International Aspects of U.S. Government Procurement
Erin Felix, Government Contracts Attorney
Luis F. Arandia, Jr., International Trade and Customs Attorney
National Contract Management Association - San Diego Chapter
March 12, 2020

Overview
• Export Controls & Sanctions Basics
  • EAR & ITAR General Overview
  • Encryption & Huawei Controls
  • OFAC Sanctions
• Trade Agreement Issues
  • BAA / TAA / Berry
  • USMCA & Tariffs
• Other Supply Chain Issues
  • FARS/DFARS Prohibitions

Export Controls Basics

Overview of U.S. Government Export Laws
• Exports are highly controlled for various reasons
  • National Security
  • Trade Secrets
  • Statistics

Who Controls U.S. Exports?
U.S. Department of Commerce, Bureau of Industry and Security (BIS)
• Export Administration Regulations (EAR)
• Dual-use items and lower level military
• Commerce Control List (CCL)
U.S. Department of State, Directorate of Defense Trade Controls (DDTC)
• International Traffic in Arms Regulations (ITAR)
• Defense articles, or items
• United States Munitions List (USML)

Who Controls U.S. Exports?
Homeland Security, U.S. Customs and Border Protection
• “Police” the borders
• Enforce exports at all U.S. borders
Department of Commerce, Census Bureau
• Collects and reports trade statistics
Department of Treasury, Office of Foreign Assets Control
• Enforces U.S. mandated embargoes and sanctions

Structure of the EAR and ITAR
• The Export Administration Regulations (EAR)
  • 15 CFR Parts 730-744
  • Commerce Control List (CCL)
• The International Traffic in Arms Regulations (ITAR)
  • 22 CFR Parts 120-130
  • U.S. Munitions List (USML)

EAR
• Dual Use Goods
  • Commercial items that can also be used in a military application
• “600” series items
  • ITAR controlled items that moved to the EAR as a result of export control reform
  • Require a license or exemption to export

ITAR
• Hardware
  • Rockets, fighter jets, body armor, etc.
• Technical Data and Software
  • Drawings
  • Schematics
  • User manuals
  • Mission management software

ITAR - Defense Services
• Furnishing to foreign persons:
  • Assistance (including training) in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles
  • Technical data
  • Military training whether in person or by correspondence and using all types of media.
• Consulting, engineering services, training

EAR vs. ITAR - Registration
• ITAR Registration Required
  • All manufacturers, exporters, temporary importers, and brokers of defense articles.
  • Occurs annually.
  • Requires a fee of $2250 plus additional fees for each license application.
• No EAR Registration Required

What is an Export?
• Exports
  • Tangible – shipments through US port via air, ocean, truck, rail, mail, etc.
  • Intangible – electronic transfers (including email, fax and downloads); verbal discussions; technical assistance
• Re-Exports
  • Shipments from one foreign country to another of US-origin goods, or foreign made goods containing certain US-origin parts, components or materials
• In-Country Transfers
  • Shipment from a party in one country to another party in the same country

Technology and Deemed Exports
• Technical information or “technology” relating to a controlled product is also controlled under the export regulations:
  • Drawings
  • Manuals
  • Blueprints
  • Photographs
  • Instructions

Recordkeeping
• Parties are required to keep export records for five years from the latest date of export or reexport activity from the U.S.
The latest date of such export or reexport activities includes:
• The date of any known reexport, transshipment, or diversion of such export
• The date of any termination of the transaction, whether formally in writing or by other means
• In the case of records pertaining to transactions involving restrictive trade practices or boycotts, the date the regulated person receives the boycott-related request or requirement

Unauthorized End Users / End Uses
• Exporters responsible for conducting due diligence to ensure export is not destined for prohibited end-use, end-user, or destination
• You cannot proceed with a transaction with knowledge that a violation of the export regulations is occurring or is about to occur
• “Knowledge” does not always mean “you knew”
  • It also means you “should have known”
  • Cannot self blind
• “Know Your Customer” and “Red Flag” Guidance on BIS website

BIS Encryption Controls

Encryption Overview
• Products employing encryption technologies or functionalities are generally controlled under the Export Administration Regulations (EAR).
• Category 5, Part 2 of the EAR Commerce Control List covers:
  • Cryptographic Information Security (ECCNs 5A002 and 5A992); (e.g., items that use cryptography)
  • Non-cryptographic Information Security (ECCN 5A003); and
  • Defeating, Weakening or Bypassing Information Security (ECCN 5A004)

Key Terms and Questions
• “Cryptography” - The discipline that embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification or prevent its unauthorized use.
• “Cryptography” is limited to the transformation of information using one or more ‘secret parameters’ (e.g., crypto variables) and/or associated key management.
• Is the product designed to use cryptography/encryption OR does it contain cryptography/encryption, whether from your company or third-party sources?

Deemed Encryption Exports
• Releases of controlled technology to foreign persons in the U.S. are "deemed" to be an export to the person’s country or countries of nationality.
• Increased scrutiny of deemed exports
  • Specify ECCNs to the sub-paragraph level and provide justification
  • Have a comprehensive Technology Control Plan and supplement as needed
  • Provide technology roadmap and business plan updates as needed.

Encryption Items NOT Subject to EAR
Publicly Available
• Encryption items that are publicly available are not subject to the EAR. Sections 734.3(b)(3) and 734.7 define what is publicly available and published. Common examples are free apps posted online or mass market software available as a free download.
• An App made for a smartphone or computer that meets the Mass Market criteria and is made available free of charge would be considered "publicly available."
• Open source encryption source code available for free online.

ECCN 5A002.a
To be controlled in 5A002.a, an item must have “information security” as a primary function; be digital communications or networking systems; or be computers or other items having information storage or processing as a primary function.
5A002.a (and equivalent software under 5D002 c.1) applies to items that:
i. Use ‘cryptography for data confidentiality’; and
ii. Have ‘in excess of 56 bits of symmetric key length, or equivalent’; and
iii. Have cryptography described in 1 and 2 above where the cryptographic capability is usable, activated, or can be activated by means of "cryptographic activation" not employing a secure mechanism; and
iv. Are described under 5A002 a.1 – a.4; and
v. Are not described by Decontrol notes.

Examples of Items Not Controlled
• Research/Scientific/Analytical
  • Business process management and business process abstraction and modeling
  • Scientific visualization tools
• Business/Systems Applications
  • Business process automation - process planning, supply chain management
  • Transportation - safety and maintenance, public transit operations
  • Industrial, manufacturing or mechanical systems - robotics, utilities
  • Academic instruction and testing tools and software
  • Applied geosciences - mining/drilling, mapping/surveying

BIS Cloud Carve-Out
• What encryption standard is required?
  • National Institute of Standards and Technology (NIST) https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
  • Federal Information Processing Standards Publication 140-2 (FIPS 140-2)
• End-to-end encryption
  • Stays encrypted between originator and recipient (uninterrupted)
  • Originator does not provide to third party
  • Encrypted when it crosses a border
  • Originator and recipient may be the same person
• Mere ability to access encrypted technology / software is not a release

BIS Controls on Huawei

Huawei & U.S. Government Indictment
• Huawei Technologies Co., Ltd. (Huawei) is world’s largest telecommunications equipment manufacturer.
• The U.S. Government has determined that there is reasonable cause to believe that Huawei has been involved in activities contrary to the national security or foreign policy interests of the United States.
• Huawei indicted in U.S. District for Eastern District of New York for allegedly violating OFAC Iran sanctions.

BIS Entity List
• On May 16, 2019, BIS added Huawei and 68 non-US affiliates to the Entity list for stealing intellectual property.
• Prohibits both US and non-US companies from exporting, reexporting or transferring any item subject to the EAR to Huawei and listed affiliates
  • Includes commodities, technology and software
  • Includes a Temporary General License (TGL)
• BIS imposes a license requirement for all items subject to the EAR and a license review policy of presumption of denial. Similarly, no license exceptions are available for exports, reexports, or transfers (in-country) to the persons added to the Entity List

Temporary General License
• Temporary General License (TGL) effective May 20, 2019 with renewed expiration dates (currently April 1, 2020).
• Transactions in place prior to May 16, 2019 necessary to maintain and support Huawei’s