17-0831 Thursday “Daily Bugle”

17-0831 Thursday “Daily Bugle”

Thursday, 31 August 2017

The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, Customs, NISPOM, EAR, FACR/OFAC, FTR/AES, HTSUS, and ITAR), plus news and events.  Subscribe 
here for free subscription.  Contact us
for advertising inquiries and rates.

[No items of interest noted today.] 

  1. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
  2. Commerce/BIS: (No new postings.)
  3. DHS/CBP Releases Guidance for Exporters Amidst Hurricane Harvey
  4. DHS/CBP Updates Guidance to Trade on Cargo Processing during Hurricane Harvey
  5. State/DDTC: (No new postings.)
  6. EU Amends Restrictive Measures Against North Korea
  1. AINonline: “Under Trump Administration, U.S. Reviews Drone Export Policy”
  2. CNBC: “US Sanctions Are Very Bad News – Unless You’re North Korea”
  3. Sputnik News: “Berlin Monitors Use of Arms Exported from Germany”
  4. ST&R Trade Report: “Trade Enforcement Coordination Center Established in Norfolk”
  5. WorldECR News Alert, 31 Aug
  1. M. Volkov: “Challenges in Transitioning from the Law to Compliance”
  2. R. Edens, R. Enriquez & B. Birdwell: “The Perfect Storm- Controlled Unclassified Information and Governance, Risk, and Compliance in the Defense Industrial Base”
  3. T. McVey: “ITAR For Government Contractors” (Part 1 of 4)
  4. Gary Stanley’s ECR Tip of the Day
  5. R.C. Burns: “OFAC’s FAQs on Venezuela Sanctions Omit the Most Frequently Asked Question”
  1. Ed Peartree Moves from DDTC to BAE
  2. Sue Gainor Appointed as VP at Boeing
  1. ECTI Presents United States Export Control (ITAR/EAR/OFAC) Seminar Series on 30 Oct – 2 Nov in Phoenix AZ
  1. Bartlett’s Unfamiliar Quotations 
  2. Are Your Copies of Regulations Up to Date? Latest Changes: ATF (15 Jan 2016), Customs (28 Jul 2017), DOD/NISPOM (18 May 2016), EAR (15 Aug 2017), FACR/OFAC (16 Jun 2017), FTR (19 Apr 2017), HTSUS (25 Jul 2017), ITAR (30 Aug 2017) 
  3. Weekly Highlights of the Daily Bugle Top Stories 


[No items of interest noted today.] 

* * * * * * * * * * * * * * * * * * * *


OGS_a11. Ex/Im Items Scheduled for Publication in Future Federal Register Editions
Federal Register

* Treasury; Foreign Assets Control Office; NOTICES [Publication Date: 1 September 2017.]:
  – Blocking or Unblocking of Persons and Properties
  – Sanctions Actions

* * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * 


CSMS# 17-000528, 30 Aug 2017.)
Commercial trade operations at the Ports of 2101 (Port Arthur), 5301 (Houston Seaport), 5309 (Houston Airport), 5310 (Galveston), and 5311 (Freeport, TX) are temporarily suspended for the following dates Wednesday, August 30, 2017 through Friday, September 1, 2017, due to Tropical Storm Harvey.
Exporters that are able to divert their export cargo are encouraged to do so. The exporters or their filing agents should make every effort to correct and update the Electronic Export Information (EEI) filings within the Automated Export System to reflect the new port of export, the date of export and the carrier information.
CBP suggests that prior to amending the EEI: exporters, freight forwarders, or the authorized agents; if capable, make efforts to determine if the cargo was damaged. Exporters will need to make business decisions to either update or cancel the EEI.
If adjustments in the quantities or values of cargo being exported under an export license or license exemption/exception, the exporter or their authorized agent should first attempt to amend the EEI filing to reflect the corrected information for the shipment. If the amendment is not successful, please contact Outbound Enforcement at OFO-Export-Cargo@cbp.dhs.gov and provide the following information: the ITN the license number, the corrected quantities and value for each controlled commodities (including the International Traffic in Arms Regulations (ITAR) data elements).

* * * * * * * * * * * * * * * * * * * * 

OGS_a44. DHS/CBP Updates Guidance to Trade on Cargo Processing during Hurricane Harvey

(Source: CSMS #17-000530, 31 Aug 2017.)
“For cargo being diverted from the Port of Houston to another CBP port, CBP will accept a copy of the CBP Form 3171 that was presented to Houston, due to the fact that trading partners with offices in Houston may be unable to create a new 3171. Pen and ink changes to the copy reflecting the new Port, (block 2), Arriving From (block 6), Date/Time of Arrival (block 7) and Locations (block 8), and as applicable, will be sufficient.”

* * * * * * * * * * * * * * * * * * * * 

OGS_a55. State/DDTC: (No new postings.)

(Source: State/DDTC)

* * * * * * * * * * * * * * * * * * * * 

OGS_a66. EU Amends Restrictive Measures Against North Korea

  – Council Regulation (EU) 2017/1509 of 30 August 2017 concerning restrictive measures against the Democratic People’s Republic of Korea and repealing Regulation (EC) No 329/2007.
  – Council Decision (CFSP) 2017/1512 of 30 August 2017 amending Decision (CFSP) 2016/849 concerning restrictive measures against the Democratic People’s Republic of Korea.

* * * * * * * * * * * * * * * * * * * * 


AINonline, 31 Aug 2017.) [Excerpts.]
The Trump administration is reviewing U.S. export control policy with an eye toward relaxing restrictions that block sales to some countries of unmanned aerial vehicles. Industry is encouraging the review, with one major manufacturer saying it has mounted “a very strong campaign” to educate lawmakers on the consequences of limiting such exports.
The policy reassessment is taking two tracks. Under the eight-month-old Trump administration, federal agencies have been more receptive to clearing UAV exports under existing policy, as evidenced in June when the State Department approved the sale of 22 General Atomics MQ-9B Sea Guardians to India. The U.S. announced a new export policy in February 2015 that provided for the sale of military and commercial UAVs to other than close allies on a case-by-case basis, but it required that recipient nations agree to “end use assurances” as a condition of sale.
Longer term, the U.S. seeks to change how UAVs are categorized by the Missile Technology Control Regime (MTCR), an assemblage of 35 nations that have agreed to limit the proliferation of missiles and missile technology. Changes to the multilateral agreement then would flow to broader export policy. …
* * * * * * * * * * * * * * * * * * * *

CNBC, 30 August 2017.)
Businesses around the world are bracing themselves for the fallout from tough U.S. sanctions against North Korea, as their impact moves through global supply chains.  
Those effects were still being processed as the reclusive nation fired a ballistic missile over Japan early on Tuesday in what is seen as one of its most provocative actions ever.
President Donald Trump and Japan Prime Minister Shinzo Abe spoke after the launch when they agreed to increase pressure on the isolated regime, according to reports.  
On Wednesday, the
United Nations Security Council condemned
North Korea’s firing as an “outrageous” act and called on all states to implement UN sanctions on Pyongyang.  
Already, Trump’s administration had taken out new so-called
“secondary sanctions” against third-country entities
deemed to be aiding Pyongyang
prompting some protests.
Beyond its North Korea concerns, the White House has also recently rolled out sanctions against various countries including Russia and Venezuela.  
And while Kim Jong Un’s regime may not be showing signs of slowing down, recently announced U.S. penalties are already eliciting strong reactions from other countries.
As the world’s largest economy, the U.S. has significant clout in the global supply chain that will hit many companies’ logistics, said Alex Capri, a visiting senior fellow at the National University of Singapore’s business school.
That’s likely to create a domino effect down the supply chain in terms of tracing the movement of goods, which will be hard and costly to enforce, with consequences to business operations. The U.S. sanctions are causing “great distress,” according to the international trade scholar.
Capri has over two decades of experience in various trade roles including leading the Asia trade and customs practice at accounting giant KPMG.  
Now, those who come into contact with “strategic goods,” as defined by U.S. authorities, will need special licenses.
While such goods are generally understood to be weapons, nuclear and biological materials, that designation can affect a much wider range of products, which is what makes sanctions “so painful,” said Capri.
Broadly, sanctions also cover the trade of “dual use” goods, which refer to products and technologies that can be used by both civilians and the military. They include over 1,000 classes of goods from brake pads to SIM cards, Capri said.  
“Once sanctions are in place, dual use goods might require special export licenses or be banned entirely,” he added.  
That will impact the entire supply chain from seller to end user.
For instance, Capri said, the latest round of U.S. sanctions against Russia may require five of the largest companies in Western Europe to halt their business activities on a gas pipeline. That project, connecting Russia to Europe, has seen the firms partner with Russian gas giant Gazprom, which will be hit by the U.S. sanctions.
Rainer Seele, CEO of OMV, a Vienna-based oil company that deals with Gazprom said greater clarity is needed from the U.S. There’s market uncertainty, he said, over the fallout of the new sanctions, which creates a supply-demand mismatch.
But analysts say these “secondary sanctions” have been imposed precisely because some United Nations members were not stringently enforcing overarching sanctions.  
“We are often reliant on the governments in these countries to police their own sanctions enforcement because the UN doesn’t have police on its own that it can send around the world. A lot of it is in good faith, and as we often see in the case of mainland China as the conduit for North Korea’s trade for the rest of the world, a lot of the enforcement doesn’t happen unfortunately,” said Sean King, senior vice president at consultancy Park Strategies.
The approach of new U.S. sanctions in the case of North Korea is to strengthen the effectiveness of direct economic penalties that have already been put in place on the reclusive regime, said IHS Markit’s Asia Pacific Chief Economist Rajiv Biswas.  
The new sanctions also take aim at firms that export North Korean workers overseas – a major source of foreign exchange earnings for the isolated regime, added Biswas.
Some countries have come out to say unilateral secondary sanctions from the U.S. are illegal, but that’s a matter of debate, experts said.
In July, France’s foreign ministry said new U.S. penalties against Iran, Russia appeared at odds with international law due to their extra-territorial reach, Reuters reported.  
Those sanctions limited the type of business
that energy companies can do with Russia and European companies fear they could lead to unintended consequences.
In fact, the French foreign ministry said that that its domestic and European laws would need to be adjusted due to the sanctions. Germany also signaled the U.S. sanctions against Russia were “a violation of international law.”
The issue is a contentious one, NUS’ Capri told CNBC.  
“Any country, technically, can impose sanctions against another state as a form of ‘coercive diplomacy,’ however, there is a considerable body of scholarly work that argues convincingly that this is a violation of international law,” he said.
“Only the U.S. and a handful of other states can effectively resort to this sort of realpolitik without real consequences,” Capri added.
Asia’s second-largest economy, Japan, also recently imposed secondary sanctions on North Korea. Chief Cabinet Secretary Yoshihide Suga told reporters that Japan would freeze the assets of entities and individuals linked to North Korea, including four Chinese entities, one Chinese individual and two Namibian entities.
As it did with the new sanctions from the U.S., Beijing reacted negatively to Japan’s announcement.  
“The Japanese side, in disregard of China’s stern stance, goes so far as to follow some countries to impose unilateral sanctions on the Chinese enterprises and individuals. We are strongly dissatisfied with and firmly opposed to this,”
Chinese Foreign Ministry spokeswoman Hua Chunying said
at a Friday news conference.
She added on Tuesday after North Korea’s latest missile test that “the past has proven that pressure and sanction only will not fundamentally settle the issue.”
  “We believe that only by addressing the legitimate security concerns of all parties in a balanced way can the intricate and complicated Peninsula issue be peacefully resolved and the vicious cycle of more sanctions followed by more missile tests be fundamentally cut off,” she said.
* * * * * * * * * * * * * * * * * * * *

Sputnik News, 30 Aug 2017.)
Berlin is monitoring the use of weapons that were exported from Germany in order to make sure they are used by final users mentioned in contracts, Andreas Obersteller, the head of the Federal Office of Economics and Export Control (BAFA), said on Wednesday.
  “We prove whether the delivered arms are still possessed by the named final user,” Obersteller said, as quoted by the Rheinische Post media outlet.
A firearms retailer examines a Smith & Wesson 9mm pistol at the Shooting, Hunting and Outdoor Trade show, Jan. 18, 2011, in Las Vegas
He said that the first monitoring mission revealed whether 30 high-precision rifles delivered to India were really used by the country’s military.
  “All of them were at the mentioned place,” Obersteller said.
The current controls are the result of new regulations devised by former German Economy Minister Sigmar Gabriel, who is now the country’s foreign minister.
* * * * * * * * * * * * * * * * * * * *

Officials with U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement’s Homeland Security Investigations recently signed a memorandum of agreement to establish their 12th trade enforcement coordination center at the port of Norfolk-Newport News in Virginia.
According to an ICE press release, this center will focus on identifying intellectual property rights violations, public health and safety threats, and compliance with import and export laws. It will work with a variety of federal agencies, including the Food and Drug Administration, the Consumer Product Safety Commission, the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Environmental Protection Agency, and the Department of Transportation, to enforce these laws and prevent the introduction of illegally and fraudulently shipped goods into U.S. commerce.
The new agreement provides for increased communication and information sharing between CBP and ICE/HSI about imports and commercial fraud investigations. It will also help establish better processes for combating trade fraud and create a united form for pursuing prosecutions.
* * * * * * * * * * * * * * * * * * * *

  (1) EU consolidates North Korea measures in new regulation
  (2) Germany to monitor arms export end use
  (3) Israel suspends drone export after alleged live fire demo
  (4) Temporary rule clarifies scope of US military electronics controls
  (5) Australia Syria sanctions
[Editor’s Note: Visit http://worldecr.com/ to subscribe to WorldECR, the journal of export controls and sanctions.]
* * * * * * * * * * * * * * * * * * * *



M. Volkov: “Challenges in Transitioning from the Law to Compliance”

Volkov Law Group Blog. Reprinted by permission.)
* Author: Michael Volkov, Esq., Volkov Law Group, mvolkov@volkovlaw.com, 240-505-1992.
The legal profession is undergoing significant changes. With an over-supply of attorneys and lower profits, lawyers are looking for new angles to distinguish themselves in the marketplace.
In contrast, the compliance profession has grown in importance and opportunities. Unlike attorneys, companies are hiring compliance officers and salaries are increasing. As the demand for lawyers declines, more legal professionals are transitioning into the compliance field. In most cases, this trend makes sense.
Lawyers can make excellent compliance officers. However, a compliance officer does not have to be a lawyer. In the end, a compliance officer has to be intelligent, hard-working, and most importantly, has to possess integrity and strong interpersonal skills.
Lawyers who transition to compliance have to adopt a new frame of reference. A lawyer has to define legal risks for the company’s activities. Legal decision-making is a lot different from business ethics, and lawyers have to understand the difference. There is a fine distinction between making business decisions based on legal principles or ethical principles. A company may decide not to move forward with a decision that is legal but violates its ethical principles.
Compliance is a function that is premised on proactive strategies to promote the company’s culture, its code of conduct, and overall compliance with the law and the company’s code of conduct. An effective compliance officer balances inspiration, education, business acumen and enforcement and discipline. A lawyer’s portfolio is not as broad, and does not include as many proactive functions, such as monitoring and auditing employee conduct.
Lawyers should be familiar with the compliance function because they share a close working relationship. Sometimes CLOs do not have a positive relationship with CCOs; it is a sure sign of a poor culture when CLOs and CCOs do not work together effectively.
Legal skills can come in handy for a lawyer in transition to a compliance position. A compliance officer who is a lawyer can apply his/her training to a variety of issues that arise. While these skills can be helpful, a compliance officer has to devote more attention to core compliance functions.
Lawyers who become compliance officers have to recognize that the company’s culture is its most important asset. A new compliance officer has to learn how to monitor and promote the company’s culture. This requires the compliance officer to adopt creative strategies to survey, measure and monitor the company’s culture. Legal skills are not intrinsically part of this function.
To be effective, lawyers and compliance officers share an important trait: they should be problem solvers. Lawyers and compliance officers have to be viewed by the business as effective problem solvers, and not viewed as a “Dr. No,” someone who routinely tells the business they cannot proceed with a proposed course of action. Lawyers and compliance officers depend on their relationships with business clients, and a compliance officer cannot succeed without the trust of business colleagues.
Lawyers and compliance officers will continue to cross-pollinate. There is a natural synergy between the functions. Lawyers and compliance officers have to understand each other’s roles and functions. As more lawyers move into the compliance function, the professions will continue to learn from each other and work effectively together.

* * * * * * * * * * * * * * * * * * * * 

13. R. Edens, R. Enriquez & B. Birdwell: “The Perfect Storm — Controlled Unclassified Information and Governance, Risk, and Compliance in the Defense Industrial Base”
(Source: Huffington Post)
* Authors: Regan Edens, Chief Operations Officer, Global Eyes, reganedens@getglobaleyes.com, 443-910-3159; Roberto Enriquez, Senior Manager, roberto@getglobaleyes.com; and Bo Birdwell, President, Cyber Forward, contact here.
A storm is brewing for the Defense Industrial Base impacting tens of thousands of companies and research institutions. For the Defense Industry, December 31, 2017 is a critical deadline. Controlled Unclassified Information (CUI) is the compliance risk management topic every Defense Industry and research institutions’ Board of Directors, CEO, CIO, General Counsel, and COO should be discussing. Cyber security vulnerabilities and regulatory compliance requirements are two very challenging areas for most organizations. “Controlled Unclassified Information” (CUI) includes 115 categories and subcategories of unclassified information, which is required to be protected by existing Federal law, statutory regulation, and government-wide policy. Executive Order 13556, Defense Federal Acquisition Regulation (DFAR) 252.204-7012, National Institute of Standards and Technology (NIST) Special Publication 800-171 r1, and CUI program guidance from the Information Security and Oversight Office within the National Archives and Records Administration give very specific new requirements for safeguarding, handling, and marking CUI data. These CUI requirements are mandated to all Federal and Non-Federal organizations if they handle, store, process, create, and transmit CUI data. CUI mandates impact the entire operations and Information Technology (IT) enterprise with the proliferation of data across emails, devices, hard drives, and printed materials. The organizational wide impact of these new CUI and cyber security compliance mandates is complicated, messy, and far bigger than an IT problem, and the DFAR deadline for compliance is looming.
These challenges can fall below urgent day-to-day tasks and other business priorities. Defense Industry and research organizations often struggle with compliance requirements. Export control compliance programs provide a meaningful example of compliance risks that have a broad organizational impact. And yes, export controlled information is a specified category regulated by the new CUI requirements. (Source) Successful compliance programs require cross-functional implementation, robust risk visibility, and effective risk management. Viewing CUI compliance through more than a technology lens is critical to establishing, certifying, and sustaining compliance with the DFAR and NIST 800-171. Using an export control program compliance framework to address CUI requirements will produce better results, in less time, and be more sustainable.
Does DFAR CUI Compliance, sound familiar? It should.
A clear understanding of the downside risk and penalties of non-compliance is absolutely imperative. Failure to comply by the deadline could result in being unqualified to bid on future contracts and perhaps even jeopardize the status of current contracts. Failure to sustain compliance could result in civil and criminal penalties. CEO’s and key leaders need to ask the right questions to lead their organizations towards the successfully meeting the CUI compliance deadline on December 31, 2017.
New CUI mandates require disclosure of incidents involving potential compromise of CUI data within 72 hours of detection.
CEO: What is CUI? What is
The new CUI compliance requirements present significant challenges across a defense industry and supplier implementation. The new CUI data requirements focus on safeguarding “information” and in some companies, the data is likely to be scattered everywhere. The U.S. Government (USG) is consolidating many different types of unclassified data required by existing laws and statutes to protect from disclosure, into a uniform set of standards for protection and safeguarding. CUI data includes 115 categories and sub-categories. (Source) For large defense industry companies many types of CUI data could exist in both printed and electronic format throughout the company. Many are familiar with pre-existing control markings such as “For Official Use Only (FOUO)”, “Sensitive But Unclassified (SBU)”. However, many CUI files and sensitive data are not likely marked at all.
Many companies may actually create many different types of CUI data, including export controlled CUI data. CUI data that is export controlled has specified handling and protection requirements. Export controlled CUI is defined as, “unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.” (Source)
A Defense Industry company who produces, markets, and sells products and services that are export controlled must satisfy all the requirements of the DFAR, Arms Export Control Act (AECA), the ACEA implementing guidelines International Traffic In-Arms Regulations (ITAR) and the Export Administration Regulations (EAR) with regard to safeguarding and handling CUI data and meet the cyber compliance requirements mandated in the NIST SP 800-71. This is a complex and challenging problem set because the shared ownership of CUI information is likely among many business units, operations, research and development (R&D), engineering, manufacturing, sales and marketing, etc. to name a few. CUI data and normal unclassified data are intermingled across an IT backbone blind to any differentiation between normal data and CUI data. Determining what types of CUI data are within the corporate-wide enterprise is critical. An organizational wide CUI risk assessment is needed across all 115 categories and subcategories of CUI data to identify those business processes and projects, which include any of the categories of unclassified data regulated within the new CUI compliance requirements. (Source)
CEO: Who are the CUI Compliance Stakeholders?
The CUI compliance stakeholders include all those areas who receive, process, print, store, create, protect, and share any of the 115 categories and subcategories of CUI data. CUI compliance stakeholders include all those areas and personnel across the business functional areas who contribute to an efficient and effective CUI compliance risk management program.
The relationship among the CUI compliance stakeholders is interdependent, because the stakeholders execute tasks, use systems, and capture information, which are essential to an efficient, and effective CUI compliance program. They contribute to regulatory compliance or fuel CUI compliance risk. The participation of the CUI stakeholders is critical to establishing an effective CUI compliance program and meeting the requirements by the December 31, 2017 deadline.
CEO: How do we baseline our CUI risk?
Key leaders set the groundwork for establishing a CUI compliance risk management framework. The framework guides, coordinates, and unifies the parallel activities CUI stakeholders must complete across the organization in order to meet the December 31, 2017 deadline. The CUI stakeholders leverage the experience of internal and external resources to accelerate the assessment, development, and rollout of essential CUI compliance program components. Program components include a complex mixture of policy, procedures, and technology across a wide variety of functional areas. Consulting support during implementation will also be critical because of the constraints of time and internal resources competing with on-going responsibilities.
The manner an organization frames CUI compliance is essential to accelerating implementation, saving time, and reducing challenges. Although cyber security is essential to CUI compliance, it should not be the focus. CUI Compliance risk is an operations-based, organizational wide challenge. A CUI Compliance Program is a risk management initiative with critical legal ramifications. CUI compliance mandates encompasses the cyber risks to your IT network and the risk of disclosure of sensitive information. Both are high profile vulnerabilities with mandatory reporting requirements. CUI compliance represents an enduring strategic business risk with persistent vulnerabilities, and high regulatory oversight.
The first thing the General Counsel should do is evaluate the new CUI requirements and contrasts the types of information and information systems within the corporate domain. A clear understanding of the downside risk and penalties of non-compliance is absolutely imperative. Non-compliance could result in being unqualified to bid on future contracts or perhaps even jeopardize the status of current contracts. If the evaluation of the new CUI mandates started within your organization’s IT departments, the data management and cyber security requirements focus will not likely address the greatest contributors to CUI compliance risk, day-to-day operations. CUI is principally an information management issue and the compliance mandates require a deliberate integration into on-going business operations, products, and services contract fulfillment activities. Information management, data management, and even cyber security are people-centric challenges, first, and technology challenges, second.
Finding and properly marking data and documents required under the new compliance mandates is going to be challenging in small organizations, let alone complex organizations. CUI data likely exists across your entire network, on hard drives, emails, video, and perhaps printed in paper format. For example, CUI data for export controlled technologies are likely scattered across the business development, marketing, manufacturing, R&D, training, supply chain, logistics, and C-suite to name a few. The challenge is CUI data represents a consolidated new category encompassing many different types of regulated unclassified data. Once the CUI stakeholders work through the complex process of determining what types of CUI data they receive, create, store, and share. The CUI data will be very difficult to find without specialized tools and methods and will need the guidance and support of CUI stakeholders. CUI stakeholders must help determine “what data” is actually CUI data that must meet the safeguarding, dissemination, and marking requirements, and what data is not CUI. During that process the data maybe unrecognizable without specific experience, unlabeled, or perhaps even mislabeled.
A formal CUI risk assessment is an effective vehicle for leaders at all levels understand the risks across the organization. A CUI Risk Assessment is needed to establish the scope of legacy CUI issues potentially existing across the core business functional areas, physical security, as well as products and services functional areas. The CUI Risk Assessment also scopes the potential impact of the CUI mandates on day-to-day operations. The CUI Risk Assessment should identify the scope of search, types of data, and specific data features and signatures of your CUI data, so IT can identify the specialized tools and methods necessary to find legacy CUI data scattered across the IT enterprise. The CUI Risk Assessment should also include a network security assessment and evaluate the specific changes required in your current network security technologies and practices.
Current policies, procedures, and practices need to be evaluated with the CUI requirements across operations and IT areas, from an information management (Operations), data management (IT), physical security (Operations), and cyber security (IT) considerations.
  – An organizational wide compliance program requires an effective training program that not only trains employees on CUI awareness, but also integrates relevant policies, procedures, and practices. A baseline of knowledge about CUI compliance requirements is necessary in order to develop effective solutions and meet the program implementation and sustainment challenges. Training the general employee work force also includes evaluating, certifying, periodically inspecting, and auditing performance. Defense Industry and Research Institutions CUI compliance programs should mirror Federal Agency requirements, except when policy standards specifically identify standards for Non-Federal institutions and (Private) organizations. In a series of policies, the USG requires CUI program training to all agencies personnel, individuals, and private organizations with handling and safeguarding responsibilities. A CUI program should train, evaluate, and certify employees can:
  – Convey individual responsibilities related to protecting CUI
  – Describe the differences between CUI basic and CUI specified.
  – Identify the categories routinely handled by personnel and special handling requirements of Specified CUI.
  – Describe the CUI Registry, its purpose, structure, and website address.
  – Identify offices and organizations with oversight responsibilities of the CUI Compliance Program.
  – Address CUI marking requirements.
  – Address the required physical safeguards and methods of protecting CUI.
  – Address CUI destruction requirements and methods.
  – Address CUI incident reporting procedures.
  – Address the methods for properly sharing or disseminating CUI internally and externally.
  – Address the practices for properly decontrolling CUI.
  – Understand network security risks and user vulnerabilities
  – Recognize Insider Threats to Network Security
Other more specialized functional areas supporting CUI compliance require specific training and knowledge as described in NIST 800-171 r1. on:
  – Network security
  – Network auditing and accountability
  – Network configuration management
  – Network identification and authentication
  – Incident response procedures
  – Network maintenance
  – Media protection
  – Personnel security
  – Physical protection
  – On-going Network risk and security assessments
  – Systems and communication protection
  – Systems and information integrity
Measuring and monitoring risk is essential to good risk governance. Assessing key metric areas for developing an effective CUI compliance dashboard is absolutely essential during the risk assessment process. Compliance metrics improve risk visibility, and also provide insights to managers and leaders in evaluating effectiveness the CUI compliance program.
Assessing and understanding third party CUI risk is also critical. The new CUI requirements make it clear prime contractors are responsible for subcontractors and vendors CUI compliance. This is also a complex challenge, because meeting internal and external CUI compliance requirements all have the same deadline, penalties, and reporting requirements. A compliance gap analysis and prioritization within the CUI risk assessment help drive the program schedule and tasks. Many companies will need external consulting support across a wide variety of areas in order to meet a very tight CUI compliance deadline on December 31, 2017.
CEO: Is a CUI Compliance Program needed to implement, sustain, and manage CUI compliance risk?
CUI compliance is an unfunded requirement. Quite literally, CUI mandates are the new cost of doing business with the Federal Government. For those Defense Industry companies and other non-Federal Institutions whose products, R&D, technologies, and services are included within the scope of CUI program mandates, the requirements are impactful and the deadline is danger close.
Often within companies, a precious few people worry about compliance risks. Unfortunately, the brutal impact of CUI compliance violations on an organization is far greater than those precious few. Sanctions, fines, and prohibitions not only impact shareholder value, but may also disrupt core revenue streams. Addressing CUI compliance risk is a complex leadership challenge, especially across large organizations. Many compliance professionals understand compliance risks, but few understand how to implement, shape and reduce risk across the organization.
The consequences of organizations not “owning” CUI compliance risks are far reaching. Organizations some do not “own” risk very well. Leaders require knowledge, visibility, and resources to manage their organizational risks. Good corporate governance must include CUI compliance risk within their strategic risk management process. “Strategic risks are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately effect shareholder value or the viability of the organization.” A CUI Compliance Program serves to implement, manage, and provide strategic risk visibility and is a business imperative. Engage and embrace the organizational and people-centric realities within establishing and sustaining compliance programs, or ignore them at your peril.
CEO: How can outsourcing support accelerate our CUI Compliance Program implementation and reduce risk?
Coherently integrated experience, services, and technologies offer remarkable accelerant to companies seeking to rapidly address CUI compliance risk. Once developed and implemented, a CUI Compliance Program approach is self-sustainable. Executives and managers need the outside assistance and perspectives of quality consulting organizations who can identify the CUI challenges organizationally, functionally, and technically.
Mapping consulting capabilities to a CUI compliance risk reduction framework whose purpose is to establish compliance within the organization, bridges missing internal capabilities and risk reduction objectives. Surging consulting capabilities to drive risk-reducing outcomes enables the roadmap and tight schedule for the Board and senior leaders committed to CUI compliance. Corporate and organizational leaders with authority and compliance consultants work together to leverage findings from the CUI risk assessment to rapidly develop a strategy, plan, tasks, and schedule. Results will always outperform legacy “passive recommendations” made by typical consultants. A hands-on approach is absolutely required.
Boards and corporate leaders need to embrace those consulting firms whose reputation is tied to results, not just beautifully bound and printed documents. Comprehensive CUI compliance risk assessments should also reveal managerial and systemic compliance vulnerabilities obscured by other approaches. Consulting success must be tied to reducing organizational-wide CUI risks: Assess, Understand, Prioritize, Enable. What are the critical elements to comprehensively reducing your CUI compliance risk?
CEO: Do we fully understand the new requirements?
The Defense Federal Acquisition Regulation (DFAR) [252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting] mandates contractors (and sub-contractors) must protect CUI to the standards outlined in the National Institute of Science and Technology (NIST) Special Publication 800-171r1, [Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations]. The Special Publication lists 110 actions required to protect CUI in 14 different categories. The United States Government (USG) has an interest in safeguarding the CUI data from unauthorized dissemination and also has an interest in insuring the confidentiality, integrity, and availability of a company’s IT system which safeguards CUI data. The new CUI policies mandate requirements for all Federal Agencies beyond the network security requirements, individuals, and private organizations handling CUI basic and specified data.
CUI is divided into two categories, basic and specified. Export Controlled information falls within the CUI specified category because laws, regulations, and government policies mandate specific requirements regarding disclosure and protection. Export control, as with many other specified categories of CUI, also includes significant penalties for violations and mishandling. Much like export controlled compliance regulations, the DFAR directs contractors (and sub-contractors) disclose and report when CUI data is compromised. Since most companies rely heavily on IT systems and the preponderance of CUI data is electronic, the DFAR requires cyber incidents be disclosed within 72 hours of detection to the Department of Defense (DoD). CUI requirements in larger organizations are complex both technically and programmatically. CUI program leaders need the authority and ability to coordinate implementation across complex organizations.
Eventually, circumstances will require companies demonstrate their CUI compliance across their organization. Companies and research institutions that ignore the CUI compliance requirements to safeguard CUI information, data, and meet network security requirements place themselves at significant risk to civil, criminal, and contract penalties. In today’s cyber security environment of ubiquitous risk, the detection of a reportable incident is inevitable. With mandatory reporting requirements, an entity should be able to produce a system compliant security plan and security assessment upon request. CUI non-compliance places current and future DoD business opportunities at significant risk.
New Federal regulations surrounding CUI data and safeguarding mandates requires strict adherence to programmatic and technical regulations that are detailed, unforgiving, time-consuming, and often not well understood. Foreign interests aggressively target CUI data through a variety of surreptitious means. Even for the most vigilant companies, urgent business pressures distract well-intentioned leaders, managers, and employees from the looming CUI requirements on information, data, and security management requirements are a distant priority…until it’s too late. The CUI Compliance deadline on December 31, 2017 will arrive, and organizations will, or will not be ready. CUI Risk Management acknowledges the strategic risk to your business and the necessity to establish effective risk governance. A CUI compliance program accelerates successful implementation, and effectively manages the risk of sustaining compliance across your entire organization. The path toward implementation and managing CUI compliance risk is not easy, so what do we do now? We lead.

* * * * * * * * * * * * * * * * * * * * 

T. McVey: “ITAR For Government Contractors” (Part 1 of 4)

(Source: Williams Mullen)
* Author: Thomas B. McVey, Chair of the International Practice Group of Williams Mullen, tmcmcvey@williamsmullen.com.
[Editor’s Note: Due to space limitations, Thomas B. McVey’s ITAR Guide for Government Contractors has been divided into four parts. The four parts will be published in the Daily Bugle of 31 August, and 1, 5 and 6 September 2017. The Guide been revised for recent amendments on 10 August 2017.]
One of the most important areas of regulation for defense contractors is the International Traffic in Arms Regulations (ITAR). ITAR are the State Department controls that regulate the defense industry. [FN/2] Companies regulated under ITAR are subject to a number of requirements including registration, licensing, restrictions on transferring controlled technical data and performing defense services, among others. Following recent amendments, a second set of regulations – the Export Administration Regulations (EAR) [FN/3] – impose related requirements for government contracts firms and must be considered alongside ITAR. Contrary to popular belief, these apply beyond export transactions to many domestic activities of U.S. defense firms – they can apply even if the company’s only customer is the U.S. Government. Due to the potential civil and criminal liability involved, it is imperative for defense firms to have a clear understanding of these laws. The following provides an overview of these requirements and strategies for complying with them.
(Part 1) Is My Company Subject to ITAR?
  (1) The U.S. Munitions List. At the core of the ITAR is a list of products called the U.S. Munitions List (USML). The USML contains a wide array of products as well as software, technical data and services. If a company’s product, software, technical data or services are identified on the list, the company is subject to the ITAR requirements.
The USML contains twenty-one broad categories of products, ranging from firearms and military vehicles to computers and communication equipment. The original intent behind these regulations was to list military products, however over time the USML has expanded to cover many items that are used in both military and commercial applications. Examples of items covered on the USML are:
  – Specified command, control and communications systems including certain radios (transceivers) and identification equipment;
  – Military training services and equipment;
  – Certain types of drone aircraft;
  – Body armor providing protection level equal or above NIJ Type IV;
  – Inertial navigation systems specially designed for military aircraft;
  – Military vehicles and certain specially designed parts and components;
  – Naval vessels and certain specially designed equipment, parts,
technologies and software;
  – Certain satellites, launch vehicles and ground control equipment,
including parts, technologies and software;
  – Certain electronic sensor systems;
  – Advanced materials such as ablative materials fabricated from advanced
  – Specified lasers and related systems;
  – Certain underwater sound equipment;
  – Certain flight control, radar, avionics products, software and
  – Classified products, technical data and software;
  – Toxicological agents; and
  – Certain auxiliary military equipment.
A complete list of the 21 Categories covered on the USML is attached below in Exhibit A.
If a company’s product is on the USML, the company is subject to a number of requirements in domestic and international activities, as more fully described below.
  (2) Regulation of Technical Data and Software. ITAR covers not just products, but also software and technical data as well. If an item is listed on the USML, software required to run that item is typically also covered on the USML. Similarly, technical data related to the item is also usually listed on the USML. Technical data is defined to include information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of articles on the USML. [FN/4] If a company produces any of these items it is subject to ITAR.
  (3) Services. In addition, the ITAR covers “defense services.” If an item is listed on the USML, the performance of many types of services related to such item for foreign parties are also covered on the USML and subject to ITAR. This includes services involving the installation, design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles. In addition, providing military training to foreign parties as well as “military advice” to such parties are considered defense services subject to ITAR. Even if a company does not manufacture or sell a particular product that is listed on the USML, if it performs services related to such items the services may be covered under the USML and the company subject to ITAR.
  (4) Parts and Components. The USML covers not just end-products but also subsystems and certain parts, components, accessories, attachments and software that are “specially designed” to be used with end- items on the USML. (In addition, many “specially designed” parts and components of ITAR items are regulated under the EAR – see Section B below). Under the State Department’s interpretative “See-Through Rule,” if a part or component is subject to ITAR and used in a larger system, the entire larger system becomes subject to ITAR regulation. This creates significant complications for both U.S. and foreign companies that supply defense components including second- and third-tier suppliers. Thus, these controls reach far and wide within the defense supply chain.
  (5) Products and Technologies Developed From Government Research Funding. A key factor that the State Department considers in assessing if a product is on the USML is whether the product or technology was originally developed from U.S. Government funding. Many products that were developed using U.S. defense research funding, such as under SBIR contracts or DOD research grants, are on the USML and hence the product, as well as the technical data, software and defense services related to such product, may be ITAR-controlled.
  (6) Universities and Research Institutions. ITAR applies beyond commercial firms to universities, research institutions and other not-for-profit organizations involved in technology research and development. Indeed, some of the most important technologies in the defense field are being developed in these institutions and ITAR controls apply within these as well. In one well known case, a professor at the University of Tennessee was sentenced to four years in prison for ITAR violations related to the disclosure of ITAR-controlled technical data to foreign national students in his laboratory at the University. [FN/5]
  (7) Obligations Under ITAR. If a company’s products, software, technical data or services are on the USML, ITAR imposes a number of requirements and the company may become subject to one or more of the following unless a license exemption applies:
  – Registration – If a U.S. company manufactures, exports, temporarily imports or brokers an item on the USML or performs a “defense service” the company is required to register with DDTC under ITAR Part 122. Note that registration is required even if a company only performs domestic manufacturing activities – exporting is not required to trigger the registration obligation. [FN/6]
   – Transfer of Technical Data and Software to Foreign Nationals – The company is prohibited from transferring software or technical data on the USML to foreign nationals, [FN/7] either in the U.S. or abroad, without an export license, unless a license exemption applies. This applies even if the foreign national is an employee of the company.
  – Defense Services – The company is prohibited from performing “defense services” related to items on the USML for foreign parties, either in the U.S. or abroad, without obtaining a State Department authorization called a Technical Assistance Agreement (TAA).
  – Export License – The company is prohibited from exporting products listed on the USML without obtaining an export license unless a license exemption applies.
  – Reexports/Retransfers – If an ITAR-controlled item is exported under a license, the foreign recipient is not permitted to reexport the item (i.e., export the item to another foreign country) or retransfer the item (i.e., transfer the item to another party or for a different end use in the same foreign country) unless the State Department has provided specific authorization for the reexport/retransfer.
  – Products Manufactured Abroad Using ITAR-Controlled Items – If a foreign party uses an ITAR-controlled component in a new product manufactured abroad, or manufactures a new foreign product based upon ITAR-controlled technical data, the new product manufactured abroad becomes ITAR-controlled. As such, the foreign party is not permitted to transfer the foreign produced item to any other parties unless DDTC provides specific authorization for such transfer. If a US company grants a foreign party an authorization to manufacture defense articles abroad which involve the use of ITAR-controlled technical data, the parties are typically required to execute a Manufacturing License Agreement (MLA) which has been authorized by DDTC and comply with other requirements. In addition, agreements between U.S. companies and foreign companies for the warehousing and distribution of defense articles overseas (referred to as Warehousing and Distribution Agreements) must be approved in advanced by the Directorate of Defense Trade Controls (DDTC).
  – Temporary Imports – The company is prohibited from importing defense items listed on the U.S. Munitions List in temporary import transactions without obtaining a temporary import license. [FN/8]
  – Brokering – If companies perform activities to assist or facilitate the sale of ITAR-controlled items to non-US parties this is generally referred to as “brokering activity.” [FN/9] Parties who engage in brokering activities are subject to numerous requirements including broker registration, the requirement to obtain advanced State Department authorization to perform brokering activities for certain products, reporting, recordkeeping and restrictions on engaging in brokering transactions involving the Section 126.1 “Proscribed Countries” (See Section C.(4) below).
  – Reports for Payments of Sales Commission, Fees and Political Contributions – Companies that pay sales commission, fees and/or political contributions in connection with the sale of ITAR-controlled products or services that meet the requirements of ITAR Part 130 are required to file reports with DDTC regarding such payments and comply with other requirements under ITAR Part 130.
  – Transactions with Debarred Parties – Persons who have been debarred or who are deemed “ineligible” under the provisions of ITAR §120.1(c)(2) [FN/10] are prohibited from entering into transactions regulated under ITAR. In addition, companies are prohibited from entering transactions regulated under ITAR if other parties involved in such transactions have been debarred or are otherwise ineligible under §120.1(c)(2).
  – §126.1 Proscribed Countries – Companies are prohibited from (i) entering transactions regulated under ITAR involving countries listed in ITAR §126.1 (referred to as the “Section 126.1 Proscribed Countries”) without specific DDTC authorization (which is subject to a policy of denial); (ii) submitting marketing proposals or presentations to parties in the Section 126.1 Proscribed Countries without advanced authorization from DDTC; and (iii) engaging in brokering transactions with parties involving the Section 126.1 Proscribed Countries. In addition, if a person knows or has reason to know of a proposed, final or actual sale, export or other transfer of ITAR-controlled items involving the Section 126.1 Proscribed Countries they are required to immediately inform DDTC of such event.
 – Recordkeeping Requirement – The company is required to maintain records in accordance with the ITAR recordkeeping requirements set forth at 22 CFR §122.5.
  (8) Domestic Versus International Activities. Many executives view ITAR to be part of the U.S. export control laws and regulate just exports. However, ITAR regulates a wide variety of activities in purely domestic commercial activity, such as:
  – The prohibition of the transfer of technical data or software subject to ITAR to foreign nationals in the United States;
  – The prohibition of the performance of defense services for foreign parties in the United States;
  – The requirement for U.S. companies to register with the State Department as a domestic manufacturer, even if they do not export any products;
  – The requirement to comply with ITAR recordkeeping requirements;
  – The requirement to obtain import authorization for the import of defense items; and
  – The prohibition of the transfer of USML products to representatives of foreign governments and military organizations (including NATO, United Nations, etc.) in the United States unless a license is obtained or an exemption applies.
  (9) Obligations on Foreign Companies. ITAR requirements may also apply to foreign companies including foreign government contractors. For example, if a foreign company receives an ITAR controlled item overseas, including hardware, technical data or software, it is prohibited from reexporting or retransferring such item unless the State Department has provided specific authorization (referred to as reexport or retransfer authorization). Also, as mentioned above, if an ITAR-controlled component is exported from the U.S. and incorporated into a foreign-manufactured product, under the “See- Through Rule” the entire foreign-made product becomes subject to ITAR regulation.
  (10) Penalties. Penalties for ITAR violations include civil and criminal penalties, including fines of up to $1,000,000 per violation and up to 20 years imprisonment. [FN/11] Other sanctions include debarment, denial of export privileges and publication of a press release by DDTC regarding the company’s violation.
  [FN/1] The author specialises in the areas of ITAR, EAR and the federal regulation of international business. Additional articles on ITAR, EAR and US sanctions programs are available at “
ITAR Articles
  [FN/2] The ITAR can be found at 22 CFR Chapter I, Subchapter M, Parts 120-130.
  [FN/3] The EAR can be found at 15 CFR Chapter VII, Subchapter C.
  [FN/4] Information that is in the “public domain” as defined in 22 CFR §120.11 is not considered controlled technical data. In addition, certain additional types of information are outside the scope of “technical data” – see 22 CFR §120.10(b).
  [FN/5] See
  [FN/6] While there are a number of exemptions from the registration requirement as set forth in 22 CFR §122.1(b), if a company is exempt from the registration requirement it may still be subject to many of the other requirements under ITAR.
  [FN/7] A “Foreign Person” is defined in ITAR §120.16 as a person who is not a US citizen, permanent resident alien (green card holder) or “protected individual” under 8 USC §1324b(a)(3), or is a foreign business entity that is not incorporated in the US.
  [FN/8] In addition, parties that import items on the US Munitions Import List in permanent import transactions will be subject to regulations promulgated by the Bureau of Alcohol, Tobacco, Firearms and Explosives.
  [FN/9] The definition of “brokering activities” is set forth at ITAR §129.2(b).
  [FN/10] ITAR §120.1(c)(2) provides as follows: 
Persons who have been convicted of violating the U.S. criminal statutes enumerated in §120.27, who have been debarred pursuant to part 127 or 128 of this subchapter, who are subject to indictment or are otherwise charged (e.g., charged by criminal information in lieu of 
indictment) with violating the U.S. criminal statutes enumerated in §120.27, who are ineligible to contract with or to receive a license or other form of authorization to import defense articles or defense services from any agency of the U.S. Government, who are ineligible to receive an export license or other approval from any other agency of the U.S. Government, or who are subject to a Department of State policy of denial, suspension, or revocation under §126.7(a) of this subchapter, are generally ineligible to be involved in activities regulated under the subchapter.
  [FN/11] See: 4th Circuit Lowers Threshold For Criminal Violations Of ITAR, available

* * * * * * * * * * * * * * * * * * * * 

15Gary Stanley’s ECR Tip of the Day

(Source: Defense and Export-Import Update; available by subscription from
* Author: Gary Stanley, Esq., Global Legal Services, PC, (202) 352-3059,
ITAR § 120.19 provides that any release outside the United States of technical data to a foreign person is deemed to be a reexport to all countries in which the foreign person has held or holds citizenship or holds permanent residency. This is the regulatory underpinning of DDTC’s policies with respect to dual/third country national employees, temps, and interns working at foreign companies and other entities.

* * * * * * * * * * * * * * * * * * * * 

16R.C. Burns: “OFAC’s FAQs on Venezuela Sanctions Omit the Most Frequently Asked Question”

Export Law Blog
. Reprinted by permission.)
* Author: R. Clifton Burns, Esq., Bryan Cave LLP, Wash DC,
, 202-508-6067).
Last week the Office of Foreign Assets Control (“OFAC”) announced a set of new sanctions on Venezuela and it’s petroleum company Petroleos de Venezuela, S.A. (“PdVSA”) as set forth in the newly published Executive Order 13808. Under the Executive Order, U.S persons are prohibited from dealing in (1) new debt of the Government of Venezuela extended after August 24 with a maturity greater than 30 days, (2) new debt of PdVSA extended after August 25 with a maturity greater than 90 days, (3) bonds issued by the Government of Venezuela or (4) dividends or other profit distributions paid to the Government of Venezuela by entities owned by the Government of Venezuela. At the same time, it issued four general licenses authorizing, among other things, wind-down transactions, transactions involving CITGO and transactions involving agricultural commodities, medicine or medical devices.
The prohibitions on dealing in new debt closely parallel similar restrictions that OFAC imposed on certain Russian entities and, in fact, OFAC issued FAQs on the new Venezuela debt prohibitions that are identical to the FAQs on the Russian debt prohibitions. As a result, and once again, OFAC doesn’t answer in its FAQs what is in fact the most frequently asked question about new debt – namely, does new debt cover instances where PdVSA or the Government of Venezuela fails to pay for goods or services rendered within 30 or 90 days after the services are rendered or the goods are provided.
Certainly, it seems clear that it would be debt where the contract provides for and allows payment after these 30-day and 90-day periods as applicable. But suppose, you have a contract with PdVSA which provides for payment net 30. Does that become “new debt” with a maturity greater than 90 days when, on day 91, PdVSA fails to pay? And since the FAQs say that the prohibitions do not extend to debt extended prior to August 25, 2017, when was this debt extended if the goods or services were provided prior to August 25. Did that occur on Day 31? Or day 91? Given what appears to be the not uncommon practice of these two entities of not paying on time, these are not simply brain teasers that I have cooked up to tease the folks at OFAC.
Of course, it seems that there would be a good argument that an involuntary extension of debt in such a situation should not be covered, although nothing in the order or the FAQs makes this clear. If such involuntary extensions are included in the prohibitions, should the contracting party file a voluntary disclosure as soon as possible after PdVSA accounts receivable age out over 90 days? And even if involuntary extensions of debt are exempted, what does the party to the agreement with PdVSA or the Government of Venezuela have to do to prove that the extension of debt is involuntary. Sue? Withhold further services? Stop future deliveries? Send a nastygram from its lawyers demanding payment?

Rather than answer these questions, which, no doubt, large numbers of people with accounts receivable from PdVSA or the Government of Venezuela are asking at this very moment, OFAC’s FAQs dither around on the esoterica of, among other things, whether the new sanctions prohibit getting bank financing to purchase goods from PdVSA (no) or prohibit maintaining correspondent accounts for state-owned Venezuelan banks (no, as long as no debt of greater than 30 days is extended). This is all baffling and simply further evidence that the people at OFAC who administer these regulations have little idea of how business actually works.

* * * * * * * * * * * * * * * * * * * * 


* * * * * * * * * * * * * * * * * * * *

. Sue Gainor Appointed as VP, Global Trade Controls, at Boeing

Sue Gainor, recently Director, Office of Defense Trade Controls Compliance at the State Department, has been appointed Vice President, Global Trade Controls, Office of Internal Governance and Administration, at The Boeing Company.

* * * * * * * * * * * * * * * * * * * *


* What: United States Export Control (ITAR/EAR/OFAC) Seminar Series in Phoenix, AZ
* When: ITAR Seminar:  October 30-31, 2017; EAR/OFAC Seminar: Nov 1-2, 2017
* Where: Phoenix, AZ: Sheraton Crescent Hotel Phoenix
* Sponsor: Export Compliance Training Institute (ECTI)
* ECTI Speaker Panel: John Black, Scott Gearity and Melissa Proctor
* Register: Here, or Jessica Lemon, 540-433-3977, jessica@learnexportcompliance.com
* * * * * * * * * * * * * * * * * * * *



* Maria Montessori (Maria Tecla Artemisia Montessori; 31 Aug 1870 – 6 May 1952; was an Italian physician and educator best known for the philosophy of education that bears her name, and her writing on scientific pedagogy. Her educational method is in use today in some public and private schools throughout the world.)
  – “Early childhood education is the key to the betterment of society.”
  – “Never help a child with a task at which he feels he can succeed.”

* * * * * * * * * * * * * * * * * * * *

. Are Your Copies of Regulations Up to Date?
(Source: Editor)

The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register.  Changes to applicable regulations are listed below.
: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War
  – Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm. 
: 19 CFR, Ch. 1, Pts. 0-199
  – Last Amendment: 28 Jul 2017: 82 FR 35064-35065: Technical Corrections to U.S. Customs and Border Protection Regulations
  – Last Amendment: 18 May 2016: Change 2: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and cancelled Supp. 1 to the NISPOM (Summary here.)

: 15 CFR Subtit. B, Ch. VII, Pts. 730-774

  – Last Amendment: 15 Aug 2017: 
82 FR 38764-38819: Wassenaar Arrangement 2016 Plenary Agreements Implementation 

: 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders
  – Last Amendment: 16 Jun 2017: 82 FR 27613-27614: Removal of Burmese Sanctions Regulations 
: 15 CFR Part 30
  – Last Amendment: 19 Apr 2017: 82 FR 18383-18393: Foreign Trade Regulations: Clarification on Filing Requirements 
  – HTS codes that are not valid for AES are available
  – The latest edition (18 July 2017) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, Census/AES guidance, and to many errors contained in the official text. Subscribers receive revised copies every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR.
, 1 Jan 2017: 19 USC 1202 Annex. (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)
  – Last Amendment: 25 Jul 2017: Harmonized System Update 1706, containing 834 ABI records and 157 harmonized tariff records.
  – HTS codes for AES are available
  – HTS codes that are not valid for AES are available
  – Last Amendment: 30 Aug 2017: 82 FR 41172-41173: Temporary Modification of USML Category XI(b)
  – The only available fully updated copy (latest edition: 30 Aug 2017) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III. The BITAR contains all ITAR amendments to date, plus a large Index, over 800 footnotes containing amendment histories, case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text. Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment. The BITAR is available by annual subscription from the Full Circle Compliance website.  BAFTR subscribers receive a 25% discount on subscriptions to the BITAR, please contact us to receive your discount code.  [Editor’s note to BITAR subscribers: If you did not receive an emailed copy of the 30 August edition, please reply to me at JEBartlett@JEBartlett.com.]

* * * * * * * * * * * * * * * * * * * *

Weekly Highlights of the Daily Bugle Top Stories

(Source: Editor) 

Review last week’s top Ex/Im stories in “Weekly Highlights of the Daily Bugle Top Stories” published 

* * * * * * * * * * * * * * * * * * * *


* The Ex/Im Daily Update is a publication of FCC Advisory B.V., compiled by: Editor, James E. Bartlett III; Assistant Editors, Alexander P. Bosch and Vincent J.A. Goossen; and Events & Jobs Editor, John Bartlett. The Ex/Im Daily Update is emailed every business day to approximately 8,000 readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOJ/ATF, DoD/DSS, DoD/DTSA, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission. Any further use of contributors’ material, however, must comply with applicable copyright laws.

* CAVEAT: The contents of this newsletter cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website.

* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.

Scroll to Top