18-0215 Thursday “Daily Bugle”

18-0215 Thursday “Daily Bugle”

Thursday, 15 February 2018

The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, DOE/NRC, Customs, NISPOM, EAR, FACR/OFAC, FAR/DFARS, FTR/AES, HTSUS, and ITAR), plus news and events.  Subscribe 
here for free subscription. Contact us
for advertising inquiries and rates

[No items of interest noted today.] 

  1. Items Scheduled for Publication in Future Federal Register Editions 
  2. Commerce/BIS Opens Registration for 13th Annual Export Control Forum on 27-28 Mar in Santa Clara, CA 
  3. State/DDTC: (No new postings.) 
  1. Inside Higher Ed: “The Chinese Student Threat?” 
  2. Kyiv Post: “Ukraine Introduces E-Licensing in State Export Control System with U.S. Financial Support”
  3. Reuters: “UK Freezes $800,000 in Assets under Congo Sanctions”
  1. J.S. West, M. Gardner & L.A. Kuykendall: “New Requirements for Protecting Sensitive Government Data Adopted for U.S. Government Contractors: Is Your Company in Compliance?”
  2. M. Volkov: “Planning for the Perilous Consequences of a Data Breach”
  3. Gary Stanley’s ECR Tip of the Day
  1. ECS Announces “ITAR/EAR Beyond the Basics” on 20-21 Mar in San Diego, CA
  1. Bartlett’s Unfamiliar Quotations 
  2. Are Your Copies of Regulations Up to Date? Latest Amendments: ATF (15 Jan 2016), Customs (8 Dec 2017), DOD/NISPOM (18 May 2016), EAR (26 Jan 2018), FACR/OFAC (28 Dec 2017), FTR (20 Sep 2017), HTSUS (8 Feb 2018), ITAR (14 Feb 2018) 
  3. Weekly Highlights of the Daily Bugle Top Stories 



[No items of interest noted today.]

* * * * * * * * * * * * * * * * * * * *


OGS_a11. Items Scheduled for Publication in Future Federal Register Editions
(Source: Federal Register


* Commerce/BIS; RULES; Russian Sanctions: Addition of Certain Entities to the Entity List [Publication Date: 16 Feb 2018.]
* DHS/CBP; NOTICES; Program for the Private Sector to Participate in Trade-Related Training of U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement Personnel [Publication Date: 16 Feb 2018.]

* * * * * * * * * * * * * * * * * * * *


Commerce/BIS Opens Registration for 13th Annual Export Control Forum on 27-28 Mar in Santa Clara, CA

Commerce/BIS, 15 Feb 2018.)
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has announced that registration is now open for the 13th Annual Export Control Forum, taking place on 27-28 March at the Marriott Santa Clara, 2700 Mission College Boulevard, Santa Clara, CA 95054.
More information is available

* * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * 


4. Inside Higher Ed: “The Chinese Student Threat?”

Inside Higher Ed, 15 Feb 2018.) [Excerpts.]
FBI director Christopher Wray tells Senate panel that American academe is naïve about the intelligence risks posed by Chinese students and scholars. Some worry his testimony risks tarring a big group of students as a security threat.
Most of the media coverage of
Tuesday’s Senate intelligence committee hearing focused on Russian threats to U.S. elections and what the Federal Bureau of Investigation knew — and when — about a senior White House aide who resigned in response to domestic abuse allegations. But of importance to higher education, the hearing on a wide range of threats to U.S. security also featured comments from FBI director Christopher Wray about Chinese students at American universities.
Asked by Senator Marco Rubio to comment on “the counterintelligence risk posed to U.S. national security from Chinese students, particularly those in advanced programs in the sciences and mathematics,” Wray responded, “I think in this setting I would just say that the use of nontraditional collectors, especially in the academic setting, whether it’s professors, scientists, students, we see in almost every field office that the FBI has around the country. It’s not just in major cities. It’s in small ones as well. It’s across basically every discipline. …
Jill Welch, the deputy executive director for public policy at NAFSA: Association of International Educators, said that it is “important to remember the extensive security measures already in place,” including “the thorough vetting and monitoring already in place for international students and scholars” and
deemed export control measures designed to prevent the transfer of technologies to other countries. … 

* * * * * * * * * * * * * * * * * * * * 

NWS_a25. Kyiv Post: “Ukraine Introduces E-Licensing in State Export Control System with U.S. Financial Support”

Kyiv Post, 15 Feb 2018.)
The State Export Control Service of Ukraine in cooperation with the U.S. government under the Export Control and Related Border Security (EXBS) Program has ensured the introduction of e-licensing in the state export control system.
According to a public report of the authority’s head for 2017 posted on the website of the State Export Control Service, e-licensing in the state export control system was introduced thanks to support of the United States.
Among the advantages of the new electronic licensing system are the following: ensuring the prompt exchange of data between executive authorities and business entities in the process of making decisions on the possibility of granting permits in the field of military-technical cooperation; acceleration of the implementation of licensing procedures through their full automation; reduction of expenses for ensuring licensing processes and saving budget funds; establishment of permanent communication with customs authorities in order to prevent offenses in the sphere of export control; creation and maintenance of a database of participants in international arms transfers, the results of goods identification and an archive of permits.
According to previously announced information by the authority, the developer of the Stratlink electronic licensing system of the automated system for state export control of Ukraine was Estonia’s SpinTEK. The introduction of the new electronic system was preceded by a joint analysis with the State Service of Special Communication and Information Protection of Ukraine to ensure the protection of information when it is used.
  “Electronic licensing is one of the decisive components of ensuring transparency of the export control system of Ukraine,” the authority said.
According to the document, within cooperation with the United States under the EXBS program, at present, the State Export Control Service is working on recommendations for updating the strategy for work with the defense industry.

* * * * * * * * * * * * * * * * * * * * 

NWS_a36. Reuters: “UK Freezes $800,000 in Assets under Congo Sanctions”

Reuters, 14 Feb 2018.)
The British government said it has frozen 580,000 pounds ($802,894) in assets held by several dozen militia leaders, army officers and private organizations with ties to Democratic Republic of Congo.
The freezes were mandated by the European Union as part of a sanctions regime imposed by the United Nations. Economic Secretary John Glen had written on the UK parliament website in response to an MP’s question that the total sum seized was 580 million pounds before his office corrected the figure later on Wednesday. Glen provided no details of the assets themselves.
Leaders of Congo’s dozens of militia groups, government officials and military officers have long enriched themselves by trafficking minerals, imposing illegal taxes and stealing public funds, according to the government and various experts.
The asset freezes apply to individuals and groups, including warlords convicted by the International Criminal Court, a Congolese general who was convicted of rape, a gold trading company in neighboring Uganda and two now-defunct Congolese airline companies.
Glen said the data covered the period from the sanctions’ adoption in 2005 up until Sept. 30, 2016. That was before the EU imposed sanctions in late 2016 and in 2017 on 15 state officials and a militia leader.
Those sanctions were imposed over alleged human rights abuses and delays replacing President Kabila, whose official mandate ran out in December 2016 but has failed to organize new elections to replace him.

(This story corrects sum of assets frozen to 580,000 pounds from 580 million pounds, following correction by Glen’s office). 

* * * * * * * * * * * * * * * * * * * * 



J.S. West, M. Gardner & L.A. Kuykendall: “New Requirements for Protecting Sensitive Government Data Adopted for U.S. Government Contractors: Is Your Company in Compliance?”

* Authors: John S. West, Esq.,
john.west@troutman.com; Michael “Mike” Gardner, Esq.,
mike.gardner@troutman.com; and Laura Anne Kuykendall, Esq.,
la.kuykendall@troutman.com. All of Troutman Sanders LLP.
In response to growing cybersecurity threats, the U.S. government has implemented new regulations requiring that its contractors take enhanced measures to protect sensitive government information stored on non-governmental systems and networks, including information stored, accessed, or sent outside the United States. Effective December 31, 2017, government contractors handling sensitive federal government information must comply with cybersecurity requirements found in the 
Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, which implements and incorporates the 
National Institute of Standards and Technology (“NIST”) Special Publication 800-171 Revision 1 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (“NIST SP 800-171 Rev. 1”).
Under DFARS regulations, contractors must adhere to two basic cybersecurity requirements: (1) they must provide adequate security to safeguard covered defense information that resides in or transmits through their internal, unclassified systems from any unauthorized access and disclosure; and, (2) they must rapidly report cyber incidents and cooperate with the Department of Defense (“DoD”) to respond to these security incidents. [FN/1] In addition, the NIST has imposed particular security controls and requirements with respect to fourteen categories: (1) access controls; (2) awareness and training; (3) audit and accountability; (4) configuration management; (5) identification and multifactor authentication; (6) incident response; (7) maintenance; (8) media protection; (9) personnel security; (10) physical protection; (11) risk assessment; (12) security assessment; (13) systems and communications protection; and, (14) systems and information integrity. [FN/2] Each category contains multiple requirements, resulting in over a hundred different controls. For example, within the access control category, the NIST requires that contractors limit unsuccessful logon attempts and automatically terminate a user session after a defined condition occurs. [FN/3]
Department of Defense contractors who fail to meet these minimum security standards risk losing their DoD contracts. These security controls must be implemented at the contractor and subcontractor levels. [FN/4] Any requests for variances from the requirements established by the NIST must be submitted to DoD’s Chief Information Officer (“CIO”). [FN/5] For all contracts awarded prior to October 1, 2017, the contractor had an obligation to notify the DoD CIO within 30 days of the contract award of any security requirements specified by NIST SP 800-171 Rev. 1 not implemented at the time of the contract award. [FN/6]
In November 2017, NIST also released 
draft guidance regarding implementing the NIST’s new controls, noting that the guidance was “intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements”.
The Department of Justice’s recent 
Non-Prosecution Agreement with a software development company, Netcracker Technology Corporation, signaled the importance of ensuring that all persons working on government defense and intelligence contracts have appropriate authorization and security clearances. To avoid criminal prosecution, Netcracker agreed to implement an Enhanced Security Plan for its U.S.-based customers’ domestic communications infrastructure. Contractors providing goods or services to other private contractors should obtain appropriate assurances regarding the U.S. person status of any person employed or working on behalf of the private contractor and/or the licensed/authorization status applicable under export control laws of foreign persons employed by or working on behalf of the other private contractor. Contractors should take these steps even when supplying DoD or the intelligence community with non-classified commercial off the self (“COTS”) products.
  [FN/1] DFARS 252.204-7012(b), (c).
See generally 
NIST 800-171 Rev. 1.
  [FN/3] NIST 800-171 Rev. 1 §§ 3.1.8, 3.1.11.
  [FN/4] DFARS 252.204-7012(m).
  [FN/5] DFARS 252.204-7012(b)(2)(ii)(B).
  [FN/6] DFARS 252.204-7012(b)(2)(ii)(A).

* * * * * * * * * * * * * * * * * * * * 


M. Volkov: “Planning for the Perilous Consequences of a Data Breach”

Volkov Law Group Blog, 14 Feb 2018. Reprinted by permission.)
* Author: Michael Volkov, Esq., Volkov Law Group,
mvolkov@volkovlaw.com, 240-505-1992.
The nightmare scenario for corporate boards and senior executives revolves around the impact of a major data breach. We have seen this first hand with Equifax, Anthem Healthcare, and Target, as prime examples.  In the Equifax case alone, it is estimated that approximately 140 million individuals had their information hacked in the attack.  It is easy to understand, in these circumstances, that a company can easily be fighting for its life.
The risks start from negative publicity, Congressional intervention and hearings, extend to breach remediation costs (technical and legal), corporate governance challenges, and the inevitable follow-on collateral litigation.  Costs from a data breach are mounting and companies can no longer ignore the impact of such an event.  Given the potential devastating impact, companies have to secure cyber insurance as part of an overall compliance and remediation strategy.
A Data Breach Emergency Protocol is a critical component of every Cybersecurity Compliance Plan.  A data breach has to be defined as the unauthorized collection or disclosure of sensitive information, personal or business secrets, to a party inside or outside the organization.  To protect against such attacks, companies employ a variety of strategies through firewalls, security divisions, strong authorization protocols and passwords to protect sensitive data.
In the simplest terms, a hack can occur from someone obtaining a valid username and password to enter the company’s network.  With the advent of cloud computing and complex hacking techniques, current security strategies are quickly becoming outmoded.
Companies are now focusing on strategies to protect the sensitive data itself through encryption strategies.  Each individual user has to be authorized at a second-level of protection to access the sensitive data itself.
Every state has established data breach notification requirements.  Despite numerous attempts, Congress has been unable to establish a federal standard that may preempt state requirements.  The individual state laws usually define a data breach, who has to be notified, what form the notification should take, what remedial action has to be taken, and the legal punishments for failure to comply with these requirements.
When customer information is breached, companies have to establish where a customer resides for purposes of determining which state law may apply.  Breaches that involve personal, health, and financial data require robust notification and remediation efforts.
The costs of notification are just the beginning – customer support for individuals who need assistance as well as compensation for damages and replacement for new credit cards, for example, can quickly add to a company’s costs to remediate after a data breach.
Given the increasing burden being imposed by the states, companies need to ensure prompt and comprehensive notification and remediation plans.  If a company fails to comply with these requirements, the headaches, legal consequences, reputational damage and penalties can increase exponentially.
A company’s response to a data breach is the most critical step that a company can take to limit the damage to its reputation.  When faced with a data breach crisis, a company has to rally around a comprehensive plan, stick to the scripts, and address issues as they arise.  An emergency response can never anticipate every issue, but a plan should have contingencies for most significant responses.
More companies are employing proactive technical protections against data breaches.  A company that segregates and encrypts its sensitive data may be able to protect against a data breach as defined under state laws.  An unauthorized intrusion may not be able to extend into the encrypted data.  As a result, encryption can create a safe harbor for a company from data breach notification requirements and consequences.

* * * * * * * * * * * * * * * * * * * * 

9. Gary Stanley’s ECR Tip of the Day

(Source: Defense and Export-Import Update, 15 Feb 2018. available by subscription from
* Author: Gary Stanley, Esq., Global Legal Services, PC, (202) 352-3059,
When determining whether an item made outside the United States is subject to the EAR because it contains more than a de minimis level of U.S.-origin content, BIS has historically followed a practice often referred to as the “second incorporation principle.” Although the EAR generally apply to foreign-made items that incorporate more than a de minimis level of controlled U.S.-origin content. the second incorporation principle excepts from EAR control certain U.S.-origin components of the foreign-made items. The second incorporation principle generally states that U.S.-origin components that are incorporated into a foreign-made discrete product will not he counted in de minimis calculations when the foreign-made discrete product of which they area part is itself incorporated into a subsequent foreign-made item (i.e., alter the second foreign incorporation). This principle may be employed only if a “first” incorporation has actually been completed, resulting in a foreign-made discrete product. In other words. the U.S.-origin components must be incorporated into a “first” discrete product before a “second” incorporation can occur, and the level of U.S.-origin content in the “first” discrete product must be considered until that product’s “second” incorporation is complete.
The purpose of the second incorporation principle is to minimize the burden on foreign parties who purchase foreign-made products and typically have little or no means to determine how much, if any, U.S.-origin content those foreign-made products contain. Whether a particular foreign-made item incorporating U.S.-origin components is a discrete product depends on the facts of a particular case, and it is helpful to keep the purpose of the second incorporation principle in mind when evaluating a particular situation. Evidence that a foreign-made item was purchased in an arm’s length transaction or evidence that the item is regularly sold by itself, either as a stand-alone product or as an identifiable replacement for a particular product, would tend to indicate that the item is a discrete product.

* * * * * * * * * * * * * * * * * * * * 


* What: ECS Presents ITAR/EAR Beyond the Basics, Establishing A Rock-solid Export Compliance Program
* When: March 21-22, 2018
* Sponsor: Export Compliance Solutions (ECS)
* ECS Speaker Panel: Suzanne Palmer, Lisa Bencivenga
* Register
or by calling 866-238-4018 or e-mail

* * * * * * * * * * * * * * * * * * * * 


* * * * * * * * * * * * * * * * * * * *

. Are Your Copies of Regulations Up to Date?
(Source: Editor)

The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register.  The latest amendments to applicable regulations are listed below.
: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War
  – Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm. 
: 19 CFR, Ch. 1, Pts. 0-199
  – Last Amendment: 8 Dec 2017: 82 FR 57821-57825: Civil Monetary Penalty Adjustments for Inflation

  – Last Amendment: 18 May 2016: Change 2
: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and cancelled Supp. 1 to the NISPOM (Summary 

: 15 CFR Subtit. B, Ch. VII, Pts. 730-774

  – Last Amendment: 26 Jan 2018: 83 FR 3577-3583: Addition of Certain Entities; Removal of Certain Entities; and Revisions of Entries on the Entity List

: 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders
  – Last Amendment: 28 Dec 2017: 
82 FR 61450-61451: Iraq Stabilization and Insurgency Sanctions Regulations

: 15 CFR Part 30
  – Last Amendment:
20 Sep 2017:
82 FR 43842-43844
: Foreign Trade Regulations (FTR): Clarification on Filing Requirements; Correction
  – HTS codes that are not valid for AES are available
  – The latest edition (1 Jan 2018) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, Census/AES guidance, and to many errors contained in the official text. Subscribers receive revised copies every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR.
, 1 Jan 2018: 19 USC 1202 Annex. (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)
  – Last Amendment: 8 Feb 2018:
83 FR 5674: Technical Corrections to the Harmonized Tariff Schedule of the United States [Concerns HTSUS Chapter 99, Subchapter III].

  – HTS codes for AES are available here.
  – HTS codes that are not valid for AES are available here.


  – Last Amendment: 14 Feb 2018:
83 FR 6457-6458
: Amendment to the International Traffic in Arms Regulations: Addition of South Sudan [Amends ITAR Part 126.]

  – The only available fully updated copy (latest edition: 19 Jan 2018) of the ITAR with all amendments is contained in Bartlett’s Annotated 

, by James E. Bartlett III. The BITAR contains all ITAR amendments to date, plus a large Index, over 800 footnotes containing amendment histories, case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text. Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment.
 The BITAR is available by annual subscription from the Full Circle Compliance
. BAFTR subscribers receive a 25% discount on subscriptions to the BITAR, please
contact us
to receive your discount code.

* * * * * * * * * * * * * * * * * * * *

Weekly Highlights of the Daily Bugle Top Stories

(Source: Editor) 

Review last week’s top Ex/Im stories in “Weekly Highlights of the Daily Bugle Top Stories” published 

* * * * * * * * * * * * * * * * * * * *


* The Ex/Im Daily Update is a publication of FCC Advisory B.V., compiled by: Editor, James E. Bartlett III; Assistant Editors, Alexander P. Bosch and Vincent J.A. Goossen; and Events & Jobs Editor, John Bartlett. The Ex/Im Daily Update is emailed every business day to approximately 8,000 readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOE/NRC, DOJ/ATF, DoD/DSS, DoD/DTSA, FAR/DFARS, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission, provided attribution is given to “The Export/Import Daily Bugle of (date)”. Any further use of contributors’ material, however, must comply with applicable copyright laws.

* CAVEAT: The contents of this newsletter cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website.

* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.

Scroll to Top