Training for Export Compliance – ITAR and EAR


Regular training for export compliance is more important than ever because of dynamic changes in export regulations and increased enforcement of those regulations.  CVG Strategy offers up-to-date training for the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).  Our training is interesting and engaging for participants and allows ample time for questions and clarifications.

Changing Global Dynamics Affect Regulations

The United States and its allies are increasingly using export controls to address national security and foreign policy objectives.  Several years ago, export compliance was generally considered a concern chiefly for providers of defense articles and defense services.  Now, the Department of Commerce has expanded controls on, and accelerated enforcement for, the dual-use items enumerated in the Commerce Control List (CCL).  This presents increased risk for exporters of non-military products.

Increases in Enforcement Activity of Export Regulations

U.S. export agencies are working together with the FBI, the Department of Justice, and the Department of the Treasury to ensure that controlled items and their associated technical data are not exported to restricted countries, entities, or individuals.  They are also drawing on the international intelligence community to further their objectives.

These intelligence partners, such as the Five Eyes alliance, use communications intelligence, geospatial intelligence, and human intelligence resources to identify and investigate potential violations around the world and support their enforcement.  Additionally, agencies are partnering with private sector entities to identify potential violations.

ITAR & EAR Education and Training

Regular training of all involved employees is a core element of an export compliance program.  Both the Bureau of Industry and Security (BIS) and the Department of State's Directorate of Defense Trade Controls (DDTC) identify it as such in their compliance program guidance.

Professionals new to export controls need to understand how and why exports are regulated.  They should be familiar with the key U.S. Government agencies and with the export regulations that could apply to their business.  They also need to understand which factors can trigger an export license requirement and the consequences of failing to comply.

Those with more experience in export law need to be aware of the constant changes in regulations and reinforce their understanding of the basic framework of export compliance.  Keeping current on changes in regulations and on best practices for achieving compliance is the best way to ensure that your company is maintaining its due diligence.

Training is Vital for Export Compliance Programs

The United States Government strongly recommends that businesses implement effective export compliance programs.  Where an export violation may have occurred, businesses are strongly encouraged to submit a Voluntary Self-Disclosure (VSD) in a timely manner.  When enforcing agencies assess these violations, businesses with viable export compliance programs generally receive mitigated penalties.  As mentioned, training is an essential part of any compliance program.

Employees at every level of an organization must understand their responsibilities in maintaining compliance and reporting any threats to that compliance.  Aside from remaining current on regulations, personnel should have their knowledge and awareness reinforced.  

CVG Strategy Export Compliance Course Description

This one-day webinar provides a fundamental overview of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).  It includes instruction and exercises on how to classify articles (products and technical data).  Additionally, it explains the key principles of the regulatory and statutory framework involved in export compliance.

Upon completion of this course, students are given a certificate of completion.

Subjects covered in this training include:

  • ITAR and USML (United States Munitions List)
  • EAR and CCL (Commerce Control List)
  • Registration with the State Department
  • ITAR and EAR technical data controls
  • ITAR and EAR licenses
  • Compliance and enforcement
  • Transition of hardware and technical data from the Munitions List (USML) to the Export Administration Regulations (EAR)
  • Regulation of brokering activities
  • Two sections on how to classify articles
  • Use of classifications to organize necessary controls under US Law.

CVG Strategy Export Compliance Management Programs

Recent comments from the DOJ stressed that export compliance programs should rank regulations involving national security high in their risk assessments.  Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.  Your business cannot afford to have its reputation ruined by a failure to comply with rapidly evolving regulations.

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements.  As BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments.  Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.  

CVG Strategy, LLC is recognized the world over as the premier provider of Export Compliance Consulting and Export Compliance Programs for businesses involved in export in the U.S. and Canada.  We also provide the essential training that keeps your team up to date on governmental regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), the Canadian Controlled Goods Program, and the requirements of the Office of Foreign Assets Control (OFAC) and other regulatory agencies.

Denied Parties Screening for Export Compliance


Denied Parties Screening is an essential practice for ensuring compliance with U.S. law.  Screening is performed to restrict or prohibit U.S. individuals and organizations from shipping products or providing services to parties on denial, debarment, and blocked persons lists.

Screening applies to all businesses regardless of product or service sector.  An organization is obligated to ensure that any transaction, where there is a transfer of money, is not destined to an individual or entity on a government watch list.  Screening also applies to businesses that only engage in domestic transactions, as individuals on these lists often reside in the United States.

The sanctions these screenings are designed to implement are often in effect regardless of an item or service’s export regulation classification.  Failure to perform a screening that results in the sale or transfer of an item, service, or information to a denied party or entity can result in civil fines, criminal fines, and imprisonment.

To illustrate the severity of failure to comply with these sanctions, the Department of Treasury’s Office of Foreign Assets Control (OFAC) has set, as of February of 2022, a maximum civil fine of $1,644,396 per violation of the Foreign Narcotics Kingpin Designation Act (FNKDA).

Who Should be Screened

Depending on an organization's business environment, screening may be required for the following:

  • Suppliers, Vendors, Subcontractors
  • Customers, Brokers, Financial Institutions
  • Employees, Visitors, Contractors, and Consultants

Conducting Denied Party Screening

U.S. Government screening lists are updated regularly.  These updates should be checked against an organization’s current database of customers, suppliers, employees (to include consultants and contractors), and visitors, to determine if any new matches may exist.  Records of these screenings should be maintained for a minimum of five years.

Should this periodic screening indicate that a party matches one or more of the denied parties lists, the organization's Export Compliance Official (ECO) should review the result to determine whether it is a false positive. 

If it is determined that the screen has correctly identified a person or entity, the organization should cease all involvement with that party.  This includes making efforts to stop any shipment which is in-transit to the matched party. 

If a transaction with a denied party has occurred, a Voluntary Disclosure to the appropriate federal agency should be initiated.  Voluntary Disclosures are usually treated as a mitigating factor when penalties are imposed. 

Screening Lists

The United States Government maintains the Consolidated Screening List (CSL) as an online consolidation of multiple export screening lists.  The CSL is updated daily and includes tools that can optimize results such as a “fuzzy name search”.  These tools allow for searches without knowing exact spelling of names.  The CSL provides downloadable files that are date stamped to allow accurate record keeping.

While this provides some benefits to an organization, it does not provide automation or easy integration into business systems and databases.
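The screening procedure described above (normalize names, fuzzy-match every party against the list, route hits to the ECO for a false-positive decision, and keep a dated record) is shown below as an added example.  It is not code from CVG Strategy or from the CSL service; the screening list, party database, list version string, and 0.80 threshold are all constructed for illustration and are not real CSL data.

```python
"""Denied-party screening with fuzzy name matching and an ECO review record.

Added example; the list entries and parties below are constructed and fictitious.
"""
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Constructed sample screening list (NOT real Consolidated Screening List data).
SCREENING_LIST = [
    {"name": "Acme Precision Components Ltd", "source": "Entity List"},
    {"name": "Ivanov, Sergei Petrovich", "source": "SDN List"},
    {"name": "Global Maritime Logistics GmbH", "source": "Denied Persons List"},
]

# Constructed in-house party database: customers, suppliers, employees.
PARTIES = [
    {"id": "CUST-001", "name": "ACME Precision Componets, Ltd."},  # typo + suffix variant
    {"id": "SUP-014", "name": "Sergey Ivanov"},                    # transliteration, name order
    {"id": "CUST-031", "name": "Global Maritime Lodging Inc"},     # probable false positive
    {"id": "EMP-200", "name": "Jane Doe"},
]

# Legal-form suffixes carry no identifying value and inflate mismatch.
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "gmbh", "co", "corp", "company", "sa", "ag"}


def normalize(name: str) -> list[str]:
    """Fold accents and case, strip punctuation, drop legal suffixes, return tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return [t for t in tokens if t not in LEGAL_SUFFIXES]


def name_score(party_name: str, listed_name: str) -> float:
    """Order-independent token similarity in [0, 1].

    Each token of the shorter name is paired with its closest token in the
    longer name (difflib ratio); the score is the mean of those best pairings,
    so "Sergey Ivanov" still scores high against "Ivanov, Sergei Petrovich".
    """
    a, b = normalize(party_name), normalize(listed_name)
    if not a or not b:
        return 0.0
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    best = [max(SequenceMatcher(None, s, t).ratio() for t in long_) for s in short]
    return round(sum(best) / len(best), 3)


@dataclass
class Hit:
    """One screening hit; the ECO fields are the review record to retain."""
    party_id: str
    party_name: str
    listed_name: str
    source: str
    score: float
    screened_on: str          # ISO date of the screening run
    list_version: str         # date stamp of the list file that was used
    eco_decision: str = "PENDING"   # PENDING | FALSE_POSITIVE | CONFIRMED
    eco_note: str = ""


def screen(parties, screening_list, list_version, threshold=0.80, today=None):
    """Screen every party against every list entry; return hits needing ECO review."""
    run_date = (today or date.today()).isoformat()
    hits = []
    for party in parties:
        for entry in screening_list:
            score = name_score(party["name"], entry["name"])
            if score >= threshold:
                hits.append(Hit(party["id"], party["name"], entry["name"],
                                entry["source"], score, run_date, list_version))
    return sorted(hits, key=lambda h: h.score, reverse=True)


def record_decision(hit: Hit, false_positive: bool, note: str) -> Hit:
    """Record the ECO's review; a CONFIRMED hit means all dealings must stop."""
    hit.eco_decision = "FALSE_POSITIVE" if false_positive else "CONFIRMED"
    hit.eco_note = note
    return hit


if __name__ == "__main__":
    # "csl-2022-02-01" is an assumed list-file date stamp, not a real file name.
    for h in screen(PARTIES, SCREENING_LIST, list_version="csl-2022-02-01"):
        print(f"{h.party_id:9} {h.score:.3f} {h.party_name!r} ~ {h.listed_name!r} [{h.source}]")
```

The threshold is deliberately low: the "Global Maritime Lodging" hit is almost certainly a false positive, but it is exactly the kind of near miss that should reach the ECO rather than be silently discarded, and the decision the ECO records on the Hit is what goes into the five-year retention file.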

Private Vendor Supplied Screening Tools

Private vendors supply Restricted Party Screening solutions that are affordable and modular.  These solutions interface with databases of persons and entities, perform screenings automatically, and alert users to changes in status.  They also provide more thorough searches across a wider set of lists than the CSL, and these searches can be tailored to integrate with a variety of business systems.

CVG Strategy Can Help

Export Compliance is an important subject for businesses engaged in sales of items that are intended for international sale or could result in international sales.  Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines.  It can also result in civil penalties and debarment from export activities.  Your business cannot afford to have its reputation ruined by a failure to comply.

CVG Strategy can help you understand the Export Administration Regulations and establish a coherent and effective export compliance system.  We can perform export control classifications, perform audits, and educate your team.  Regardless of whether your business falls under the EAR or the ITAR, CVG Strategy has the expertise to help.  Contact us with your export regulation questions.

FBI Concerns About TikTok User Data


FBI concerns about TikTok’s use of U.S. citizens’ user data were conveyed to the House Committee on Homeland Security by Director Christopher Wray.  The Chinese owned social media app currently has over one billion monthly users.  Among the FBI’s concerns is that the Chinese government could conduct influence operations with the app or use it to gain control of millions of user devices.

The Chinese government allows officials to obtain access to data held by companies.  According to Wray, Chinese state-sponsored cyber attacks have stolen more U.S. personal and business data than all other nations combined, and the bureau has seen an increase in cybersecurity cases.  It is estimated that ransomware alone cost U.S. businesses $1.2 billion in 2021.

Chinese Government Ties Not a New Concern

Former President Donald Trump attempted to ban TikTok in the United States in 2020 due to concerns for national security.  This executive order was revoked in 2021 by President Joe Biden. The Biden administration then asked the Treasury Department to investigate the app.  Consequently, the Committee on Foreign Investment in the United States (CFIUS) has been examining the risks and implications of TikTok’s continued activity in  the U.S. market. 

In 2020, the Department of Defense recommended that employees not install TikTok on their personal devices, or uninstall it if already present.  This was incorporated into Army, Navy, and Marine Corps policies.  These policies ban the app from all government phones because the app is considered a cyber threat.

Many private organizations are also banning the app on business owned devices and taking cybersecurity preventative measures such as blocking specific internet categories or domains.

Chief Concerns About TikTok

TikTok’s parent company ByteDance is a Chinese company.  The Chinese National Intelligence Law requires all organizations and citizens to cooperate with state intelligence activities.  The company collects sensitive information from millions of devices without the user’s knowledge or permission.  This data can include browsing history, geolocation, and file names. 

ByteDance also collects Personally Identifiable Information (PII) such as images, age, gender, and relationship status.  Additionally, it is alleged that the app collects various types of biometric data such as fingerprints, iris scans, and facial geometry.  On the whole, TikTok's data collection activities are seen by industry experts as far more intrusive than those of comparable apps.

Of even greater concern, TikTok has regularly been in violation of the Children's Online Privacy Protection Act (COPPA), which prohibits the collection of PII from children under the age of 13 without parental consent.  App content has also been a recurring concern.  A national group of state attorneys general has stated concerns that app content may pose a threat to the mental health of children. 

Aside from distributing content that is not appropriate for children, the app is also used as a propaganda device for the Chinese government, both by promoting influence content and by suppressing information critical of the nation's policies and actions.

CVG Strategy Cybersecurity Solutions

FBI concerns about TikTok illustrate the scope of the cybersecurity problem businesses are facing.  IT solutions alone are not sufficient to combat these forces.  Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident response, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations.  Our experts can tailor a program using a risk management process to identify information assets and interested parties.  We can create the documentation and provide the essential training to establish your Information Security Management System (ISMS) and guide you through certification audits.

CVG Strategy also provides consulting services for NIST SP 800-171 and CMMC certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

Restructured ITAR Streamlines Export Regulations


The Directorate of Defense Trade Controls (DDTC) has restructured the ITAR in an effort to streamline the regulations and clarify definitions.  While no substantive changes were made to the International Traffic in Arms Regulations (ITAR), revisions to definitions may affect those under the regulation's purview.

Changes to Part 120 – Purpose and Definitions

Part 120 of the ITAR has been extensively reorganized.  It is now broken into three subparts, A through C: General Information, General Policies and Processes, and Definitions.  Subpart A – General Information details the purpose and legislative authority of the regulations.  Subpart B – General Policies and Processes provides an overview of general policies and processes within the regulations.  Subpart C – Definitions provides a centralized location for the terms used throughout the document.

Prior to this revision, definitions had been scattered throughout the regulations.  They are now arranged in Subpart C in a logical order, proceeding from broader concepts to narrower ones, and have accordingly been removed from other sections.  Additionally, these terms have been clarified and moderately reworded.  Examples of terms that have undergone revision include:

  • Defense Article
  • Defense Service
  • Technical Data
  • Public Domain
  • Compositional Terms
  • U.S. Person
  • Foreign Person
  • Regular Employee
  • Specially Designed
  • Export
  • Reexport

Missile Technology Control Regime

The Missile Technology Control Regime (MTCR) Annex which had previously been a part of the ITAR has now been removed in its entirety.  The content of this annex is now reflected with notations in the United States Munitions List (USML).  Articles enumerated in the USML that relate to MTCR controls are now annotated with (MT).  

CVG Strategy Export Compliance Services

Because the DDTC has restructured the ITAR, providers of military goods and services will have to make adjustments to their export compliance programs.  This will involve updating program documents and assessing the revised definitions to assure that compliance requirements are met and maintained.

CVG Strategy, LLC is recognized the world over as the premier provider of customized Export Compliance Consulting, Export Compliance Programs, and Training that address critical U.S. Government and Canadian laws and regulations, from the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) to the requirements of the Office of Foreign Assets Control (OFAC), the Canadian Controlled Goods Program (CGP), and other regulatory agencies.

CVG Strategy ITAR and Export Compliance experts have managed manufacturing and distribution businesses and have worked for multi-national organizations.  CVG Strategy's experts are not ex-government employees; they understand the needs and goals of small to medium-sized operations in managing compliance requirements.  They also have expertise in the implementation and maintenance of a wide variety of management system standards.

IoT Product Labeling Program for Cybersecurity


In an effort to improve cybersecurity in the United States, the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and other federal government agencies are initiating an Internet of Things (IoT) product labeling program for consumer devices.  This action is being taken under Executive Order (EO) 14028, Improving the Nation's Cybersecurity.

Defining Consumer IoT

As defined by NIST, an IoT device is a computing device with at least one sensor or actuator and at least one network interface.  These devices are usually components of larger systems that may have multiple backends or companion applications.  Because those other components can reach the IoT device and its data, the device is exposed to attacks originating from the system, the local network, or the internet.

Consumer internet of things cybersecurity is a growing issue of concern as their marketplace presence continues to increase.  Consumer IoT products include smart home devices, health monitoring devices, home security systems, fitness trackers, and transportation equipment.

Beyond the consumer realm, IoT devices are widely used in industrial control systems, agriculture, the military, and critical infrastructure.  There have been many incidents in recent years where these devices were attacked and operations disrupted, such as the recent intrusions at water treatment facilities.

Baseline Criteria for Product Labeling

NIST is recommending the following baseline criteria for IoT product systems and devices:

  1. Asset Identification: IoT products should be uniquely identifiable, and the product should be able to maintain an inventory of all of its components.  This supports asset management, which in turn supports the ability to update, protect data, and perform digital forensics for incident response.
  2. Product Configuration: There should be a method to restore the product to secure default settings.  Additionally, configuration changes should only be possible for authorized individuals, services, and other IoT product components.  This allows secure tailoring of the product as defined by the user.
  3. Data Protection: The product should protect the sensitive data it stores and transmits across all of its components.  This supports the Confidentiality, Integrity, and Availability (CIA) requirements of information security.
  4. Interface Access Control: Logical access to local and network interfaces, and to the protocols and services those interfaces use, should be restricted to authorized individuals, services, and IoT product components.  This preserves confidentiality, integrity, and availability by preventing unauthorized access and modification.
  5. Software Update: All components should be capable of receiving software updates to address vulnerabilities discovered after the product has been sold.
  6. Cybersecurity State Awareness: The product should capture and store data that can be used to detect cybersecurity incidents.  
  7. Documentation: The product developer is responsible for creating, gathering, and storing cybersecurity information about the product prior to release and throughout the life cycle of the IoT device or system.
  8. Information and Query Reception: The product developer must be able to receive cybersecurity information relevant to the product, including vulnerability reports, from customers and other sources.
  9. Information Dissemination: The product developer must alert customers and the public to relevant cybersecurity information about the product.
  10. Product Education and Awareness: Customers should be informed of best practices for using the IoT product securely.

Product Developer Risk Management

Product developers need to make assessments based on the specific risks of a product, because IoT products are diverse and can be tailored in numerous ways.  A risk-based approach provides the flexibility to support new products and technologies and changing risk, and it lets the developer or assessor base their judgments on the mitigations that are actually appropriate.

Use of Existing Resources Moving Forward

Implementation of the IoT product labeling program will use existing standards and programs, including international standards such as CTA 2088 and ETSI EN 303 645.  Harmonization of conformity assessment schemes will benefit developers, customers, and assessors.  NIST also recommends periodic usability testing of the label with a wide variety of consumers.

Consumer Education 

NIST has recommended that a consumer education campaign be conducted to raise awareness of the IoT product labeling program and the significance of proper cybersecurity protocols.  This will benefit both the consumer and the marketplace and ensure greater protection of data.  

CVG Strategy Cybersecurity 

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including Exemplar Global certification as an ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification on time and on budget.

CVG Strategy is also committed to the goals of CMMC in keeping our defense manufacturing supply chain's information secure.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of flexible approaches to meeting CMMC requirements, establishing effective programs, and achieving certification.

Forced Labor Goods Banned from Xinjiang


The Department of Homeland Security (DHS) announced on September 14, 2020 that goods made with forced labor in China's Xinjiang region are now banned.  U.S. Customs and Border Protection (CBP) has issued Withhold Release Orders on products produced in Xinjiang.  In a statement, Acting CBP Commissioner Mark A. Morgan said the ban sends "a clear message to the international community that we will not tolerate the illicit, inhumane, and exploitative practices of forced labor in U.S. supply chains."

China’s Treatment of Uyghurs in Xinjiang

The Uyghurs are a native ethnic minority in the Xinjiang region of China.  Most Xinjiang Uyghurs are Muslims.  The Chinese government has detained between one and three million Uyghurs in "re-education" centers to undergo psychological indoctrination programs.  This program is considered the largest internment of an ethnic-religious minority since World War II. 

Along with torture, forced sterilization, and sexual abuse, Uyghurs are subjected to forced labor to produce a number of products, many of which are exported worldwide.  The Chinese Communist Party has used forced labor camps since the founding of the People's Republic under Mao Zedong in 1949.

Australian Strategic Policy Institute Report

An investigation conducted by the Australian Strategic Policy Institute concluded that local governments and private brokers were being "paid a price per head" by the Xinjiang government to organize the detention of Uyghurs.  While the Chinese government claims detention is used to combat religious extremism, many have been detained for praying or wearing a veil.  The report called on international companies to review their supply chains to ensure human rights are not being violated.

Xinjiang Forced Labor Goods Banned

In 2020 the U.S. Customs and Border Protection (CBP) was ordered to withhold the release of products from Xinjiang Uyghur Autonomous Region including:

  1. Forced labor products from Lop County No. 4 Vocational Skills Education and Training Center in Xinjiang.
  2. Products made with forced labor from the Lop County Hair Product Industrial Park in Xinjiang.
  3. Apparel produced by Yili Zhuowan Garment Manufacturing Co., Ltd. and Baoding LYSZD Trade and Business Co., Ltd in Xinjiang.
  4. Cotton produced and processed by Xinjiang Junggar Cotton and Linen Co., Ltd. in Xinjiang.
  5. Computer parts made by Hefei Bitland Information Technology Co., Ltd. in Anhui, China.

These goods are banned under Section 307 of the Tariff Act of 1930 (19 U.S.C. 1307).  This statute prohibits the importation of all goods and merchandise mined, produced, or manufactured wholly or in part in any foreign country by forced labor, convict labor, and/or indentured labor under penal sanctions, including forced child labor.  

China’s Continuing Trade Issues

China has been under increased scrutiny by the international community.  This is resulting in increased trade barriers being imposed by the United States. 

  • BIS placed Chinese companies involved in building artificial islands in the South China Sea on the Entity List, thereby preventing them from receiving U.S. exports. 
  • Hong Kong's special status was revoked by the Commerce Department due to the crackdown on dissidents. 
  • The U.S. restricted Huawei's access to U.S. semiconductor design and manufacturing capabilities.
  • Numerous parties and entities were placed on the Department of Commerce Military End User (MEU) List.
  • Members of the Senate called for the Federal Retirement Thrift Investment Board (FRTIB) to exclude Chinese companies from its investment funds.
  • Withhold Release Orders were issued on silica-based products from Chinese solar suppliers.
  • Export restrictions were imposed on 64 companies and police departments associated with abuses against Uyghurs, Kazakhs, and other Muslim ethnic minorities.
  • Visa bans on officials complicit in Chinese human rights violations.
  • Investment bans on companies involved in these human rights violations.

International Response to Crimes Against Humanity

In response to these human rights abuses, China has been facing increasing pressure from the international community.  In September 2022, the United Kingdom barred the Chinese delegation from viewing Queen Elizabeth II's lying-in-state.  The U.K. has placed import bans on products made in Xinjiang and has sanctioned perpetrators of human rights violations in the region.  

In August of 2022, the United Nations finally released its report on human rights abuses in the Xinjiang Uyghur Autonomous Region.  These findings, which China has taken great exception to, confirm what the European Union and United States have long held. 

These reports are expected to bring further action by the European Parliament against China.  Such action could include targeting complicit individuals and entities, increasing fines, introducing a human rights due diligence law, and taking steps to protect Uyghurs and other residents of East Turkistan.  The EU has already coordinated sanctions against perpetrators of human rights abuses against Uyghurs.

On the multilateral front, aside from the United Nations and the EU, the Organization of Islamic Cooperation and the G7 have condemned China’s human rights violations.  

Specific nations taking a stance against China’s actions include Canada, the Czech Republic, Germany, Italy, Japan, Lithuania, Malaysia, the Netherlands, Norway, Sweden, Switzerland, Taiwan, and Turkey.

Conclusions

China is facing growing pressure both internationally and within its own borders in response to failed policies.  This is making the prospect of conducting business with organizations and entities in the nation less attractive.  Organizations considering imports, exports, or investments involving China must now weigh the nation's continued lack of stability as it attempts to cope with numerous issues.  Additionally, the nation's activities abroad, including extensive cybercrime, demonstrate the need for vigilance in dealing with an increasingly hostile nation state.

CVG Strategy Export Compliance Expertise

CVG Strategy export compliance can assist your team with consultant services including classifications and license applications.  We can also tailor an export compliance program to fit the specific needs of your organization.

While many export compliance providers offer programs geared toward compliance with a single set of regulations, CVG Strategy offers a harmonized program that will ensure that your company is compliant with all applicable regulations.  Furthermore, we consolidate this program into a collection of documents that can be integrated into a quality management system.

The CVG Strategy team has over 20 years of experience in U.S. export controls.  We can help you develop an ITAR Compliance Program appropriate to your organization's requirements and provide training to prevent violations.  We also have the experience to provide guidance when unforeseen incidents do occur and to develop strategies to prevent future violations. 

Iranian Cybersecurity Threats Continue Worldwide


The Truth About Iranian Cybersecurity Threats

Given recent headlines, one might conclude that Iranian cybersecurity threats were a new development.  In fact, Iran has been a player in the international cyber arena since 2002, when the Ashiyane hacking forum was formed and used to repress dissidents.  By 2007, government-backed organizations had begun to develop sophisticated tools and engage in active campaigns. 

As reported by the Carnegie Endowment for International Peace, Iran's first major international act was to attack Twitter in December of 2009 to disrupt the efforts of the Iranian Green Movement, which was working against the reelection of Mahmoud Ahmadinejad.  Two years later, Iranian efforts resulted in one of the largest data breaches in internet history when a hack on DigiNotar gave the Iranian government access to Gmail users in Iran.

Cybersecurity Threats to Businesses

As Iran's skills in cyber attacks developed, its focus expanded to international businesses.  In 2012 an alleged virus was launched against Saudi Arabia's Aramco oil conglomerate.  Iran also conducted denial-of-service attacks against U.S. banks.  This trend in Iranian cybersecurity threats is continuing to grow.

The Iranian hacker group OilRig has focused primarily on private industry targets and managed to breach Las Vegas Sands in 2014.  Another group, Iranian Dark Coders Team, has focused on cyber-vandalism by defacing industry sites with pro-Iranian propaganda.

Recent Iranian Cyberattacks Against Albania

Albania has accused the Iranian government of multiple cyberattacks that have disrupted the Albanian government.  These attacks included targeting the Total Information Management System, which is used to track data on parties leaving and entering the nation.  According to prime minister Edi Rama, these same Iranian actors have been responsible for previous hacks against Albania.

The FBI and the Cybersecurity & Infrastructure Security Agency (CISA), in a joint cybersecurity advisory, confirmed these attacks against the government of Albania.  These attacks were executed between July and September of 2022 by Iranian state-sponsored cyber actors identified as HomeLand Justice.  These attacks included the use of ransomware-style file encryption and disk-wiping malware.  Initial access was accomplished by exploiting an Internet-facing SharePoint server.

The U.S. Department of Treasury has imposed economic sanctions against HomeLand Justice and Esmail Khatib, who is linked to the Iranian Ministry of Intelligence and Security.  These sanctions have been enacted in reaction to cyberattacks and various anti-humanitarian crimes against the nation's citizenry.  Aside from the imposed sanctions, these actions place any possible nuclear deal with Iran in jeopardy.

Other Iranian Hacking Activities

Here in the United States, federal authorities have indicted three Iranian individuals for cyberattacks.  These attacks used ransomware against critical infrastructure targets, including power companies.  The campaigns were coordinated efforts of the Iranian government and the Islamic Revolutionary Guard Corps.

Internationally, Iran has been actively targeting both individuals and entities in the public and private sectors.  Such activities have been reported in Canada, Australia, and the United Kingdom.  According to reports from Israel, the Israel Defense Forces (IDF) claim that cyberattacks against Israel more than doubled in 2022.

Iranian cybersecurity threats are changing in that more state-run organizations are being utilized.  In the past, Iran had largely depended on outsourced hackers.  Now, as the country develops its talent resources, more groups like HomeLand Justice and APT42 are being identified as operating directly under the Islamic Revolutionary Guard Corps.

International Threats

In truth, there are few innocent nation states in the cyber attack world.  There has been an invisible and silent international state of war in the cyber world for decades.  Those that pose the greatest threat to businesses in the United States include the People's Republic of China, Russia, and North Korea.  These players continually seek to disrupt businesses and steal vital and sensitive information.

Cyberattacks initiated by nation states normally fall under four categories: disinformation and propaganda, espionage, terrorism, and sabotage.  While these activities are often discovered and attributed to countries, as of now, little public retribution is to be expected.  We are in a world of war in the shadows where nefarious exploits can have very real and harmful effects.

The Larger Cybercrime Situation

International trends in cybercrime show an increasing sophistication by both organized crime and hostile nation states. These cybercriminals are continuing their efforts against high-value targets that include the industrial, IT, and infrastructure sectors. This activity is occurring at a time when many organizations are struggling to develop integrated cybersecurity solutions.

Many industrial sectors have been reluctant to adopt systematic approaches to cyber hygiene.  Effective cybersecurity for organizations must include an Information Security Management System (ISMS).  An ISMS is a collection of policies, procedures, controls, and incident responses that systematically address information security in an organization.  It is a framework based on risk assessment and risk management.

This has been the case with numerous businesses in the United States contracting with the Department of Defense (DoD).  In 2020, the interim rule, DFARS 252.204-7012, placed cybersecurity requirements on DoD supply chain contractors and vendors to demonstrate compliance with NIST SP 800-171 under the DoD assessment methodology.

Cybercriminals control a vast underground economy worth trillions of dollars a year.  Hacking enterprises offer their services for hire and sell stolen private and proprietary data online.  These players specialize in specific methods to meet their clients' needs.  Beyond the hackers, dealers of stolen data create wealth to fund other activities, including human trafficking.

CVG Strategy ISMS Solutions

Businesses worldwide are under attack from players that are well funded and very focused on compromising proprietary data.  CVG Strategy can help you attain an ISO 27001 certification.  This can help you demonstrate a commitment to data security through an internationally recognized process. IT solutions alone are not sufficient to combat these forces. 

Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations.  Our experts can tailor a program using a risk management process to identify information assets and interested parties.  We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

CVG Strategy also provides consulting services for NIST 800-171 and CMMC Certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

Preparing for ISO Audits in Your Organization


Preparing for ISO audits can greatly enhance the quality of information received from the process.  This information can provide insights for improvements in the organization and increased efficiency.  Regardless of the standard being employed, some simple steps can be taken to get the desired results.

ISO Standards

The International Organization for Standardization (ISO) publishes and maintains numerous standards that allow organizations to manage their businesses.  These standards address product quality, environmental management, health and safety, information security, and other subjects.  Many of these subjects are specific to industry sectors such as medical equipment and food safety management.

Some popular standards include:

  • ISO 9001:2015 Quality Management Systems
  • ISO 27001 Information Security Management Systems
  • ISO 13485 Medical Devices

Because these standards are recognized internationally, they provide a competitive advantage to organizations that achieve and maintain certification.  They are also, in many industries, a requirement for providing products or services.  Regardless of area of focus, these standards share a common structure that provides management review of business processes.  These reviews incorporate findings from auditing processes.

Types of Audits

There are three types of ISO audits: first-party audits, second-party audits, and third-party audits.

First-party audits are performed within an organization to assess strengths and weaknesses.  This can serve to identify areas of noncompliance so that corrective actions can be taken.  These internal audits are usually conducted by employees of the organization who assess processes they are not directly involved in, to ensure an unbiased analysis.

Second-party audits are provided by an external entity.  These external audits can be requested by a customer to confirm that an organization is performing as required.  They can also be initiated by the organization itself to provide a gap analysis or to determine whether the organization is in compliance and ready for certification.

Third-party audits are conducted by external auditors to certify the organization to the standard being implemented.  These certification audits ensure that the organization's operations are in compliance with the requirements of the standard.  They will examine processes to see if they are being implemented as they are documented.  They will also assess whether the management system has buy-in from upper management and is sufficiently resourced.

Preparing for Audits

Internal Audits

To ensure an effective internal audit, care should be taken to clearly identify what aspects of the program are to be evaluated.  Audit criteria and scope should be clearly defined to determine the role of the internal audit.

Those being interviewed during the audit should feel free to speak openly.  To encourage this, employees should understand that an audit is an opportunity for an organization to improve processes and efficiencies and that their feedback is important to that end.

External Audits

The same preparations taken for internal audits should be taken with external audits.  Additionally, an external auditor, by definition, will not be as familiar to your organization and its processes.  The organization’s representative should be well acquainted with the processes, work instructions, forms, and attachments that will be reviewed.  The representative should also be aware of which individuals are engaged with the processes to be audited.

Conclusion

Preparing for ISO audits should be a routine activity in an organization.  Knowledge of the specifics of a given program is essential.  It is important to understand that the essential takeaway from any auditing report is an honest evaluation that identifies opportunities for growth and improvement.

CVG Strategy Experts

Our Exemplar Global Lead Auditor Consultants can help you with integrating multiple management systems.  CVG Strategy has prepared, trained and implemented management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security, and Product Test and Evaluation.


Quantum-Resistant Cryptographic Algorithms NIST


The National Institute of Standards and Technology (NIST) announced that it had selected four quantum-resistant cryptographic algorithms to address concerns about quantum computer cyber attacks against current encryption technologies.  The selection was made from submissions to NIST's post-quantum cryptography standardization project.

The Emerging World of Quantum Computing

Quantum computers utilize certain phenomena of quantum mechanics to perform computational problems.  Although current quantum computers are unable to outperform standard computers, this technology will eventually dramatically outperform today's technology.  This is especially the case in operations such as integer factorization, which is central to current encryption technologies.

Current public key encryption systems rely on the difficulty of integer factorization.  These systems generate keys using the product of two large prime numbers.  As cryptography is a central tool for protecting the confidentiality and integrity of digital information, it is critical to create and adopt quantum-resistant cryptography standards.  One of the criticisms leveled at current cryptography is that algorithms are not validated or internationally standardized.
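To make concrete why the security of today's public keys rests on factoring, here is a toy RSA-style key pair built from the product of two primes, followed by a recovery of the private key from the public key alone by factoring the modulus. This is an added illustration, not code from the article or from NIST; the primes, message and trial-division factoring routine are constructed for the example and are deliberately tiny so the factoring step finishes instantly, whereas a real key uses primes of a thousand or more bits that classical factoring cannot handle but a large quantum computer running Shor's algorithm could.

```python
"""Toy illustration of why integer factorization underpins RSA-style keys.

Added example (not from the original article). The primes are tiny on purpose so
that factoring the modulus is instant; the same key-recovery step is what a
large-scale quantum computer would make feasible against real-sized keys.
"""
from math import isqrt


def modular_inverse(e: int, phi: int) -> int:
    """Return d with (e * d) % phi == 1 using the extended Euclidean algorithm."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not coprime")
    return old_s % phi


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Build a key pair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)  # Euler's totient of n, known only if p and q are known
    d = modular_inverse(e, phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: int) -> int:
    n, e = public_key
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def factor_by_trial_division(n: int):
    """Recover (p, q) from n. Only feasible here because n is tiny (constructed demo)."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no non-trivial factor found")


def recover_private_key(public_key):
    """Given only (n, e): factor n, recompute phi(n), and rebuild the private exponent."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, modular_inverse(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed demo primes; real keys use primes hundreds of digits long.
    public, private = rsa_keygen(1009, 1013)
    ciphertext = rsa_encrypt(public, 12345)
    print("round trip:", rsa_decrypt(private, ciphertext))          # 12345
    print("recovered == private:", recover_private_key(public) == private)  # True
```

The point for planning is that every RSA-style key in use shares the same structure: whoever can factor n can rebuild d, so the migration to lattice- and hash-based schemes is about removing that dependency rather than increasing key sizes.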

Application Specific Cryptographic Solutions

Cryptographic systems are used in a variety of applications in cybersecurity.  NIST has selected the four algorithms to address specific applications.  One algorithm, CRYSTALS-Kyber, is intended for general encryption.  General encryption is used to secure websites.  Its advantages for this application are its speed of operation and the ease with which parties can exchange encryption keys.

NIST selected three other algorithms to address requirements for digital signatures.  Digital signature applications are used to verify the identity of parties.  They are often used for digital transactions or remote document signatures.  Those selected are CRYSTALS-Dilithium, FALCON, and SPHINCS+.  Of the three, CRYSTALS-Dilithium and FALCON were rated as the most efficient in operation.

Two separate technologies are used in these algorithms.  They rely on different families of math problems to generate keys and to sign or decrypt.  SPHINCS+ uses hash-based cryptography.  While this approach produces larger signatures and is slower, it is seen as valuable because it rests on a different mathematical foundation.  The other solutions implement mathematical problems based on structured lattices.
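The following is an added example, not from the article and not SPHINCS+ itself: a Lamport one-time signature, the simplest member of the hash-based family that SPHINCS+ builds on. It shows the two properties the paragraph attributes to hash-based schemes: security depends only on the hash function (here SHA-256, so no factoring or lattice assumption), and keys and signatures are large (256 hash-sized values per signature). The key-generation, signing and verification routines and the sample messages are constructed for this illustration.

```python
"""Lamport one-time signature over SHA-256 (added illustration, not SPHINCS+).

A private key is 256 pairs of random secrets; the public key is the hash of each
secret. Signing a message reveals, for each bit of the message digest, the secret
in that bit's position. Anyone can hash the revealed secrets and compare them with
the public key. Security reduces entirely to the one-wayness of the hash.
"""
import hashlib
import secrets

HASH_BITS = 256
HASH_BYTES = HASH_BITS // 8


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=secrets.token_bytes):
    """Return (private_key, public_key).

    private_key: list of 256 (secret_for_0, secret_for_1) pairs
    public_key:  list of 256 (H(secret_for_0), H(secret_for_1)) pairs
    """
    private_key = [(rng(HASH_BYTES), rng(HASH_BYTES)) for _ in range(HASH_BITS)]
    public_key = [(H(s0), H(s1)) for s0, s1 in private_key]
    return private_key, public_key


def _digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def lamport_sign(private_key, message: bytes):
    """Reveal one secret per digest bit. The key must never be reused: a second
    signature would expose secrets for both bit values at differing positions,
    which is why SPHINCS+ composes many one-time keys into a stateless scheme."""
    return [private_key[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(public_key, message: bytes, signature) -> bool:
    if len(signature) != HASH_BITS:
        return False
    bits = _digest_bits(message)
    return all(H(signature[i]) == public_key[i][bits[i]] for i in range(HASH_BITS))


def signature_size_bytes(signature) -> int:
    """Size cost the article mentions: 256 revealed secrets of 32 bytes each."""
    return sum(len(part) for part in signature)


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    msg = b"firmware image v1.2.3"  # constructed sample message
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig))              # True
    print("tampered:", lamport_verify(pk, msg + b"!", sig))    # False
    print("signature bytes:", signature_size_bytes(sig))       # 8192
```

Compare the 8192-byte signature and 16 KB public key with the few hundred bytes of an ECDSA signature and key; the size and the one-time restriction are the costs that SPHINCS+ engineers around with hash trees, and they are why the article describes the hash-based option as larger and slower but valuable as an independent fallback.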

NIST is Looking Towards the Future

New challenges emerge with every step in the evolution of technology.  Computer science is no different than any other technology in this regard.  As classical computers are replaced with large scale quantum computers, encryption algorithms will need to evolve.  Current public key cryptography has served the digital world well but will need constant improvement to ensure security.

As with other technologies, standardization and accepted means of validation are required to provide acceptable performance criteria.  To address this need, NIST is creating a post-quantum cryptographic standard.  The four selected algorithms will be central to that standard.  These new quantum-resistant cryptographic algorithms are still rapidly developing, and there will certainly be new solutions in the future.

NIST is currently on schedule to finalize the standard in two years.  This should provide the cyber community with better tools for securing vital and sensitive information.  In the meantime, NIST is encouraging information security experts to experiment with the new algorithms.  It is also suggesting that consideration be given to how these algorithms could be implemented.

As these solutions are still in development they are not, as yet, ready for integration into live cybersecurity programs, but cybersecurity practitioners would be well advised to familiarize themselves with the new technologies.  They can also act as messengers to inform their associates and users of the upcoming changes in public-key cryptography.  This will allow organizations to plan for the necessary allocation of resources to integrate quantum-resistant cryptographic algorithms into their systems.

CVG Strategy Cybersecurity Solutions

Businesses worldwide are under attack from players that are well funded and very focused on compromising proprietary data.  IT solutions alone are not sufficient to combat these forces.  Viable solutions include all stakeholders in an enterprise.  They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations.  Our experts can tailor a program using a risk management process to identify information assets and interested parties.  We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.
CVG Strategy also provides consulting services for NIST 800-171 and CMMC Certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

Integrating Multiple Management Systems – Goals


Integrating multiple management systems can provide businesses with a more coordinated approach to addressing a growing number of organizational concerns and responsibilities.  This integration can be accomplished prior to implementing a management system or after implementing any number of systems.  Once accomplished, an organization can realize enhanced planning, accountability, and reduction of costs.

The International Organization for Standardization (ISO) has published a handbook that outlines methods and approaches for performing these integrations.  This handbook also illustrates the potential benefits to an organization performing these implementations.

The Growth of Management System Standards

In recent years, management systems have been created to address the growing arenas of business involvement.  These arenas include quality, compliance, information security, energy, and environmental management.  Many of these standards are industry specific, but they all share similar formats.  These standards include:

These and other widely adopted international standards adhere to fundamental quality management principles that include a process approach to their specific areas.  As such they allow for organizational continuous improvement.

Reasons to Consider Integration

There are numerous benefits in integrating multiple management systems.  These benefits all lead to developing flexibility in adapting to new requirements and addressing the concerns of interested parties.

Eliminating Redundancies

Management systems share common requirements such as policies, processes, and resources.  They also share activities such as planning, training, management review, internal audits, and document control.  Reducing duplication of these requirements and activities can increase efficiency.

Consistency 

If systems are operated separately, they can work against each other and create confusion.  A single policy that incorporates all of the organization's objectives will facilitate consistency and avoid inter-tier friction.

Less Bureaucracy

Integration of management systems can streamline processes by reducing the number of personnel needed to maintain the system.  It allows for cross-functional teams that can break down inter-tier barriers.

Reduction of Costs

Maintaining multiple systems requires people, resources, and time, all of which relate to the bottom line.  Coordinated systems can consolidate assessment and audit processes, which can yield better efficiency.

Optimization of Processes and Procedures

Every process in an organization is interdependent with other activities and requirements.  Performing a regulatory process will require assurance that the information exchanged maintains confidentiality, integrity, and availability.  An action to address an environmental compliance risk should not compromise customer satisfaction.  These drawbacks can be avoided by optimizing processes and procedures to accomplish tasks across tiers.

Consolidation of Audits and Assessments

Functions like audits and assessments can be combined to reduce the effort spent on the maintenance of systems.  Aside from saving the resources that would be spent performing these activities multiple times, consolidation can provide information on how well linked processes work together.

Better Management Decision Making

Integrating multiple management systems reduces redundancies and allows for more consistent performance across areas of interest.  This increase in performance also extends to upper management.  Because processes are more interrelated, functional and departmental barriers are lessened.  This results in better communication.  

Decision making is further enhanced by assessments that are conducted on cross-linked activities.  These assessments provide a more holistic picture of an organization's performance.  Better data leads to better decisions.  These better decisions can thereby have a more positive effect across the board.

Tailoring an Integrated Solution

There are many factors to be considered when implementing an integration of standards.  Key among them is establishing which standards are to be used and what is the priority of those standards to the organization’s goals and interested parties.  Other factors include specific objectives and processes that have been selected for integration.  These variables will define the scope of the integration.  

Decisions can also be made as to whether implementation is to be conducted in one exercise or incrementally.  These decisions can be based on the size of the organization, the resources required for implementation, and the time required for completion.

Once the scope of the project has been defined, the interrelation of processes can be mapped clause by clause against the selected standards.  While there are variances from standard to standard, the intent of the clauses is the same.  This allows the clauses to be combined to follow the requirements of both the standard and the involved process.

This is of particular importance when integrating the plan, do, check, act components of a standard.  Proper implementation of these clauses will provide accurate monitoring of the process in question.  This in turn will allow for effective management decision making and create more positive effects as the system matures.

Conclusions

To effectively combine management standards, tailoring must be executed that addresses how each standard's requirements fit into the overall direction of the organization.  This can be accomplished through mapping.  This mapping will eliminate the creation of separate, standard-based focuses in the organization.  This will minimize redundancies and maximize synergies.

There are several approaches to mapping.  One such approach is the matrix technique, in which the requirements of the standards are mapped against an existing management system.  Another approach is to overlay common requirements and then link them with the corresponding components of a management system.



BIS Places Controls on Section 1758 Technologies


The Bureau of Industry and Security (BIS) places controls, pursuant to Section 1758, on technologies whose export may threaten U.S. national security and foreign policy objectives.  As of May 23, 2022, the BIS announced that it would no longer classify those controlled technologies as emerging or foundational.  This action provides the agency with flexibility in requiring export licenses for those technologies.

Commerce Control List Revisions

On August 15, 2022, the BIS revised the Commerce Control List (CCL) to implement controls on specific technologies.  These actions were taken to reflect decisions made by nations participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

These actions are being taken because these types of devices have significant potential for use in military applications.  Affected ECCN classifications are listed in Document Number 2022-17125.

Controls Placed on Specific Types of Semiconductors

The BIS added export controls on two substrates of ultra-wide bandgap semiconductors.  These semiconductor materials include gallium oxide and diamond substrates.  These materials are typically used in semiconductor devices intended for use in severe conditions where high temperatures and voltages are present.

Electrical Computer Aided Design (ECAD) Tools

ECAD software tools are used in the design process of integrated circuits and printed circuit boards.  They are currently widely used in aerospace and military applications in the development of Gate-All-Around Field Effect Transistors (GAAFET).  These devices are essential in electronics designs scaled to 3 nanometers or less.  Controls have been placed on these tools because they are ideal for the development of military and communication satellite applications.

Pressure Gain Combustion (PGC) Devices

Pressure Gain Combustion is being utilized to achieve higher efficiencies in gas turbine power systems.  As such, it can be used in the development of high-speed applications such as hypersonic air-breathing propulsion systems.

The Growing Role of Export Administration Regulations

Many assume that the Export Administration Regulations (EAR) are of less significance than the International Traffic in Arms Regulations (ITAR).  While the ITAR controls the export of articles specifically designed or otherwise intended for military end-use, the EAR controls dual-use items that could be used for commercial and military applications.  As shown in the examples above, these dual-use items are of immense importance to national and international security.

The BIS has been changing its scope and enforcement policies in recent years to address the increased complexities of the international political arena.  Export Administration Regulations have continually been changing as more items are being added to the Commerce Control List (CCL).  Additionally, the agency has increased its focus on the use of sanctions and denied parties lists to protect these sensitive technologies.

The Complexities of Export Compliance

As the BIS places controls on a growing number of technologies, it poses challenges for organizations involved in export transactions.  If a business produces or provides military articles or services, there is at the very least an understanding that ITAR export controls will probably be in place.  For those involved in dual-use items however, the requirements for export compliance are much less clear.

The CCL, in which controlled items are enumerated, has extremely fine distinctions based on highly technical criteria for the determination of export controls.  For those items with controls there are further complications based on the nation or individuals to whom the items will be exported.

The fact is that the EAR requires all companies to self-classify their products and services in order to determine the degree of control necessary for restricted articles as they are listed in the CCL.  These regulations apply to manufacturers, service providers, distributors, engineering companies, freight forwarders, and brokers.  Additionally, if an organization deals in controlled articles or services it must maintain a viable export compliance program.

CVG Strategy Export Compliance Expertise

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet ITAR and EAR rules and requirements.  As the BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments.  Because of this, we offer outsourced Export Compliance Officer services.  We also offer signs and accessories to aid in Visitor Access Control in our ITAR Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized ITAR Consulting and ITAR & Export Compliance Programs and Training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), the Office of Foreign Assets Control (OFAC), and other regulatory agencies.


Florida State Cybersecurity Act Revision


Amendments to the Florida State Cybersecurity Act were signed into law on July 1, 2022.  These revisions illustrate the gap between desired levels of information security and attained levels in both the public and private sectors.

The Act, also known as the Cybersecurity Act, applies to the Florida Digital Service (FLDS) and the heads of state and local agencies in the state of Florida.  While the revisions are well intended, many will be difficult if not impossible to meet.  Therefore, further revisions will probably be required to adjust the legislation to accommodate the reality of government entities' operations.

A major provision is that fines and penalties are now established for parties that engage in ransomware attacks against government agencies.  Another development is that those agencies are prohibited from making payments or complying with ransom demands.  Additionally, and perhaps most importantly, the revision requires local governments to adopt cybersecurity standards in accordance with NIST and to train technology employees with access to highly sensitive information annually.

Reporting Requirements Under the Revised Act

The revised act now requires state agencies and local governments to provide after-action reports of ransomware incidents no later than 12 hours after discovery.  Reports are to be filed with the state's Cybersecurity Operations Center (CSOC), the Cybercrime Office of the Department of Law Enforcement, and the local sheriff.  The CSOC must then provide the Legislature and the Cybersecurity Advisory Council (CAC) with a consolidated incident report on a quarterly basis.

Information required to be reported to the CSOC by agencies includes:

  • a summary of the incident
  • date of most recent data backup
  • integrity of backed up data, and physical location of data
  • the types of data compromised
  • any estimated fiscal impact
  • ransom demand details

Other Florida State Cybersecurity Act Requirements

The revised legislation now requires that incidents be classified by severity based on the Department of Homeland Security's National Cyber Incident Response Plan (NCIRP).  The NCIRP rates incidents (defined as a violation or imminent threat of violation) on a 1-5 scale, with 1 being a low-level incident and 5 being an emergency-level incident.  The rating reflects the inherent impacts on public safety, governmental security, economic security, civil liberties, and public confidence.

Unintended Consequences of the Revision

Though well intentioned, these amendments could create significant issues, especially for smaller local governments.  Adoption of an effective cybersecurity program is a challenging task that requires significant effort and resources.  An example of this situation can be seen at the federal level, where adoption of the CMMC by the Department of Defense is causing distress for smaller defense contractors.

Another potential issue is the number of agencies involved in an incident.  This could well hamper a swift and efficient response and resolution to incidents that pose high threat levels to a community.  

Overall, many items remain vague or undefined, which can lead to confusion and ineffective actions.  As an example, the term “highly sensitive information” is not defined in the documentation.  Levels and types of information assets need to be specifically defined in terms of NIST cybersecurity protocols.

CVG Strategy Cybersecurity 

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification—on time and on budget.

CVG Strategy is also committed to the goals of CMMC in securing our defense manufacturing supply chain’s information.  As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.

Export Regulations Due Diligence for Compliance


Exercising export regulations due diligence involves complying with complex sets of requirements set forth by multiple U.S. government agencies.  These agencies include the Bureau of Industry and Security (BIS), the Directorate of Defense Trade Controls (DDTC), the Office of Foreign Assets Control (OFAC), and the National Nuclear Security Administration (NNSA).

The International Traffic in Arms Regulations (ITAR)

The ITAR are a series of regulations that control the export of military related technologies.  The ITAR are administered by the DDTC which is an agency of the U.S. Department of State.  Defense articles, defense services, and related technical data that fall under ITAR jurisdiction are enumerated in the United States Munitions List (USML).

These regulations are in place to protect U.S. national security and foreign policy interests.  Therefore export transactions of these goods are subject to a high level of scrutiny.  Requirements for ITAR include item and service classification, applying for required licenses, protection of technical data, site security, visitor screening, and the screening of employees, contractors, and customers. 

Export Administration Regulations (EAR)

The Bureau of Industry and Security (BIS) manages Export Administration Regulations (EAR).  The EAR is a series of regulations that control the export of items that have the potential to fall under dual usage categories.  Dual usage refers to technology that can be used for both peaceful and military purposes. 

Before exporting a product that is subject to the EAR, a business must determine whether an export license is needed from the Department of Commerce.  This is done by determining the product’s Export Control Classification Number (ECCN).  All ECCNs are listed in the Commerce Control List (CCL).

BIS Best Practices for Export Regulations Due Diligence

BIS guidelines include the following best practices for maintaining due diligence for the EAR:

  1. Conduct a thorough assessment of your product’s potential application.  Even if an item would not require a license you should consider if there are any potential dual usage concerns.
  2. Always conduct a stringent vetting of new or unfamiliar customers and be on the lookout for any of the following “red flags”:
    • A new customer places an unexpected and/or high-value order for sophisticated equipment.
    • The customer is a reseller or distributor. In such cases, you should always inquire who the end user is.
    • The customer has no website or social media and is not listed in online business directories.
    • The customer’s address is similar to that of an entity listed on the Consolidated Screening List (CSL), or the address indicates the customer is located close to end users of concern, including being co-located with an entity listed on the Entity List.
    • Your customer places an order for an item to be delivered to a designated location and the buyer incurs the transportation costs.  In such cases, request that the freight forwarder provide you a copy of the Electronic Export Information (EEI) filing to ensure the information is accurate.

Screening Against Sanctions and Denied Parties Lists

Denied Parties Screening is an essential practice for ensuring regulatory compliance with U.S. law.  Screening is performed to restrict or prohibit U.S. individuals and organizations from shipping products or providing services to parties listed on denial, debarment, and blocked persons lists.

Screening applies to all businesses regardless of product or service sector.  An organization is obligated to ensure that any transaction, where there is a transfer of money, is not destined to an individual or entity on a government sanctions list.  Screening also applies to businesses that only engage in domestic transactions, as individuals on these lists often reside in the United States.  The sanctions these screenings are designed to implement are often in effect regardless of an item or service’s export regulation classification.
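The red flags quoted from the BIS guidance above and the denied-party screening just described are the two checks a compliance program applies to every order before it ships.  The following is an added example, not code from CVG Strategy, BIS or any real screening tool: the watch list, company names, addresses, order values and the transaction field names are all constructed for illustration, and the fuzzy-match and high-value thresholds are this example's own choices, not values from any regulation.

```python
"""Denied-party screening and BIS-style red-flag checks on one transaction.
Added example; not code from CVG Strategy, BIS or any real screening tool.
The watch list, names and addresses below are constructed for illustration."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watch list. A real program screens against the government
# lists themselves (e.g. the Consolidated Screening List and OFAC's SDN list).
WATCH_LIST = [
    {"name": "Acme Precision Components Ltd", "list": "Entity List",
     "address": "12 Harbour Rd, Port City"},
    {"name": "Jane Q. Example", "list": "SDN List", "address": ""},
    {"name": "Global Resale Trading Co.", "list": "Unverified List",
     "address": "88 Market St, Metropolis"},
]

# Corporate suffixes carry no identity and defeat naive exact matching.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "corp", "company",
                  "corporation", "gmbh", "plc", "sa"}


def normalize(text):
    """Strip accents, punctuation, case and legal suffixes so that
    'ACME Precision Components Limited' and 'Acme Precision Components Ltd'
    compare equal."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return " ".join(t for t in text.split() if t not in LEGAL_SUFFIXES)


def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen_party(name, threshold=0.85, watch_list=WATCH_LIST):
    """Return (list, listed name, score) for every watch-list entry whose
    normalized name is at least `threshold` similar; fuzzy matching catches
    misspellings and transliteration variants that exact matching misses."""
    hits = [(e["list"], e["name"], round(similarity(name, e["name"]), 2))
            for e in watch_list]
    return sorted([h for h in hits if h[2] >= threshold], key=lambda h: -h[2])


def check_red_flags(txn, watch_list=WATCH_LIST, high_value=100_000, addr_threshold=0.8):
    """Apply the red flags from the BIS guidance quoted above to one transaction.
    `txn` is a constructed dict; its field names are this example's own."""
    flags = []
    if txn["new_customer"] and txn["order_value"] >= high_value:
        flags.append("new customer placed a high-value order")
    if txn["is_reseller"] and not txn.get("end_user"):
        flags.append("reseller/distributor with no identified end user")
    if not txn["has_web_presence"]:
        flags.append("no website, social media or directory listing")
    for e in watch_list:
        if e["address"] and similarity(txn["address"], e["address"]) >= addr_threshold:
            flags.append(f"address resembles listed party '{e['name']}' ({e['list']})")
    if txn["buyer_arranges_freight"] and not txn["eei_copy_on_file"]:
        flags.append("routed shipment without a copy of the EEI filing")
    return flags


def disposition(txn):
    """HOLD the order for compliance review when there is any list match or
    red flag; CLEAR otherwise. Decision and reasons are returned together so
    they can be recorded in the transaction file."""
    matches = screen_party(txn["customer"])
    if txn.get("end_user"):
        matches += screen_party(txn["end_user"])
    flags = check_red_flags(txn)
    status = "HOLD" if matches or flags else "CLEAR"
    return status, matches, flags


# Constructed transaction: a new reseller with no web presence, ordering a
# high-value item, at an address that resembles a listed entity's address.
SAMPLE_TXN = {
    "customer": "ACME Precision Components Limited",
    "address": "12 Harbour Road, Port City",
    "new_customer": True, "order_value": 250_000,
    "is_reseller": True, "end_user": None,
    "has_web_presence": False,
    "buyer_arranges_freight": True, "eei_copy_on_file": False,
}

if __name__ == "__main__":
    print(disposition(SAMPLE_TXN))
```

The normalization step matters more than the matching algorithm: most missed hits in practice come from suffix, punctuation and case differences rather than from clever evasion, and screening the stated end user as well as the customer is what makes the reseller red flag actionable.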

Requirements for a Compliance Program

It is a requirement for organizations involved in international trade to implement and maintain viable export compliance programs.  While there are differences in requirements based on which series of regulations an export is controlled by, there are many common requirements.

A formal export compliance program should be documented and have the full commitment of upper management to execute, provide adequate resources, monitor, and maintain.  Training should be provided to enhance program awareness and provide adequate information to allow team members to perform their tasks within the program.  Screening activities should be performed against multiple lists to ensure that any party to a transaction is not on a watch or denied parties list.

CVG Strategy Export Compliance Expertise

Ensuring that export regulation due diligence is consistently performed by an organization requires implementation of viable export compliance programs.  Failure to comply with regulations can result in administrative and criminal penalties including imprisonment and loss of export privileges.

CVG Strategy has the compliance and training programs to help you meet U.S. export due diligence requirements.  We can also assist in item classifications, voluntary disclosures, Technical Assistance Agreements (TAA), and licensing applications.  CVG Strategy also offers signs and accessories to aid in Visitor Access Control on our ITAR Store.

CVG Strategy, LLC is recognized the world over as the premier provider of customized ITAR Consulting and ITAR & Export Compliance Programs.  We provide training that addresses critical U.S. Government regulations, including the EAR, the ITAR, and those of other regulatory agencies.

Collaboration and Quality Management – Teamwork


Collaboration and Quality Management are concepts that should come to mind together.  It can, however, be difficult to combine teamwork and quality management in a manufacturing or service process.  There are challenges involved in bringing all interested parties to the table and engaging them in working together to continuously improve products and services.  These challenges can be addressed in a properly implemented Quality Management System such as ISO 9001:2015.

Working Between Departments

Interdepartmental differences in priority, culture, and mindset can create barriers to effective collaboration.  Often these differences can create an adversarial perception between teams.  By establishing shared goals in achieving quality, trust can be developed that can dissolve these perceived differences. 

This is particularly important because honest feedback is a key component of the continuous improvement process.  This improved communication can create better working relationships between departments and increase cooperation in improving the overall efficiency of processes.  Additionally, this can nurture a better work environment that increases retention of skilled team members.

Collaboration Between Tiers

As with any business undertaking, success begins with the involvement of top management.  Leadership must implement a program that addresses the culture of the organization, while promoting a vision for improvement.  They should be fully committed to the concepts, goals, and processes of the Quality Management System (QMS) and must seek to understand needs and expectations of all interested parties.  Additionally, upper management must also communicate these goals and processes to the rest of the company and implement training as these change. 

Working With Suppliers

Establishing strong relationships with trusted and qualified suppliers is an excellent way to improve a business’s competitive performance.  By sharing quality management goals with an organization’s supply chain, clarification of roles and expectations can be accomplished.  This clarity can work to reduce risks by maintaining long term goals and strategies.  It can also provide improvements by identifying and eliminating waste, increasing process efficiencies, and reducing lead times. 

Developing Collaborative Processes

A good starting point for developing collaboration and quality management processes is during the design and development phase of a new product or service.  A properly executed design and development plan should consider inputs from a number of sources.  These would include sales and marketing, to communicate customer requirements.  It would also necessitate reviewing information from similar product developments in the past and considering the potential and limitations of emerging technologies.

Once an initial concept has been achieved, iterative design reviews can assess the adequacy of existing manufacturing facilities and manufacturing processes to produce a quality product.  Consideration can also be given to the ability of existing supply chain assets to provide required materials. 

CVG Strategy Experts

Our Exemplar Global Lead Auditor Consultants can help you with implementing a quality management system, which will include a risks and opportunities procedure.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies for over a decade.  We can assist in the implementation of ISO 9001:2015, AS9100, ISO 13485, and ISO 14971 programs among others.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.

NIST Cybersecurity for Business Applications


Integrating NIST cybersecurity for business applications into existing management system processes requires specialized implementation.  This is of special concern for organizations involved in contracting with the Department of Defense (DoD) that are adopting NIST SP 800-171 to meet Cybersecurity Maturity Model Certification (CMMC) requirements.  

A major issue in this integration is that the NIST cybersecurity framework was originally designed for U.S. Government federal agencies.  These agencies do not share the organizational challenges in managing information security that businesses face.  Businesses must balance a wide array of risks, including quality and regulatory risks, within a cohesive management system.  To address these concerns, NIST has released a series of reports that address cybersecurity risk management methodologies applicable to Enterprise Risk Management (ERM) systems.

NISTIR 8286 Reports

NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), is a series of three documents that provide guidance in establishing and maintaining a systematic approach to risk guidance, identification, and analysis applicable to business management systems.  Central to these reports is the differentiation of the roles of enterprise-level management and cybersecurity risk management.  It emphasizes the need for cooperation and collaboration of all parties in the establishment and operation of a Cybersecurity Risk Management System (CSRM). 

It describes a system whereby senior management provides a framework complete with scope, internal and external context, and essential requirements from stakeholders.  The CSRM is then tasked with controlling these risks and monitoring them in a Monitor, Evaluate and Adjust (MEA) cycle.

NISTIR 8286 goes further by describing an ongoing systematic approach to reporting findings back to Enterprise Risk Management.  This allows for notification of stakeholders as to the status of the program and evaluation of information security risks.  During this evaluation process, adjustments are made to the organization’s approach to risk management to better address the dynamic requirements of the organization.

NISTIR 8286A

NISTIR 8286A provides guidance for risk context, scenario identification, and determination of the impact and likelihood of occurrence for those risks.  It utilizes Cybersecurity Risk Registers (CSRR) and Risk Detail Records (RDR) to aid in identifying and managing these risks.

NISTIR 8286A describes the necessity of senior management to establish the scope, context, and criteria of the program.  It further describes the establishment of organizational structures, processes, and business systems relevant to accomplishing these mission objectives.

NISTIR 8286B

NISTIR 8286B provides guidance for organization and system level management to assign risk ownership, define specific risk descriptions, determine a response cost, and provide a priority for those risks.  Topics covered in this report include risk avoidance, risk transfer, risk mitigation, risk response, risk strategy, and implicit acceptance of risk.

NISTIR 8286C

Upon release of this post, NISTIR 8286C is published as a draft, although the public comment period has been closed.  This report describes methods for integrating information from the CSRM such that it can inform senior management and be implementable in the overall risk management process of the organization.  It emphasizes a continuous process for adjusting risk strategy and management activities.

ISO 27001:2013 Information Security Management System

ISO/IEC 27001:2013 is an international and widely accepted standard for an Information Security Management System (ISMS).  The role of an ISMS is to preserve the confidentiality, integrity and availability of information.  It accomplishes this task by applying risk management processes.  An effectively tailored program can meet this challenge because it is part of the organization’s processes and management structure. 

This standard provides the mechanisms and processes laid out in NISTIR 8286 and allows for an appropriate implementation of NIST cybersecurity for businesses.  When properly implemented, it can also provide processes for continual improvement.  

Implementation of an effective ISMS requires an assessment of the organization’s objectives, security requirements, and organizational processes.  These assessments include a consideration of the size and structure of the organization so that the ISMS is scaled to meet the needs of the organization.

Once these influencing factors have been defined, a risk assessment can be conducted.  This process should:

  • identify the information security risks
  • identify the risk owners
  • assess the potential consequences of an undesired occurrence
  • assess the realistic likelihood of the occurrence
  • determine the levels of risk
  • establish priorities for treatment of the risk (e.g. implementation of information security controls)
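The assessment steps listed above (identify risks and owners, assess consequence and likelihood, determine levels, prioritize treatment) and the register fields the NISTIR 8286A and 8286B sections describe (risk ownership, risk description, response type, priority) can be carried in one small risk register.  The following is an added example written for this post, not code from NIST, ISO or CVG Strategy: the 1-5 scales, the exposure bands, the risk appetite value, the response decision rule and the five sample risks are all constructed for illustration, and a real register would let the risk owner override the suggested response.

```python
"""Cybersecurity risk register with prioritization, response selection and an
enterprise roll-up. Added example modelled on the ISO 27001 assessment steps
and the NISTIR 8286 register fields named above; not code from NIST, ISO or
CVG Strategy. Scales, bands, appetite and sample risks are constructed."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class RiskRecord:
    """One register row: the fields the post lists for a risk detail record."""
    risk_id: str
    description: str
    owner: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (severe); constructed scale

    def __post_init__(self):
        # Reject out-of-range scores so a bad entry cannot distort the ranking.
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5")

    @property
    def exposure(self):
        """Risk level as likelihood x impact on a 1..25 scale."""
        return self.likelihood * self.impact


def risk_level(exposure):
    """Map exposure to the qualitative bands used in the ERM report (constructed)."""
    if exposure <= 4:
        return "Low"
    if exposure <= 9:
        return "Moderate"
    if exposure <= 15:
        return "High"
    return "Critical"


def recommend_response(record, appetite=6):
    """Simplified decision rule for the initial response; the risk owner reviews
    and may override it. Within appetite: accept. Severe and likely: avoid
    (stop the activity). Severe but rare: transfer (insurance, vendor terms).
    Everything else: mitigate with controls."""
    if record.exposure <= appetite:
        return Response.ACCEPT
    if record.impact == 5 and record.likelihood >= 4:
        return Response.AVOID
    if record.impact >= 4 and record.likelihood <= 2:
        return Response.TRANSFER
    return Response.MITIGATE


def prioritize(register):
    """Order the register for treatment: highest exposure first, ties by id."""
    return sorted(register, key=lambda r: (-r.exposure, r.risk_id))


def summary_for_erm(register):
    """Roll-up counts by band for reporting back to enterprise risk management."""
    counts = {"Critical": 0, "High": 0, "Moderate": 0, "Low": 0}
    for r in register:
        counts[risk_level(r.exposure)] += 1
    return counts


def sample_register():
    """Constructed register entries; owners and scores are illustrative."""
    return [
        RiskRecord("R-01", "Phishing leads to credential theft", "IT Manager", 4, 3),
        RiskRecord("R-02", "Ransomware encrypts file server; backups untested", "IT Manager", 3, 5),
        RiskRecord("R-03", "CUI stored on personal devices", "Program Manager", 4, 5),
        RiskRecord("R-04", "Public website defaced at hosting provider", "Marketing Lead", 2, 4),
        RiskRecord("R-05", "Printer firmware out of date", "Facilities", 2, 2),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        print(f"{r.risk_id} exposure={r.exposure:>2} {risk_level(r.exposure):8} "
              f"{recommend_response(r).value:8} owner={r.owner}")
    print(summary_for_erm(sample_register()))
```

Keeping the owner on every row is what turns the list into a register: the NISTIR 8286B step of assigning ownership is what makes the treatment priority actionable, and the roll-up by band is the form in which the CSRM reports back to enterprise management.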

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of adopting CMMC programs, CVG Strategy has developed an approach that combines the compliance requirements of CMMC 2.0 with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creation of internal auditing processes, and much more. 

Implementing ISO 9001:2015 Around Your Organization


Implementing ISO 9001:2015 properly can benefit an organization across the board.  The first steps of an effective implementation process should include determining what the intended results of the program should be. 

These quality objectives may include factors beyond meeting customer expectations and ensuring the quality of products and services.  For example, a factor for consideration might be employee retention or improvement through training of required skills.

Context of the Organization

Requirements of the standard include that the organization define the environment in which the business operates.  This analysis should include both internal and external factors that could affect the intended results of the quality management system (QMS).  These factors may include:

  • Type of industry
  • Company Objectives
  • Company Culture
  • Degree of Innovation
  • Customer Characteristics and Expectations
  • Competitors in the Field
  • Nature of the Market Sector

To be optimally effective these insights need to be gathered from interested parties inside and outside of the organization.  These include people at all levels within the company, customers, and suppliers.  Once these expectations have been gathered, an analysis can be made that will determine the scope of the QMS. 

As a company grows and evolves these factors can be revised and again used to reshape the manner in which the organization is implementing ISO 9001:2015 to reflect these changes.  This allows the company to manage processes instead of the processes managing the company.

Risks and Opportunities

Once the scope of the QMS has been defined, actions can be planned and implemented to address the determined risks and opportunities.  These actions should be implemented in defined processes and include methodologies for evaluation of effectiveness. 

When planning these actions it is often advantageous to integrate a SMART objectives approach.  SMART objectives are Specific, Measurable, Achievable, Relevant, and Time Based.  These types of objectives are most likely to achieve desired continuous improvements over time.

ISO 9001:2015 Flexibility

Every organization would like to improve the way it operates, whether that means increasing market share, driving down costs, managing risk more effectively or improving customer satisfaction.  A quality management system gives you the framework you need to monitor and improve performance in any area you choose. 

One of the great strengths of ISO 9001:2015 is the degree of flexibility in implementation.  This makes it a valuable and effective Quality Management System for large and small businesses alike for a wide variety of market sectors.  The essential task is to define and establish policies, procedures, and actions that are tailored to your organization’s requirements.

CVG Strategy

Our Exemplar Global Lead Auditor Consultants can help you with implementing ISO 9001:2015 in a manner that reflects the long term goals of your organization.  CVG Strategy has prepared, trained and implemented quality management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

We can provide expertise coupled with an outside perspective to assist you in tailoring a QMS that fits your organization’s specific requirements.  We have also assisted organizations in establishing programs for ISO 13485, ISO 14971, and AS9100.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Product Test and Evaluation.