Export Regulations Due Diligence for Compliance

Export Regulations Due Diligence

Exercising export regulations due diligence involves complying with complex sets of requirements set forth by multiple U.S. government agencies.  These agencies include the Bureau of Industry and Security (BIS), the Directorate of Defense Trade Controls (DDTC), the Office of Foreign Assets Control (OFAC), and the National Nuclear Security Administration (NNSA).

The International Traffic in Arms Regulations (ITAR)

The ITAR are a series of regulations that control the export of military-related technologies.  The ITAR are administered by the DDTC, which is an agency of the U.S. Department of State.  Defense articles, defense services, and related technical data that fall under ITAR jurisdiction are enumerated in the United States Munitions List (USML).

These regulations are in place to protect U.S. national security and foreign policy interests.  Therefore, export transactions of these goods are subject to a high level of scrutiny.  Requirements for ITAR include item and service classification, applying for required licenses, protection of technical data, site security, visitor screening, and the screening of employees, contractors, and customers.

Export Administration Regulations (EAR)

The Bureau of Industry and Security (BIS) manages Export Administration Regulations (EAR).  The EAR is a series of regulations that control the export of items that have the potential to fall under dual usage categories.  Dual usage refers to technology that can be used for both peaceful and military purposes. 

Before exporting a product that is subject to the EAR, a business must determine whether an export license is needed from the Department of Commerce.  This is done by determining the product’s Export Control Classification Number (ECCN).  All ECCNs are listed in the Commerce Control List (CCL).

BIS Best Practices for Export Regulations Due Diligence

BIS guidelines include the following best practices for maintaining due diligence for the EAR:

  1. Conduct a thorough assessment of your product’s potential application.  Even if an item would not require a license you should consider if there are any potential dual usage concerns.
  2. Always conduct a stringent vetting of new or unfamiliar customers and be on the lookout for any of the following “red flags”:
    • A new customer places an unexpected and/or high-value order for sophisticated equipment.
    • The customer is a reseller or distributor. In such cases, you should always inquire who the end user is.
    • The customer has no website or social media and is not listed in online business directories.
    • The customer’s address is similar to an entity listed on the Consolidated Screening List (CSL), or the address indicates the customer is located close to end users of concern, including co-location with an entity listed on the Entity List.
    • Your customer places an order for an item that is available at the designated location and the buyer incurs transportation costs.  In such cases, request that the freight forwarder provide you a copy of the Electronic Export Information (EEI) filing to ensure the information is accurate.

Screening Against Sanctions and Denied Parties Lists

Denied Parties Screening is an essential practice for ensuring regulatory compliance with U.S. law.  Screening is performed to restrict or prohibit U.S. individuals and organizations from shipping products or providing services to parties listed on denial, debarment, and blocked persons lists.

Screening applies to all businesses regardless of product or service sector.  An organization is obligated to ensure that any transaction, where there is a transfer of money, is not destined to an individual or entity on a government sanctions list.  Screening also applies to businesses that only engage in domestic transactions, as individuals on these lists often reside in the United States.  The sanctions these screenings are designed to implement are often in effect regardless of an item or service’s export regulation classification.

Requirements for a Compliance Program

It is a requirement for organizations involved in international trade to implement and maintain viable export compliance programs.  While there are differences in requirements based on which series of regulations an export is controlled by, there are many common requirements.

A formal export compliance program should be documented and have the full commitment of upper management to execute, provide adequate resources, monitor, and maintain.  Training should be provided to enhance program awareness and provide adequate information to allow team members to perform their tasks within the program.  Screening activities should be performed against multiple lists to ensure that any party to a transaction is not on a watch or denied parties list.

CVG Strategy Export Compliance Expertise

Ensuring that export regulation due diligence is consistently performed by an organization requires implementation of viable export compliance programs.  Failure to comply with regulations can result in administrative and criminal penalties including imprisonment and loss of export privileges.

CVG Strategy has the compliance and training programs to help you meet U.S. export due diligence requirements.  We can also assist in item classifications, voluntary disclosures, Technical Assistance Agreements (TAA), and licensing applications.  CVG Strategy also offers signs and accessories to aid in Visitor Access Control on our ITAR Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized ITAR Consulting and ITAR & Export Compliance Programs.  We provide training that addresses critical U.S. Government regulations including EAR, ITAR and other regulatory agencies.

Collaboration and Quality Management – Teamwork

Collaboration and Quality Management

Collaboration and Quality Management are concepts that should come to mind together.  It can, however, be difficult to combine teamwork and quality management in a manufacturing or service process.  There are challenges involved in bringing all interested parties to the table and engaging them in working together to continuously improve products and services.  These challenges can be addressed in a properly implemented Quality Management System such as ISO 9001:2015.

Working Between Departments

Interdepartmental differences in priority, culture, and mindset can create barriers to effective collaboration.  Often these differences can create an adversarial perception between teams.  By establishing shared goals in achieving quality, trust can be developed that can dissolve these perceived differences. 

This is particularly important because honest feedback is a key component of the continuous improvement process.  This improved communication can create better working relationships between departments and increase cooperation in improving the overall efficiency of processes.  Additionally, this can nurture a better work environment that increases retention of skilled team members.

Collaboration Between Tiers

As with any business undertaking, success begins with the involvement of top management.  Leadership must implement a program that addresses the culture of the organization, while promoting a vision for improvement.  They should be fully committed to the concepts, goals, and processes of the Quality Management System (QMS) and must seek to understand needs and expectations of all interested parties.  Additionally, upper management must also communicate these goals and processes to the rest of the company and implement training as these change. 

Working With Suppliers

Establishing strong relationships with trusted and qualified suppliers is an excellent way to improve a business’s competitive performance.  By sharing quality management goals with an organization’s supply chain, clarification of roles and expectations can be accomplished.  This clarity can work to reduce risks by maintaining long term goals and strategies.  It can also provide improvements by identifying and eliminating waste, increasing process efficiencies, and reducing lead times. 

Developing Collaborative Processes

A good starting point for developing collaboration and quality management processes is during the design and development phase of a new product or service.  A properly executed design and development plan should consider inputs from a number of sources.  These would include sales and marketing, to communicate customer requirements.  It would also necessitate reviewing information from similar product developments in the past and considering the potentials and limitations of emerging technologies.

Once an initial concept has been achieved, iterative design reviews can assess the adequacy of existing manufacturing facilities and processes to produce a quality product.  Consideration can also be given to the ability of existing supply chain assets to provide required materials.

CVG Strategy Experts

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies for over a decade.  We can assist in the implementation of ISO 9001:2015, AS9100, ISO 13485, and ISO 14971 programs among others.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.

NIST Cybersecurity for Business Applications


Integrating NIST cybersecurity for business applications into existing management system processes requires specialized implementation.  This is of special concern for organizations involved in contracting with the Department of Defense (DoD) that are adopting NIST SP 800-171 to meet Cybersecurity Maturity Model Certification (CMMC) requirements.  

A major issue in this integration is that the NIST cybersecurity framework was originally designed for U.S. Government federal agencies.  These agencies do not share the organizational challenges in managing information security that businesses face.  Businesses must balance a wide array of risks, including quality and regulatory risks, into a cohesive management system.  To address these concerns, NIST has released a series of reports that address cybersecurity risk management methodologies applicable to Enterprise Risk Management (ERM) systems.

NISTIR 8286 Reports

NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) is a series of three documents that provide guidance in establishing and maintaining a systematic approach to risk guidance, identification, and analysis applicable to business management systems.  Central to these reports is the differentiation of roles of Enterprise Level Management and the Cybersecurity Risk Management.  It emphasizes the need for cooperation and collaboration of all parties in the establishment and operation of a Cybersecurity Risk Management System (CSRM). 

It describes a system whereby senior management provides a framework complete with scope, internal and external context, and essential requirements from stakeholders.  The CSRM is then tasked with controlling these risks and monitoring them in a Monitor, Evaluate and Adjust (MEA) cycle.

NISTIR 8286 goes further by describing an ongoing systematic approach to reporting findings back to the Enterprise Risk Management.  This allows for notification of stakeholders as to the status of the program and evaluation of information security risks.  During this evaluation process, adjustments are made to the organization’s approach to risk management to better address the dynamic requirements of the organization.

NISTIR 8286A

NISTIR 8286A provides guidance for risk context, scenario identification, and determination of the impact and likelihood of occurrence for those risks.  It utilizes Cybersecurity Risk Registers (CSRR) and Risk Detail Records (RDR) to aid in identifying and managing these risks.

NISTIR 8286A describes the necessity of senior management to establish the scope, context, and criteria of the program.  It further describes the establishment of organizational structures, processes, and business systems relevant to accomplishing these mission objectives.

NISTIR 8286B

NISTIR 8286B provides guidance for organization and system level management to assign risk ownership, define specific risk descriptions, determine a response cost, and provide a priority for those risks.  Topics covered in this report include risk avoidance, risk transfer, risk mitigation, risk response, risk strategy, and implicit acceptance of risk.

NISTIR 8286C

At the time of this post, NISTIR 8286C is published as a draft, although the public comment period has been closed.  This report describes methods for integrating information from the CSRM such that it can inform senior management and be implementable in the overall risk management process of the organization.  It emphasizes a continuous process for adjusting risk strategy and management activities.

ISO 27001:2013 Information Security Management System

ISO/IEC 27001:2013 is an international standard and widely accepted Information Security Management System (ISMS).  The role of an ISMS is to preserve confidentiality, integrity and availability of information.  It accomplishes this task by applying risk management processes.  An effectively tailored program can meet this challenge because it is part of the organization’s processes and management structure.

This standard provides the mechanisms and processes laid out in NISTIR 8286 and allows for an appropriate implementation of NIST cybersecurity for businesses.  When properly implemented, it can provide processes for continual improvement.

Implementation of an effective ISMS requires an assessment of the organization’s objectives, security requirements, and organizational processes.  These assessments include a consideration of the size and structure of the organization so that the ISMS is scaled to meet the needs of the organization.

Once these influencing factors have been defined, a risk assessment can be conducted.  This process should:

  • identify the information security risks
  • identify the risk owners
  • assess the potential consequences of an undesired occurrence
  • assess the realistic likelihood of the occurrence
  • determine the levels of risk
  • establish priorities for treatment of the risk (e.g. implementation of information security controls)

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges in adopting CMMC programs, CVG Strategy has developed an approach that combines the compliance requirements of CMMC 2.0 with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes and much more.

Implementing ISO 9001:2015 Around Your Organization


Properly implementing ISO 9001:2015 can benefit an organization across the board.  The first steps of an effective implementation process should include determining what the intended results of the program should be.

These quality objectives may include factors beyond meeting customer expectations and ensuring the quality of products and services.  For example, a factor for consideration might be employee retention or improvement through training of required skills.

Context of the Organization

Requirements of the standard include that the organization define the environment in which the business operates.  This analysis should include both internal and external factors that could affect the intended results of the quality management system (QMS).  These factors may include:

  • Type of industry
  • Company Objectives
  • Company Culture
  • Degree of Innovation
  • Customer Characteristics and Expectations
  • Competitors in the Field
  • Nature of the Market Sector

To be optimally effective, these insights need to be gathered from interested parties inside and outside of the organization.  These include people at all levels within the company, customers, and suppliers.  Once these expectations have been gathered, an analysis can be made that will determine the scope of the QMS.

As a company grows and evolves, these factors can be revised and again used to reshape the manner in which the organization is implementing ISO 9001:2015 to reflect these changes.  This allows the company to manage processes instead of the processes managing the company.

Risks and Opportunities

Once the scope of the QMS has been defined, actions can be planned and implemented to address the determined risks and opportunities.  These actions should be implemented in defined processes and include methodologies for evaluation of effectiveness. 

When planning these actions, it is often advantageous to integrate a SMART objectives approach.  SMART objectives are Specific, Measurable, Achievable, Relevant, and Time Based.  These types of objectives are most likely to achieve desired continuous improvements over time.

ISO 9001:2015 Flexibility

Every organization would like to improve the way it operates, whether that means increasing market share, driving down costs, managing risk more effectively or improving customer satisfaction.  A quality management system gives you the framework you need to monitor and improve performance in any area you choose. 

One of the great strengths of ISO 9001:2015 is the degree of flexibility in implementation.  This makes it a valuable and effective Quality Management System for large and small businesses alike for a wide variety of market sectors.  The essential task is to define and establish policies, procedures, and actions that are tailored to your organization’s requirements.

CVG Strategy

Our Exemplar Global Lead Auditor Consultants can help you with implementing ISO 9001:2015 in a manner that reflects the long term goals of your organization.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have also assisted organizations in establishing programs for ISO 13485, ISO 14971, and AS9100.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.


IoT Device Cybersecurity Guidance for Industry

IoT Device Cybersecurity

Internet of Things (IoT) cybersecurity is becoming an issue of increasing concern as these devices continue to secure a larger marketplace presence.  This is due to the fact that IoT solutions are a cost effective means of achieving integration of connected devices.  IoT devices include smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment.  They can also be found in industrial controls technology, agriculture, military, and infrastructure applications.

IoT devices are functional, inexpensive, and easy to implement.  As a result, there has been an amazing growth in this market.  Fortune Business Insights predicts that IoT Technology will grow from 478 billion dollars in 2022 to 2.4 trillion dollars in 2029.

IoT Device Core Baseline Cybersecurity

To address the vulnerabilities of IoT platforms, the National Institute of Standards and Technology (NIST) has released recommendations for manufacturers of IoT systems for improving how securable the IoT devices they make are.  The IoT Device Cybersecurity Capability Baseline provides six actionable items: four that should be conducted to assess pre-market impact, and two activities with primarily post-market impact.  Because these activities affect the process by which design specifications should be created, the document is primarily intended for the development of new devices.

Pre-Market Activities for Baseline IoT Security

IoT product manufacturers should consider the security of a product throughout its life cycle.  This includes an examination of integration into the customer’s probable usage and overall system requirements.  Because these factors will vary widely from product to product, the following steps should be conducted:

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals.
  4. Plan for adequate support of customer needs and goals.

IoT Considerations After Product Release

It is important to define methods for communicating cybersecurity risks and recommended protocols.  These considerations should include a declaration of risk related assumptions.  It is important to remember that both the manufacturer and the consumer share a responsibility in implementing and maintaining security.

NIST has provided a list of six recommended security features that manufacturers should build into IoT devices.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

Additional Protective Steps

Because IoT devices often do not allow access to their built-in management tools, implementing IoT devices can provide access points into networks that contain sensitive data.  Additionally, preventing access to devices by unauthorized persons can be a challenge in large industrial settings.  Therefore, segregation and isolation of these devices by using Virtual Local Area Networks (VLAN) should be considered when installing devices in a business setting.

Cybersecurity of Increasing Concern for Businesses

Because many incidents go unreported, real losses to U.S. manufacturing from cybercrime are difficult to assess.  Even the most statistically reliable data is derived from a small survey of businesses conducted by the Bureau of Justice Statistics.  In a recent report from Douglas Thomas of NIST, estimated losses for all industries could be as high as between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion.

The unfortunate reality for businesses is that those implementing IoT systems do not fully comprehend the vulnerabilities these devices present.  As with cloud computing, proper implementation is essential.  Common issues include insecure interfaces, lack of consistent device updates, and weak password protection.  It is therefore essential that those who select, install, and service IoT devices be trained and follow documented best practices to prevent data breaches.

Other actions can be taken to mitigate malicious threats on sites where IoT applications are used.  Performing data analytics can often allow an organization to identify threats before they become critical.  Another tool for protecting data is utilizing Public Key Infrastructure (PKI) to provide effective encryption of IoT networks.

Call for IoT Certification and Labeling

Because consumer based cybersecurity measures are at best reactive, there has been an effort to initiate a Certification & Voluntary Labelling Scheme to set a standard for manufacturers of IoT devices.  A labeling system would allow an easy way for developers of IoT applications to gain the confidence of consumers.  This international certification framework would involve third party assessments at accredited test facilities and would be internationally recognized.  Currently, a pilot program is open for applications for case studies.

CVG Strategy Cybersecurity

There are many applications where the benefits of IoT have yet to be fully explored.  As development of IoT sensors continues, they will contribute to the enhancement of such technologies as Artificial Intelligence (AI) and even smart cities.  However, as they rely on internet connectivity, they have inherent vulnerabilities.

Many manufacturers implement such devices to control processes and gather critical data.  Because of this, the risk these devices present should be taken into consideration by an effective Information Security Management System (ISMS).  CVG Strategy can help your business implement ISO 27001 to exercise due diligence and compliance with contractual and regulatory data security requirements.

CVG Strategy is committed to assisting organizations doing business with the Department of Defense achieve CMMC and keep our defense manufacturing supply chain’s information secure.  We are industry leaders in cybersecurity, ITAR, and risk based management systems.  We have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.


Economic Espionage by China Threatens United States

Economic Espionage by China

Economic Espionage by China Continues in Every Sector in the United States

Economic espionage efforts by China continue to pose a serious threat to the United States in both public and private sectors.  In the public sector, hacking groups backed by the People’s Republic of China have infiltrated local and federal agencies.  These persistent attacks seem to be focused on gathering information.  According to an article by CNN, these agencies have included the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

In the private sector, Cybereason has reported that China is conducting a global cyber espionage program to steal trade secrets, intellectual property, and sensitive information from companies in North America, Europe, and Asia.  Many organizations that have suffered these data breaches, which go back to 2019, are not even aware that their computer networks have been compromised.

These attacks have exploited vulnerabilities in a wide array of tools, including the Microsoft Common Log File System (CLFS).  They often utilized multi-stage infection chains to remain undetected.  Other attacks have involved more standard forms of malicious activity, including spear-phishing emails.

A Call to Action Against Cyberattacks

While China is not the sole nation to threaten U.S. interests with cyberattacks, its activities have, unlike others, focused on economic espionage and intellectual property theft.  Clearly China intends to be the dominant economic global force by any and all means available.  U.S. businesses therefore must engage in effective strategies to protect their interests and remain vigilant. 

The FBI has warned U.S. executives about partnering with Chinese parties as vendors or customers.  Christopher Wray, in a speech in February of 2022, pointed out that no nation presents a greater danger to the U.S. than China.  He went on to say that they are using hacking tools of increasing sophistication to cause indiscriminate damage.  Often these campaigns are conducted with the help of independent cyber criminals.

He mentioned the Microsoft Exchange hack, in which over 10,000 American companies were attacked, as an example of China’s efforts to steal information to create industrial bases in desired sectors.  He also stressed that the enormity of China’s efforts exceeds those of all of our other adversaries combined.

Mixed Responses from the Federal Government

The federal government’s responses to state sponsored cyber threats have had mixed results.  Recently the National Security Division of the Department of Justice announced it was terminating its “China Initiative” to counter a report on threats posed by China.  Legislation has been proposed to hold the agency accountable in its efforts to prosecute Chinese nationals involved in efforts to endanger U.S. national and economic security.

Meanwhile, the Department of Defense’s efforts to protect Controlled Unclassified Information (CUI) under the auspices of the Cybersecurity Maturity Model Certification has had an uneven start.  Changes in its management and dissatisfaction from companies striving to comply with costly cyber security solutions have led to revisions and delays in a final release of the program.

Indeed, federal officials have shown limited abilities in preventing foreign governments from accessing government computer systems.  According to The 2021 Thales Data Threat Report, 47% of federal government respondents stated that they had experienced data breaches in the last calendar year.  These incidents included the DoD and CISA.

Assuming Responsibility in the Prevention of Cyberattacks

Organizations in the private sector have begun to realize the enormous threat that cyberattacks pose.  Their responses, however, have been slow, and the levels of cybersecurity maturity attained thus far are leaving proprietary and sensitive data vulnerable.  While numerous advances in IT tools are available to assist organizations in their fight against cyberattacks, organizations require management tools to evaluate risks, implement plans, and coordinate control mechanisms.

For many small to medium businesses, a severe data breach could spell the end of their enterprises.  Their challenges are compounded by the need to share data with suppliers, customers and other third parties.

Clearly, the path forward is not likely to get easier for those involved in the protection of data.  It is therefore the duty of all organizations to assume responsibility for their best interests and shape their entities to protect their futures.

CVG Strategy Can Help

Information Security Management Systems

CVG Strategy can assist your organization in implementing and maintaining a viable and dynamic Information Security Management System (ISMS) by achieving ISO 27001 certification.  An ISMS is a comprehensive approach to securing data that involves all stakeholders in a risk assessed managerial approach. 

It involves processes, facility security, people, and IT systems to engage in best practices.  It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve.  This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.

CMMC for Department of Defense Contractors

CVG Strategy is committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cyber security, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Many organizations find it beneficial to integrate CMMC requirements into an Information Security Management System (ISMS) such as ISO 27001.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

It requires information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keep confidential corporate information secure. It encompasses people, processes and IT systems and helps your business coordinate your security efforts consistently and cost effectively.
Export Compliance Program Management ISO 37301


Effective export compliance program management poses challenges for organizations of all sizes and sectors.  U.S. export regulations such as the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) are complex and under constant revision.  Compliance is further complicated for organizations that have multinational operations and must therefore comply with additional export controls.

CVG Strategy Export Compliance Management Systems

CVG Strategy export compliance specialists, drawing from decades of experience in the field, have created Export Compliance Management Systems.  These management systems include manuals, work instructions, forms, and attachments that address U.S. export legal and regulatory requirements.  Additionally, management systems are available to address requirements for the Canadian Controlled Goods Program.

These document sets address all departmental functions in an export compliance system, including those for planning, human resources, sales and marketing, engineering, vendor management, and production and services.  They also include the required processes for maintaining export compliance, including item classification, screening, anti-boycott compliance, and incident response, with instructions for conducting voluntary self-disclosure.

Additionally, these documents contain embedded tools for assessing and rating risks.  These tools can help members of a compliance team identify compliance risks in projects where extra diligence is required to maintain compliance obligations.

These management system document sets are fully compliant with ISO 37301:2021 Compliance Management Systems, providing a coherent method of integration into an organization’s existing operations.

ISO 37301 Compliance Management Systems

ISO 37301:2021 is an international standard that can help establish and maintain a culture of compliance within an organization.  It can also extend these expectations to interested third parties.  Application of this standard can provide a basis for a sustainable organization by helping it meet its regulatory obligations.

Since ISO 37301 is structured along the same lines as ISO 9001:2015, it can be harmonized with an organization’s existing Quality Management System (QMS).  While compliance functions are maintained independent from other functions, ISO 37301 compliance management can be integrated with other management processes.

Creating and implementing a successful compliance management system requires that the system fit the organization’s culture and specific regulatory requirements.  This is accomplished by defining the context of the organization, which allows for the creation of policies that are embedded in and reflected by the behaviors of all personnel and interested parties.  These policies should reflect the core values and ethical practices incumbent on maintaining compliance with export laws and regulations.

As with any successful business undertaking, an effective export compliance program must start at the top.  Top management must be committed to strict adherence with export laws and regulations.  Management must also allot adequate resources to maintain and develop the compliance program as the business evolves. 

When implementing a compliance program, specific risks must be identified when determining the scope of the program.  These risks, once identified, can be addressed and monitored by the management system.  As with other ISO standards, ISO 37301 employs a Plan, Do, Check, Act methodology that provides an organization a means to engage in continual improvement of processes while assessing new risks and opportunities.

Flexibility in Implementation

There are numerous types of organizations that must comply with export laws and regulations.  Therefore a compliance program must vary to address differences in the type, size, nature, and sector of the business.  CVG Strategy Export Compliance Management Systems provide flexibility in implementation so as to be applicable to all types of export scenarios.

As an example, a business may design, service, manufacture, and export dual use products that are not enumerated on the United States Munitions List (USML).  Such an organization would only need to comply with the Export Administration Regulations (EAR) and not the International Traffic in Arms Regulations (ITAR).

Our Export Compliance Management System provides the means to determine, tailor, and document which sets of laws and regulations are applicable to an organization’s context, thereby preventing unnecessary burdens and overhead.

CVG Strategy Export Compliance Services

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from Export Administration Regulations (EAR), to the International Traffic in Arms Regulations (ITAR), Office of Foreign Asset Controls (OFAC), Canadian Goods Program (CGP) and other regulatory agencies.

CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multi-national organizations.  CVG Strategy’s experts are not ex-government employees; they understand the needs and goals of small to medium-sized operations in managing compliance requirements.  They also have expertise in the implementation and maintenance of a wide variety of management system standards.

Service Industry Quality Management ISO 9001-1:2015


Why Have a Quality Management System for Service Industry Businesses?

At first glance a Quality Management System (QMS) might appear inappropriate for service industry businesses.  There would appear to be a lack of metrics to serve as inputs, as a large portion of the product is not physical. 

Customer satisfaction, however, is a very tangible item.  Think back on a meal at a restaurant or a hotel stay that left you less than satisfied.  How likely are you to return to that business?

What is a QMS?

A QMS is a framework that promotes consistent performance in an organization through implementation of policies, processes, and work instructions.  Continuous Improvement is achieved in a QMS through a Plan, Do, Check, Act methodology where a plan is implemented, monitored, and then changed as necessary to achieve desired levels of performance.  

An effective QMS requires active participation of top management in all of its phases, including the establishment of policies and the regular review of internal audits.

ISO 9001:2015

ISO 9001:2015 is an international quality management system standard that is applicable to the service industry.  It provides a process approach to managing products and services with a customer focus.  It can be tailored to address multiple organizational business needs, including supply chain quality and regulatory requirements, within its context of the organization.

This standard is applicable for organizations of any size and in any number of industrial sectors.  Organizations certified to ISO 9001 can achieve a competitive advantage by showing their customer base that they apply quality management principles in the conduct of business.

Every Business Model Incorporates Process

Processes are a part of every employee function.  Where those processes can be defined, consistent performance of tasks can be accomplished.  When team members have the ability to offer feedback into process improvement, they will be less frustrated by imposed systems that aren’t working as well as they should.  A frustrated employee is less able to provide a positive experience to a customer, and satisfied customers mean a successful business.

Buy-in by all stakeholders is the backbone of a QMS, and it provides the inputs for continual improvement.  These inputs can then be documented to provide dynamic process development that can evolve as a business grows.

Offsetting Quality Management System Costs

Service Industry businesses often operate with tight margins.  The immediate perception for many is that a QMS is an expensive undertaking.  While some cost is involved, these costs can often be offset by savings in process efficiency.  They of course can also be offset by the increased profitability of a satisfied customer base. 

It is important to realize that a QMS is scalable to a business’s size and is built around the context of the organization.  This means that a QMS should be built around the specific boundaries, scope, and requirements of a business, which allows for a determination of the scope and complexity of a given company’s QMS.  When a thorough analysis is made, the argument could be made that a service industry business cannot afford to be without quality management.

Achieving the highest possible return on investment is important, regardless of which quality management systems standard your organization implements.  Taking advantage of all the features of that standard requires an understanding of Quality Management Systems and the growing number of requirements businesses face in their specific sectors.

CVG Strategy

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system.  That is because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have assisted organizations in establishing programs in ISO 27001, ISO 13485, ISO 14971, AS9100, and ISO 9001.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security, and Product Test and Evaluation.

Understanding CMMC Requirements for DoD Suppliers


Understanding CMMC Requirements is critical for businesses of all sizes in the defense industry.  This need is becoming more urgent as final release of CMMC 2.0 is expected to occur in 2023.  Failure to achieve an appropriate level of Cybersecurity Maturity Model Certification in a timely manner may impede an organization’s ability to participate in Department of Defense (DoD) contracts.

The Importance of Establishing a Standard for Basic Cyber Hygiene

The defense industry supply chain is reliant on the flow of data through a vast number of networks, both within and across multiple manufacturers’ systems.  Securing this data is essential for maintaining national security.  The rapid increase in cyber-espionage aimed at the industrial sector places this data at an increased risk.  While a number of cybersecurity approaches exist in the industrial sector, most are not appropriate or adequate for the protection of controlled and uncontrolled defense information.

CMMC 2.0 has been developed as a means of implementing a risk-based management approach with baseline requirements that are adaptive to changing cyber threats.  It also includes a certification process to ensure that DoD contractors comply with CMMC.  This will allow for the integration of companies of all sizes and at all levels to maintain the resiliency and integrity of the defense manufacturing supply chain.

CMMC Levels of Compliance

As opposed to CMMC 1.0, CMMC 2.0 has three different levels of CMMC compliance.  While Level 3 compliance is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization is using: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release.  This information is generally created in the development of a contract for a product or service. 

CUI, as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation.  The CUI definition does not include classified information.  It would therefore include unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

CMMC Level Requirements

  • Level 1 (Foundational) applies to organizations that deal solely with FCI.  Level 1 requirements for cybersecurity are based on requirements detailed in FAR 52.204-21.  These 17 controls protect contractor information systems by limiting their access to authorized users.
  • Level 2 (Advanced) applies to organizations that work with CUI.  Level 2 requirements include the 14 levels and 110 controls contained in NIST 800-171.  
  • Level 3 (Expert) applies to organizations working on high priority projects critical to U.S. national security.  Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced.  These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs). 

CVG Strategy’s Experience and Commitment

CVG Strategy is committed to the goals of CMMC in keeping our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Many organizations find it beneficial to integrate CMMC requirements into an Information Security Management System (ISMS) such as ISO 27001.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

It requires information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keep confidential corporate information secure. It encompasses people, processes and IT systems and helps your business coordinate your security efforts consistently and cost effectively.

Implementation of ISO 13485:2016 for Medical Devices


ISO 13485:2016 Applicability 

Implementation of an ISO 13485:2016 Quality Management System (QMS) is applicable to organizations involved with any of the steps in a medical device’s life cycle, including design, calibration, production, and disposal.  This voluntary international standard allows for the variances in regulatory requirements particular to the organization’s region of application.  Because ISO 13485 shares the basic structure of other QMS standards, it can be integrated into an overall management system.

Devices Under the Scope of the Standard

ISO 13485:2016 includes in its scope a large variety of medical devices with the exception of pharmacological and immunological products.  These include: equipment involved with diagnosis, prevention, monitoring, life support, disinfection, conception, and in vitro analysis of specimens.  Its reach extends to the associated services, software, processed materials, and support activities related to these devices.

The standard also addresses the control of the work environment in the medical device industry for sterile devices that require contamination control.  These controls address requirements for documented procedures for both facility and personnel.

Requirements for Design and Development

As can be expected, there are detailed requirements addressing the design and development of medical devices.  Firstly, verification should be conducted to confirm that the equipment performs as defined in design inputs.  These evaluations must be conducted using statistical techniques that include a rationale for sample sizes.  Furthermore, evaluations should be performed with the equipment connected to the equipment it interfaces with in regular use.

Validation evaluations are also required for medical devices.  These evaluations should be performed on representative equipment.  These validations can include clinical and/or performance evaluations in accordance with relevant standards.

As well as ensuring that a design is suitable for use, ISO 13485:2016 also has controls for ensuring that the product is suitable for manufacturing.  This step involves verification that the manufactured product can meet design requirements.

Purchasing Requirements for Medical Devices

Given the level of quality required for medical devices, it is understandable that implementation of ISO 13485:2016 places significant requirements on the procurement process.  It is therefore important that suppliers be selected based on their ability to meet an organization’s requirements.  Supplier performance should be regularly assessed, and the degree of diligence should be proportional to the associated risks.

Criteria for the evaluation of suppliers are to be established prior to the selection of suppliers.  These criteria can include product specifications, acceptance procedures, supplier personnel qualifications, or any other stipulations mandated by the QMS.

Once products have been purchased by the organization, their quality shall be verified according to documented processes.

Installation and Servicing Activities

Unlike many QMS standards, ISO 13485 includes requirements for organizations that install and service products.  The standard requires that installation and servicing be performed in accordance with documented procedures.  It also requires that these services be documented and records retained.  Furthermore, it is incumbent on the service provider to validate methods of installation and service.

Identification and Traceability of Medical Devices

Identification of devices is to be performed that can provide a unique identity of the product during all phases of its life cycle, including manufacturing, storage, and installation.  This should be performed in accordance with applicable regulations.

Generally, the standard requires documented procedures to maintain traceability of medical devices.  This requirement applies to manufacturers and customers of devices.  This traceability should protect medical devices from unauthorized alteration, contamination, or damage.

Monitoring and Measurement

Implementation of ISO 13485:2016, as with most QMS, requires establishing monitoring and measurement activities.  This standard is no different in that it places requirements on the organization to gather information that will provide feedback.  Here though, special attention is given to complaint handling.  For this standard, specific protocols are built around the handling of complaints including sharing of data with relevant third parties and regulatory authorities.

Corrective Action and Preventative Action (CAPA)

A major feature of ISO 13485:2016 is its Corrective Action and Preventative Action (CAPA) processes.  These processes correspond to requirements of the Food and Drug Administration (FDA) as defined in Section 820.100 of Title 21.

Corrective actions include the following:

  1. A thorough analysis of all involved processes and relevant documentation.  This should include a complete identification of existing and potential sources of nonconformity.  This analysis should utilize statistical methodologies to detect recurring issues;
  2. Identification of nonconformity causes;
  3. Identification of the actions required to prevent recurrence of the nonconformance;
  4. Conducting appropriate planning and documentation of actions;
  5. Ensuring through verification that actions taken do not have adverse effects;
  6. Conducting a review of actions to determine effectiveness.

Preventative actions include:

  1. The determination of potential nonconformities;
  2. The evaluation of actions to address the potential nonconformities;
  3. Documenting these actions;
  4. Conducting analysis to verify that preventative actions do not have adverse effects;
  5. Conducting regular reviews of these actions.

Additional Jurisdictional Requirements for Medical Devices

Medical Devices Regulation and the Food and Drug Administration (FDA)

In the United States, it is a requirement for manufacturers of medical devices to establish and comply with quality systems to ensure consistency in product quality.  Under the jurisdiction of the Food and Drug Administration (FDA), the Current Good Manufacturing Practices (CGMP) are defined under Part 820 of the Code of Federal Regulations Title 21.  Because this places additional requirements on organizations involved with medical devices in multiple countries, the FDA has signaled its intent to harmonize the U.S. Quality System Regulation with the international standard.

European Medical Devices Regulation

For organizations involved with medical devices in the European Union, the Medical Devices Regulation (EU 2017/745) establishes requirements beyond those stipulated in ISO 13485:2016.  These include additional risk analysis and management tasks specific to each individual device and a requirement for sufficient financial coverage to handle potential product liabilities.

CVG Strategy Can Help 

Given the potential risks of harm involved in the design and manufacture of medical equipment, requirements and regulations are rigorous.  Aside from ISO 13485 medical device manufacturers may also need to comply with:

CVG Strategy Quality Management experts can assist your organization in the Implementation of ISO 13485:2016.  Our team has helped organizations meet international requirements for many medical devices.

Our quality experts understand the importance of processes and process improvement.  We offer a variety of Quality Management services to assist in the implementation and continual improvement of effective systems that save money and ensure customer satisfaction.

Infrastructure and Manufacturing Cyberattacks Continue


Infrastructure and the manufacturing sector pose tempting targets for cyberattacks.  Widespread effects that can harm vast sectors of society can occur when these systems are compromised.

When considering cyber security, first thoughts usually go to computers and information technology, but industrial devices and processes can fall victim as well.  In May 2021 the Colonial Pipeline Company was targeted by a ransomware attack.  The pipeline supplied nearly half of the gas, diesel, and jet fuel to the U.S. east coast.  The outage resulted in over 10,000 gas stations being without fuel.

In a similar incident in 2019, the Cybersecurity and Infrastructure Security Agency (CISA) reported on a cyberattack that affected the Operational Technology (OT) of a natural gas compression facility.  This event led to a controlled shutdown that lasted for about two days.  The attack involved ransomware delivered using a Spearphishing Link.

The event was finally rectified when replacement equipment was installed and configurations reloaded.  Perhaps the biggest takeaway from this event is that the facility’s emergency response plan focused on physical emergency scenarios and that no plan was in place for cyber incidents. 

A Large and Serious Problem Not Easily Solved

Most industrial sites were constructed before the age of cybersecurity.  Where information technology has been introduced, legacy systems are often in place with little or no IT support.

Many facility managers and maintenance personnel have insufficient expertise in IT and the requisite cybersecurity protocols.  This has created systems with high vulnerabilities that are extremely difficult to secure.  These types of attacks have occurred at petrochemical facilities, and even nuclear power plants, making this a very real threat that extends beyond the immediate sites.

Risk Management and Cyber Security

Successful integration of risk management to address cybersecurity starts with establishing a program that defines the required processes.  These processes must include participation from external parties.

The management system should include functions that:

  • identify processes and assets that require protection
  • implement protections 
  • detect events and anomalies continuously
  • respond to events 
  • recover from events

Information Security Management Systems

An Information Security Management System (ISMS) is a collection of policies, procedures, and controls that systematically address information security in an organization.  It provides a framework to conduct risk assessment and risk management.  The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001. 

Because an ISMS is a management system, it incorporates mitigation strategies beyond technical solutions such as firewalls and anti-virus programs.  As such, an ISMS must be designed to the specific requirements and risk profile of an organization.  This includes the establishment of objectives for security controls and the identification of all information assets within the organization (this includes electronic data, people, and paperwork).

Once these steps have been accomplished a risk assessment can be undertaken to identify and rank vulnerabilities.  Involvement of all stakeholders is important in this process, including clients, customers, and supply chain participants.  Then the necessary policies and procedures can be developed taking into account the specific regulatory requirements applicable for an organization’s industry. 

These policies and procedures should not only involve mitigation strategies but should also include incident response procedures in the event that a data breach should occur.  As with many management systems, buy-in from all levels of an organization is required, starting at the top.  Once instituted, the program can be monitored, audited, and reviewed for effectiveness so that a continuous improvement cycle is in effect.

IoT Device Recommended Security 

IoT devices are widely used in industrial control technology, agriculture, military, and critical infrastructure applications.  IoT devices are functional, inexpensive, and easy to implement.  As a result there has been an amazing growth in this market.  Presently the global market value is in the trillions of dollars.

NIST has provided a list of six recommended security features that should be built into IoT devices to prevent infrastructure and manufacturing cyberattacks.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

CVG Strategy

Infrastructure and Manufacturing Cyberattacks will continue to pose a threat to the international community.

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global Lead Auditor, ISO/IEC 27001:2013) to ensure that you achieve ISO 27001 certification—on time and on budget.

ITAR Requirements – Export Compliance Program


Essential Features of an ITAR Compliance Program

International Traffic in Arms Regulations (ITAR) compliance is a requirement for companies entering markets with defense related applications.  To establish an effective ITAR compliance program all segments of a business must be involved.  Important features of an ITAR program include the following:

  • Registration with the Directorate of Defense Trade Controls (DDTC)
  • Establishing an Export Compliance Officer
  • An effective and continuous training program for all employees
  • Effective Cybersecurity
  • Visitor Access Control
  • A continuing review and evaluation of the ITAR program

DDTC Registration

DDTC registration is a requirement for organizations involved with the manufacture, export, temporary import, brokering, provision of technical services, or involved with technical data of ITAR controlled items as defined on the United States Munitions List (USML) Part 121 of the ITAR.

Export Compliance Team

The primary positions for the development and maintenance of a compliance program are the Empowered Official and the Export Compliance Officer.

The Empowered Official is an individual directly employed by an organization who is legally empowered to sign license applications.  The Empowered Official verifies the legality of transactions and has the authority to refuse to sign any license application.

An Export Compliance Officer (ECO) is the individual appointed by an organization who has prime responsibility and approval authority for the ITAR export compliance program.  As such, the ECO's duties include maintaining DDTC registration, submitting Technical Assistance Agreements (TAA), creating Technology Control Plans (TCP), ensuring that information and facility security are maintained, filing for temporary license exemptions, record keeping, and submitting Voluntary Disclosures.

Export Compliance Training

Regular training is required for all employees involved in an export compliance program.  Both the Bureau of Industry and Security (BIS) and the Department of State Directorate of Defense Trade Controls (DDTC) require it.

Cybersecurity Requirements

The security of classified and Controlled Unclassified Information (CUI) in the Defense Industrial Base (DIB) has long been a source of concern for the Department of Defense (DoD).  In response, the DoD established the Cybersecurity Maturity Model Certification (CMMC) framework, which sets cybersecurity requirements and basic cyber hygiene criteria for DoD contractors.

CMMC requirements are largely based on NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  There are, however, other requirements, including FAR 52.204-21.

Facility Security

Maintenance of site security is essential for the protection of information.  This includes control of facility access, signage marking limited-access areas, and visitor badges.

Review and Evaluation of the Export Compliance Program

The export compliance program should be audited and reviewed at regular intervals.  This review should be conducted with the participation of upper management.

The Risks of ITAR Violations

Companies looking for a quick fix often overlook the complexities involved in meeting ITAR requirements and place themselves in legal jeopardy.  The penalties for failing to comply with ITAR are severe: civil fines as high as $500,000 per violation, or criminal fines of up to $1,000,000 and 10 years' imprisonment per violation, as well as debarment from future exports and damage to the business's reputation.

Meeting ITAR Requirements Effectively

Meeting ITAR requirements effectively requires buy-in from the top down.  It must involve all employees.  It must ensure the security of a company's facilities and maintain control of sensitive data.

A properly established program can continually protect a business by integrating with the Quality Management System (QMS) so that it evaluates itself.  This provides a means to detect risks to ITAR compliance and adjust procedures accordingly.

CVG Strategy

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet ITAR requirements.  Smaller businesses often don't have the bandwidth to dedicate to adequate export compliance, so we offer outsourced Export Compliance Officer services.  We also offer signs and accessories to aid in Visitor Access Control on our ITAR Store.

CVG Strategy, LLC is recognized the world over as a premier provider of customized ITAR consulting and ITAR and export compliance programs and training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), the Office of Foreign Asset Controls (OFAC) regulations, and those of other regulatory agencies.

Cybersecurity Strategy and Business Management


Having a Cybersecurity Strategy is Essential

Having an effective cybersecurity strategy to protect information assets is a necessity in today’s business world.  News stories and alerts appear daily, informing us of yet another threat or data breach that has put at risk the valuable data and security of millions of people.  This endless pressure can lead to paralysis induced by fear, but fear is not a strategy. 

As Sun Tzu, author of The Art of War, said, "He who exercises no forethought but makes light of his opponents is sure to be captured by them."  Sadly, the modern business world is often too caught up in a tactical perspective at the expense of a strategic one.  Strategy involves vision, risk management, and a drive to move beyond the status quo.

Learn From Those in the Lead of Cybersecurity Strategy

Having accepted the need for action, one need not re-invent the wheel.  A number of organizations that must respond effectively are setting excellent examples.  The Department of Homeland Security (DHS) is one such example.

In its publication Cybersecurity Strategy, DHS lays out its plan of battle as a series of goals grouped under five pillars:

  1. Risk Identification
  2. Vulnerability Reduction
  3. Threat Reduction
  4. Consequence Mitigation
  5. Enabling Cybersecurity Outcomes

Risk Identification

Identifying the evolving nature of the threat landscape through a risk assessment can inform an organization of the scope of the problem and the nature of the cybersecurity strategy that must be employed.  Because the nature of cyber attacks is constantly changing, an effective strategy requires continuous monitoring, with the goal of improving existing processes and controls.

Vulnerability Reduction

For DHS, Vulnerability Reduction includes denying access to malicious cyber activity and maximizing collaboration between stakeholders.  This is an excellent practice for businesses as well.  Employing appropriate policies and working together with all departments, employees, customers, and vendors is an important part of an effective cybersecurity strategy.

Threat Reduction

DHS seeks to reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.  While such activities, as executed by DHS, lie well beyond the purview of most companies, employing effective technological and security systems to protect your organization's information is essentially performing the same task.

Consequence Mitigation

Having a plan for mitigating the effects of a cybersecurity incident is of extreme importance to a business, its vendors, and its customers.  Such responses must be planned for and coordinated across the board to minimize the damage as quickly as possible.  Because the nature of future incidents is unknown, strategies developed to address them should be flexible enough to allow adaptive solutions.

Enabling Cybersecurity Outcomes

This pillar is composed of two goals: To support policies and activities that enable improved cybersecurity risk management, and to execute these policies in an integrated and prioritized way.  

Examples of enabling outcomes include allocating resources to ensure proper cloud system configuration and ensuring that the software and hardware used do not expand the attack surface.

ISO 27001 Information Security Management System (ISMS)

Fortunately for businesses that are serious about developing a comprehensive cybersecurity strategy, ISO 27001 puts all of these principles into action.  It incorporates people, processes, and IT systems to coordinate security efforts consistently and cost effectively.  CVG Strategy can help your business develop a cybersecurity strategy that is appropriate to your business goals, culture, and marketplace.

CMMC Still on Schedule. Is Your Business?


CMMC Still on Schedule Despite Covid-19 Setbacks

The Cybersecurity Maturity Model Certification (CMMC) is still on schedule, according to articles posted by National Defense Magazine.  CMMC was developed by the Department of Defense and industry as an effective means of implementing a risk-based management approach to cybersecurity.  The first full release (Version 1.0) was published on January 31, 2020.

This approach to cybersecurity will be accomplished by establishing baseline requirements for vendors in the defense industry.  By the end of September 2020 the DoD required at least some companies to meet specified cybersecurity criteria when responding to requests for proposals.  By 2026 all new DoD contracts will require compliance.

Auditor Classes on Schedule as Well

Auditing of businesses involved in DoD contracts will be performed by qualified third parties, namely CMMC Third Party Assessment Organizations (C3PAOs).  Plans are still underway to get the first round of C3PAO classes running in May or June of this year.  These audits will be performed on site.

Businesses Urged to Get Started

Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition, commented that businesses should start implementing Level 1 requirements immediately.  She was quoted as saying, "CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure."  She also stressed the need for urgency, saying, "Waiting isn't an option for any of us right now."


SPRS Cybersecurity Assessment Requirements

To press companies toward compliance, and to keep the CMMC on schedule, the DoD issued an interim rule in September 2020 that added DFARS clauses 252.204-7019 and 252.204-7020 (alongside the existing 252.204-7012) to require NIST SP 800-171 DoD Assessments recorded in the Supplier Performance Risk System (SPRS).  This has left businesses, especially second- and third-tier suppliers, scrambling to meet the requirements.  The SPRS cybersecurity assessment applies to businesses providing products or services to the Department of Defense (DoD), with the COTS exception noted below, and must be completed by the contractor before a DoD contract can be awarded.

The assessment scores the NIST SP 800-171 security requirements using the NIST SP 800-171 DoD Assessment Methodology, which defines three assessment levels (basic, medium and high).  The interim rule requires a basic-level self-assessment to be completed by the contractor.  Medium and high assessments are conducted by the government.

Self-attestation to NIST SP 800-171 is already a requirement under current regulations; the interim rule, however, allows the government to inspect compliance more closely.  CMMC will not be required for Commercially Available Off-the-Shelf (COTS) procurements at or below the micro-purchase threshold.

NIST SP 800-171

NIST SP 800-171 forms the backbone of the CMMC's collection of cybersecurity best practices and controls for protecting Controlled Unclassified Information (CUI) in the DoD supply chain.  CMMC Version 1.0 itself is organized into five cybersecurity maturity levels:
  • Level 1 – Basic Cyber Hygiene
  • Level 2 – Intermediate Cyber Hygiene
  • Level 3 – Good Cyber Hygiene
  • Level 4 – Proactive
  • Level 5 – Advanced/Progressive

Each of these levels requires an organization to have a minimum set of controls in place.  To verify compliance, an organization will need to be audited by a CMMC Third Party Assessment Organization (C3PAO).

CMMC Controls

CMMC Version 1.0 comprises 171 practices (controls) involving people, processes, and technology, distributed across the five levels.  These include controls for access, configuration management, incident response, media protection, and situational awareness, among others.  While having these controls in place is essential, CMMC does not itself provide a means for effective management of these controls.

The Need for Effective Cybersecurity in Businesses is Very Real

As of the beginning of the year, an estimated $600 billion of economic output is lost to cyber theft each year.  A large part of this is attributed to the People's Republic of China and the Democratic People's Republic of Korea.  For businesses involved in the manufacture or development of defense materiel, this is especially concerning.

Because of Covid-19, many companies have had to institute remote work before establishing sufficient security protocols.  Companies are being urged to remain diligent.  Of late, many businesses have had problems with Zoom.  While Zoom is not alone with regard to vulnerabilities, its links to China make it a poor choice for members of the defense industrial base.

Concerns Over Industry Costs

In April 2021 it was announced that the Defense Department was conducting an "internal assessment" of the CMMC.  A number of voices have raised concerns about the cost of meeting CMMC for the smaller businesses among DoD contractors.  Among them is Lauren Knausenberger, the Air Force Chief Information Officer, who Fedscoop reported as having mixed feelings about locking out smaller, innovative suppliers.

CVG Strategy CMMC Consultants

CVG Strategy is committed to getting businesses on track and competent with cybersecurity.  The CMMC is still on schedule; is your business?  We are assisting businesses in performing their SPRS assessments and providing guidance on how to move forward.

Our Cybersecurity Consulting Services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). 

Interim CMMC Version Released After Leadership Change


An interim CMMC version was released on September 29, 2020, finishing off a tumultuous month at the CMMC Accreditation Body.  On September 2, 2020, two members of the Cybersecurity Maturity Model Certification Accreditation Board were voted off amid a conflict-of-interest controversy over a proposed pay-to-play arrangement.  Karlton Johnson is now the chairman of the board.

DoD Interim Ruling

The interim rule, which added DFARS clauses 252.204-7019, 252.204-7020 and 252.204-7021 to supplement the existing 252.204-7012, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors.  Among the changes is a requirement for vendors to complete a NIST SP 800-171 DoD Assessment using the DoD Assessment Methodology.

This assessment is to be completed by the contractor before DoD contracts can be awarded.  The DoD has encouraged contractors to respond immediately.

This assessment is based on a scoring methodology of security requirements.  The methodology is comprised of three levels (basic, medium and high).  The interim rule requires a basic level self-assessment to be completed by the contractor. 

Medium and high assessments are conducted by the government.  CMMC will not be required for Commercially Available Off-the-Shelf (COTS) procurements at or below the micro-purchase threshold.

Self-attestation to NIST 800-171 is already a requirement under current regulations.  However the interim ruling allows the government to inspect compliance more carefully.
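A worked scoring example for the basic self-assessment described in this article and in the "SPRS Cybersecurity Assessment Requirements" section of the previous one.  This is an added example, not code from the original page or from CVG Strategy.  It implements the scoring rules of the NIST SP 800-171 DoD Assessment Methodology (a 110-point start, 5-, 3- or 1-point deductions per unimplemented requirement, the two partial-credit cases for 3.5.3 and 3.13.11, and the system security plan prerequisite in 3.12.4).  The weight table it carries is an illustrative subset and an assumption for the example, not the methodology's full Annex A, and the sample findings are constructed.

```python
"""SPRS basic self-assessment scoring under the NIST SP 800-171 DoD Assessment
Methodology.  Added example; not code from the page or from CVG Strategy.

Rules implemented (summarised from the methodology itself):
  * Start at 110, one point per NIST SP 800-171 requirement, and subtract the
    weight (5, 3 or 1) of every requirement that is not fully implemented.
    Partial implementation earns no credit, with two exceptions:
  * 3.5.3 (multifactor authentication): subtract 3 rather than 5 when MFA is
    in place for remote and privileged users but not yet for general users.
  * 3.13.11 (FIPS-validated cryptography): subtract 3 rather than 5 when
    encryption is used but is not FIPS-validated.
  * 3.12.4 (system security plan): with no SSP the assessment cannot be scored.
  * The possible score ranges from 110 down to -203.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# ASSUMPTION: an illustrative subset of requirement weights.  The authoritative
# weights for all 110 requirements are in Annex A of the methodology; in real
# use load that complete table instead of this excerpt.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

MAX_SCORE = 110
MIN_SCORE = -203
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}   # only these may be scored as partial


class SspMissing(Exception):
    """3.12.4 not met: there is no system security plan to assess against."""


@dataclass(frozen=True)
class Finding:
    """A requirement that the self-assessment found not fully implemented."""
    req: str
    partial: bool = False   # honoured only for 3.5.3 and 3.13.11


def deduction(finding: Finding, weights: Dict[str, int] = WEIGHTS) -> int:
    """Points lost for one finding.  Unknown requirement IDs are an error, so a
    typo in the assessment input cannot silently inflate the score."""
    if finding.req not in weights:
        raise KeyError(f"unknown NIST SP 800-171 requirement {finding.req!r}")
    if finding.partial and finding.req in PARTIAL_CREDIT:
        return 3
    return weights[finding.req]


def sprs_score(findings: Iterable[Finding],
               weights: Dict[str, int] = WEIGHTS,
               has_ssp: bool = True) -> int:
    """Basic-level score: 110 minus the deduction for each distinct finding."""
    if not has_ssp:
        raise SspMissing("3.12.4 not met: an SSP is required before scoring")
    distinct = {f.req: f for f in findings}        # each requirement counts once
    score = MAX_SCORE - sum(deduction(f, weights) for f in distinct.values())
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the methodology's range")
    return score


def prioritize(findings: Iterable[Finding],
               weights: Dict[str, int] = WEIGHTS) -> List[Finding]:
    """Order the gaps for a plan of action by points recovered, highest first
    (sorted() is stable, so equal-weight gaps keep their input order)."""
    return sorted(findings, key=lambda f: deduction(f, weights), reverse=True)


# Constructed sample self-assessment: MFA and FIPS crypto partially in place,
# public-system CUI control and flaw remediation not in place.
SAMPLE_FINDINGS = [
    Finding("3.5.3", partial=True),
    Finding("3.13.11", partial=True),
    Finding("3.1.22"),
    Finding("3.14.1"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS):
        tag = " (partial)" if f.partial else ""
        print(f"  {f.req:<8} -{deduction(f)}{tag}")
```

Run directly, the script prints the score for the constructed sample and the gaps ordered by the points each would recover, which is a sensible first cut at a Plan of Action and Milestones.  A practitioner would replace the excerpted weight table with the full Annex A and feed in the organisation's own findings; the hard failure on an unknown requirement ID and the SSP check are there so that a data-entry slip cannot quietly produce a better score than the assessment supports.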

This new enforcement will become effective on November 30, 2020 and is a requirement for the award of government contracts.  This gives those affected little time to respond as the DoD is only receiving comments through November 22.

Supplier Performance Risk System (SPRS)

The SPRS is the DoD's web-enabled enterprise application that gathers, processes, and displays data about the performance of suppliers.  DFARS clause 252.204-7020 requires contractors to have a current assessment score posted in SPRS before award.  After completion, contractors have an opportunity to review their SPRS score and rebut the findings.

Background on CMMC

CMMC was created  by the Office of the Under Secretary of Defense for Acquisition & Sustainment as an effective means of implementing risk based management approaches to cybersecurity.  It is a cooperative effort between the DoD and industry and is  coordinated by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB).

The CMMC was enacted to place cybersecurity requirements on DoD contractors to achieve levels of cybersecurity maturity to protect Controlled Unclassified Information (CUI)  and Federal Contract Information (FCI) in the DoD supply chain. 

The CMMC Accreditation Body will approve CMMC Third Party Assessment Organizations (C3PAOs).  These third-party organizations, once accredited, will be authorized to conduct CMMC assessments and grant CMMC certifications.  The CMMC is still on target for full implementation in 2025.

Reactions to the CMMC Interim Ruling

There has been some disappointment voiced by federal contractors on the  immediacy of this change because the industry will, in effect, have limited ability to respond.  This is because this ruling was not published as a proposed draft. 

Additionally, many small business owners have expressed concerns about the increased cost of hiring third-party cybersecurity assessors to verify compliance with the National Institute of Standards and Technology (NIST) standard.  To many, these assessments seem redundant with the final requirements of the CMMC.

The Importance of a Secure Supply Chain

The security of the supply chain in the Defense Industrial Base is vital to the U.S.  There has been broad recognition of the lack of sufficient security among suppliers to the DoD.  As in other industries, defense contractors have been behind the curve on securing sensitive data.  Cyber supply chain risks include theft of information, tampering, and insertion of malicious software.

Hostile nation states, including China, Russia, Iran, and North Korea, are actively involved in theft and sabotage of DoD information.  Because of the inherent complexity of managing a multi-tiered, interconnected supply chain, it is essential to provide a uniform set of requirements for all members.  This latest revision to the CMMC is a stop-gap measure to shore up vulnerabilities until its full implementation is complete.

CVG Strategy

The interim CMMC version released at the end of September underlines the government's commitment to protecting the DoD from the very immediate and intrinsic threat of data breach.  In response to these developments, CVG Strategy is providing consulting services to help your organization ramp up to compliance with DFARS 252.204-7012 and NIST SP 800-171.

CVG Strategy will also provide pre-assessment training, implementation, and subject matter support as the final CMMC requirements roll out.