Technology Control Plans July 2014

advertisement
Technology Control Plans
for Cleared Defense
Contractors
Michael Miller
University of Central Florida
Agenda
• TCP Essentials
– What is a TCP?
– Who needs to implement a TCP and when?
– What are the critical elements of a TCP?
• Regulatory Authorities and Agencies
• Developing a TCP - Agency Expectations
• Monitoring Effectiveness
• Training
• Violations
What is a Technology Control Plan?
• A Roadmap of how a company will control its technology. “How to do it”
document that explains how the ITAR, EAR and NISPOM will be carried out.
• Ensures classified defense information (“CI”) or controlled unclassified
information (“CUI”) is not provided to a foreign person (employees, visitors,
affiliates).
• A protection plan to control access to and dissemination of CI and CUI
– Includes information, items, articles and technical data
• Ensures program team are informed, aware, and
understand their obligations and responsibilities.
• Not a replacement for traditional security programs
(SPP), but an enhancement to existing practices.
Core Principles
• Multiple variations of the title “TCP”, content and layout
• Based on corporate policy, federal laws and regulations and facility clearance
requirements
• Identifies the controlled “things” (e.g. CI, CUI, EAR, ITAR, materials, technical
data, and services)
• Proscribes access and dissemination controls of the “things”
• Defines duties and responsibilities
• A TCP is only as strong as the training you provide to the staff who
must execute the plan.
Three Main Parts
1. The Plan
2. Non-Disclosure Statement
3. Acknowledgement
We will get into specific elements found in each section of the plan later.
Types of TCPs
• Facility type plan
– Plan to possess export-controlled or other restricted information
– Your personalized controls not specified in the NISPOM
• Project specific plan
– Implement a security bubble around elements of a program, i.e. access
to various parts of a facility, or compartmentalization methods:
•
•
•
•
Area quarantine
Time blocking
Locked storage and electronic security
Communication security
• Activity-related plan
– Visits, IT systems, launch activities, shared services, etc.
• Person specific plan
– Foreign person employees – a plan for the work activities.
Who Needs a TCP?
• Cleared defense contractors
– FOCI arrangements (in addition to SPP)
– Cleared facilities with foreign persons on-site
• Foreign employees
• Short-term and long-term visitors
– Foreign person export licenses - before transfer of hardware, software,
tech data or defense services
• Uncleared Defense Contractors, Manufacturers,
Distributors, Brokers subject to ITAR/EAR
–
–
–
–
–
Registration Requirement w/ DDTC
ITAR facilities w/ FN employees, visitors, plant visits, shared facilities
Needed even for unlicensed foreign persons w/o access to anything
Required for licensed foreign persons or other Government Approval
Mandated by Proviso / license condition
Who Needs a TCP?
• Service Providers
– Researchers, institutes, universities for unclassified export controlled
information
– Certain exports of Cat XV USML space projects and launch activity
providers
– Certain encryption technology providers
– FMS Freight Forwarders
EAR: “TCPs are a good practice for all holders of export controlled
technology”
Regulatory Authorities
Export Controls Agencies
• U.S. Department of State, Directorate of Defense Trade Controls
– International Traffic in Arms Regulations
• Department of Commerce, Bureau of Industry & Security
– Export Administration Regulations
Department of Defense Agencies
• Department of Defense, Defense Security Service
– National Industrial Security Program
• Department of Defense, Defense Technology Security Administration
– National Defense Authorization Act
•
Public Law 105-261, Title XV
State Department
Arms Export Control Act
• International Traffic in Arms Regulations (“ITAR”) , 22 CFR Parts 120 –
130
• Part 126 “General Policies and Provisions”
– 126.13(c) License applications for foreign person employees: TCP
required when foreign persons are employed at or assigned to securitycleared facilities.
– 126.18(c)(2) Exemptions for Intra-company transfer of unclassified
defense articles to foreign person employees: TCP required as a
condition to use exemption, in addition to complying with other ITAR
requirement (126.1 country prohibition, NDA, screening
for substantive contacts, travel, allegiance, business
relationships, etc.
– 126.5, Supplement 1, Note 14. Canadian Exemptions:
(Revision to Prior TCP Requirement No specific TCP but
rather a semi-annual report to state.
Commerce Department
Export Administration Act
• Export Administration Regulations (“EAR”) , 15 CFR Parts 730 - 744
• Part 752.11, Internal Control Program Requirements
– ICP is the basis for a TCP under the EAR, required for deemed export and
technology exports licenses.
– Essential elements:
• Corporate commitment to export compliance
• Physical security plan
• Information security plan
• Personnel screening procedures
• Training and awareness program
• Self evaluation program
• References:
–
–
http://www.bis.doc.gov/index.php/forms-documents/doc_download/387-intermediate-deemed-exports-pdf
http://www.bis.doc.gov/images/pdfs/deemedexports/foreignationals.pdf
Commerce Department
• Part 734.2(b)(2)(ii) Deemed Exports
– 734.2(b)(2)(ii) Deemed Export: Release of technology is deemed to be to
the home country of the foreign national, e.g. tours, foreign national
employees involved in certain R&D and manufacturing activities, foreign
students/scholars, hosting foreign nationals at your facility.
• Licensing of Deemed Exports: No specific EAR reference to TCP; however,
license requires “safeguards to restrict access” i.e. TCP.
– Required when foreign nationals are employed at or assigned to facilities
that handle export-controlled items or information
– BIS Licensing Guidance - Internal Technology Control Plan - Applicant
should describe measures to prevent unauthorized access by foreign
nationals to controlled technology or software. The measures may
include the applicant’s internal control program to prevent unauthorized
access to controlled technologies or software.
Commerce Department
• License Conditions
– The applicant will establish procedures to ensure compliance with the
conditions of this license, particularly those regarding limitations on
access to technology by foreign nationals. The applicant's key export
control management officials will ensure that the foreign national
complies with conditions 1- 5. A copy of such procedures will be
provided to DoC/BIS.
– The applicant will ensure that the foreign national does not have access
to any unlicensed controlled technology.
– The transfer of controlled technology and software shall be limited to the
minimum needed by the foreign national in his/her role as described in
the license application.
– http://www.bis.doc.gov/images/pdfs/deemedexports/foreignationals.pdf
Defense Technology Security Administration
Arms Export Control Act
• International Traffic in Arms Regulations (“ITAR”) , 22 CFR Parts 120 –
130
• Part 124 “Agreements, Off-Shore Procurement, and Other Defense
Services”
– 124.15(a)(1) Special Export Controls for Defense Articles and Services Controlled Under Cat.
XV “Space Systems and Space Launches”: Technology Transfer Control Plan (TTCP) and
Encryption Technology Control Plan (ETCP) required for use of any exemption, government
approval or for any export license related to Category XV.
– Special processing procedure & rules. DTSA must monitor compliance for proliferation.
– DTSA has a TTCP Development Guideline manual
– Approved by DoD, DOS, DTSA, and NSA.
Note Export Control Reform: Commercial satellites & related items transferring from the ITAR
to the EAR. ITAR will retain primarily military, intelligence, and certain remote sensing satellites)
and related ground systems, components, parts, software, and technical data and defense
services. Services include assistance related to ANY satellite launch, satellite/launch vehicle
integration, and satellite launch failure analysis.
Defense Security Service
• NISPOM 2-307 – Foreign Ownership, Control or Influence (FOCI)
– A TCP shall be implemented by companies cleared under FOCI action
plans that prescribes all security measures to reasonably foreclose the
possibility of inadvertent access by non-U.S. citizen employees and
visitors to information for which they are not authorized.
– Referenced in 22 CFR 126.13(c) (ITAR)
• NISPOM 10-509 – International Visits & Control of Foreign Nationals
– A TCP is required to control access by foreign nationals assigned to, or
employed by, cleared contractor facilities… The TCP shall contain
procedures to control access for all export-controlled information.
• DSS CDSE Webinar on Technology Control Plan under the NISPOM
– http://www.cdse.edu/catalog/webinars/industrial-security/technology-control-plan.html
FOCI Required Plans
• Technology Control Plan
• Affiliated Operations Plan
– Shared Services, e.g. IT, banking, etc.
• Electronic Communications Plan
– IT Systems, Tele/video conferencing
– Ensures no unallowable Technology Transfer
• Visitations Plan
– Foreign / U.S. company meetings
• Facility Location Plan
– Close proximity, shared, and co-located
http://www.dss.mil/isp/foci/foci_info.html
Developing a TCP – Agency Expectations
• Write your own plan and tailor it to your specific situation
• Know what needs to be protected and describe the things that are subject to
agency controls
– Ex. Information, articles, USML, CCL, Classification
• Describe procedures for protection and controls
– Controls should make sense
– If it is in your plan, do it
– Agency specific requirements (e.g. FOCI)
• Designate & empower company officials
– Technology Control Officer / Export Control Officer
– Facility Security Officer
• Educate personnel – critical.
Standard Sections of the Plan
• Introduction (scope, purpose, background, definitions)
• Corporate policy
• Identification of restricted technology
• Protection guidelines
– Physical security
– Personnel security
– Operational security** NSDD-298
– Signal security (if applicable)
– Computer security
– IT Network security
**Deny adversaries export controlled or public info that are unclassified
Standard Sections Cont.
• Licensing Procedures (TAA, MLA, Foreign Person Employees)
• Plant / Site visit
• Foreign travel
• International shipping
• Training requirements
• Recordkeeping
• Accountability and violation penalties
Optional Customized Sections
• Unique facility elements
– Identification of escorted areas
– Unescorted areas
– Segregated work areas
• Identification of team members & responsibilities
– Responsible Company Officials
• Investigation procedures
• Employee Separation
Best Practice Examples
Introductory information
• Introduction, scope, purpose, background, definitions
– Delineates and informs employees and visitors:
• The existence and description of technology controls,
• What areas of the company controls apply, i.e. “territories, divisions,
units” etc.
• Why they are necessary, i.e. “purpose”
• Specific provisions applicable to your company’s defense trade
function or facility clearance, i.e. “DTRADE Registration No.”
• Definition of Terms as they relate to the TCP, i.e. “foreign persons”
Introductory information
Introduction
This Technology Control Plan (“TCP”) delineates and informs employees and visitors of the controls necessary to
ensure that no transfer of technical information or data or defense services occur unless authorized pursuant to
federal regulations.
Purpose and Scope
The purpose of this plan is to describe the methods to 1) identify program activities that are subject to federal
regulatory requirements; 2) identify security responsibilities and requirements of project personnel; 2) establish
methods for the identification and handling of controlled unclassified information (“CUI”); 3) allowable and
unallowable access to the program, data and equipment, monitoring and control protocols, physical and electronic
measures for access, use, storage, transfer and destruction.
The Technology Control Plan (“TCP”) provides guidance on the control of access to classified and unclassified
export controlled information by foreign persons employed by, and long-term foreign national visitors assigned to,
a cleared U.S. contractor facility pursuant to the International Traffic in Arms Regulations (“ITAR”) codified at 22
Code of Federal Regulations (CFR) §§ 120-130, and the Export Administration Regulations (“EAR”) codified at
15 Code of Federal Regulations (CFR) §§ 300 – 799 and the National Industrial Security program operating
Manual (“NISPOM”). A TCP is a roadmap of how UCF will control restricted technology to ensure compliance
with the ITAR, EAR and NISPOM.
Statement of Commitment
• Corporate Directive or policy
– Reference to FCL, NISPOM, federal regulations and other commitments
– Required by the ITAR – corporate commitment
http://www.pmddtc.state.gov/compliance/documents/compliance_programs.pdf
– TCP should reference the corporate directive
– May include specific “foreign person” policy
UCF Statement of Commitment
The University will fully comply with U.S. export control laws while ensuring that, to the extent possible, university
instruction and research is conducted openly and without restriction on participation or publication. As a cleared
defense contractor, UCF is committed to educating its employees, professors, students, researchers or other
collaborators on U.S. export control laws and regulations and their particular application within a university
research setting. As part of the University’s ongoing commitment to export control compliance and education, the
University has established a website at: http://www.research.ucf.edu/ExportControl/ that contains university
export control policies, forms, training modules and reference materials.
Identification of Technology
• Identification and enumeration of restricted technology
– Commodity Jurisdiction determines which regulatory regime and
procedures will govern the activity.
• Security Classification(s)
• U.S. Munitions List Category and Subcategory
• Export Control Classification Number (“ECCN”)
Identification of Technology
• U.S. Munitions List Category and Subcategory
Export Control Jurisdiction, Classification and Categorization
UCF will create, generate, require access, or receive technical data or defense articles regulated by the Arms Export
Control Act (“AECA”) and subject to the federal restrictions specified in the ITAR in performance of this
program. This TCP details the mitigation techniques UCF will implement to comply with the ITAR requirements.
The Principal Investigator (PI) and Approved Project Personnel are required by law to conform to the minimum
security requirements to ensure that controlled defense services, articles, and technical data or controlled
commodities are adequately protected from disclosure. The applicable United States Munitions List (“USML”)
Category and subcategory classifications are:
Category IX: Military Training Equipment & Training, (a), (b), (d), (e)
(a) Training equipment specifically designed, modified, configured or adapted for military purposes, including but not limited to weapons system trainers, radar trainers,
gunnery training devices, antisubmarine warfare trainers, target equipment, armament training units, pilot-less aircraft trainers, navigation trainers and human-rated
centrifuges.
(b) Simulation devices for the items covered by this subchapter.
(c) Tooling and equipment specifically designed or modified for the production of articles controlled by this category.
(d) Components, parts, accessories, attachments, and associated equipment specifically designed, modified, configured, or adapted for the articles in
paragraphs (a), (b) and (c) of this category.
(e) Technical data (as defined in Sec. 120.10 of this subchapter) and defense services (as defined in Sec. 120.9 of this subchapter) directly related to the
defense articles enumerated in paragraphs (a) through (d) of this category.
(f) The following interpretations explain and amplify terms used in this category and elsewhere in this subchapter:
(1) The weapons systems trainers in paragraph (a) of this category include individual crew stations and system specific trainers;
(2) The articles in this category include any end item, components, accessory, part, firmware, software or system that has been designed or manufactured
using technical data and defense services controlled by this category;
(3) The defense services and related technical data in paragraph (f) of this category include software and associated databases that can be used to simulate
trainers, battle management, test scenarios/models, and weapons effects. In any instance when the military training transferred to a foreign person does not
use articles controlled by the U.S. Munitions List, the training may nevertheless be a defense service that requires authorization in accordance with this
subchapter. See e.g., Sec. 120.9 and Sec. 124.1 of this subchapter for additional information on military training.
Physical Security
• Cross-reference with SPP if necessary
• Facility layout with diagram
• Physical barriers and separators
– Building access
– Locking requirements
– Offices, doors, file cabinets
– Production, lab, manufacturing areas
– Visual access inhibitors
• Badges and badging
– Employee
– Visitor
– Foreign person
– Contractor
• Key control – log of who has what keys / electronic combinations
Badges & Badging
• Example
Personnel Security
• Written employee responsibilities
– Can be broken down by function or division (general employee,
supervisor, engineer, business development, security, HR, etc.)
• Foreign person in-residence responsibilities
– Licensing procedures
– Indoctrination procedure
– Monitoring
– Separation
• Third party responsibilities
– Custodian, maintenance, delivery, building management
• Random personnel inspections
– Entering and exiting the facility
– Bags, parcels, media, electronic devices
– Notification posted on premises
Example – Foreign Person Disclosure
Example - Indoctrination
Example - Responsibilities
Access Control
• Procedures for controlling and restricting access to:
– Work areas
– Information
• Uncontrolled and public
• Controlled
• Classified
• Proprietary
• Derived information
• Storage, destruction, transmission, dissemination
“All information that needs to be protected must be appropriately
marked or otherwise identifiable to all personnel”
– Equipment, hardware, production facilities, etc.
Example – Identification of Information
Example - Hardware
Access Controls
Site Visits
• Plant and site visit procedures
– Pre-visit screening
– In-processing, log, facility notification, badging & briefing
– Host escort and acknowledgement
Escorts
• Escorts are responsible and must be trained
• Must be able to control visitors at all times
• Do not allow wandering, pictures, embarrassing incidents, unannounced
changes, unannounced visitors, video crews, misinterpretations, multiple
requests, etc.
• Waiting room areas can be designated “safe harbor”
• Lock-up restricted information / articles
Escorts
The PI and approved project personnel will ensure that foreign nationals are not present
when measurement is taking place. All foreign persons must be are escorted within the
lab area. Foreign nationals are not permitted independent, unescorted 24 hour access to a
work area until such time as all export controlled activity has ceased.
Computer & Network Security
• Computer security
– Use NIST standard as a baseline
– User IDs, login, passwords, encryption, etc.
– Company email only, no clouds
• IT Network security
–
–
–
–
Procedures to maintain control of networked systems
Domain access restrictions
Repository (fileserver) for restricted CUI, proprietary, trade secret
Drawings, configuration management
NDA
TCP Acknowledgement
TCP Acknowledgement
SUBJECT: Attestation of Understanding and Compliance Agreement with the Technology Control Plan
Section 1: To be completed after initial ITAR Training
I, [Project Team Member], having read the subject Technology Control Plan, attest to my understanding of the following
responsibilities:
a.
I will refrain from sharing the research project’s Critical Information (CI) with personnel who are not part of the contract or
university research teams performing under contract Number [Number]
b.
I will notify my Principal Investigator (PI) of any inadvertent disclosures
c.
I will comply with the management controls and Te3chnology Control Plan countermeasures prescribed in the Plan.
__________________________________
_______
[Project Team Member]
________
___________________________________
Date
Date
Dr. [Name], Professor
Section 2: To be completed upon exit from the research project
I attest to my understanding that my obligation to protect the project’s Critical Information (CI) and Export Controlled technical
data continues past my association with the project. I acknowledge that I am required to follow the same countermeasures to protect that
information after my association with this project has concluded.
__________________________________
_______
[Project Team Member]
________
___________________________________
Date
Date
Dr. [Name], Professor
Monitoring
• Internal Self Assessment
– Annual review of TCPs should be conducted
– Checklist of items, measures and benchmarks that should be reviewed
• Employee knowledge
• Adherence to access procedures
• Corrective action plan for findings uncovered
• Penalties for violations must be enforced
• Recurring Training
– Personnel subject to TCP should be trained annually
– Training should review policy, procedure, legal requirements and TCP
protocols
TCP Violations
• Procedure for handling violations
Investigation will consist of three phases:
1. Data preservation
a. Notify necessary parties of the investigation
b. Require parties to preserve all materials related to the subject matter
c. Categorize and review the types of information and documents relevant to the
investigation
d. Demand strict compliance with data preservation
e. Inform parties of how information should be preserved
f. Designate a Point of Contact
2. Data collection and review
a. Document preservation and collection interviews
b. Collection and review of paper and electronic data
3. Interviews of relevant employees / participants
a. Following collection, review and organization of data, interviews with all relevant
parties will be conducted.
b. A formal memo and summary of all interviews will be prepared
Upon conclusion of data collection, interviews and evaluation, a formal report will be prepared.
Facts developed during the course of the investigation are important for VSD purposes in addition
to university decision-making. Contents of the report will include:
1.
2.
3.
4.
5.
Description of the subject and scope of the investigation
Description of each phase of the investigation, including all efforts
A chronology of the facts developed via the investigation
A description of remedial measures undertaken
A description of proposed corrective/preventative actions
Self-Disclosure
• Regulatory Requirements 127.12(c)(2)
(i) A precise description of the nature and extent of the violation (e.g., an unauthorized shipment, doing
business with a party denied U.S. export privileges, etc.);
(ii) The exact circumstances surrounding the violation (a thorough explanation of why, when, where, and
how the violation occurred);
(iii) The complete identities and addresses of all persons known or suspected to be involved in the activities
giving rise to the violation (including mailing, shipping, and e-mail addresses; telephone and fax/facsimile
numbers; and any other known identifying information);
(iv) Department of State license numbers, exemption citation, or description of any other authorization, if
applicable;
(v) U.S. Munitions List category and subcategory, product description, quantity, and characteristics or
technological capability of the hardware, technical data or defense service involved;
(vi) A description of corrective actions already undertaken that clearly identifies the new compliance
initiatives implemented to address the causes of the violations set forth in the voluntary disclosure and any
internal disciplinary action taken; and how these corrective actions are designed to deter those particular
violations from occurring again;
(vii) The name and address of the person making the disclosure and a point of contact, if different, should
further information be needed.
Contact Information
Mike Miller
Assistant Director for Export Controls
University of Central Florida
EM: Michael.Miller@ucf.edu
PH: 407-882-0660
Download