BIS Addressed Human Rights Through Entity List


The Bureau of Industry and Security (BIS) addressed human rights abuses with additions to the Entity List of individuals and organizations that are enabling or engaging in human rights violations. The eleven entities added, in March of 2023, are based in China, Burma, Russia, and Nicaragua. These actions demonstrate the ongoing efforts by the Department of Commerce to use export control laws and trade sanctions to support the foreign policy objectives of the United States.

These actions by the Commerce Department restrict the export of technology, commodities, and software to parties on the Entity List (Supplement No. 4 to Part 744 of the Export Administration Regulations (EAR)).  Export license applications for export, reexport, transfer, or re-transfer to these parties have a license review policy of “presumption of denial”.

Parties Added to Entity List

Five of the entities now listed are associated with continued violations of human rights against the Uyghur people of China. These abuses include arbitrary detention and severe repression. Entities based in Burma and Russia were placed on the list for providing military equipment used to attack and kill civilians within Burma. Additionally, the Nicaraguan National Police (NNP) has been added for abuses against citizens of that country.

Specially Controlled Technologies

Aside from controlling items that have a direct military application, the U.S. government is seeking to control the export of technologies that have a high potential for misuse.  These technologies include Artificial Intelligence used for the control of mass surveillance and technologies used for mass censorship.  The restrictions on spyware are also being endorsed by U.S. partners including the United Kingdom, Australia, Canada, France, New Zealand, Norway, Switzerland, Sweden, and Costa Rica.

Export Controls and Human Rights Initiative

The U.S. government, in conjunction with international partners, has created the Export Controls and Human Rights Initiative. This action, supported by twenty-six nations, establishes a Code of Conduct to support democracy. The agreement seeks to control the export of commodities, technologies, and software that could be used for human rights abuses.

This multilateral effort was initiated at the first Summit for Democracy in 2021, where representatives of the international community discussed challenges to democracy in today’s world. The group has continued to meet annually to further its goals.

The Need for Denied Party Screening

As export regulations continue to grow in complexity, Denied Party Screening becomes a greater responsibility for businesses involved in export. Many businesses have been reluctant to engage in this important compliance practice, placing themselves at growing risk of violating export regulations.

In recent years the BIS and the Department of the Treasury Office of Foreign Assets Control have ramped up their enforcement activities. This has resulted in numerous actions against companies of all sizes, resulting in civil fines, criminal fines, imprisonment, and debarment of organizations from export activities.

Screening should be an integral part of an export compliance management program.  There are a number of resources available for organizations to perform screenings.  The Consolidated Screening List is maintained by the U.S. Government and is updated daily to include changes from the Department of Commerce, the Department of State, and the Treasury Department.  Additionally, commercial screening products are available that can automatically screen parties on databases at regular intervals.

CVG Strategy Export Compliance Expertise

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the export compliance and training programs to help you meet ITAR and EAR export controls. As the BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we offer outsourced Export Compliance Officer services. We also offer signs and accessories to aid in Visitor Access Control on our ITAR Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Consulting, Export Compliance Programs, and Training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) regulations, and those of other regulatory agencies.

Microsoft Export Violations Make News


Microsoft export violations have resulted in multi-million-dollar penalties for the software provider. The company has made voluntary disclosures to the Bureau of Industry and Security (BIS), the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the Department of Justice (DOJ). Most of these reported violations occurred between 2012 and 2019. These violations were the result of a failure to adequately identify end-users of products.

Microsoft Sanction Programs Violations

Microsoft will pay over $3 million in civil penalties for over 1,300 possible sanctions violations. These violations involved providing its software licenses and related services to individuals in Cuba, Syria, Russia, and Iran designated on the Specially Designated Nationals and Blocked Persons List (SDN). The SDN List is maintained by OFAC to identify companies and individuals owned or controlled by, or acting on behalf of, sanctioned countries.

Most of the violations in this case involved Russia, which has been the focus of numerous additional sanctions and regulations since the beginning of the war in Ukraine. Although OFAC noted that the violations were self-disclosed and non-egregious, it also cited a “reckless disregard for sanctions” in this case despite the company’s voluntary self-disclosure. Microsoft is not alone in these infractions, as numerous companies have continued to conduct business with parties on sanctions lists.

BIS Enhancing Enforcement and Prosecution

The BIS and other export enforcement agencies have been changing their scope and enforcement policies in recent years to address the increased complexities of the international political arena. The Export Administration Regulations (EAR) have continually been changing as more items are added to the Commerce Control List (CCL). Additionally, the agency has increased its focus on the use of sanctions and denied parties lists to protect sensitive technologies.

David Axelrod, Assistant Secretary for Export Enforcement, has stressed on numerous occasions that the BIS and OFAC intend to hold U.S. companies and foreign subsidiaries accountable for export violations to protect U.S. foreign policy and national security interests.

The Importance of Denied Parties Screening

In this case, properly performed denied parties screening would have prevented the export and sanctions violations. Screening is performed to restrict or prohibit U.S. individuals and organizations from exporting products or providing services to parties listed on denial, debarment, and blocked persons lists.

Screening applies to all businesses regardless of product or service sector.  An organization is obligated to ensure that any transaction, where there is a transfer of money, is not destined to an individual or entity on a government watch list.  Screening also applies to businesses that only engage in domestic transactions, as individuals on these lists often reside in the United States.
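The screening step described above and in the earlier Denied Party Screening section, as an added illustration that is not CVG Strategy's code or any vendor's product: it normalizes counterparty names, checks every party on a transaction against a constructed sample list (the entries, aliases and field names are made up for the example and are not the real Consolidated Screening List schema), flags near-miss spellings for human review rather than silently clearing them, and records what was screened so the transaction is documented.

```python
"""Denied party screening of transaction counterparties against a
(constructed) screening list. Added example, not CVG Strategy's code;
the entries and field names below are made up and are not the real
Consolidated Screening List schema."""
import re
from difflib import SequenceMatcher

# Constructed sample list. Real screening would load the daily
# Consolidated Screening List export instead of this literal.
SCREENING_LIST = [
    {"name": "Example Surveillance Technology Co., Ltd.",
     "alt_names": ["Example Surveillance Tech"],
     "source": "Entity List (EAR Part 744 Supp. 4)", "country": "CN"},
    {"name": "Nicaraguan National Police",
     "alt_names": ["NNP", "National Police of Nicaragua"],
     "source": "Entity List (EAR Part 744 Supp. 4)", "country": "NI"},
    {"name": "Sample Trading House LLC",
     "alt_names": [],
     "source": "SDN List (OFAC)", "country": "RU"},
]

# Corporate suffixes carry no identity and only cause missed matches.
_SUFFIXES = {"co", "corp", "inc", "llc", "ltd", "limited", "company",
             "gmbh", "sa", "plc", "ag"}


def normalize(name: str) -> str:
    """Casefold, strip punctuation and drop generic corporate suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.casefold())
    tokens = [t for t in tokens if t not in _SUFFIXES]
    return " ".join(tokens)


def screen_party(party: str, screening_list=SCREENING_LIST,
                 threshold: float = 0.85) -> list[dict]:
    """Return potential matches for one party name.

    An exact match on the normalized name or an alias scores 1.0; other
    candidates get a similarity ratio and are reported when it reaches
    `threshold`, so a compliance officer reviews near-miss spellings
    instead of the code clearing them silently.
    """
    target = normalize(party)
    hits = []
    for entry in screening_list:
        best = 0.0
        for cand in [entry["name"], *entry["alt_names"]]:
            norm = normalize(cand)
            if norm == target:
                best = 1.0
                break
            best = max(best, SequenceMatcher(None, target, norm).ratio())
        if best >= threshold:
            hits.append({"party": party, "matched": entry["name"],
                         "source": entry["source"], "score": round(best, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def screen_transaction(parties: list[str]) -> dict:
    """Screen every party on a transaction (customer, consignee, end user,
    forwarder, ...) and hold it if any of them hits. The returned findings,
    including empty ones, are the per-transaction record the text calls for."""
    findings = {p: screen_party(p) for p in parties}
    return {"hold": any(findings.values()), "findings": findings}


if __name__ == "__main__":
    result = screen_transaction(["Acme Widgets Inc.",
                                 "example surveillance technology ltd",
                                 "Sample Trading Hous LLC"])
    print("HOLD" if result["hold"] else "CLEAR")
    for party, hits in result["findings"].items():
        for h in hits:
            print(f"  {party!r} -> {h['matched']} [{h['source']}] {h['score']}")
```

Because the list changes daily, the same screening must be rerun against the current list on a schedule, not only at order entry.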

CVG Strategy Export Compliance Programs

Microsoft export violations underscore the importance of creating and maintaining viable export compliance programs for technology-based businesses. These programs should be incorporated into an organization’s management system to ensure effective mitigation of the risks associated with violations.

CVG Strategy can help you understand Export Administration Regulations and OFAC sanctions, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Quality Management Internal Auditing Tips


Quality Management internal auditing is performed in an organization to assess strengths and weaknesses and to identify areas of noncompliance. These audits are usually conducted by employees of the organization who assess processes they are not directly involved in, to ensure an unbiased analysis.

Information gathered from a well performed internal audit can provide insights for improvements in the organization and increased efficiency.  Additionally, when trained to be internal auditors, employees can identify areas for improvement in their own areas of operation and become more effective contributors to the Quality Management System.

The Importance of Auditing

Auditing is an important step in the Plan, Do, Check, Act methodology that is incorporated in ISO 9001, ISO/IEC 27001, AS9100D, and other standards. As such, it is a requirement in all Quality Management Systems. Auditing checks on the effectiveness of plans that have been implemented. Findings from audits provide actionable items to implement new plans or modify old ones to drive continuous improvement.

Organizations undergo constant change as personnel transition, technologies mature, marketplaces evolve, and customer expectations change. These factors, and others, can alter the effectiveness of a management system in ensuring the quality of an organization’s products and services. Processes and work procedures may no longer be up to date or be effectively communicated in training. The internal audit function can uncover these deficiencies.

Types of Audits

There are three types of audits: first-party audits, second-party audits, and third-party audits.

First-party audits are performed inside an organization to assess strengths and weaknesses. This can serve to identify areas of noncompliance so that corrective actions can be taken. These internal audits are usually conducted by employees of the organization who assess processes they are not directly involved in, to ensure an unbiased analysis.

Second-party audits are provided by an external entity. These external audits can be requested by a customer to confirm that an organization is performing as required. They can also be initiated by the organization itself to provide a gap analysis or to find out whether the organization is in compliance and ready for certification.

Third-party audits are conducted by external auditors to certify the organization to the standard being implemented. These certification audits ensure that the organization’s operations are in compliance with the requirements of the standard. They examine processes to see if they are being implemented as documented. They also assess whether the management system has buy-in from upper management and is sufficiently resourced.

Learning How to Perform an Internal Audit

As with any other quality management function, internal quality audits use a process approach. These processes provide a step-by-step methodology that engages all aspects of the QMS standard. They include defining a purpose and scope, developing checklists and questions, creating reports, and completing follow-up activities. These activities are scheduled by upper management so that findings can be reviewed at management review meetings.

Once the functions of the audit have been defined, the auditor must carry out the audit itself. This requires the development of some very important interpersonal skills. These skills include making the people being audited feel comfortable, learning to listen, reading body language, and developing a line of inquiry during the interview process.

Stages of the Internal Audit

An internal audit is performed in a series of stages. These stages include the following steps:

  • Audit Planning: The audit is scheduled so that all parties are aware of the upcoming audit. The schedule and scope are determined and audit checklists prepared.
  • Opening Meeting: The audit team explains the specific processes to be examined.
  • Performance of the Audit: The audit commences and completes its planned activities.
  • Closing Meeting: A meeting is held to review the audit team’s findings, including any nonconformities.
  • Follow-Up Activities: Reports are completed and actions taken to address nonconformities found in the audit.

Learning How to Participate in an Audit

Employees are often likely to feel threatened by an audit. It is important to stress that quality management internal auditing is a normal part of an organization’s operations and that they should not feel threatened. It is also important for employees being interviewed to understand that they should be concise in their answers. An audit is not a time for a life story or to branch out into areas other than those being asked about.

CVG Strategy Quality Management Expertise

Our Exemplar Global Lead Auditor Consultants can help you develop an effective Quality Management Internal Auditing team to perform first-party audits within your organization. We can also help you implement a new quality program, provide training, and perform second-party audits to ensure that your organization complies with contractual requirements.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based. Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO/IEC 27001:2022, and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

CVG Strategy is a consultancy offering coaching, mentoring, training, and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security, and Product Test and Evaluation.


GoDaddy Multi-Year Security Breach


Hosting giant GoDaddy has disclosed a multi-year security breach that has compromised customer security and may lead to infection of customer websites. This is a noteworthy concern, as the company acts as a hosting service for 20 million customers worldwide.

The first breach was reported in November of 2019. Since then the company has reported two other breaches. The latest, carried out by an as yet unidentified party, has resulted in complaints from customers about redirects to malicious sites. These redirects could expose site visitors to phishing attacks and malware.

Extent of Compromised Data

GoDaddy has reported that this multi-year security breach was conducted by a sophisticated threat actor group. The company has begun working with external forensic cybersecurity teams and international law enforcement agencies. The resulting ongoing investigation has led to the discovery that other web hosting companies have also been targeted.

In the latest series of discoveries, GoDaddy reported that customers’ websites were being intermittently redirected due to a breach of the company’s shared hosting environment, where malware had been installed into service source code.

In 2020 the login credentials of 28,000 customers were compromised. In a breach reported in November 2021, attackers gained access to a WordPress-linked provisioning system and compromised passwords for WordPress site administrators. WordPress is a website builder and content management system. This allowed the attackers to access customer websites and install malware. The 2021 attack affected around 1.2 million customers.

GoDaddy has forced a reset of WordPress passwords and private keys. It has also begun issuing new SSL certificates. Information concerning these breaches was submitted to the United States Securities and Exchange Commission (SEC), outlining the service interruptions and security breaches that occurred and the remediation actions taken.

The Importance of Information Security Management Systems

Organizations, both public and private, face a growing threat of data breach. Many of these attacks are funded by nation-states intent on the theft of proprietary information and the disruption of business continuity. Cybercriminals target companies handling valuable information. These threats to the confidentiality, integrity, and availability of data can result in the complete collapse of a business.

Threats from cyber incidents are not only targeted at conventional databases but at infrastructure and manufacturing processes that use digital technologies. In fact, every new technology introduced to an organization presents a potential entry point for cybercrime.

While the effective implementation of cyber security software solutions and security controls is essential, they can easily be undermined by lax physical plant security or by members of a remote workforce failing to follow security practices. That is why policies, procedures, and training are required for effective risk management.

While there are a variety of frameworks that specify security controls, such as NIST SP 800-53 and CMMC, they do not by themselves incorporate risk management or process improvement. For those industries that must comply with these standards, an ISMS can greatly facilitate meeting these regulatory requirements.

CVG Strategy ISMS Solutions

As the GoDaddy multi-year security breach illustrates, businesses worldwide are under attack from players that are well funded and very focused on compromising proprietary data. IT solutions alone are not sufficient to combat these forces. CVG Strategy can help you attain ISO 27001 certification, which demonstrates a commitment to data security through an internationally recognized process.

Viable solutions involve all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident response, and an internal auditing process that yields continual improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations. Our experts can tailor a program using a risk management process to identify information assets and interested parties. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

CVG Strategy also provides consulting services for NIST 800-171 and CMMC Certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

Tabletop Exercises for Cyber Incident Response


Tabletop Exercises for Cyber Incident Response teams are effective tools for assessing the ability of an organization to protect and preserve sensitive data. These exercises engage team members in responding to a variety of scenarios. This provides an evaluation of the Cyber Incident Response Plan’s technologies and processes, and of the personnel’s ability to maintain confidentiality, integrity, and availability of information.

Types of Tabletop Scenarios

Scenarios can be created that are relevant to all business sectors, from a large organization that implements Internet of Things (IoT) technology involved with critical infrastructure to a small organization finding ways to deal with data breaches and ransomware attacks. These scenarios need not be limited to computer networks. The exercises can also include natural disasters such as fires, floods, and storms.

Scenarios can also cover data shared with third parties that could threaten an organization’s supply chain. Additionally, internal threats should be considered, such as cyber attacks from employees and contractors. In essence, all involved parties should be included and all types of cybersecurity threats should be considered when appraising the incident response plan.

Sources for Tabletop Exercises

A number of standards are available for conducting these sessions. Sources should be selected based on the requirements of the organization. One such standard is available from the National Institute of Standards and Technology (NIST), NIST SP 800-84. This exercise is overseen by a facilitator and involves breakout groups.

The Cybersecurity & Infrastructure Security Agency (CISA) also provides publications that cover numerous threat vectors, including ransomware, insider threats, and phishing. Materials are available for specific organization types such as local governments, schools, industry, health care, and infrastructure such as water systems.

Guidelines for Getting the Most From Your Exercise

First, understand and define the risk environment for your organization. This should be a process that involves upper management and all stakeholders. Many risks can be addressed for mitigation, but others, such as a meteor strike, may be accepted. This will set boundaries for your exercise session.

Second, complete your Incident Response Plan. It is impossible to assess something that has not been formalized. Create a plan and give your team members ample time to understand it. This will lead to a fruitful process that illuminates where the plan is likely to succeed and where changes will need to be made.

Information Security Management Systems

Ultimately, an organization must address risks in order to manage any deterrence or mitigation plan effectively. This involves identifying the risk, planning mitigations, assessing the effectiveness of the plans, and acting to continually improve performance. To effectively oversee a cybersecurity framework, an Information Security Management System (ISMS) is required.

An Information Security Management System is a collection of policies, procedures, and controls that systematically address information security in an organization. It is a framework based on risk assessment and risk management. The most widely recognized and adopted ISMS standard in the business environment is ISO 27001. It shares many features with a quality management system standard such as ISO 9001.

Because an ISMS is a management system, it incorporates mitigation strategies beyond technical solutions such as firewalls and antivirus programs. As such, an ISMS must be designed to the specific requirements and risk profile of an organization. This includes establishing objectives for the security controls and identifying all information assets within the organization (including electronic data, people, and paperwork).

CVG Strategy Information Security Management System Consultants

To assist businesses handling Controlled Unclassified Information (CUI) in meeting the challenges of implementing and maintaining an Information Security Management System (ISMS), CVG Strategy has developed an approach that combines the requirements of Cybersecurity Maturity Model Certification (CMMC) compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals. CVG Strategy ISMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. We can also provide assessment services, including Tabletop Exercises for Cyber Incident Response, to validate your organization’s ability to protect and preserve sensitive information.

DDTC Open General License Program


The Directorate of Defense Trade Controls (DDTC) Open General License (OGL) pilot program has been instituted to ease the conditions under which exports, reexports, and retransfers of unclassified defense articles may be performed between pre-approved parties. This program started on August 1, 2022 and will continue through July 31, 2023, at which time the DDTC will evaluate the merits of the program.

This system is similar to programs in Japan, Australia, and the United Kingdom. The OGLs pertain to specific reexports and retransfers of unclassified defense articles to support the mission readiness of United States allies. They specifically apply to trade activity involving maintenance, repair, and storage of unclassified defense articles enumerated under the International Traffic in Arms Regulations (ITAR).

Limitations of the Open General License Program

The following limitations apply to the applicability of OGLs:

  • The OGL pertains to the retransfer and reexport of unclassified defense articles to the governments of the United Kingdom, Canada, and Australia. It is also applicable to members of the Australian or UK communities and Canadian-registered persons. All retransfers or reexports must take place within the physical territories of these countries.
  • OGLs are not allowed for items listed in the Missile Technology Control Regime (MTCR), which are denoted as (MT) in the current version of the ITAR.
  • The transfer of technical data is limited to information to be used for maintenance, storage, or repair of defense articles.
  • The original export must have been conducted under a previous license or approval by the DDTC.
  • Current OGLs are valid for a period of one year from issue.
  • Appropriate records must be maintained and made available to the DDTC when requested.
  • Items that were originally exported through Foreign Military Sales (FMS) are not eligible for OGLs.

CVG Strategy Export Compliance Services

Our export compliance team of experts can help your organization incorporate the DDTC Open General License program to facilitate further transfer of defense articles already approved by the DDTC.

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) regulations, the Canadian Controlled Goods Program (CGP), and those of other regulatory agencies.

CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multi-national organizations. CVG Strategy’s experts are not ex-government employees; they understand the needs and goals of small to medium-sized operations in managing compliance requirements. They also have expertise in the implementation and maintenance of a wide variety of management system standards.

Understanding Export Administration Regulations (EAR)


The Importance of Understanding Export Administration Regulations (EAR)

Understanding Export Administration Regulations is especially important for businesses today because of the prevalence and ease of conducting international trade in today’s world. Many businesses learn too late the consequences of remaining ignorant of federal export control laws. Unfortunately, ignorance is not a defense when a party is found to be in violation of these regulations.

Title 15 of the Code of Federal Regulations

The Export Administration Regulations (EAR) are a set of regulations in Title 15 of the Code of Federal Regulations. These regulations are overseen by the Department of Commerce and enforced by the Bureau of Industry and Security (BIS) to protect national security and support United States foreign policy.

Items falling under the jurisdiction of the EAR include “dual use” items that have the potential to be used for both civilian and military applications. Depending on the classification of an item and the nation of intended export, the BIS may require an export license. Regulations under the EAR are subject to constant change in response to international political events. While the EAR is not the sole set of regulations, it is the set that covers the broadest range of items for export and reexport.

Other regulations include:

  • The International Traffic in Arms Regulations (ITAR), which control defense articles and services listed on the U.S. Munitions List (22 CFR part 121).
  • The Treasury Department’s Office of Foreign Assets Control (OFAC), which administers embargoes on specific nations.
  • The U.S. Nuclear Regulatory Commission (NRC), which controls the export and reexport of nuclear materials and technologies.

What is an Export Under EAR?

An export can be a tangible or intangible item. Intangible items include software, technology, or information. This means that in certain cases a telephone call, email, or conversation could be deemed an export and could violate federal regulations. For effective export compliance, therefore, a large part of a business must be involved, not just those directly involved with sales.

EAR Export Classification

The first action any business must perform when seeking to export a product is an Export Control Classification. Items which are not controlled under ITAR or other regulations fall under the EAR. EAR classifications are listed in the Commerce Control List (CCL) (15 CFR Part 774) and are designated by a five-character alphanumeric code.

Most items fall under the classification of EAR99, which means they are not specifically controlled for export. Other classifications are for items that may be controlled because of their specific performance characteristics, qualities, or designed end use. Exports of these items are very specifically defined and may be restricted or require licensing depending on the country of intended export.

Due Diligence

Even if an item is deemed EAR99, you must ensure the item is not going to an embargoed or sanctioned country, to a prohibited end-user, or to a prohibited end-use. These checks must be documented for every transaction. Furthermore, Schedule B export codes must be reported to the Foreign Trade Division for the collection of U.S. export statistics.

Export Compliance Program Requirements for EAR

The EAR has specific requirements for an organization’s management of the export of controlled items, including the establishment of a viable Export Compliance Program (ECP). The elements of an ECP include:

  • Management commitment to ensure provision of adequate resources for the program
  • Documented procedures for export functions
  • Record keeping
  • Training of individuals within the organization
  • Regular audits of the compliance program
  • Procedures detailing corrective actions to be taken in the event of an export violation

Penalties Under the EAR

As specified by the Export Administration Regulations in the Code of Federal Regulations (CFR), enforcement actions may include the following:

  • Civil penalties may be the greater of $300,000 or twice the value of the transaction
  • Criminal penalties up to $1,000,000 and/or up to 20 years imprisonment per violation
  • Debarment and denial of export privileges

CVG Strategy Can Help

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sale or could result in international sales. Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines. It can also result in civil penalties and debarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply.

CVG Strategy can help you in understanding Export Administration Regulations and establishing a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  Contact Us with your export regulation questions.

Quality Objectives – SMART Goals Provide Results


Achieving quality objectives is a goal when implementing and maintaining any ISO 9000 family quality management system (QMS).  To achieve goals, however, an organization must first clearly delineate what those objectives are.  Establishing quality objectives is a requirement under the planning clause of ISO 9001:2015.  However, to obtain the greatest value, care should be taken in this very important step.

Quality Objectives and Planning to Achieve Them

The ISO 9001 standard requires that established objectives should be consistent with an organization’s quality policy, that they be measurable, be applicable to an organization’s requirements, and be relevant to the conformity of products and services.  They should also be monitored, communicated, and updated as required.

This approach can yield benefits for an organization and does indeed meet the requirements of ISO 9001, but by applying SMART objectives, an organization can provide a more effective framework for achieving continual improvement and customer satisfaction.  

SMART Objectives 

SMART Objectives were first defined by George Doran in 1981 in the November edition of Management Review to define a way of setting objectives for employee review.  These goals are parametric and as such provide tractability and structure to elements that might otherwise be dealt with subjectively.  The elements of the SMART approach are:

  • S – Specific
  • M – Measurable
  • A – Achievable
  • R – Relevant
  • T – Time Based

Specific objectives are obtainable when reviews of an organization’s performance have been conducted on viable data.  For example, if there has been an issue with on-time deliveries of products, then a proper response would be to attempt to better this performance.  To be specific in this response, it would be important to document the contributing factors that led to the late deliveries and determine the resources or actions necessary to achieve improvement.

Measurable goals are an important component of SMART goals and indeed to any QMS.  To effectively evaluate a situation, metrics must be applied that can set expectations and determine if objectives have been met.  Because this is the basis of any QMS monitoring system it should therefore be a given, but it is an important item to check when establishing objectives.

Achievable goals also provide for better monitoring of an objective’s outcome.  If, using the previous example, management sets an objective of zero late deliveries, then that goal may never be met.  This will be a cause of frustration for all team members because it fails to take into account failures in the supply chain or facility closures due to acts of nature or pandemics.

Relevant goals take into consideration the ability of the organization to provide the necessary resources to an issue.  If the economics of a quality situation prevent human resources from acquiring personnel with adequate training, then expectations should be set for a degree of failure until adequate compensation can be budgeted.

Time Based goals are important in setting objectives in that they provide scheduling for ramping up performance.  If a solution involves acquiring new technologies and training team members on using that technology, then realistic expectations should be established for completion.  This gives all involved with the activity, its monitoring, and its review a benchmark against which achievement of the objective can be measured.

Cashing in on Opportunities

When establishing objectives, every challenge is an opportunity to achieve excellence.  Organizations that strive for continuous improvement will perform more efficiently and remain competitive.  This improvement can be made more viable and measurable if objectives are clearly researched and defined.  

To adequately research causes and effective corrective measures it is important to engage an organization at all levels because front-line workers can often provide a more granular perspective than an organization’s managers and senior leaders.  By affording all team members the opportunity to provide feedback, an organization can nurture a culture of continuous improvement that will provide results. 

CVG Strategy Experts

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have assisted organizations in establishing programs in a variety of quality management systems including ISO 27001, ISO 13485, ISO 14971, AS9100, and ISO 9001.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.


Risks and Opportunities – Utilizing Your QMS


Risks and Opportunities are Everywhere

Businesses evaluate risks and opportunities every time they make a decision.  It is all about weighing the probability of a positive outcome versus the impact or cost of a negative outcome from an action taken.

Strengths, Weaknesses, Opportunities, and Threats (SWOT)

For most organizations ISO 9001:2015 provides a Quality Management System (QMS) that can address the risks and opportunities.  This can be accomplished in a number of ways including performing a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis.  A SWOT analysis enables businesses to identify strengths and weaknesses.  It can also provide information that allows informed decision making in adapting business models. 

Risks and Opportunities play a role in continual improvement and should be implemented into your regular improvement processes.  Quality plans, corrective actions, non-conformances, and design and development plans are all areas that require “risk based thinking” prior to approval and implementation.  These quality processes (and more) are required and used by most companies who apply a formal and organized risks and opportunities procedure.

By identifying the risks and opportunities that are applicable to an organization, appropriate actions can be taken to limit the negative impacts of potential problems.  These actions can also allow an organization to capitalize on opportunities that can lead to new sales markets or product lines.  Properly acting on risks and opportunities can realize great profit for your company and help satisfy a fundamental requirement in ISO 9001:2015 for “risk based thinking”.

Risk Management in Medical Device Manufacture

For manufacturers of medical equipment, risk management is required to ensure that products can safely perform their designed tasks.  For medical device manufacturing, ISO 14971:2019 establishes general requirements for risk management.

The standard includes specifications for risk analysis, risk evaluation, and risk control execution.  It establishes the requirements for conducting evaluations of residual risk.  It also provides process criteria for risk management review.  Finally, the standard establishes requirements for gathering data on equipment during the production and post-production phases of the device life cycle.

The standard contains three annexes that contain rationale for the requirements, provide details for risk management processes, and define basic risk concepts.  It is accompanied by a guidance document, ISO/TR 24971:2020, that contains eight informative annexes providing detail on a variety of issues including the identification of risk, the roles and relationships between policies, risk acceptability, risk control, and risk evaluation, and special guidance for in vitro diagnostic medical devices.

Aerospace Industry Applications

Aerospace is an industry that must effectively address risk management.  AS9100 is the applicable standard for this industry.  This standard uses a High-Level System (HLS).  This HLS allows ease of use between standards and helps companies implement complex multi-standard quality management systems. 

CVG Strategy’s AS9100 Consulting Experts have prepared several multi-standard quality management systems for its customers (AS9100D & ISO 9001:2015 & Aerospace Customer Standard, AS9100D & AAR M-1003 [Rail Roads]).

AS9100D addresses key concerns of the aviation, space, and defense industries.  These include:

  1. Increased emphasis on Product Safety.
  2. Increased emphasis on the requirement for risk assessment in operational processes.
  3. Consideration of human factors in the work environment (e.g. distraction, fatigue, lack of resources, lack of knowledge).
  4. Improvement in stakeholder requirement assessment through configuration management.
  5. A reinforcement for individual awareness of product and service quality and safety.  This also pertains to ethical behavior in the performance of these tasks.
  6. Measures to prevent the introduction of counterfeit parts into the supply chain.

Risks and Opportunities Applied to Cybersecurity

Evaluation of risks and opportunities is also a function of an Information Security Management System (ISMS).  ISO 27001 uses risk assessment to protect information assets.  This is accomplished by examining security risks to data that is both digitally and non-digitally stored and then designing and implementing appropriate controls to mitigate these risks.  

Applicable controls for data protection include IT solutions, physical site security, and policies.  These controls are coordinated by management processes that ensure that these elements continue to provide adequate protection.

Information security is important to an organization’s customer base, supply chain, and partners.  Certification to this standard therefore provides business opportunities and a competitive edge.

Applications for Regulatory Compliance

Organizations are subject to a growing number of regulations and laws, regardless of their business sector.  Here again, risks and opportunities play a key role in the establishment of effective policies and procedures.  To address these concerns ISO 37301 provides a management tool to coordinate compliance management.  Proper application of this standard can help prevent breaches in compliance and provide increased stakeholder confidence.

Improving Business Performance

Regardless of an organization’s industry, having a comprehensive QMS helps your managers to raise the organization’s performance above and beyond competitors who aren’t using management systems.  It establishes expectations for your supply chain in terms of product quality and dependable delivery.  It also instills confidence in your brand by consistently meeting customer requirements.

This is because an effectively designed QMS identifies risks and establishes monitoring, measurement, analysis and evaluation to assess the performance of processes.  These processes are audited on a regular basis and results from these audits are reviewed by management so that non-conformities can be addressed with corrective actions.  

Additionally, the entire QMS is to be continually reviewed for its effectiveness so that improvements and enhancements can be made when opportunities arise.

CVG Strategy Experts

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in the past 10 years.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.

ITAR EAR Rules For US Companies and Citizens


ITAR and EAR – U.S. Export Regulations

The ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations) are export control regulations run by different departments of the U.S. Government.  Both are in place to ensure that restricted technologies do not get into the hands of terrorists and countries that are not operating in accordance with U.S. foreign policy.  An export license may be required for both ITAR and EAR controlled items if the parties involved are non-U.S. citizens or involve non-U.S. chartered corporations.

These regulations make it mandatory for businesses that manufacture and service electronic communications gear, armor, firearms, radios and other related items, to register with the federal government. While this system is a great way to protect sensitive information, the regulations have proven to be challenging for many businesses.

Article Classification

If an organization is involved with export, reexport, freight forwarding or brokering, a classification must be conducted on the item or service to be exported.  This classification should start with screening through the ITAR by determining if the item or service is enumerated in the United States Munitions List (USML).  If the item is not found in the USML then classification should be performed against the EAR Commerce Control List (CCL).  

Item classification for export should be performed by each organization involved in a transaction to demonstrate due diligence.  It is, however, appropriate to reuse an organization’s previous classification for a product or service if it has not been modified or revised.  When using a previous classification, it is important to ensure that the regulations cited are still current, as export regulations are undergoing constant revision.

Among the most confusing parts of the ITAR and EAR Rules are the stipulations they have for software development companies.  The regulations state that if the software has been modified for military use, then the company that produced it will have to comply with the regulations.

Applying for Licenses and Technical Assistance Agreements

If an item or service is enumerated in either the USML or CCL, the transaction may be banned or require licensing.  This will require compiling the required information as specified by either the Directorate of Defense Trade Controls (DDTC) for ITAR, or the Bureau of Industry and Security (BIS) for EAR.  This process can take a number of months in some cases, so determination of requirements should be performed well in advance of a projected transaction.

For services that fall under the jurisdiction of the ITAR a Technical Assistance Agreement (TAA) is required.  A Technical Assistance Agreement is a document which specifies the arrangement between you and the foreign person who will be the recipient of the defense service. A TAA must be approved prior to the release of technical data or a restricted defense service to a foreign person.

Technical data would include information on the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles whether or not the technical data is electronic or printed.

Establishing an Export Compliance Program

Both the DDTC and BIS have requirements for an Export Compliance Program.  Failure to implement and administer an effective export compliance program can result in fines, debarment (loss of ability to export products) and imprisonment.  Therefore it is crucial to have a program that meets all requirements.

An effective export compliance program must be integrated into all aspects of an organization. It must clearly define roles, establish policies, train all employees, and provide concise work instructions for the execution of required tasks. Furthermore it must undergo risk assessment and periodic auditing to identify potential shortcomings and incorporate corrective actions.

Considerations for Multinational Entities

Many organizations involved in the export of defense related goods or services have operations in multiple nations.  Often these operations are in Canada.  The Canadian Controlled Goods Program (CGP) under the Defence Production Act controls goods that have defense or national security importance.

To conduct an export of these items the party must be a Canadian citizen, resident, or registered business.  They must also be registered with the Controlled Goods Directorate and abide by all requirements of the Canadian regulations along with U.S. ITAR and EAR rules.

CVG Strategy Export Compliance Expertise

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet ITAR and EAR rules and requirements.  Smaller businesses often don’t have the bandwidth to dedicate to adequate export compliance.  Because of this we offer outsourced Export Compliance Officer services.  We also offer signs and accessories to aid in Visitor Access Control on our Export Compliance Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized ITAR Consulting and ITAR & Export Compliance Programs and Training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) requirements, and those of other regulatory agencies.

Using Your QMS for Organizational Development


Using Your QMS to Enhance Profitability

Using your Quality Management System (QMS) to improve processes can enhance customer satisfaction and increase profitability.  The key to achieving these goals is for the management team and senior leadership to identify the strategic direction of the organization and align the QMS to achieve those goals. 

Certification body quality auditors can identify problems, and they may identify some opportunities for improvement, but the ultimate responsibility for optimization of a QMS is in the hands of upper management.

ISO 10014 Quality Management Guidelines

ISO 10014 – Quality management — Guidelines for realizing financial and economic benefits, provides guidance to top management that enables an organization to achieve sustainable success.  These “management principles” are derived from and compatible with the ISO 9000 series quality management standards.  These principles can be used to develop processes to achieve an organization’s strategic objectives:

  1. Customer focus
  2. Leadership
  3. Involvement of people
  4. Process approach
  5. System approach to management
  6. Continual improvement
  7. Factual approach to decision making
  8. Mutually beneficial supplier relationships

Engaging Management Principles Through Strategic Decision Making

Like ISO 9001:2015, ISO 10014 focuses on the participation of top management.  It functions in conjunction with ISO 9004 to systematize performance improvements.  It provides examples of achievable benefits and outlines tools to realize them.   A key element in this strategy is effective process utilization of the Plan, Do, Check, Act (PDCA) methodology to examine the management principles listed above.

This approach allows for consistent application of evidence based decision making to financial and economic decisions.  The process accomplishes this by applying QMS approaches to the organization and its management.

Assessing the Maturity Level of an Organization

A task within the standard is for management to perform a self-assessment of the implementation of these management principles.  This provides management with an overview of the organization’s maturity level.

As the organization matures, it will increasingly embrace the standard and will exhibit characteristics of an agile and innovative group capable of sustained improvement. 

Benefits of Engaging in ISO 10014

Quality management programs are an important investment, and serious consideration should be given to their potential to provide return on that investment.  Given the time and resources required to engage in such a program, there should be measurable return in reduced costs, organizational efficiency, and increased customer satisfaction.

Adoption of the management principles incorporated in ISO 10014 can allow an organization to achieve its full potential.  By utilizing the standard’s management methods and tools an organization can become more proficient at achieving financial and economic targets while ensuring consistent improvement.

Economic and financial benefits are attained by more effectively managing resources and better implementation of processes.  When properly applied they can increase the overall worth and health of the organization.  Economic benefit can be realized through improved resource management and enhanced customer relationships.  Financial benefits are realized as a result of consistently adopting cost effective management practices.

CVG Strategy Quality Management Experts

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system.  That is because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have assisted organizations in establishing programs in ISO 27001, ISO 13485, ISO 14971, AS9100, and ISO 9001.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.


ITAR Export Compliance Regulations for Defense Products


ITAR Export Compliance Regulations

International Traffic in Arms Regulations (ITAR) Export Compliance regulations control the export of articles that are developed for defense-related applications.  This includes items that are designed for military systems or intended for a military purpose.   The Directorate of Defense Trade Controls (DDTC), which is part of the Department of State, administers the ITAR. 

Organizations or individuals that are involved with the manufacture, export, or import of defense articles are required to register with the DDTC.  This includes temporary importers and brokers.  ITAR controls not only physical items but extends to military product services and technical data.  Once registered the organization can then apply for any required licenses, approvals, or exemptions.

The History of ITAR

The Arms Export Control Act (AECA) and ITAR were implemented during the Cold War to establish unilateral arms control necessary for national security.  These controls have continued to change, and the rate of enforcement activity has dramatically increased in recent years.  Failure to comply with these export regulations can result in both civil and criminal charges.  The penalties can include fines, imprisonment, or revoking the ability of an organization to engage in export activities.

Product Classifications

The degree of controls for a given item is determined by its classification.  Organizations are required to self-classify their products.  Most classifications can be found in the United States Munitions List (USML).  Products relating to missiles or rockets can be found in the Missile Technology Control Regime (MTCR).

If a product classification cannot be found in the ITAR, then classification should be performed under the Export Administration Regulations (EAR).  The EAR, which is administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, regulates items that are usable for both commercial and military applications.

ITAR Approvals

The DDTC must approve any export or temporary import of a defense article or service.  The classification of the article or service and the nation to which the transfer is to occur are factors in the DDTC’s decision making process.  These approvals are generally granted as either a license or an approval.

A license must be obtained for the permanent or temporary export of an item, service, or technical data.  It is important to understand that the export of technical data can be performed by way of an email or conversation.

Approvals are given to authorize a U.S. person to provide a service to a foreign person.  They can also authorize the manufacture of defense items abroad or the establishment of distribution points for the transfer of items to foreign persons or agencies.

ITAR Compliance Program

The DDTC has specific ITAR requirements for registered organizations to adopt an Export Compliance Program.  These programs are to be adopted to create policies and procedures that prevent an organization from committing export violations.

A properly designed export compliance program should be tailored to the unique requirements of the business.  These requirements should include the size of the business, the percentage of sales that are export controlled, and the expected growth of the organization.  The plan should be kept current with changes in regulations and should include procedures to handle compliance issues.

Elements of an Export Compliance Program should include:

The Assignment of Roles

Defining roles and assigning capable personnel to carry out procedures is essential.  For ITAR, it is a requirement that an Empowered Official be appointed to oversee the compliance program.

Management Commitment

Management commitment to ITAR export compliance is vital in creating and maintaining an export compliance program.  Senior management must show public support for the policies and procedures and provide sufficient resources to the program.  Particular attention should be given to assure that adequate export compliance training is provided.

Risk Assessments and Audits

Risk assessments should be conducted to identify vulnerabilities so that procedures and processes can be developed to mitigate potential violations.  As a program is audited, these assessments should be remade to compensate for any inadequacies.

ITAR Education and Training

Regular training is a requirement for all employees involved in an export compliance program.  This training should convey the key U.S. Government agencies and export regulations applicable to the organization.  The training should also cover the factors that determine whether an export license is required and the consequences of failure to comply.

CVG Strategy Export Compliance Solutions

While many export compliance providers offer programs geared toward compliance with a single set of regulations, CVG Strategy offers a harmonized program that will ensure that your company is compliant with all of these regulations.  Furthermore, we consolidate this program in a collection of documents that can be integrated into a quality management system.

Quality Management Approach to Export Compliance

An effective export compliance program must be integrated into all aspects of an organization.  It must clearly define roles, establish policies, train all employees, and provide concise work instructions for the execution of required tasks.  Furthermore it must undergo risk assessment and periodic auditing to identify potential shortcomings and incorporate corrective actions. 

This makes an ITAR export compliance program an excellent choice for inclusion in a quality management framework.  CVG Strategy’s Export Compliance Management Program (ECM) Manual and associated documents are structured in accordance with ISO 9001 and AS9100D.  They provide policies, a manual, work instructions, and forms for the completion of specific export compliance tasks.

Support in Program Implementation

CVG Strategy can provide support in the implementation of your program to ensure that the specific requirements of your business model are met.  This ensures that the program will address all stakeholders and meet your regulatory and customer requirements. 

Our training programs ensure that your export compliance team is up to date in their comprehension of export regulations.  These engaging classes are available online on a regular basis.  They provide ample time for your questions and specific concerns. 

We can assist in export control classification of items against the United States Munitions List and the Commerce Control List.  We also provide ITAR program assessments to enable your program to pass audits.

Continuing Support Available

Many customers rely on our continued support when faced with complex issues with export compliance.  These can include difficult item classification issues or even guidance in voluntary self disclosure.  We also provide quick answers for your ITAR questions on a question by question basis.  Additionally, our ITAR Store can supply you with signs, visitor badges, and other accessories required for maintaining site security.

Corrective Actions – Make them Work For You


Corrective Actions Provide Opportunities for Improvement

Corrective Actions are excellent opportunities for process improvement and increasing profitability.  It is necessary, however, to implement a process to control these corrective actions.  This is often perceived by some as being a cumbersome, unnecessarily complicated, and time consuming process.  However, a properly constructed Quality Management System can ensure that the process is not excessively used on small problems.

It is, therefore, worth a second look at how you can make a corrective actions system work to help you find improvements.

When Are Corrective Actions Appropriate

Actionable items can be found when conducting an analysis of your organization’s performance.  These items could be found when reviewing:

  • feedback from staff
  • customer complaints
  • hazard reporting
  • product inspections
  • resolving non-conforming products or services
  • reviewing system failures
  • reviewing regulatory requirements
  • testing, inspecting, and monitoring of plant and equipment
  • internal audits
  • external audits

When an issue is identified, an investigation should be undertaken to determine the root causes of the problem.  At this point, both short term containment and permanent corrective or preventive actions should be formulated to correct the problem.  These proposed actions should then be reviewed through a risk assessment to determine their acceptability.  At this point a decision can be made as to what actions, if any, are recommended.

Implementation of Action

It is important to ensure that the action to eliminate the root cause of a problem can actually be accomplished.  An assessment should be made of whether training or retraining of staff is required.  All of these steps should be adequately documented as required by the applicable QMS standard.  Once this has been accomplished, the corrective action can be closed out.

Verifying the Problem Has Been Resolved

Once an action is implemented, management should schedule a review to analyze the results of the corrective action.  This should include an assessment of whether the action has been implemented as specified and whether the corrective action was effective.  After the actions have been verified, they should be monitored and improved if necessary, thereby closing the Plan-Do-Check-Act cycle.

The Advantage of Engaging in Corrective Actions and Continuous Improvement

Nonconformities will always be a reality for providers of products and services.  However, 'dealing with it' through a quality management system means that you eliminate the problem and make sure it will not happen again.  Thus, when viewed through the lens of continuous improvement, nonconformities become opportunities.  These opportunities can result in improved profitability and increased customer satisfaction.

Engaging in a Quality Management System

Your organization can greatly improve with an appropriately implemented quality management system.  The challenge is to tailor it to the specific context of the organization.  Determining that context includes ascertaining the needs and expectations of concerned parties, the culture of the organization, and the statutory requirements particular to the locale and type of enterprise.

Once the context has been determined, the scope of the management system can be specified and tailored to address the risks the organization faces.  Relevant policies, procedures, processes, and work instructions can then be created to begin the continuous improvement cycle.

CVG Strategy Quality Management Expertise

Achieving the highest possible return on investment is important, regardless of which quality management system standard your organization implements.  Taking advantage of all the features of that standard requires an understanding of Quality Management Systems and of the growing number of requirements businesses face in their specific sectors.

We can help you implement a quality management system, including a risks and opportunities procedure.  CVG Strategy has prepared, trained, and implemented quality management systems for manufacturing companies for over a decade.

Our Exemplar Global and Probitas Certified Quality Experts provide quality consultation in the Quality and Inspection disciplines to customers across North America.  Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system. 

We have assisted customers in implementing business management opportunities into their quality management systems by coupling our QMS expertise with our extensive experience in export compliance and product test and evaluation. 

CVG Strategy is a consultancy offering coaching, mentoring, training, and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security, and Product Test and Evaluation.


Voluntary Self Disclosure and Export Regulations


What is a Voluntary Self-Disclosure?

A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of United States export regulations have occurred.  The disclosure can reflect the organization's due diligence in detecting and correcting these violations.  When conducting a voluntary self-disclosure to the federal government, the following supporting documentation should be presented:

  1. A description of the type of violation involved
  2. A compilation of all data that was not reported or was incorrectly reported
  3. A list of the dates on which the violations occurred
  4. A description of how the violations occurred
  5. Identities and addresses of all involved individuals and entities
  6. Descriptions of any mitigating factors
  7. A compilation of corrective actions taken
  8. A list of Internal Transaction Numbers (ITNs) of affected shipments
  9. Any additional information relevant to the issues

Do you need to file a Voluntary Self Disclosure?

Violations of U.S. export law under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) can often occur without malfeasance.  It is therefore crucial that, when a company recognizes a violation of U.S. export law, it takes action to report the event.

Such a filing can help mitigate potential damage to your company and in most cases results in the avoidance of fines, penalties, and negative exposure.  Because failure to report violations may result in circumstances detrimental to U.S. national security and foreign policy interests, the enforcing agency will consider such a failure an adverse factor when determining enforcement actions.

Export Administration Regulations

The EAR is administered by the Bureau of Industry and Security (BIS).  The BIS considers VSDs an indicator of an organization's intent to comply with U.S. export law.  The BIS carefully reviews VSDs to determine whether violations have occurred.  It then determines the appropriate corrective action when violations of the export regulations have taken place.

International Traffic in Arms Regulations

The ITAR is regulated by the Directorate of Defense Trade Controls (DDTC).  The DDTC strongly encourages submitting a voluntary self-disclosure of any potential violations of the Arms Export Control Act.  Voluntary disclosures may be viewed as a mitigating factor when determining the administrative penalties, if any, that should be imposed.

Corrective Actions

It is important to realize, however, that the Voluntary Self-Disclosure is only the first step in addressing the potential violation.  Follow-up measures must be taken to address the occurrence, and organizational steps must be taken to prevent any subsequent similar violations.  This can involve any number of administrative actions but must include training to ensure future compliance.

Failure to implement these steps can lead to penalties from the enforcement agency involved.  These penalties can occur years after the initial incident if there is a recurrence of the violation and it is found that sufficient action was not taken.

Export Compliance Programs

To be certain, compliance with export law, as it relates to the EAR and ITAR, can be a challenge for any organization.  Development of a program tailored to the needs of your company is important in protecting its reputation and ability to conduct business.  This program must include relevant and regular training to maintain organizational rigor, and scheduled assessments to ensure that the compliance program keeps pace with the organization's evolution.

Conducting a Voluntary Self Disclosure

A voluntary self-disclosure can be painless, as long as it is honest and the company filing it takes action to prevent a recurrence.  This action would likely include a formal written ITAR compliance program, training, processes to control restricted items and data from access by foreign persons, and licensing when required by U.S. export law.  When a company files a VSD, it should ensure that all the documentation is prepared properly and in compliance with the requirements of the EAR or ITAR.

CVG Strategy Export Compliance Expertise

While many export compliance providers offer programs geared toward compliance with a single set of regulations, CVG Strategy offers a harmonized program that will ensure that your company is compliant with all of these regulations.  Furthermore, we consolidate this program into a collection of documents that can be integrated into a quality management system.

The CVG Strategy team has over 20 years of experience in U.S. export controls.  We can help you develop an ITAR Compliance Program appropriate to your organization's requirements and provide training to prevent occurrences that could lead to violations and the need to file VSDs.

We also have the experience to provide guidance when unforeseen incidents do occur and to help develop strategies to prevent future violations.  CVG Strategy has assisted many organizations in filing Voluntary Self-Disclosures over the past decade and is well equipped to help you if your company needs to file.

Context of the Organization and ITAR Compliance


Utilizing the context of the organization clause of an ISO 9001:2015 Quality Management System (QMS) can allow for a more resilient ITAR compliance program.  This can be accomplished by integrating export compliance into an existing management system that includes all the tasks required to ensure that business is conducted in accordance with federal regulations.  These tasks include top management involvement, risk assessment, training, and auditing.

What is Context of the Organization?

The context of the organization requirement in ISO 9001:2015 uses the internal and external issues that impact the organization's strategic objectives as inputs for establishing the QMS framework.  This means that you need to define the influences of various elements on the organization and how they reflect on the QMS: the company's culture, objectives and goals, complexity of products, flow of processes and information, size of the organization, markets, customers, etc.  It is also a means to detect risks and opportunities arising from the business context.

Assuredly, export compliance is an external factor that affects objectives, goals, and processes.  It also presents a risk to the organization because of the penalties that may be faced in the event of a violation of any number of federal export regulations.


What is Export Compliance?

The two major sets of U.S. export regulations are the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).  Both are in place to give the government a tool to ensure that restricted technologies do not get into the hands of nation states or parties that threaten U.S. security or impede U.S. foreign policy interests and obligations.

The ITAR was written to control the export of goods and services developed specifically for defense-related applications.  These goods are categorized in the United States Munitions List (USML).  The EAR controls items that fall under a dual-use classification on the Commerce Control List (CCL).  An export license may be required for both ITAR- and EAR-controlled items if the parties involved are non-U.S. citizens or non-U.S. chartered corporations.

Failure to comply with all parts of these regulations can result in significant fines and even imprisonment.  Additionally, a business can be banned from any future export activities.

Context of the Organization and Export Compliance

If your company manufactures products or provides services that are classified as restricted under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), consideration for compliance must be included in your QMS.  Registrars have become more aware in the past few years of how U.S. government regulatory compliance impacts companies and their operations, and they are starting to issue adverse findings against companies that explicitly ignore the ITAR or EAR in their QMS when they are clearly providing products or services that should be controlled.

Context of the Organization is all about the external and internal factors that guide the company in its pursuit of risk mitigation through its commitment to continuous improvement.  The Context of the Organization is the lens through which companies need to view their commitment to ITAR and EAR compliance.  It allows companies to formalize policies, processes, and procedures to ensure compliance and to enact procedures for responding promptly to incidents where violations may have occurred.

Consultants can help you understand how to implement this.  We do recommend that you work with a consultant who is fluent in the ITAR and EAR and is experienced in Quality Management Systems such as ISO 9001:2015, ISO 13485:2016, and AS9100D.

CVG Strategy Can Help

CVG Strategy consultants are experts in quality management systems and export compliance.  Our team members are Exemplar Global Certified Lead Auditors in these areas as well as ECTI-certified Export Compliance Professionals.  We have helped businesses of all sizes in a variety of sectors integrate their export compliance program into their quality management systems.


SuperMicro Hardware Hack on Server Motherboards


Bloomberg reported on February 12, 2021 that a Supermicro hardware hack had been conducted on server motherboards by a Chinese espionage program.  This report follows previous reports by the news agency in 2018 and illustrates the susceptibility of technology manufacturers to supply chain attacks.

The hack involved embedding a small integrated circuit into a trace on a multilayered printed circuit board.  This malicious hardware was inconspicuous enough to go undetected in quality assurance testing.  Its purpose was to send data from the server to China.  The hack has placed an unknown number of data centers in the public, private, and defense sectors at risk.

Spy Chips Found in Department of Defense Servers

According to the Bloomberg article, the United States Department of Defense (DoD) found in 2010 that large numbers of its servers were sending data to China.  Earlier, malicious chips had been found in Lenovo laptops used by the U.S. military in Iraq in 2008.  It is not known how much data was compromised by these laptops in Iraq.

The 2010 incident involved Supermicro servers on unclassified networks.  While the implanted servers did not send any data regarding military operations, they did provide the Chinese with a partial map of the DoD's unclassified networks.  Supermicro has stated in response to questions that it had "never been contacted by the U.S. government, or by any of our customers, about these alleged investigations."

According to Bloomberg's sources, security experts surmised that the implanted devices could be setting up networks for more extensive hacks or for sabotaging entire networks in the event of a conflict between nations.  In 2013, U.S. intelligence agencies including the National Security Agency decided to keep the discovery secret, install countermeasures, and begin gathering intelligence on China's motives without alerting it.

Supermicro Hacks Extend Beyond Hardware

Further investigation into the Pentagon breach ascertained that malicious instructions had been embedded in the servers' BIOS, the firmware that configures the computer and is executed during system start-up.  Malware of this type is difficult to detect by the means available even to users with good security practices.  These hacks were apparently carried out by Chinese agents early in product development.

Supermicro servers have also been compromised through firmware updates distributed from the company's own site.  These breaches were detected by Intel security executives in 2014.

Hardware Hack and Supply Chain Vulnerabilities

This series of incidents points out the vulnerability of industry supply chains.  Outsourcing the manufacture of electronic assemblies to foreign countries is a common practice to reduce costs.  However, business as usual may no longer be an acceptable practice.

U.S. government officials have in recent years been beating the drum about securing the supply chain, and while this may have immediate ramifications for the public and defense sectors, products destined for the private sector will continue to pose threats to network security and proprietary information.

Industry has been slow to engage in even basic cyber hygiene practices.  Whether it will be willing to apply stricter controls to its supply chain and manufacturing processes remains to be seen.  Clearly, the Supermicro case, along with the SolarWinds hack, calls for a serious reassessment of industry protocols and diligence.

Challenges for Information Security Management Systems

Information Security Management Systems (ISMS) are a compilation of policies, procedures, and controls to identify and mitigate risks to data security.  While incident response and asset management are features of these systems, assuring the security of the hardware, firmware, and BIOS of those assets raises concerns beyond the scope of many ISMS currently in place.

The National Security Agency (NSA) Cybersecurity Directorate has released Hardware and Firmware Security Guidance for aiding DoD administrators in the verification of systems currently in use.  This repository is continually updated as new information and guidance become available. 

Although this site is targeted towards the defense sector, it is applicable to organizations in the public sector as well.  A post on INFOSEC also lists a number of other hardware and firmware vulnerabilities.

CVG Strategy Cybersecurity Solutions

Security of data is essential for any organization.  This includes proprietary data and the sensitive data of partners and customers.  This latest report on the Supermicro hardware hack underlines the rapidly changing parameters of data security risk.

CVG Strategy is committed to helping businesses in all sectors secure their sensitive data.  We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.

We can provide the training required to understand and engage in an ISMS and make it meet your desired objectives.  This process includes defining the context of your organization, creating internal auditing processes, and much more.

The Department of Defense has been undertaking efforts to secure Controlled Unclassified Information (CUI) in its supply chain through the implementation of the Cybersecurity Maturity Model Certification (CMMC) program.  CVG Strategy is helping DoD contractors prepare for these requirements while meeting interim DFARS 252.204-7012 assessment requirements.