Disruptive Technology Strike Force to Enforce EAR


The Department of Commerce has initiated the Disruptive Technology Strike Force which will partner the Bureau of Industry and Security (BIS) with the Department of Justice (DoJ) in the enforcement of the Export Administration Regulations (EAR).  Export Administration Regulations (EAR) control the export of commodities determined to be dual-use.  Dual-use items refer to commodities and technologies that normally are used for civilian purposes but may also be used for military purposes.  The specific regulations can be found in 15 CFR §730.

Agencies taking part in this enforcement will include the FBI and Homeland Security Investigations (HSI).  This ongoing enforcement will include fourteen different U.S. Attorney’s Offices centered in twelve metropolitan regions.  These regions include Boston, Atlanta, Chicago, Dallas, Houston, Los Angeles, Miami, New York City, San Jose, Phoenix, Portland and Washington D.C.

Actions to Protect Sensitive Technologies

These joint actions are being taken to target illicit actors attempting to acquire and export sensitive technologies from the United States to Russia, North Korea, Iran, and China.  These states are using these technologies to enhance their military capabilities which, aside from posing a threat to U.S. national security, can also be used to enable actions against human rights.  Additionally, these violations of export controls threaten economic security by threatening businesses that create these advanced technologies.

Pulling Out All the Stops

In carrying out this enforcement, U.S. enforcement agencies will use advanced data analytics and enhanced intelligence to coordinate actions.  They will be performing more training of field agents and furthering coordination between agencies in the Intelligence Community.  Furthermore, there will be efforts to enhance partnerships in the private sector as well as with international partners.

The strike force will fall under the joint leadership of Assistant Attorney General Matthew G. Olsen from the National Security Division of the Justice Department and Matthew Axelrod who serves as Assistant Secretary for Export Enforcement from the Bureau of Industry and Security.

Semiconductors a Focus

The BIS has been specifically focusing on the export of semiconductors and technologies involved with the design and manufacture of semiconductors.  In May of 2022, the BIS added export controls pursuant to Section 1758 on two substrates of ultra-wide bandgap semiconductors and Electrical Computer Aided Design (ECAD) tools.  These actions are being taken because these types of devices have significant potential for use in military applications.  Affected ECCN classifications are listed in Document Number 2022-17125.

A Call to Action for Businesses Involved in Export

The announcement of the Disruptive Technology Strike Force shows the Department of Commerce’s commitment to continue ramping up enforcement of Export Administration Regulations.  This action is the latest in a series of steps that show how serious the U.S. government is about the protection of dual-use items.  Additionally, partners of the U.S. are coordinating efforts to enforce export control laws.  Aside from enforcement, penalties both civil and criminal are increasing.

Businesses must ensure that they do not violate export regulations by enacting viable Export Compliance Management Programs (ECMP).   These programs are a requirement for both the Export Administration Regulations and the International Traffic in Arms Regulations (ITAR).  While businesses involved with the ITAR have been proactive in compliance, many involved with the export of dual-use goods enumerated in the EAR have been less diligent.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied party screening, and security measures that will prevent violations are carried out.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy Export Compliance Management Programs

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sales or could result in international sales.  Failure to comply with regulations can result in criminal prosecution including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.

CVG Strategy can help you in understanding Export Administration Regulations and establishing a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  Contact Us with your export regulation questions.

 

Delays in CMMC 2.0 Final Ruling


As 2023 opens, it appears that there may be further delays in CMMC 2.0 reaching a final ruling as the Pentagon considers additional revisions of the proposed rule.  These reconsiderations are, as reported on ClearanceJobs, the result of internal politics and concerns about the impact on businesses.  Because the rule is in proposed status, it is still open for public comment.  In the past this feedback has led to major changes in CMMC that led to the release of CMMC 2.0.

Cybersecurity Maturity Model Certification

In 2013 the Defense Federal Acquisition Regulation Supplement (DFARS) 252-204-7000 went into effect in an effort to establish requirements for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held by DoD contractors in the Defense Industrial Base.  This was followed by the DFARS clause 7012 in 2016, which established NIST-SP-800-171 as the mechanism for providing this desired protection.

In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying levels of cyber hygiene of an organization.  Following industry professionals’ concerns about the complexity, cost, and proposed timeline, the DoD released CMMC 2.0 in 2021.  Among other changes, the levels for compliance were reduced from five to three.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives. 

Establishment of a Certification Body

The Cyber AB was established as a non-governmental agency to serve as the official accreditation body for CMMC.  Its primary mission is to accredit organizations that will be responsible for conducting third-party assessments.  These organizations, when accredited, become part of the CMMC Third-Party Assessment Organizations (C3PAO).

While there has been progress in accrediting these organizations, concerns have been raised that there are still not enough accredited personnel to service the number of non-governmental organizations that require certification.  Additionally, there have been several mishaps in the formation of the Cyber AB that have hampered its ability to function optimally.

CMMC Requirements Are Here to Stay

While delays in CMMC 2.0 roll out continue, the requirements will remain.  Non-governmental organizations in possession of CUI and FCI will have to receive certification sooner or later.  Establishing and implementing a CMMC program within an organization requires time and effort.  Once the requirements have been met these systems must be integrated into the day-to-day operations of the organization.

While NIST SP 800-17 does contain a number of requirements for establishing and maintaining a cybersecurity program, it often comes up short in detailed descriptions on how non-IT functions are to be executed. This is particularly the case for critical functions such as auditing and management review. These functions must be performed regularly to ensure that the cybersecurity program is effectively addressing cyber risks.

CVG Strategy Information Security Management System Consultants

To help businesses meet the challenges in adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes and much more.

Export Compliance Program Guidelines – DDTC


The Directorate of Defense Trade Control (DDTC) has released Export Compliance Program Guidelines to provide businesses with an overview of best practices for complying with the International Traffic in Arms Regulations (ITAR).  These guidelines encourage organizations to adopt robust policies and procedures to ensure that compliance with export controls for items enumerated in the United States Munitions List (USML) is maintained. 

Management Commitment

As with any effective business undertaking, top management must show commitment to export compliance by creating a culture of compliance.  This culture can be created by management at all levels through words and actions that place a priority on avoiding export violations.  These priorities should be regularly communicated to all employees, contractors, suppliers, and customers.

All employees should understand that export compliance is an expected responsibility.  This should be communicated in an Export Compliance Manual that sets forth all policies and procedures.  They should be encouraged to recommend methods for improving compliance and reducing risk.  Additionally, all employees should be made aware of disciplinary actions for non-compliance.

Creating a Compliance Program

When creating an export compliance service it is important to tailor the program to identify and address the specific risks that could lead to violations.  Policies and Procedures can then be created to address these risks.  This should include a management commitment statement that underscores the organization’s commitment to export compliance. 

These policies and procedures must receive adequate resources and be regularly reviewed by top management to assess their performance.  Resources required for a program should include training, funding, adequate personnel, information security management, and organizational management.  The adequacy of these resources should be continually reviewed throughout an organization’s evolution.

Responsibilities, authorities, and points of contact should be clearly defined and communicated within the organization.  Export Compliance Officers (ECO) and Empowered Officials (EO) should be responsible for overseeing and implementing functions of the compliance program and for investigating, identifying, and correcting causes for any ITAR violations.

Activities Associated with Export Compliance

Classification

Export Control Classification is required of businesses selling products that fall under the jurisdiction of any federal regulations.  An export can include sale of goods within the United States to a person or entity that is not a U.S. person.  A transfer of technical data can also be considered an export which can be conducted by means of a phone call or email.

Export Control Classification begins with defining the technical specifications for the item to be transferred.  This applies to actual shipments as well as transfers of technical data.  It is important to note that a given product may fall under numerous classifications based on how regulations are interpreted.

It is essential that a thorough analysis be conducted to ensure that due diligence for compliance has been met.  Therefore, it is not prudent to rely on a customer’s or supplier’s classification, as there are severe consequences for non-compliance.

Registration

The DDTC Export Compliance Program Guidelines outline the many activities that are part of a compliance program.  These of course begin with registration with the DDTC, which is a requirement for any manufacturer, exporter, or broker of defense products or services.  The agency also details types of registration and requirements for registration changes.

Licensing, Agreements and Approvals

Other activities include applying for licenses, agreements, or other approvals from the DDTC for export, reexport, retransfers or temporary import of controlled goods and services.  The activities include Manufacturing Licensing Agreements (MLA), Technical Assistance Agreements (TAA), and Distribution Agreements.

Restricted Party Screening

Significant emphasis was given in the guidance to the performance of restricted party screening for all parties involved in a transaction.  This activity is often overlooked or performed with insufficient care in many organizations.  Restricted Party Screening should also be performed on all personnel and any other parties who may come in contact with controlled items or data thereof.

Cybersecurity

Although the ITAR does not include specific cybersecurity requirements, there are regulatory requirements to protect information and data of controlled items.  CMMC is a requirement for organizations contracting with the Department of Defense (DoD) that handle Controlled Unclassified Information (CUI). 

The guidance suggests the use of cybersecurity protocols and encryption to protect this sensitive data.  It also recommends the establishment of policies and procedures for employees traveling with mobile devices.

Recordkeeping

It is a requirement of ITAR to maintain records pertaining to the manufacture, acquisition, and disposition of defense articles.  These records must be maintained for a minimum of five years.  They should include licenses, exemptions, technical data exports, brokering activities, and any political contributions, fees, and commissions. The DDTC again calls for documented policies and procedures that define what activities must be documented and allocate specific responsibilities for the creation and maintenance of those records.

Detecting, Reporting, and Disclosure of Violations

The DDTC understands that violations of export regulations often occur through error.  However, because these violations can cause harm to the national security and foreign policy of the United States, it is important that organizations detect these violations, investigate the cause of the violation, take corrective actions to mitigate further violations, and report these violations through the Voluntary Disclosure mechanism. 

Training

It is essential that organizations perform training programs that provide sufficient levels of education for all employees, especially those members of the organization’s export compliance team.  This training should be up to date and utilize knowledgeable and experienced trainers.  Furthermore the depth of the training should reflect the level of activity that person has in the compliance program.

Risk Assessments

It is important to continually reassess risks that may lead to ITAR violations.  Considerations in the reassessments should include changes in the organization, the physical and cybersecurity infrastructure, and the organization’s employees, customers, suppliers, and other third parties.  These should occur as required throughout the year.

Audits and Compliance Monitoring

Independent and objective audits must be performed regularly to provide inputs for determining the compliance program’s effectiveness.  These audits should include interviews with relevant personnel and review of documentation, site security, and IT security.  Various types of audits should be performed, including functional level audits focusing on specific areas, program level audits, and external audits.

CVG Strategy Can Help

The DDTC’s Export Compliance Program Guidelines underscore the importance of viable export compliance programs for businesses engaged in sales of defense articles and defense services.  These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.


MIL-STD-461 RE102 Radiated Emissions


MIL-STD-461

MIL-STD-461 is an EMI/EMC standard for developmental test and evaluation.  This standard is broken out into nineteen various methods.  These methods include Radiated Emissions, Conducted Emissions, Radiated Susceptibility, and Conducted Susceptibility.

MIL-STD-461 testing includes radiated and conducted test methods.  These methods involve simulations of magnetic, radio frequency, Electrostatic Discharge (ESD), and Electromagnetic Pulse (EMP) sources of potential disturbance.  Susceptibility requirements are determined by type of equipment, type of platform the equipment is to be operational on, and location of the equipment on that platform. 

RE102 Radiated Emissions Testing

RE102 is the MIL-STD-461 method for evaluating electromagnetic field radiated emissions from system and subsystem enclosures and cabling designed for U.S. military applications.  Requirements and testing to this military standard vary by platform of intended installation.  The frequency ranges applicable for various platforms are:

  • Ground:  2 MHz to 18 GHz
  • Surface Ships: 10 kHz to 18 GHz
  • Submarines: 10 kHz to 18 GHz
  • Aircraft (Army and Navy): 10 kHz to 18 GHz
  • Aircraft (Air Force):  2 MHz to 18 GHz
  • Space:  10 kHz to 18 GHz

By the numbers, limits imposed on emissions are severe and well below most commercial standards.  The numbers, however, do not tell the entire story, because test values measured are peak values, not average or quasi-peak.  Measurements are also made with antennas positioned 1 meter away from the edge of the test setup.

In short, there is not an apples-to-apples comparison that can be made between RE102 and other standards; the emission limits are lower, the frequency ranges are larger, and the measurements are performed in a more severe manner.

Special Test Requirements for AIAA S-121A

AIAA S-121 specifies general design practices and sets recommended verification and validation requirements for space vehicles and launch vehicles.  This standard can be used for tailoring MIL-STD-461 methods for space applications that may exceed those of MIL-STD-461.  This can often be the case for radiated emissions where the limits for certain frequency bands are extremely low. 

To achieve these measurements, tailored testing involves scans at reduced Resolution Bandwidths (RBW).  Performing these tests requires detailed communications with test facilities to ensure that testing is performable and to calculate required time for test performance.

Getting it Right

While RE102 testing should be performed as early in product development as possible, it is important that the test item be as representative as possible.  This means that enclosure, PCB revisions, firmware, software, and cabling should be fully representative of the final product.  Care should also be taken in creating the ability to simulate normal modes of operation so that testing can be performed on the Equipment Under Test (EUT) that reflects its intended use. 

All of these parameters should be reflected in an Electromagnetic Test Procedure (EMITP) that is constructed in accordance with MIL-STD-461 requirements as described in DI-EMCS-80201.  Other important data for inclusion in the EMITP are descriptions of stimulation and monitoring equipment, operating frequencies, performance checks, and a description of cable types complete with construction details.

Facing the Music About MIL-STD-461 RE102

The simple fact is that most product developers do not pass MIL-STD-461 RE102 testing the first time.  Retest and redesign cost money and time.  Adding patchwork cures such as filtered connectors can add significantly to product cost and often do not provide the required attenuation.  Often the most cost-effective solution is to perform an evaluation of the product to assess sources of the emissions and make design changes to mitigate them before they can couple onto wiring and power sources.

CVG Strategy Experts

Our experts at CVG Strategy have extensive experience in EMI/EMC testing for a number of industries and products, both military and commercial.  We also have expertise in testing for space requirements including AIAA S-121A.  Our industry experts can assist in developing tailored test plans, test witnessing and troubleshooting.  We can also provide design analysis and guidance for product compliance.

Our EZ-test plans are available for military applications for EMI/EMC and environmental testing.  Our Electromagnetic Test Procedures are recognized by A2LA Certified Test Labs as reliable and comprehensive. We have included, in addition to guidance from the standards, additions including best practices which we have learned in test program management of equipment designed to Department of Defense standards.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

 

Maintaining a CMMC Program – Best Practices


Maintaining a CMMC program requires that organizations engage management system principles in their daily cybersecurity programs.  These activities will be essential for Department of Defense (DoD) contractors to remain compliant.

Current CMMC Requirements

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle Controlled Unclassified Information (CUI).  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives. 

Upon further investigation, one will find that NIST SP 800-171 involves references to over half a dozen other documents which are comprised of thousands of pages.  While these documents describe the implementation of controls and development of a risk management framework, they often fail to provide solutions easily integrated into business practices.

The Dynamics of Cybersecurity

Maintaining an Information Security Management System (ISMS) requires that the organization conduct regular risk assessments.  These assessments should include internal and external factors that are regularly in flux.  These would include external threat dynamics and changes in the systems and locations of CUI within the organization.

The organization should also consider third parties involved with the organization.  These would include contractors and vendors who may impact the confidentiality, integrity, or availability of information.  Regular review of these external providers is advisable.

Beyond Technology

The weakest link in a cybersecurity program often does not reside within the digital realm.  People and places provide very real risks that can be easily overlooked.  The screening of persons who will have access to CUI should be reviewed regularly.

Those who have been screened should receive sufficient education and training on information security policies and practices.  Physical controls should be regularly reviewed to ensure that areas are secure and that clear desk and clear screen practices are being employed.

The Importance of an Internal Audit

Internal audits are utilized in businesses to assess the organization’s ability to maintain compliance.  These audits should be conducted regularly and their criteria and scope should be adequately defined.  They should include an examination of procedures and security plans to evaluate their effectiveness and whether they are being implemented in actual operations as envisioned.  The findings from these audits should be presented in a way that is relevant to management, as these audits serve as a major input for management review.

The Role of Management Review

It is essential that management be involved with a cybersecurity program to ensure that requirements are integrated into organizational processes.  Management must maintain responsibility in seeing that all objectives are met and that the program has sufficient resources.  To make these decisions it is necessary that all functions of the program are monitored and measured.

Management review should consider actions of previous reviews to ascertain their effectiveness.  It should also consider changes both within and external to the organization that may affect information risks.  Consideration should also be given to incidents and events that may have occurred so that improvements to the program can be instituted.

CMMC in Action

Much emphasis has been placed on implementing CMMC, and for good reason.  It is of great importance to national security that important information be kept out of the hands of hostile nation states.  However, maintaining a CMMC program, once put in place, will require continual due diligence.  This will require a coordinated effort by all parties and functions within an organization.

CVG Strategy Information Security Management System Consultants

To help businesses meet the challenges in maintaining a CMMC program, CVG Strategy has developed an approach that combines the requirements of Cybersecurity Maturity Model Certification compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.


Electrical Power for MIL-STD-810 Testing


Electrical power considerations for MIL-STD-810 testing create a new level of detail for functional and operational tests.  In recent revisions, the standard has placed increased emphasis on changes in voltage, frequency, phase displacement, and other power deviations that are expected to be present in the normal operation of the device to be tested.

Guidance for these power fluctuations can be found in the following standards:

Where these electric power system fluctuations could cause test item failure or pose a significant threat to the safety of personnel, it may be necessary to perform an electrical survey of the intended platform’s power characteristics.

MIL-STD-810 Testing Purpose

MIL-STD-810, Environmental Engineering Considerations and Laboratory Tests, is a series of laboratory methods to verify and validate equipment for a wide variety of environments.  As such, the standard places a heavy emphasis on tailoring testing to replicate, as nearly as possible, environmental stresses that will be present in the intended environment.  Furthermore, it stresses examining, where applicable, the synergetic and cumulative effects that may affect equipment operation.

Method 520 Combined Environments

Electrical power fluctuations may affect the operation and reliability of equipment.  These effects may be more pronounced when combined forcing functions are present, such as high temperature, low temperature, altitude, and humidity.  Method 520 Combined Environments provides information on these electrical stresses that is applicable for testing in other methods.

Method 520 is intended for evaluation of equipment for utilization on aircraft.  This method includes procedures for Engineering Development, Flight or Mission Support, and Platform Envelope.  This method considers electrical power stresses incurred from ground support equipment and during mission profiles.  Specific conditions it considers are:

  • Normal AC system stresses
  • ON/OFF cycling during normal operation
  • Mission related transients within platform electrical systems
  • Safety related stresses for abnormal or emergency conditions for flight critical and safety critical components

These factors can then be integrated into a mission profile that is included in laboratory testing.  This approach can be utilized for testing of other equipment types such as military vehicle, ground stationary, or shipboard where the equipment is mission critical or safety critical.

The Role of Developmental Test and Evaluation

MIL-STD-810 is intended for developmental test and evaluation of equipment intended for use in military systems.  It is also utilized in commercial industries where rugged equipment is essential.  To ascertain which testing should be performed and determine test parameters, it is essential to engage in a tailoring process.  This process integrates measured data from specific areas of intended use and data compiled in Part Three of the standard.  This data is collected in a Life Cycle Environmental Profile (LCEP).

An LCEP is an analysis of the environmental stresses likely to be encountered during the entire life of a product, from manufacturing to end of life.  It serves as an input for an Environmental Issues/Criteria List (EICL), which is a collection of justified environmental parameters for design and product test.  These stresses include those found in logistical, tactical, and operational phases.

Once this analysis is completed, Detailed Environmental Test Plans can be created that detail the exact procedure to be performed, operational and functional tests to be run, essential data to be collected, and specific pass/fail criteria for the Unit Under Test (UUT).

CVG Strategy Test and Evaluation Experts

CVG Strategy engineers can help you integrate fluctuations in electrical power for MIL-STD-810 testing.  Our experts at CVG Strategy have extensive experience in Climatic/Dynamic and EMI/EMC testing for a number of industries and products, both military and commercial.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including development of Test Plans, Test Procedures, Test Witnessing and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

 

 

Huawei and ZTE Designated Threats to Security


The Federal Communications Commission (FCC) and Homeland Security Bureau have designated Huawei and ZTE as threats to U.S. national security.  Because both Chinese companies are subject to the Chinese Communist Party, they are required by law to cooperate with China’s intelligence gathering activities.  China has developed an arsenal of cyber capabilities to target U.S. information security.  The use of these companies’ products therefore allows the communist party to exploit network vulnerabilities and compromise critical communication networks.

FCC Prohibits Import of Telecom Equipment

On November 25, 2022 the FCC announced that it had adopted final rules to bar the sale or import of telecommunications equipment manufactured by Huawei and ZTE. It also included products from Dahua Technology, Hangzhou Hikvision Digital Technology Co., and Hytera Communications. This action was unanimously approved by the four FCC commissioners. This is the first time in history that the FCC has voted to prohibit electronic equipment to protect national security.

While protecting government concerns, the actions taken do not provide complete protection from questionable devices.  The ban does not block all products from these companies but focuses on equipment intended for public safety, government facility security, critical infrastructure surveillance, or national security purposes.

The United States is not alone in these bans. The United Kingdom, Canada, Australia, and New Zealand have also acted against Chinese companies’ involvement in telecommunications, especially equipment involved with 5G technologies. This action will likely bring into focus the banning of other equipment generated by hostile state-controlled companies.

Similar actions by the U.S. federal government are taking place against Chinese firms, as FBI Director Christopher Wray has voiced concerns to the House Committee on Homeland Security about TikTok’s use of U.S. citizens’ user data. The Chinese-owned social media app currently has over one billion monthly users. Among the FBI’s concerns is that the Chinese government could conduct influence operations with the app or use it to gain control of millions of user devices.

FCC Bans Universal Service Fund For These Companies

The FCC banned the use of the agency’s Universal Service Fund for the purchase of services or equipment from Huawei and ZTE in 2020. This fund is currently 8.3 billion dollars per year and is used to provide affordable communications for schools, libraries, and rural health care. At that time carriers receiving monies from the fund were required to purge their networks of such equipment.

At that time both agencies claimed ample evidence justifying these actions.  In fact the agency spent 1.9 billion dollars in 2021 to remove Huawei and ZTE gear that was being used in U.S. rural areas.

Huawei No Stranger to U.S. Scrutiny

The Bureau of Industry and Security (BIS) restricted Huawei’s semiconductor manufacturing capabilities in May of 2020. BIS took this action to prevent the company from acquiring semiconductors that are the direct product of U.S. technologies and software. These technologies now fall under the Export Administration Regulations (EAR). In the same year Homeland Security prohibited the company from engaging in government contracting services under the Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.

The Department of Justice also prosecuted a case against the company for participation in a fraudulent scheme to export banned U.S. goods and technologies for its business in Iran.  Although Huawei denied these allegations, company records show that the company was directly involved in these actions. 

CVG Strategy Cybersecurity Solutions

FCC concerns about Huawei and ZTE illustrate the severity of cybersecurity threats to businesses in the United States.  IT solutions alone are not sufficient to combat these forces.  Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations. Our experts can tailor a program using a risk management process to identify information assets and interested parties. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

CVG Strategy also provides consulting services for NIST 800-171 and CMMC Certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

 

MIL-STD-810 Classes Are Available


CVG Strategy MIL-STD-810 classes will provide you with the ability to develop and conduct an environmental test program. Our two-day course not only provides you with valuable information about climatic and dynamic test methods but also includes training in the methodology to correctly apply test tailoring. This course is available online or onsite. Ample time is available for questions and comments so that participants are encouraged to keep engaged. Check here for our online Training Registration Schedule.

Course Description

In this two-day course you will learn:

  • The history and evolution of MIL-STD-810
  • Use of Part I of the standard to support test program development and test tailoring
  • Use of Part III of the standard to evaluate expected climatic conditions
  • How to conduct a Life Cycle Environmental Profile
  • Developing a Detailed Environmental Test Plan (DETP)
  • Preparing for Laboratory Testing
  • Considerations for vibration test fixtures
  • Description and purpose of each test method

MIL-STD-810 Applications

MIL-STD-810 Environmental Engineering Considerations and Laboratory Tests is comprised of 29 test methods that address a broad range of environmental conditions. These methods include climatic testing such as high and low temperature, humidity, salt fog, and sand and dust. The standard also provides test methods for evaluating the effects of dynamic stressors such as vibration, shock, and acceleration.

This important standard has been used by product developers in the United States and internationally to evaluate both defense and commercial products’ ability to perform as designed when subjected to the environmental stressors that are expected in their life cycle. This testing can therefore verify and validate the environmental worthiness and overall durability of a system design.

Test Program Tailoring

MIL-STD-810 does not impose test specifications.  Instead, it describes the environmental tailoring process that results in realistic materiel designs and test methods.  This process combines requirements and information derived from Whole Life Assessments (WLA) to provide criteria for selection of appropriate test methods.  It will also provide criteria for selecting appropriate severities and durations to perform for each test.   

CVG Strategy Test and Evaluation Expertise

Our team of test and evaluation experts can assist you in creating a meaningful test program that meets requirements and prevents costly failures at the operational test stage.  CVG Strategy provides an array of services to help you with environmental and EMI/EMC testing. 

Our instructors have decades of experience in laboratory test and evaluation of military and commercial products.  We understand the importance of testing and getting a properly designed product to market in a timely fashion. 

In many cases, testing requirements can be met or enhanced through compliance by analysis.  Such analysis can involve computer modeling and simulation, acceptance by similarity, or testing of coupon samples.  These types of analysis can also serve to identify design deficiencies early in product development and thereby streamline product to market schedules.

Vibration Test Fixtures – A Reason For Concern


The Importance of Vibration Test Fixtures

For most projects, the design of vibration test fixtures is often left to the last minute.  Regardless of your industry, vibration testing is one of the most important tools in product test and evaluation.  A well designed fixture will provide ample rigidity to prevent resonances that can result in product over test.  It will help provide confidence that the vibration encountered by the unit under test is representative of the required spectrum.

Using Your Own

Using your own vibration test fixture as opposed to using one from a test facility has many benefits. Fixtures lying around test labs are often drilled out and adapted for any number of customers’ immediate requirements. If retesting is required, having your own fixture assures you of a more repeatable test regardless of the test facility you may use.

The same fixtures can also be used for shock testing where rigidity and strength are requirements. Using vibration test fixtures in environmental chamber tests can facilitate proper orientation of equipment and prevent accidental damage to interconnected test items during removal from the chamber.

Designing your Fixture

Rigidity

Rigidity is the major consideration in vibration fixture design.  A microscopic deflection in any part of the fixture can result in alarming resonances and nulls.  Aluminum is an excellent material for vibration test fixtures as it provides the required rigidity while minimizing weight.  Consider the intended orientations of test items and provide mounting holes for test items so that they can be easily installed and removed. 

Weight

Weight is also a consideration when designing a fixture. This is particularly the case if multiple units under test are to be tested simultaneously. Material selection can help reduce the overall weight requirements for the vibration table. Aluminum is a good material for most fixtures. It is relatively inexpensive and is light as compared to steel. It is easily worked and can be constructed to provide the required rigidity.

Magnesium provides the best material for tensile strength to weight ratio. It also has better damping at high frequencies. It is, however, more costly and is not as easy to machine. It is therefore usually reserved for high test performance requirements.

Computer Modeling

A well designed fixture will provide repeatable testing and provide the required excitation to the product being tested without resonances or nulls. To accomplish this, computer modeling should be performed. These evaluations will ensure that the fixture has a minimum of harmonic distortion over the bandwidth of planned testing.

Validating your Fixture

Before using your vibration fixture in testing it is beneficial to perform a resonance scan  to check for any unwanted responses.  This is accomplished by attaching multiple accelerometers to the fixture, and sending low-level random signals that cover the frequency range of your intended test.

CVG Strategy Experts

CVG Strategy engineers can design and build vibration fixtures to meet your specific test requirements. We have decades of experience in vibration and shock testing. Let our expertise keep your test program on schedule by letting us assist you with your test and evaluation needs.


Product Ruggedness and Water Test Methods


Water is a Major Concern in Product Ruggedness Testing

Water is part of many test methods when evaluating product ruggedness. We live in a world that is predominated by the substance, and its effects on products for any application are severe. Because of this, products must be evaluated for their abilities to endure exposure to water as a solid, liquid, and as a gas. These tests, although seemingly simple, can present challenges to product designers. 

Effects of water on products include:

  • Possible degradation of strength
  • Corrosion or erosion of materials
  • Fungal Growth
  • Malfunction of electronic and electrical equipment with possibility of hazardous operation
  • Fouling of lubricants
  • Increased chemical reactions
  • Swelling of materials
  • Condensation
  • Changes in material properties such as elasticity

Ingress Testing

Ingress testing is found in a wide variety of industry specific test methods.   Perhaps the standard with the broadest use is IEC 60529 which evaluates a product’s degree of protection as classified by an Ingress Protection Code (IP Code).  These tests also involve solid foreign objects including dust.  Testing that involves water includes dripping, spraying, splashing, jetting, powerful jetting, temporary immersion, continuous immersion, and water jet with high pressure and temperature. 

Similar testing can be found in standards specific to the aerospace, automotive, and military sectors. In the automotive sector a number of ISO, IEC, and proprietary standards are used in evaluation. In defense applications MIL-STD-810 includes testing for blowing rain, humidity, salt fog, immersion, and the effects of icing.

Of major concern in these tests are gaskets and seals used to create “waterproof” enclosures.  Though it may appear to be an easy task, gasket design can be a great challenge.  In many cases a gasket must not only protect against ingress but also serve to attenuate radio frequency energy to meet EMI requirements. 

The sealing materials must also endure thermal, solar, and dynamic effects.  In some cases, such as wind blown rain, the impact of droplets can cause resonances that defeat otherwise sound barriers.

Humidity

Large portions of the planet experience intense humidity.  Some areas experience this year round.  Additionally certain applications such as marine will have extreme conditions. 

Humidity can wreak havoc in a large number of ways. Prolonged exposure to humidity can degrade plastics. It can interact with deposits of dust and other substances to produce corrosive films.

Testing for the effects of humidity is difficult.  Thorough evaluation usually involves lengthy tests that can last months.  Aggravated or accelerated testing can at times be useful to point out potential design deficiencies, but it can be difficult to ascertain the validity of data returned with respect to anticipated exposures.

Fungus

Exposure to airborne fungal mycotoxins can be highly hazardous to humans, resulting in neurological damage and cancer. Fungus and mold species prosper in humid conditions. A number of test standards can evaluate a product’s potential for supporting fungal growth.

It can be difficult to ascertain this by a simple analysis of materials in a Bill of Materials because deposits of contaminants may find their way on to a product during manufacturing or actual use. Generally these organisms can attack a wide variety of materials. Additionally their metabolic wastes can degrade materials.

Salt

Airborne salt can cause extreme corrosion.  Salt fogs are common in coastal areas and of course in marine applications.  Testing of protective coatings is essential for products that can expect such exposure.  While test methods can detect possible sources of problems they are not effective simulations of the actual environmental effects. 

Of further concern, testing is usually performed on new product. How a protective coating performs after thermal and solar exposure can be difficult to evaluate, as can the effects of dropping, or impacts sustained in actual use.

Water as a Solid

Product ruggedness can be greatly diminished by ice and frost.  Deposits of ice can cause structural failures and of course render devices inoperable.  Frost and ice can gradually cause failures of seals and gaskets. 

It can also cause failure of bonding materials and cause distortion of parts when recurring icing and thawing events occur.  Test methods are available for evaluation of ice effects and time should be taken to select appropriate procedures based on a product’s intended usage.

CVG Strategy Product Test Expertise

CVG Strategy has extensive experience in product test and evaluation of product ruggedness and water.  We can evaluate products, examine requirements, assess gasketing and sealing methods, and develop a test matrix to ensure that a product will perform as designed for its intended service life.  We provide a variety of consultant services to assist in product testing.

We also provide test plan templates for MIL-STD-810, IEC 60529, and a number of other standards.  These provide the necessary documentation to ensure that testing is performed as required, functional and operational tests are conducted, and important data is collected.

ISO 27001 Cybersecurity Management System


ISO 27001 cybersecurity management is an effective Information Security Management System (ISMS) for organizations and businesses of all sizes.  It provides a means to ensure confidentiality, integrity, and availability of information in a system that can be harmonized with other management systems.

The ISO Advantage

There are numerous cyber security solutions for protecting confidential information. Some of these, however, are not well suited for the requirements of a business environment. To be effective in these environments cyber security must integrate information security risk assessments with other risks facing the organization so that upper management can tailor the program to fit the context of the organization.

When this has been accomplished, policies and procedures can be created that allow for cooperation and involvement at all levels of the organization.  Then appropriate security controls can be implemented with assurance that adequate resources are available for proper execution.

This advantage is due to the fact that ISO 27001 shares the 10 clause framework of other ISO management standards such as ISO 9001:2015.  This framework establishes methodologies for:

  1. Identifying the expectation of all stakeholders for information security.
  2. Identifying the specific risks that will likely threaten the confidentiality, integrity, or availability of that information.
  3. Selection of appropriate controls for addressing these risks.
  4. Establishment of measurable goals and objectives for securing information.
  5. Implementation of controls and mitigations.
  6. Establishing methods for measuring the effectiveness of the entire program and reporting that effectiveness to management.
  7. Establishing a methodology for continuous improvement of ISMS.

ISO 27000 Set of Standards

The ISO 27000 series of information security standards includes over sixty separate standards that address specific elements intrinsic to a complete ISMS. While ISO 27001 provides the framework of the management system, other standards address specific information security controls. Many of these address the needs of specific technologies such as communication, cloud services, or storage security. Others provide guidelines for incident management and the analysis of digital evidence.

This vast set of resources allows organizations adopting this standard to address issues specific to their industry’s requirements.  Additionally, because it is an internationally accepted standard it allows for enhanced supplier and customer relationships worldwide.

Competitive Advantages of an ISMS

ISO 27001 is an effective approach to cybersecurity because it incorporates a coordinated systematic approach that involves all levels of an organization. Because this standard institutes management review and auditing it ensures that the organization is attuned to the changing nature of cybersecurity threats. It accomplishes this through a Plan-Do-Check-Act (PDCA) Cycle. The PDCA establishes objectives and processes, implements them, assesses and measures effectiveness, and provides corrective actions.

Implementing an ISMS in compliance with ISO 27001 and achieving certification demonstrates to all parties that an organization is actively engaged in the confidentiality, availability, and integrity of information. It can provide a competitive edge for businesses in any sector by instilling confidence that valuable and sensitive information is safe.

There have been countless incidents of cyberattacks that compromised operation and data of organizations. Industry experts do not forecast these events diminishing, as new strategies are constantly being refined by cybercriminals.

For many smaller businesses, failure to address the likelihood of a data breach could result in catastrophe. In today’s world, addressing data security and having comprehensive plans for recovery in the event of a breach is essential.

CVG Strategy ISMS Solutions

Businesses worldwide are under attack from players that are well funded and very focused on compromising proprietary data.  IT solutions alone are not sufficient to combat these forces.  Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.


Military Power Quality Testing Standards


Test requirements for equipment designed for use on military platforms include a number of power quality standards.  These standards evaluate the equipment’s ability to operate normally when subjected to disturbances characteristically found on their platform of intended use.  They also place limits on the level of disturbance the equipment can contribute to the voltage distribution network.

Power distribution systems are subject to extreme variances and disturbances caused by devices that share the system.   They can also have disturbances caused by variances in power generation devices such as generators and alternators.   Inductive load dumps, spikes and surges, coupled interference, voltage fluctuations, and frequency variations can all cause significant disturbances in equipment’s normal operation  that could lead to hazardous conditions or render the equipment inoperable.  Because of this, military standards for evaluation of these phenomena can place stringent demands on Equipment Under Test (EUT).

MIL-STD-1275

MIL-STD-1275 “Characteristics of 28 Volt DC Power Input to Utilization Equipment in Military Vehicles” is a series of tests that simulate expected variances on vehicle power distribution systems. Tests also evaluate variances emitted by the equipment under test to ensure that the equipment does not contribute excessive disturbances to supply voltage inputs. Test methods employed in this evaluation include:

  1. Operational Voltage Range – For this test the EUT is powered at 20 and 30 Volts DC for 30 minutes at each voltage.
  2. Voltage Ripple – The Voltage Ripple test is in fact a variant of MIL-STD-461 CS101, with the upper test frequency extended from 150 kHz to 250 kHz.
  3. Starting Operation including Initial Engagement Surges and Cranking Surges.
  4. Voltage Spikes both emitted and injected.
  5. Voltage Surges both emitted and injected.
  6. Reverse Polarity – For this test the EUT is powered at 33 Volts with reverse polarity for five minutes.

All of these tests can be challenging, but in particular the surge test can result in smoke emanating from power input circuitry,  a disappointing end of a trip to the lab to be certain.

MIL-STD-704 

MIL-STD-704 “Aircraft Electrical Power Characteristics” evaluates equipment for power distribution systems present on U.S. military aircraft platforms.  Separate matrices of evaluation are performed based on the type of power input the equipment utilizes.  Power types include:

  1. Single Phase, 400 Hz, 115 VAC
  2. Three Phase, 400 Hz, 115 VAC
  3. Single Phase, Variable Frequency, 115 VAC
  4. Three Phase, Variable Frequency, 115 VAC
  5. Single Phase, 60 Hz, 115 VAC
  6. 28 VDC

For any of the above power types, as many as 18 different tests are to be conducted. These tests include Current Harmonic Measurements, Voltage and Frequency Modulations, Transients, Interrupts, Emergency Limits, and Phase Reversals.

Consideration for classes of equipment and their level of immunity are covered in this standard. For example, a coffee pot can be rendered momentarily inoperable but a flight navigational system cannot. In no case can equipment under test suffer damage or cause an unsafe condition. As with MIL-STD-1275, limits are placed on disturbances the equipment contributes to the electric power system.

MIL-STD-1399-300

MIL-STD-1399-300 “Electric Power, Alternating Current” provides test methodologies for evaluating equipment for shipboard operation.  As with any of the aforementioned standards, limits and specifications are mandatory. 

This standard is broken up into two parts.  Part one covers low supply voltages (115 or 440 VAC).  Part two covers medium voltage supplies from 4,160 VAC to 13,800 VAC.  Required testing includes variances in Voltage and Frequency, Voltage Spikes, Emergency Conditions, Grounding Tests, Equipment Profile Tests, Current Waveform Tests, Simulated Human Body Leakage Current, Equipment Insulation Tests, and Active Ground Tests.

Designing Equipment for Power Sources

Military power quality testing is a specific set of methodologies that examine equipment’s ability to operate when subjected to extreme characteristics of electric power to ensure compatibility in their intended environments. While being associated with Electromagnetic Compatibility (EMC) and Electromagnetic Immunity (EMI), it presents specific challenges to equipment designers.

In many cases, specially designed power supplies can be utilized to provide protection from electrical supply disturbances and distortions.  However, when equipment is designed to control large inductive loads, care must be taken early in design to ensure that the equipment does not itself cause power distribution issues.

CVG Strategy Test and Evaluation Experts

CVG Strategy offers a wide array of services to assist you with EMI/EMC and electrical product evaluation to keep your product development on schedule.  We also can provide EZ-Test Plan Templates for MIL-STD-461, MIL-STD-1275, MIL-STD-704, and MIL-STD-1399-300.

CVG Strategy can also provide guidance for MIL STD environmental testing including performance of a Life Cycle Environmental Profile as required for MIL-STD-810.  Our engineers can perform design analysis to identify potential design issues before testing.  We can also assist in developing test programs for product verification and validation.

 

BIS Considers Enforcement Policies Changes


The Bureau of Industry and Security (BIS) considers changes to its enforcement policies an instrument for combatting national security threats. This was highlighted in remarks released by Matthew Axelrod, Assistant Secretary for Export Enforcement. In recent presentations he outlined the changing focus of the United States export control system and the need for bolstering enforcement actions of the Export Administration Regulations (EAR).

Administrative Enforcement Changes Under Consideration

The BIS is considering three major changes in the way that export regulations are enforced.  These proposed changes are as follows:

  1. Publicizing administrative charging letters when filed.  Currently charging letters are not publicized until the case has been resolved.  Making these letters public will incentivize other companies involved in similar violations to desist in those activities.  A policy to make administrative charges public would be similar to actions taken in criminal proceedings taken by the agency.
  2. Limiting the use of no admit / no deny settlements.  The BIS has often settled various administrative enforcement cases out of court, allowing organizations to pay reduced penalties without admitting to violation of export regulations.  While the agency does desire to incentivize companies to resolve violations, the overuse of no admit / no deny falls short of getting companies to admit fault and fails to identify root causes of those violations.
  3. Raising penalty amounts for administrative cases. Axelrod pointed out that if penalties are not sufficiently severe, organizations can conclude that the risk is not sufficient to deter violation of the law. Furthermore, it was pointed out that penalties should be commensurate with the level of threat they present to national security.

Other Areas of Increased Enforcement Focus

Enforcement of Sanctions

Sanction enforcement is not a new area of enforcement for agencies involved with export regulations. In fact, in the last decade, enforcement authorities’ actions in sanction cases have resulted in billions of dollars in civil and criminal penalties. This is because many businesses are lax in ensuring that parties they are engaging in transactions with are not on denied parties lists.

In the past sanctions have been considered by many to be applicable solely to financial institutions.  Today, however, as sanctions have been increasingly utilized for national security and foreign ends, they are becoming increasingly relevant to any business in the international supply chain.  This is the case for companies doing business in any number of countries, as more and more nations are working together in imposing sanctions multilaterally. 

Antiboycott Compliance

Mr. Axelrod, along with enforcing the Department of Commerce’s EAR, also oversees the Office of Antiboycott Compliance. Antiboycott regulations were adopted to require U.S. firms to refuse to participate in foreign boycotts that the United States does not sanction. They have the effect of preventing U.S. firms from being used to implement foreign policies of other nations which run counter to U.S. policy.

The enforcement of these regulations is also currently under review. As with EAR enforcement, increases in administrative penalties and reconsideration of no admit / no deny settlements are being eyed. Additionally, those involved with enforcement are looking to prioritize which violations are being actively investigated, placing emphasis on more severe violations.

Changes in the Implementation of Export Controls

Export controls are increasingly being implemented in response to a complex and challenging geopolitical landscape.  These issues include:

  • A growing concern over Russian actions and intentions
  • Nations engaged in genocide
  • Nations involved in subjection of ethnic minorities
  • Nations involved in slavery and forced labor
  • Nations actively engaged in theft of proprietary information including trade secrets
  • Nations involved in propping up illegitimate regimes through institutional corruption

As Axelrod pointed out, companies that engage in transactions with these nations receive profit at the expense of the world’s collective peace and prosperity.  It is therefore more important than ever that those involved in export activities effectively engage in the complexities of export compliance.

CVG Strategy Export Compliance Expertise

CVG Strategy, a proven leader in export compliance, can help your organization implement and maintain viable export compliance programs to navigate this increasingly complex business concern.  We can provide expertise in Export Administration Regulations, International Traffic in Arms Regulations (ITAR), Sanctions, Denied Parties Screening, Anti Boycott and Canadian Goods Program (CGP).

We also provide assistance in item classification, Technical Assistance Agreements (TAA),  and voluntary disclosures.  Our staff can also provide effective training for all levels of an organization to ensure that all personnel are aware and up to date on export compliance issues.

As the BIS considers enforcement policy changes, it is becoming more and more important for companies to develop effective export compliance programs.  These developments are likely to continue to raise the complexity and associated risks for companies involved in the international supply chain.

Challenges in Adopting CMMC Standards


Many small business owners have expressed concerns about the challenges in adopting CMMC standards.  While the Department of Defense (DoD) has been stressing the necessity for contractors to reach various levels of Cybersecurity Maturity Model Certification (CMMC) for years now, many businesses are at a loss as to how to implement an effective program despite the fact that failure to reach certification may hinder their ability to be eligible for DoD contracts.

This situation continues despite efforts by the DoD to ease implementation through the creation of CMMC 2.0, which was created following pushback from the DoD contractor community.

Cybersecurity is Complex

In an interview with Federal News Network, Dr. Kelly Fletcher, principal deputy CIO for the DoD, recounted feedback from small business owners who were confounded by CMMC requirements.  In one instance when Dr. Fletcher was giving a presentation to the public on cybersecurity, the owner of a building contractor company politely stated, “Lady, I don’t know what you are talking about”.

This is a good summation for many in the business world.  While they may have high levels of competence in their respective fields, they are not cybersecurity experts.

The requirements laid out in CMMC are well intentioned.  There is a definite need for data security for government contractors who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  Adversaries of the United States are actively engaged in stealing this information in efforts to duplicate technologies under development.  There are, however, real challenges in incorporating these security practices into the daily operations of a small organization.

CMMC 2.0 Requirements

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • Level 2 – Advanced is comprised of 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • Level 3 – Expert includes over 110 practices based on the NIST SP 800-171 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

Upon further investigation, one will find that NIST SP 800-171 involves references to over half a dozen other documents which are comprised of thousands of pages.  While these documents describe the implementation of controls and development of a risk management framework, they often fail to provide solutions easily integrated into business practices.

NIST SP 800-171 and Business Management

While NIST SP 800-171 does contain a number of requirements for establishing and maintaining a cybersecurity program, it often comes up short in detailed descriptions of how non-IT functions are to be executed.  This is particularly the case for critical functions such as auditing and management review.  These functions must be performed properly to ensure that accurate assessments have been conducted.

Businesses operating in the defense sector often utilize ISO management systems to effectively and consistently provide products and services.  These management systems can address quality, legal and regulatory compliance, environmental compliance, and information security requirements for a company. They share a harmonized approach to business management that includes a methodology for continual improvement.

ISO 27001 Information Security Management Systems

An Information Security Management System is a collection of policies, procedures, and controls that systematically address information security in an organization.  It is a framework based on risk assessment and risk management.  The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001. 

Because ISO 27001 is configurable to your company’s requirements, it is an effective means of organizing data security.  This is because it includes a complete process and involvement of all stakeholders in monitoring and preventing cyberattacks.  An ISMS can readily address numerous issues because it is centered around policies and processes that are adopted from top management down and includes all stakeholders including third parties.

Because an ISMS is a management system it incorporates mitigation strategies beyond technical controls.  It specifically addresses auditing, training, and management review.  Additionally, because it shares the basic structure of other management systems, it can be more easily implemented and maintained in the daily operations of a business.

CVG Strategy Information Security Management System Consultants

To help businesses meet the challenges in adopting CMMC standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

 

Medical Equipment EMC Requirements from the FDA


The Food and Drug Administration (FDA) has completed guidance for medical equipment Electromagnetic Compatibility (EMC) information to be submitted before an electrical medical device that is manufactured in the United States is marketed.  This guidance updates previous submission recommendations released in 2016.  Its intent is to provide clarification of what the FDA will consider in its premarket reviews.

The FDA is requiring the sponsors of most medical devices to adopt the new guidance but is extending the period to one year for In Vitro Diagnostic (IVD) devices. While this guidance refers to electromagnetic compatibility, the guidance applies to both interference and immunity.

Electromagnetic Compatibility (EMC)

Electromagnetic compatibility refers to the requirement for electronic devices to not interfere with the normal operation of other equipment in their shared environment.  All electronic products are sources of electromagnetic energy.  This energy may be transmitted both in radiated and conducted forms.

Radiated energy may be comprised of digital signals generated by the circuitry, energy generated by Point of Load (PoL) voltage regulators, or inappropriate usage of intentionally radiated Bluetooth or Wi-Fi signals (e.g. transmission protocol or excessive bandwidth).  Conducted emissions are those that are introduced onto power lines or interconnecting cables.

Electromagnetic Interference (EMI)

EMI can be generated by environmental factors.  Sources of naturally occurring EMI include:

  • Radio Atmospheric – (Sferic) Broadband impulses that occur as a result of lightning.
  • Solar Radiations – Including Solar Flares and Aurora Borealis resulting when charged particles emanating from the sun interact with Earth’s magnetic field.
  • Cosmic Noise – Radiation caused by planets and stars other than the sun. (Generally, this does not pose a significant risk to modern electronics.)

EMI can also be caused by other electrical and electronic systems in the proximity of the device of concern.  Potential sources of interference include any number of analog or digital sources.  This energy can be classified into broadband and narrowband. 

Broadband EMI is usually from unintentional radiators.  Sources of broadband include power converters, electrical motors, and digital circuits.  Narrowband is usually generated by intentional transmitters.  These include TV and radio stations, cellular phones, Wi-Fi and Bluetooth devices.

EMI can enter a circuit either by radiated energy or energy coupled onto wiring such as power inputs.  These energies are further categorized into radio and magnetic.  Magnetic refers to low frequencies generally below 100 kHz.  Radio extends from 100 kHz to the GHz range.  

Other sources of interference include power fluctuations, surges, and disturbances, and Electrostatic Discharge (ESD).

Required Information

Medical Product’s Intended Environment

Information required by the FDA includes that the product designer define the environment of intended use.  A modern medical facility is packed full of electronic devices that can be affected by electromagnetic energy.  Many of these devices have safety critical functions that, if affected, could result in life-threatening events.  These devices include defibrillators and ventilators.

Test Summary

A test summary should be provided on all testing performed on a finished product.  This summary should include data, pass/fail criteria, and any allowances, deviations or modifications.

Defined Modes of Operation

The FDA is also requiring that manufacturers define the device’s functions and modes of operation.  There is an emphasis on defining which modes would be most at risk for EMI events.

FDA Adopts Consensus Standard IEC 60601

The IEC 60601 series of standards address hazards to electrically powered medical equipment (ME) and ME systems.  They include many specific standards that address specific categories of devices such as sterilizers, infusion pumps, and centrifuges.

IEC 60601-1-2: 2014 includes risk management requirements in the form of an assessment to be performed before testing to determine immunity test levels and pass/fail criteria.

This analysis must be conducted by the manufacturer.  It should define the essential performance for each essential function of the device to be tested against the factors likely to be encountered in the intended environment.  These factors include radiated energy sources, conducted sources, electrostatic discharge, and power fluctuations and disturbances.

After this assessment is performed, a list of relevant immunity test methods at realistic levels can be selected and documented in a test plan.  This test plan, again, is the responsibility of the manufacturer to create.

CVG Strategy Expertise

CVG Strategy EMI/EMC consultants can provide susceptibility analysis for medical equipment EMC requirements and recommend appropriate test methodologies to ensure reliable operation of safety critical products.  Our team has decades of experience in automotive, commercial, aerospace, and defense sector testing. We can also provide assessment for coexistence of products using Wi-Fi protocols.

Emissions Test Failures Cost Time and Money


EMI emission test failures for compliance testing are a major cause of product development delays because most products fail in their first trip to the lab.  Radiated Emissions is the most common problem for developmental electronic products and one that is often difficult to mitigate.  This holds true for both military and commercial products.

Radiated Emission Test Standards

For most commercial equipment radiated emission testing must be performed per CISPR 11/EN 55011, CISPR 32/EN 55032, or FCC Part 15 to achieve certification.  Medical, industrial, and scientific equipment are tested to CISPR 11.  For equipment designed for U.S. military applications and space system applications MIL-STD-461 is the standard used.  These testing requirements vary in terms of frequency range measured, acceptable levels of radiation, and test equipment employed in testing.

Limits imposed on emissions in MIL-STD-461 are severe and well below most commercial standards.  There are two separate test procedures for radiated emissions in this standard, RE101 for magnetic field emissions from 20 Hz to 100 kHz and RE102 for electric field emissions.

Testing measurements for RE102 are made with antennae positioned 1 meter away from the Equipment Under Test and test values are peak values, not average or quasi-peak.  Furthermore, this testing can be a requirement for high frequencies up to 18 GHz.

Common Mode Considerations

Electromagnetic energy emanating from electronic devices appears in two modes, common and differential.  Common-mode emissions appear simultaneously on two conductors in the same phase.  Often these electromagnetic fields will radiate from cables connected to equipment being tested.

This energy will generally not be related to the intended signals on the cable. Because these emissions are in phase, mitigation techniques different from those commonly used with differential signals must be considered.  For lower current applications common mode chokes can provide required levels of signal reduction.

EMI Emission Design Issues

Application of ferrites and shielding at the lab is often a desperate battle with diminishing returns.  The best strategy is to identify major sources of emissions early in the design and mitigate at the source.  A well-designed Printed Circuit Board (PCB) can alleviate many problems but it is important to remember that every interconnecting cable is an antenna that can provide a path for radiated emissions.

Unwanted radiated emissions can be mitigated utilizing a number of strategies in the design stage, but each product has its area of special concern.  A product that controls stepper motors will have very different mitigation issues than a Bluetooth communication device.

Switching power supplies are a common area of concern for all products.  This includes main power sources and Point of Load (POL) circuits.  Care must be taken to ensure the selection of components in these circuits (e.g. low ESR capacitors) and their proper placement and interconnection.

Preparation for Emissions Testing

A great design can still fail if poorly constructed.  Pre-production or early production samples of products often will have paint and coatings in unwanted areas resulting in ungrounded cables and chassis parts.  Cables utilized for testing will often not be representative due to size constraints of the lab.

These cables often are not constructed to the same standards and may not have adequate shielding. Off-chamber simulation and monitoring equipment requires special attention. This equipment can often contribute emissions that will cause a “false” EMI emissions test failure.

CVG Strategy

Our experts at CVG Strategy have extensive experience in EMI/EMC.  We can provide pretest analysis to help reduce EMI emission test failures and their resultant delays. We also have expertise in Environmental testing and evaluation in a number of industries and products, both military and commercial.

The fact is that most EMI/EMC tests result in failures. Design teams often have to go through multiple design iterations before achieving success. Our EMI/EMC experts can provide a pretest analysis of a product to identify potential design shortcomings and provide appropriate modifications. This prevents costly program delays and patchwork solutions.

Our EMI/EMC engineers can provide a wide array of services to help you with your problems and questions. We have experience in Aerospace, Automotive, Commercial, and Defense standards. We can also work with you on IoT and Wi-Fi issues.

CVG Strategy specializes in Independent Developmental Testing and Evaluation including: Development of Life Cycle Environmental Profiles, Test Plans, Test Witnessing and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.