
Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws



  1. Presenting a live 90-minute webinar with interactive Q&A
      Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws
      TUESDAY, MAY 10, 2016
      1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
      Today’s faculty features:
      - Thaddeus R. McBride, Partner, Bass Berry & Sims, Washington, D.C.
      - Christine M. Minarich, Global Trade Compliance Counsel, Raytheon, Dulles, Va.
      - Cheryl A. Palmeri, Esq., Bass Berry & Sims, Washington, D.C.

      The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

  2. Tips for Optimal Quality (FOR LIVE EVENT ONLY)
      - Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-570-7602 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
      - Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

  3. Continuing Education Credits (FOR LIVE EVENT ONLY)
      In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

  4. Program Materials (FOR LIVE EVENT ONLY)
      If you have not printed the conference materials for this program, please complete the following steps:
      - Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
      - Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
      - Double click on the PDF and a separate page will open.
      - Print the slides by clicking on the printer icon.

  5. Export Controls & Cloud Computing Complying with the ITAR and EAR Strafford Publications May 10, 2016

  6. Who We Are
      - Christine Minarich – Global Trade Compliance Counsel, Intelligence, Information & Services, Raytheon Company
      - Thad McBride – Partner, Bass Berry & Sims
      - Cheryl Palmeri – Associate, Bass Berry & Sims

  7. Agenda
      - Introduction
      - Background
      - Current Legal Landscape
      - Compliance
      - Questions / Discussion

  8. Export Controls

  9. Defense Exports
      - International Traffic in Arms Regulations (ITAR)
      - Department of State, Directorate of Defense Trade Controls (DDTC)

  10. Defense Exports (cont’d)
      - Defense articles – provide a critical military or intelligence advantage
      - Technical data
      - Defense services

  11. “Dual Use” Export Controls
      - Commercial items and technology
      - Export Administration Regulations (EAR)
      - U.S. Department of Commerce, Bureau of Industry and Security (BIS)

  12. Export Controls – Key Points
      - Law follows U.S.-origin items
      - “Deemed exports” – technical data / technology
      - Licensing
        - Not required for most dual use exports
        - Required for almost all defense exports
      - ITAR embargoes / tighter controls for certain countries

  13. Economic Sanctions

  14. Sanctions
      - Restrict transactions (e.g., provision of services)
      - U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC)

  15. Sanctions (cont’d)
      - Country-based
        - Comprehensive (e.g., Iran, North Korea, Sudan)
        - Selective (e.g., Burma, Russia / Ukraine)
        - Own Category (Cuba)
      - Specially Designated Nationals (SDNs)
        - Individuals (e.g., terrorists, drug kingpins)
        - Groups (e.g., proliferators, terrorist organizations)

  16. Cloud-Based Applications

  17. What is Cloud Computing? On-demand network access to a shared pool of configurable computing resources

  18. Four Basic Types
      - Public: Provided by service provider to general public
      - Community: Shared by groups from specific community
      - Private: Provided for single organization, and hosted / managed internally or externally
      - Hybrid: Combined deployment of one or more types

  19. Examples
      - Email containing U.S.-origin technical data routed through server in China
      - Access by a foreign national cloud administrator to U.S. military code stored on defense contractor’s system
      - Iranian employee of non-U.S. company accesses data hosted by U.S. cloud service provider

  20. Regulatory Guidance

  21. BIS Advisory Opinions
      - January 13, 2009 / January 11, 2011
        - Provision of cloud computing services not subject to the EAR
        - Cloud service provider is not exporter
      - November 24, 2014
        - Cloud-based storefronts – no export of software

  22. DTAG White Paper
      - Cloud service users have limited visibility and control over how the information is handled
      - Special arrangements with cloud service providers can be expensive and may not meet all of the user’s requirements
      - Recommendations
        - Unclassified / encrypted data – no export
        - Amend definitions of “export” and “technical data” accordingly

  23. Proposed Rules
      - In June 2015, DDTC and BIS proposed to redefine “export” to specifically exclude information that is: (i) unclassified, (ii) secured using acceptable end-to-end encryption, and (iii) not stored in certain problematic countries

  24. Proposed Rules (cont’d)
      - Still an export
        - Providing a foreign national the means to access encrypted data
        - Actual access by a foreign national – even if unintended

  25. Proposed Rules (cont’d)
      - Theoretical access qualifies as an export
      - Require end-to-end encryption
      - Restrict where data can be stored
      - Only originator and recipient can have means to access encrypted data

  26. Differences in Proposed Rules

      | ITAR | EAR |
      | --- | --- |
      | Any release of encryption keys / codes that would allow access is an export | Requires knowledge / reason to know that the release will cause / permit transfer |
      | Encryption must be compliant with FIPS 140-2 and supplemented by U.S. NIST procedures / controls | Allows “other similarly effective cryptographic means” |
      | Technical data cannot be stored in a § 126.1 country or Russia | Technology cannot be stored in a country listed in Country Group D:5 |

  27. Illustrative Comments
      - Export should only occur when an actual transfer takes place, not when theoretically possible
      - Remove 126.1 / D:5 storage restriction or provide safe harbor for contract term
      - Revise “end-to-end encryption” requirement (e.g., accept tokenization)
      - Accept “other similarly effective cryptographic means”

  28. Comments (cont'd)
      - Use EAR knowledge standard
      - Allow that means to access encrypted data can be given to a third-party that is a U.S. person
      - Do “originator” and “recipient” refer to individuals or companies (i.e., are individual certificate keys required)?

  29. Hypothetical
      - Under the proposed revised rules, could a U.S. person employee of a U.S. defense contractor access controlled technical data while traveling in India?
      - Under what circumstances?
      - What compliance steps would be required?

  30. Compliance

  31. Compliance Steps
      - “Traditional” measures:
        - Clear classification of data in cloud zones
        - Incorporate cloud into policies and awareness efforts
        - Ensure cloud agreements address export risks
          - Server locations
          - U.S. person administrators
        - Ensure licenses, other authorizations in place as needed

  32. Compliance (cont’d)
      - “Non-traditional” measures:
        - Continually review evolving legal and regulatory requirements
        - Ensure ongoing monitoring of security technology threats and incidents – adapt accordingly
        - Understand whether cyber security risks, incidents, and reporting have export control implications

  33. Thank You!
      - Christine Minarich, (571) 250-2156, christine.m.minarich@raytheon.com
      - Thad McBride, (202) 827-2959, tmcbride@bassberry.com
      - Cheryl Palmeri, (202) 827-2967, cpalmeri@bassberry.com
