16-1004 Tuesday “The Daily Bugle”

16-1004 Tuesday “Daily Bugle”

Tuesday, 4 October 2016

TOPThe Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, Customs, NISPOM, EAR, FACR/OFAC, FTR/AES, HTSUS, and ITAR), plus news and events. Subscribe 
for free subscription.
Contact us
 for advertising inquiries and rates.

  1. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
  2. Commerce/BIS: (No new postings.) 
  3. DoD/DSCA Posts SAMM and Policy Memoranda, Week 1-8 Oct 
  4. State/DDTC: (No new postings.) 
  5. EU Posts Q&A Concerning Modernization of Export Controls System 
  1. ST&R Trade Report: “CBP to Deactivate 25 Chicago Port Codes for Cargo”
  1. B. Adelmann: “Congress Pushes Back Against Gunsmith Edict” 
  2. J.S. Mussallem & K.B. Oldenburg: “Declinations with Disgorgement: The DOJ’s New Enforcement Category” 
  3. M.J. Scheimer & M.F. Mason: “Controlled Unclassified Information (CUI) Final Rule Released” 
  4. T. Murphy: ” ITRAC — The End of an Era?” 
  1. Bartlett’s Unfamiliar Quotations 
  2. Are Your Copies of Regulations Up to Date? Latest Changes: ATF (15 Jan 2016), Customs (26 Aug 2016), DOD/NISPOM (18 May 2016), EAR (20 Sep 2016), FACR/OFAC (18 May 2016), FTR (15 May 2015), HTSUS (30 Aug 2016), ITAR (29 Sep 2016) 



[No items of interest noted today.]

* * * * * * * * * * * * * * * * * * * * 


OGS_a11. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
(Source: Federal Register)

* Commerce; Industry and Security Bureau; NOTICES; Meetings [Publication Date: 5 October 2016.]:
  – Information Systems Technical Advisory Committee
  – Materials Processing Equipment Technical Advisory Committee
  – Sensors and Instrumentation Technical Advisory Committee

* Treasury; Foreign Assets Control Office; NOTICES; Blocking or Unblocking of Persons and Properties [Publication Date: 5 October 2016.]

* U.S. Customs and Border Protection; NOTICES; Agency Information Collection Activities; Proposals, Submissions, and Approvals [Publication Date: 5 October 2016.]:
  – NAFTA Regulations and Certificate of Origin
  – United States-Caribbean Basin Trade Partnership Act

* * * * * * * * * * * * * * * * * * * *

OGS_a22. Commerce/BIS: (No new postings.)

(Source: Commerce/BIS)
* * * * * * * * * * * * * * * * * * * *

OGS_a63. DoD/DSCA Posts SAMM and Policy Memoranda, Week 1-8 Oct

(Source: DoD/DSCA)
* * * * * * * * * * * * * * * * * * * *

OGS_a34. State/DDTC: (No new postings.)

(Source: State/DDTC)
* * * * * * * * * * * * * * * * * * * *

OGS_a45. EU Posts Q&A Concerning Modernization of Export Controls System

The European Commission has posted on its website a Questions and Answers session regarding the recent proposals to modernize the system of EU export controls. The Questions and Answers session can be found here.
* * * * * * * * * * * * * * * * * * * *


U.S. Customs and Border Protection reports that during the week of Oct. 3 the following Chicago port codes will be deactivated and the trade community will no longer be able to use them on bills of lading or in-bond movements.
  – 3506 Sioux City, IA
  – 3575 Minneapolis/St. Paul Airport
  – 3601 Duluth, MN (inactive)
  – 3602 Ashland, WI (inactive)
  – 3608 Superior, WI (inactive)
  – 3614 Silver Bay, MN
  – 3903 Omaha, NE (inactive)
  – 3904 East Chicago, IN
  – 3906 O’Hare INTL Airport (the main port of Chicago O’Hare is 3901 and will remain active)
  – 3907 Des Moines, IA (inactive)
  – 3981 Waukegan Airport
  – 3983 Chicago Executive Airport
  – 3985 Decatur Airport
  – 3991 Nippon Courier Hub
  – 4108 Ashtabula, OH (inactive)
  – 4109 Conneaut, OH (inactive)
  – 4111 Fairport Harbor, OH (inactive)
  – 4113 Evansville, IN (inactive)
  – 4114 Lawrenceburg, IN (inactive)
  – 4170 Burlington Air Express
  – 4181 Airborne Air Park
  – 4185 Hulman Regional Airport
  – 4191 Airborne Hub
  – 4194 Inactive Do Not Use
  – 4506 Spirit of Saint Louis Airport
CBP is conducting a process in which it is identifying port codes associated to facilities that are no longer active and deactivating them one field office at a time.

* * * * * * * * * * * * * * * * * * * *


. B. Adelmann: “Congress Pushes Back Against Gunsmith Edict”

(Source: The New American)
* Author: Bob Adelmann, The New American Contributor, badelmann@thenewamerican.com.
Last week, House Minority Whip Steve Scalise (R-La.) and Senator Steve Daines (R-Mont.) introduced a bill in their respective chambers that would effectively rescind the State Department’s “guidance” issued in July that would have forced many small gunsmiths out of business. The bill is not a direct confrontation but a demand that the authority of the State Department be transferred to the less anti-gun and more business-friendly Department of Commerce, according to Scalise:
The State Department’s July guidance takes a hostile stance toward gun owners and the Second Amendment. The federal government shouldn’t be treating local gunsmiths like they are international arms dealers. It’s as ludicrous as saying your neighborhood car mechanic is an automobile manufacturer – it just doesn’t add up.
Our common-sense, bipartisan bill simply transfers regulatory responsibility for non-military-grade firearms from the Department of State to the Commerce Department – where it belongs – so that it can be regulated like any other commercial business.
Senator Daines expanded on the bill he offered simultaneously in the Senate:
The Obama administration is continually making attempts at restricting the rights of law-abiding Americans to own guns. This unduly targets gunsmiths, most of whom make little to no income and simply do it for the love of the trade, or are small business owners who will be negatively impacted by this burdensome cost. This bill protects both our Second Amendment rights and our small businesses from government overreach.
The National Rifle Association had a hand in crafting the legislation, with Chris Cox, the NRA’s executive director, adding:
This bill would effectively rescind the State Department’s reckless “guidance” that seeks to treat law-abiding gun owners and gunsmiths as if they were international commercial firearms exporters. This bill would also remove gunsmiths altogether from the State Department’s control so they are not caught up in the bureaucratic red tape and [be] required to pay exorbitant annual fees [of $2,250] meant [only] for commercial exporters.
At issue is the “guidance” letter sent to Federal Firearms Licensees (FFLs) from the State Department’s Directorate of Defense Trade Controls (DDTC) on July 22 which spent two pages of legalese trying to differentiate between “gunsmithing” activities and “manufacturing” activities. For its purposes, the DDTC – responsible for administering the Arms Export Control Act – decided to stretch the definition of “manufacturing” to include hobbyists and small shop gunsmiths who used “any special tooling … in order to improve the capability of … firearms.” It included “the systematized production of ammunition, including automated loading or reloading of ammunition … [and] the machining or cutting of firearms … that results in an enhanced capability.”
The bills offered last week are simply the latest in the pushback against the obvious efforts by the State Department to put out of business small gunsmiths and hobbyists working on firearms or doing reloading at home using “automated” presses. Without gunsmiths to repair, maintain, and enhance the operation of firearms, a large percentage of the estimated 300 million firearms owned by Americans would eventually become nothing more dangerous than a rusty paperweight.
As noted above, five days after the DDTC sent its letter to FFLs, the NRA made clear that the new “guidance” would “require anybody who engages in the business of ‘manufacturing’ [so-defined] … to register with the DDTC and pay a registration fee [of] $2,250 per year. These requirements apply even if the business does not, and does not intend to, export any [firearm].”
Two weeks later, dozens of senators and well over 100 pro-Second Amendment members of the House responded with a strongly worded letter to Secretary of State John Kerry stating that “the last thing [those small businesses] need is an edict from the federal government imposing fees and requirements which are wholly unnecessary and nonsensical.”
It’s too early to tell whether either bill will gain much traction in Congress. But what is clear is that the “ratchet” effect of rules coming from the administrative branch of the federal government is in play. An agency, acting outside of its jurisdiction and motivated politically with an anti-Second Amendment agenda, proposes a rule. People get upset. They pressure their representatives and senators to “do something.” A bill is crafted, such as this one, that merely shuttles the illegal unconstitutional rule from one offending agency to another one with perhaps a slightly less odious or obvious agenda.
If the bill is passed into law (highly unlikely under the Obama administration), it cements into place the concept that government should regulate gunsmiths, gunsmithing activities and home reloaders, all in contravention of the Second Amendment to the U.S. Constitution. And if the bill never sees the light of day, then the administrative edict will stand. 
In a more perfect world, the bill would instead rescind the Gun Control Act of 1968, the father of most of the anti-Second Amendment mischief foisted upon legitimate law-abiding citizens who enjoy the right to keep, bear, use, maintain, repair, and enhance the capability of their firearms.

* * * * * * * * * * * * * * * * * * * *

. J.S. Mussallem & K.B. Oldenburg: “Declinations with Disgorgement: The DOJ’s New Enforcement Category”

* Authors: Jessica S. Mussallem, Esq., jmussallem@velaw.com, 415-979-6920; and Kurt B. Oldenburg, Esq., koldenburg@velaw.com, 415-979-6945. Both of
Vinson & Elkins LLP.
Over the past year, the U.S. Department of Justice (DOJ) has released new directives and guidance in an effort to enhance its enforcement of the U.S. Foreign Corrupt Practices Act of 1977, as amended (FCPA), starting with the September 2015 release of Deputy Attorney General Sally Quillian Yates’s memorandum (the Yates Memo) followed by the announcement of a Pilot Program to encourage companies to self-report potential FCPA violations and cooperate in federal investigations. Assistant Attorney General Leslie Caldwell said that companies who report early and cooperate will receive up to a 50 percent reduction off the bottom end of the U.S. Sentencing Guidelines fine range. Coupled with this carrot of cooperation credit was the Yates Memo stick: Companies would not be considered for cooperation credit if they failed to disclose individual misconduct.
How these new directives would play out has been the topic of much interest. Over the summer, the DOJ declined to pursue charges against three companies. However, the companies also reached settlements with the Securities and Exchange Commission (SEC) that involved disgorgement of alleged profits from the misconduct. The declination letters to Akamai Technologies and Nortek Inc. were released within days of each other this past summer. It was widely debated whether the declinations should even be attributed to the DOJ’s Pilot Program because it is questionable whether either investigation involved viable criminal charges, i.e., evidence of bribery or willful and knowing violation of the books and records provision of the FCPA. There was no articulated evidence that anyone at the issuer companies participated in, knew of or authorized the improper conduct. Also, neither company self-disclosed under the Pilot Program, having done so in early 2015 before the program’s conception.
Last week, the DOJ released letters to two Texas companies declining criminal prosecution for violations of the FCPA. Both companies – which are privately held and therefore not subject to SEC FCPA enforcement actions – agreed to disgorge all profits resulting from the bribery. These “declinations with disgorgement” mark a new category of enforcement action for the DOJ. Although the idea of paying money to get out of a criminal case is nothing new – the DOJ has been doing this for a long time – calling it disgorgement takes a term out of SEC’s playbook.
The HMT LLC and NCH Corp. decisions are the fourth and fifth declinations issued by the DOJ since the inception of its Pilot Program. The declination letters are fairly brief but do offer some insight, especially into the factors considered by the DOJ in its decisions to decline to prosecute. Most notably, the DOJ seems to have considered very similar factors for both declinations, which consist of:

  (1) the timely, voluntary self-disclosure;
  (2) the thorough and comprehensive investigation including providing all known relevant facts about the individuals involved with the misconduct;
  (3) the steps taken to enhance compliance programs and internal accounting controls;
  (4) agreements to disgorge all profits earned; and
  (5) full remediation including terminating individuals and severing relationships with third parties.

The first factor goes directly to the Pilot Program’s encouragement of self-disclosure. The second factor – requiring companies to provide all known relevant facts about the individuals involved – is not surprising post-Yates Memo, which directs prosecutors to consider and address individual culpability in connection with each FCPA investigation. The third and fifth factors – requiring enhancements to compliance programs and internal accounting controls and thorough remediation – are also to be expected, considering the DOJ’s hiring of a full-time compliance program expert on the heels of its Yates Memo announcement. The fourth factor, although somewhat new, is a concept that was announced in the Pilot Program itself, which made clear that even a company that voluntarily self-discloses, fully cooperates, and remediates will be required to disgorge all profits resulting from the FCPA violation. Prior DOJ declinations did not require companies to disgorge profits from the alleged wrongdoing, but cited the companies’ disgorgement to the SEC as a factor supporting declination.
The amounts at issue in four out of the five declinations have been nominal. HMT LLC, a Woodlands, Texas-based company that makes liquid storage tanks for the oil and gas industry, agreed to disgorge $2.7 million in alleged profits resulting from bribes paid in Venezuela to a state-owned energy company, and in China to various state-owned enterprises totaling $500,000. NCH Corp., an Irving, Texas-based company that makes cleaning products, agreed to disgorge $335,000 in alleged profits resulting from $44,545 in cash, gifts, meals, and entertainment given in China to employees of Chinese state-controlled customers. Nortek Inc., a Rhode Island-based building products manufacturer, entered a $320,000 non-prosecution agreement with the SEC and allegedly paid $290,000 in improper cash payments. Akamai Technologies, a Massachusetts-based internet services provider, entered a $673,000 non-prosecution agreement with the SEC and allegedly arranged $40,000 in payments to induce government-owned entities to purchase more services than they actually needed.
It is not at all clear that the expectation of an out and out declination, in cases involving larger or more substantial FCPA issues, should follow.
The Pilot Program may not be such a bargain after all: The (up to) 50 percent reduction in criminal penalties is not guaranteed, is based on the sentencing guidelines range which is usually a high number to begin with, and now, apparently, does not relieve companies from having to disgorge alleged profits or impact the amount of profits that must be disgorged, which is usually a number subject to interpretation and a lot of negotiation. These case examples also might not be representative of the fact patterns or realistic penalties faced by large companies with FCPA exposure: Two declinations involved private companies, and four resulted in minimal sanctions where the DOJ may have lacked evidence needed to ultimately prove criminal conduct, causing many to ask what, exactly, was the DOJ “declining” to prosecute?
That said, the risks of not self-reporting are higher still and must be carefully considered when weighing against these benefits. The DOJ continues to be in the relatively early stages of implementing its Pilot Program and the Yates Memo, and more informative trends may begin to emerge. Corporate counsel should continue to monitor FCPA settlements as an indicator of how these principles will (or will not) shape FCPA enforcement in the future.

* * * * * * * * * * * * * * * * * * * *

. M.J. Scheimer & M.F. Mason: “Controlled Unclassified Information (CUI) Final Rule Released”

Hogan Lovells
* Authors: Michael J. Scheimer, Esq.,
, 202-637-6584; and Michael F. Mason, Esq.,
, 202-637-5499. Both of Hogan Lovells.
On Wednesday, September 14, 2016, the National Archives and Records Administration (NARA) released its long awaited Controlled Unclassified Information (CUI) Final Rule, which prescribes requirements governing U.S. Federal agencies’ safeguarding, marking, and disposal of CUI, available here. [FN/1] The CUI Rule reflects NARA’s consideration of 245 individual public comments on a proposed rule it had previously released on May 5, 2015. [FN/2] The CUI Rule:

  – formally identifies the approved categories and subcategories of CUI;
  – establishes the CUI Registry as the official online repository for information, guidance, policy, and requirements for Federal agencies to following in handling CUI;
  – distinguishes between “CUI Basic” and “CUI Specified” for purposes of safeguarding requirements;
  – prescribes the use of NIST Special Publication (SP) 800-171 when CUI will reside on non-federal information systems;
  – applies directly only to Federal agencies, but will affect contractors and grantees through contract and agreement provisions addressing CUI. An anticipated Federal Acquisition Regulation (FAR) rule will extend the CUI Rule to the contractor environment, but agencies are expected to use their own agency-specific contract clauses before the FAR rule is released; [FN/3] and
  – takes effect on November, 14, 2016, but NARA implementation guidance provides a further 180 days for agencies to implement certain parts of the CUI Rule (32 C.F.R. Part 2002).
Background on the Federal CUI Program
Executive Order (EO) 13556, Controlled Unclassified Information (November 4, 2010), available here, established the government-wide CUI Program and designated NARA as the Executive Agent (EA). [FN/4] The CUI Program addresses common issues across the Federal government in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding, and needless restrictions. The program aims to remedy these issues by standardizing related procedures and providing common definitions through the CUI Registry. NARA’s CUI Registry condenses more than 100 types of historically “sensitive but unclassified” (SBU) federal information categories into 23 categories and 84 subcategories of CUI. [FN/5]
The CUI Registry
The CUI Registry is the official online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI EA. Among other information, the CUI Registry identifies the approved government-wide CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for marking and handling the information. The final rule establishes the CUI Registry as the authoritative source for approved CUI categories and subcategories – “agencies may use only those categories and subcategories approved by the CUI EA and published in the CUI Registry to designate information as CUI.” [FN/6]
Definitions: CUI Basic v. CUI Specified
In accordance with EO 13556, only information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies may be designated as CUI. This definition excludes, however, classified information under EO 13526 (Dec 29, 2009), or any predecessor or successor order, or the Atomic Energy Act of 1954 (42 U.S.C. 2011), as amended. [FN/7]
In response to comments received on the proposed rule, the final CUI Rule clarifies that “information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency” is not CUI. [FN/8] (emphasis added).
Also, the final CUI Rule distinguishes between “CUI Basic” and “CUI Specified.”
First, the term “CUI Basic” covers CUI categories and subcategories that have a general requirement for safeguarding or disseminating controls. All CUI that does not have specific protections set out in a law, regulation, or Government-wide policy falls into CUI Basic categories. [FN/9] CUI Basic requirements are the default requirements for protecting CUI, and apply to the vast majority of CUI. Examples of CUI Basic include:
Second, “CUI Specified” are CUI categories and subcategories that may have higher, or different, safeguarding requirements based in a law, regulation, or Government-wide policy that requires or permits other controls for safeguarding or disseminating of that information. [FN/10] A number of CUI Specified categories and subcategories have governing authorities with specific requirements and with higher penalties for failing to protect the information. Examples of CUI Specified include:
Information systems that process, store, or transmit CUI
The CUI Rule distinguishes two types of information systems that process, store, or transmit CUI. For a “Federal information system” (i.e., an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency), the system is covered by the Federal Information Security Management Act, as amended by the Federal Information Security Modernization Act of 2014 (collectively, FISMA). CUI on Federal information systems should be safeguarded at the “moderate” confidentiality impact level under FISMA (unless the particular CUI category or subcategory prescribes heightened safeguarding requirements). [FN/11]
For a “non-federal information system” (e.g., a contractor system that receives CUI only incidental to providing a service or product to the Government), the system is covered by the requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. [FN/12] The final rule states that agencies “must use NIST SP 800-171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems [i.e., contractor internal information systems].” [FN/13]
Agency Obligations under the CUI Program
The CUI Rule requires the head of each executive branch agency to ensure implementation of the CUI program within his/her respective agency. This includes:

  – Designating a CUI Senior Agency Official (SAO)
  – Establishing self-inspection programs and training programs
  – Establishing a process within the agency for challenges to designation of information as CUI
  – Establishing a process for reporting and investigating misuse of CUI
Agencies are expected to re-mark their legacy or archived SBU material with the approved CUI category/subcategory markings. [FN/14] A CUI SAO can approve a waiver on marking if the need to mark is “excessively burdensome” or if there are “exigent circumstances.” [FN/15]
Extension of the CUI regulation to contractors and grantees
The final CUI Rule applies directly only to executive branch agencies. However, although the government is developing a FAR case for government-wide implementation, the final rule directs agencies to “include provisions that [require the non-executive branch entity to] handle the CUI in accordance with the Order, this part, and the CUI Registry” [FN/16] in any written agreements with non-executive branch agencies (including contracts, grants, licenses, certificates, and other agreements) that involve CUI. Therefore, until a standard FAR provision is adopted, contractors with different agency customers may find themselves subject to potentially conflicting and duplicative agency-specific contract clauses regarding CUI. [FN/17]
Also, the final rule does not address its interaction with the current DFARS safeguarding and incident reporting rule. The DFARS rule addresses “Covered Defense Information” (CDI), a DoD-defined term made up of types of information that fall under certain CUI categories and subcategories. However, because the DFARS rule was released while the NARA CUI rule was not final, the DFARS does not explicitly refer to the CUI Registry. Also, the current DFARS rule provides DoD contractors until December 31, 2017, to implement all the security requirements of NIST 800-171. It remains unclear whether the forthcoming FAR CUI rule will provide civilian-agency contractors a similar grace period.
There is a DFARS final rule scheduled for publication that may clarify the interaction between the DoD requirements and the CUI Rule. [FN/18]
NARA CUI Marking and Implementation Guidance
In the same week the final CUI Rule was published, NARA also posted two key guidance documents at the CUI Registry:
1. Controlled Unclassified Information (CUI) Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program (Sept.14, 2016)
The Implementation Guidance provides for phased implementation of the CUI program at agencies with a number of milestones over the next two years. Within 180 days of the effective date of the final CUI Rule’s new 32 C.F.R. Part 2002, agencies must develop and publish an implementation plan. NARA will also require annual reports on agency progress, with the first report due November 1, 2017.
2. Marking Controlled Unclassified Information (Marking Handbook) (Sept. 16, 2016)
The Marking Handbook provides authorized holders with instructions and examples for marking materials containing CUI with a marking process that cleared contractors will recognize as very similar to the marking requirements for classified national security information. [FN/19] Some key marking requirements are:
  – CUI Banner Markings on the top portion of every page of all CUI documents. The CUI Control Marking may consist of either the word “CONTROLLED” or the acronym “CUI” (at the designator’s discretion)
  – CUI Control Markings must use a double forward slash (//) to separate between Category or Subcategory Markings and Dissemination controls. For example: CONTROLLED or CUI//CATEGORIES AND SUBCATEGORIES//DISSEMINATION
  – All documents containing CUI must carry an indicator of who in the agency designated the CUI within it. This designation indicator must be readily apparent to authorized holders although it may appear only on the first page or cover.
Overlapping CUI related developments
Although the final CUI Rule is only effective 60 days after publication, and agencies have a 180 day window for initial implementation, there are other anticipated rulemakings and policy development that will affect the CUI program, including:

  – Revised final OMB acquisition guidance to all agencies on CUI; [FN/20]
  – A FAR rule applying the CUI regulation to contractors;
  – A DFARS final rule; and
  – Revision 1 to NIST 800-171. [FN/21]
Hogan Lovells will continue to monitor the implementation of the CUI Rule and any other developments in the CUI Program. For more information, please contact the authors or the Hogan Lovells lawyer with whom you work.

  [FN/1] NARA, Controlled Unclassified Information, Final Rule, 81 Fed. Reg. 63,324 – 63,347 (Sept. 14, 2016).
  [FN/2] 80 Fed. Reg. 26,501 (May 8, 2015).
  [FN/3] NARA’s proposed rule stated that the CUI Program is undergoing a three part implementation plan to: 1) finalize the NARA proposed CUI rule in 32 C.F.R. § 2002; 2) finalize NIST 800-171 (which was completed in June 2015); and 3) release a single FAR rule on CUI. 80 Fed. Reg. 26,501 (May 8, 2015).
  [FN/4] Specifically NARA has delegated the EA role to the Director of the Information Security Oversight Office (ISOO), which also coordinates government-wide classified national security information policy. Cleared contractors will notice many similarities between the new marking requirements for CUI and the traditional marking requirements for classified information.
  [FN/5] The CUI Registry was officially established a year after EO, and reflects a drawn out interagency process to identify CUI categories/subcategories that actually started years earlier with a Presidential Memorandum on the Designation and Sharing of Controlled Unclassified Information (May 7, 2008), available here. With the release of the final rule, the CUI Registry has finally become the official source for approved CUI.
  [FN/6] 32 C.F.R. § 2002.12(b). See also 32 C.F.R. § 2002.10 The CUI Registry.
  [FN/7] 32 C.F.R. §2002.4 Definitions, (h) Controlled Unclassified Information (CUI).
  [FN/8] 32 C.F.R. §2002.4 Definitions, (h) Controlled Unclassified Information (CUI).
  [FN/9] 32 C.F.R. §2002.4 Definitions, (j) CUI Basic.
  [FN/10] “CUI Specified controls may be more stringent than, or simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out specific controls for CUI Specified information and does not for CUI Basic information.” 32 C.F.R. §2002.4 Definitions, (r) CUI Specified.
  [FN/11] Final Rule, Preamble, 81 Fed. Reg. at 63326.
  [FN/12] NIST SP 800-171 establishes guidance for protecting CUI: (1) When the CUI is resident in non-Federal information systems and organizations; (2) when the information systems where the CUI resides are not used or operated by contractors of Federal agencies or other organizations on behalf of those agencies; and (3) when the authorizing law, Federal regulation, or Government-wide policy listed in the CUI Registry for the CUI category or subcategory does not prescribe specific safeguarding requirements for protecting the CUI’s confidentiality. Effectively this means that an information system that meets all 800-171 security requirements can handle CUI Basic, but there may be additional requirements the information system will have to meet for any CUI Specified information.
  [FN/13] 32 C.F.R. § 2002.14 Safeguarding (g) – (h).
  [FN/14] 32 C.F.R. §2002.20 Marking (a)(i) “[agencies must] discontinue all use of legacy or other markings not permitted by this part or included in the CUI Registry…”.
  [FN/15] 32 C.F.R. §2002.38.
  [FN/16] 32 C.F.R. §2002.16(a).
  [FN/17] The FAR CUI Rule will go beyond the minimal security measures in the recent FAR clause 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems.” See our previous analysis of the FAR Basic Safeguarding clause here.
  [FN/18] For DFARS Case 2013-D018, the most recent Open DFARS case tracker indicates that DoD submitted the final DFARS rule to OMB for review on 8/09/2016.
  [FN/19] Marking Classified National Security Information (Revision 3, August 2016), available at the ISOO training website here.
  [FN/20] On August 11, 2015, shortly after the release of the NARA Proposed Rule and NIST 800-171, OMB issued “proposed guidance” on Improving Cybersecurity Protections in Federal Acquisitions. The guidance was intended to “take major steps toward implementing strengthened cybersecurity protections in federal acquisitions[,] thus mitigating the risks of potential incidents.” The OMB Guidance specifically directs agencies to require their contractors that handle CUI to meet the requirements of NIST 800-171. A final version of this acquisition guidance is expected to be published in fall 2016.
  [FN/21] NIST released a draft NIST 800-171 Revision 1 for a public comment period from August 16, 2016 through September 16, 2016. One of the most significant changes of the proposed Revision 1 was the addition of requirements for System Security Plans (SSPs) and associated Plans of Action and Milestones (POAMs).

* * * * * * * * * * * * * * * * * * * *

. T. Murphy: ” ITRAC — The End of an Era?”

(Source: Author)
* Author: Ted Murphy, Esq., Baker & McKenzie LLP, ted.murphy@bakermckenzie.com, 202-452-7069.
U.S. Customs and Border Protection (CBP) is in the process of finalizing the transition to the Automated Commercial Environment (ACE). Once the remaining post-release functionality is up and running (soon, soon), CBP will no longer populate import data in the Automated Commercial System (ACS), which means that the Importer Trade Activity (ITRAC) reports will no longer be available (or provided to Importer Self-Assessment Program participants). Instead, import data reports will only be available through ACE.
As many of you know, ITRAC has been a reliable tool for years. The data proved invaluable when preparing for audit or Focused Assessment (Regulatory Audit pulled the audit data from the same system – ACS), drafting a prior disclosure, or just performing periodic/annual compliance testing. ACE has come a long way and, going forward, should be an equally-reliable tool (with some added functionality/benefits over ITRAC).
Given that the ACE data may only be complete on a going forward basis, however, we recommend that companies consider obtaining one last ITRAC data report from CBP HQ before the program goes off-line. This way, the company will have the last 5 years of its import data just in case something comes up in the future, such as a Focused Assessment or the need to file a prior disclosure. You do not want to find yourself a year from now, for example, needing to look back at your 2014 import data and discovering that not all of it is captured in ACE. Better to have the data and not need it, than to need it and not have it.

* * * * * * * * * * * * * * * * * * * *


(Source: Editor)


Notable birthdays:


* Damon Runyon (Alfred Damon Runyon. 4 Oct 1880 – 10 Dec 1946, was an American newspaperman and author known for his prohibition era stories with characters with colorful nicknames.)
  – “The race is not always to the swift, nor the battle to the strong, but that’s the way to bet.”
* Rutherford B. Hayes (Rutherford Birchard Hayes, 4 Oct 1822 – 17 Jan 1893, was the 19th President of the United States, from 1877 to 1881.)
  – “Let every man, every corporation, and especially let every village, town, and city, every county and State, get out of debt and keep out of debt. It is the debtor that is ruined by hard times.”

* * * * * * * * * * * * * * * * * * * *

12. Are Your Copies of Regulations Up to Date? 

(Source: Editor)

The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register.  Changes to applicable regulations are listed below.
: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War
  – Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm  
: 19 CFR, Ch. 1, Pts. 0-199
  – Last Amendment: 26 Aug 2016: 81 FR 58831-58834: Administrative Exemption on Value Increased for Certain Articles  

  – Last Amendment: 18 May 2016: Change 2: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and canceled Supp. 1 to the NISPOM  (Summary here.)

  – Last Amendment: 20 Sep 2016: 81 FR 64693-64698: Revisions to the Entity List; and 81 FR 64655-64692: Wassenaar Arrangement 2015 Plenary Agreements Implementation, Removal of Foreign National Review Requirements, and Information Security Updates  

: 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders
  – Last Amendment: 18 May 2016: 81 FR 31169-31171: Burmese Sanctions Regulations 
: 15 CFR Part 30
  – Last Amendment: 15 May 2015; 80 FR 27853-27854: Foreign Trade Regulations (FTR): Reinstatement of Exemptions Related to Temporary Exports, Carnets, and Shipments Under a Temporary Import Bond 
  – HTS codes that are not valid for AES are available
  – The latest edition (9 May 2016) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, and Census/AES guidance.  Subscribers receive revised copies every time the FTR is amended.  The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR, please contact us to receive your discount code. 
, 1 Jul 2016: 19 USC 1202 Annex.  (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)
  – Last Amendment: 30 Aug 2016; Harmonized System Update (HSU) 1612, containing 4,692 ABI records and 935 harmonized tariff records.   
  – HTS codes for AES are available
  – HTS codes that are not valid for AES are available

22 C.F.R. Ch. I, Subch. M, Pts. 120-130 (Caution — The ITAR as posted on GPO’s eCFR website and linked on the DDTC often takes several weeks to update the latest amendments.)

  – Latest Amendment: 29 Sep 2016:
81 FR 66804-66807: RIN 1400-AD95; Amendment to the International Traffic in Arms Regulations: Tunisia, Eritrea, Somalia, the Democratic Republic of the Congo, Liberia, Cote d’Ivoire, Sri Lanka, Vietnam, and Other Changes

  – The only available fully updated copy (latest edition 29 Sep 2016) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III.  The BITAR contains all ITAR amendments to date, plus a large Index and over 700 footnotes with case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text.  Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment.  The BITAR is
the essential tool of the ITAR professional.  The BITAR is available by annual subscription from the Full Circle Compliance
website.  BAFTR subscribers receive a 25% discount on subscriptions to the BITAR — please
contact us to receive your discount code.  

* * * * * * * * * * * * * * * * * * * *


* The Ex/Im Daily Update is a publication of FCC Advisory B.V., edited by James E. Bartlett III and Alexander Bosch, and emailed every business day to approximately 7,500 subscribers to inform readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOJ/ATF, DoD/DSS, DoD/DTSA, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* INTERNET ACCESS AND BACK ISSUES: The National Defense Industrial Association (“NDIA”) posts the Daily Update on line, and maintains back issues since August, 2009 here.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission. Any further use of contributors’ material, however, must comply with applicable copyright laws.

* CAVEAT: The contents cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website.

* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.

Scroll to Top