Introduction
What is Supply Chain Risk Management?
The defense and national security industry includes companies that ship sensitive technologies, handle classified information and support key national security infrastructure. All these companies are required to routinely check their supply chain for bad actors and/or ensure they are appropriately tracking the end use of sensitive technology and information.
Governments enforce strict laws and regulations relating to the export of controlled goods, technologies and services for strategic trade. This enforcement regime is often referred to as strategic trade controls (STC).
Additionally, the U.S. aggressively protects classified information associated with controlled goods and technologies through the Defense Counterintelligence and Security Agency (DCSA) and its National Industrial Security Program (NISP). Contractors who carry facility clearance levels (FCL) for access to classified information have greater obligations for reporting suspicious inquiries or contacts to DCSA. Companies with both FCLs and engage in exporting controlled goods and technologies have perhaps the highest national security compliance requirements.
Many defense contractors with FCLs are unwitting targets of foreign malign state actors such as China, Russia, North Korea and Iran that aggressively seek controlled commodities and/or classified technologies. The suspicious inquiries come in the form of emails, RFQs, bid proposals, pricing requests and other seemingly routine business inquiries. The procurement networks working for malign state actors operate businesses across the globe and are adept at disguising the actual end use and end user for the controlled commodity/technology.
Additionally, cleared contractors need to be aware of the Deemed Export concept, that includes the release of technology subject to export restrictions to a foreign national regardless of where the transfer takes place. This can include transfer of sensitive technology designs, blueprints, specifications as well as verbal descriptions of the sensitive technology.
The suspicious inquiries are often ignored by contractors even though they can provide tremendous value to DCSA and its partner enforcement agencies. The challenge then is for the cleared industry to identify the small number of suspicious inquiries from legitimate business inquiries they receive and report them to DCSA as required by the NISPOM (paragraph 1-302b).
Why is SCRM important for DCSA-cleared contractors?
The cleared industry and their trade partners - subcontractors, manufacturers, shippers, consignees or other entities involved in the supply chain - should employ the highest level of due diligence in reviewing their transactions to avoid compliance problems for controlled goods and possible risk to their Facility Clearance (FCL). “The technology and information resident in U.S. cleared industry is under constant and pervasive threat from foreign intelligence entities seeking to gain the technological edge.” Some of the primary reasons for effective risk management practices are summarized below:
- National Security: Preventing transactions with denied parties or watch listed entities that pose a threat to national and global security. Export enforcement programs prevent the proliferation of weapons of mass destruction and destabilizing accumulation of conventional weapons and related material. NISPOM helps protect the “crown jewels” of the U.S. defense sector and prevent grave damage to our national security.
- Economic Security: Protecting national trade competitiveness and supporting foreign policy objectives while maintaining innovation in strategic trade for advanced technologies.
- Global Security: Implementing effective export controls and due diligence best practices supports national contributions to global security – a safe international supply chain is only as effective as its weakest link and malign actors exploit those weak leaks.
- Preventing the introduction of sub-standard or counterfeit components into the U.S. defense industry supply chain.
Failure to adhere to DCSA / NISPOM guidelines could result in revocation of Facility Clearances and the ability to handle classified information.
Strategic trade control regulations apply based on three core areas:
- The entity/person, organization or destination that is receiving the goods.
- The type of commodity, technology or service that is being exported.
- The end-use or application of the item being exported may cause that export to be controlled. Applications (use) such as military end-use, use in chem/bio weapons, nuclear applications, missile technology and other areas. The controls are known as “catch all” controls.
What are the rules you need to adhere to?
There are several export control rules and NISPOM regulations. The primary statutes and regulations are listed below but the trade community should be aware several other statutes pertaining to money laundering, conspiracy, and false statements can be additionally charged for egregious, willful violations:
|
Item #
|
Statute / Regulation
|
Description
|
Enforcement Agencies
|
Max Civil Penalty
|
Max Criminal Penalty
|
|
1.
|
Export Control Reform Act 2018 - 50 USC 4801-4852 / Export Administration Regulations - 15 CFR 730 - 744
|
Regulates the export control, the export and re-export of commercial and dual use (commercial and military/security applications) items
|
Homeland Security, Commerce, FBI
|
$300,000 per violation or twice value of transaction
|
Up to 20 years and $1,000,000
|
|
Example: Drone technology can be used militarily, commercially or as for a hobby. Export licenses are required based on the end-use/user. Failure to obtain a license - whether knowingly or unknowingly can lead to severe criminal and civil penalties. Additionally, the transmission of sensitive information about the manufacture of this technology could be classified as a deemed export and incur a penalty to the transmitter of the information.
|
|
2.
|
Arms Export Control Act - 22 USC 2778 / International Traffic in Arms Regulations (ITAR) - 22 CFR 120-130
|
Controls the export and temporary import of military goods
|
Homeland Security, Commerce, FBI
|
$1,200,000 per violation
|
Up to 20 years and $1,000,000 per violation
|
|
Example: Parts for a ballistic missile, covered by the Missile Technology Control Regime, can be exported with a license to certain countries / regions. However, it cannot be exported to certain end users or regions/countries at any time without a license. Should the commodity be shipped, knowingly or unknowingly, the manufacturer, shipper, freight-forwarder and others in the supply chain can be criminally charged.
|
|
3.
|
Sanctions Statutes (Multiple - https://ofac.treasury.gov/additional-ofac-resources/ofac-legal-library/united-states-statutes)
|
Sanctions related statutes / regulations related to people, organizations and regions
|
Department of Treasury, HSI, DOJ, OEE
|
Up to $356,579
|
Up to 20 years and $1,000,000
|
|
Example: If a company transacts with a sanctioned individual, company or entity - such as a listed Russian oligarch, they may be liable to penalties.
|
|
4.
|
32 CFR Part 117 - National Industrial Security Program Operating Manual (NISPOM Rule)
|
Provides industrial security policy for contractors; ensures uniform implementation of the national security policy
|
DCSA
|
Revocation of ability to handle sensitive / classified information
|
N/A
|
|
Example: If a cleared contractor were to violate any of the regulations included in this table, fail to secure classified information appropriately or violate secure facility processes and procedures, this could result in the revocation of their facility clearance and ability to handle sensitive / classified information.
|
|
5.
|
Espionage Act, Gathering, transmitting or disclosing defense information 18 U.S. Code § 793 - Additional related statutes exist - see Link
|
Relates to the gathering, transmitting or disclosing of defense information that could affect national security
|
DCSA
|
Forfeitures
|
Imprison not more than ten years
|
|
Example: If personnel on a classified or sensitive government contract were to disclose information to known foreign adversaries - such as the location of confidential informats or the plans for a weapon systems - they would be violating the Espionage act and could be charged.
|
How does BITE Help?
The BITE Playbook, available in the BITE app, helps you navigate these regulatory requirements and quickly understand which agencies enforce what regulations associated with your specific transaction.
BITE Data: our BITE Playbook maps directly to watchlists, Harmonized Schedule codes and commodity screening lists, allowing you to quickly check a commodity or person against the extensive filters in our platform.
Training Modules: BITE Export Compliance Training - gets access to concise, easy-to-follow tutorials and guidelines
BITE Data Mapping
|
BITE Module
|
Whats included
|
Relevance to Import Compliance
|
|
Watchlists
|
40,000 + entities from official worldwide sanctions and watchlists
|
By reviewing entities in your supply chain and checking them against the BITE Watchlists, you will show due diligence in complying with US sanctions regulations, and therefore assist a user in complying with item 3 in the table above.
|
|
BITE list
|
300,000+ politically exposed persons, transshipers and 2nd/3rd tier relationships with sanctioned entities
|
Exporters can perform enhanced due diligence and risk management actions in order to secure their supply chain and make sure their commodities are not ending in the wrong hands.
|
|
BITE Trade Protection
|
Commodity control lists related to multiple agencies
|
The Trade Protection module allows users to search for a commodity and identify export-related controls such as ITAR, US Munitions List (USML), ECCNs, TARIC mapping and more and therefore assist a user in complying with items 1 and 2 in the table above.
|
Cleared contractors are required to report any suspicious inquiries - regardless of the intent of the inquiry - to DCSA immediately and inform their Facility Security Officer.
DCSA Contract Information: https://www.dcsa.mil/Contact/
For additional information from DCSA, please reference the following:
DCSA / NISP Tools and Resources: https://www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/NISP-Tools-Resources/
NISP Handbook: https://www.dcsa.mil/Portals/91/Documents/CTP/nispom/self_inspect_handbook_nisp.pdf
DCSA Security Training: https://www.dcsa.mil/About-Us/Directorates/Security-Training/
.png)
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}