EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials
(Part 7 of 12)
SECURE!
Wherever your business interfaces with the global marketplace, your workforce should be trained to recognize export-controlled technologies and technical data, and equipped with the know-how and tools to comply with ITAR, EAR, and DoD requirements, as well as industry best practices, for safeguarding sensitive information and combating cyber threats.
Responsible information-handling practices have always been critical to export compliance. In the past few years, however, troubling reports of frequent and successful cyberattacks on U.S. Government agencies and alarming headlines about technical trade secrets stolen from private firms by hackers have moved information security to the top of the priority list for every organization—small, medium-sized, or large.
Under the terms of the ITAR and EAR, manufacturers and exporters are legally responsible to protect certain technical data related to defense articles on the USML (ITAR §120.10), as well as key technologies required for the production, development, or use of items on the CCL (EAR §772.1), against access by unauthorized persons. The disclosure or release of such information without a license, inside and outside company facilities, on the ground and in the cloud, within the U.S. and overseas, constitutes an illegal “export.”
That’s why, if any of your products is export-controlled, you had better make certain that your employees are clearly aware of the fact, that they clearly understand everything it implies, and that this matters to them.
They need to know that they’re responsible for safeguarding technical data of any kind related to the product—engineering drawings and specifications, schematics, blueprints, design analyses, photographs, formulas, performance test results, pilot production schemes, manufacturing procedures, assembly flowcharts, testing and inspection methods, or any other technical information subject to export controls.
They need to know that if they share controlled technical data without appropriate authorization, or if they carelessly allow unauthorized access to it, they’ll be violating U.S. export laws, with potentially serious consequences for the company and for themselves.
You Need to Educate—and Motivate—Your People About IT Security
In today’s business world, technical information is increasingly—in many cases, almost exclusively—digital information, consisting of text, images, numerical data, and formulas stored and distributed electronically via computer networks. That means “information security” and “cybersecurity” are increasingly synonymous, which is why most organizations have made some sort of cybersecurity training for their employees mandatory. While that’s certainly wise, it shouldn’t be grounds for complacency, because “mandatory” and “some sort” are plainly not synonyms for “adequate” and “effective.”
In addition to providing and requiring cybersecurity awareness training for all employees, truly wise managers and administrators conduct regular internal assessments of security awareness to gauge how well their employees understand the nature and seriousness of the security risks and how well prepared they are to respond to cyber threats.
You can test your employees’ understanding of cybersecurity with a survey or questionnaire. Better yet—from the standpoint of accuracy, objectivity, and credibility — get help from qualified professionals in this critical area, and ask them to evaluate the effectiveness of your current cybersecurity awareness training as part of a comprehensive cybersecurity compliance risk assessment of your entire company.
Here are some very basic questions about cybersecurity that all your employees should be able to answer:
- Who in my company is responsible for cybersecurity?
- What are the policies and rules that govern my use of the company’s computer system and my access to electronically stored company information? Where can I read them? How can I stay current on changes to those policies and rules?
- If I suspect I have a cybersecurity issue (e.g., malware, spyware, a compromised password, a sensitive document sent to the wrong person, identity theft, evidence of a co-worker’s carelessness or failure to follow policies and procedures), to whom can I report it? If that person is temporarily unavailable, who is their backup? What should I do immediately to reduce potential damage?
- Does the company have a policy on bringing personal devices to the workplace and connecting to the company’s system through them? What about accessing the company’s system remotely from home, while traveling, or through an unsecured public network (e.g., coffee shop, library, hotel, university campus?
- In what ways could my actions (e.g., opening a malicious e-mail attachment, clicking on a link to a compromised website, installing an application that contains a Trojan) endanger the security of the company’s system and sensitive information? What are some things I can do to avoid these dangers?
Those are the easy questions—or rather, they should be. If your employees can’t answer them easily, then give that “mandatory employee awareness training” the failing grade it deserves, roll up your sleeves, and get to work on improving your company’s cybersecurity. Don’t hesitate to get outside help—qualified, professional help—if you need it.
According to a survey of hundreds of U.S. companies, conducted in 2015 by CompTIA, “human error” accounts for 52 percent of security breaches. Turns out it’s a greater cyber threat than malware, hackers, or disgruntled employees—although most managers are surprised when they hear this, and have a hard time believing it.
That recalls another category of “human error”—one that wasn’t included in CompTIA’s survey, though perhaps it should have been. It’s an extremely hazardous condition that our cybersecurity compliance risk assessment team has discovered at more than one facility they visited. If you’re a regular reader of this blog, I’m confident that this cyber hazard is not present at your company, so I offer the following on-site finding, straight from the company officer’s mouth, without further comment:
“I’m not sure our company even has a cybersecurity policy or plan or procedures yet. Do we really need anything like that? We’re not some giant corporation, you know. How would we go about creating such a policy? After all, none of us are techies!”
You Need to Prioritize Cybersecurity Compliance in 2017
Two recent technological trends have made the job of safeguarding export-restricted information more challenging than ever before:
- The expansion of “cloud” services from simple file storage and archiving to business software applications of all kinds, infrastructure, and platforms.
- The proliferation of new mobile IT devices.
These advances in technology make it possible for people to access the data and resources of your organization at any time from anywhere on earth. In other words, not only is your business no longer tied to a single location, it’s not even limited to a finite number of locations. Your firm is Open for Business everywhere.
By allowing unprecedented levels of connectivity between marketing and R&D staff, contractors and subcontractors, manufacturers and suppliers, domestic and foreign offices, salespeople and customers around the globe, Cloud Computing and Mobile Technology promise to help businesses accelerate innovation cycles and reduce time-to-market. At the same time, the adoption of these technologies has created new vulnerabilities and risk areas, exposed enterprises to new legal liabilities, and raised a host of new security concerns, some of which are only beginning to emerge.
Meanwhile, in response to the overwhelming global cyber threat environment, the U.S. Government has been issuing more and more cybersecurity laws and regulations. The DoD, GSA, OMB, NASA, NARA, DHS, and the White House have published, amended, modified, and clarified so many rules, Executive Orders, definitions, standards, and guidelines recently—all of them aimed at requiring Federal contractors and subcontractors to establish more stringent controls and practices for the protection of government data—that “regulatory compliance” became the cybersecurity buzz phrase of the year during 2016, and the topic seems unlikely to leave the limelight in 2017.
The latest driver of regulatory compliance is the need for businesses to implement a somewhat bewildering array of new cybersecurity requirements that apply to most Federal contractors and consultants across a wide range of industries, including both defense and non-defense contractors. The recent surge in regulatory activity has included—
- A new FAR final rule on “Basic Safeguarding of Contractor Information Systems”).
- A new BIS final rule, effective September 1, 2016, allowing U.S. companies to use cloud technology and other means of electronic transmission to store and transfer EAR-controlled unclassified “dual use” technology and software without the burden of export control requirements if certain encryption requirements are met.
- A veritable glossary of new information security terms and definitions, including Federal Contract Information (FCI), Controlled Unclassified Information (CUI), covered contractor information system, Covered Defense Information (CDI), and operationally critical support, and an array of new safeguarding requirements associated with them.
- New mandatory contract clauses covering cybersecurity, with flowdown to subcontractors and certain other parties (FAR 52.204-21 and DFARS 252.204-7008 – 7012).
- A new DoD final rule, effective October 21, 2016, regarding network penetration reporting (“cyber incidents”) and contracting for cloud services (DFARS Case 2013-D018).
The above are just a few of the latest regulatory changes in this area. Others appear to be on the way as we head into the new year.
Putting all these rules and definitions together and figuring out which of them applies to your company and its products is a daunting task. Complying with the new regulations—minimizing your risks and liabilities—is an even greater challenge.
Businesses need be asking and finding answers to some important questions, such as—
- How will our firm comply with the new requirements, such as “adequate security” for CDI/CUI per NIST SP 800-171, and “incident reporting” within 72 hours of discovery through the DoD’s DIBNet portal (including compliance with all the rules for investigating, preserving, and submitting information about the data breach)?
- Do we try to handle cybersecurity regulatory compliance ourselves, do we seek the services of an outside IT contractor, or do we need some combination of both approaches?
- Since these new cybersecurity standards appear to be mind-bogglingly difficult to navigate and not entirely coherent, and since a failure to comply with them could have dramatic adverse consequences for our company, should we be looking at a specialized cyber insurance policy to supplement our general and professional liability policies?
The ultimate deadline for full contractor compliance with most of the new cybersecurity requirements for CDI/CUI is December 31, 2017, and that date is not likely to change. But the new cybersecurity regulations are already impacting businesses and contracts, especially those in the defense sector.
While DFARS clause 252.204-7012 allows you to notify the DoD (within 30 days) of any cybersecurity requirements that your company has yet implemented at the time of contract award, the DoD still expects you to be moving toward full compliance as rapidly as possible, and to have a remediation plan in place to achieve it by December 31, 2017.
So, if you haven’t already done the following at your company, you need to do them now:
- Conduct a risk assessment for cybersecurity regulatory compliance.
- Develop a cybersecurity action plan, based on the assessment findings.
- Implement a cybersecurity framework that is appropriate for your organization.
Note: For those who don’t keep up with the latest business jargon, a “framework” includes stuff like organizational infrastructure and job responsibilities; awareness and education programs; organizational culture; and governance (security policies; work processes and procedures; monitoring effectiveness; technical controls; risk assessments and audits; breach response and risk mitigation plans). “Implementing” a framework implies investing company resources in making it happen.
Whether your company is small, mid-sized, or large, if you do business with the Federal government, or with any other companies that do business with the Federal government — have I left anyone out here? — you should prioritize both regulatory compliance and cybersecurity during 2017.
Regulatory compliance is obligatory, of course, because . . . well, it’s the law, folks! But cyber-compliance is not the same as cyber-security, and security is what you really want.
If your goal is simply to avoid fines and penalties, then as long as you’re sure you meet the minimal requirements of compliance, don’t worry.
But if you’re reading this because your goal is to see your company survive and thrive in today’s digitally interconnected business world, and you’re aware of the current security threat landscape, you shouldn’t breathe easy if you’re told that your company is 100% compliant. Breathe easy when you’re confident that your company has good cybersecurity.