Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws


Presenting a live 90-minute webinar with interactive Q&A

Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws

Tuesday, May 10, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific


SLIDE 1


Today’s faculty features:


• Thaddeus R. McBride, Partner, Bass Berry & Sims, Washington, D.C.
• Christine M. Minarich, Global Trade Compliance Counsel, Raytheon, Dulles, Va.
• Cheryl A. Palmeri, Esq., Bass Berry & Sims, Washington, D.C.


SLIDE 5

Export Controls & Cloud Computing: Complying with the ITAR and EAR

Strafford Publications, May 10, 2016

SLIDE 6

Who We Are

• Christine Minarich – Global Trade Compliance Counsel, Intelligence, Information & Services, Raytheon Company
• Thad McBride – Partner, Bass Berry & Sims
• Cheryl Palmeri – Associate, Bass Berry & Sims

SLIDE 7

Agenda

• Introduction
• Background
• Current Legal Landscape
• Compliance
• Questions / Discussion

SLIDE 8

Export Controls

SLIDE 9

Defense Exports

• International Traffic in Arms Regulations (ITAR)
• Department of State, Directorate of Defense Trade Controls (DDTC)

SLIDE 10

Defense Exports (cont’d)

• Defense articles – provide a critical military or intelligence advantage
• Technical data
• Defense services

SLIDE 11

“Dual Use” Export Controls

• Commercial items and technology
• Export Administration Regulations (EAR)
• U.S. Department of Commerce, Bureau of Industry and Security (BIS)

SLIDE 12

Export Controls – Key Points

• Law follows U.S.-origin items
• “Deemed exports” – technical data / technology
• Licensing
  • Not required for most dual use exports
  • Required for almost all defense exports
• ITAR embargoes / tighter controls for certain countries

SLIDE 13

Economic Sanctions

SLIDE 14

Sanctions

• Restrict transactions (e.g., provision of services)
• U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC)

SLIDE 15

Sanctions (cont’d)

• Country-based
  • Comprehensive (e.g., Iran, North Korea, Sudan)
  • Selective (e.g., Burma, Russia / Ukraine)
  • Own Category (Cuba)
• Specially Designated Nationals (SDNs)
  • Individuals (e.g., terrorists, drug kingpins)
  • Groups (e.g., proliferators, terrorist organizations)

SLIDE 16

Cloud-Based Applications

SLIDE 17

What is Cloud Computing?

On-demand network access to a shared pool of configurable computing resources

SLIDE 18

Four Basic Types

• Public: Provided by service provider to general public
• Community: Shared by groups from specific community
• Private: Provided for single organization, and hosted / managed internally or externally
• Hybrid: Combined deployment of one or more types

SLIDE 19

Examples

• Email containing U.S.-origin technical data routed through server in China
• Access by a foreign national cloud administrator to U.S. military code stored on defense contractor’s system
• Iranian employee of non-U.S. company accesses data hosted by U.S. cloud service provider

SLIDE 20

Regulatory Guidance

SLIDE 21

BIS Advisory Opinions

• January 13, 2009 / January 11, 2011
  • Provision of cloud computing services not subject to the EAR
  • Cloud service provider is not exporter
• November 24, 2014
  • Cloud-based storefronts – no export of software

SLIDE 22

DTAG White Paper

• Cloud service users have limited visibility and control over how the information is handled
• Special arrangements with cloud service providers can be expensive and may not meet all of the user’s requirements
• Recommendations
  • Unclassified / encrypted data – no export
  • Amend definitions of “export” and “technical data” accordingly

SLIDE 23

Proposed Rules

• In June 2015, DDTC and BIS proposed to redefine “export” to specifically exclude information that is: (i) unclassified, (ii) secured using acceptable end-to-end encryption, and (iii) not stored in certain problematic countries

SLIDE 24

Proposed Rules (cont’d)

• Still an export
  • Providing a foreign national the means to access encrypted data
  • Actual access by a foreign national – even if unintended

SLIDE 25

Proposed Rules (cont’d)

• Theoretical access qualifies as an export
• Require end-to-end encryption
• Restrict where data can be stored
• Only originator and recipient can have means to access encrypted data

SLIDE 26

Differences in Proposed Rules

ITAR | EAR
Any release of encryption keys / codes that would allow access is an export | Requires knowledge / reason to know that the release will cause / permit transfer
Encryption must be compliant with FIPS 140-2 and supplemented by U.S. NIST procedures / controls | Allows “other similarly effective cryptographic means”
Technical data cannot be stored in a § 126.1 country or Russia | Technology cannot be stored in a country listed in Country Group D:5

SLIDE 27

Illustrative Comments

• Export should only occur when an actual transfer takes place, not when theoretically possible
• Remove 126.1 / D:5 storage restriction or provide safe harbor for contract term
• Revise “end-to-end encryption” requirement (e.g., accept tokenization)
• Accept “other similarly effective cryptographic means”

SLIDE 28

Comments (cont'd)

• Use EAR knowledge standard
• Allow that means to access encrypted data can be given to a third party that is a U.S. person
• Do “originator” and “recipient” refer to individuals or companies (i.e., are individual certificate keys required)?

SLIDE 29

Hypothetical

• Under the proposed revised rules, could a U.S. person employee of a U.S. defense contractor access controlled technical data while traveling in India?
• Under what circumstances?
• What compliance steps would be required?

SLIDE 30

Compliance

SLIDE 31

Compliance Steps

• “Traditional” Measures:
  • Clear classification of data in cloud zones
  • Incorporate cloud into policies and awareness efforts
  • Ensure cloud agreements address export risks
  • Server locations
  • U.S. person administrators
  • Ensure licenses, other authorizations in place as needed

SLIDE 32

Compliance (cont’d)

• “Non-traditional” measures:
  • Continually review evolving legal and regulatory requirements
  • Ensure ongoing monitoring of security technology threats and incidents – adapt accordingly
  • Understand whether cyber security risks, incidents, and reporting have export control implications

SLIDE 33

Thank You!

Christine Minarich
(571) 250-2156
christine.m.minarich@raytheon.com

Thad McBride
(202) 827-2959
tmcbride@bassberry.com

Cheryl Palmeri
(202) 827-2967
cpalmeri@bassberry.com