare, mass surveillance, and signals intelligence.  For these reasons it is essential that access to this technology be controlled to further security interests.

Data Center VEU Authorization

This amendment to the EAR adds special requirements to the Data Center VEU Authorization in addition to those in place under the General VEU Authorization.  While all VEU authorizations allow exports and reexports to VEUs, separate authorizations are required for exports to third parties.  With Data Center VEUs, however, in-country transfers are not permitted unless the transfer is to a VEU at the same location.

Authorization for data centers will be permitted after review by the End-User Review Committee (ERC).  The ERC is an interagency committee composed of officials from the Departments of Commerce, Energy, Defense, and State.  Each applicant must apply required safeguards for the protection of U.S. technology.  Applicants may also be required to undergo on-site compliance reviews to inspect levels of physical and logical security, as well as to meet specific reporting requirements.

Eligibility and Application Requirements

Requests for authorization should include a list of current and potential customers, an overview of business activities and relationships, descriptions of physical and logical security requirements for each location, descriptions of policies, and an overview of the data center facility’s information security plan.  The information security plan should include:

  • Relevant NIST standards for cybersecurity plan
  • Monitoring and Logging Plan
  • Technology control plan detailing required computation for various end uses
  • Baseline cloud configurations with identity and access management processes
  • Personnel security plan
  • Incident identification, investigation, and reporting plan

The ERC evaluations will consider whether the VEU host country has provided assurance that safe and secure use of the technology will be provided.  A review will be conducted to evaluate the party’s history of compliance with U.S. export controls and its ability to comply with VEU requirements.  The national government of parties interested in engaging in the VEU data center program should contact the U.S. Departments of Commerce and State to provide assurances that required security will be met.

VEU Reporting Requirements

Exporters and reexporters are required to obtain certifications from validated end-users regarding their compliance with VEU requirements.  These certifications and all related records must be maintained per the recordkeeping requirements detailed in 15 CFR Part 762 of the EAR.  Reexporters using the Data Center VEU must file semiannual reports with the BIS.  Additionally, Data Center VEU users must allow review of relevant records, including information from on-site reviews.

New Cybersecurity Requirements for Export Compliance

The federal government has placed cybersecurity requirements, such as NIST SP 800-161 and CMMC, on organizations under contractual agreement for several years now.  During this time export compliance regimes have intimated cybersecurity requirements but have not defined them in as much detail.  Noting that both the Departments of Commerce and State are involved in this Validated End User amendment, it can be expected that cybersecurity is entering the export regulatory realm.

CVG Strategy Information Security Management System Consultants

Changes to the Validated End User (VEU) program add to a growing list of government cyber requirements.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

CVG Strategy Export Compliance Management Programs

Export compliance requirements are growing in complexity for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities.


Voluntary Self Disclosure Process Changed by BIS


The Bureau of Industry and Security (BIS) has amended the Voluntary Self Disclosure (VSD) process in the Export Administration Regulations (EAR).  The newly released amendment to 15 CFR 764.5 and Supplement No. 1 to Part 766 provides guidance for settlement determinations of penalties in administrative enforcement cases.  This action evolved from a series of policy changes that began in 2022 to encourage organizations to report potential violations.

BIS Policy Changes Leading Up to Amendment

In 2023 the BIS announced policy updates encouraging voluntary disclosures of potential violations of the EAR.  These announcements also stated that when these disclosures are conducted in a timely and comprehensive manner with full cooperation, the BIS would substantially reduce civil penalties.  This includes cases where controlled items or technology had been transferred, as well as transactions that involved boycott violations.

The BIS also announced a dual-track system whereby minor or technical infractions would be processed within 60 days of final submission.  This would include an issuance of a warning or a no-action letter from the Office of Export Enforcement (OEE).  The agency announced that it considers a deliberate nondisclosure an aggravating factor when determining severity of penalties.  Additionally, the BIS considers the existence of an adequate and engaged export compliance program a factor in case settlements.

Changes in BIS Penalty Guidelines for Administrative Actions

The BIS is making it clear in these revisions to the EAR that the submission of a VSD is a mitigating factor in the consideration of penalties.  In such cases it is the OEE’s preference to bolster an organization’s compliance program to ensure that such violations do not reoccur.  The revisions also provide guidelines for the calculation of penalties so that penalties are more appropriate to the nature and seriousness of the offense.

Previously, Section 764.5 had not included non-disclosure of violations as an aggravating factor.  Now, however, a non-disclosure not only bypasses mitigation credits but also incurs a possible increase in penalties.  This reflects the serious consequences to United States national security that occur when the government is prevented from taking mitigating action.

Dual Track Processing of VSDs

Section 764.5 of the EAR previously had only one method for the processing of VSDs.  The final rule now in place creates two tracks, one for minor or technical violations and another for significant violations.  The track for minor or technical violations includes where and how to submit an abbreviated narrative for the VSD.  This revision is intended to reduce the workload of organizations in submitting notification of minor violations.

The process for filing Voluntary Self-Disclosures for significant violations remains for the most part unchanged.  The BIS has, however, defined a significant violation as one that involves one or more aggravating factors as detailed in the BIS Penalty Guidelines.  If an organization is unsure as to whether a violation is minor or significant, it should file as required for a significant violation.

The new general policy for the BIS is to resolve minor or technical violations within 60 days.  This is to be accomplished by informing the organization that the BIS intends to take no action or by submitting a warning letter.  For significant violations the agency will conduct an investigation and take appropriate action as quickly as circumstances permit.

Under the revised regulations, parties in possession of or with an interest in an illegally exported item can notify the OEE that a violation has occurred and request permission for the item to be returned to the United States without being in violation of 15 CFR 764.2(e).  Previously this was limited to the parties submitting the Voluntary Self-Disclosure.

Changes to BIS Penalty Guidelines

This rule makes several changes to the BIS Penalty Guidelines in Supplement No. 1 to Part 766 regarding penalty calculations, mitigating factors, and aggravating factors.  It also adds a list of non-monetary settlements the BIS may take as actions against violations.  The change also removes the applicable schedule amount definition and the base penalty matrix in an effort to bring administrative penalties more in line with the overall transaction value.

Non-monetary actions include warning letters or no-action letters to parties involved in non-egregious conduct that has not resulted in a compromise to national security.  These actions also include sanctions requiring an organization to implement improvements to its compliance program.

CVG Strategy Export Compliance Expertise

The DDTC, the BIS, and OFAC, along with international partners, have greatly increased their activities in the generation and enforcement of regulations.  This increases the likelihood of a non-egregious violation occurring even in a company with a well-run export compliance program.  CVG Strategy can assist organizations through the Voluntary Self Disclosure process and guide you through these difficult procedures.

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements.  As the BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments.  Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.

CVG Strategy, LLC is recognized the world over as the premier provider of Export Compliance Consulting and Export Compliance Programs for businesses involved in export in the U.S. and Canada.  We also provide the essential training that ensures that your team is up to date on governmental regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), the Canadian Controlled Goods Program, the Office of Foreign Assets Control (OFAC) regulations, and those of other regulatory agencies.

DFAR Amendment for Contractor Implementation


The Department of Defense (DoD) has proposed a Defense Federal Acquisition Regulation Supplement (DFAR) amendment for contractor implementation of Cybersecurity Maturity Model Certification (CMMC).  DFARS case 2019-D041 was first published in September 2020 with an effective date of November 20, 2020 to allow for the development of CMMC 2.0.  CMMC 2.0 establishes a framework for assessing the implementation of contractor cybersecurity requirements to protect Controlled Unclassified Information (CUI) in the defense industrial base supply chain.

Proposed Rule Changes

The proposed rule changes include requirements for contractors to achieve and maintain a requisite level of CMMC security for the duration of a contract.  The contractor will be required to annually affirm continuous compliance with security requirements for all information systems used in the performance of the contract that will store, process, or transmit Federal Contract Information (FCI) or CUI, and to report any changes or incidents within 72 hours.

The changes include requirements for contracting officers to require that the results of a current CMMC certification or self-assessment be at a minimum level for the consideration of a contract.  These required levels are to be provided to offerors through the Supplier Performance Risk System (SPRS).  Apparently successful offerors will then be required to provide applicable DoD Unique Identifiers (UIDs) for all FCI or CUI information systems.  Offerors will not be eligible for award of a contract if they do not have a CMMC certificate or self-assessment entered into the SPRS.

In addition, contractors must include a contract clause detailing the requirements of this DFAR in contractual documents to lower tier subcontractors and suppliers to ensure information security throughout the supply chain.  

Public Comments in Response to Rule Changes

As has been the case since the initial roll-out of CMMC, concern has been raised as to the impacts of these rules on small businesses, which comprise a significant percentage of the DoD supply chain.  The DoD has responded to this concern by pointing out that CMMC is to be implemented through a phased roll-out and that these requirements are expected to apply to only about one thousand small businesses in the first year.

Various comments inquired as to how contractors are to know what CMMC requirements are.  The responses stated that requirements will be identified in the solicitations and contracts unless the contract is exclusively for Commercial Off the Shelf items (COTS).

There was some concern as to a uniform definition of Controlled Unclassified Information.  The DoD is referring concerned parties to CFR Part 2002 Controlled Unclassified Information (CUI) for clarification.

Phased Implementation of CMMC

The phased implementation of CMMC is expected to take three years.  During this period a number of phases will be implemented.  Emphasis will be placed on CMMC levels one and two in the initial phases, with the DoD including level three requirements later on.  There have been numerous alterations and pauses in this process, and the end results will have consequences for many organizations.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of DFAR amendments for contractor implementation, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy also provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

Suit Filed Against Georgia Tech by U.S. Government


A suit filed against Georgia Tech by the United States Government alleges that the university’s affiliate, Georgia Tech Research Corporation (GTRC), knowingly failed to meet its cybersecurity requirements for the Department of Defense (DoD).  The suit was initiated by a whistleblower complaint from members of Georgia Tech’s cybersecurity team.

The lawsuit alleges that the Georgia Institute of Technology’s Astrolavos Lab failed to institute a System Security Plan, as is stipulated in DoD cybersecurity regulations, until 2020.  When a System Security Plan was finally initiated, it failed to include all information assets in its scope.  Additionally, the lab, in violation of its own cyber policies, refused to install antivirus software on laptops, desktops, and servers at the demand of the professor who headed the lab.  The lawsuit further alleges that false cybersecurity assessment scores were submitted to the DoD by Georgia Tech and the GTRC.

The suit was filed under the False Claims Act, which was created as a mechanism for private parties to file suits on behalf of the federal government and to receive a share of any recoveries.  The Civil Cyber-Fraud Initiative was designed to identify contractors that fail to protect confidential information or protected government secrets.

Importance of Safeguarding U.S. Information

In comments regarding the issue, U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia stated that the government expects contractors to meet the cybersecurity requirements in their contracts and grants regardless of the size of the organization or the number of contracts involved.  The case is being handled by the Justice Department’s Civil Division, with Senior Trial Counsel Jake M. Shields and U.S. Attorney Adam Nugent and Melanie Hendry.

Academia Facing Challenges in Security

Universities have been facing a growing number of issues with cybersecurity and export compliance regulations from the federal government.  There have been multiple violations of export regulations that have led to Voluntary Self-Disclosures to the Bureau of Industry and Security (BIS).  These have included unauthorized exports of biohazards, genetic materials, and information regarding aerospace propulsion and telecommunications.

CVG Strategy Cybersecurity 

As the suit filed against Georgia Tech Research Corp. shows, the U.S. government is serious about protecting CUI.  CVG Strategy information security consulting services help organizations develop comprehensive programs to meet U.S. government cybersecurity requirements.  We can assist in establishing customized programs to address:

  • NIST 800-171
  • CMMC 2.0
  • NIST 800-161
  • NIST 800-53

We can also provide training to make your entire team aware of cyber threats and keep them informed on best practices and the specific policies of your organization.  Additionally, we can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

CVG Strategy is committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

AUKUS Defense Trade Moves Forward

AUKUS Defense Trade

Courtesy Australia Department of Defense

The U.S. Department of State announced on August 15, 2024 that progress had been made in the AUKUS defense trade integration. This has resulted in an interim final rule amendment to the International Traffic in Arms Regulations (ITAR) that will facilitate billions of dollars in secure license-free defense trade between Australia, the United Kingdom, and the United States. The Department of State will now implement a 90-day public comment period to allow industry to provide refinements to the rulemaking process.

Results of New ITAR Rules

These AUKUS defense trade rule changes were implemented largely due to revisions Australia put in place to strengthen its export policies with regard to military articles and technologies.  Under the new rules most military goods can be shared between the three countries.  This will shorten the approval process for exports of ITAR articles and technology to AUKUS participants.  Normally the Directorate of Defense Trade Controls (DDTC), which administers the ITAR, operates on a policy of denial for licensing, which has caused delays in processing exports.

The resulting exemption, as defined in 22 CFR part 126.7, will go into effect on September 1, 2024.  The exemption applies to transfers within the physical territories of the three countries to authorized users that are registered with the DDTC, a U.S. government department, or UK or Australian users identified in the DECCS system.  The exemption will be allowed for most defense articles with the exception of those items found in the Excluded Technology List (ETL).  ETL items will include chemical, biological, and nuclear weapons, for which licensing requirements will stay in place.

AUKUS Background and History

AUKUS is a trilateral security partnership between Australia, the United Kingdom, and the United States that was initiated in 2021. Its initial priority was to facilitate the Royal Australian Navy’s acquisition of nuclear-powered submarines to address threats from China in the Indo-Pacific arena. The strategic partnership has also involved information sharing, counter-hypersonic technologies, cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities.

In May of 2024 the partnership published proposed changes to defense trade controls to create license exemptions for billions of dollars of cutting-edge defense technologies between the neighbor states.  A more complete easing of restrictions in export regulations was hindered by a perception of differences between the participant countries’ export control systems.  The U.S. Department of State has now determined that the control systems of Australia and the UK are sufficiently comparable to move forward with the easing of restrictions.

AUKUS Revisions Affecting the EAR

The Export Administration Regulations (EAR) control the export of commodities by prohibiting or placing licensing requirements on specific items.  The term commodities can include software, technology, and intellectual property.  The EAR are administered and enforced by the Bureau of Industry and Security (BIS).  Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN).  Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item.

The Bureau of Industry and Security (BIS) had published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers between the three countries.  In May 2024 the BIS made corrections to footnote 9 of that publication.  This change, while easing licensing and end use requirements for most items, would leave in place license requirements for firearms-related items and other CCL items.

CVG Strategy Export Compliance Management Programs

AUKUS defense trade integration will ease export restrictions between the nations of the trilateral security partnership; however, export compliance remains a dynamic concern for businesses engaged in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

Academia Research Export Compliance Challenges

Academia Research Export Compliance
Photo by George Pak

The Bureau of Industry and Security (BIS) has released guidance on improving academia research export compliance programs. This guidance is based on recent trends in Voluntary Self-Disclosures conducted by academic institutions where Export Administration Regulations (EAR) violations occurred.

Voluntary Self-Disclosures

A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of United States export regulations have occurred.  It is the responsibility of the organization to report such findings in a timely and transparent manner to the appropriate federal agency.  The three major sets of U.S. regulations for export compliance are the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).

The BIS encourages voluntary disclosures of potential violations of the EAR. When these disclosures are conducted in a timely and comprehensive manner with full cooperation, the BIS will substantially reduce civil penalties. This includes cases where controlled items or technology have been transferred and transactions that involved boycott violations.

Unauthorized Export of Biohazards

Several unauthorized exports of biohazards have occurred at universities due to a lack of knowledge of the specific export control requirements detailed in the Commerce Control List.  A variety of microorganisms and toxins were thus exported, including Dengue-2 virus, pseudorabies virus strains, and genetically modified viruses.

Unauthorized Export to Parties on Entity List

Genetic materials and modified organisms were exported, along with an element commonly used in nuclear reactor control rods, to parties on the Entity List.  The Entity List is a list of parties (persons, entities, and governments) for which trade restrictions are in place.

Deemed Export Violations

Academic institutions disclosed that unauthorized releases of EAR controlled technologies had occurred in the areas of aerospace propulsion, telecommunications, and electronics.  Analysis of the incidents pointed to a lack of awareness of deemed export regulations and insufficient controls.  

Temporary Imports, Export, Reexports, and Transfers

Two voluntary self-disclosures involved improper use of TMP licenses for the hand-carrying of infrared cameras out of the country.  TMP licenses are used for temporary imports, exports, and reexports of controlled items and have a one-year limit, before which the article must be returned.  Again, analysis showed a lack of understanding regarding the use of TMP licenses.

Electronic Export Information

A number of academic institutions reported that they had failed to file exports in the Automated Export System and had listed values of exports below actual cost.  A lack of documented procedures and insufficient training were cited as causes for these incidents.

Recordkeeping

Three incidents involved failure to maintain accurate records of exports.  Export records are to be maintained for a minimum of five years though seven years is often recommended as a conservative measure.  Insufficient training on the importance of recordkeeping practices was cited as the cause of the violations.

The Importance of Proper Training

Regular training is required by the Directorate of Defense Trade Controls (DDTC) and the BIS for all persons involved in an export compliance program.  Export compliance is not just the responsibility of a few team members.  In order to avoid violations of export regulations, every individual having access to or involved in the export of a regulated article or technology must be aware of these regulations and their responsibility to adhere to them.

CVG Strategy Export Compliance Management Programs

The BIS guidance on academia research export compliance illustrates the increasingly dynamic nature of export regulations. Organizations involved in export activities must therefore develop more substantive export compliance programs that keep in step with these changes.

Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. Aggravating factors for export enforcement include the lack of a documented and executed export compliance management program.

CVG Strategy can help you in understanding the International Traffic in Arms Regulations (ITAR) and the EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help you develop robust solutions.

Integrating Physical Security Requirements for Businesses

Integrating Physical Security Requirements
Photo by Pixabay

Integrating physical security requirements is an area of growing concern for organizations of all sizes.  Aside from ensuring basic safety for personnel and physical assets, businesses are faced with security requirements for cybersecurity and export compliance.  This necessitates a non-siloed approach to an often overlooked management function.

Basic Physical Security Measures

Every organization should ensure that basic security risks are addressed to protect personnel, assets, and property.  This can include not only security against human-instigated threats but also plans and mechanisms to protect property and life against acts of nature such as tornadoes and earthquakes.  To address these, management should create and implement security policies and procedures.

Security Measures for Export Compliance

Businesses involved with the export of products that are controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR) are required to protect articles and associated technology from access by foreign persons.  While the details of the required security measures are not specified, it is necessary that organizations perform risk assessments, document necessary controls, perform audits, and detect and report violations.

Cybersecurity Requirements for Physical Environmental Protection

Cybersecurity is a requirement for most businesses, especially for those involved in export controlled items.  These requirements usually center on one or more NIST standards including NIST SP 800-171, NIST SP 800-161, and NIST SP 800-53.  For many, CMMC, which incorporates NIST SP 800-171, is a work in progress to meet Department of Defense contractual requirements for conducting business.

There are numerous provisions for physical and environmental security in these standards:

  • Policy and Procedure – Policies and procedures must be in place that provide scope, security strategy, implementation, assignment of roles and responsibilities, and that define review and updates.
  • Physical Access Authorizations – Documented list of persons with authorized access.
  • Physical Access Control – Controlling ingress, egress, and sensitive areas to ensure that only authorized personnel can obtain access.
  • Access Control for Transmission – Control of physical access to system distribution and transmission lines on the facility.
  • Access Control for Output Devices – Prevention of unauthorized access to output of information.
  • Monitoring for Physical Access – Monitor and review physical access.
  • Monitoring Physical Access (Intrusion Alarms and Surveillance).
  • Visitor Access Records.
  • Numerous controls for power, lighting, fire, environment, water, shipping, work sites, monitoring and tracing of assets, component marking, and electromagnetic pulse protection.

CISA Cybersecurity and Physical Security Convergence

The Cybersecurity & Infrastructure Security Agency (CISA) has released guidance on Cybersecurity and Physical Security Convergence.  It cites a more resilient ability to reduce the risks from security threats and to respond better to security incidents when Chief Information Security Officer (CISO) and Chief Security Officer (CSO) functions are converged.

Convergence case studies conducted between 2017 and 2020 showed improvements in communication, coordination, and collaboration when physical and cyber security functions were coordinated.  This has been of special value in connected operating environments where Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are in use.

The short-term complications of enacting this convergence may seem daunting, but integrated threat management can result in more flexible and sustainable strategies and practices to prevent exposure of proprietary information, economic damage, exposure of controlled articles and technology, and loss of life.

CVG Strategy Information Security Management System Consultants

Integrating physical security requirements is a concern for organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with an ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

CVG Strategy Export Compliance Management Programs

Export compliance requirements are growing in complexity for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

New Export Screening List for Diversion Risks

New Export Screening List
Photo by Mykhailo Volkov

The Bureau of Industry and Security (BIS) has issued guidance that recommends using a new export screening list as additional due diligence to prevent diversion risks.  This new database, the Trade Integrity Project, has been released by the Open Source Center, which is based in the United Kingdom.  This list focuses on entities involved in the diversion of goods related to the Common High Priority Items List (CHPL).

Common High Priority Items List

Since Russia began its invasion of Ukraine in January of 2022, the Department of Commerce has implemented stringent export controls through the Export Administration Regulations (EAR) to restrict Russian access to certain technologies.  CHPL items include items designated in the CCL and certain EAR99-designated electronic component parts and assemblies.  These Common High Priority Items include:

  • Tier 1:  Items critical to the production of precision-guided weapon systems.
  • Tier 2:  Dual-use electronic components associated with regeneration of voice, images, or other data, radar and radio navigation apparatus, tantalum capacitors, ceramic dielectric multilayer capacitors, and electrical parts.
  • Tier 3A:  Electrical parts, certain passive components, antennas, cameras, transducers, photosensitive semiconductors, transistors, crystals, and components.
  • Tier 3B:  Mechanical components used in Russian weapon systems.
  • Tier 4A:  Equipment for the production, manufacturing, or quality control of electrical components, modules, or circuit boards.
  • Tier 4B:  Computer Numerically Controlled (CNC) equipment, and components.

Other Screening Lists

The United States Government maintains the Consolidated Screening List (CSL) as an online consolidation of multiple export screening lists.  The CSL is updated daily and includes tools that can optimize results such as a “fuzzy name search”.  These tools allow for searches without knowing exact spelling of names.  The CSL provides downloadable files that are date stamped to allow accurate record keeping.

The CSL includes screening lists from the Department of State, the Department of Commerce, and the Department of Treasury.  These lists are updated daily and include “fuzzy name search” capabilities that can generate searches for variations in spelling or for names translated into English from non-Latin alphabets.  Lists specific to the EAR include:

  • Denied Persons List – This is a list of entities and individuals that have been debarred from export transactions by the BIS.
  • Unverified List – End users on this list are entities that the BIS has been unable to verify in previous transactions.  If a party to a potential transaction is found on this list it should serve as a “Red Flag” that indicates a level of risk that should be addressed before proceeding with a transaction.
  • Entity List – If a party is found on this list, license requirements apply under the EAR.
  • Military End User (MEU) List – Parties on this list indicate license requirements under supplement number 2 to part 744 of the EAR.

While the CSL provides some benefits to an organization, it does not provide automation or easy implementation into business systems and databases.  Private vendors supply Restricted Party Screening solutions that are affordable and modular. They can provide these screenings automatically and alert users to changes in status.  They also provide more thorough searches across wider sets of lists than the CSL.
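Restricted party screening of the kind described above, as an added example that is not code from CVG Strategy, the BIS, or any CSL tooling: it normalizes names (case, accents, punctuation, corporate suffixes) and applies a fuzzy match so that spelling variants still hit, then records the list version date with each result for record keeping.  The screening entries are constructed and fictitious, the 0.8 threshold is an assumption to tune against your own false-positive tolerance, and the action text for each list follows the list descriptions in this post.

```python
"""Restricted party screening with fuzzy name matching (illustrative example)."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Date stamp of the downloaded list; stored with every screening record.
LIST_VERSION = "2024-09-01"  # assumed value for the example


@dataclass(frozen=True)
class ListedParty:
    source: str            # which screening list the entry comes from
    name: str
    country: str
    aliases: tuple = ()


# Constructed, fictitious entries for illustration only; not real listed parties.
SCREENING_LIST = [
    ListedParty("Entity List", "ACME Technologies, Ltd.", "XX", ("Acme Technologie",)),
    ListedParty("Denied Persons List", "Ivan Petrovich Example", "XX"),
    ListedParty("Unverified List", "Nordwind Trading Company", "XX", ("Nord-Wind Trade",)),
    ListedParty("Military End User (MEU) List", "Example Aerospace Institute", "XX"),
]

# What a hit on each list means for the transaction, per the list descriptions above.
ACTION_BY_SOURCE = {
    "Denied Persons List": "debarred by BIS: do not proceed",
    "Entity List": "EAR license requirements apply: obtain a license determination first",
    "Unverified List": "red flag: resolve before proceeding with the transaction",
    "Military End User (MEU) List": "license requirements under supplement number 2 to part 744 of the EAR",
}

# Corporate suffixes that vary between documents and should not affect the match.
_SUFFIXES = {"ltd", "limited", "llc", "inc", "incorporated", "co", "company", "corp",
             "corporation", "gmbh", "sa", "ag", "plc", "ooo", "zao"}


def normalize(name: str) -> list[str]:
    """Lower-case, strip accents and punctuation, drop corporate suffixes; return tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9\s]", " ", text.casefold())
    return [t for t in text.split() if t not in _SUFFIXES]


def similarity(query: str, candidate: str) -> float:
    """Fuzzy score in [0, 1]: the better of token-set Jaccard and character-level ratio."""
    q, c = normalize(query), normalize(candidate)
    if not q or not c:
        return 0.0
    jaccard = len(set(q) & set(c)) / len(set(q) | set(c))
    ratio = SequenceMatcher(None, " ".join(q), " ".join(c)).ratio()
    return max(jaccard, ratio)


@dataclass
class Hit:
    party: ListedParty
    matched_name: str      # the listed name or alias that produced the best score
    score: float
    action: str
    list_version: str = LIST_VERSION


def screen(query: str, threshold: float = 0.8) -> list[Hit]:
    """Return possible matches scoring at or above threshold, best first."""
    hits = []
    for party in SCREENING_LIST:
        best_name, best = party.name, 0.0
        for name in (party.name, *party.aliases):
            s = similarity(query, name)
            if s > best:
                best_name, best = name, s
        if best >= threshold:
            hits.append(Hit(party, best_name, round(best, 3), ACTION_BY_SOURCE[party.source]))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for customer in ("Acme Technologie GmbH", "Nordwind Trading Co", "Totally Unrelated Bakery"):
        for hit in screen(customer) or [None]:
            if hit is None:
                print(f"{customer!r}: no match (list {LIST_VERSION})")
            else:
                print(f"{customer!r} ~ {hit.matched_name!r} ({hit.party.source}, "
                      f"score {hit.score}): {hit.action}")
```

A screening hit is a trigger for review, not a verdict: the score and the list version are what an auditor later needs to see, so keep the `Hit` record with the transaction file.  Transposed personal names ("Petrovich, Ivan") score lower under this simple metric and need either a lower threshold or a token-order-insensitive comparison, which is the kind of capability the commercial screening tools mentioned above supply.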

CVG Strategy Export Compliance Management Programs

This new export screening list is yet another example of the increased complexity facing organizations involved in export.  Export compliance remains a dynamic concern for businesses engaged in international trade.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the International Traffic in Arms Regulations (ITAR) and the EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

AUKUS Eases Export Restrictions Under ITAR and EAR

AUKUS Eases Export Restrictions
Photo By: Navy Petty Officer 3rd Class Gray Gibson

AUKUS eases export restrictions under ITAR and EAR for certain defense related articles and technologies between the United States, Australia, and the United Kingdom.  This strategic initiative has been taken to enhance the defense capabilities of all three nations to respond to national security threats posed by the People’s Republic of China (PRC) and Russia.

AUKUS is now instituting its pillar 2 objectives to enable Australia to defend its borders and interests in the Indo-Pacific.  This involves implementation of operational and regulatory frameworks to drive collaboration in governmental, academic, and industrial sectors to bolster and modernize Australian defense capabilities.

AUKUS History

AUKUS is a trilateral security partnership between Australia, the United Kingdom, and the United States that was initiated in 2021.  Its initial priority was to facilitate the Royal Australian Navy’s acquisition of nuclear-powered submarines.  The strategic partnership has also involved information sharing, counter-hypersonic technologies, cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities.

In May of 2024 the partnership published proposed changes to defense trade controls to create license exemptions for billions of dollars of cutting-edge defense technologies between the neighbor states.  This would affect both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

AUKUS Revisions Affecting the EAR

The Bureau of Industry and Security (BIS) had published an interim final rule in April 2024 to remove license requirements for exports, reexports, and in-country transfers between the three countries.  In May 2024 the BIS made corrections to footnote 9 of that publication.  This change, while easing licensing and end use requirements for most items, would leave in place license requirements for firearms-related items and other CCL-controlled items.

These items include ECCNs 0A501 (except 0A501.y), 0A502, 0A503, 0A504, 0A505.a, .b, and .x, 0A981, 0A982, 0A983, 0D501, 0D505, 0E501, 0E502, 0E504, 0E505, and 0E982. 

AUKUS Revisions Affecting the ITAR

The ITAR has often been viewed by many in the business community as a choke point for this shared defense innovation.  This has often been caused by a perceived disconnect between policy makers and the challenges businesses face in exporting defense technologies.  Many involved in the development, manufacture, and export of defense items find that the greatest project delays have been caused by ITAR licensing requirements.

The Directorate of Defense Trade Controls (DDTC) currently exempts permanent and temporary export of designated unclassified items to Canada.  This was created in part because the Canadian government has instituted a compliance control regime that is largely harmonized to that of the Arms Export Control Act of the United States.

While some exemptions currently exist for Australia, they do not cover all technologies envisioned by AUKUS.  At present many transactions are occurring under Foreign Military Sales (FMS), which is a government-to-government transaction.  To move past these barriers, interim changes have been made to provide frameworks for Direct Commercial Sales (DCS).

Further steps will be taken to identify programs specific to AUKUS, identify technologies not eligible, and identify which communities in each country would have access to technologies to prevent unwanted diversions.  The final approach will be agreed between the Department of State and Congress.  Additionally, the Department will be seeking commitments from partners on shared standards for protecting exchanged materials and information.

Australian Initiatives for Breakthroughs

In 2023 Australian Deputy Prime Minister Richard Marles stated that Australia was pursuing innovation within its regulatory system while pursuing legislative change and international agreements.  The country has made progress in aligning its export and trade regulations to streamline processes.

CVG Strategy Export Compliance Management Programs

As AUKUS eases export restrictions between the nations of the trilateral security partnership, export compliance remains a dynamic concern for businesses engaged in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

NIST Special Publication 800-53 Controls

NIST Special Publication 800-53

NIST Special Publication 800-53 is a catalog of security and privacy controls released by the National Institute of Standards and Technology for U.S. federal information systems.  It includes key steps in the Risk Management Framework for the selection of appropriate security controls for information systems.  Compliance with these framework standards and guidelines is a requirement for federal agencies and federal contractors under Federal Information Processing Standard (FIPS) 200.

This catalog of security and privacy controls is harmonized with the controls in Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171), which is a requirement for businesses doing business with the federal government to protect Controlled Unclassified Information (CUI).  SP 800-53 has two companion guidelines: SP 800-53A provides implementation guidance for each step of the Risk Management Framework, and SP 800-53B assists in management framework security control selection.

SP 800-53A is also applicable to NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations which addresses the risks to information systems and operational technology presented by information exchanges with suppliers, acquirers, and external service providers.  This standard utilizes Cybersecurity Supply Chain Risk Management (C-SCRM) processes to assess appropriate procedures, processes, policies, and strategies.

Control Families

The NIST Special Publication 800-53 families of controls designed to safeguard system and information integrity, and organizational operations and assets are as follows:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Control Assessments (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • Personally Identifiable Information Processing and Transparency (PT)
  • Risk Assessment (RA)
  • Systems and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Patch Released to Address Minor Changes

In November of 2023 NIST released a patch to address minor changes in the standard.  The change adds a control enhancement to the Identification and Authentication control family to provide for the protection of cryptographic keys, verification of identity assertions and access tokens, and token management.  Organizations already implementing SP 800-53r5 are not mandated to implement these changes.

CMMC Requirements

In 2013 the Defense Federal Acquisition Regulation Supplement (DFARS) 252-204-7000 went into effect in an effort to establish requirements for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held by DoD contractors in the Defense Industrial Base.  This was followed by the DFARS clause 7012 in 2016, which established NIST SP 800-171 as the mechanism for providing this desired protection.

In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying levels of cyber hygiene of an organization.  Following industry professionals’ concerns for the complexity, cost, and proposed timeline, the DoD released CMMC 2.0 in 2021.  Among other changes, the levels for compliance were reduced from five to three.  

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that they are required to meet challenging information security levels to meet the requirements of conducting business with governmental agencies.  To assist businesses in meeting the challenges of adopting a variety of NIST Special Publication 800-53 and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Photo courtesy R. Jacobson/NIST

Statute of Limitation for Sanctions Extended to Ten Years

Statute of Limitation for Sanctions
Photo by Aaron Kittredge

President Biden signed H.R. 815 into law on April 24, 2024 to address specific foreign policy and national security issues.  This legislation includes an extension (Section 3111) of the statute of limitations under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) from five to ten years.  This statute of limitations is applicable to criminal and civil violations of sanctions regulations administered by multiple agencies.

The specific verbiage of the law is as follows:  “An action, suit, or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise, under this section shall not be entertained unless commenced within 10 years after the latest date of the violation upon which the civil fine, penalty, or forfeiture is based.”  The law will also further harmonize United States sanctions specific to Russia with those imposed by the UK and EU.

This new legislation will affect nearly all existing U.S. sanctions.  The IEEPA is the statutory authority behind the sanctions programs enforced by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Bureau of Industry and Security (BIS).  The law does not specify whether this change is retroactive.

Possible Concerns for Organizations Involved in Export

This change in the statute of limitations raises numerous concerns for businesses involved in the export of regulated items.

  1. Moving forward, businesses will likely be required to retain records for at least ten years.  As a conservative practice, twelve years may be appropriate.
  2. Businesses currently under investigation may experience increased scrutiny of export activities that overlap or precede the previous five-year limitation.
  3. Merger and acquisition activities currently underway or being planned should adjust the scope of their audit activities to reflect this increased liability.
  4. Existing legal agreements between companies may need to be revised.
  5. Organizations’ export compliance programs will require immediate adjustment to ensure due diligence.

CVG Strategy Export Compliance Management Programs

As these latest changes to the statute of limitations for sanctions violations illustrate, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out so as to prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Cyber-Intrusion and Data Exfiltration Concerns for BIS

Photo by Freepik

Cyber-intrusion and data exfiltration are subjects of increased concern for the Bureau of Industry and Security (BIS).  In its March 2024 release of Don’t Let This Happen to You!, BIS reiterates its growing role in export enforcement to protect U.S. national security and foreign policy interests.  It emphasizes the importance of developing effective export compliance programs for organizations involved in transactions subject to the Export Administration Regulations (EAR).

This report also addresses the prevention of data exfiltration and the incorporation of cybersecurity protocols into an organization’s Export Compliance Program (ECP).  Specifically, the report recommends documenting protocols for notifying BIS of security incidents that result in loss or leakage of controlled technology data.

The report notes that notification of data exfiltration is separate and distinct from the filing of a Voluntary Self-Disclosure (VSD), and that reporting data theft allows BIS to work with its interagency partners to identify and prosecute malicious actors.

Protection of Controlled Technology

While it is incumbent on organizations involved in export to protect controlled technology from “deemed exports”, BIS does not define specific cybersecurity controls for data security.  A deemed export is the release of technology or source code subject to the EAR to a foreign national within the United States.  Situations that can involve release of U.S. technology or software include:

  • Tours of facilities with foreign visitors
  • Foreign national employees involved in certain research, development, and manufacturing activities (I-9 Work Visa, DACA)
  • Foreign students or scholars conducting research

NIST Cybersecurity Framework

BIS, in an effort to address the need for cybersecurity measures, recommends that organizations refer to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to establish plans for implementing, improving, and maintaining an information security program.  The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, provides guidance on practices and controls for data protection applicable to managing risk.

This framework was designed to help organizations and industries in all sectors and of all sizes.  It is targeted towards a broad audience including executives, managers, and cybersecurity professionals to assist organizations in reaching their desired level of security. 

The document is comprised of three major components: the CSF Core, which outlines high-level activities used to define requirements; Organizational Profiles, for tailoring a program based on an organization’s objectives, expectations, and threat landscape; and CSF Tiers, for establishing the level of risk management.

CSF Core

The CSF Core outlines high-level functions for the creation and organization of a cybersecurity program.  These core functions are:

    • Govern (GV) – These are policy-level activities that are critical for integrating cybersecurity into the organization’s enterprise risk management (ERM).  They include the establishment, communication, and monitoring of cybersecurity risk strategy.
    • Identify (ID) – Identification activities include the documentation of assets such as data, hardware, systems, people, and suppliers.  This function aids in the formation of adequate policies and processes for cybersecurity.
    • Protect (PR) – This includes a large number of controls and activities, including authentication, access control, data security, and training.
    • Detect (DE) – This function covers the detection and analysis of incidents of unauthorized access to sensitive information.
    • Respond (RS) – This category includes incident management activities such as incident handling, analysis, communication, and mitigation.
    • Recover (RC) – These activities are aimed at reducing downtime when responding to cyber events.  They include recovery plan execution and recovery communication.

CSF Profiles

Profiles can be created to tailor and prioritize an organization’s cybersecurity requirements.  A profile can describe the current state of an organization (a Current Profile), a targeted state of desired outcomes (a Target Profile), or the baseline for a specific sector (a Community Profile).  Profiles can assist in gap analysis and in generating a Plan of Action and Milestones (POA&M) to be carried out within a program of continual improvement.  NIST provides an organizational profile template spreadsheet.

CSF Tiers

Cybersecurity Framework Tiers characterize the level of rigor an organization applies to preventing cyber-intrusion and data exfiltration.  There are four defined tiers: Partial, Risk Informed, Repeatable, and Adaptive.  The highest tier, Adaptive, involves an organization-wide approach to risk management and includes decision making based on current and predictive risk and the incorporation of continuous improvement methodologies.

Existing Cybersecurity Requirements for Government Contracts

Numerous requirements are already in effect for those companies engaged in business with the Federal Government.  For those involved with contracts with the Department of Defense, CMMC 2.0 will be required.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and standards for non-governmental organizations that handle Controlled Unclassified Information (CUI).  It requires that a third-party assessment be conducted every three years for information deemed critical to national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

CVG Strategy Export Compliance Management Programs

As this BIS publication points out, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

CVG Strategy Information Security Management System Consultants

Cyber-intrusion and data exfiltration are a concern to organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and the necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with an ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

Global Challenges for Cybersecurity Resilience

Photo by benzoix

Global challenges for cybersecurity resilience were outlined in a recent report from the World Economic Forum.  The report, Global Cybersecurity Outlook 2024, analyzes the state of inequity in achieving cyber security, the impacts of geopolitics on the cyber risk landscape, the effects of emerging technologies such as Artificial Intelligence (AI), and the shortage of qualified people to address these security challenges.

Cyber Inequity on the Rise

The report stresses that there is a growing divide between organizations that have developed mature systems for protecting sensitive data and those struggling to develop effective defenses from cyber threats.  Small and medium enterprises (SME) are among those most affected by this disparity, especially those located in underdeveloped economies.

Aside from having less than adequate cyber resilience, only 25% of SMEs carry cyber insurance, as compared with 85% of organizations with 100,000 or more employees.  This should cause alarm given the number of data breaches occurring and the fact that many SMEs fail to recover from these cyberattacks.

Geopolitical Influences and the Threat Environment

Numerous nations are involved in nefarious activities aimed at global supply chains and critical infrastructure.  This is causing CISOs to adapt their cybersecurity postures and strategies.  Geopolitical influences are also targeting societal and political entities with deepfakes and phishing campaigns weaponized against elections. Areas of concern outside of the private sector are misinformation, automated disinformation, data privacy, and algorithmic manipulation of social media data.

Skills Gap in Cybersecurity Landscape

There is a worldwide shortage of a capable workforce for the design, implementation, and maintenance of systems for the protection of sensitive information.  Of those surveyed in the report, 20% stated that they do not have the necessary skills in their organization to accomplish their cyber objectives.  Additionally, there is an ongoing challenge of retaining the skilled personnel an organization already employs.

Organizations are opting for certifications and short educational courses in lieu of formal university education to fill this gap.  Many small organizations that face revenue issues are encouraging employees to upskill because they cannot afford to hire qualified personnel.

A Changing Risk Environment

Organizational leaders are concerned about loss of access to goods and services and cyber extortion.  Of those polled, 29% stated that their companies had experienced such situations in the last year.  This is especially concerning because more than 60% of these leaders outside of Europe and North America do not carry cyber insurance.

Other perceived risks of high concern were loss of money or data, identity theft, and being monitored.  When queried about significant barriers to achieving cyber resilience, business leaders cited lack of resources, the cost of migrating from legacy systems, cultural resistance, not knowing where to start, lack of executive support, and a perception that the risk does not warrant the investment.

Emerging Technologies

A number of emerging technologies have created challenges for cyber resilience.  Most industry leaders reported that they felt more exposed to cybercrime than in previous years.  The use of new technologies by cybercriminals increases both the speed and adaptability of their attacks.  Despite these trends, most cyber leaders queried stated that they would maintain their focus on established cyber practices.

Top Management Buy In

A positive takeaway from this study was the number of business leaders who are concerned about cybersecurity and actively engaged with their information security programs.  Over 90% of cybersecurity leaders trust their CEOs to communicate externally about cyber issues.  This is important because an essential component of a cyber resilience program is its integration into enterprise risk management processes.

Governance Issues

While many governments are actively promoting cyber resilience, many critical gaps have yet to be addressed.  One such issue is the imbalance of responsibility for security between technology producers and consumers.  There is a real need to shift responsibility for ensuring safety from the organizations and individuals who purchase technology to the producers of that technology.

The current status is representative of immature industries.  As in other sectors, governance will have to step in to ensure that players in technology play an appropriate part in the necessary maintenance of trust of goods throughout their life cycles.

Moving Towards a Better Future

Collaboration is a key factor in bettering the cyber environment.  Organizations must share responsibility with suppliers, partners, regulators, and industry peers.  The entire structure is only as strong as its weakest link.  Most industry leaders are not optimistic about such collaboration in the immediate future.  

Views on regulations are positive with regard to reduction of risk in their organization.  Unfortunately, many leaders felt that regulations were too numerous and often conflicting internationally.  They also stated that often the requirements were too technically difficult to achieve and required excessive resources.

Supply Chain Cyber Resilience

Given that collaboration is essential to maintaining information security, it is concerning to note that 54% of parties queried felt that they had insufficient knowledge of vulnerabilities in their supply chain.  Again, this cyber maturity gap was more pronounced in medium and small companies.  The importance of this issue was illustrated by the fact that 41% of the organizations had experienced a cyber incident that originated from a third party.

Takeaways from the Report

Global challenges for cybersecurity will remain a concern for the foreseeable future.  The struggle of medium and small organizations to design, implement, and maintain effective solutions to the threat landscape will affect everyone in the global economy.  There are no simple solutions to these issues.  In all probability, an organization’s ability to adopt best practices and be a trusted partner will determine its long-term survivability.

CVG Strategy Information Security Management System Consultants

Global challenges for cybersecurity are a concern to organizations of all sizes.  While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and the necessary talent are often in short supply.  To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with an ISO 27001 Information Security Management System.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It brings processes, facility security, people, and IT systems together under best practices.  It also involves a continual improvement approach so that threats can be assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, the creation of internal auditing processes, and much more.

Nicaragua Export Restrictions Increased by U.S.

Photo by Sascha Hormel

Nicaragua export restrictions have been increased by both the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security (BIS) as of March of 2024.  These actions were taken in response to United States national security and foreign policy concerns regarding the continuing deterioration of the nation’s human rights, civil institutions, and Nicaragua’s increased cooperation with Russia.

DDTC Specific Regulatory Changes

The DDTC, which, under the authority of the Department of State, administers the International Traffic in Arms Regulations (ITAR), has added Nicaragua to the list of countries for which it, by policy, denies approvals for the export or import of defense articles and services.  Under this revision of the ITAR, Nicaragua has been added to the list of countries detailed in 22 CFR 126.1, Prohibited exports, imports, and sales to or from certain countries.

This policy of denial applies to all defense articles and services.  The only exceptions to this policy are imports or exports where the military equipment is intended solely for humanitarian assistance, including natural disaster relief.  License applications under these exceptions are reviewed on a case-by-case basis.

Further restrictions were added under 22 CFR 129.7, Policy on embargoes and other proscriptions.  This action prohibits brokering activities involving the listed countries.  As the effect of this rulemaking is perceived to have minimal consequences for federal agencies or private organizations and groups, these restrictions do not require interagency analysis.

BIS Specific Regulatory Changes

BIS, which administers the Export Administration Regulations (EAR), has moved Nicaragua from Country Group B to Country Group D:5.  Group B countries are countries for which licensing is generally available.  Group D countries have fewer license exceptions and include around 50 countries such as Syria, Russia, Iran, Yemen, and Venezuela.  This group is divided into five areas of concern: D:1 National Security, D:2 Nuclear, D:3 Chemical & Biological, D:4 Missile Technology, and D:5 U.S. Arms Embargoed Countries.

This new level of restriction affects the export, reexport, and transfer of items subject to the EAR, including commodities, software, and technology.  Previous actions taken by BIS include the addition of the Nicaraguan National Police to the Entity List and restrictions on items destined for the country’s security and military agencies.  BIS has taken these actions as part of an ongoing effort to promote human rights and democracy.

A Call to Action for Businesses Involved in Export

Export regulations have been in a constant state of flux for the last decade as the Federal Government has used these powerful tools to pursue its national security and foreign policy objectives.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals and Blocked Persons List and the Entity List, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).   These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out so as to prevent violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

As these latest Nicaragua export restrictions illustrate, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.