
16-1214 Wednesday “The Daily Bugle”

Wednesday, 14 December 2016

The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, Customs, NISPOM, EAR, FACR/OFAC, FTR/AES, HTSUS, and ITAR), plus news and events. Subscribe here for free subscription. Contact us for advertising inquiries and rates.

  1. DoD/DSS Seeks Comments on Form 232, National Industrial Security Program Cost Collection Survey
  2. Justice/ATF Seeks Comments on Records of Acquisition and Disposition, Collectors of Firearms
  3. DHS/CBP Posts Quarterly IRS Interest Rates Used in Calculating Interest on Overdue Accounts and Refunds on Customs Duties
  4. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
  5. Commerce/BIS: (No new postings.)
  6. State/DDTC: (No new postings.)
  7. The Hill: “Iran to Build Nuclear-Powered Vessels in Response to US ‘Violation’”
  8. KGMI: “Man Charged in Seattle with Selling Parts to China”
  9. ST&R Trade Report: “CBP Modifies Post-Summary Correction, Periodic Monthly Statement Tests”
  10. ST&R Trade Report: “No Change to Quarterly IRS Interest Rates Relating to Customs Duties”
  11. G. Novalis: “Export Compliance in 11 Words (Part 7): Secure!”
  12. J.W. Cottle, P. Rappo, E.J. Krauland: “UK Government Seek Consultations on New Civil Penalties For Violations of Economic Sanctions”
  13. ACE Export Reports Webinar – 15 Dec
  14. Bartlett’s Unfamiliar Quotations
  15. Are Your Copies of Regulations Up to Date? Latest Changes: ATF (15 Jan 2016), Customs (12 Dec 2016), DOD/NISPOM (18 May 2016), EAR (5 Dec 2016), FACR/OFAC (4 Nov 2016), FTR (15 May 2015), HTSUS (30 Aug 2016), ITAR (5 Dec 2016)

EX/IM ITEMS FROM TODAY’S FEDERAL REGISTER

1. DoD/DSS Seeks Comments on Form 232, National Industrial Security Program Cost Collection Survey

 
81 FR 90338-90339: Proposed Collection; Comment Request
* AGENCY: Defense Security Service, DoD.
* ACTION: Notice. …
* DATES: Consideration will be given to all comments received by February 13, 2017. …
* FOR FURTHER INFORMATION CONTACT: To request more information on this proposed information collection or to obtain a copy of the proposal and associated collection instruments, please write to the Defense Security Service, ATTN: Mr. Corey Beckett, Chief Financial Officer, 27130 Telegraph Road, Quantico, VA 22134.
* SUPPLEMENTARY INFORMATION:
  – Title; Associated Form; and OMB Number: National Industrial Security Program Cost Collection Survey; DSS Form 232; OMB Control Number 0704-0458.
  – Needs and Uses: The information collection requirement is necessary as a result of Executive Order 12829, “National Industrial Security Program,” which requires the Department of Defense to account each year for the costs associated with implementation of the National Industrial Security Program and report those costs to the Director of the Information Security Oversight Office (ISOO). …
  – Collection of this data is required to comply with the reporting requirements of Executive Order 12829, “National Industrial Security Program.” This collection of information requests the assistance of the Facility Security Officer to provide estimates of annual security labor cost in burdened, current year dollars and the estimated percentage of security labor dollars to the total security costs for the facility. Security labor is defined as personnel whose positions exist to support operations and staff in the implementation of government security requirements for the protection of classified information. Guards who are required as supplemental controls are included in security labor. This data will be incorporated into a report produced to ISOO for the estimated cost of securing classified information within industry. The survey will be distributed electronically via a Web-based commercial survey tool.
 
   Dated: December 9, 2016.
Aaron Siegel, Alternate OSD Federal Register Liaison Officer, Department of Defense.
* * * * * * * * * * * * * * * * * * * *

2. Justice/ATF Seeks Comments on Records of Acquisition and Disposition, Collectors of Firearms

(Source: Federal Register) [Excerpts.]
 
81 FR 90385-90386: Agency Information Collection Activities; Proposed eCollection eComments Requested; Records of Acquisition and Disposition, Collectors of Firearms
* AGENCY: Bureau of Alcohol, Tobacco, Firearms and Explosives, Department of Justice.
* ACTION: 60-day notice. …
* DATES: Comments are encouraged and will be accepted for 60 days until February 13, 2017.
* FOR FURTHER INFORMATION CONTACT: Rinell Lawrence, Firearms Industry Program Branch, Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), either by mail at 99 New York Ave. NE., Washington, DC 20226, by email at fipb-informationcollection@atf.gov, or by telephone at 202-648-7190.
* SUPPLEMENTARY INFORMATION: …
  – The Title of the Form/Collection: Records of Acquisition and Disposition, Collectors of Firearms. …
  – Component: Bureau of Alcohol, Tobacco, Firearms and Explosives, U.S. Department of Justice.
  – Abstract: The recordkeeping requirement for this collection is primarily to facilitate ATF’s authority to inquire into the disposition of any firearm during the course of a criminal investigation. …
  – If additional information is required contact: Jerri Murray, Department Clearance Officer, United States Department of Justice, Justice Management Division, Policy and Planning Staff, Two Constitution Square, 145 N Street NE., Room 3E-405B, Washington, DC 20530.
   Dated: December 9, 2016.
Jerri Murray, Department Clearance Officer for PRA, U.S. Department of Justice.
* * * * * * * * * * * * * * * * * * * *

3. DHS/CBP Posts Quarterly IRS Interest Rates Used in Calculating Interest on Overdue Accounts and Refunds on Customs Duties

(Source: Federal Register) [Excerpts.]
 
81 FR 90370-90372: Quarterly IRS Interest Rates Used in Calculating Interest on Overdue Accounts and Refunds on Customs Duties
* AGENCY: U.S. Customs and Border Protection, Department of Homeland Security.
* ACTION: General notice.
* SUMMARY: This notice advises the public that the quarterly Internal Revenue Service interest rates used to calculate interest on overdue accounts (underpayments) and refunds (overpayments) of customs duties will remain the same from the previous quarter. For the calendar quarter beginning October 1, 2016, the interest rates for overpayments will be 3 percent for corporations and 4 percent for non-corporations, and the interest rate for underpayments will be 4 percent for both corporations and non-corporations. This notice is published for the convenience of the importing public and U.S. Customs and Border Protection personnel.
* DATES: Effective Date: October 1, 2016.
* FOR FURTHER INFORMATION CONTACT: Kara N. Welty, Revenue Division, Collection and Refunds Branch, 6650 Telecom Drive, Suite #100, Indianapolis, Indiana 46278; telephone (317) 614-4614.
* SUPPLEMENTARY INFORMATION: …
   In Revenue Ruling 2016-23, the IRS determined the rates of interest for the calendar quarter beginning October 1, 2016, and ending on December 31, 2016. The interest rate paid to the Treasury for underpayments will be the Federal short-term rate (1%) plus three percentage points (3%) for a total of four percent (4%) for both corporations and non-corporations. For corporate overpayments, the rate is the Federal short-term rate (1%) plus two percentage points (2%) for a total of three percent (3%). For overpayments made by non-corporations, the rate is the Federal short-term rate (1%) plus three percentage points (3%) for a total of four percent (4%). These interest rates are subject to change for the calendar quarter beginning January 1, 2017, and ending March 31, 2017.
   For the convenience of the importing public and U.S. Customs and Border Protection personnel the following list of IRS interest rates used, covering the period from before July of 1974 to date, to calculate interest on overdue accounts and refunds of customs duties, is published in summary format. …
   Dated: December 9, 2016.
R. Gil Kerlikowske, Commissioner.
* * * * * * * * * * * * * * * * * * * *

OTHER GOVERNMENT SOURCES

4. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
(Source: Federal Register)


* Commerce; Industry and Security Bureau; RULES; Addition of Certain Persons to the Entity List [Publication Date: 15 December 2016.]

* State; NOTICES; Modification of Iran, North Korea, and Syria Nonproliferation Act Measures Against Russian Entity [Publication Date: 15 December 2016.]

* Treasury; Foreign Assets Control Office; NOTICES; Blocking or Unblocking of Persons and Properties [Publication Date: 15 December 2016.] 

* * * * * * * * * * * * * * * * * * * *

6. State/DDTC: (No new postings.)

(Source: State/DDTC)

* * * * * * * * * * * * * * * * * * * *

NEWS

7. The Hill: “Iran to Build Nuclear-Powered Vessels in Response to US ‘Violation’”

 
Iran announced Tuesday that it will instruct its scientists to create nuclear-powered marine vessels in response to what it sees as a U.S. “violation” of a nuclear agreement with the nation.

Following the decision of Congress to extend a portion of U.S. sanctions against the country, Iranian President Hassan Rouhani revealed the orders to build a “nuclear propeller to be used in marine transportation,” but would not clarify if the program will be used for producing nuclear-powered submarines, according to Reuters.

It is also unclear if Iran will enrich its uranium above the maximum level set by the Joint Comprehensive Plan of Action (JCPOA) in order to properly develop such a technology.

 
The White House has maintained that Iran will not violate the terms of the nuclear deal and will not use the program to obtain a nuclear weapon.

  “The announcement from the Iranians today does not run counter to the international agreement to prevent Iran from obtaining a nuclear weapon,” said White House spokesman Josh Earnest.

U.S. State Department spokesman John Kirby said many details are still unknown.  “There’s a lot we don’t know about it, what it means,” Kirby said in reference to Rouhani’s announcement, according to Reuters. He added that such a program is a “massive undertaking for any nation” and said it could potentially take decades.

Iran has been highly critical of U.S. lawmakers who have been campaigning to maintain pressure on Iran by keeping some of the sanctions intact. Iran’s president has also criticized President-elect Donald Trump’s tough rhetoric toward the country, pledging that he will not be able to dismantle the agreement when he takes office.  “[Trump] wants to do many things, but none of his actions would affect us,” Rouhani said during a speech at the University of Tehran last week.


   “Do you think the United States can rip up the JCPOA? Do you think we and our nation will let him do that?” Rouhani said. 

* * * * * * * * * * * * * * * * * * * *

8. KGMI: “Man Charged in Seattle with Selling Parts to China”

(Source: KGMI)
 
A New Zealand man arrested in Seattle is charged with trying to buy devices used on airplanes, spacecraft and missiles in the U.S. so he could sell them to China.
 
William Ali is accused of attempting to violate the Arms Export Control Act.
 
He was arrested at a Seattle hotel in April after he met with an undercover Homeland Security agent to purchase the devices.
 
Ali’s lawyer says this is a case of entrapment because the federal agent induced Ali to come to the U.S. to commit a crime.
 
The trial is now underway in a Federal courtroom in Seattle.

* * * * * * * * * * * * * * * * * * * *

9. ST&R Trade Report: “CBP Modifies Post-Summary Correction, Periodic Monthly Statement Tests”

 
U.S. Customs and Border Protection is expanding the types of entries that may be corrected by filing a post-summary correction and making other changes to its ongoing tests of PSCs and periodic monthly statements. These modifications will be effective as of Jan. 14, 2017.
 
Post-Summary Corrections. Under the PSC test, importers may use the Automated Broker Interface to file PSC claims to entry summaries filed in the Automated Commercial Environment. Importers and their brokers may also use ABI to file PSCs to those pre-liquidation ACE entry summaries that are accepted by CBP, fully paid, and under CBP control.
 
CBP is now expanding the type of entries that may be corrected by filing a PSC (which currently include types 01 (consumption – free and dutiable) and 03 (consumption – antidumping/countervailing duty)) to include the following.
 
  – 02 (consumption – quota/visa)
  – 06 (consumption – foreign-trade zone)
  – 07 (consumption – AD/CV duty and quota/visa combination)
  – 21 (warehouse)
  – 22 (re-warehouse)
  – 23 (temporary importation bond)
  – 31 (warehouse withdrawal – consumption)
  – 32 (warehouse withdrawal – quota)
  – 34 (warehouse withdrawal – AD/CV duty)
  – 38 (warehouse withdrawal – AD/CV duty and quota/visa combination)
  – 51 (Defense Contract Administration Service Region)
  – 52 (government – dutiable)
 
CBP is also modifying this test as follows.
 
Merchandise Subject to Quota. When filing a PSC for an entry of merchandise subject to quota, the date and time of submission will be considered the date and time of presentation of the merchandise to CBP. If a PSC is filed on an entry with merchandise subject to quota and the quota is full or nearly full at threshold, the PSC filer must (1) follow the entry summary business rules and process document on the CBP website and (2) within 24 hours of making the correction contact CBP Headquarters Quota Branch regardless of whether the correction concerns merchandise subject to quota.
 
PSC Showing Increase in Liability. If a PSC is filed that increases the importer’s liability for duties, fees, or taxes the importer must deposit those additional duties, fees, and taxes within three business days of submitting the PSC and no additional PSCs can be filed until this is done.
 
AD/CV Duties. A PSC may now declare that a previously filed entry stating that merchandise covered by that entry was subject to AD and/or CV duties is not, in fact, subject to such duties. For instance, a PSC may declare that a previously filed 03 entry type is corrected to indicate it is a 01 entry type.
 
In addition, importers may deposit new or additional AD and/or CV duties within three business days of submitting the PSC, although no additional PSCs can be filed until this is done. Previously CBP would reject PSCs declaring that an entry was corrected to indicate it was subject to new or additional AD and/or CV duties if those duties were not deposited at the time the PSC was submitted.
 
FTA Claims. In June 2011 CBP announced that one of the data elements that may not be modified via a PSC is the NAFTA indicator. CBP is now clarifying that this prohibition applies not only to post-importation NAFTA claims under 19 USC 1520(d) but also to claims made under other free trade agreements covered by 19 USC 1520(d).
 
Time Limits. In November 2013 CBP published a notice stating that a PSC cannot be filed when any merchandise covered by the original entry has been conditionally released and its right to admission has not been determined. However, CBP states that this restriction was overly broad and prevented importers from filing PSCs because all goods are conditionally released and their admissibility is not legally determined until liquidation. CBP is now announcing that this restriction does not prevent the filing of a PSC within the time periods allowed as long as all other requirements and limitations are met.
 
Periodic Monthly Statements. The PMS test allows importers to deposit estimated duties, fees, and taxes on a monthly basis. CBP is now announcing that when the importer uses the automated clearing house debit process a PMS will be considered paid when CBP receives confirmation from the Treasury Department that funds are available and transferred to CBP from the financial institution designated by the importer for payment of the ACH debit authorization (rather than when CBP transmits the debit authorization to the designated financial institution). This change will result in a delay of approximately two working days in the time that CBP uses to consider a PMS as paid.
 
CBP notes that this modification applies only to importers who participate in the test program and that for all other importers the current regulation (19 CFR 24.25(c)(4)) still applies, meaning that CBP will consider a statement as paid upon acceptance of the ACH debit authorization.

* * * * * * * * * * * * * * * * * * * *

10. ST&R Trade Report: “No Change to Quarterly IRS Interest Rates Relating to Customs Duties”
 
U.S. Customs and Border Protection has updated its list of the quarterly Internal Revenue Service interest rates used to calculate interest on overdue accounts (underpayments) and refunds (overpayments) of customs duties. For the quarter Oct. 1 through Dec. 31, 2016, the interest rates for overpayments are three percent for corporations and four percent for non-corporations, and the interest rate for underpayments is four percent. These rates are unchanged from the previous quarter.
* * * * * * * * * * * * * * * * * * * *

COMMENTARY

11. G. Novalis: “Export Compliance in 11 Words (Part 7): Secure!”

 
* Author: Gregory Novalis, Export Compliance Solutions LLC,
 
Wherever your business interfaces with the global marketplace, your workforce should be trained to recognize export-controlled technologies and technical data, and equipped with the know-how and tools to comply with ITAR, EAR, and DoD requirements, as well as industry best practices, for safeguarding sensitive information and combatting cyber threats.
 
Responsible information-handling practices have always been critical to export compliance. In the past few years, however, troubling reports of frequent and successful cyberattacks on U.S. Government agencies and alarming headlines about technical trade secrets stolen from private firms by hackers have moved information security to the top of the priority list for every organization – small, medium-sized, or large.
 
Under the terms of the ITAR and EAR, manufacturers and exporters are legally responsible to protect certain technical data related to defense articles on the USML (ITAR §120.10), as well as key technologies required for the production, development, or use of items on the CCL (EAR §772.1), against access by unauthorized persons. The disclosure or release of such information without a license, inside and outside company facilities, on the ground and in the cloud, within the U.S. and overseas, constitutes an illegal “export.”
 
That’s why, if any of your products is export-controlled, you had better make certain that your employees are clearly aware of the fact, that they clearly understand everything it implies, and that this matters to them.
 
They need to know that they’re responsible for safeguarding technical data of any kind related to the product – engineering drawings and specifications, schematics, blueprints, design analyses, photographs, formulas, performance test results, pilot production schemes, manufacturing procedures, assembly flowcharts, testing and inspection methods, or any other technical information subject to export controls.
 
They need to know that if they share controlled technical data without appropriate authorization, or if they carelessly allow unauthorized access to it, they’ll be violating U.S. export laws, with potentially serious consequences for the company and for themselves.
 
You Need to Educate – and Motivate – Your People About IT Security
 
In today’s business world, technical information is increasingly – in many cases, almost exclusively – digital information, consisting of text, images, numerical data, and formulas stored and distributed electronically via computer networks. That means “information security” and “cybersecurity” are increasingly synonymous, which is why most organizations have made some sort of cybersecurity training for their employees mandatory. While that’s certainly wise, it shouldn’t be grounds for complacency, because “mandatory” and “some sort” are plainly not synonyms for “adequate” and “effective.”
 
In addition to providing and requiring cybersecurity awareness training for all employees, truly wise managers and administrators conduct regular internal assessments of security awareness to gauge how well their employees understand the nature and seriousness of the security risks and how well prepared they are to respond to cyber threats.
 
You can test your employees’ understanding of cybersecurity with a survey or questionnaire. Better yet – from the standpoint of accuracy, objectivity, and credibility – get help from qualified professionals in this critical area, and ask them to evaluate the effectiveness of your current cybersecurity awareness training as part of a comprehensive cybersecurity compliance risk assessment of your entire company.
 
Here are some very basic questions about cybersecurity that all your employees should be able to answer:
  – Who in my company is responsible for cybersecurity?
  – What are the policies and rules that govern my use of the company’s computer system and my access to electronically stored company information? Where can I read them? How can I stay current on changes to those policies and rules?
  – If I suspect I have a cybersecurity issue (e.g., malware, spyware, a compromised password, a sensitive document sent to the wrong person, identity theft, evidence of a co-worker’s carelessness or failure to follow policies and procedures), to whom can I report it? If that person is temporarily unavailable, who is their backup? What should I do immediately to reduce potential damage?
  – Does the company have a policy on bringing personal devices to the workplace and connecting to the company’s system through them? What about accessing the company’s system remotely from home, while traveling, or through an unsecured public network (e.g., coffee shop, library, hotel, university campus)?
  – In what ways could my actions (e.g., opening a malicious e-mail attachment, clicking on a link to a compromised website, installing an application that contains a Trojan) endanger the security of the company’s system and sensitive information? What are some things I can do to avoid these dangers?
 
Those are the easy questions – or rather, they should be. If your employees can’t answer them easily, then give that “mandatory employee awareness training” the failing grade it deserves, roll up your sleeves, and get to work on improving your company’s cybersecurity. Don’t hesitate to get outside help – qualified, professional help – if you need it.
 
According to a survey of hundreds of U.S. companies, conducted in 2015 by CompTIA, “human error” accounts for 52 percent of security breaches. Turns out it’s a greater cyber threat than malware, hackers, or disgruntled employees – although most managers are surprised when they hear this, and have a hard time believing it.
 
That recalls another category of “human error” – one that wasn’t included in CompTIA’s survey, though perhaps it should have been. It’s an extremely hazardous condition that our cybersecurity compliance risk assessment team has discovered at more than one facility they visited. If you’re a regular reader of this blog, I’m confident that this cyber hazard is not present at your company, so I offer the following on-site finding, straight from the company officer’s mouth, without further comment:
 
“I’m not sure our company even has a cybersecurity policy or plan or procedures yet. Do we really need anything like that? We’re not some giant corporation, you know. How would we go about creating such a policy? After all, none of us are techies!”
 
You Need to Prioritize Cybersecurity Compliance in 2017
 
Two recent technological trends have made the job of safeguarding export-restricted information more challenging than ever before:
  – The expansion of “cloud” services from simple file storage and archiving to business software applications of all kinds, infrastructure, and platforms.
  – The proliferation of new mobile IT devices.
 
These advances in technology make it possible for people to access the data and resources of your organization at any time from anywhere on earth. In other words, not only is your business no longer tied to a single location, it’s not even limited to a finite number of locations. Your firm is Open for Business everywhere.
 
By allowing unprecedented levels of connectivity between marketing and R&D staff, contractors and subcontractors, manufacturers and suppliers, domestic and foreign offices, salespeople and customers around the globe, Cloud Computing and Mobile Technology promise to help businesses accelerate innovation cycles and reduce time-to-market. At the same time, the adoption of these technologies has created new vulnerabilities and risk areas, exposed enterprises to new legal liabilities, and raised a host of new security concerns, some of which are only beginning to emerge.
 
Meanwhile, in response to the overwhelming global cyber threat environment, the U.S. Government has been issuing more and more cybersecurity laws and regulations. The DoD, GSA, OMB, NASA, NARA, DHS, and the White House have published, amended, modified, and clarified so many rules, Executive Orders, definitions, standards, and guidelines recently – all of them aimed at requiring Federal contractors and subcontractors to establish more stringent controls and practices for the protection of government data – that “regulatory compliance” became the cybersecurity buzz phrase of the year during 2016, and the topic seems unlikely to leave the limelight in 2017.
 
The latest driver of regulatory compliance is the need for businesses to implement a somewhat bewildering array of new cybersecurity requirements that apply to most Federal contractors and consultants across a wide range of industries, including both defense and non-defense contractors. The recent surge in regulatory activity has included –
  – A new FAR final rule on “Basic Safeguarding of Contractor Information Systems”.
  – A new BIS final rule, effective September 1, 2016, allowing U.S. companies to use cloud technology and other means of electronic transmission to store and transfer EAR-controlled unclassified “dual use” technology and software without the burden of export control requirements if certain encryption requirements are met.
  – A veritable glossary of new information security terms and definitions, including Federal Contract Information (FCI), Controlled Unclassified Information (CUI), covered contractor information system, Covered Defense Information (CDI), and operationally critical support, and an array of new safeguarding requirements associated with them.  
  – New mandatory contract clauses covering cybersecurity, with flowdown to subcontractors and certain other parties (FAR 52.204-21 and DFARS 252.204-7008 – 7012).
  – A new DoD final rule, effective October 21, 2016, regarding network penetration reporting (“cyber incidents”) and contracting for cloud services (DFARS Case 2013-D018).
 
The above are just a few of the latest regulatory changes in this area. Others appear to be on the way as we head into the new year.
 
Putting all these rules and definitions together and figuring out which of them applies to your company and its products is a daunting task. Complying with the new regulations – minimizing your risks and liabilities – is an even greater challenge.
 
Businesses need to be asking and finding answers to some important questions, such as:
  – How will our firm comply with the new requirements, such as “adequate security” for CDI/CUI per NIST SP 800-171, and “incident reporting” within 72 hours of discovery through the DoD’s DIBNet portal (including compliance with all the rules for investigating, preserving, and submitting information about the data breach)?
  – Do we try to handle cybersecurity regulatory compliance ourselves, do we seek the services of an outside IT contractor, or do we need some combination of both approaches?
  – Since these new cybersecurity standards appear to be mind-bogglingly difficult to navigate and not entirely coherent, and since a failure to comply with them could have dramatic adverse consequences for our company, should we be looking at a specialized cyber insurance policy to supplement our general and professional liability policies?
 
The ultimate deadline for full contractor compliance with most of the new cybersecurity requirements for CDI/CUI is December 31, 2017, and that date is not likely to change. But the new cybersecurity regulations are already impacting businesses and contracts, especially those in the defense sector.
 
While DFARS clause 252.204-7012 allows you to notify the DoD (within 30 days) of any cybersecurity requirements that your company has not yet implemented at the time of contract award, the DoD still expects you to be moving toward full compliance as rapidly as possible, and to have a remediation plan in place to achieve it by December 31, 2017.
 
So, if you haven’t already done the following at your company, you need to do them now:
  – Conduct a risk assessment for cybersecurity regulatory compliance.
  – Develop a cybersecurity action plan, based on the assessment findings.
  – Implement a cybersecurity framework that is appropriate for your organization.
 
Note: For those who don’t keep up with the latest business jargon, a “framework” includes stuff like organizational infrastructure and job responsibilities; awareness and education programs; organizational culture; and governance (security policies; work processes and procedures; monitoring effectiveness; technical controls; risk assessments and audits; breach response and risk mitigation plans). “Implementing” a framework implies investing company resources in making it happen.
 
Whether your company is small, mid-sized, or large, if you do business with the Federal government, or with any other companies that do business with the Federal government – have I left anyone out here? – you should prioritize both regulatory compliance and cybersecurity during 2017.
 
Regulatory compliance is obligatory, of course, because . . . well, it’s the law, folks! But cyber-compliance is not the same as cyber-security, and security is what you really want.
 
If your goal is simply to avoid fines and penalties, then as long as you’re sure you meet the minimal requirements of compliance, don’t worry.
 
But if you’re reading this because your goal is to see your company survive and thrive in today’s digitally interconnected business world, and you’re aware of the current security threat landscape, you shouldn’t breathe easy if you’re told that your company is 100% compliant. Breathe easy when you’re confident that your company has good cybersecurity. 

* * * * * * * * * * * * * * * * * * * *

12. J.W. Cottle, P. Rappo, E.J. Krauland: “UK Government Seek Consultations on New Civil Penalties For Violations of Economic Sanctions”

 
* Authors: Jeffrey W. Cottle, Esq., jcottle@steptoe.com, +44 20-7367-8002; Patrick Rappo, Esq., prappo@steptoe.com, +44 20-7367-8089; and Edward J. Krauland, Esq., ekrauland@steptoe.com, 202-429-8083. All of Steptoe & Johnson LLP
 
The UK’s HM Treasury is holding a consultation, open for comment through January 26, 2017, on the process for imposition of civil penalties for breach of financial sanctions. This is a major change from current UK law, which has produced few enforcement actions, as the law currently allows only for criminal enforcement of sanctions breaches or regulatory oversight for those operating in the financial services sector for failing to have adequate systems and controls in place to comply with financial sanctions.
 
The new civil sanctions regime would be applied under the Policing and Crime Bill, which is expected to be enacted by Parliament early next year as the Policing and Crime Act 2017. Part 8 of the proposed Act sets out the new financial sanctions provisions, including civil monetary penalties of up to the greater of £1 million or 50% of the estimated value of funds or economic resources involved in a sanctions breach. Such civil penalties would be applicable both to businesses and other organizations, and to individuals (in the case of company officials, where it is shown by the “balance of probabilities” that an offense involved the connivance, consent or neglect of the official).
 
Part 8 of the proposed Act would also:
  – establish enhanced criminal penalties for sanctions violations;
  – add sanctions offenses to the offenses which may be covered by a deferred prosecution agreement under the Crime and Courts Act 2013 or a serious crime prevention order under the Serious Crime Act 2007; and
  – authorize certain temporary actions to facilitate prompt implementation of new UN and EU sanctions.
 
The consultation relates only to monetary penalties under the Act (and not to the other issues set out in the previous paragraph). Monetary penalties would be administered by the UK Office of Financial Sanctions Enforcement (OFSI), a new office of HM Treasury established on March 31, 2016 to facilitate UK compliance with financial sanctions. At present, OFSI has no sanctions enforcement role (criminal penalties are within the jurisdiction of the UK Serious Fraud Office, the Crown Prosecution Service and the Attorney General), but the Act would give it primary responsibility for civil sanctions enforcement. Topics covered by the consultation include:
  – which “serious” and “most serious” sanctions breaches will trigger enforcement action;
  – aggravating and mitigating factors (including voluntary disclosure) – analogous to a briefer version of the enforcement guidance issued by the US Office of Foreign Assets Control (OFAC Enforcement Guidance);
  – setting penalty levels – including a “penalty matrix” quite similar to the one in the OFAC Enforcement Guidance;
  – initiation of penalty proceedings, and process for participation in proceedings by target(s);
  – review of penalty determinations (by a HM Treasury minister) and appeal (to the Upper Tribunal, which handles certain other types of administrative appeals); and
  – publication of penalty determinations “to deter future non-compliance, and promote[] increased awareness of good practice”.
 
More generally, civil enforcement of sanctions is rare in the EU, and some have suggested that UK adoption of civil sanctions could be influential in other EU member states. However, the ongoing Brexit process of UK withdrawal from the EU may affect the persuasiveness of UK action, as well as UK implementation of the Act. The main sources of UK sanctions are UN and EU sanctions decisions and legislation, and the Act and the consultation are drafted on the assumption of UK membership in the EU. Various changes to UK sanctions legislation and processes will be required if and when Brexit takes place.
 
Companies interested in responding to the consultation may do so via the process in Part 3 of the consultation.  . . .  

* * * * * * * * * * * * * * * * * * * *

EX/IM TRAINING EVENTS & CONFERENCES

13. ACE Export Reports Webinar – 15 Dec
(Source: U.S. Census Bureau)
 
*  What:  This free webinar will discuss the following topics:
  – Overview of ACE Export Reports
  – Running Standard Reports
  – Customizing Data Fields
  – Scheduling Reports  
  – Additional Report Resources
*  When:  Thu, 15 Dec, 2-3 PM
*  Where:  Your computer
*  Speakers:  Nidaal Jubran (Census), Mayumi Brewster (Census), and David Thomas (CBP)
*  Register: There is no cost for this webinar and no registration required.

The webinar can be accessed here.

* * * * * * * * * * * * * * * * * * * *

EDITOR’S NOTES

* * * * * * * * * * * * * * * * * * * *

15. Are Your Copies of Regulations Up to Date?
(Source: Editor)

The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register.  Changes to applicable regulations are listed below.
 
* ATF ARMS IMPORT REGULATIONS: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War
  – Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm 
 
* CUSTOMS REGULATIONS: 19 CFR, Ch. 1, Pts. 0-199
  – Last Amendment: 12 Dec 2016: 81 FR 890375-89381: Electronic Notice of Liquidation 

* DOD NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM): DoD 5220.22-M
  – Last Amendment: 18 May 2016: Change 2: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and canceled Supp. 1 to the NISPOM  (Summary here.)

* EXPORT ADMINISTRATION REGULATIONS (EAR): 15 CFR Subtit. B, Ch. VII, Pts. 730-774 
  – Last Amendment: 5 Dec 2016: 81 FR 87426-87427: Amendment to the Export Administration Regulations: Removal of Semiconductor Manufacturing International Corporation From the List of Validated End-Users in the People’s Republic of China (effective 5 Dec 2016); and 81 FR 87424-87426: Amendment to the Export Administration Regulations: Removal of Special Iraq Reconstruction License (effective 4 Jan 2017) 

  
* FOREIGN ASSETS CONTROL REGULATIONS (OFAC FACR): 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders
  – Last Amendment: 4 Nov 2016: 81 FR 76861-76863: Amendments to OFAC Regulations To Remove the Former Liberian Regime of Charles Taylor Sanctions Regulations and References to Fax-on-Demand Service 
 
* FOREIGN TRADE REGULATIONS (FTR): 15 CFR Part 30
  – Last Amendment: 15 May 2015; 80 FR 27853-27854: Foreign Trade Regulations (FTR): Reinstatement of Exemptions Related to Temporary Exports, Carnets, and Shipments Under a Temporary Import Bond 
  – HTS codes that are not valid for AES are available here.
  – The latest edition (9 Mar 2016) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, and Census/AES guidance.  Subscribers receive revised copies every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR.
 
* HARMONIZED TARIFF SCHEDULE OF THE UNITED STATES (HTS, HTSA or HTSUSA), 1 Jul 2016: 19 USC 1202 Annex.  (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)
  – Last Amendment: 30 Aug 2016; Harmonized System Update (HSU) 1612, containing 4,692 ABI records and 935 harmonized tariff records.  
  – HTS codes for AES are available here.
  – HTS codes that are not valid for AES are available here.
 
* INTERNATIONAL TRAFFIC IN ARMS REGULATIONS (ITAR): 22 C.F.R. Ch. I, Subch. M, Pts. 120-130.
  – Latest Amendment: 5 Dec 2016 (effective 5 Dec 2016): 81 FR 87427-87430: Corrections & Additions to ITAR Parts 120, 121, 122, 124, 126 and 127
  – The only available fully updated copy (latest edition 9 Dec 2016) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III.  The BITAR contains all ITAR amendments to date, footnotes to amendments that will take effect on 31 December 2016, plus a large Index, over 750 footnotes containing case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text.  Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment.  The BITAR is available by annual subscription from the Full Circle Compliance website.  BAFTR subscribers receive a 25% discount on subscriptions to the BITAR; please contact us to receive your discount code.

* * * * * * * * * * * * * * * * * * * *

EDITORIAL POLICY

* The Ex/Im Daily Update is a publication of FCC Advisory B.V., edited by James E. Bartlett III and Alexander Bosch, and emailed every business day to approximately 8,000 readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOJ/ATF, DoD/DSS, DoD/DTSA, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission. Any further use of contributors’ material, however, must comply with applicable copyright laws.

* CAVEAT: The contents of this newsletter cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website.

* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.
