Category Archives: All

State Department Discontinues DSP-119, Other Forms in Development

The State Department’s Directorate of Defense Trade Controls (DDTC) has published a web notice discontinuing acceptance of the DSP-119 (Application for Amendment to License for Export or Temporary Import of Classified or Unclassified Defense Articles and Related Classified Technical Data):

Web Notice: Discontinuance of ELLIE and form DSP-119: (11.14.17)
Effective December 1, 2017, DDTC will no longer accept form DSP-119 to amend the DSP-85. All pending DSP-119s will be processed pursuant to 123.25 of the ITAR. Any DSP-119 form submitted to DDTC on or after December 1, 2017 will be returned without action. When amending the DSP-85, the applicant must submit a completely new DSP-85 along with a transmittal letter, signed by the Empowered Official, explaining the amended change.

Originally an all-purpose amendment form, the DSP-119 had in recent years been accepted only to amend the DSP-85 (Application for Permanent/Temporary Export or Temporary Import of Classified Defense Articles and Related Classified Technical Data), so the notice removes its last remaining use. Unclassified licenses are unaffected and may continue to be amended with the appropriate form (DSP-6, DSP-62, or DSP-74).

DDTC continues to work on expanding the online DECCS (Defense Export Control and Compliance System) forms, which are submitted through an interactive, browser-based interface. DECCS currently supports the submission of Commodity Jurisdiction (CJ) requests, which should be joined in the near future by Advisory Opinion and Disclosure forms. (Note also that DDTC currently recommends submitting a DSP-5 technical data export license in lieu of a General Correspondence Advisory Opinion when possible.)

DECCS forms for registration renewal and update as well as the single licensing form are also in development.

One-form electronic filing, proposed revisions of the definitions of defense services and manufacturing, and rules regarding release of technical data to foreign dual-nationals will be discussed at the next Defense Trade Advisory Group (DTAG) meeting, scheduled for February 1, 2018 (originally December 7, 2017, but rescheduled in a November 20 Federal Register Notice). To attend the DTAG meeting, follow the instructions at the end of the notice.

State Department Requires Form DSP-83 for Chemical Agent Resistant Coatings

The State Department’s Directorate of Defense Trade Controls (DDTC) has published a web notice on Chemical Agent Resistant Coatings (CARC):

Web Notice: Category XIV(f)(7), including Chemical Agent Resistant Coatings (CARC): (11.01.17)
Consistent with 81 FR 49531 (July 28, 2016), Category XIV(f)(7) defense articles are designated as Significant Military Equipment. Accordingly, any application to export Category XIV(f)(7) defense articles requires a DSP-83 non-transfer and use certificate.

The notice is consistent with the organization of the United States Munitions List (USML) where all of Category XIV(f) is designated Significant Military Equipment (SME), but reverses long-standing policies, including those announced in September 2009 and February 2017 web notices.

Specifically, XIV(f)(7) controls “Chemical Agent Resistant Coatings that have been qualified to military specifications (MIL-PRF-32348, MIL-DTL-64159, MIL-C-46168, or MIL-DTL-53039).”

A related Export Control Reform (ECR) FAQ (which still refers to CARC under paragraph (f)(5) rather than the current (f)(7)) continues to state that application of Chemical Agent Resistant Coatings (CARC) does not by itself subject an item to the USML:

Q: Chemical Agent Resistant Coating (CARC) in its most basic form is controlled under USML Category XIV(f)(5). When it is applied to an item subject to either the ITAR or EAR, will the item to which it is being applied now be controlled as Category XIV(f)(5)? To the USML, at a minimum?

A: No. CARC coating on an item, in and of itself, does not provide a military capability warranting USML control. Hence, items that are subject to the EAR and classified on the Commerce Control List, to include vehicles and equipment, do not become subject to the ITAR simply due to the application of CARC paint.

The 2009 and 2017 web notices stated that “CARC paint does not possess ‘substantial military utility or capability,’” but ongoing Export Control Reform (ECR) revisions have not yet removed the SME designation from XIV(f)(7).

Export Control Reform Moving Along: A Report from DTAG

The Defense Trade Advisory Group (DTAG), an advisory group of defense trade representatives, held a public meeting this month to discuss policies, regulations, and technical issues in defense trade.  Here are some of the highlights:

  • Export Control Reform has driven a 55% reduction in licensing volume since 2013 for the State Department’s Directorate of Defense Trade Controls (DDTC).
  • DDTC is still working to move USML Categories I, II, & III (firearms, larger guns, and ammunition) to the CCL in the next year.  These categories currently represent around 30% of DDTC license applications, so the move would drive another significant reduction in their licensing volume.  One source of delay is Executive Order 13771, “Reducing Regulation and Controlling Regulatory Costs,” which directs agencies to repeal two existing regulations for each new significant regulation.  The new Commerce Department rules would be considered new regulations, requiring additional offsetting repeals of regulations.  The State Department operates under an exception for “regulations issued with respect to a military, national security, or foreign affairs function of the United States.”
  • The State Department will also consider revisions to the definition of defense services, U.S. persons abroad, and other definitions.
  • Whether UAVs should remain in Category I of the MTCR (Missile Technology Control Regime) Annex, as opposed to the less-sensitive Category II, is also under review and will be discussed at the October MTCR plenary.
  • The State Department is working on revisions to the UK & Australia Treaty implementation regulations.  Both treaties have helped to decrease licensing volume, but improvements can be made.
  • An interagency group involving the Departments of State and Defense is working on a rewrite of the ITAR.  There has not been a wholesale rewrite of the ITAR since 1984.  Overall, they are seeking to restructure the regulations to close gaps and inconsistencies, add definitions, shorten the ITAR where possible, consider incorporating guidance documents, and arrive at a format that is conducive to a single control list (an end goal of Export Control Reform).
  • In IT modernization, DDTC is currently on track for a December roll-out of a single case management system, to be followed by a single license form.

The DTAG is expected to meet again next spring.

Montenegro Joins NATO: What it Means for Agreements and ITAR Exemptions

Montenegro officially joined NATO on June 5, 2017.  The State Department’s Directorate of Defense Trade Controls (DDTC) published a notice that “it is the policy of the Department of State that the term “North Atlantic Treaty Organization” (“NATO”) in the International Traffic in Arms Regulations (“ITAR”) includes Montenegro for the purpose of any subject transactions.”  An amendment to the NATO country list at ITAR section 120.31 is expected.

For existing agreements that include NATO member states, but not Montenegro, amendments would be required to add Montenegro as a transfer territory (see section 3.14 “Use of Collective Language” in the Guidelines for Preparing Agreements):

Using collective terms based on a collective organization (e.g., NATO, EU, AU, ESA) without defining territories for the transfer of defense articles or the provision of defense services is not authorized. Any proposed agreement submitted to DTCL must specifically list the countries of the collective organization since membership in such collective organizations is subject to change.

Notable ITAR exemptions available to Montenegro as a NATO member include 123.9(e) (reexports or retransfers of U.S.-origin components incorporated into a foreign defense article), 124.2 (maintenance training), and 126.18 (dual and third-country national employees of foreign parties).  NATO members are also subject to the higher Congressional Notification thresholds under 123.15 ($25 million for Major Defense Equipment and $100 million for defense articles and services generally).

The State Department Wants Your Input: ITAR, Guidance, and Process Reforms Under Consideration

Comments Requested on the ITAR and DDTC Guidance

On July 14, the Department of State published a notice (82 FR 32493) “seeking comments on Department regulations, guidance documents, and collections of information that you believe should be removed or modified to alleviate unnecessary burdens.”

This is a part of the Department’s implementation of the President’s January 30, 2017 Executive Order 13771, “Reducing Regulation and Controlling Regulatory Costs” and an important opportunity to help make the ITAR and State Department guidance work better for everyone.  This includes any guidance on the DDTC website, https://www.pmddtc.state.gov/.

This is an open-ended chance to influence the future of the ITAR and DDTC guidance.  Consider any area that poses challenges to your company, including the questions addressed to DTAG below.

Comments may be submitted by internet at www.regulations.gov (Docket No. DOS–2017–0030) or by email to RegsReform@state.gov through August 14, 2017.

DTAG Recommendations Requested

Separately, the Directorate of Defense Trade Controls (DDTC) has asked the Defense Trade Advisory Group (DTAG) to make recommendations about the following topics at the upcoming plenary sessions:

  • Whether industry would benefit from a single interagency form for DDTC, BIS, and OFAC.
    • Would a single form simplify company processes, or is there concern that it would become unmanageably complex?
  • Whether batch filing should be expanded to registration, notifications, Commodity Jurisdiction requests, etc., and priorities for this expansion.
    • Does your company currently use batch filing? If so, how would expansion help?
  • Whether access/authentication methods other than IdenTrust digital certificates should be considered.
    • Does your company have a positive experience with other certificates or credentials that should be considered?
  • Key areas of concern regarding the 2015 proposed revision of the definition of defense services.
  • An effective definition of “manufacturing” distinguished from assembly, integration, etc.
    • This is in the context of possible revisions of Categories I-III removing most commercial firearms from the ITAR. Are there any changes to the definition that would be more workable?
  • Alternative, workable methods to control releases of technical data to foreign dual-nationals.
    • If releases to foreign dual-nationals are a challenge, what could be improved?
  • Whether new agreements should have a standard expiration date of ten years from the date of approval. The current company-based expiration dates were designed to smooth out DDTC’s workload, but may have the opposite effect on individual companies.
    • Do the company-based expiration dates unnecessarily complicate your business?
    • For companies that do not always request the full ten years, would a standard expiration date complicate business?

DDTC’s DTAG letter may be found here.  DTAG will meet September 8, 2017 to review these recommendations.  Many of these questions would also fall under the regulatory reform comment request.

EXPORT COMPLIANCE IN 11 WORDS (Part 9 of 12)

EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials

(Part 9 of 12)

MONITOR!

Once you have an export compliance program in place, continuous monitoring is critically important to provide reasonable assurance of its effectiveness, enable you to make incremental adjustments to changing situations, and show you ways to improve the program’s efficiency. Annual compliance audits and assessments will be limited in their effectiveness and afford inadequate protection unless they are supported and complemented by the ongoing review processes that should be an integral part of compliance management.

Congratulations! It took a lot of hard work, and more time than you’d expected, but you’ve finally succeeded in getting a comprehensive export compliance program up and running at your company. You’re satisfied that it’s all there—the works, the whole enchilada, all the compliance essentials we’ve been looking at in this series:

  • Risk analysis and planning
  • A thorough manual with written policies and detailed procedures
  • Upper management commitment and involvement
  • Initial and repeated multi-level employee training
  • Clear delineation of roles, responsibilities, and accountability
  • Procedures for jurisdictional determination and product classification
  • Obtaining approval for licenses and agreements
  • Tracking the use of exemptions and exceptions
  • Labeling and marking controlled items and technical data
  • Real-time screening of customers, suppliers, service contractors, business partners, new hires, and other parties
  • Physical security
  • IT security
  • Mandatory recordkeeping and records-retention practices
  • Mandatory reporting to the government agencies
  • Periodic internal and external reviews, with follow-up of findings

All good. Sounds fantastic. We’ve got just a few more questions for you before you take off on that well-earned vacation you’ve been looking forward to. Here’s one:

What provisions have you made for monitoring the operation of your program? In other words, how do you plan to make sure your policies and procedures continue to be adequate and continue to function properly? And how do you plan to make sure you won’t be the last to know if they aren’t working as they should?

In compliance management, as in every other part of life, no matter how carefully you’ve planned and how well you’ve done your homework, there are sure to be some unforeseen challenges. Issues will surface that were not initially identified. A procedure that looked good on paper will be put into practice and turn out to be . . . not so good. Situations and personnel will change without warning, giving rise to a whole new set of problems.

Even the best-designed compliance program is bound to require fine-tuning and frequent adjustments in response to:

  • Changes in business needs
  • Changes in U.S. export laws and regulations
  • Changes in federal agency enforcement policies
  • Changes in technology
  • Changes in the national economy
  • Changes in the global marketplace
  • Changes in the global threat environment.

Yes, the annual risk assessments and compliance audits that you wisely included in your compliance plan are one important tool for coping with those challenges, but periodic audits cannot be the whole solution. All too often compliance audits are conducted too long after non-compliance events have already occurred to allow you to correct the issues and problems they uncover before a great deal of damage has been done.

If your company is committing an export violation today, or is about to do so, do you really want to be first apprised of the situation by the annual compliance audit report? Don’t put off until tomorrow what can be done today!

As a compliance officer, you need windows into your compliance program that allow you to view the current state of your company’s internal processes and see which areas need more attention right now. Periodic company-wide audits and assessments are most effective when they are informed and supplemented by day-to-day and week-to-week feedback from operational management, as well as frequent tests, checks, surveys, and “mini-audits” of specific processes and risk points.

Preventing the occurrence of export violations, or at least stopping them before they can multiply, is nearly always less costly and stressful than dealing with their aftermath. Successfully detecting intentional deviations from processes and procedures—such as when an employee purposely ignores or contravenes compliance safeguards for his or her own advantage or convenience—has the added benefit of reinforcing the perception that management prioritizes export compliance, is watching, and will take prompt action when problems occur.

That’s undoubtedly why the DDTC’s Compliance Program Guidelines counsel “internal monitoring” that involves “measurement of effectiveness of day-to-day operations” with “emphasis on validation of full export compliance, including adherence to license and other approval conditions.”

It’s also why the BIS’s Office of Exporter Services included “internal and external compliance monitoring,” along with periodic audits, as one of the Nine Key Elements of an Effective Compliance Program. In the agency’s 145-page handbook for U.S. exporters, Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual, the BIS recommends “a transaction-level and process-level review of compliance efforts with a special emphasis placed on areas of high risk,” noting that such monitoring can “successfully focus attention at the business-unit level on risk areas at an early stage, affording the opportunity to correct deficiencies before they result in major problems.”

The DDTC and BIS guidance documents agree that internal and external monitoring are both important. Every company or organization, in addition to actively monitoring itself, needs outside assurance from an independent third party that its compliance efforts are on the right track.

The following compliance “best practices” also fall under the general rubric of export compliance monitoring:

  • Self-monitoring and reporting by operations staff in all export-related departments and divisions of the company on the effectiveness of specific compliance processes and procedures is requested and implemented.
  • Timely crosstalk is encouraged among employees in export-related departments, divisions, and branches within the company to ensure that practical compliance experiences and lessons learned are communicated throughout the entire organization, with a view to improving the effectiveness and efficiency of export controls and promoting consistency of procedures.
  • Clear and specific internal procedures have been established and communicated to all employees, including contract employees, for the reporting of potential export compliance problems to management, including the option of reporting export violations anonymously through a mailbox, website, or helpline.
  • Employees understand that management considers the reporting of suspected export violations to be the duty of each employee and know that they will be protected from retribution or retaliation of any kind if they raise questions or concerns about compliance in good faith.
  • On-site end-use monitoring of personnel performing defense services is performed frequently by qualified export compliance staff to ensure that their activities remain within the scope of the relevant export authorization.
  • Previously identified export compliance problems or high-risk areas are revisited to ensure that the prescribed corrective actions were implemented and that they have been effective.

Unlike banks and financial institutions, which may choose to concentrate their compliance monitoring on the transactions with the highest impact on revenue, exporters of defense articles and services, dual-use commodities, technical data, and controlled technology may, when monitoring ITAR, EAR, and OFAC compliance, need to focus on business areas that have a relatively small revenue impact but carry a large compliance risk. Manufacturing or distribution operations in a developing country, for example, or exports to new trading partners in a formerly embargoed nation whose U.S. trade sanctions were only recently lifted, might be small today when measured by sales or profits, but multiple compliance challenges and the potential for serious penalties may call for close and continuous monitoring.

Monitoring day-to-day compliance may seem unexciting, like performing routine maintenance on your car. It undoubtedly requires a significant investment of time, effort, and money, and the benefits may not be immediately evident. But most car owners understand that failure to do so is a sure recipe for disaster.  In other words, don’t let procrastination get in the way of success and continuously monitor your compliance program!


New Year ITAR Updates

Category XV Revised

Effective January 15, 2017, the Department of State’s Directorate of Defense Trade Controls (DDTC) has revised United States Munitions List (USML) Category XV, Spacecraft and Related Articles, in Federal Register Notice 82 FR 2889.  Changes include new aperture specifications for remote sensing satellites under XV(a)(7) and XV(e)(2), the exclusion of the James Webb Space Telescope and “spacecraft that dock exclusively via the NASA Docking System (NDS),” and other spacecraft attributes and revisions.

Category XII Request for Comments

The Department of State also requested comments on recent revisions to USML Category XII, Fire Control, Range Finder, Optical and Guidance and Control Equipment, in Federal Register Notice 82 FR 4226.  Specifically, the Department requests comments about “(1) alternatives to controls on certain items when ‘specially designed for a military end user,’ (2) the scope of the control in paragraph (b)(1), and (3) certain technical parameters that the Department is evaluating to replace ‘specially designed’ controls.”

Comments will be accepted by email or internet through March 14, 2017.

Amendments to AES References

Also, effective December 31, 2016 but published on January 3, 2017 in 82 FR 15, multiple sections of the International Traffic in Arms Regulations (ITAR) were amended to refer directly to the U.S. Customs and Border Protection (CBP) International Trade Data System (ITDS).  References to the Automated Export System (AES) have been removed and now refer to the CBP’s electronic systems (which now include the Automated Commercial Environment (ACE)).

2016 Year-End USML Updates

The Directorate of Defense Trade Controls (DDTC) has revised USML Categories VIII, XII, XIV, XVIII, and XIX effective December 31, 2016.

The revisions to Categories XII (Fire Control/Sensors/Night Vision), XIV (Toxicological Agents), and XVIII (Directed Energy Weapons) under the Export Control Reform (ECR) process are found in Federal Register notices 81 FR 70340 and 81 FR 49531.

In addition to increased detail and technical performance thresholds, the revision of Category XII also includes minor revisions to related parts of Categories VIII, XI, XIII, and XV.  VIII(e) (aircraft inertial reference systems), XIII(a) (cameras), and XV(c) (GPS equipment) have been removed and reserved with their contents now covered by the revised Category XII.  Radar and sensor specifications in XI(a)(3)(ii) and (a)(10) are also revised.

Revisions to Category XIV, which was already highly detailed, include the addition of XIV(a)(5), “Chemical warfare agents not enumerated above adapted for use in war to produce casualties in humans or animals, degrade equipment, or damage crops or the environment.”  XIV(b) and (g) are revised to identify biological agents and antibodies not previously specified.  Tear gases and riot control agents are moved to the jurisdiction of the Department of Commerce.

As revised, Category XVIII is actually shorter, with a smaller list of directed energy weapons systems.

For previously-revised Categories VIII (Aircraft and Related Articles) and XIX (Gas Turbine Engines and Associated Equipment), some articles made subject to the EAR will again be subject to the ITAR (81 FR 83126).  DDTC’s rationale is that they “constitute or are specially designed for next-generation technology.”  Unshipped balances on Commerce licenses may not be used after the effective date, requiring a State Department authorization.  Any reexport or retransfer of articles previously subject to the EAR will be subject to the ITAR.

As a result of the changes in USML categories, DDTC is also updating licensing forms and the batch Common Schema.  The new versions will be 9.3 for the DSP-5, DSP-61, and DSP-73 forms, version 3.2 for the DSP-85, and version 7.6 for the Common Schema.  The new versions have been posted on the DDTC website and must be used starting January 3, 2017.  DTrade will be down for maintenance from 6pm December 30, 2016 until 7am January 3, 2017.

In related news, Section 1292 of the 2017 National Defense Authorization Act (NDAA) (S.2943), signed by the President on December 23, 2016, states that the Secretaries of Defense and State should recognize India as a “major defense partner” and improve cooperation.  However, this does not currently require any specific amendments to the AECA or ITAR.  The NDAA does direct “an assessment of the defense export control regulations and policies that need appropriate modification, in recognition of India’s capabilities and its status as a major defense partner.”

EXPORT COMPLIANCE IN 11 WORDS (Part 8 of 12)

EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials

(Part 8 of 12)

SCREEN!

Failure to perform Restricted Party Screening was cited as either a root cause or a contributing cause in more than a few recent cases of export violations that resulted in severe penalties for U.S. companies. Protect your company by equipping your people with effective software tools for screening intermediaries and end-users in any potential export transaction.

In export control parlance, the process of checking and cross-referencing the entities involved in an export transaction against a variety of “black lists” prohibiting or curtailing trade with certain individuals, businesses, organizations, and nations is called Restricted Party Screening (RPS) or Denied Party Screening (DPS).

A number of such lists of “entities of concern” are maintained by the U.S. Government; similar lists are maintained by other governments (notably the UK, Canada, and Japan) and international bodies (notably the European Union and the United Nations). The “concerns” about the listed entities may be political or economic in nature (e.g., human rights violations, foreign policy and trade issues), security-related (e.g., terrorism, risk of diversion to WMD programs), or criminal law enforcement matters (e.g., narcotics trafficking, money laundering). All the lists are continually updated; names may be added or deleted at any time.

The U.S. Government takes the laws, regulations, treaties, and agreements that lie behind these sanctions lists very seriously and enforces them vigorously. Multi-million dollar fines and settlements for sanctions violations are not uncommon, and some U.S. firms have had their export privileges revoked or suspended. A breach of trade sanctions can also result in the commission of criminal offenses punishable by imprisonment.

Restricted Party Screening is a compliance control process designed to keep your company from breaking the law and prevent you from incurring penalties by inadvertently doing business with an embargoed country or restricted entity.

Screen. If you’re a frequent or regular exporter (or if you’re actively seeking to market your goods and services more widely overseas), you should be routinely screening not only your customers and potential customers, but any firms or individuals associated with your company’s export business.

Some candidates for RPS include:

  • Countries—any places where your buyers, intermediate and ultimate consignees (if different from the buyers), or end-users are based or situated.
  • Customers—not just foreign customers, but domestic customers, too, especially if they
  • Prospective customers (e.g., RFQs, RFIs).
  • Manufacturers, suppliers, and vendors of raw materials, parts, or components.
  • Contractors and subcontractors.
  • Freight forwarders and customs brokers.
  • Shipping companies.
  • Foreign banks and other financial institutions.
  • Visitors and the companies or governments they represent.
  • Brokers, sales representatives, and overseas agents.
  • Consultants, including research partners, institutions, and universities.
  • Business partners.
  • Parties to a potential acquisition or merger.
  • Employees and new hires.
  • Contract workers.
  • Service providers.
  • Proposed recipients of software source code and technical data.
  • Any “pay to” parties.
  • Any “pay from” parties.
  • Any “ship to” parties.
  • Any other parties associated with an export transaction.

Some managers are under the mistaken impression that the legal requirements for business dealings with restricted or denied parties apply only to international sales or items shipped overseas. That is simply not the case: those prohibitions can also apply to domestic or in-country transactions. If any of the parties to a domestic transaction is listed on one of the U.S. Government’s Blocked, Denied, Entity, Specially Designated Nationals, or Debarred Persons lists, the transaction should be handled with the same caution as would be used in dealing with an overseas transaction — which means you are almost certainly legally prohibited from dealing with that party. So — depending on the nature of your business and products — Restricted Party Screening may be a wise idea for domestic transactions as well as exports.

Re-screen. Because governments and international agencies are continually updating their lists, you need to be continually re-screening your parties. Your Denied Party Screening isn’t really finished until you’re really finished doing business with the party. Repeated screening of previously screened parties may seem like overkill, but it isn’t. Re-screening is imperative to ensure that their names weren’t added to one of the lists since the last time you checked.

How often should re-screening be done? Many compliance professionals would answer, “Every day!” But while daily re-screening is a good practice, an even better answer is, “Real-time!” Today’s RPS screening software, much like your other software, updates continually and automatically, and can be configured to alert you immediately if the status of any previously cleared party has changed.

Even with the necessary screening software in place and properly configured to your company’s needs, continual vigilance remains important. Although the latest trade compliance software uses advanced search methods to return accurate matches, the search results still need to be eyeballed and evaluated by a real live person who is qualified to make an informed decision. Software developers continue to make improvements, but the process of matching the parties to a transaction with an actual restricted party is still far from an exact science, and that isn’t likely to change anytime soon. Part of the problem resides in the lists themselves: the information they provide is often scanty and unreliable. Part of the problem resides in the “entities of concern”: they can be tricky people whose names and addresses are continually morphing. Software can do amazing things, and the programmers I know are all incredibly smart; but it’s hard to write code for gut instincts and horse sense. Final screening decisions are best left to human beings.

Depending on the nature of the list and transaction, a “match” could mean that you are legally forbidden to contract with, sell to, ship to, receive payments from, make payments to, convey technology to, have technical discussions with, or buy from the restricted party. Some U.S. companies simply choose not to engage in any transactions whatsoever with listed entities, even when certain kinds of transactions may not, strictly speaking, be legally prohibited, or when they could pursue and possibly obtain an authorization from the relevant government agency. They may do this as a matter of company policy or corporate values, for the sake of the company’s reputation, from the standpoint of cost-effectiveness, or for other reasons.

Nowhere in the ITAR or EAR is it explicitly stated that a business must perform Restricted Party Screening or purchase RPS software, so a failure to screen the parties to a transaction is not in itself an export violation. But the regulations do hold exporters to a knowledge standard. The EAR's "Know Your Customer" guidance (Supplement No. 3 to Part 732) expects you to recognize and resolve red flags, and General Prohibition Four (EAR §736.2(b)(4)) forbids taking any action prohibited by a denial order, whether or not you checked the Denied Persons List first. Due diligence of that kind requires knowing the who, what, when, where, and how of all your business dealings, and that implies a careful and conscientious review of the denial lists. Realistically speaking, if RPS is not included in your company's export compliance program, export violations are all but certain. In fact, you may have already committed some.

Keep records. Documenting your screening processes and decision-making, especially your responses to positive matches, is of the utmost importance. If you are asked about the export transaction at a later date, you should be able to explain the rationale behind your determinations clearly and confidently, demonstrating that the necessary level of due diligence was employed. Detailed notes regarding your incident response activities are a must so that facts are clear and your decisions are defensible in the event of a company visit or directed compliance audit.

You may know perfectly well that your company screens every single one of its export transactions thoroughly, but if problems should arise at a later date and it turns out there’s no record anywhere of your RPS activity, it might just as well never have happened. Specifics about who you screened, when you screened, which employee performed the screening, how it was done, and what the screening found must be included in your export recordkeeping.

Have a response plan in place. A compliance control process is worthless unless it includes an incident management plan. What should be done when RPS yields a match, and who should do it? What are your company’s policies and procedures for handling this situation? What’s the next step, and who is responsible to take that step? And what’s the step after that?

A positive screening match may be a cause for concern, but it shouldn’t be a cause for alarm. “False positives” are not uncommon, so you first need to ascertain whether the apparent match is genuine or not. Does the name on the sanctions list that was matched with the name of the party you are screening really refer to the same entity? Individuals and companies frequently have the same or similar names, after all. See if any further identifying details are provided in the search result, such as address, date of birth, the citation of an order in the Federal Register, or a photo. If so, you’re in luck! (Don’t get your hopes up too high, though; the information provided for some “parties of concern” is . . . well, disappointingly minimal.) Check your company’s records; they could also contain information that will help you make this determination, if you’ve had previous dealings with the party.

Sometimes identifying false positives is easy, and sometimes it isn’t. You might need to do a bit of detective work to clear up confusion caused by multiple given names, aliases, middle names, nicknames, abbreviations, alternative spellings, misspellings, different transliterations of foreign alphabets, international subsidiaries, branch offices, and divisions. You can’t skip this detective work, but don’t procrastinate or dilly-dally in getting it done either. Holding up orders and postponing shipments to perfectly legitimate customers is a good way to lose repeat business.

If you determine that a match is valid, however—and only trained and qualified employees should make such ultimate determinations—you must place the transaction on hold immediately and investigate further. That doesn’t mean you should panic. Remember that a match doesn’t equal a violation. If you haven’t exported anything yet, then plainly no export violation has occurred. But, equally plainly, the potential for an export control violation does exist, so additional due diligence is required. Proceed with caution.

The significance of a genuine match depends on the list your party’s name was found on. In some cases, exports of all kinds are strictly prohibited: some countries are subject to comprehensive trade embargoes, and some individuals are denied all trading privileges. In other cases, the restrictions are limited in scope, so you might still be able to export to, or do other business with, the sanctioned party, as long as you first apply to the listing agency and secure an export license or other permission. In still other cases, a name has been placed on a list to indicate that a “red flag” is present in the transaction—some information that couldn’t be verified and requires investigation and clarification.

Use software for screening.  If your company engages in more than a handful of export transactions in the course of a year, you should not try to conduct Restricted Party Screening by scanning each party against each of the sanctions lists, one name and one list at a time. Yes, you can do this, and the U.S. Government has even made it easier by publishing a Consolidated Screening List (CSL) that merges the Commerce, State, and Treasury lists into one searchable, downloadable file with a public API. But it is very foolish and dangerous to go this route. There are simply too many lists to scan, they are changing too frequently, the information they provide about the restricted parties is too sketchy, evaluating the search results without support is too difficult, and the stakes are much too high to risk a human error resulting in a violation. This initial screening is clearly a task for software, not human eyes and brains.

Many kinds of automated systems are available. Which type of software is best will depend on the nature and size of your export business, your budget, and your business model. Some software systems allow your employees to screen transactions individually through a simple browser-based application. Some permit batch uploading and processing of multiple names and transactions. Some can be fully integrated into your company’s existing ERP software system. Some employ extremely sophisticated search algorithms incorporating “fuzzy logic” and phonetic or “sounds-like” name matching. Some UIs are more user-friendly than others.
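To make the matching behaviour described above concrete (the normalisation that copes with punctuation, suffixes and transliteration noise, "sounds-like" phonetic coding, fuzzy scoring, re-screening of previously cleared parties when a list changes, and the who/when/what record the recordkeeping paragraphs ask for), here is an added example in Python. It is not code from the original post or from any vendor's product. The list entries are constructed for illustration and are not real sanctions-list data; the suffix set, the 0.85 threshold, the 0.9 phonetic floor, and the Soundex-plus-edit-distance scoring are assumptions chosen to show the idea, not a recommendation of any particular algorithm.

```python
"""Restricted-party screening sketch: name normalisation, Soundex coding,
edit-distance scoring, re-screening of cleared parties and an audit record.
Added example, not code from the original post or any vendor product; list
entries are constructed (not real list data) and thresholds are assumptions."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Corporate suffixes are noise when comparing company names (assumed set).
SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "gmbh", "sa", "ag",
            "bv", "plc", "co", "company", "corp", "corporation"}

def normalize(name: str) -> list[str]:
    """Fold diacritics/case, drop punctuation and suffixes, sort the tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return sorted(t for t in re.findall(r"[a-z0-9]+", ascii_name.lower().replace(".", ""))
                  if t not in SUFFIXES)

def soundex(word: str) -> str:
    """American Soundex: first letter plus three digits (Rashid -> R230)."""
    codes = {**dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
             **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6"}
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, last = word[0].upper(), codes.get(word[0], "")
    for ch in word[1:]:
        code = codes.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":        # h and w do not separate like-coded letters
            last = code
    return (out + "000")[:4]

def similarity(a: str, b: str) -> float:
    """0..1: edit-distance ratio of normalised names, floored at 0.9 when every
    token sounds alike, so a phonetic-only hit still reaches a human reviewer."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    ratio = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    phonetic = sorted(map(soundex, ta)) == sorted(map(soundex, tb))
    return max(ratio, 0.9 if phonetic else 0.0)

@dataclass(frozen=True)
class ListEntry:
    name: str
    source: str                   # which list the entry came from
    aliases: tuple[str, ...] = ()

@dataclass
class Hit:
    entry: ListEntry
    matched_on: str               # the name or alias that scored highest
    score: float

def screen(party: str, entries: list[ListEntry], threshold: float = 0.85) -> list[Hit]:
    """Candidates at or above threshold, best first. Software proposes; a
    qualified person disposes."""
    hits = []
    for e in entries:
        score, name = max(((similarity(party, n), n) for n in (e.name, *e.aliases)),
                          key=lambda s: s[0])
        if score >= threshold:
            hits.append(Hit(e, name, round(score, 3)))
    return sorted(hits, key=lambda h: h.score, reverse=True)

@dataclass
class ScreeningRecord:
    party: str
    screened_by: str
    list_version: str
    screened_at: str
    hits: list[Hit]
    disposition: str              # only a qualified human moves this past review

def screen_and_record(party: str, entries: list[ListEntry], list_version: str,
                      screened_by: str, threshold: float = 0.85) -> ScreeningRecord:
    hits = screen(party, entries, threshold)
    return ScreeningRecord(party, screened_by, list_version,
                           datetime.now(timezone.utc).isoformat(), hits,
                           "PENDING_REVIEW" if hits else "NO_MATCH")

def rescreen(cleared: list[str], new_entries: list[ListEntry],
             threshold: float = 0.85) -> dict[str, list[Hit]]:
    """Re-run cleared parties against an updated list; anything returned has
    changed status and must be held for a fresh review."""
    return {p: h for p in cleared if (h := screen(p, new_entries, threshold))}

# Constructed entries for illustration only; v2 adds a party v1 did not have.
SAMPLE_LIST_V1 = [ListEntry("Northwind Precision Components Ltd.", "Example List A",
                            aliases=("Northwind Precision Komponenten GmbH",))]
SAMPLE_LIST_V2 = SAMPLE_LIST_V1 + [ListEntry("Mohammed al-Rashid", "Example List B",
                                             aliases=("Muhammad Al Rasheed", "Mohamed Rashid"))]
```

Screening "NORTHWIND PRECISION COMPONENTS, INC" against the v2 list scores 1.0 once the suffix and punctuation are stripped, while "Northwind Software LLC" falls well short of the threshold and is recorded as NO_MATCH. "Mohamad Rashed" is the interesting case: its edit-distance ratio against "Mohamed Rashid" is only about 0.86, but every token has the same Soundex code, so the phonetic floor lifts it to 0.9 and it lands in PENDING_REVIEW for a person to resolve. Re-running parties that were cleared against v1 shows how a real-time re-screen works: the same name that was silent under v1 trips under v2. The threshold is a tuning knob with two failure modes: tighten it and the Rasheed/Rashid transliteration hit disappears, loosen it and every "Northwind" becomes a false positive.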

If you find all this confusing and aren’t sure what kind of screening system would work for your company — which of the advertised features are truly critical to your compliance and which would be a complete waste of money, given your business model — get some independent, objective, and knowledgeable advice before you make this important decision. Hint: Sales reps from software vendors may be knowledgeable – about their software, at least — but they definitely don’t qualify as “independent” or “objective.” There are experienced export compliance professionals out there. Besides giving you an independent and objective assessment of your compliance risks and vulnerabilities, they can also help you sort out the competing claims of RPS service providers and determine the safest and most economical solution for your business.

Even the simplest and most basic software system, however, will save you a lot of time and should ensure that you are screening against a database that includes all the relevant lists and is updated automatically as the lists change. Most screening software will also let you tune match thresholds to minimize time-wasting false positives (without setting them so loosely that genuine matches slip through) and create detailed reports of your screenings that can serve as a defensible compliance audit trail.

We have no horse in this race, and we don’t see this as a compliance process where “one software solution fits all.” There are plenty of reputable vendors out there, offering screening products with a wide range of capabilities and features. There is no dearth of choices. Prices vary from downright-reasonable to guaranteed-to-induce-sticker-shock. (We’ve seen a couple of price quotes that really made us gasp — but those were outliers.)

We have only one recommendation: The worst buying decision you can possibly make is choosing not to invest in an adequate RPS software solution for your business. Take it from us – that’s a choice you can’t afford.

EXPORT COMPLIANCE IN 11 WORDS (Part 7 of 12)

EXPORT COMPLIANCE IN 11 WORDS

A Series on Export Compliance Essentials

(Part 7 of 12)

SECURE!


Wherever your business interfaces with the global marketplace, your workforce should be trained to recognize export-controlled technologies and technical data, and equipped with the know-how and tools to comply with ITAR, EAR, and DoD requirements, as well as industry best practices, for safeguarding sensitive information and combating cyber threats.

Responsible information-handling practices have always been critical to export compliance. In the past few years, however, troubling reports of frequent and successful cyberattacks on U.S. Government agencies and alarming headlines about technical trade secrets stolen from private firms by hackers have moved information security to the top of the priority list for every organization—small, medium-sized, or large.

Under the ITAR and EAR, manufacturers and exporters are legally responsible for protecting technical data related to defense articles on the USML (defined at ITAR §120.10) and technology required for the development, production, or use of items on the CCL (defined at EAR §772.1) against access by unauthorized foreign persons. Releasing such information to a foreign person, whether inside or outside company facilities, on the ground or in the cloud, overseas or within the U.S. (a "deemed export"), constitutes an export, and without a license or other authorization it is an illegal one.

That’s why, if any of your products is export-controlled, you had better make certain that your employees are clearly aware of the fact, that they clearly understand everything it implies, and that this matters to them.

They need to know that they’re responsible for safeguarding technical data of any kind related to the product—engineering drawings and specifications, schematics, blueprints, design analyses, photographs, formulas, performance test results, pilot production schemes, manufacturing procedures, assembly flowcharts, testing and inspection methods, or any other technical information subject to export controls.

They need to know that if they share controlled technical data without appropriate authorization, or if they carelessly allow unauthorized access to it, they’ll be violating U.S. export laws, with potentially serious consequences for the company and for themselves.

You Need to Educate—and Motivate—Your People About IT Security

In today’s business world, technical information is increasingly—in many cases, almost exclusively—digital information, consisting of text, images, numerical data, and formulas stored and distributed electronically via computer networks. That means “information security” and “cybersecurity” are increasingly synonymous, which is why most organizations have made some sort of cybersecurity training for their employees mandatory. While that’s certainly wise, it shouldn’t be grounds for complacency, because “mandatory” and “some sort” are plainly not synonyms for “adequate” and “effective.”

In addition to providing and requiring cybersecurity awareness training for all employees, truly wise managers and administrators conduct regular internal assessments of security awareness to gauge how well their employees understand the nature and seriousness of the security risks and how well prepared they are to respond to cyber threats.

You can test your employees’ understanding of cybersecurity with a survey or questionnaire. Better yet—from the standpoint of accuracy, objectivity, and credibility — get help from qualified professionals in this critical area, and ask them to evaluate the effectiveness of your current cybersecurity awareness training as part of a comprehensive cybersecurity compliance risk assessment of your entire company.

Here are some very basic questions about cybersecurity that all your employees should be able to answer:

  • Who in my company is responsible for cybersecurity?
  • What are the policies and rules that govern my use of the company’s computer system and my access to electronically stored company information? Where can I read them? How can I stay current on changes to those policies and rules?
  • If I suspect I have a cybersecurity issue (e.g., malware, spyware, a compromised password, a sensitive document sent to the wrong person, identity theft, evidence of a co-worker’s carelessness or failure to follow policies and procedures), to whom can I report it? If that person is temporarily unavailable, who is their backup? What should I do immediately to reduce potential damage?
  • Does the company have a policy on bringing personal devices to the workplace and connecting to the company’s system through them? What about accessing the company’s system remotely from home, while traveling, or through an unsecured public network (e.g., coffee shop, library, hotel, university campus)?
  • In what ways could my actions (e.g., opening a malicious e-mail attachment, clicking on a link to a compromised website, installing an application that contains a Trojan) endanger the security of the company’s system and sensitive information? What are some things I can do to avoid these dangers?

Those are the easy questions—or rather, they should be. If your employees can’t answer them easily, then give that “mandatory employee awareness training” the failing grade it deserves, roll up your sleeves, and get to work on improving your company’s cybersecurity. Don’t hesitate to get outside help—qualified, professional help—if you need it.

According to a survey of hundreds of U.S. companies, conducted in 2015 by CompTIA, “human error” accounts for 52 percent of security breaches. Turns out it’s a greater cyber threat than malware, hackers, or disgruntled employees—although most managers are surprised when they hear this, and have a hard time believing it.

That recalls another category of “human error”—one that wasn’t included in CompTIA’s survey, though perhaps it should have been. It’s an extremely hazardous condition that our cybersecurity compliance risk assessment team has discovered at more than one facility they visited. If you’re a regular reader of this blog, I’m confident that this cyber hazard is not present at your company, so I offer the following on-site finding, straight from the company officer’s mouth, without further comment:

“I’m not sure our company even has a cybersecurity policy or plan or procedures yet. Do we really need anything like that? We’re not some giant corporation, you know. How would we go about creating such a policy? After all, none of us are techies!”  

You Need to Prioritize Cybersecurity Compliance in 2017

Two recent technological trends have made the job of safeguarding export-restricted information more challenging than ever before:

  • The expansion of “cloud” services from simple file storage and archiving to business software applications of all kinds, infrastructure, and platforms.
  • The proliferation of new mobile IT devices.

These advances in technology make it possible for people to access the data and resources of your organization at any time from anywhere on earth. In other words, not only is your business no longer tied to a single location, it’s not even limited to a finite number of locations. Your firm is Open for Business everywhere.

By allowing unprecedented levels of connectivity between marketing and R&D staff, contractors and subcontractors, manufacturers and suppliers, domestic and foreign offices, salespeople and customers around the globe, Cloud Computing and Mobile Technology promise to help businesses accelerate innovation cycles and reduce time-to-market. At the same time, the adoption of these technologies has created new vulnerabilities and risk areas, exposed enterprises to new legal liabilities, and raised a host of new security concerns, some of which are only beginning to emerge.

Meanwhile, in response to the overwhelming global cyber threat environment, the U.S. Government has been issuing more and more cybersecurity laws and regulations. The DoD, GSA, OMB, NASA, NARA, DHS, and the White House have published, amended, modified, and clarified so many rules, Executive Orders, definitions, standards, and guidelines recently—all of them aimed at requiring Federal contractors and subcontractors to establish more stringent controls and practices for the protection of government data—that “regulatory compliance” became the cybersecurity buzz phrase of the year during 2016, and the topic seems unlikely to leave the limelight in 2017.

The latest driver of regulatory compliance is the need for businesses to implement a somewhat bewildering array of new cybersecurity requirements that apply to most Federal contractors and consultants across a wide range of industries, including both defense and non-defense contractors. The recent surge in regulatory activity has included—

  • A new FAR final rule on “Basic Safeguarding of Contractor Information Systems” (FAR 52.204-21, effective June 15, 2016).
  • A new BIS final rule, effective September 1, 2016, allowing U.S. companies to use cloud technology and other means of electronic transmission to store and transfer EAR-controlled unclassified “dual use” technology and software without that transmission or storage being treated as an export, provided the data is secured end to end with encryption meeting the rule’s standard (cryptographic modules compliant with FIPS 140-2 or equally effective means) and is not intentionally stored in a Country Group D:5 country or Russia.
  • A veritable glossary of new information security terms and definitions, including Federal Contract Information (FCI), Controlled Unclassified Information (CUI), covered contractor information system, Covered Defense Information (CDI), and operationally critical support, and an array of new safeguarding requirements associated with them.
  • New mandatory contract clauses covering cybersecurity, with flowdown to subcontractors and certain other parties (FAR 52.204-21 and DFARS 252.204-7008 through -7012).
  • A new DoD final rule, effective October 21, 2016, regarding network penetration reporting (“cyber incidents”) and contracting for cloud services (DFARS Case 2013-D018).

The above are just a few of the latest regulatory changes in this area. Others appear to be on the way as we head into the new year.

Putting all these rules and definitions together and figuring out which of them applies to your company and its products is a daunting task. Complying with the new regulations—minimizing your risks and liabilities—is an even greater challenge.

Businesses need to be asking, and finding answers to, some important questions, such as:

  • How will our firm comply with the new requirements, such as “adequate security” for CDI/CUI per NIST SP 800-171, and “incident reporting” within 72 hours of discovery through the DoD’s DIBNet portal (including compliance with all the rules for investigating, preserving, and submitting information about the data breach)?
  • Do we try to handle cybersecurity regulatory compliance ourselves, do we seek the services of an outside IT contractor, or do we need some combination of both approaches?
  • Since these new cybersecurity standards appear to be mind-bogglingly difficult to navigate and not entirely coherent, and since a failure to comply with them could have dramatic adverse consequences for our company, should we be looking at a specialized cyber insurance policy to supplement our general and professional liability policies?

The ultimate deadline for full contractor compliance with most of the new cybersecurity requirements for CDI/CUI is December 31, 2017, and that date is not likely to change. But the new cybersecurity regulations are already impacting businesses and contracts, especially those in the defense sector.

While DFARS clause 252.204-7012 allows you to notify the DoD CIO, within 30 days of contract award, of any NIST SP 800-171 requirements that your company has not yet implemented, the DoD still expects you to be moving toward full compliance as rapidly as possible, and to have a remediation plan in place to achieve it by December 31, 2017.

So, if you haven’t already done the following at your company, you need to do them now:

  • Conduct a risk assessment for cybersecurity regulatory compliance.
  • Develop a cybersecurity action plan, based on the assessment findings.
  • Implement a cybersecurity framework that is appropriate for your organization.

Note: For those who don’t keep up with the latest business jargon, a “framework” includes stuff like organizational infrastructure and job responsibilities; awareness and education programs; organizational culture; and governance (security policies; work processes and procedures; monitoring effectiveness; technical controls; risk assessments and audits; breach response and risk mitigation plans). “Implementing” a framework implies investing company resources in making it happen.

Whether your company is small, mid-sized, or large, if you do business with the Federal government, or with any other companies that do business with the Federal government — have I left anyone out here? — you should prioritize both regulatory compliance and cybersecurity during 2017.

Regulatory compliance is obligatory, of course, because . . . well, it’s the law, folks! But cyber-compliance is not the same as cyber-security, and security is what you really want.

If your goal is simply to avoid fines and penalties, then as long as you’re sure you meet the minimal requirements of compliance, don’t worry.

But if you’re reading this because your goal is to see your company survive and thrive in today’s digitally interconnected business world, and you’re aware of the current security threat landscape, you shouldn’t breathe easy if you’re told that your company is 100% compliant. Breathe easy when you’re confident that your company has good cybersecurity.