NIST Special Publication 800-53 Controls


NIST Special Publication 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST) for U.S. federal information systems and organizations.  The catalog is used in the control selection step of the NIST Risk Management Framework (RMF), in which an organization chooses the controls appropriate to a system's impact level.  Use of these standards and guidelines is mandatory for federal agencies, and for contractors operating systems on their behalf, under Federal Information Processing Standard (FIPS) 200.

The catalog is harmonized with the requirements of Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171), which nonfederal organizations doing business with the federal government must meet in order to protect Controlled Unclassified Information (CUI); the SP 800-171 requirements are derived from a subset of the SP 800-53 controls.  SP 800-53 has two companion publications: SP 800-53A, Assessing Security and Privacy Controls, provides the assessment procedures used to verify that each control is implemented and operating as intended, and SP 800-53B, Control Baselines for Information Systems and Organizations, defines the low, moderate, and high baselines from which controls are selected and tailored.

The SP 800-53 controls, in particular the Supply Chain Risk Management (SR) family, are also the basis for NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which addresses the risks to information systems and operational technology that arise from relationships with suppliers, developers, system integrators, and external service providers.  That guidance describes Cybersecurity Supply Chain Risk Management (C-SCRM) processes for identifying, assessing, and mitigating those risks through appropriate policies, procedures, and strategies across the enterprise.

Control Families

SP 800-53 Revision 5 organizes its controls, which protect both the integrity of systems and information and the organization's operations and assets, into the following twenty families:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Assessment, Authorization, and Monitoring (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • Personally Identifiable Information Processing and Transparency (PT)
  • Risk Assessment (RA)
  • Systems and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Patch Released to Address Minor Changes

In November 2023 NIST released Patch Release 5.1.1 of SP 800-53, a minor update to the catalog.  The update adds one control to the Identification and Authentication family, IA-13 (Identity Providers and Authorization Servers), with three enhancements covering the protection of cryptographic keys, the verification of identity assertions and access tokens, and token management.  NIST characterizes the patch as optional: organizations already implementing SP 800-53 Revision 5 are not required to adopt it.

CMMC Requirements

In 2013 Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 went into effect to establish requirements for safeguarding unclassified controlled technical information held by Department of Defense (DoD) contractors in the Defense Industrial Base.  The clause was substantially revised in 2016 to cover Controlled Unclassified Information (CUI) more broadly and to designate NIST SP 800-171 as the standard for providing this protection; the basic safeguarding of Federal Contract Information (FCI) is addressed separately by FAR 52.204-21.

In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying an organization's level of cyber hygiene.  Following industry concerns about the complexity, cost, and proposed timeline, DoD released CMMC 2.0 in November 2021.  Among other changes, the number of compliance levels was reduced from five to three.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational comprises the 17 practices described in FAR 52.204-21 for the protection of FCI and requires an annual self-assessment.
  • CMMC Level 2 – Advanced comprises the 110 security requirements of NIST SP 800-171 Revision 2, the set of practices that non-governmental organizations handling CUI must implement.  Contractors handling information deemed critical to national security must undergo a third-party assessment every three years; other Level 2 contractors perform an annual self-assessment.
  • CMMC Level 3 – Expert adds to the 110 Level 2 practices a further set of enhanced requirements drawn from NIST SP 800-172, and requires triennial assessments conducted by government assessors.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that they must meet demanding information security requirements in order to conduct business with government agencies.  To assist businesses in meeting the challenges of adopting the various NIST Special Publication 800-53 and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems in the practice of established best practices.  It also involves a continual improvement approach so that threats can be assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and operate an ISMS and make it meet your objectives.  This process includes defining the context of your organization, creating internal auditing processes, and much more.


Statute of Limitation for Sanctions Extended to Ten Years


President Biden signed H.R. 815 into law on April 24, 2024 to address a range of foreign policy and national security matters.  Section 3111 of the legislation extends the statute of limitations for violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) from five to ten years.  The extended period applies to both criminal and civil violations of the sanctions regulations issued under those statutes, which are administered by several agencies.

The specific language of the law is as follows:  “An action, suit, or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise, under this section shall not be entertained unless commenced within 10 years after the latest date of the violation upon which the civil fine, penalty, or forfeiture is based.”  The law also further harmonizes United States sanctions specific to Russia with those imposed by the UK and EU.

The change affects nearly all existing U.S. sanctions programs, since IEEPA is the statutory authority underlying most of the programs administered by the Department of the Treasury's Office of Foreign Assets Control (OFAC) and certain controls administered by the Department of Commerce's Bureau of Industry and Security (BIS).  The law does not state whether the longer period applies to violations that occurred before its enactment.

Possible Concerns for Organizations Involved in Export

The longer limitation period raises several concerns for businesses involved in the export of regulated items:

  1. Businesses will likely need to retain transaction records for at least ten years; a conservative practice would be twelve years.
  2. Businesses currently under investigation may face increased scrutiny of export activities that overlap with or precede the previous five-year limit.
  3. Merger and acquisition due diligence now underway or being planned should widen the scope of its audits to reflect the longer period of exposure.
  4. Existing legal agreements between companies may need to be revised.
  5. Export compliance programs will need to be adjusted promptly to ensure continued due diligence.

CVG Strategy Export Compliance Management Programs

As the latest change to the statute of limitations for sanctions violations illustrates, export compliance is a growing and dynamic concern for businesses selling items that are intended for export or that could end up being exported.  Failure to comply can result in criminal prosecution, including imprisonment and fines, as well as civil penalties and debarment from export activities.

Export Compliance Management Programs establish clearly defined policies and procedures for every department in an organization.  They ensure that registration, item classification, license applications, denied-party screening, and security measures are in place to prevent violations, and that training, auditing, and record keeping are maintained as required.

CVG Strategy can help you understand the ITAR and EAR and establish a coherent and effective export compliance program.  We can perform export control classifications, conduct audits, assist with export license filings, and educate your team.  Whether your business falls under the EAR or the ITAR, CVG Strategy has the expertise to help.

Cyber-Intrusion and Data Exfiltration Concerns for BIS


Cyber-intrusion and data exfiltration are subjects of increased concern for the Bureau of Industry and Security (BIS).  In the March 2024 edition of its publication Don't Let This Happen to You!, BIS reiterates its growing role in export enforcement to protect U.S. national security and foreign policy interests, and emphasizes the importance of an effective export compliance program for any organization involved in transactions subject to the Export Administration Regulations (EAR).

The publication also addresses the prevention of data exfiltration and the incorporation of cybersecurity protocols into an organization's Export Compliance Program (ECP).  Specifically, it recommends documenting a procedure for notifying BIS of security incidents that result in the loss or leakage of controlled technology.

It notes that such a notification is separate and distinct from the filing of a Voluntary Self-Disclosure (VSD), and that reporting data theft allows BIS to work with its interagency partners to identify and prosecute the malicious actors involved.

Protection of Controlled Technology

Organizations involved in export are responsible for protecting controlled technology against unauthorized deemed exports, but BIS does not prescribe specific cybersecurity controls for data security.  A deemed export is the release of technology or source code subject to the EAR to a foreign person within the United States.  Situations that can involve such a release include:

  • Tours of facilities with foreign visitors
  • Foreign national employees involved in certain research, development, and manufacturing activities (for example, employees on work visas or with DACA status)
  • Foreign students or scholars conducting research

NIST Cybersecurity Framework

To address the need for cybersecurity measures, BIS recommends that organizations refer to the NIST Cybersecurity Framework to establish plans for implementing, improving, and maintaining an information security program.  The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, provides guidance on outcomes and practices for managing cybersecurity risk, including the protection of data.

This framework was designed to help organizations and industries in all sectors and of all sizes.  It is targeted towards a broad audience including executives, managers, and cybersecurity professionals to assist organizations in reaching their desired level of security. 

The framework has three major components: the CSF Core, which outlines the high-level outcomes an organization should achieve; Organizational Profiles, used to tailor the framework to the organization's objectives, expectations, and threat landscape; and CSF Tiers, which characterize the rigor of the organization's risk management practices.

CSF Core

The CSF Core outlines high-level functions for the creation and organization of a cybersecurity program.  These core functions are:

    • Govern (GV) – Policy-level activities that integrate cybersecurity into the organization's enterprise risk management (ERM), including establishing, communicating, and monitoring the organization's cybersecurity risk management strategy, expectations, and policy.
    • Identify (ID) – Understanding the organization's current cybersecurity risks, beginning with an inventory of assets such as data, hardware, software, systems, people, and suppliers.  This function informs the policies and processes used to prioritize cybersecurity efforts.
    • Protect (PR) – Safeguards that manage the identified risks, including identity management, authentication and access control, awareness and training, data security, platform security, and the resilience of the technology infrastructure.
    • Detect (DE) – Finding and analyzing possible cybersecurity attacks and compromises, including continuous monitoring and analysis of adverse events such as unauthorized access to sensitive information.
    • Respond (RS) – Actions taken regarding a detected incident, including incident management, analysis, mitigation, reporting, and communication.
    • Recover (RC) – Restoring assets and operations affected by an incident to reduce downtime, including execution of the recovery plan and communication with internal and external stakeholders.

CSF Profiles

Profiles can be created to tailor and prioritize an organization’s cyber requirements.  These profiles can be created to reflect the current profile of an organization, a targeted profile of desired outcomes, and a community profile that is used for a specific sector.   Profiles can assist in gap analysis and the generation of a Plan of Action and Milestones (POA&M) to be instituted in a program of continual improvement.  NIST provides an organizational profile template spreadsheet.  

CSF Tiers

The CSF Tiers characterize the rigor of an organization's cybersecurity risk governance and management practices; they are a tool for self-assessment rather than a required level of protection against cyber-intrusion and data exfiltration.  There are four tiers: Partial, Risk Informed, Repeatable, and Adaptive.  At the highest tier, Adaptive, the organization-wide approach to risk management includes decision making based on current and predictive risk indicators and the incorporation of continuous improvement.

Existing Cybersecurity Requirements for Government Contracts

Numerous requirements are already in effect for those companies engaged in business with the Federal Government.  For those involved with contracts with the Department of Defense, CMMC 2.0 will be required.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational comprises the 17 practices described in FAR 52.204-21 for the protection of Federal Contract Information and requires an annual self-assessment.
  • CMMC Level 2 – Advanced comprises the 110 security requirements of NIST SP 800-171 Revision 2, the set of practices that non-governmental organizations handling Controlled Unclassified Information (CUI) must implement.  Contractors handling information deemed critical to national security must undergo a third-party assessment every three years; other Level 2 contractors perform an annual self-assessment.
  • CMMC Level 3 – Expert adds to the 110 Level 2 practices a further set of enhanced requirements drawn from NIST SP 800-172, and requires triennial assessments conducted by government assessors.


Global Challenges for Cybersecurity Resilience


Global challenges for cybersecurity resilience were outlined in a recent report from the World Economic Forum.  The report, Global Cybersecurity Outlook 2024, analyzes the state of inequity in achieving cyber security, the impacts of geopolitics on the cyber risk landscape, the effects of emerging technologies such as Artificial Intelligence (AI), and the shortage of qualified people to address these security challenges.

Cyber Inequity on the Rise

The report stresses that there is a growing divide between organizations that have developed mature systems for protecting sensitive data and those struggling to develop effective defenses against cyber threats.  Small and medium enterprises (SMEs) are among those most affected by this disparity, especially those located in less developed economies.

Aside from having less than adequate cyber resilience, only 25% of SMEs carry cyber insurance as compared with 85% for organizations with 100,000 or more employees.  This should cause alarm given the number of data breaches occurring and the fact that many SMEs fail to recover from these cyber attacks.

Geopolitical Influences and the Threat Environment

Numerous nation states are engaged in malicious activity aimed at global supply chains and critical infrastructure, which is forcing CISOs to adapt their cybersecurity postures and strategies.  Geopolitically motivated actors are also targeting societal and political institutions with deepfakes and phishing campaigns weaponized against elections.  Areas of concern outside the private sector include misinformation, automated disinformation, data privacy, and algorithmic manipulation of social media.

Skills Gap in Cybersecurity Landscape

There is a worldwide shortage of people capable of designing, implementing, and maintaining systems for the protection of sensitive information.  Of the organizations surveyed for the report, 20% stated that they lack the skills needed to accomplish their cyber objectives.  Retaining the skilled personnel an organization does have is an ongoing challenge.

To fill this gap, organizations are turning to certifications and short courses in lieu of formal university education.  Many small organizations facing revenue pressure are encouraging existing employees to upskill because they cannot afford to hire qualified personnel.

A Changing Risk Environment

Organizational leaders are concerned about loss of access to goods and services and about cyber extortion.  Of those polled, 29% stated that their companies had experienced such situations in the last year.  This is of particular concern because more than 60% of these leaders outside Europe and North America do not carry cyber insurance.

Other perceived risks of high concern were loss of money or data, identity theft, and being monitored.  When asked about significant barriers to achieving cyber resilience, business leaders cited lack of resources, the cost of migrating from legacy systems, cultural resistance, not knowing where to start, lack of executive support, and a perception that the risk does not warrant the investment.

Emerging Technologies

A number of emerging technologies have created challenges for cyber resilience.  Most industry leaders reported that they felt more exposed to cybercrime than in previous years.  The use of new technologies by cybercriminals increase both the speed and adaptability of their attacks.  Despite these trends most cyber leadership queried stated that they would maintain their focus on established cyber practices.

Top Management Buy In

A positive take away from this study was in the numbers of business leaders that are concerned about cybersecurity and are actively engaged with their information security programs.  Over 90% of cybersecurity leaders trust their CEOs to communicate externally about cyber issues.  This is important because an essential component to a cyber resilience program is its integration into the enterprise risk management processes.

Governance Issues

While many governments are actively promoting cyber resilience, many critical gaps have yet to be addressed.  One such issue is the imbalance of responsibility for security between technology producers and consumers.  There is a real need to shift responsibility for ensuring safety from the organizations and individuals who purchase technology to the producers of that technology.

The current status is representative of immature industries.  As in other sectors, governance will have to step in to ensure that players in technology play an appropriate part in the necessary maintenance of trust of goods throughout their life cycles.

Moving Towards a Better Future

Collaboration is a key factor in bettering the cyber environment.  Organizations must share responsibility with suppliers, partners, regulators, and industry peers.  The entire structure is only as strong as its weakest link.  Most industry leaders are not optimistic about such collaboration in the immediate future.  

Leaders generally view regulations as reducing risk in their organizations.  Unfortunately, many felt that regulations were too numerous and often conflicting across jurisdictions, and that the requirements were often too technically difficult to achieve or required excessive resources.

Supply Chain Cyber Resilience

Given that collaboration is essential in maintaining information security, it is concerning that 54% of the parties surveyed felt they had insufficient knowledge of the vulnerabilities in their supply chain.  Again, this cyber maturity gap was more pronounced in small and medium companies.  The importance of the issue is illustrated by the finding that 41% of organizations had experienced a cyber incident that originated with a third party.

Take Aways from the Report

Global challenges for cybersecurity will remain a concern for the foreseeable future.  The struggle of small and medium organizations to design, implement, and maintain effective defenses against the threat landscape will affect everyone in the global economy.  There are no simple solutions to these issues.  In all probability an organization's ability to adopt best practices and be a trusted partner will determine its long-term survivability.


Nicaragua Export Restrictions Increased by U.S.


Nicaragua export restrictions were increased by both the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security (BIS) in March 2024.  These actions were taken in response to U.S. national security and foreign policy concerns about the continuing deterioration of human rights and civil institutions in Nicaragua and the country's increased cooperation with Russia.

DDTC Specific Regulatory Changes

The DDTC, which administers the International Traffic in Arms Regulations (ITAR) under the authority of the Department of State, has added Nicaragua to the list of countries for which it denies, as a matter of policy, approvals for the export or import of defense articles and defense services.  Under this revision of the ITAR, Nicaragua is now among the countries listed in 22 CFR 126.1, Prohibited exports, imports, and sales to or from certain countries.

This policy of denial applies to all defense articles and defense services.  The only exception is for exports or imports intended solely for humanitarian assistance, including natural disaster relief, and license applications claiming that exception are reviewed on a case-by-case basis.

Further restrictions were added under 22 CFR 129.7, Policy on embargoes and other proscriptions, which prohibits brokering activities involving the listed countries.  Because the rulemaking was judged to have minimal consequences for federal agencies and private organizations, it did not require interagency regulatory analysis.

BIS Specific Regulatory Changes

The BIS, which administers the Export Administration Regulations (EAR), has moved Nicaragua from Country Group B to Country Group D:5.  Group B countries are those for which licenses are generally available.  Group D countries enjoy fewer license exceptions; the group includes around 50 countries such as Syria, Russia, Iran, Yemen, and Venezuela, and is divided into five areas of concern: D:1 National Security, D:2 Nuclear, D:3 Chemical and Biological, D:4 Missile Technology, and D:5 U.S. Arms Embargoed Countries.

This new level of restriction affects the export, reexport, and in-country transfer of items subject to the EAR, including commodities, software, and technology.  Previous BIS actions include the addition of the Nicaraguan National Police to the Entity List and restrictions on items destined for the country's security and military agencies.  BIS has taken these actions as part of an ongoing effort to promote human rights and democracy.

A Call to Action for Businesses Involved in Export

Export regulations have been in a constant state of flux for the last decade as the Federal Government has used these powerful tools to pursue its national security and foreign policy objectives.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023 they produced a record number of convictions and denial orders, and numerous parties were placed on the Specially Designated Nationals and Blocked Persons List and the Entity List, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by maintaining a viable Export Compliance Management Program (ECMP).  Such programs are expected by the agencies administering both the EAR and the International Traffic in Arms Regulations (ITAR), and a documented program is a mitigating factor should a violation occur.  While most businesses subject to the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.


Foreign Based Businesses and U.S. Export Compliance


Foreign-based businesses and persons involved in the reexport of items controlled under the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) are subject to those regulations and to the associated sanctions.  The same holds for foreign producers whose products incorporate controlled U.S.-origin content above the applicable de minimis threshold, and for producers that use U.S.-origin technology, software, or production equipment.

Tri-Seal Compliance Note Stresses Foreign Based Persons Obligations

This message was reinforced in a recent Tri-Seal Compliance Note issued jointly by the U.S. Department of Commerce, Department of the Treasury, and Department of Justice, through agencies including the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC).  The note is intended to raise awareness of these obligations and to help organizations outside the United States mitigate the risk of non-compliance.

Applicability of Sanctions to Foreign Persons

Certain U.S. sanctions programs apply to foreign persons, and violations can result in civil or criminal penalties.  These economic and trade sanctions target foreign jurisdictions, regimes, entities, and individuals involved in terrorism, narcotics trafficking, the proliferation of weapons of mass destruction, and other activities threatening U.S. national security and foreign policy interests.

Non-U.S. persons may be prosecuted for conspiring to cause U.S. entities or persons to engage in violation or evasion of these sanctions.  The OFAC has been actively involved in this aspect of export enforcement in cases involving hiding references of sanctioned entities in financial transactions, misleading U.S. persons on ultimate destination of controlled goods, or routing prohibited transactions through U.S. financial institutions.  Settlements in these cases have resulted in multi-million dollar penalties against the involved parties.

Bureau of Industry and Security and the EAR

The Bureau of Industry and Security (BIS) administers and enforces the Export Administration Regulations (EAR).  These regulations control the export of commodities by prohibiting or placing licensing requirements on specific items.  The term commodities can include software, technology, and intellectual property.

These regulations differ from the export regulations of many nations in that their controls can extend to controlled articles in any nation and to the foreign-based businesses involved in transactions with them.  This extended regulatory reach exists to ensure that controlled articles are not surreptitiously transferred to a third party that would normally be barred from the transaction.

Items subject to the EAR also include products manufactured with controlled U.S.-origin components or software.  Licensing requirements are determined by de minimis calculations of the value of controlled U.S.-origin content in a non-U.S. finished product.

This is done by identifying any controlled components in the bill of materials and calculating the percentage of the product's fair market value that those components represent.  Threshold percentages vary according to the components' classifications.
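The calculation just described, as an added worked example (illustration code written for this page, not CVG Strategy's tool or an official BIS calculator).  It takes a constructed bill of materials, sums the fair market value of the components that are both U.S.-origin and controlled, divides by the fair market value of the finished product, and compares the resulting percentage with a caller-supplied threshold.  The 25% used in the sample is the figure the page quotes for aircraft flying into Russia and is used here only as sample input; the threshold that actually applies depends on the item classification and destination and must be looked up separately.

```python
"""De minimis content calculation over a bill of materials (BOM).

Added illustration for this page; not CVG Strategy's tool and not an
official BIS calculator.  Part names, values and the threshold are
constructed sample inputs.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BomLine:
    part: str          # part identifier (constructed sample value)
    fmv_usd: float     # fair market value of this component, in USD
    us_origin: bool    # component is of U.S. origin
    controlled: bool   # component is controlled for the intended destination


def counted_components(bom: List[BomLine]) -> List[str]:
    """Parts that count toward the de minimis figure: U.S.-origin AND controlled.

    U.S.-origin parts that are not controlled, and controlled parts that are
    not of U.S. origin, are excluded from the numerator.
    """
    return [line.part for line in bom if line.us_origin and line.controlled]


def controlled_us_value(bom: List[BomLine]) -> float:
    """Total fair market value of the components that count (the numerator)."""
    return sum(line.fmv_usd for line in bom if line.us_origin and line.controlled)


def de_minimis_percentage(bom: List[BomLine], product_fmv_usd: float) -> float:
    """Controlled U.S.-origin content as a percentage of the finished product's FMV."""
    if product_fmv_usd <= 0:
        raise ValueError("finished product fair market value must be positive")
    return 100.0 * controlled_us_value(bom) / product_fmv_usd


def exceeds_threshold(bom: List[BomLine], product_fmv_usd: float,
                      threshold_pct: float) -> bool:
    """True when controlled U.S. content is MORE than the threshold percentage.

    The page's wording ("more than 25%") is a strict comparison, so content
    exactly at the threshold does not exceed it.
    """
    return de_minimis_percentage(bom, product_fmv_usd) > threshold_pct


# Constructed sample BOM for a non-U.S. finished product valued at USD 200.
SAMPLE_BOM = [
    BomLine("MCU-A (constructed)", 30.0, us_origin=True, controlled=True),
    BomLine("RF-B (constructed)", 10.0, us_origin=True, controlled=True),
    BomLine("PSU-C (constructed)", 20.0, us_origin=True, controlled=False),   # U.S. but not controlled
    BomLine("CASE-D (constructed)", 15.0, us_origin=False, controlled=True),  # controlled but not U.S.
    BomLine("CHASSIS-E (constructed)", 25.0, us_origin=False, controlled=False),
]
PRODUCT_FMV_USD = 200.0
SAMPLE_THRESHOLD_PCT = 25.0  # sample value only; the real threshold depends on classification/destination


if __name__ == "__main__":
    pct = de_minimis_percentage(SAMPLE_BOM, PRODUCT_FMV_USD)
    print("counted components:", counted_components(SAMPLE_BOM))
    print(f"controlled U.S.-origin content: {pct:.1f}%")
    print("exceeds sample threshold:",
          exceeds_threshold(SAMPLE_BOM, PRODUCT_FMV_USD, SAMPLE_THRESHOLD_PCT))
```

The two exclusion rules in `counted_components` are where real BOM reviews most often go wrong: a U.S.-origin part that is not controlled for the destination, and a controlled part that is not of U.S. origin, both drop out of the numerator, so each line needs both determinations recorded before the percentage is meaningful.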

Controls also restrict the use of advanced manufacturing equipment and software.  This is especially applicable to the manufacture of semiconductor devices.  Controls of this nature have been enacted to restrict the supply of certain items to China, Russia, Belarus, and Iran.  The result of this regulatory extension is that licenses may be required for semiconductor components regardless of where they were manufactured.

BIS Enforcement Actions

Enforcement actions have resulted in major penalties for businesses.  In April of 2023 a 300-million-dollar penalty was imposed on Seagate Technology LLC, and included a five-year suspended Denial Order which, if activated, would terminate the organization’s ability to conduct export business under the EAR.

The BIS has also imposed restrictions on the types of aircraft allowed to fly into Russia if they include more than 25% de minimis amounts of U.S.-origin controlled content.  This includes Airbus planes and affects a large number of airlines serving Russia, including Nordwind, I-Fly, and Meridian Air.

Department of Justice Involvement in U.S. Sanction and Export Regulations

The Department of Justice (DOJ) brings criminal prosecutions against parties involved in willful violations of U.S. sanctions and export regulations.  Recent actions have included the indictment of Latvian nationals and a Latvian company involved in the attempted smuggling of dual-use production machinery.  As a result, fines in excess of $825,000 were levied against the defendants.

Actions were also taken against an Iran-based person and a Chinese national for attempting to obtain controlled microelectronics for UAV production.  The defendants are alleged to have provided false information to U.S. manufacturers concerning the ultimate end users of the devices.

In November of 2023 a guilty plea was entered by Binance Holdings Ltd. (a cryptocurrency exchange) for knowingly having a large number of users from sanctioned regimes.  Penalties for the infractions included a $4.3 billion penalty with additional payments for civil liabilities of $968,618,825.

CVG Strategy Export Compliance Programs

As Developments in Export Administration Regulations illustrate, export compliance is a growing concern for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

CVG Strategy can assist foreign-based businesses in meeting U.S. export requirements by creating a tailored export compliance program.  We can also perform export control classifications, perform audits, assist with export license requirements, and educate your team.  Regardless of whether your exports fall under the EAR or the ITAR, CVG Strategy has the expertise to help.

Disruptive Technology Task Force Enforcement Actions


The Disruptive Technology Task Force was launched in February of 2023 by the Department of Commerce, the Department of Justice, and the Federal Bureau of Investigation in an effort to prevent the unlawful acquisition of advanced technologies by foreign adversaries.  To date this effort has resulted in numerous cases being filed against parties involved in sanctions and export control violations.  These offenses involved the unlawful transfer of sensitive information, articles, and military-grade technology to China, Iran, and Russia.

Disruptive Technology Task Force Cases in 2023

Half of the task force cases in the last year involved the attempted export of controlled semiconductors and microelectronics to Russia.  Many of these included components for guided missile systems, Unmanned Aerial Vehicles (UAVs), and other weaponry, components used in cryptography, and items used in nuclear weapons testing.

Cases involving exports to Russia were brought by the task force in partnership with the interagency law enforcement group Task Force KleptoCapture.  This group is comprised of agencies in the United States and its allies.

Three cases involved individuals attempting to procure controlled technologies for Iran or Iranian end users.  These cases involved items and technologies associated with military products, aerospace, firefighting, UAVs, and materials used for weapons of mass destruction.

In an additional three cases, the task force charged former employees of U.S. companies with stealing proprietary and confidential information.  These cases were all related to attempts to transfer advanced technologies to the People’s Republic of China.  Technologies involved in these cases included missile detection equipment, advanced manufacturing software, and Apple source code.  A fourth case, involving a Belgian national, concerned the export of military-grade accelerometers.

Measures Taken to Enhance Enforcement

A number of partnerships have been formed to further enhance enforcement efforts. 

  • The Disruptive Task Force added the Defense Criminal Investigative Service as a formal partner.
  • It added multi-agency enforcement teams to specific areas in the United States where critical technology industries are present.
  • The Strike Force created a partnership with the Ukrainian Prosecutor General to curb the illegal flow of advanced technology to Russia.
  • The Department of Commerce, Department of Justice, along with leaders from Japan and South Korea established a Disruptive Technology Protection Network to expand information sharing and best enforcement practices.
  • The strike force fostered partnerships with the private sector to engage directly with companies involved in the manufacture and export of controlled items.
  • A Five Eyes export control agreement was formed to address the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts.

A Call to Action for Businesses Involved in Export

The continued vigilance of the Disruptive Technology Strike Force illustrates the Bureau of Industry and Security’s (BIS) commitment to protecting sensitive technologies.  Besides partnering with U.S. enforcement agencies, the Commerce Department has shown a commitment to working with international agencies to protect national security and foreign policy interests.

Enforcement activities have resulted in more severe civil and criminal penalties.  In 2023, these activities resulted in a record number of convictions and denial orders.  Additionally, numerous parties were placed on the Specially Designated Nationals and Blocked Persons List and the Entity List, effectively ending their ability to conduct lawful business.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).   These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR).  While most businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classification, license applications, denied party screening, and security measures are carried out in a way that prevents violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with export control laws can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and disbarment from export activities. 

CVG Strategy can help you understand the Export Administration Regulations and establish a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under the EAR or the ITAR, CVG Strategy has the expertise to help.  Contact us with your export regulation questions.

Lockbit Extortion Operation Interrupted by Operation Cronos


The Lockbit extortion operation was taken down by an international law enforcement effort called “Operation Cronos”.  This action included the participation of the FBI, the UK’s National Crime Agency (NCA), and Europol, among other organizations.

Actions taken include the UK’s National Crime Agency taking control of the ransomware group’s site and the arrest of at least four individuals.  Two individuals were arrested in Poland and Ukraine, and two others had been detained in the U.S.  Two other Russian nationals are still at large.

Operation a Major Blow to Lockbit

The strike included gaining control of the organization’s central infrastructure and the seizure of source code.  The agencies also obtained encryption keys that will help victims decrypt and recover their data.  Europol reported that enforcement efforts had resulted in the takedown of over thirty servers in nine different countries.

History of Cybercriminal Group

Lockbit is a network of cybercriminals that has targeted thousands of organizations in a variety of sectors, including manufacturing, government, energy, financial services, and health care.  To date, Lockbit has hacked into over 2,000 systems and raked in over $120 million in ransom from its victims.

Lockbit has been the most common form of ransomware in the last two years.  The group has run a sophisticated and highly organized Ransomware as a Service (RaaS) operation since 2020.  RaaS platforms offer ransomware products on a subscription or commission basis.

The organization is thought by many experts to have originated in Russia, though the group has claimed no national affiliation and has claimed to be engaged in its activities only for financial gain.  The group operates by recruiting hackers to use Lockbit’s various tactics, techniques, and procedures to compromise major organizations worldwide.

Many victims of the Lockbit extortion operation have been additionally extorted by threats to publish sensitive information.  The resulting ransom payments are usually made in cryptocurrencies, which makes tracing the payments difficult.

Ransomware a Growing Concern

Ransomware is the largest cyberattack threat to industrial organizations in North America.  There has been continuing growth in the number of attacks over the last several years.  While the Lockbit ransomware group has been the leader in this area, a number of other actors such as 8Base, Akira, and Black Basta have been active players.

It is expected that this trend will continue to escalate as these groups use AI in increasingly targeted attacks in conjunction with social engineering and phishing techniques.  Targeted entities tend to be government agencies and large business concerns.  Experts expect increased attacks in the health, education, and energy sectors.

Enforcement Agencies Respond

The Department of Justice, in conjunction with other law enforcement agencies, has been engaged in the infiltration of cybercrime groups.  In the United States, the FBI has been particularly active in these efforts, with successes against the Hive network in 2023.  As with the actions taken against Lockbit, the FBI partnered with law enforcement agencies in other countries.  The Hive infiltration involved ransoms of $130 million and also resulted in the capture of decryption keys, which were made available to victims to retrieve stolen data.

CVG Strategy Cybersecurity 

While the disruption of the Lockbit extortion operation is a promising development, the success of ransomware attacks illustrates the vulnerability of organizational information.  Successful hacks of this sort are often the result of tricking people into opening infected emails or visiting infected sites.

Businesses and government agencies must develop effective data protection strategies.  These strategies should include policies that incorporate risk assessment, training, and management review.  CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification, on time and on budget.

CVG Strategy is also committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

KV Botnet Disrupted by FBI in Infected SOHO Routers


The FBI has disrupted a KV botnet malware infection instigated by Volt Typhoon, a state-sponsored threat actor affiliated with the People’s Republic of China (PRC).  The KV botnet was first identified in December of 2023.  It targeted Cisco and Netgear routers that were no longer supported by manufacturer software updates.  The court-authorized operation, conducted by the Federal Bureau of Investigation (FBI), deleted the KV botnet malware from hundreds of U.S. small business information technology devices.

Botnet Used to Conceal Hacking Activities 

This Volt Typhoon malware enabled China to hide the origins of future malicious activity behind small office/home office (SOHO) routers.  A SOHO router is a broadband device used in small offices and home offices.  It connects a local area network to an internet service.

The botnet, which is part of a larger set of malware targeted at U.S. infrastructure, had been active since February of 2022.  The FBI remotely issued commands to the routers to delete the botnet.  The devices were cleared of the malware and given temporary protection from reinfection.  Devices should be updated with software patches before being rebooted.  These actions were undertaken after informing the owners of the infected router devices.

The operation was extensively tested on routers before being performed on the infected devices.  The action did not affect the performance of the devices or compromise the confidentiality, integrity, or availability of any data on those systems.

U.S. Infrastructure Being Targeted

China is targeting U.S. infrastructure with cyberattacks in a continuing effort to increase its ability to disable critical systems.  These targets include facilities involved with energy, transportation and water purification.  Targeted organizations include a water utility in Hawaii, maritime ports, a Texas power grid, and an oil and gas pipeline.  These efforts are part of a long term strategy that is continuing to develop in scope and sophistication.

The effort is thought to be an attempt to disable U.S. efforts in a potential conflict between the two nations.  China is positioning itself to threaten the physical safety of U.S. citizens.  The FBI stated that the agency will continue to work with partners to disable PRC threats.  Speaking on the incident, Attorney General Merrick B. Garland pointed out that these actions illustrate the importance of partnering with the public and the private sector to enable the dismantling of malicious cyber operations.

Chinese Espionage Affects All Sectors

As developments in the KV botnet story illustrate, China is conducting a global cyber espionage program to disrupt infrastructure and steal trade secrets, intellectual property, and sensitive information from companies in North America, Europe, and Asia. Many organizations that have suffered these data breaches are not even aware that their computer networks have been compromised.

These attacks have exploited a wide array of vulnerabilities.  Often multi-stage infection chains are used to avoid detection. Other attacks have involved more standard forms of malicious software including spear-phishing emails.

While China is not the sole nation to threaten U.S. interests with cyberattacks, its activities have, unlike others, focused on economic espionage and intellectual property theft. Clearly China intends to be a dominant economic global force by any and all means available. U.S. businesses therefore must engage in effective strategies to protect their interests and remain vigilant.

CVG Strategy Information Security Management System Consultants

An increasing number of businesses are finding that they are required to meet challenging information security levels in order to conduct business with governmental agencies.  To assist businesses in meeting the challenges of adopting a variety of NIST and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes, and much more.

Developments in Export Administration Regulations for 2024


As 2024 begins, it will be interesting to see how developments in the Export Administration Regulations (EAR) unfold.  The previous year saw a tightening of export controls, increased enforcement activity, increased penalties, and cooperation of the Bureau of Industry and Security (BIS) with enforcement agencies in the United States and abroad.

What are Export Administration Regulations?

The Export Administration Regulations (EAR) regulate the export of commodities by prohibiting or placing licensing requirements on specific items.  The term commodities can include software, technology, and intellectual property.  The specific regulations of the EAR can be found in 15 CFR §730.

The EAR are administered by the Department of Commerce and enforced by the Bureau of Industry and Security (BIS).  Items controlled under the EAR are listed in the Commerce Control List (CCL), and identified by a unique Export Control Classification Number (ECCN).  Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item. 

Important Developments in 2023

Disruptive Task Force

Early in 2023 the Department of Commerce initiated the Disruptive Technology Strike Force which partnered the Bureau of Industry and Security (BIS) with the Department of Justice (DoJ) in the enforcement of the Export Administration Regulations (EAR).  These actions were focused on the export of semiconductors and technologies related to the manufacture of these devices.

Civil Space Industrial Base Assessments

The Bureau of Industry and Security (BIS) conducted an assessment of the civil space industrial base in the United States to better understand this important supply chain network. This study collected data from U.S. organizations involved in the research, design, and manufacture of space related products and services.  The study involved research centers, commercial entities, universities, and laboratories.

BIS Enhancing Enforcement and Prosecution

The BIS changed the scope of its enforcement policies to address the increased complexity of the international political arena.  To more effectively enforce the EAR, BIS increased its focus on the use of sanctions and denied parties lists to protect sensitive technologies. Enforcement actions in 2023 resulted in a record number of convictions and denial orders.

To enhance its international enforcement capability, a Five Eyes export control agreement was completed to address the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts.

Focus on China

BIS placed numerous restrictions on exports of technologies to the PRC to limit China’s ability to enhance its military capabilities through its Military Commercial Fusion strategy.  This strategy aims to aggressively advance China’s military objectives by eliminating the barriers between the nation’s civil and military research and commercial sectors.

This effectively renders an export of technical items to commercial entities in China an export to the People’s Liberation Army (PLA).  Key technologies targeted by China include quantum computing, semiconductors, advanced nuclear technology, 5G, aerospace technology, and AI.  Responses from the U.S. in 2023 included the National Security Guardrails for CHIPS to enhance the international semiconductor supply chain.

Criticisms of BIS Ability to Mitigate Chinese Threats

A 2023 report from the U.S. House of Representatives stressed the importance of Bureau of Industry and Security (BIS) export controls in mitigating economic and national security threats from China.  The bipartisan report stressed that China is using its military, economic strength, and technological base to further an agenda of global domination.  It further advocated for modernization at the Department of Commerce’s BIS to reverse the trend of promoting short-term profit in the technology sector at the expense of U.S. technological leadership.

The bipartisan report stressed that the U.S. can no longer depend on a reactive export control bureaucracy, but must develop controls that preemptively safeguard against technology transfers that may threaten national and economic security. This will require the licensing bureaucracy governing the Export Administration Regulations (EAR) to move away from its post-Cold War mentality.

Moving Forward

As 2024 opens, developments in the Export Administration Regulations are already underway.  The BIS has announced that more stringent penalties will be levied against companies violating export regulations.

The agency has also announced further enhancements to its Voluntary Self-Disclosure policies to ease the resolution of minor infractions.  This will allow the agency to allocate more resources to the investigation and prosecution of serious violations.

A recent congressional hearing on Protecting Emerging Technologies for Peace and Stability in the Indo-Pacific addressed the further need to protect these technologies from being obtained by China.  Witnesses at this hearing were representatives from the Bureau of Cyberspace and Digital Policy, the Bureau of International Security and Nonproliferation, and Thea Kendler from the BIS.

The takeaway from this congressional hearing was that technological supply chain diversification is essential and that important technologies, and the investments made in their development, must not be allowed to fall into the hands of China’s military.


China is Targeting U.S. Infrastructure with Cyberattacks


The Washington Post reported that China is targeting U.S. infrastructure with cyberattacks in a continuing effort to increase its ability to disable critical systems.  The Cybersecurity and Infrastructure Security Agency (CISA) first announced these attacks in May of 2023.  CISA identified the source as Volt Typhoon, a state-sponsored hacking group affiliated with China.

Chinese Military Targets in the U.S.

The People’s Liberation Army is targeting power grids, water utilities, and transportation networks in the United States.  Chinese hackers have penetrated over twenty computer systems in strategic entities in the last year in an effort to compromise the ability of the U.S. to respond in the event of a conflict with China.

Organizations affected include a water utility in Hawaii, maritime ports, a Texas power grid, and an oil and gas pipeline.  These efforts are part of a long-term strategy that is continuing to develop in scope and sophistication.


Mitigating Cyber-Attacks

The National Security Agency (NSA) has issued some basic guidance for mitigating the threats to targeted critical infrastructure.  These include the use of robust multifactor authentication, enforcing password protocols, updating software and operating systems, and educating personnel against phishing scams.  While these measures may seem basic in nature, the reality is that many organizations, both public and private, have insufficient information security management programs.
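The NSA guidance above, together with the earlier KV botnet passage (the botnet lived on routers that no longer received vendor updates, and devices should be patched before they are rebooted), can be turned into a repeatable inventory check.  The following is an added example written for this page, not code from CVG Strategy, the NSA, or the FBI.  The device names, models, end-of-support dates, and patch dates are constructed, and the 90-day patch-age limit is an assumed policy value, not a figure from the page.

```python
"""Inventory check for edge devices against basic hygiene controls.

Added illustration for this page.  Flags devices that are past vendor
support, overdue for patching, lack MFA on the management interface, or
still use default credentials.  All inventory data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    vendor: str
    model: str                       # constructed placeholder, not a real model number
    end_of_support: Optional[date]   # vendor end-of-support date; None if still supported
    last_patched: Optional[date]     # when the running firmware was installed; None if unknown
    admin_mfa: bool                  # MFA enforced on the management interface
    default_password: bool           # factory/default credentials still in place


def assess_device(dev: NetworkDevice, today: date,
                  max_patch_age_days: int = 90) -> List[str]:
    """Return the list of findings for one device (empty list = no findings)."""
    findings: List[str] = []
    if dev.end_of_support is not None and dev.end_of_support <= today:
        # No vendor patches will ever arrive: the device must be replaced,
        # not merely cleaned and rebooted.
        findings.append("END_OF_SUPPORT")
    if dev.last_patched is None or (today - dev.last_patched).days > max_patch_age_days:
        # Unknown or stale firmware: patch before any cleanup/reboot step.
        findings.append("PATCH_OVERDUE")
    if not dev.admin_mfa:
        findings.append("NO_ADMIN_MFA")
    if dev.default_password:
        findings.append("DEFAULT_PASSWORD")
    return findings


def assess_inventory(devices: List[NetworkDevice], today: date,
                     max_patch_age_days: int = 90) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: assess_device(d, today, max_patch_age_days) for d in devices}


def devices_needing_replacement(report: Dict[str, List[str]]) -> List[str]:
    """Devices that cannot be brought into compliance by patching alone."""
    return sorted(name for name, findings in report.items() if "END_OF_SUPPORT" in findings)


# Constructed sample inventory; dates and models are not real vendor data.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_INVENTORY = [
    NetworkDevice("branch-rtr-01", "Cisco", "model-A (constructed)",
                  end_of_support=date(2021, 1, 1), last_patched=date(2020, 6, 15),
                  admin_mfa=False, default_password=True),
    NetworkDevice("home-rtr-07", "Netgear", "model-B (constructed)",
                  end_of_support=None, last_patched=date(2024, 1, 10),
                  admin_mfa=True, default_password=False),
    NetworkDevice("office-fw-02", "vendor-C (constructed)", "model-C (constructed)",
                  end_of_support=date(2026, 1, 1), last_patched=date(2023, 9, 1),
                  admin_mfa=True, default_password=False),
]


if __name__ == "__main__":
    report = assess_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY)
    for name, findings in report.items():
        print(f"{name}: {', '.join(findings) if findings else 'OK'}")
    print("replace:", devices_needing_replacement(report))
```

The ordering of the checks matters in practice: an end-of-support finding makes the patch finding moot for that device, which is why `devices_needing_replacement` is reported separately from the devices that just need a firmware update and an MFA change.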

Organizations in the private sector have begun to realize the enormous threat that cyberattacks pose. Their responses, however, have been slow, and the levels of cybersecurity maturity attained thus far are leaving proprietary and sensitive data vulnerable. While numerous advances in IT tools are available to assist organizations in their fight against cyberattacks, organizations also require management tools to evaluate risks, implement plans, and coordinate control mechanisms.

China is targeting U.S. infrastructure as well as key industries in the private sector.  For many small to medium businesses, a severe data breach could spell the end of their enterprises. Their challenges are compounded by the need to share data with suppliers, customers, and other third parties.

Clearly, the path forward is not likely to get easier for those involved in the protection of data. It is therefore the duty of all organizations to assume responsibility for their best interests and shape their entities to protect their futures.


Identify Areas With CUI with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.

BIS Export Controls and China


A 2023 report from the U.S. House of Representatives stressed the importance of Bureau of Industry and Security (BIS) export controls in mitigating economic and national security threats from China.  The bipartisan report stressed that China is using its military and economic strength and its technological base to further an agenda of global domination.  It further advocated for modernization at the Department of Commerce’s BIS to reverse the trend of promoting short-term profit in the technology sector at the expense of U.S. technological leadership.

Concern for Emerging Technologies

Dual-use emerging technologies have both commercial and military uses.  These wide-ranging technologies include Artificial Intelligence (AI) and quantum computing.  According to assessments made by the United States intelligence community, China is continuing to take the lead in these technologies.  This lead is, more often than not, achieved through access to technologies developed in the U.S.  The report stresses that the U.S. must invest in innovation while ensuring that export control laws effectively deny China access to these innovations.

The bipartisan report stressed that the U.S. can no longer depend on a reactive export control bureaucracy, but must develop controls that preemptively safeguard against technology transfers that may threaten national and economic security.  This will require the licensing bureaucracy governing the Export Administration Regulations (EAR) to move away from its post-Cold War mentality.

The Growing Threat Posed by China

Recent military actions, along with a history of violations of international agreements and ongoing human rights violations in Xinjiang, illustrate the growing threat China poses to international security and stability.  It is important to understand the direct link between any PRC commercial entity and the People’s Liberation Army (PLA).

It is estimated that China steals up to $600 billion of U.S. intellectual property.  Dual-use technologies acquired by these companies can and will be used, when applicable, for the development of weapons of mass destruction.  During the last decade General Secretary Xi has developed legal and regulatory mechanisms that require partners to transfer private sector technology to the Chinese government.

This can create scenarios where recipients of U.S. technologies, while required by U.S. law not to allow access to sensitive technologies, may be forced under China’s laws to share these technologies with the Chinese military.  It is important, therefore, that export agencies adopt a presumption that exported items will not be used for the purposes stated in licensing agreements.

Specific Failures of Export Controls

Instances were given where export controls failed to proactively prevent the transfer of critical technologies to the PRC’s development of hypersonic weapons.  In one such case a Chinese company was placed on the BIS Entity List only after an exposé was published by the Washington Post.  The agency also failed to prevent the export of Intel and Nvidia semiconductor devices to a Chinese nuclear weapons lab.

Additionally, the agency has been reluctant to preemptively identify emerging and foundational technologies and their licensing requirements in an effort to combat the CCP’s Military-Civil Fusion (MCF) strategy.  The report did not indicate that these failures were due to a lack of resources.  Instead, these failures have been linked to a failure of the BIS to reconcile its mission to protect national security with its objectives for promoting exports.  The report called for a major reformation of the BIS’s organizational structure and policies to remedy these deficiencies.

Recommendations to Enhance National Security Priorities of BIS Export Controls

The U.S. House of Representatives’ Foreign Affairs Committee (House Committee) report outlined several recommendations to improve the performance of the BIS on national security issues.  These included:

  1. Doing away with strict Operating Committee timelines for escalation of licensing to the Advisory Committee on Export Policy (ACEP) and Export Advisory Review Board (EARB) to allow sufficient time for necessary analysis.
  2. Instituting a majority vote system in the Operating Committee for all licenses it reviews.
  3. Mandating that the BIS be required to refer license applications to other appropriate agencies.
  4. Imposition of a “policy of denial” of all national security controlled items to China.
  5. Review of EAR99 technologies and control or re-control items on the Commerce Control List.
  6. Application of a presumption of denial for all companies on the Entity List.  This denial should be clearly stated in the EAR.
  7. The Entity List should reflect the scope of military end-users that may pose threats to national security or foreign policy interests.
  8. Standardize the agency’s definition of Military End User (MEU).
  9. Enhancing international agreements for harmonizing legal and regulatory requirements.
  10. Legislation of new standards for criminal prosecutions.
  11. Having the DoC renegotiate its end-use agreement with China or impose increased export restrictions on that country.
  12. Requiring the BIS to regularly report information required for basic oversight.
  13. Reformation of National Security Directive 189 to provide adequate controls for fundamental research.
  14. Allowing BIS to charge fees on certain licenses to provide resources for the agency.
  15. Updating definitions to close loopholes that allow China access to standard-setting bodies.

CVG Strategy Export Compliance Management Programs

Given the focus placed on BIS export controls, it can be expected that further changes will be made to the Export Administration Regulations and that heightened attention will be placed on license requirements.  This places further responsibilities on organizations involved in export to maintain effective export compliance programs.

Export Compliance Programs are required by law under both the EAR, administered by the BIS, and the International Traffic in Arms Regulations (ITAR).  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

DHS Cybersecurity Assessment Criteria Announced


DHS cybersecurity assessment criteria have been released that will set the bar for businesses seeking contract awards from the agency.  The U.S. Department of Homeland Security has released this information to ensure that appropriate levels of “cyber readiness” are in place at its vendors.  The DHS plan, released by Chief Information Security Officer Kenneth Bible, is being provided to its supply chain to facilitate feedback from industry business leaders prior to the final roll out of the program.

Cybersecurity Readiness Factor Program

The Cybersecurity Readiness Factor program chosen by DHS differs from the Cybersecurity Maturity Model Certification (CMMC) program approach embraced by the Department of Defense (DoD) in that it strives to create a more economically feasible solution for small businesses.  Instead of requiring a certification process, the DHS is planning to use statistical analysis of questionnaire responses to determine contractors’ ability to protect Controlled Unclassified Information (CUI).  These questionnaires will query organizations on their ability to meet the security requirements of NIST SP 800-171r2 and NIST SP 800-172.

NIST SP 800-172 Enhanced Requirements

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information is a supplement to SP 800-171 that contains recommended security enhancements for the protection of CUI that specifically address the entire Confidentiality, Integrity, Availability (CIA) triad.  While SP 800-171 focuses on confidentiality, SP 800-172 adds security controls for data integrity and availability to help achieve cyber resiliency and survivability. This is achieved by detailing controls for penetration-resistant architectures and damage-limiting operations.

The standard describes the approaches used in the development of the enhanced security requirements.  It then describes in detail the 14 families of security requirements.  Supporting information is supplied in appendices including mapping tables and references.  The figure below illustrates the relationships between NIST SP 800-171 and NIST SP 800-172.

Figure: NIST SP 800-172 (relationship between NIST SP 800-171 and NIST SP 800-172)

DHS Criteria for Assessment

The proposed criteria for DHS assessments will rate businesses on perceived levels of readiness to protect CUI based on the numbers and types of security requirements in place.  Levels of compliance are categorized as fully satisfied, partially satisfied, or not satisfied.  Statistical analysis then provides three categories of likelihood of compliance:

  • High Likelihood of Cybersecurity Readiness – The organization has implemented and understands the required technical controls for the protection of CUI.
  • Likelihood of Cybersecurity Readiness – Organizations in this category are found to be between the fifteenth percentile and mean of DHS contractors engaged in the handling of CUI.
  • Low Likelihood of Cybersecurity Readiness –  This category comprises businesses in the lower fifteenth percentile of DHS contractors engaged in the handling of CUI.

Use of the Assessments at Present

The Cybersecurity Readiness Factor will be provided to the DHS Contracting Officer (CO) to aid the Source Selection Official in assessing contractor readiness.  Because this methodology is comparative in nature, there are no strict pass/fail criteria and no offerors will be excluded from award eligibility.  As such, the evaluation will be used to conduct a best value tradeoff in decisions to award contracts.  There may, however, be requirements for submittal of a Plan of Action and Milestones (PoAM) after receiving contracts if the DHS has information security concerns.

Conclusions

Cybersecurity requirements for businesses involved with contracts with the federal government are going to continue to evolve.  While clearly the need to protect information is more important than ever, requirements can and do put smaller businesses out of the game.  This latest effort to reduce cost through the elimination of certification requirements is an interesting development, but the costs associated with effectively implementing cybersecurity controls are still high.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of the DHS Cybersecurity Assessment criteria, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy also provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

Export Control Classifications & Due Diligence


Performance of export control classifications is a requirement for businesses conducting sales of products and services, even if the sale is conducted within the United States, because the customer may be a non-U.S. person.  Classification of products provides a determination that a proposed transaction is allowed under federal regulations, is prohibited, or requires licensing or other such authorizations.

Performance of Due Diligence

It is ultimately the responsibility of the exporter to be aware of, and remain in compliance with, the regulations governing all export transactions.  A classification should therefore be performed even if the exporter is distributing a product not created by the company.  While referencing the manufacturer’s classification is a good starting point, the exporter should perform their own classification to ensure that the classification is correct and reflects current regulations.

Sequence of Operation in Product Classification

When classifying a product or service it is often advisable to obtain insight from someone with specific technical expertise.  

ITAR

When performing a classification, the first step is to determine if the product, service, or technical information falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR).  The ITAR are regulations stipulated by the U.S. Department of State and administered by the Directorate of Defense Trade Controls (DDTC).  Defense articles controlled under the ITAR are enumerated in the United States Munitions List (USML).

EAR

Export Administration Regulations (EAR) control the export of commodities as described in 15 CFR §730.  The EAR are administered and enforced by the Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce.  These regulations are in place to advance the national security and foreign policy objectives of the United States Government.  Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN).

Next Steps

If a classification has been found, there will often be an associated classification for the technical data for that item.  This classification should also be performed.  If no classification has been found, the item is classified as EAR99.  All classifications should be approved by the organization’s Export Control Officer.

CVG Strategy Export Compliance Management Programs

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. 

National Security Guardrails for CHIPS


The National Security Guardrails for CHIPS have been established by the U.S. Department of Commerce in an effort to prevent semiconductor manufacturing subsidies from being diverted into nations considered to be national security threats.  The CHIPS and Science Act, originally published in March of 2023, is an incentive to enhance global supply chain resilience.

Secretary of Commerce Gina Raimondo stated that CHIPS for America is intended to be a national security initiative and that it was important to ensure that funds allocated do not undermine that security.  She went on to say that the U.S. would continue to work with our allies and partners in the expansion of semiconductor manufacturing to strengthen global supply chains and build a collective security.

Specific Provisions for CHIPS Recipients

The guardrails to strengthen national security include the following:

  • It is prohibited to use funds from the CHIPS program to construct, modify, or improve a semiconductor facility outside of the U.S.
  • Recipients of funds cannot invest in foreign semiconductor manufacturing for a period of ten years from receiving funds from the program
  • Limitations on specified joint research or technology licensing with foreign entities.  These limitations restrict transactions with entities owned or controlled by countries of concern, as identified by the Bureau of Industry and Security’s (BIS) Entity List or by the Treasury Department’s Chinese Military-Industrial Complex Companies List (NS-CMIC).
  • Empowers the Department of Commerce to withdraw funds from parties that violate these provisions.

This final rule includes the addition of cleanroom or other physical space as manufacturing capacity and limits any expansion of a foreign facility’s production capacity to five percent.  It also establishes a process for notifying the Department of any plans to expand manufacture of legacy chips (also known as mature node chips) in foreign countries that could raise national security concerns.

The statute also classifies a list of semiconductors as critical to national security and places higher restrictions on them.  This includes chips used for quantum computing, devices capable of operating in environments with high levels of radiation, and any semiconductors deemed critical to U.S. national security needs.

CVG Strategy Export Compliance Management Programs

Managing an Export Compliance Program is an important subject for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

Lawsuit Filed Against Penn State for Cybersecurity Claims


A lawsuit filed against Penn State University by the U.S. Department of Justice illustrates the challenges the government faces in instituting effective protection of data.  The suit, filed under the False Claims Act (FCA), alleges that the university misrepresented its adherence to the cybersecurity protocols required in the handling of Controlled Unclassified Information (CUI).

Specifically, the U.S. Government contends that the university presented false evidence of compliance with Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, DFARS 252.204-7019, and NIST 800-171 in its submissions to the Department of Defense’s Supplier Performance Risk System (SPRS).  The lawsuit further alleges that internal complaints made to upper management at Penn State were repeatedly ignored.

U.S. Government Requirements for Data Protection

The Department of Defense (DoD) has implemented, under executive orders, cybersecurity requirements for organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  Under these DFARS clauses, contractors are required to implement specific cybersecurity controls.  These include the encryption of sensitive data, restricting access to sensitive systems, and conducting risk assessments.

  • As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release.  This information is generally created in the development of a contract for a product or service. 
  • CUI, as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation.  The CUI definition does not include classified information.  It would therefore include unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

At a minimum, current security requirements include the implementation of NIST 800-171 as a condition of receiving a Department of Defense (“DoD”) contract. All contractors must carry out a Basic Assessment of NIST 800-171 and submit their score to the DoD.  While there is no official audit procedure to determine compliance, contractors must conduct a self-assessment and make an attestation to their compliance.

CMMC Requirements

The Federal Government has outlined further requirements for contractors under Cybersecurity Maturity Model Certification (CMMC) 2.0.  CMMC 2.0 has three different levels of CMMC compliance.  While Level 3 compliance is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization is using, Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Level Requirements

  • Level 1 (Foundational) applies to organizations that deal solely with FCI.  Level 1 requirements for cybersecurity are based on requirements detailed in FAR 52.204-21.  These 17 controls protect contractor information systems by limiting their access to authorized users.
  • Level 2 (Advanced) applies to organizations that work with CUI.  Level 2 requirements include the 14 families and 110 controls contained in NIST 800-171.
  • Level 3 (Expert) applies to organizations working on high priority projects critical to U.S. national security.  Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced.  These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs). 

CVG Strategy Cybersecurity 

As the lawsuit filed against Penn State shows, the U.S. government is serious about the protection of CUI.  CVG Strategy information security consulting services help organizations develop comprehensive programs to meet U.S. government cybersecurity requirements.  We can assist in establishing customized programs to address:

  • NIST 800-171
  • CMMC 2.0
  • NIST 800-161
  • NIST 800-53

We can also provide training to make your entire team aware of cyber threats and keep them informed on best practices and the specific policies of your organization.  Additionally, we can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

CVG Strategy is committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.