Controlled Unclassified Information (CUI) document marking requirements apply to a wide range of users who access information related to the U.S. government. CUI is unclassified information that requires safeguards or dissemination controls in accordance with governmental regulations and policies. CUI is categorized into 20 “Organizational Index Groupings” to address sectors such as Defense, Export Control, Legal, and Immigration. Each of these groupings is further divided into 124 specific “CUI Categories”.
CUI designated information can be shared for lawful government purposes only. Each agency can place additional limits on the dissemination of CUI beyond this scope. There are ten classifications of Limited Dissemination Controls, each with its own marking. For example, information designated for federal employees and contractors only is to be marked “FEDCON”.
Department of Defense CUI Marking Requirements
The Department of Defense (DoD) has requirements for the marking of the various types of CUI for government contractors and organizations in the defense industrial base. Information covered under these requirements includes information associated with DoD contracts, work products, and emails. Classified information and information not created by or under the control of the U.S. Government does not qualify as CUI.
The CUI designation replaces the DoD’s legacy For Official Use Only (FOUO) marking as an interagency standardized approach to information controls. CUI categories for defense include:
Controlled Technical Information
DoD Critical Infrastructure Security Information
Naval Nuclear Propulsion Information
Unclassified Controlled Nuclear Information – Defense
CMMC Requirements
DoD contractors under Defense Federal Acquisition Regulations (DFAR) 252.204.7021 are now required to achieve Cybersecurity Maturity Model Certification (CMMC) to protect CUI. The current level, CMMC 2.0 utilizes NIST SP 800-171 to establish minimum requirements and guidelines for this protection.
NIST SP 800-171 requires CUI document marking requirements. The standard states that visually identifying CUI is a basic tenet of information security so that authorized users understand which handling controls to apply. Labeling is identified as the use of security attributes for internal system data structures. Labelling is to be applied to digital media and non-digital media such as paper and microfilm.
CVG Strategy Information Security Management System Consultants
To assist businesses to meet the challenges in adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.
Identify Areas With CUI with CVG Strategy Signs
CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.
Managing an Export Compliance Program (ECP) properly ensures its effectiveness. These programs are essential to the sustainability of a business. However, any plan, no matter how well conceived, is only as effective as its execution.
Planning the Export Compliance Program
Specific requirements for an Export Compliance Program are contingent on the types of products an organization exports, the size of the organization, the number of exports, where articles are to be exported, and the end-use of the exported items. Each product or service to be exported should be classified to determine the United States Government agency involved in regulating the export.
The Directorate of Defense Trade Controls (DDTC), under the jurisdiction of the Department of State, controls defense articles and services categorized on the United States Munitions List (USML) These items are regulated under the International Traffic in Arms Regulations (ITAR).
The Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce administers the Export Administration Regulations (EAR). The EAR control the export of commodities enumerated in the Commerce Control List (CCL) with a unique Export Control Classification Number (ECCN). Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item.
Program Creation
A properly designed export compliance program should be tailored to the unique requirements of the business. These requirements should include the size of the business, the percentage of sales that are export controlled, and the expected growth of the organization. The plan should be kept current with changes in regulations and should include procedures to handle compliance issues.
Essential Elements of an ECP
Requirements for Managing an Export Compliance Program vary between these two agencies and organizations should refer to current requirements to create and maintain their program. However, these key elements are critical for any program.
Management
The management team has ultimate responsibility for the ECP. As such it should create and maintain a program, provide sufficient resources for its functions, and communicate its commitment through a written policy statement. Once initiated, management should regularly review and update the program as required for its proper function and foster a culture of compliance within the organization.
Management should also appoint and train Empowered Officials (EO) and Export Compliance Officers as required. These officers are responsible for overseeing activities of the program including classification, licensing, and restricted party screening.
Registration
Registration with the DDTC is a requirement for organizations falling under the ITAR. Program documentation should include instructions for registration and maintenance of registration.
Risk Assessment
Processes should be in place to assess risks associated with:
Exporting a controlled item without a required export license
A deemed export caused by the unauthorized release of sensitive information or controlled technologies
Servicing of items outside of the United States
Restricted Party Screening
It is the responsibility of the exporter to ensure that exports do not end up in the hands of prohibited end-users. Procedures should be in place to verify the legitimacy of the buyer, obtain end-use statements, screen all involved parties against denied parties lists, and ensure that shipping documentation notifies all parties of the nature of the export.
Record Retention
Retention of documents pertaining to export activities should be maintained for a minimum period of five years. For electronic documentation, care should be taken to ensure confidentiality, integrity, and availability of information. Specific roles and responsibilities for maintaining these records should be assigned.
Training
Any Export Compliance Program is only as resilient as its weakest link. Training is mandatory for all members of an organization that are involved with controlled items. This training should provide job specific knowledge, communicate responsibilities, and impart accountability for compliance. This training should be periodically reviewed to ensure knowledge and update personnel on changes in regulations or policies.
Audits
The export compliance program should be regularly audited to assess its effectiveness. Audits should be conducted on specific functional levels as well as the program level. While these audits can be conducted internally, it is considered a best practice to conduct an audit with an outside auditor.
Handling Export Violations and Taking Corrective Actions
Violations can occur even in a well-executed export compliance program. In the event of a violation, procedures should be in place to address the investigation, corrective action processes, and voluntary disclosure. An organizational culture should be in place that encourages employees to suspected violations and ensures a safe environment for doing so.
Compliance Manual
Elements of the Export Compliance Program should be detailed in a manual that is available to all employees. This manual should stress the importance of compliance to the organization and provide a summary of relevant export laws and regulations. It should explain the functions of the compliance program and identify roles and responsibilities within the program.
The manual should reference policies and procedures necessary for the performance of functions within the program and contain necessary templates for communicating with relevant agencies. This manual should be updated regularly in response to changes in regulations, organizational knowledge obtained in maintaining the program, and vulnerabilities and key risk areas identified in program review processes.
Managing an Export Compliance Program is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.
CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.
Voluntary Self-Disclosure policy updates were issued jointly by the Department of Commerce, Department of Treasury, and the Department of Justice. Under the moniker of Tri-Seal, the three agencies provided information about the self-disclosure process for violations of sanctions, export regulations, and other national security laws.
These three agencies have been increasingly coordinating efforts to prevent sensitive U.S. technologies and goods from being acquired from U.S. adversaries and to prevent abuses of the financial system by sanctioned parties. This announcement further details a memorandum previously released by the Bureau of Industry and Security (BIS) in May of 2023,
Defining a Voluntary Self-Disclosure
A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of U.S. regulations have occurred. It is the responsibility of the organization to report such findings in a timely and transparent manner to the appropriate federal agency. The three major sets of U.S. regulations for export compliance are, the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).
Increased Regulatory and Enforcement Activity
There has been increased activity from the BIS, which enforces the EAR, and OFAC in terms of increased regulations and enforcement activity in recent years. These actions have been in response to developments in the international arena in an effort to protect U.S. foreign policy and national security interests. This continuing change in regulations and sanctions lists increases the likelihood of a business involved in export to inadvertently transfer controlled goods or information to a restricted country, person, or entity.
Summary of Comments
Department of Justice’s National Security Division (NSD)
The NSD restated its updated policy to incentivize organizations to promptly disclose potential violations of U.S. sanctions or export regulations. In cases where organizations do perform a disclosure, the NSD will generally not pursue prosecution and the company will not need to pay a fine. This NSD policy also applies to other corporate criminal matters such as enforcement of the Foreign Agents Registration Act, laws prohibiting support to terrorists.
Bureau of Industry and Security
The BIS encourages voluntary disclosures of potential violations of the EAR. When these disclosures are conducted in a timely and comprehensive manner with full cooperation, the BIS will substantially reduce civil penalties. This includes cases where controlled items, technology, have been transferred or transactions that have involved boycott violations.
The BIS had formerly announced a dual-track system whereby minor or technical infractions are processed within 60 days of final submission. This would include an issuance of a warning or a no-action letter from the Office of Export Enforcement (OEE).
The agency considers a deliberate nondisclosure an aggravating factor when determining severity of penalties. Furthermore, organizations cannot engage in self-blinding behavior in cases where violations may have occurred. Additionally, the BIS considers the existence of an adequate and engaged export compliance program a factor in case settlements.
Department of Treasury’s Office of Foreign Assets Controls (OFAC)
The OFAC considers a voluntary self-disclosure to be a mitigating factor in the determination of enforcement actions. In cases involving civil monetary fines, a properly performed VSD can result in significant reduction of fines. As with the BIS these disclosures must be self-initiated and not include false or misleading information.
As these Voluntary Self-Disclosure policy updates illustrate, the federal government is accelerating its regulatory and enforcement activities. It is essential that businesses involved with export have effective compliance programs in place that can conduct internal investigations, and, if required timely and appropriately remediate deficient processes.
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.
CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.
A Five Eyes export control agreement seeks to enhance the security concerns of Australia, Canada, New Zealand, the United Kingdom, and the United States by formally committing to coordinate export control enforcement efforts. Matthew S. Axelrod, Assistant Secretary of Commerce for Export Enforcement, stated that this will result in detentions, public identification, and penalties for actors who evade export controls.
This joint effort will serve to minimize gaps in export compliance investigations and enforcement. It will also leverage enforcement resources to expand the participating nations’ enforcement capacity. Additionally, these nations will engage members in private industry sectors to mitigate export diversions.
The restriction of technologies that could be used for the proliferation of weapons by Russia against the Ukraine were specifically mentioned by Axelrod in his comments, though recent comments have also been focused on China.
Continuing Efforts by the Bureau of Industry and Security
These international efforts coordinate with recent efforts by the Bureau of Industry and Security (BIS) to enforce the Export Administration Regulations (EAR). These regulations from the Department of Commerce, have in recent years sought to further secure technologies that are being sought by Russia and China through illicit procurement methods.
This is not the first mention of international coordination by the United States. The U.S. has worked with Japan recently in efforts to mitigate circumvention and evasion of sanctions leveled against Russia. Actions by the Office of Foreign Assets Control (OFAC) have recently engaged international partners to enforce sanctions and prosecute money laundering operations.
Aside from international efforts, U.S. agencies involved in export compliance have joined forces to combat illicit export of sensitive technologies. These efforts are combining the capabilities of the Department of Justice, the FBI, and Homeland Security Investigations into the Disruptive Technology Strike Force.
The History of Five Eyes
Early beginnings of this alliance can be traced to cooperative efforts between code breakers of the United States and the United Kingdom during World War II in 1941. This took place at Bletchley Park and preceded official U.S. involvement in the conflict.
Five Eyes was formalized after the war and shifted its efforts in response to cold war threats posed by the Soviet Union and China. The agreement was later signed by Canada, Australia, and New Zealand. This agreement, though in effect for decades, was not made known to the public until 2010.
As the cold war receded with the fall of the Soviet Union, the alliance continued to be repurposed to support international security concerns. During the 1990’s, participating agencies focused their efforts on the “war on terror”. Their efforts have continued in the fields of signals intelligence, defense intelligence, and human intelligence.
There is a great deal of controversy surrounding Five Eyes over its methods, as it monitors worldwide communications, even on its own citizens. It remains, however, to be an extremely powerful espionage alliance.
A Five Eyes working group was hosted by the Canada Border Services Agencey to focus on controls and sanctions in June of 2023. These discussions focused on the integration of methods for export compliance integration between the participating countries.
Increased Risks for Businesses Exporting Controlled Technologies
The Five Eyes export control agreement, while furthering the national security interests of the involved nations, creates additional risks for businesses involved in the export of controlled technologies that may unintentionally export goods to restricted parties. This applies to export by means of an exchange of information or actual shipment to foreign nationals.
Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Programs (ECP). These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR). While businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.
Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation. They also ensure that training, auditing, and record keeping are maintained according to requirements.
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.
CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance system. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.
The Department of Defense (DoD) is addressing foreign influence in academia with the publication a foreign entities list that includes threats to U.S. national security. This was announced in an address from Heidi Shyu, Under Secretary of Defense for Research and Engineering (USD R&E).
By adding this requirement for screening of potential partners, the Pentagon is attempting to ensure money is not going to projects that involve one of the blacklisted entities that harvest U.S. technology secrets or have relationships with intelligence organizations in the Peoples Republic of China and Russia.
The release of this list was a requirement under the 2019 Defense Authorization Act. This action was specifically undertaken to ensure that research and development initiatives funded by the DoD remain secure and that information gained is not stolen by foreign governments. The DoD is encouraging academic institutions, the research community, and industry partners to remain vigilant and exercise caution when selecting research partners.
Entity List Part of a Continuing Effort
This latest effort by the DoD is part of a continuing to protect the integrity of science and technology research. In June of 2023 Shyu signed in a policy that directs research enterprises engaged in DoD research projects to evaluate potential financial conflicts of interest or commitments.
Additionally, the National Science Foundation’s (NSF) has released list of documents that outline procedures for risk assessments for preventing the misappropriation of research and development efforts. These actions set disclosure requirements for participants in federally funded research, to reveal potential conflicts of interest or commitment. They also provide “clear messaging” about what constitutes acceptable behavior with regard to foreign interests.
In December of 2020, the Government Accountability Office (GAO) released a report calling for enhanced policies for addressing foreign influence in federal research. It sought to find means for combat undue foreign influence while maintaining an open research environment.
U.S. federal agencies have thwarted numerous attempts by China to steal U.S. defense sector technologies. Recent enforcement activities as reported by Military Times, included the indictment of Chinese nationals who were involved in a campaign to turn U.S. citizens into spies. These individuals are part of an entity defined in this released list.
Addressing Soft Power Espionage
The federal government is also addressing indirect espionage by Trojan Horse institutions that encourage research organizations to disclose sensitive information. The Confucius Institutes is such an organization in that it attempts to attain information by convincing professors and students that China does not pose a threat and can benefit their research initiatives.
Confucius Institutes have been sponsored by the Chinese government since 2004 in universities around the world in an effort to carry out a number of propaganda objectives. While many have closed as a consequence of governmental actions, they have often later reappeared under various titles.
Complexities Involved in Maintaining Compliance
Universities and research laboratories face numerous regulatory boundaries with regard to export controls on information. However, additional compliance requirements are invoked by the Department of Defense. These requirements may vary across departments or agencies within the DoD. As such these institutions should exercise due diligence with regard to the risks involved in any research activities.
The DoD is addressing foreign influence in academia to protect U.S. national and economic interests. These threats are present in all sectors including developers of defense items and items with dual-use capabilities. It is the responsibility of all organizations involved in export or deemed exports to seriously consider export compliance requirements.
If you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements. As the BIS place controls on a growing number of technologies it becomes increasing difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.
During a recent address at the Ethics and Compliance Initiative Impact Conference, Marshall Miller, the Principal Associate Deputy Attorney General at the Department of Justice (DOJ), stressed Export Compliance diligence in ensuring compliance with export regulations. He further stated that as the agency continues enforcement efforts connected to United States national security investigations that they are increasingly encountering corporate crime.
These crimes have varied from money laundering to sanction violations and even involvement in terrorist organizations. Corporations involved in these acts have included companies involved in construction, agriculture, telecommunications sectors, and financial institutions. Many were established, publicly traded entities such as LaFarge who was penalized $750 million for funneling monies to terrorist groups such as ISIS.
DOJ Increasing its Enforcement of Export Activity
The DOJ has dramatically increased its export control and sanctions enforcement activities. Previously the agency had minimal association with export, mostly centered around sanction enforcements. In February, however, the Disruptive Technology Strike Force was formed as a multi-agency initiative to target illicit export of sensitive technologies. Agencies included in this enforcement effort will include the Department of Commerce, the FBI, and Homeland Security Investigations (HFI).
In enacting this law enforcement, U.S. agencies will use use advanced data analytics, and enhanced intelligence to coordinate actions. They will be furthering coordination between agencies in the Intelligence Community and enhancing partnerships in the private sector. Additionally, the agency added over two dozen new prosecutors to the DOJ’s Nation Security Division to focus on corporate crime.
The department is also issuing joint advisories with the departments of Treasury and Commerce and SEC to inform the private sector about evolving national security concerns. Given the current state of global affairs, it can be expected that these updates should be frequent.
What Compliance Managers Can Expect
In the current global landscape, private sector businesses are at the forefront of facing the geopolitical and national security hurdles. Export Administration Regulations, sanctions, and other regulations are rapidly changing. This has placed a dynamic and increasingly complex load on companies that are serious about compliance.
Marshall Miller and the Assistant Attorney General have repeatedly iterated how the DOJ will approach enforcement of export controls and sanction violations. The department has upgraded and standardized its approach to organizations that voluntarily self-disclose. The Criminal Division’s Voluntary Self-Disclosure Policy incentivizes companies to disclose misconduct uncovered during program audits and due diligence. The Criminal Division often declines enforcement actions against companies that promptly self-disclose violations, cooperate with the department, and engage in remediation policies.
Another area that has received a substantial overhaul pertains to companies with good export compliance programs acquiring companies with less than exemplary histories of conduct. Companies that conduct proper pre-acquisition investigations will be less likely to face penalties if problems later arise.
Concluding Remarks
In his closing remarks, Marshall Miller stated that, businesses that maintain effective compliance programs, protect our nation from security risks and protect their clients. He also stated that the Department of Justice will continue to conduct robust enforcement with predictability, uniformity, and transparency so as to incentivize businesses to cooperate with them.
Recent comments of the DOJ stressed Export Compliance programs should place regulations that involve national security high in their risk assessments. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply with rapidly evolving regulations.
If you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements. As the BIS place controls on a growing number of technologies it becomes increasing difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.
Recent enforcement activities by the Bureau of Industry and Security (BIS) illustrate the importance of having a viable Export Administration Regulations (EAR) Export Compliance Program. These events including a 300-million-dollar penalty imposed on Seagate Technology earlier this year, are as Assistant Secretary for Export Enforcement Matthew Axelrod described, “a clarion call” for businesses to comply with BIS export laws.
Export Administration Regulations (EAR) control the export of commodities enumerated as described in15 CFR §730. The EAR are administered and enforced by the Bureau of Industry and Security (BIS) under the auspices of the Department of Commerce. These regulations are in place to advance the national security and foreign policy objectives of the United States Government.
Items controlled under the EAR are listed in the Commerce Control List (CCL) and identified by a unique Export Control Classification Number (ECCN). Prohibition of export or requirements for licensing are based on the classification of the item, the destination of export, the end user, and the end use of the item.
Elements of an Export Compliance Program
Export compliance programs must have processes in place to identify, prevent, and mitigate export regulation violations. These programs should include the following components in a manner that is coordinated with a cohesive management system.
Management
An effective export compliance must have commitment from top management as reflected in an official policy statement. This statement should include statements that no sale or transfer of controlled items will occur and identify persons to contact if potential violations or compliance questions arise. Management must also provide adequate resources for the compliance program and develop a company culture of compliance through example and training.
Risk Assessment
Processes should be in place to assess risks associated with:
Exporting a controlled item without a required export license
A deemed export caused by the unauthorized release of sensitive information or controlled technologies
Servicing of items outside of the United States
Organizational Operations
Programs should have clearly defined roles with sufficient oversight. Interdepartmental cooperation and communication within the organization are critical. When organizations have multiple campuses, considerations should be given to the degree of independence required to maintain compliance at each location. Furthermore, procedures related to the compliance programs should be delineated in a properly maintained document system.
Screening of Customers
It is the responsibility of the exporter to ensure that exports do not end up in the hands of prohibited end-users. Procedures should be in place to verify the legitimacy of the buyer, obtain end-use statements, screen all involved parties against denied parties lists, and ensure that shipping documentation notifies all parties of the nature of the export.
Customer screening should address the risk of unauthorized diversions of exported items and ensure that agreements are not made in violation of Anti-boycott laws.
Export Authorization
Processes should be in place for the proper classification of products and services. Classifications should begin with determining if the item falls under the International Traffic in Arms Regulations (ITAR) which are administered by the Directorate of Defense Trade Controls. Then determinations can be made as to whether the item is subject to the EAR.
Once classification has been completed a determination should be made if the intended export is prohibited, licensing is required, or license exemptions apply.
Record Retention
Retention of documents pertaining to export activities should be maintained for a minimum period of five years. For electronic documentation, care should be taken to ensure confidentiality, integrity, and availability of information. Specific roles and responsibilities for maintaining these records should be assigned.
Training
Any EAR Export Compliance Program is only as resilient as its weakest link. Training is mandatory for all members of an organization that are involved with controlled items. This training should provide job specific knowledge, communicate responsibilities, and impart accountability for compliance. This training should be periodically reviewed to ensure knowledge and update personnel on changes in regulations or policies.
Audits
The export compliance program should be regularly audited to assess its effectiveness. Audits should be conducted on specific functional levels as well as the program level. While these audits can be conducted internally, it is considered a best practice to conduct an audit with an outside auditor.
Handling Export Violations and Taking Corrective Actions
Violations can occur even in a well-executed export compliance program. In the event of a violation, procedures should be in place to address the investigation, corrective action processes, and voluntary disclosure. An organizational culture should be in place that encourages employees to suspected violations and ensures a safe environment for doing so.
CVG Strategy Export Compliance Programs
EAR Export Compliance Programs are essential for businesses involved in the export of items listed on the CCL. These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.
CVG Strategy can help you understand Export Administration Regulations, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.
BIS restrictions on technologies to the PRC are being put in place to limit China’s ability to enhance its military capabilities, according to Thea D. Roxman Kendler in testimony to the Senate Banking, Housing, and Urban Affairs Committee. Roxman is the Assistant Secretary of Commerce at the Bureau of Industry and Security (BIS) in charge of the development of export regulations.
Department of Commerce Export Controls
The BIS, under the authorization of the Department of Commerce, protects U.S. national security and foreign policy objectives by ensuring that technology developed in the United States is not made available to adversaries. This is accomplished by identifying sensitive technologies, developing policies and strategies, and reviewing license applications for the export of these items under the Export Administration Regulations (EAR).
The BIS maintains controls of the shipping, transmitting, or transfer of items categorized as dual-use items. These are items, software, and technology that have both civilian and military applications. Dual-use export controls are applicable to:
Military and spacecraft items enumerated in the Commerce Control List (CCL)
Multilaterally controlled dual use items
Items with civil applications that will be exported to parties with intended military purposed end use
Exports to parties identified on BIS’s Entity List
The BIS continues to work with interagency partners in the Department of State, Department of Defense, and Department of Energy. It also works with international partners such as the Global Export Control Coalition to enhance the effectiveness of these controls.
Effects of Enhanced Regulatory Activities on the Export Community
The BIS is applying increased scrutiny on license applications submitted by exporters sending items to the PRC. This is due to the concern over the risk of technologies being diverted to parties other than those described in license applications.
This has resulted in longer license processing time. In 2022 license applications for the PRC took an average of 90 days to process, up from an average of 76 days for 2021. In CY 2022, approximately 26 percent of license applications for exports to the PRC were returned without action or denied.
Additionally, licensing applications have dropped, as fewer U.S. companies are applying to export sensitive technologies to China. During 2022, the BIS witnessed a drop of applications for the PRC of over twenty-six percent. This is due to the fact that businesses are becoming increasingly aware that license applications are likely to be denied and are looking for red flags when screening potential customers.
Specific Technologies Restricted for PRC Export
Semiconductor and Hypersonic Technologies
The BIS is using restricting very specific technologies so as to protect U.S, interests while not unduly imposing limitations on legitimate commercial trade. As an example, in May of 2022 the agency placed controls on the following technologies:
Ultra-wide bandgap semiconductors used in semiconductors devices intended for use in severe conditions where high temperatures and voltages are present.
ECAD software tools are used in the design process of integrated circuits and printed circuit boards for development of Gate-All-Around Field Effect Transistors (GAAFET).
Pressure Gain Combustion used in the development of high-speed applications such as hypersonic air-breathing propulsion systems.
Artificial Intelligence
In October 2022, the BIS addressed advanced computing and semiconductor manufacturing to limit PRC access to integrated circuits and supercomputing capabilities necessary for quantum computing and artificial intelligence (AI). AI presents particular concerns for U.S. national security as it can be used to improve the speed and effectiveness of military planning and logistics. AI can also be used in conjunction with electronic warfare, signals intelligence, and radar technologies.
Semiconductor Production Technology
BIS has also expanded controls on various entities tied to the PRC. These parties are now subject to the Foreign Direct Product Entity List rule that restricts them from obtaining semiconductor devices and other items. Additionally, controls have been placed on semiconductor manufacturing equipment required for high-end semiconductor production.
Biological Weapon Related Technologies
BIS restrictions on technologies to the PRC have also been placed on technologies that could be used for development of biological weapons. Devices used for automated peptides synthesis were specifically targeted due to their capabilities of being used in the design of new or enhanced pathogens.
Other BIS Actions
Civil Space Industrial Base Assessment
The BIS, under the auspices of the Department of Commerce, and the Office of Technology Evaluation (OTE) are evaluating the U.S. Civil Space Industrial Base (CSIB) by means of the authority of Section 705 of the Defense Production Act and Executive Order 13603. The intent is to gather information that will provide guidance for the formation of governmental policies and proposals.
These policies are generated in an effort to protect and advance U.S., national security, foreign policy concerns, and economic base. The assessment was requested jointly by NASA, NOAA, The NOAA Office of Space Commerce (OSC), and the National Environmental Satellite, Data, and Information Services (NEDIS). Members of the commercial space sector that are chosen for involvement in this study will be required to participate. Although this assessment is a one-time event the possibility for further studies is possible.
Increased Enforcement Activities
The BIS under the direction of the Department of Commerce and other export enforcement agencies have been changing the scope and enforcement policies in recent years to address the increased complexities of the international political arena. Export Administration Regulations (EAR) have continually been changing as more items are being added to the Commerce Control List (CCL).
David Axelrod, Assistant Secretary for Export Enforcement, has stressed on numerous occasions that the BIS intends to hold U.S. companies and foreign subsidiaries accountable for export violations to protect U.S. foreign policy and national security interests.
Recent events in enforcement include a 300-million-dollar penalty imposed on Seagate Technology, LCC. These actions were taken for alleged export of hard drives to the PRC and include a five-year suspended Denial Order, which if activated, would terminate the organization’s ability to conduct export business.
The Department of Commerce has initiated the Disruptive Technology Strike Force which will partner the BIS with the Department of Justice (DoJ) in the enforcement of the EAR. In enacting this enforcement U.S. enforcement agencies will use use advanced data analytics, and enhanced intelligence to coordinate actions. They will be performing more training of field agents and furthering coordination between agencies in the Intelligence Community.
A Call to Actions for Businesses Involved in Export
These BIS Restrictions on technologies to PRC shows the Department of Commerce’s commitment to continue ramping up enforcement of Export Administration Regulations. This action is the latest in a series of steps that show how serious the U.S. government is in protection of dual use items. Additionally, partners of the U.S. are coordinating efforts to enforce export control laws. Aside from enforcement, penalties both civil and criminal are increasing.
Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP). These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR). While businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.
Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation. They also ensure that training, auditing, and record keeping are maintained according to requirements.
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.
CVG Strategy can help you in understanding BIS Restrictions on technologies to PRC and help you in establishing a coherent and effective export compliance system. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Contact Us with you export regulation questions.
Photo by: Nave Petty Officer 2nd Class Sawyer Connally
The Open General License (OGL) Pilot Program has been implemented by the Directorate of Defense Trade Controls (DDTC) to ease licensing requirements for reexport and retransfer of unclassified defense articles to pre-approved parties in the United Kingdom, Australia, and Canada. The current program is in effect from August 2022 to July 31, 2026, pursuant to the International Traffic in Arms Regulations ITAR§120.22(b).
The OGL program is designed to support mission readiness of U.S. allies and to facilitate activities related to storage, repair, and maintenance of unclassified defense articles of existing deployed articles. It is not intended for supporting new acquisitions and capabilities.
Open General Licenses (OGL)
OGLs define the specific type of defense article and or technical data to be reexported or retransferred. It identifies all destination countries and recipients as well as intended end use of article. It also lists any additional requirements or limitations that must be satisfied for use as determined by the DDTC.
Retransfers are allowed under this program to the governments of the United Kingdom, Canada, Australia, members of the Australian or UK communities, or Canadian registered persons under OGL 1. Reexports are limited to those same parties under OGL 2. Items originally exported by way of Foreign Military Sales (FMS) are not eligible for OGLs.
The OGL program pertains only to unclassified defense articles exported by means of a license or approval from the DDTC. No items listed as Missile Technology (MT) in the United States Munitions List (USML) or listed on the Missile Technology Control Regime are eligible for OGLs.
Technical Data Limitations
Technical data eligibility is limited to organizational, intermediate, or depot level information pertaining to the storage, repair or maintenance of defense articles. The end use of this data must be by, or for, operation on behalf of the governments of Canada, Australia, or the United Kingdom. Technical data relating to any usage of Unmanned Aerial Vehicles (UAV), space-launch vehicles, or items on the MTCR Annex or ITAR part 121 is not eligible for OGLs.
Other Requirements
Other Open General License (OGL) requirements exist for the transferor of eligible defense articles. These include compliance with §123.9(b) of the ITAR which deals with the country of ultimate destination and information that must be incorporated into the commercial invoice. Records of each retransfer or reexport must be maintained and made available to the DDTC if required.
Congressional notification by the Department of State is required for any defense equipment valued at or exceeding $25 million. For defense services this limit is $100 million. These services are limited to maintenance repair, or overhaul of defense equipment that does not augment or increase the military capabilities of the equipment being serviced.
The Future of the OGL Program
The DDTC is carefully monitoring this program and considering options to enhance its capabilities. This program to those administered by other nations such as Japan, Australia, and the United Kingdom. Its intention is to facilitate United States foreign policy and national security objectives while ensuring that sensitive technologies are denied to U.S. adversaries.
CVG Strategy Export Compliance Services
Keeping abreast of and remaining compliant of ITAR requirements and other United States export controls is a challenge for businesses of all sizes. Partnering with a trusted expert in export compliance can provide your organization with systems and training to avoid expensive and reputation ruining violations.
CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), Office of Foreign Asset Controls (OFAC), Canadian Goods Program (CGP) and other regulatory agencies.
CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multi-national organizations. CVG Strategy’s experts are not ex-government employees, they understand the needs and goals of small to medium-sized operations in managing compliance requirements. They also have expertise in the implementation and maintenance of a wide variety of management system standards.
The #Stopransomware Guide update was released in May 2023 jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC). Information in this guide was developed by the Joint Ransomware Task Force (JRTF) which is overseen by the Federal Bureau of Investigation (FBI) and CISA. to help organizations reduce the risk of ransomware events. In this revision the National Security Agency (NSA) and FBI were added as contributors.
What is Ransomware?
Ransomware is a malware attack on data that encrypts files to render the data unusable. Victims of these attacks are then pressured into paying a ransom to threat actors to retrieve data and prevent this proprietary data from being released.
Ransomware attacks are continuing to increase in numbers and have proven to be costly for organizations victimized. These events can severely impact processes by rendering mission-critical services inoperable. This can result in economic and reputational damage as third-party data is often compromised.
What was Added in this Update?
In this update recommendations were made for preventing vulnerable infection vectors such as compromised credentials and various forms of social engineering. Recommendations were also updated to promote Zero Trust Architecture (ZTA). Additionally, the ransomware response checklist was expanded with tips for detection and analysis of ransomware attacks. All of these recommendations were cross mapped to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
Guidance to Prevent, Respond and Recover
The twenty-nine-page document provides step by step approaches to detect, prevent, and respond to incidents through best practices. It is stressed that offline encrypted backups be maintained that are not synced to the cloud. It is also stressed that a hard copy of a cyber–Incident Response Plan (IRP) be formulated and regularly reviewed.
Much of the guidance reiterates best practices that have been accepted by the cybersecurity community at large. These include the use of regular vulnerability scans, updating software and operating systems, use of VPNs, password protocols and protections, and of course training. Regardless, this document is a must read for anybody involved in information security management.
Part 2 of the document provides a checklist for ransomware and data extortion response that is critical knowledge for any organization. This includes steps for detection and analysis, reporting and notification, and containment and eradication. Additionally, the guidance provides contact information for federal agencies that should be notified in the event of a ransomware attack.
CVG Strategy Cybersecurity
As the #stopransomware guide update illustrates, requirements for data protection surpass the implementation of information control technologies. Policies that incorporate risk assessment, training, and management review are required to ensure that an organization is on track for the prevention of initial access by threat actors and data exfiltration.
CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats. We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.
Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Our team of experts bring extensive experience and deep information security process control expertise (including certifications as Exemplar Global Lead Auditor ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification—on time and on budget.
CVG Strategy is also committed to the goals of CMMC in securing our defense manufacturing supply chain’s information secure. As industry leaders in cybersecurity, ITAR, and risk-based management systems. We have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements CMMC, establishing effective programs, and achieving certification.
The Export Administration Regulations UVL (Unverified List) controls the export, reexport or transfer (in country) of items to listed parties. Furthermore, parties on this list are not eligible for any license exemptions. Failure to comply with these regulations can result in civil and criminal penalties, imprisonment, and debarment from export activities.
Conducting Export Activities to UVL Entities
Export activities to entities appearing on the Unverified List (UVL) require the exporter, transferor, or rexporter to obtain a UVL statement from the listed person. These statements, recorded in a document, are valid for multiple exports, reexports, or in country transfers for a single item. The document must be signed and dated by the UVL party. Specific data for this document include: name, physical address, agreement not to engage in any prohibited end use, statement of end user, end use, and country of ultimate destination.
The listed person must certify that they have sufficient authority to bind the party legally. They must also agree to Post-Shipment Verification (PSV) to be conducted by or on behalf of the Bureau of Industry and Security (BIS). PSVs are conducted by officials in person to verify that exported items arrive at the intended destinations.
Denied Parties Screening
UVL controls are yet another example of why organizations need to conduct denied parties screening. This activity is an essential practice for ensuring regulatory compliance to U.S. law. Screening is performed to restrict or prohibit U.S. individuals and organizations from shipping products or providing services to parties listed on denial, debarment, and blocked persons lists.
The United States Government maintains a number of lists of sanctions and debarred parties. These are maintained on the Consolidated Screening List (CSL). Additionally, a number of private vendor solutions are available that provide screenings and alert users to any change in status.
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply.
CVG Strategy can help you in understanding Export Administration Regulations UVL requirements and help you in establishing a coherent and effective export compliance system. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Contact Us with you export regulation questions.
The government of Canada has specific Controlled Goods Program (CGP) Cloud Solutions requirements for individuals or organizations that possess or transfer controlled goods and associated technical data. Technical data includes drawings, blueprints, software, or technical documentation that could be used or adapted for military or space end use. Cloud service providers that provide storage or processing and/or processing of technical data associated with controlled goods must register with the Controlled Goods Program.
This requirement makes it a requirement for storage of data on servers located in Canada unless licensing requirements have been met through Global Affairs Canada.
Responsibility for Data Security
Organizations registered in the CGP are responsible for determining what cloud solutions are appropriate for their applications. As such, it vital that monitoring and regular risk assessments be taken to ensure that adequate and appropriate security controls are in place. Guidance for conducting these risk assessments can be found at Guidance on Cloud Security Assessment and Authorization.
When selecting a cloud service provider, organizations should understand what security controls are provided. They should then assess requirements for any additional security controls to mitigate any residual risk of unauthorized access to data.
Restriction of Access
The underlying purpose of data security is to restrict access of data to individuals who have been security assessed as detailed in section 15 of the CGP. Organizations should ensure that data stored on the cloud is made available through secure connections such as Virtual Private Networks (VPN) or Transport Layer Security (TLS). Dual authentication mechanisms and proper password policies should be employed in conjunction with these solutions.
Encryption Requirements
Controlled goods technical data stored on the cloud should by encrypted. The Government of Canada recommends U.S. Federal Information Processing Standard (FIPS) 140-2 for appropriate end-to-end encryption. The use of phishing resistant authentication controls are also recommended.
Export Compliance Security Plan
A documented security program is required for organizations registered in the CGP. These security plans should include specific information relating to data storage. This includes, the security employed by the cloud provider, additional controls implemented by the organization’s information security management team, and any other measures or processes incorporated to manage residual risks.
Differences in Canadian and U.S. Requirements
These cloud service requirements contrast with requirements in the United States for the International Traffic in Arms Regulations (ITAR). The current ITAR requirements (§ 120.54) allow for storage of unclassified ITAR technical data on foreign servers if end to end encryption compliant with the U.S. National Institute of Standards and Technology (NIST) requirements.
CVG Strategy Export Compliance and Information Security Expertise
Export Compliance Expertise
Navigating international import and export laws can be extremely challenging for organizations. This is especially the case for those whose products are defense related. CVG Strategy export compliance experts have over a decade of experience in assisting businesses establish and maintain export compliance programs.
CVG Strategy has helped companies comply with both U.S. and Canadian regulations. We can answer your export compliance questions to keep your organization in compliance to regulations. We can also provide essential training to ensure that your team is up to date on ever changing export laws.
Cybersecurity Expertise
CVG Strategy is committed to helping businesses protect information by helping them establish effective cybersecurity programs. We know that viable solutions include all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.
CVG Strategy provides cybersecurity consulting and training for large and small organizations. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.
A Voluntary Self-Disclosure (VSD) is conducted when an organization recognizes that violations or suspected violations of export regulations of the United States have occurred. The three major sets of U.S. Regulations are the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).
International Traffic in Arms Regulations
The ITAR is regulated by the Directorate of Defense Trade Controls or DDTC under the authority of the Department of State. ITAR controlled items are defense products and defense services enumerated in the United States Munitions List (USML). The DDTC strongly encourages submitting a voluntary self-disclosure of any potential violations of the Arms Export Control Act. Voluntary Disclosures may be viewed as a mitigating factor when determining administrative penalties, if any, that should be imposed.
Export Administration Regulations
The EAR is administered by the Bureau of Industry and Security (BIS) under the direction of the Department of Commerce. Items controlled under the EAR are enumerated in the Commerce Control List (CCL).
The BIS considers VSDs as an indicator of an organization’s intent to comply with U.S. export law. The BIS carefully reviews VSDs to determine if violations have occurred. They then determine the appropriate corrective action when violations of the export regulations have taken place.
Office of Foreign Assets Control
The OFAC is administered by the Department of Treasury. Its responsibilities include administering and enforcing economic and trade sanctions to further U.S. security and foreign policy objectives. It is the responsibility of all organizations to screen any party involved with items to be exported. As with the other two agencies Voluntary Self Disclosure is a factor in the consideration of mitigated penalties.
Recent Guidelines from Export Enforcement
In a recent memorandum from Matthew Axelrod, Assistant Secretary for Export Enforcement, the importance of proper handling of VSDs was stressed to export enforcement agents. The Assistant Secretary heads enforcement activities for the BIS and OFAC.
Mr. Axelrod stressed the importance of effective Export Compliance Programs for organizations involved in export activities. These programs must have processes in place to identify, prevent, and mitigate export regulation violations. These programs should include mechanisms for conducting voluntary disclosures of an organization’s own potential violations and the potential violations of other organizations.
To speed up the handling of VSDs, involved governmental agencies have incorporated a dual-track system to handle EAR infractions. The majority of cases reported involve minor and technical infractions and these are now fast-tracked to be resolved within sixty days of final submission. For minor infractions, organizations can now combine multiple incidents into a single submission.
The memorandum went on to stress that both organizations and enforcement agencies should understand that timely VSDs that include full cooperation with export enforcement should result in mitigation of penalties for non-egregious cases. Conversely, when VSDs are not filed, while this does not necessarily constitute concealment, increased penalties may result. Factors for consideration of penalties include, adequacy of the export compliance program, proposed steps to prevent reoccurrence.
The memorandum stressed the importance of incentivizing disclosures of other organizations stating that it should not be expected that exporters suffer in silence in forgoing sales while competitors may be taking advantage by conducting business in violation of regulations. To simplify this reporting the agency now offers a Confidential Reporting Form. If the disclosed violations include both export and sanctions violations the Financial Crimes Enforcement Network (FinCEN) is authorized to provide whistleblowers with substantial financial awards.
CVG Strategy Export Compliance Expertise
The DDTC, the BIS, and the OFAC, along with international partners have greatly increased their activities in the generation and enforcement of regulations. This increases the likelihood of a non-egregious violation occurring even in a company with a well-run export compliance program. Understanding and documenting how to execute a Voluntary Self Disclosure (VSD) is therefore essential.
If you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements. As the BIS place controls on a growing number of technologies it becomes increasing difficult for smaller businesses to stay abreast of regulatory developments. Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.
The Office of Foreign Assets Control (OFAC) Non SDN Sanction List is a reference tool that is published by the United States Department of Treasury to identify persons subject to specific types of sanctions. This list includes non-blocking prohibitions of the export specific goods and services and prohibitions based on statutory exceptions for imports. The list also controls prohibition of investments.
The SDN list is not a part of other OFAC sanction lists enumerated in the List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (CAPTA List) or the Specially Designated National and Blocked Person (SDN List). To address this the OFAC has created the Consolidated Sanctions List to ease the burden placed upon organizations conducting business internationally.
Chinese Military and Surveillance Technology Sectors
The Non SDN List includes entities determined to be involved in the military and surveillance technologies at the behest of the People’s Republic of China. These actions were initiated during the Trump administration and are being actively continued in the Biden administration. As a result of these changes, the authority for identifying these parties has been moved from the Department of Defense (DoD) to the OFAC.
Parties particular to China are listed in the Non-SDN Communist Chines Military Companies List (NS-CMIC List). This list has replaced the Non-SDN Communist Chinese Military Companies List previously on the OFAC website.
Russian Related Designations
Russian entities listed under these sanctions also continue to grow as a result of that country’s hostilities against Ukraine. These entities may appear in other countries allied with the Russian efforts such as Belarus. It is important to understand that these lists are updated on a regular basis and that information on parties from previous transactions should be screened against latest information before engaging in new business.
Penalties for Noncompliance
The U.S. Government maintains sanctions to support the United States national security and foreign policy objectives. These sanctions are often in effect regardless of an item or service’s export regulation classification. Conducting an activity that results in the sale or transfer of an item, service, or information to a denied party or entity can result in civil fines, criminal fines, and imprisonment.
Export sanctions are enforced by the Department of Treasury’s Office of Foreign Assets Control (OFAC). There are numerous penalties based on the relevant statue under which violations may have occurred. These penalties are adjusted for inflation annually. Recent penalties from the OFAC include a $30,000,000 settlement, from Wells Fargo.
Growing Burden on International Businesses
Actions taken by the United States are also being instituted by its allies including the European Union, United Kingdom, Australia, New Zealand and others. This makes identification of parties involved in transactions more important than ever. While many organizations have actively engaged in active Export Compliance Programs, they often have not actively incorporated denied party screening into their processes.
To learn more about Denied Party Screening click on this link to download a whitepaper about this important activity.
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities. Your business cannot afford to have its reputation ruined by a failure to comply.
Our Export Compliance Management Programs include procedures that address lists checks, including the OFAC Non SDN Sanction Lists to help your organization maintain due diligence. We can also perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help you remain compliant.
A 300 million dollar penalty was imposed on Seagate Technology, LCC, by the Bureau of Industry and Security (BIS). These administrative penalties were leveled at the business’s operations in Fremont, California and Singapore and include a five-year suspended Denial Order, which if activated, would terminate the organization’s ability to conduct export business under the Export Administration Regulations (EAR).
Although Seagate CEO, Dave Mosley, denied any wrongdoing, the BIS alleges that the company continued to sell computer disk drives to Huawei in violation of the Foreign Direct Product Rule. It is alleged that Seagate entered an agreement with Huawei to be a strategic supplier when Seagate’s competitors had stopped selling to Huawei.
Background on BIS Controls on Huawei
The BIS took action to prevent the company from acquiring semiconductors that are the direct product of U.S. technologies and software restricted Huawei’s in May of 2020 under the Foreign Direct Product Rule. These actions placed Huawei on the Entity List and effectively banned the export of items to the company. The United States has long held that Huawei products are a threat to information security. The United Kingdom and members of the European Union have voiced those concerns as well, because Huawei is a producer of 5G technologies.
BIS Sends Warning
This $300 million penalty is the largest standalone penalty in BIS history. Matthew Axelrod, Assistant Secretary for Export Enforcement, stated that the settlement is “a clarion call” for businesses conducting exports to comply with BIS export rules. He further stated that any organization subject to FDP restriction need to reassess its manufacturing processes to ensure that U.S. technologies or software are not used in building restricted items. Companies that discover violations were encouraged to submit Voluntary Self-Disclosures (VSD).
BIS Enhancing Enforcement and Prosecution
The BIS under the direction of the Department of Commerce and other export enforcement agencies have been changing the scope and enforcement policies in recent years to address the increased complexities of the international political arena. Export Administration Regulations (EAR) have continually been changing as more items are being added to the Commerce Control List (CCL). Additionally, the agency has increased its focus on the use of sanctions and denied parties lists to protect sensitive technologies.
David Axelrod, Assistant Secretary for Export Enforcement, has stressed on numerous occasions that the BIS intends to hold U.S. companies and foreign subsidiaries accountable for export violations to protect U.S. foreign policy and national security interests.
CVG Strategy Export Compliance Programs
This 300-million-dollar penalty on a multinational business underscore the importance in creating and maintaining viable export compliance programs for technology-based businesses. These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.
CVG Strategy can help you understand Export Administration Regulations, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.
The U.S. Government continues to impose export compliance penalties for companies that commit violations. This is the case for exports that fall under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). These penalties can include both civil and criminal fines, imprisonment, and denial of export privileges.
Penalties Under the ITAR
Organizations involved in the export of defense goods or defense services that are enumerated in the United States Munitions List (USML) are subject to export controls under the ITAR. The ITAR fall under the controls of the United States Department of State and are administered by the Directorate of Defense Trade Controls (DDTC).
As described in CFR 22 §127, it is a violation to export, reexport, transfer, or retransfer ITAR controlled articles without a written license or approval. Furthermore, it is unlawful to misrepresent or make false statements in such export transactions. Under 22 U.S.C 2778(c) penalties can include fines of up to $1,000,000 per violation and or imprisonment for twenty years.
Penalties Under the EAR
Export Administration Regulations place controls on the export of commodities including intellectual property, technology, and software. These items which are enumerated in the Commerce Control List (CCL) are often referred to as “dual use” items in that they may have military as well as commercial applications. These export controls fall under the jurisdiction of the Department of Commerce and are administered by the Bureau of Industry and Security (BIS).
The BIS can invoke both civil penalties and criminal penalties for violations of the EAR. Criminal penalties can include up to $1,000,000 in fines per violation and up to twenty years imprisonment. Civil penalties, also referred to as administrative penalties, can be either $300,000 per violation or twice the transaction value, whichever is greater. These penalties are adjusted for inflation on an annual basis.
Other Export Penalties
Aside from the two sets of regulations, the U.S. Government maintains sanctions to support the national security and foreign policy objectives. These sanctions are often in effect regardless of an item or service’s export regulation classification. Conducting an activity that results in the sale or transfer of an item, service, or information to a denied party or entity can result in civil fines, criminal fines, and imprisonment.
Export sanctions are enforced by the Department of Treasury’s Office of Foreign Assets Control (OFAC). There are numerous penalties based on the relevant statue under which violations may have occurred. These penalties are also adjusted for inflation annually.
Recent Examples of Enforcement
Companies of all sizes are being penalized for export violations. Recently the BIS imposed a $300 million dollar civil penalty against Seagate Technologies for exporting hard disk drives to Huawei Technolgies Co. Ltd. 3D Systems, a U.S. company based in South Carolina agreed to a settlement of $20,000,000 for violations of the ITAR. Additionally, Wells Fargo agreed to a $30,000,000 settlement with the OFAC.
CVG Strategy Export Compliance Management Systems
Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales. Unfortunately, many businesses fail to adequately engage in managing their compliance requirements.
CVG Strategy can help you establish a coherent and effective Export Compliance Management System. We can also perform export control classifications, perform audits, and educate your export compliance team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help. Our experts can provide guidance for your export issues and questions.
