Every month we post the highlights of FCC’s Export/Import Daily Update (“The Daily Bugle”). The Daily Bugle is sent out every business day to approximately 10,000 readers, who keep up to date with changes to defense and high-tech trade laws and regulations. It is a free daily newsletter from Full Circle Compliance, edited by James E. Bartlett III and Elina Tsapouri.
We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOE/NRC, DOJ/ATF, DoD/DSS, DoD/DTSA, FAR/DFARS, State/DDTC, Treasury/OFAC, White House, and similar websites of European Union, Australia, Canada, U.K., and other countries and international organizations. Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items. To subscribe, click here.
Last month’s highlights of The Daily Bugle included in this edition are:
- State/DDTC Amends the ITAR to Add Ethiopia and Change the Eritrea Country Policy; Monday, 1 Nov 2021; Item #2
- Commerce/BIS Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities; Wednesday, 3 Nov 2021; Item #3
- Commerce/BIS Imposes Administrative Penalty and Audit Requirements to Resolve Allegations Of Unlicensed Shipments To Huawei; Tuesday, 9 Nov 2021; Item #3
- Executive Office of the President: “Continuation of the National Emergency With Respect to Iran”; Wednesday, 10 Nov 2021; Item #1
- Commerce/BIS Posts FAQs for ‘Cybersecurity Items’ and the Export Administration Regulations; Friday, 11 Nov 2021; Item #4
- DoD/DARS: “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward”; Wednesday, 17 Nov 2021; Item #1
- EU Commission: “2021 Export Control Forum – Registration Open”; Monday, 22 Nov 2021; Item #6
- State/DDTC: “New FAQs: Violations and Disclosures & Debarments, Rescissions, and Reinstatements – – DDTC Public Announcements”; Tuesday, 23 Nov 2021; Item #5
- Treasury/OFAC Expands Syria Nongovernmental Organizations General License; Monday, 29 Nov 2021; Item #5
- FCC Academy Presents 2022 Webinars Schedule
State/DDTC Amends the ITAR to Add Ethiopia and Change the Eritrea Country Policy
(Source: Federal Register, 1 Nov 2021) [Excerpts]
86 FR 60165: Rule
* AGENCY: Department of State.
* ACTION: Final rule.
* SUMMARY: The Department of State is amending the International Traffic in Arms Regulations (ITAR) to add and update entries for Ethiopia and Eritrea, respectively. These changes codify that it is the policy of the United States to deny licenses and other approvals for exports of defense articles and defense services to certain end-users in those countries as described herein.
* DATES: The rule is effective on November 1, 2021.
Commerce/BIS Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities
(Source: Commerce/BIS, 3 Nov 2021)
The Commerce Department’s Bureau of Industry and Security (BIS) has released a final rule adding four foreign companies to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States. The four entities are located in Israel, Russia, and Singapore.
NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.
Positive Technologies (Russia), and Computer Security Initiative Consultancy PTE. LTD. (Singapore) were added to the Entity List based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.
U.S. Secretary of Commerce Gina M. Raimondo released the following statement: “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.”
The End-User Review Committee (ERC), which is chaired by the Department of Commerce and includes the Departments of Defense, State, Energy, and where appropriate, Treasury, determined that the conduct of these four entities raises sufficient concerns to place them on the Entity List pursuant to § 744.11(b) of the Export Administration Regulations (EAR).
The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States. For the four entities added to the Entity List in this final rule, BIS imposes a license requirement that applies to all items subject to the EAR. In addition, no license exceptions are available for exports, reexports, or transfers (in-country) to the entities being added to the Entity List in this rule. BIS imposes a license review policy of a presumption of denial for these entities.
Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression. This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities.
Commerce/BIS Imposes Administrative Penalty and Audit Requirements to Resolve Allegations Of Unlicensed Shipments To Huawei
(Source: Commerce/BIS, 8 Nov 2021) [Excerpts]
On November 8, 2021, Kevin J. Kurland, the Acting Assistant Secretary for Export Enforcement, Bureau of Industry and Security (BIS) of the U.S. Department of Commerce, announced an administrative settlement with SP Industries, Inc. (d/b/a SP Scientific), of Warminster, Pennsylvania (“SP Industries”), which includes a civil penalty payment of $80,000 and audit requirements related to allegations that SP Industries committed four violations of the Export Administration Regulations (“EAR”) by exporting items to Huawei Technologies Co. Ltd. (“Huawei”) and two subsidiaries, Huawei Device Co., Ltd. and HiSilicon Technologies Co., Ltd., without the required BIS licenses. The violations resulted in the unauthorized export of four shipments to Huawei and related entities after they were designated on the Entity List in May 2019. SP Industries fully cooperated with an investigation conducted by the New York Field Office, including voluntarily self-disclosing two of the alleged violations. …
SP Industries self-reported to BIS that the violations involving four shipments occurred between May 28 and August 2, 2019, pursuant to errors in its export screening process. Since learning of the apparent violations, SP Industries has instituted new screening and compliance procedures for all orders. As part of its settlement with BIS, in addition to paying an $80,000 penalty, SP Industries agreed to conduct two audits of its compliance system over the next two years and submit the results to Export Enforcement’s New York Field Office. When such audits identify actual or potential violations of the EAR, SP Industries must promptly provide a detailed plan of corrective actions to be taken to BIS, along with documentation related to the compliance concerns. …
The issued Order, along with the related settlement agreement and proposed charging letter, is available here.
BIS’s mission is to advance U.S. national security and foreign policy objectives by ensuring an effective export control and treaty compliance system and promoting continued U.S. strategic technology leadership. Among its enforcement efforts, BIS is committed to preventing U.S.-origin items from supporting Weapons of Mass Destruction (WMD) projects, terrorist activities, or destabilizing military modernization programs.
Executive Office of the President: “Continuation of the National Emergency With Respect to Iran”
(Source: Federal Register, 9 Nov 2021) [Excerpts]
86 FR 62709: Notice
On November 14, 1979, by Executive Order 12170, the President declared a national emergency with respect to Iran pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), and took related steps to deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States constituted by the situation in Iran.
Our relations with Iran have not yet normalized, and the process of implementing the agreements with Iran, dated January 19, 1981, is ongoing. For this reason, the national emergency declared on November 14, 1979, and the measures adopted on that date to deal with that emergency, must continue in effect beyond November 14, 2021. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency with respect to Iran declared in Executive Order 12170. The emergency declared by Executive Order 12170 is distinct from the emergency declared in Executive Order 12957 on March 15, 1995. This renewal, therefore, is distinct from the emergency renewal of March 5, 2021.
Commerce/BIS Posts FAQs for ‘Cybersecurity Items’ and the Export Administration Regulations
(Source: Commerce/BIS, 12 Nov 2021)
The Bureau of Industry and Security has posted 29 Questions & Answers dealing with the export of cybersecurity items. Twenty are posted here, with the answer to the first question. The others can be downloaded from HERE.
(1) What is a ‘cybersecurity item’ for purposes of this rule and the Export Administration Regulations (EAR), and how does this relate to Wassenaar Arrangement (WA) decisions?
Answer: This rule implements multilateral Wassenaar Arrangement (WA) export control decisions regarding certain dual-use items related to “intrusion software” and Internet Protocol (IP) network communications surveillance. The new term ‘cybersecurity item’ refers to these specific items that are now subject to the EAR. In adopting these controls to the EAR, a new license exception Authorized Cybersecurity Exports (ACE) has been created to permit a qualified range of license-free exports of ‘cybersecurity items’ while ensuring U.S. Government licensing review in situations as required by the national security and foreign policy interests of the United States. This includes that License Exception ACE authorizes exports, reexports and transfers (in-country) to the following ‘favorable treatment cybersecurity end users’ located in any non-embargoed / nonsanctioned destination, except in exceptional circumstances where the exporter knows (or has reason to know) that the ‘cybersecurity items’ may be diverted or otherwise misused:
- “U.S. subsidiaries”;
- Providers of banking and other financial services;
- Insurance companies;
- Civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research.
(2) Do the terms “intrusion software” and ‘IP network communications surveillance’ mean the same thing?
(3) What are the Export Control Classification Numbers (ECCNs) of these ‘cybersecurity items’, and where do I find them in the EAR?
(4) Are ‘publicly available’ software and technology related to “intrusion software”, subject to the EAR?
(5) Are non-published, machine-executable exploits (and other forms of proprietary “intrusion software”) ‘cybersecurity items’ subject to the EAR?
(6) I have, or have access to, specialized knowledge about exploits (and other forms of “intrusion software”) that is not “published”. Is that “technology” a ‘cybersecurity item’?
(7) License Exception ACE has certain restrictions related to ‘government end users’ of countries listed in Country Group D:1, D:2, D:3, D:4 or D:5. What is this definition of ‘government end users’ applicable to ‘cybersecurity items’ and License Exception ACE, and where do I find it in the EAR?
(8) When can I export ‘cybersecurity items’ without needing to apply for a license?
(9) What are some situations where License Exception ACE does not authorize the export, reexport or transfer (in-country) of ‘cybersecurity items’?
(10) How would the proposed rule affect software used by multinational companies that monitor their overseas networks?
(11) Will companies be required to share their zero-day exploits with the government in order to get a license?
(12) Doesn’t the rule potentially criminalize hacking?
(13) Mobile phone jailbreaking tools include platforms for delivering intrusion software to the phone. These generally include fully operational exploits including the delivery code. Are such tools subject to control?
“Vulnerability Disclosure” and “Cyber Incident Response”
(14) What are the definitions of “vulnerability disclosure” and “cyber incident response” relevant to ‘cybersecurity items’ and License Exception ACE, and where do I find them in the EAR?
(15) What are some examples of “individuals or organizations responsible for conducting or coordinating remediation”?
(16) When can I export ‘cybersecurity items’ pursuant to “vulnerability disclosure” or “cyber incident response” without needing to apply for a license?
(17) Are there situations where the processes of “vulnerability disclosure” or “cyber incident response” may involve the “release” (or other “export”) of “technology” or “software”, including source code, related to “intrusion software”?
(18) Do I need a license for training someone if the training involves the release of cybersecurity items?
(19) Would prior BIS authorization be required for a researcher to privately disclose an exploit to a vendor outside the U.S. with the understanding that the information would NOT be published?
(20) I am a cybersecurity professional chiefly responsible for my organization’s “cyber incident response” activities. In that capacity, I have been asked to help train and equip the cyber defenders / cybersecurity incident responders (e.g., “Blue Team” and SOC/CSIRT personnel) of a corporate partner of ours, that is headquartered and located in a Country Group D:1 country. In planning for this event, I am informed by my corporate partner that a few Government officials of that D:1 country have been invited to the event, and it is anticipated that these officials may be accompanied by select technical experts who are known to provide consulting services to that Government. Is a license required for me to provide this training, and release information and “software” classified under one or more of the ‘cybersecurity items’ ECCNs related to “intrusion software” to these various participants?
Penetration testing tools and other ‘cybersecurity items’ overlap with Category 5 - Part 2 ‘encryption items’
. . . . .
DoD/DARS: “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward”
(Source: Federal Register, 17 Nov 2021)
86 FR 64100: Rule
* AGENCY: Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DoD).
* ACTION: Advanced notice of proposed rulemaking.
* SUMMARY: This document provides updated information on DoD’s way forward for the approved Cybersecurity Maturity Model Certification (CMMC) program changes, designated as “CMMC 2.0.” CMMC 2.0 builds upon the initial CMMC framework to dynamically enhance Defense Industrial Base (DIB) cybersecurity against evolving threats. The CMMC framework is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats. Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of DoD contract award.
* DATES: November 17, 2021.
* ADDRESSES: Visit the updated CMMC website for CMMC 2.0 updates: https://www.acq.osd.mil/cmmc/.
EU Commission: “2021 Export Control Forum – Registration Open”
(Source: European Commission)
The European Commission and the Slovenian Presidency of the Council are inviting representatives from EU Member States and the European Parliament, industry, academia and civil society to participate in the 2021 Export Control Forum.
The 2021 Export Control Forum will provide an opportunity to discuss the recent export control developments in the EU and globally, including the initial steps for the implementation of the new dual-use regulation, in force as of 9 September 2021.
The 2021 Export Control Forum will be opened by representatives of the Commission, the Presidency and the European Parliament, and will convene selected panels of experts, to be followed by open dialogue with the stakeholders.
- Date: 8 December 2021
- Time: 9:30 – 17:00. Registration will be open at 8:45.
- Venue: Albert Borschette Conference Centre (CCAB) Room 0A. Rue Froissart 36, Brussels
- Language: The conference will be held in English.
- Travel/accommodations/lunch: Participants are responsible for their own travel and accommodation arrangements. Refreshments during the conference and a sandwich lunch will be provided.
- Registration is open. Deadline 3 December end of day.
- Web streaming: The entire event will be web streamed (link to be confirmed).
State/DDTC: “New FAQs: Violations and Disclosures & Debarments, Rescissions, and Reinstatements – – DDTC Public Announcements”
The Directorate of Defense Trade Controls has published several new frequently asked questions on violations and disclosures, debarments, rescissions, and reinstatements. See FAQs here.
* Debarments, Rescissions, Reinstatements FAQs (19 Nov 2021)
- Are individuals who are recipients of grants issued in accordance with the Deferred Action for Childhood Arrivals (DACA) policy of the United States G…
- Can DDTC grant an exception so that a statutorily or administratively debarred party can participate in an ITAR-controlled activity?
- Is the rescission of statutory debarment under ITAR § 127.7(b) the same as the reinstatement of export privileges under ITAR § 127.11? If not, how ca…
- How do I know whether an individual whose name appears on the lists of statutorily or administratively debarred parties is the same as the person I’m …
- What does it mean to be on one of DDTC’s lists of debarred parties?
- How long does my administrative debarment or statutory debarment last? Can I apply to have my administrative or statutory debarment rescinded?
* Violations and Disclosures (22 Nov 2021)
- I’ve received a letter, apparently unrelated to any voluntary disclosure I previously filed, with questions from DDTC asking for information. What sh…
- How does DDTC assign voluntary disclosure case numbers? How long from the sender’s postmark date does it take DDTC to provide the disclosing party with a voluntary disclosure case number?
- How do I submit voluntary disclosure correspondence to the Department of State?
- How can I obtain an extension of time to submit a full voluntary disclosure or other information to DDTC?
- I submitted a voluntary disclosure. How do I find out the status?
- Do I need to wait until a voluntary disclosure case is closed before applying for a DDTC license that is related to the matters disclosed?
- I believe I may have violated the AECA or the ITAR. Am I required to disclose the violation to DDTC?
Treasury/OFAC Expands Syria Nongovernmental Organizations General License
(Source: Treasury/OFAC) [Excerpts]
The Department of the Treasury’s Office of Foreign Assets Control (OFAC) amended the Syrian Sanctions Regulations (SySR) to expand the authorizations for nongovernmental organizations (NGO) to engage in certain transactions and activities. This action — which builds upon the U.S. government’s longstanding humanitarian exemptions, exceptions, and authorizations in the Syria sanctions program — helps ensure the continued provision of humanitarian assistance, including certain early-recovery activities, that benefit the Syrian people. Treasury’s recent sanctions review highlighted the need for continued review of existing authorities to facilitate legitimate humanitarian activity while continuing to deny support to malicious actors.
As part of this commitment, OFAC amended the NGO general license (GL) at § 542.516 of the SySR. The amended GL authorizes NGOs to engage in the following additional transactions and activities in support of certain not-for-profit activities in Syria: new investment in Syria; the purchase of refined petroleum products of Syrian origin for use in Syria; and certain transactions with elements of the Government of Syria. These new transactions and activities are authorized only in support of the not-for-profit activities already authorized under the GL, including humanitarian projects that meet basic human needs, democracy-building, projects supporting education, non-commercial development projects directly benefitting the Syrian people, and activities to support the preservation and protection of cultural heritage sites.
Additionally, the NGO GL authorizes U.S. financial institutions to process transfers of funds in support of the authorized transactions and activities outlined above. This amendment will take effect on November 26, 2021. For more information on what the NGO GL at § 542.516 authorizes, as well as guidance for non-U.S. persons engaging in or facilitating transactions and activities authorized for U.S. persons under the amended GL, please refer to FAQ 937. Additional information on early recovery transactions and activities authorized pursuant to the amended NGO GL can be found in FAQ 938. …
OFAC encourages those interested in providing humanitarian assistance to Syria to avail themselves of the longstanding exemptions and authorizations pertaining to humanitarian assistance, as further described in FAQs 884, 885, and 934. For a summary of the most relevant exemptions, exceptions, and authorizations for humanitarian assistance under the Syria sanctions programs, please refer to the Office of Foreign Assets Control’s COVID-19-related Fact Sheet. Should individuals, governments, or entities have sanctions-related questions about the provision of humanitarian assistance to Syria, or believe additional authorizations are needed, OFAC stands ready to provide guidance and respond to applications for specific licenses.
For transactions not otherwise authorized or exempt from sanctions, OFAC considers license requests on a case-by-case basis and prioritizes applications, compliance questions, and other requests related to humanitarian support. If you have additional questions regarding the scope of any sanctions programs’ requirements, or the applicability or scope of any humanitarian-related authorizations, please contact OFAC’s Sanctions Compliance and Evaluation Division at (800) 540-6322 or (202) 622-2490, or by email at OFAC_Feedback@treasury.gov.
FCC Academy Presents 2022 Webinars Schedule
– U.S. Export Controls: ITAR from a non-U.S. Perspective
Tue, 1 Feb; 15:00 – 17:00 pm (CET) / 09:00 – 11:00 am (EDT)
Register or find info HERE
– The ABCs of Foreign Military Sales (FMS)
Thu, 3 Feb; 15:00 – 17:00 pm (CET) / 09:00 – 11:00 am (EDT)
Register or find info HERE
– U.S. Export Controls: EAR from a non-U.S. Perspective
Tue, 8 Feb; 15:00 – 17:00 pm (CET) / 09:00 – 11:15 am (EDT)
Register or find info HERE
– Designing an ICP for Export Controls & Sanctions
Tue, 1 Mar; 15:00 – 17:00 pm (CET) / 09:00 – 11:00 am (EDT)
Register or find info HERE
– Implementing an ICP for Export Controls & Sanctions
Thu, 3 Mar; 15:00 – 17:00 pm (CET) / 09:00 – 11:00 am (EDT)
Register or find info HERE
– U.S. Export Controls: EAR & ITAR from a non-U.S. Perspective
Tue, 5 Apr; 15:00 – 17:15 pm (CET) / 09:00 – 11:15 am (EDT)
Register or find info HERE
* If you are a past attendee, take advantage of the discounted price! Find more about the applicable discounts on each event’s page.
* If you are interested in a course being scheduled in a different time zone, contact us at firstname.lastname@example.org.