Kevin Gholston, Author at CVG Strategy

Voluntary Self-Disclosure Policy Updates

August 1, 2023July 28, 2023 by Kevin Gholston

Voluntary Self-Disclosure policy updates were issued jointly by the Department of Commerce, Department of Treasury, and the Department of Justice. Under the moniker of Tri-Seal, the three agencies provided information about the self-disclosure process for violations of sanctions, export regulations, and other national security laws.

These three agencies have been increasingly coordinating efforts to prevent sensitive U.S. technologies and goods from being acquired from U.S. adversaries and to prevent abuses of the financial system by sanctioned parties. This announcement further details a memorandum previously released by the Bureau of Industry and Security (BIS) in May of 2023,

Defining a Voluntary Self-Disclosure

A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of U.S. regulations have occurred. It is the responsibility of the organization to report such findings in a timely and transparent manner to the appropriate federal agency. The three major sets of U.S. regulations for export compliance are, the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).

Increased Regulatory and Enforcement Activity

There has been increased activity from the BIS, which enforces the EAR, and OFAC in terms of increased regulations and enforcement activity in recent years. These actions have been in response to developments in the international arena in an effort to protect U.S. foreign policy and national security interests. This continuing change in regulations and sanctions lists increases the likelihood of a business involved in export to inadvertently transfer controlled goods or information to a restricted country, person, or entity.

Summary of Comments

Department of Justice’s National Security Division (NSD)

The NSD restated its updated policy to incentivize organizations to promptly disclose potential violations of U.S. sanctions or export regulations. In cases where organizations do perform a disclosure, the NSD will generally not pursue prosecution and the company will not need to pay a fine. This NSD policy also applies to other corporate criminal matters such as enforcement of the Foreign Agents Registration Act, laws prohibiting support to terrorists.

Bureau of Industry and Security

The BIS encourages voluntary disclosures of potential violations of the EAR. When these disclosures are conducted in a timely and comprehensive manner with full cooperation, the BIS will substantially reduce civil penalties. This includes cases where controlled items, technology, have been transferred or transactions that have involved boycott violations.

The BIS had formerly announced a dual-track system whereby minor or technical infractions are processed within 60 days of final submission. This would include an issuance of a warning or a no-action letter from the Office of Export Enforcement (OEE).

The agency considers a deliberate nondisclosure an aggravating factor when determining severity of penalties. Furthermore, organizations cannot engage in self-blinding behavior in cases where violations may have occurred. Additionally, the BIS considers the existence of an adequate and engaged export compliance program a factor in case settlements.

Department of Treasury’s Office of Foreign Assets Controls (OFAC)

The OFAC considers a voluntary self-disclosure to be a mitigating factor in the determination of enforcement actions. In cases involving civil monetary fines, a properly performed VSD can result in significant reduction of fines. As with the BIS these disclosures must be self-initiated and not include false or misleading information.

CVG Strategy Export Compliance Management Programs

As these Voluntary Self-Disclosure policy updates illustrate, the federal government is accelerating its regulatory and enforcement activities. It is essential that businesses involved with export have effective compliance programs in place that can conduct internal investigations, and, if required timely and appropriately remediate deficient processes.

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Five Eyes Export Control Agreement

July 25, 2023 by Kevin Gholston

A Five Eyes export control agreement seeks to enhance the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts. Matthew S. Axelrod, Assistant Secretary of Commerce for Export Enforcement, stated that this will result in detentions, public identification, and penalties for actors who evade export controls.

This joint effort will serve to minimize gaps in export compliance investigations and enforcement. It will also leverage enforcement resources to expand the participating nations’ enforcement capacity. Additionally, these nations will engage members in private industry sectors to mitigate export diversions.

The restriction of technologies that could be used for the proliferation of weapons by Russia against the Ukraine were specifically mentioned by Axelrod in his comments, though recent comments have also been focused on China.

Continuing Efforts by the Bureau of Industry and Security

These international efforts coordinate with recent efforts by the Bureau of Industry and Security (BIS) to enforce the Export Administration Regulations (EAR). These regulations from the Department of Commerce, have in recent years sought to further secure technologies that are being sought by Russia and China through illicit procurement methods.

This is not the first mention of international coordination by the United States. The U.S. has worked with Japan recently in efforts to mitigate circumvention and evasion of sanctions leveled against Russia. Actions by the Office of Foreign Assets Control (OFAC) have recently engaged international partners to enforce sanctions and prosecute money laundering operations.

Aside from international efforts, U.S. agencies involved in export compliance have joined forces to combat illicit export of sensitive technologies. These efforts are combining the capabilities of the Department of Justice, the FBI, and Homeland Security Investigations into the Disruptive Technology Strike Force.

The History of Five Eyes

Early beginnings of this alliance can be traced to cooperative efforts between code breakers of the United States and the United Kingdom during World War II in 1941. This took place at Bletchley Park and preceded official U.S. involvement in the conflict.

Five Eyes was formalized after the war and shifted its efforts in response to cold war threats posed by the Soviet Union and China. The agreement was later signed by Canada, Australia, and New Zealand. This agreement, though in effect for decades, was not made known to the public until 2010.

As the cold war receded with the fall of the Soviet Union, the alliance continued to be repurposed to support international security concerns. During the 1990’s, participating agencies focused their efforts on the “war on terror”. Their efforts have continued in the fields of signals intelligence, defense intelligence, and human intelligence.

There is a great deal of controversy surrounding Five Eyes over its methods, as it monitors worldwide communications, even on its own citizens. It remains, however, to be an extremely powerful espionage alliance.

A Five Eyes working group was hosted by the Canada Border Services Agencey to focus on controls and sanctions in June of 2023. These discussions focused on the integration of methods for export compliance integration between the participating countries.

Increased Risks for Businesses Exporting Controlled Technologies

The Five Eyes export control agreement, while furthering the national security interests of the involved nations, creates additional risks for businesses involved in the export of controlled technologies that may unintentionally export goods to restricted parties. This applies to export by means of an exchange of information or actual shipment to foreign nationals.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Programs (ECP). These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR). While businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation. They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

DoD is Addressing Foreign Influence in Academia

July 18, 2023July 14, 2023 by Kevin Gholston

The Department of Defense (DoD) is addressing foreign influence in academia with the publication a foreign entities list that includes threats to U.S. national security. This was announced in an address from Heidi Shyu, Under Secretary of Defense for Research and Engineering (USD R&E).

By adding this requirement for screening of potential partners, the Pentagon is attempting to ensure money is not going to projects that involve one of the blacklisted entities that harvest U.S. technology secrets or have relationships with intelligence organizations in the Peoples Republic of China and Russia.

The release of this list was a requirement under the 2019 Defense Authorization Act. This action was specifically undertaken to ensure that research and development initiatives funded by the DoD remain secure and that information gained is not stolen by foreign governments. The DoD is encouraging academic institutions, the research community, and industry partners to remain vigilant and exercise caution when selecting research partners.

Entity List Part of a Continuing Effort

This latest effort by the DoD is part of a continuing to protect the integrity of science and technology research. In June of 2023 Shyu signed in a policy that directs research enterprises engaged in DoD research projects to evaluate potential financial conflicts of interest or commitments.

Additionally, the National Science Foundation’s (NSF) has released list of documents that outline procedures for risk assessments for preventing the misappropriation of research and development efforts. These actions set disclosure requirements for participants in federally funded research, to reveal potential conflicts of interest or commitment. They also provide “clear messaging” about what constitutes acceptable behavior with regard to foreign interests.

In December of 2020, the Government Accountability Office (GAO) released a report calling for enhanced policies for addressing foreign influence in federal research. It sought to find means for combat undue foreign influence while maintaining an open research environment.

U.S. federal agencies have thwarted numerous attempts by China to steal U.S. defense sector technologies. Recent enforcement activities as reported by Military Times, included the indictment of Chinese nationals who were involved in a campaign to turn U.S. citizens into spies. These individuals are part of an entity defined in this released list.

Addressing Soft Power Espionage

The federal government is also addressing indirect espionage by Trojan Horse institutions that encourage research organizations to disclose sensitive information. The Confucius Institutes is such an organization in that it attempts to attain information by convincing professors and students that China does not pose a threat and can benefit their research initiatives.

Confucius Institutes have been sponsored by the Chinese government since 2004 in universities around the world in an effort to carry out a number of propaganda objectives. While many have closed as a consequence of governmental actions, they have often later reappeared under various titles.

Complexities Involved in Maintaining Compliance

Universities and research laboratories face numerous regulatory boundaries with regard to export controls on information. However, additional compliance requirements are invoked by the Department of Defense. These requirements may vary across departments or agencies within the DoD. As such these institutions should exercise due diligence with regard to the risks involved in any research activities.

CVG Strategy Export Compliance Management Programs

The DoD is addressing foreign influence in academia to protect U.S. national and economic interests. These threats are present in all sectors including developers of defense items and items with dual-use capabilities. It is the responsibility of all organizations involved in export or deemed exports to seriously consider export compliance requirements.

If you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements. As the BIS place controls on a growing number of technologies it becomes increasing difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.

CVG Strategy, LLC is recognized the world over as the premier provider of Export Compliance Consulting and Export Compliance Programs for businesses involved in export in the U.S. and Canada. We also provide the essential training that ensures that your team is up to date on governmental regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), the Canadian Controlled Goods Program, and Office of Foreign Asset Controls (OFAC) and other regulatory agencies and more.

DOJ Stressed Export Compliance Diligence

July 5, 2023 by Kevin Gholston

During a recent address at the Ethics and Compliance Initiative Impact Conference, Marshall Miller, the Principal Associate Deputy Attorney General at the Department of Justice (DOJ), stressed Export Compliance diligence in ensuring compliance with export regulations. He further stated that as the agency continues enforcement efforts connected to United States national security investigations that they are increasingly encountering corporate crime.

These crimes have varied from money laundering to sanction violations and even involvement in terrorist organizations. Corporations involved in these acts have included companies involved in construction, agriculture, telecommunications sectors, and financial institutions. Many were established, publicly traded entities such as LaFarge who was penalized $750 million for funneling monies to terrorist groups such as ISIS.

DOJ Increasing its Enforcement of Export Activity

The DOJ has dramatically increased its export control and sanctions enforcement activities. Previously the agency had minimal association with export, mostly centered around sanction enforcements. In February, however, the Disruptive Technology Strike Force was formed as a multi-agency initiative to target illicit export of sensitive technologies. Agencies included in this enforcement effort will include the Department of Commerce, the FBI, and Homeland Security Investigations (HFI).

In enacting this law enforcement, U.S. agencies will use use advanced data analytics, and enhanced intelligence to coordinate actions. They will be furthering coordination between agencies in the Intelligence Community and enhancing partnerships in the private sector. Additionally, the agency added over two dozen new prosecutors to the DOJ’s Nation Security Division to focus on corporate crime.

The department is also issuing joint advisories with the departments of Treasury and Commerce and SEC to inform the private sector about evolving national security concerns. Given the current state of global affairs, it can be expected that these updates should be frequent.

What Compliance Managers Can Expect

In the current global landscape, private sector businesses are at the forefront of facing the geopolitical and national security hurdles. Export Administration Regulations, sanctions, and other regulations are rapidly changing. This has placed a dynamic and increasingly complex load on companies that are serious about compliance.

Marshall Miller and the Assistant Attorney General have repeatedly iterated how the DOJ will approach enforcement of export controls and sanction violations. The department has upgraded and standardized its approach to organizations that voluntarily self-disclose. The Criminal Division’s Voluntary Self-Disclosure Policy incentivizes companies to disclose misconduct uncovered during program audits and due diligence. The Criminal Division often declines enforcement actions against companies that promptly self-disclose violations, cooperate with the department, and engage in remediation policies.

Another area that has received a substantial overhaul pertains to companies with good export compliance programs acquiring companies with less than exemplary histories of conduct. Companies that conduct proper pre-acquisition investigations will be less likely to face penalties if problems later arise.

Concluding Remarks

In his closing remarks, Marshall Miller stated that, businesses that maintain effective compliance programs, protect our nation from security risks and protect their clients. He also stated that the Department of Justice will continue to conduct robust enforcement with predictability, uniformity, and transparency so as to incentivize businesses to cooperate with them.

CVG Strategy Export Compliance Management Programs

Recent comments of the DOJ stressed Export Compliance programs should place regulations that involve national security high in their risk assessments. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply with rapidly evolving regulations.

EAR Export Compliance Program Requirements

June 29, 2023 by Kevin Gholston

EAR Export Administration Regulations Requirements

Recent enforcement activities by the Bureau of Industry and Security (BIS) illustrate the importance of having a viable Export Administration Regulations (EAR) Export Compliance Program. These events including a 300-million-dollar penalty imposed on Seagate Technology earlier this year, are as Assistant Secretary for Export Enforcement Matthew Axelrod described, “a clarion call” for businesses to comply with BIS export laws.

Export Administration Regulations (EAR) control the export of commodities enumerated as described in15 CFR §730. The EAR are administered and enforced by the Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce. These regulations are in place to advance the national security and foreign policy objectives of the United States Government.

Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN). Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item.

Elements of an Export Compliance Program

Export compliance programs must have processes in place to identify, prevent, and mitigate export regulation violations. These programs should include the following components in a manner that is coordinated with a cohesive management system.

Management

An effective export compliance must have commitment from top management as reflected in an official policy statement. This statement should include statements that no sale or transfer of controlled items will occur and identify persons to contact if potential violations or compliance questions arise. Management must also provide adequate resources for the compliance program and develop a company culture of compliance through example and training.

Risk Assessment

Processes should be in place to assess risks associated with:

- Exporting a controlled item without a required export license
- A deemed export caused by the unauthorized release of sensitive information or controlled technologies
- Servicing of items outside of the United States

Organizational Operations

Programs should have clearly defined roles with sufficient oversight. Interdepartmental cooperation and communication within the organization are critical. When organizations have multiple campuses, considerations should be given to the degree of independence required to maintain compliance at each location. Furthermore, procedures related to the compliance programs should be delineated in a properly maintained document system.

Screening of Customers

It is the responsibility of the exporter to ensure that exports do not end up in the hands of prohibited end-users. Procedures should be in place to verify the legitimacy of the buyer, obtain end-use statements, screen all involved parties against denied parties lists, and ensure that shipping documentation notifies all parties of the nature of the export.

Customer screening should address the risk of unauthorized diversions of exported items and ensure that agreements are not made in violation of Anti-boycott laws.

Export Authorization

Processes should be in place for the proper classification of products and services. Classifications should begin with determining if the item falls under the International Traffic in Arms Regulations (ITAR) which are administered by the Directorate of Defense Trade Controls. Then determinations can be made as to whether the item is subject to the EAR.

Once classification has been completed a determination should be made if the intended export is prohibited, licensing is required, or license exemptions apply.

Record Retention

Retention of documents pertaining to export activities should be maintained for a minimum period of five years. For electronic documentation, care should be taken to ensure confidentiality, integrity, and availability of information. Specific roles and responsibilities for maintaining these records should be assigned.

Training

Any EAR Export Compliance Program is only as resilient as its weakest link. Training is mandatory for all members of an organization that are involved with controlled items. This training should provide job specific knowledge, communicate responsibilities, and impart accountability for compliance. This training should be periodically reviewed to ensure knowledge and update personnel on changes in regulations or policies.

Audits

The export compliance program should be regularly audited to assess its effectiveness. Audits should be conducted on specific functional levels as well as the program level. While these audits can be conducted internally, it is considered a best practice to conduct an audit with an outside auditor.

Handling Export Violations and Taking Corrective Actions

Violations can occur even in a well-executed export compliance program. In the event of a violation, procedures should be in place to address the investigation, corrective action processes, and voluntary disclosure. An organizational culture should be in place that encourages employees to suspected violations and ensures a safe environment for doing so.

CVG Strategy Export Compliance Programs

EAR Export Compliance Programs are essential for businesses involved in the export of items listed on the CCL. These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.

CVG Strategy can help you understand Export Administration Regulations, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

BIS Restrictions on Technologies to PRC

June 23, 2023 by Kevin Gholston

BIS restrictions on technologies to the PRC are being put in place to limit China’s ability to enhance its military capabilities, according to Thea D. Roxman Kendler in testimony to the Senate Banking, Housing, and Urban Affairs Committee. Roxman is the Assistant Secretary of Commerce at the Bureau of Industry and Security (BIS) in charge of the development of export regulations.

Department of Commerce Export Controls

The BIS, under the authorization of the Department of Commerce, protects U.S. national security and foreign policy objectives by ensuring that technology developed in the United States is not made available to adversaries. This is accomplished by identifying sensitive technologies, developing policies and strategies, and reviewing license applications for the export of these items under the Export Administration Regulations (EAR).

The BIS maintains controls of the shipping, transmitting, or transfer of items categorized as dual-use items. These are items, software, and technology that have both civilian and military applications. Dual-use export controls are applicable to:

Military and spacecraft items enumerated in the Commerce Control List (CCL)
Multilaterally controlled dual use items
Items with civil applications that will be exported to parties with intended military purposed end use
Items to be used in Weapons of Mass Destruction (WMD) programs
Exports to parties identified on BIS’s Entity List

The BIS continues to work with interagency partners in the Department of State, Department of Defense, and Department of Energy. It also works with international partners such as the Global Export Control Coalition to enhance the effectiveness of these controls.

Effects of Enhanced Regulatory Activities on the Export Community

The BIS is applying increased scrutiny on license applications submitted by exporters sending items to the PRC. This is due to the concern over the risk of technologies being diverted to parties other than those described in license applications.

This has resulted in longer license processing time. In 2022 license applications for the PRC took an average of 90 days to process, up from an average of 76 days for 2021. In CY 2022, approximately 26 percent of license applications for exports to the PRC were returned without action or denied.

Additionally, licensing applications have dropped, as fewer U.S. companies are applying to export sensitive technologies to China. During 2022, the BIS witnessed a drop of applications for the PRC of over twenty-six percent. This is due to the fact that businesses are becoming increasingly aware that license applications are likely to be denied and are looking for red flags when screening potential customers.

Specific Technologies Restricted for PRC Export

Semiconductor and Hypersonic Technologies

The BIS is using restricting very specific technologies so as to protect U.S, interests while not unduly imposing limitations on legitimate commercial trade. As an example, in May of 2022 the agency placed controls on the following technologies:

- Ultra-wide bandgap semiconductors used in semiconductors devices intended for use in severe conditions where high temperatures and voltages are present.
- ECAD software tools are used in the design process of integrated circuits and printed circuit boards for development of Gate-All-Around Field Effect Transistors (GAAFET).
- Pressure Gain Combustion used in the development of high-speed applications such as hypersonic air-breathing propulsion systems.

Artificial Intelligence

In October 2022, the BIS addressed advanced computing and semiconductor manufacturing to limit PRC access to integrated circuits and supercomputing capabilities necessary for quantum computing and artificial intelligence (AI). AI presents particular concerns for U.S. national security as it can be used to improve the speed and effectiveness of military planning and logistics. AI can also be used in conjunction with electronic warfare, signals intelligence, and radar technologies.

Semiconductor Production Technology

BIS has also expanded controls on various entities tied to the PRC. These parties are now subject to the Foreign Direct Product Entity List rule that restricts them from obtaining semiconductor devices and other items. Additionally, controls have been placed on semiconductor manufacturing equipment required for high-end semiconductor production.

Biological Weapon Related Technologies

BIS restrictions on technologies to the PRC have also been placed on technologies that could be used for development of biological weapons. Devices used for automated peptides synthesis were specifically targeted due to their capabilities of being used in the design of new or enhanced pathogens.

Other BIS Actions

Civil Space Industrial Base Assessment

The BIS, under the auspices of the Department of Commerce, and the Office of Technology Evaluation (OTE) are evaluating the U.S. Civil Space Industrial Base (CSIB) by means of the authority of Section 705 of the Defense Production Act and Executive Order 13603. The intent is to gather information that will provide guidance for the formation of governmental policies and proposals.

These policies are generated in an effort to protect and advance U.S., national security, foreign policy concerns, and economic base. The assessment was requested jointly by NASA, NOAA, The NOAA Office of Space Commerce (OSC), and the National Environmental Satellite, Data, and Information Services (NEDIS). Members of the commercial space sector that are chosen for involvement in this study will be required to participate. Although this assessment is a one-time event the possibility for further studies is possible.

Increased Enforcement Activities

The BIS under the direction of the Department of Commerce and other export enforcement agencies have been changing the scope and enforcement policies in recent years to address the increased complexities of the international political arena. Export Administration Regulations (EAR) have continually been changing as more items are being added to the Commerce Control List (CCL).

David Axelrod, Assistant Secretary for Export Enforcement, has stressed on numerous occasions that the BIS intends to hold U.S. companies and foreign subsidiaries accountable for export violations to protect U.S. foreign policy and national security interests.

Recent events in enforcement include a 300-million-dollar penalty imposed on Seagate Technology, LCC. These actions were taken for alleged export of hard drives to the PRC and include a five-year suspended Denial Order, which if activated, would terminate the organization’s ability to conduct export business.

The Department of Commerce has initiated the Disruptive Technology Strike Force which will partner the BIS with the Department of Justice (DoJ) in the enforcement of the EAR. In enacting this enforcement U.S. enforcement agencies will use use advanced data analytics, and enhanced intelligence to coordinate actions. They will be performing more training of field agents and furthering coordination between agencies in the Intelligence Community.

A Call to Actions for Businesses Involved in Export

These BIS Restrictions on technologies to PRC shows the Department of Commerce’s commitment to continue ramping up enforcement of Export Administration Regulations. This action is the latest in a series of steps that show how serious the U.S. government is in protection of dual use items. Additionally, partners of the U.S. are coordinating efforts to enforce export control laws. Aside from enforcement, penalties both civil and criminal are increasing.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP). These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR). While businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

CVG Strategy Export Compliance Management Programs

CVG Strategy can help you in understanding BIS Restrictions on technologies to PRC and help you in establishing a coherent and effective export compliance system. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Contact Us with you export regulation questions.

Open General License (OGL) Pilot Program

June 20, 2023 by Kevin Gholston

The Open General License (OGL) Pilot Program has been implemented by the Directorate of Defense Trade Controls (DDTC) to ease licensing requirements for reexport and retransfer of unclassified defense articles to pre-approved parties in the United Kingdom, Australia, and Canada. The current program is in effect from August 2022 to July 31, 2026, pursuant to the International Traffic in Arms Regulations ITAR § 120.22(b).

The OGL program is designed to support mission readiness of U.S. allies and to facilitate activities related to storage, repair, and maintenance of unclassified defense articles of existing deployed articles. It is not intended for supporting new acquisitions and capabilities.

Open General Licenses (OGL)

OGLs define the specific type of defense article and or technical data to be reexported or retransferred. It identifies all destination countries and recipients as well as intended end use of article. It also lists any additional requirements or limitations that must be satisfied for use as determined by the DDTC.

Retransfers are allowed under this program to the governments of the United Kingdom, Canada, Australia, members of the Australian or UK communities, or Canadian registered persons under OGL 1. Reexports are limited to those same parties under OGL 2. Items originally exported by way of Foreign Military Sales (FMS) are not eligible for OGLs.

The OGL program pertains only to unclassified defense articles exported by means of a license or approval from the DDTC. No items listed as Missile Technology (MT) in the United States Munitions List (USML) or listed on the Missile Technology Control Regime are eligible for OGLs.

Technical Data Limitations

Technical data eligibility is limited to organizational, intermediate, or depot level information pertaining to the storage, repair or maintenance of defense articles. The end use of this data must be by, or for, operation on behalf of the governments of Canada, Australia, or the United Kingdom. Technical data relating to any usage of Unmanned Aerial Vehicles (UAV), space-launch vehicles, or items on the MTCR Annex or ITAR part 121 is not eligible for OGLs.

Other Requirements

Other Open General License (OGL) requirements exist for the transferor of eligible defense articles. These include compliance with § 123.9(b) of the ITAR which deals with the country of ultimate destination and information that must be incorporated into the commercial invoice. Records of each retransfer or reexport must be maintained and made available to the DDTC if required.

Congressional notification by the Department of State is required for any defense equipment valued at or exceeding $25 million. For defense services this limit is $100 million. These services are limited to maintenance repair, or overhaul of defense equipment that does not augment or increase the military capabilities of the equipment being serviced.

The Future of the OGL Program

The DDTC is carefully monitoring this program and considering options to enhance its capabilities. This program to those administered by other nations such as Japan, Australia, and the United Kingdom. Its intention is to facilitate United States foreign policy and national security objectives while ensuring that sensitive technologies are denied to U.S. adversaries.

CVG Strategy Export Compliance Services

Keeping abreast of and remaining compliant of ITAR requirements and other United States export controls is a challenge for businesses of all sizes. Partnering with a trusted expert in export compliance can provide your organization with systems and training to avoid expensive and reputation ruining violations.

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Asset Controls (OFAC), Canadian Goods Program (CGP) and other regulatory agencies.

CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multi-national organizations. CVG Strategy’s experts are not ex-government employees, they understand the needs and goals of small to medium-sized operations in managing compliance requirements. They also have expertise in the implementation and maintenance of a wide variety of management system standards.

#Stopransomware Guide Update Released 2023

June 12, 2023 by Kevin Gholston

The #Stopransomware Guide update was released in May 2023 jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC). Information in this guide was developed by the Joint Ransomware Task Force (JRTF) which is overseen by the Federal Bureau of Investigation (FBI) and CISA. to help organizations reduce the risk of ransomware events. In this revision the National Security Agency (NSA) and FBI were added as contributors.

What is Ransomware?

Ransomware is a malware attack on data that encrypts files to render the data unusable. Victims of these attacks are then pressured into paying a ransom to threat actors to retrieve data and prevent this proprietary data from being released.

Ransomware attacks are continuing to increase in numbers and have proven to be costly for organizations victimized. These events can severely impact processes by rendering mission-critical services inoperable. This can result in economic and reputational damage as third-party data is often compromised.

What was Added in this Update?

In this update recommendations were made for preventing vulnerable infection vectors such as compromised credentials and various forms of social engineering. Recommendations were also updated to promote Zero Trust Architecture (ZTA). Additionally, the ransomware response checklist was expanded with tips for detection and analysis of ransomware attacks. All of these recommendations were cross mapped to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

Guidance to Prevent, Respond and Recover

The twenty-nine-page document provides step by step approaches to detect, prevent, and respond to incidents through best practices. It is stressed that offline encrypted backups be maintained that are not synced to the cloud. It is also stressed that a hard copy of a cyber–Incident Response Plan (IRP) be formulated and regularly reviewed.

Much of the guidance reiterates best practices that have been accepted by the cybersecurity community at large. These include the use of regular vulnerability scans, updating software and operating systems, use of VPNs, password protocols and protections, and of course training. Regardless, this document is a must read for anybody involved in information security management.

Part 2 of the document provides a checklist for ransomware and data extortion response that is critical knowledge for any organization. This includes steps for detection and analysis, reporting and notification, and containment and eradication. Additionally, the guidance provides contact information for federal agencies that should be notified in the event of a ransomware attack.

CVG Strategy Cybersecurity

As the #stopransomware guide update illustrates, requirements for data protection surpass the implementation of information control technologies. Policies that incorporate risk assessment, training, and management review are required to ensure that an organization is on track for the prevention of initial access by threat actors and data exfiltration.

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats. We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Our team of experts bring extensive experience and deep information security process control expertise (including certifications as Exemplar Global Lead Auditor ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification—on time and on budget.

CVG Strategy is also committed to the goals of CMMC in securing our defense manufacturing supply chain’s information secure. As industry leaders in cybersecurity, ITAR, and risk-based management systems. We have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements CMMC, establishing effective programs, and achieving certification.

Export Administration Regulations UVL § 744.15

June 6, 2023 by Kevin Gholston

The Export Administration Regulations UVL (Unverified List) controls the export, reexport or transfer (in country) of items to listed parties. Furthermore, parties on this list are not eligible for any license exemptions. Failure to comply with these regulations can result in civil and criminal penalties, imprisonment, and debarment from export activities.

Conducting Export Activities to UVL Entities

Export activities to entities appearing on the Unverified List (UVL) require the exporter, transferor, or rexporter to obtain a UVL statement from the listed person. These statements, recorded in a document, are valid for multiple exports, reexports, or in country transfers for a single item. The document must be signed and dated by the UVL party. Specific data for this document include: name, physical address, agreement not to engage in any prohibited end use, statement of end user, end use, and country of ultimate destination.

The listed person must certify that they have sufficient authority to bind the party legally. They must also agree to Post-Shipment Verification (PSV) to be conducted by or on behalf of the Bureau of Industry and Security (BIS). PSVs are conducted by officials in person to verify that exported items arrive at the intended destinations.

Denied Parties Screening

UVL controls are yet another example of why organizations need to conduct denied parties screening. This activity is an essential practice for ensuring regulatory compliance to U.S. law. Screening is performed to restrict or prohibit U.S. individuals and organizations from shipping products or providing services to parties listed on denial, debarment, and blocked persons lists.

The United States Government maintains a number of lists of sanctions and debarred parties. These are maintained on the Consolidated Screening List (CSL). Additionally, a number of private vendor solutions are available that provide screenings and alert users to any change in status.

CVG Strategy Export Compliance Management Programs

CVG Strategy can help you in understanding Export Administration Regulations UVL requirements and help you in establishing a coherent and effective export compliance system. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Contact Us with you export regulation questions.

CGP Cloud Solutions Guidance – Technical Data

June 1, 2023 by Kevin Gholston

The government of Canada has specific Controlled Goods Program (CGP) Cloud Solutions requirements for individuals or organizations that possess or transfer controlled goods and associated technical data. Technical data includes drawings, blueprints, software, or technical documentation that could be used or adapted for military or space end use. Cloud service providers that provide storage or processing and/or processing of technical data associated with controlled goods must register with the Controlled Goods Program.

This requirement makes it a requirement for storage of data on servers located in Canada unless licensing requirements have been met through Global Affairs Canada.

Responsibility for Data Security

Organizations registered in the CGP are responsible for determining what cloud solutions are appropriate for their applications. As such, it vital that monitoring and regular risk assessments be taken to ensure that adequate and appropriate security controls are in place. Guidance for conducting these risk assessments can be found at Guidance on Cloud Security Assessment and Authorization.

When selecting a cloud service provider, organizations should understand what security controls are provided. They should then assess requirements for any additional security controls to mitigate any residual risk of unauthorized access to data.

Restriction of Access

The underlying purpose of data security is to restrict access of data to individuals who have been security assessed as detailed in section 15 of the CGP. Organizations should ensure that data stored on the cloud is made available through secure connections such as Virtual Private Networks (VPN) or Transport Layer Security (TLS). Dual authentication mechanisms and proper password policies should be employed in conjunction with these solutions.

Encryption Requirements

Controlled goods technical data stored on the cloud should by encrypted. The Government of Canada recommends U.S. Federal Information Processing Standard (FIPS) 140-2 for appropriate end-to-end encryption. The use of phishing resistant authentication controls are also recommended.

Export Compliance Security Plan

A documented security program is required for organizations registered in the CGP. These security plans should include specific information relating to data storage. This includes, the security employed by the cloud provider, additional controls implemented by the organization’s information security management team, and any other measures or processes incorporated to manage residual risks.

Differences in Canadian and U.S. Requirements

These cloud service requirements contrast with requirements in the United States for the International Traffic in Arms Regulations (ITAR). The current ITAR requirements (§ 120.54) allow for storage of unclassified ITAR technical data on foreign servers if end to end encryption compliant with the U.S. National Institute of Standards and Technology (NIST) requirements.

CVG Strategy Export Compliance and Information Security Expertise

Export Compliance Expertise

Navigating international import and export laws can be extremely challenging for organizations. This is especially the case for those whose products are defense related. CVG Strategy export compliance experts have over a decade of experience in assisting businesses establish and maintain export compliance programs.

CVG Strategy has helped companies comply with both U.S. and Canadian regulations. We can answer your export compliance questions to keep your organization in compliance to regulations. We can also provide essential training to ensure that your team is up to date on ever changing export laws.

Cybersecurity Expertise

CVG Strategy is committed to helping businesses protect information by helping them establish effective cybersecurity programs. We know that viable solutions include all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

Voluntary Self Disclosure (VSD) Guidelines

May 30, 2023 by Kevin Gholston

A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of export regulations of the United States have occurred. The three major sets of U.S. Regulations are the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).

International Traffic in Arms Regulations

The ITAR is regulated by the Directorate of Defense Trade Controls or DDTC under the authority of the Department of State. ITAR controlled items are defense products and defense services enumerated in the United States Munitions List (USML). The DDTC strongly encourages submitting a voluntary self-disclosure of any potential violations of the Arms Export Control Act. Voluntary Disclosures may be viewed as a mitigating factor when determining administrative penalties, if any, that should be imposed.

Export Administration Regulations

The EAR is administered by the Bureau of Industry and Security (BIS) under the direction of the Department of Commerce. Items controlled under the EAR are enumerated in the Commerce Control List (CCL).

The BIS considers VSDs as an indicator of an organization’s intent to comply with U.S. export law. The BIS carefully reviews VSDs to determine if violations have occurred. They then determine the appropriate corrective action when violations of the export regulations have taken place.

Office of Foreign Assets Control

The OFAC is administered by the Department of Treasury. Its responsibilities include administering and enforcing economic and trade sanctions to further U.S. security and foreign policy objectives. It is the responsibility of all organizations to screen any party involved with items to be exported. As with the other two agencies Voluntary Self Disclosure is a factor in the consideration of mitigated penalties.

Recent Guidelines from Export Enforcement

In a recent memorandum from Matthew Axelrod, Assistant Secretary for Export Enforcement, the importance of proper handling of VSDs was stressed to export enforcement agents. The Assistant Secretary heads enforcement activities for the BIS and OFAC.

Mr. Axelrod stressed the importance of effective Export Compliance Programs for organizations involved in export activities. These programs must have processes in place to identify, prevent, and mitigate export regulation violations. These programs should include mechanisms for conducting voluntary disclosures of an organization’s own potential violations and the potential violations of other organizations.

To speed up the handling of VSDs, involved governmental agencies have incorporated a dual-track system to handle EAR infractions. The majority of cases reported involve minor and technical infractions and these are now fast-tracked to be resolved within sixty days of final submission. For minor infractions, organizations can now combine multiple incidents into a single submission.

The memorandum went on to stress that both organizations and enforcement agencies should understand that timely VSDs that include full cooperation with export enforcement should result in mitigation of penalties for non-egregious cases. Conversely, when VSDs are not filed, while this does not necessarily constitute concealment, increased penalties may result. Factors for consideration of penalties include, adequacy of the export compliance program, proposed steps to prevent reoccurrence.

The memorandum stressed the importance of incentivizing disclosures of other organizations stating that it should not be expected that exporters suffer in silence in forgoing sales while competitors may be taking advantage by conducting business in violation of regulations. To simplify this reporting the agency now offers a Confidential Reporting Form. If the disclosed violations include both export and sanctions violations the Financial Crimes Enforcement Network (FinCEN) is authorized to provide whistleblowers with substantial financial awards.

CVG Strategy Export Compliance Expertise

The DDTC, the BIS, and the OFAC, along with international partners have greatly increased their activities in the generation and enforcement of regulations. This increases the likelihood of a non-egregious violation occurring even in a company with a well-run export compliance program. Understanding and documenting how to execute a Voluntary Self Disclosure (VSD) is therefore essential.

OFAC Non SDN Sanction List

May 25, 2023 by Kevin Gholston

The Office of Foreign Assets Control (OFAC) Non SDN Sanction List is a reference tool that is published by the United States Department of Treasury to identify persons subject to specific types of sanctions. This list includes non-blocking prohibitions of the export specific goods and services and prohibitions based on statutory exceptions for imports. The list also controls prohibition of investments.

The SDN list is not a part of other OFAC sanction lists enumerated in the List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (CAPTA List) or the Specially Designated National and Blocked Person (SDN List). To address this the OFAC has created the Consolidated Sanctions List to ease the burden placed upon organizations conducting business internationally.

Chinese Military and Surveillance Technology Sectors

The Non SDN List includes entities determined to be involved in the military and surveillance technologies at the behest of the People’s Republic of China. These actions were initiated during the Trump administration and are being actively continued in the Biden administration. As a result of these changes, the authority for identifying these parties has been moved from the Department of Defense (DoD) to the OFAC.

Parties particular to China are listed in the Non-SDN Communist Chines Military Companies List (NS-CMIC List). This list has replaced the Non-SDN Communist Chinese Military Companies List previously on the OFAC website.

Russian Related Designations

Russian entities listed under these sanctions also continue to grow as a result of that country’s hostilities against Ukraine. These entities may appear in other countries allied with the Russian efforts such as Belarus. It is important to understand that these lists are updated on a regular basis and that information on parties from previous transactions should be screened against latest information before engaging in new business.

Penalties for Noncompliance

The U.S. Government maintains sanctions to support the United States national security and foreign policy objectives. These sanctions are often in effect regardless of an item or service’s export regulation classification. Conducting an activity that results in the sale or transfer of an item, service, or information to a denied party or entity can result in civil fines, criminal fines, and imprisonment.

Export sanctions are enforced by the Department of Treasury’s Office of Foreign Assets Control (OFAC). There are numerous penalties based on the relevant statue under which violations may have occurred. These penalties are adjusted for inflation annually. Recent penalties from the OFAC include a $30,000,000 settlement, from Wells Fargo.

Growing Burden on International Businesses

Actions taken by the United States are also being instituted by its allies including the European Union, United Kingdom, Australia, New Zealand and others. This makes identification of parties involved in transactions more important than ever. While many organizations have actively engaged in active Export Compliance Programs, they often have not actively incorporated denied party screening into their processes.

To learn more about Denied Party Screening click on this link to download a whitepaper about this important activity.

CVG Strategy Export Compliance Management Programs

Our Export Compliance Management Programs include procedures that address lists checks, including the OFAC Non SDN Sanction Lists to help your organization maintain due diligence. We can also perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help you remain compliant.

300 Million Dollar Penalty Imposed by BIS

May 15, 2023 by Kevin Gholston

A 300-million-dollar penalty was imposed on Seagate Technology, LCC, by the Bureau of Industry and Security (BIS). These administrative penalties were leveled at the business’s operations in Fremont, California and Singapore and include a five-year suspended Denial Order, which if activated, would terminate the organization’s ability to conduct export business under the Export Administration Regulations (EAR).

Although Seagate CEO, Dave Mosley, denied any wrongdoing, the BIS alleges that the company continued to sell computer disk drives to Huawei in violation of the Foreign Direct Product Rule. It is alleged that Seagate entered an agreement with Huawei to be a strategic supplier when Seagate’s competitors had stopped selling to Huawei.

Background on BIS Controls on Huawei

The BIS took action to prevent the company from acquiring semiconductors that are the direct product of U.S. technologies and software restricted Huawei’s in May of 2020 under the Foreign Direct Product Rule. These actions placed Huawei on the Entity List and effectively banned the export of items to the company. The United States has long held that Huawei products are a threat to information security. The United Kingdom and members of the European Union have voiced those concerns as well, because Huawei is a producer of 5G technologies.

BIS Sends Warning

This $300 million penalty is the largest standalone penalty in BIS history. Matthew Axelrod, Assistant Secretary for Export Enforcement, stated that the settlement is “a clarion call” for businesses conducting exports to comply with BIS export rules. He further stated that any organization subject to FDP restriction need to reassess its manufacturing processes to ensure that U.S. technologies or software are not used in building restricted items. Companies that discover violations were encouraged to submit Voluntary Self-Disclosures (VSD).

BIS Enhancing Enforcement and Prosecution

CVG Strategy Export Compliance Programs

This 300-million-dollar penalty on a multinational business underscore the importance in creating and maintaining viable export compliance programs for technology-based businesses. These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.

Export Compliance Penalties for ITAR and EAR

May 3, 2023 by Kevin Gholston

The U.S. Government continues to impose export compliance penalties for companies that commit violations. This is the case for exports that fall under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). These penalties can include both civil and criminal fines, imprisonment, and denial of export privileges.

Penalties Under the ITAR

Organizations involved in the export of defense goods or defense services that are enumerated in the United States Munitions List (USML) are subject to export controls under the ITAR. The ITAR fall under the controls of the United States Department of State and are administered by the Directorate of Defense Trade Controls (DDTC).

As described in CFR 22 §127, it is a violation to export, reexport, transfer, or retransfer ITAR controlled articles without a written license or approval. Furthermore, it is unlawful to misrepresent or make false statements in such export transactions. Under 22 U.S.C 2778(c) penalties can include fines of up to $1,000,000 per violation and or imprisonment for twenty years.

Penalties Under the EAR

Export Administration Regulations place controls on the export of commodities including intellectual property, technology, and software. These items which are enumerated in the Commerce Control List (CCL) are often referred to as “dual use” items in that they may have military as well as commercial applications. These export controls fall under the jurisdiction of the Department of Commerce and are administered by the Bureau of Industry and Security (BIS).

The BIS can invoke both civil penalties and criminal penalties for violations of the EAR. Criminal penalties can include up to $1,000,000 in fines per violation and up to twenty years imprisonment. Civil penalties, also referred to as administrative penalties, can be either $300,000 per violation or twice the transaction value, whichever is greater. These penalties are adjusted for inflation on an annual basis.

Other Export Penalties

Aside from the two sets of regulations, the U.S. Government maintains sanctions to support the national security and foreign policy objectives. These sanctions are often in effect regardless of an item or service’s export regulation classification. Conducting an activity that results in the sale or transfer of an item, service, or information to a denied party or entity can result in civil fines, criminal fines, and imprisonment.

Recent Examples of Enforcement

Companies of all sizes are being penalized for export violations. Recently the BIS imposed a $300 million dollar civil penalty against Seagate Technologies for exporting hard disk drives to Huawei Technolgies Co. Ltd. 3D Systems, a U.S. company based in South Carolina agreed to a settlement of $20,000,000 for violations of the ITAR. Additionally, Wells Fargo agreed to a $30,000,000 settlement with the OFAC.

CVG Strategy Export Compliance Management Systems

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Unfortunately, many businesses fail to adequately engage in managing their compliance requirements.

CVG Strategy can help you establish a coherent and effective Export Compliance Management System. We can also perform export control classifications, perform audits, and educate your export compliance team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Our experts can provide guidance for your export issues and questions.

ITAR Expands Treaty Exemptions for Transfers

April 28, 2023 by Kevin Gholston

The International Traffic in Arms Regulations (ITAR) expands treaty exemptions for the transfer of defense articles, services, and technical data enumerated on the Munitions List. This rule, which will become effective on May 12, 2023, is in effect for transfers between the United States and Australia, the United Kingdom, and Canada.

Effect of Rulemaking

This amendment was created to ensure that treaty exemptions between these nations enhance, cooperation, interoperability, and operational capabilities. The Department of State is amending Supplement No. 1 to part 126 of the ITAR to expand the types of articles in connection with the various extant Defense Trade Cooperation Treaties between the nations.

While this amendment will have little effect on the ITAR at large, it will reduce the requirements for export licenses, relieving burdens on exporters and the Directorate of Defense Trade Controls (DDTC). The amendment is not open for comments as it will not require expenditures by the United States Government.

CVG Strategy Export Compliance Services

As ITAR Expands Treaty Exemptions illustrate, the world of export compliance is in continual flux. Maintaining diligence and being aware of opportunities to expand business opportunities requires an adequately trained export compliance team working within a properly designed export compliance management system.

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from Export Administration Regulations (EAR), to the International Traffic in Arms Regulations (ITAR), Office of Foreign Asset Controls (OFAC), Canadian Goods Program (CGP) and other regulatory agencies.

New DoD Requirement For Contractors

April 27, 2023 by Kevin Gholston

A new Department of Defense (DoD) requirement for contractors has been proposed. This would require contractors to provide applicable export authorizations when receiving certain types of government contracts. This proposed amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) would empower the Defense Contract Management Agency (DMCA) to request export authorizations when contracts require Government Quality Assurance Surveillance Oversight.

Government Quality Assurance Surveillance Oversight

Government Quality Assurance Surveillance is used to assess contractor performance to ensure that specific objectives have been met. This is accomplished by having contractors submit a Quality Assurance Surveillance Plan (QASP). This document identifies performance objectives and the specific methods of inspection used to verify compliance. A QASP is required when contracts are designated for countries in the European Union, Israel, Turkey, and the United Kingdom.

At present, the DCMA must either have government personnel travel abroad or have foreign auditors perform these assessments. Export licensing documents must specify if foreign auditors can be utilized. It can require a significant amount of time to determine if licensing allows for foreign auditors. Therefore, this requirement would provide the agency to know if they can delegate foreign auditors more quickly.

Number of Entities Effected

While a number of prime contractors may be affected by this requirement, the DCMA estimates that relatively few small entities will fall under these additional requirements. Based on an analysis of contracts that required government quality assurance oversight surveillance between May of 2018 and May of 2019, only 723 were classified as small entities. This is important because of the burden associated with additional reporting and record keeping.

As with other proposed changes in these types of regulations, the DoD is inviting comments from effected parties, especially small businesses involved in these types of contracts. Comments should cite 5 U.S.C 610 (DFARS Case 2018-D053) when submitted.

Export Authorizations

The proposed amendment would require contractors to submit export authorizations. These authorizations could include export licenses, export license exceptions, or export license exemptions. Export licensing is required to ensure that United States national security and foreign policy objectives are maintained when defense products or services are exported that are controlled under the International Traffic in Arms Regulations (ITAR). These controls are also required for the export of commercial products and services whose export is controlled by the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR).

Licensing requirements are determined by classification of an article or service under the ITAR and EAR. When an item has been found to be enumerated under these regulations various prohibitions or licensing requirements may exist depending on the type of product, its intended end use, and the country of export.

Technical Assistance Agreements

Another control for export compliance is the Technical Assistance Agreement (TAA). A TAA is a document that specifies the arrangement between an exporter and a foreign person who is a recipient of a defense service. The information covered by TAAs include any information required on the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles. TAAs are often a requirement for the following activities:

Support of exported direct commercial sales
Overseas maintenance or training
Demonstrations, evaluations or consultations
Activities in support of U.S. government sponsored foreign contracts

Export Control Classification

An export can include sale of goods within the United States to a person or entity that is not a U.S. person. A transfer of technical data can also be considered an export which can be conducted by means of a phone call or email. Export Control Classification begins with the defining the technical specifications for the item to be transferred. This applies to actual shipments as well as transfers of technical data.

It is important to note that a given product may fall under numerous classifications based on how regulations are interpreted. It is essential to ensure that a thorough analysis be conducted to ensure that due diligence for compliance has been met. Therefore, it is not prudent to rely on a customer’s or supplier’s classification as there are severe consequences for non-compliance.

CVG Strategy Export Compliance Expertise

New DoD requirements for contractors and subcontractors will place additional scrutiny on the licensing of exported products and services. Governmental enforcement has become more stringent in recent years for failures to comply with the ITAR and the EAR.

Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply.

CVG Strategy can help you establish and maintain a coherent an effective Export Compliance Management System that will address these new DoD requirements for contractors. We can assist you by performing export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.