Last Updated on January 25, 2023
US government contractors in the defense industrial base (DIB) and other sectors are facing inexorable pressure to demonstrate their ability to protect controlled unclassified information (CUI) in compliance with regulations, notably NIST 800-171 and soon the Cybersecurity Maturity Model Certification v2 (CMMC). But all CUI is not created equal—and neither are the penalties for mishandling it.
CUI is broadly categorized as either CUI Basic or CUI Specified., with the latter being more sensitive and subject to a greater degree of control. Especially for DIB orgs dealing with weapons systems or programs, a critically important CUI Specified marking to be aware of is Export Controlled (EXPT).
What is export controlled data, how do you identify it, and why should you be especially concerned about it?
To make business and security leaders aware of lurking CUI issues and risks, Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen, joined a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
ITAR and EAR
A big challenge for USG contractors around CUI Specified is that much of it is not correctly labeled. Yet its specific classification is critical to protecting it and to avoiding potentially severe penalties impacting not just the org but also its senior executives. Export violations can lead to far stiffer penalties than failure to protect “plain” CUI.
The key questions are: 1) Whether CUI is export controlled, as noted above; and 2) If yes, does it fall under that International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR)?
Stephanie explains: “The CUI categories directory doesn’t distinguish [between ITAR and EAR]—it just says EXPT for export controlled. That is a problem for contractors because there are different requirements for ITAR versus EAR. Under ITAR, anything that leaves the US or is transferred to a foreign person would require an export license. But that’s not the case for EAR. Whether a license is required under the EAR takes a more detailed analysis as to the country or nationality of the end user, and the end use.”
“You should be working with whoever in your company is in charge of export compliance, and/or your in-house counsel to make those determinations,” Stephanie adds. “And that’s why it’s so important that you find out from the contract officer or the prime if you’re a sub—how is this classified? Is it under the ITAR or under the EAR? If you’re given the information to hold, you are required in your contract to protect it if it’s CUI.”
Erring on the side of caution
Penalties for knowingly and willfully failing to protect export controlled data can range up to a 20-year felony sentence. Ignorance of the data’s marking might offer your execs some protection from criminal liability, but not from sanctions targeting your company for failing to comply with your contract.
With CUI in general, John often tells clients, “If you’re not sure you have CUI, it doesn’t matter. Do you have a DFARS 7012 clause [in your contract]?”
But with export controlled CUI, there may not always be an equivalent “smoking gun” in your contract to forewarn you about ITAR compliance requirements. Especially if you’re working on weapons systems, you need to proactively drill into your data.
Stephanie advises: “If you’re working on a military contract and the parts are going into a missile, for instance, my presumption would be that it’s ITAR. But if you’re working on something that involves nuclear, they could be controlled under the commerce control list [EAR].”
If there is any question or unclarity, Stephanie advises erring on the side of caution: “If you work on a military contract, the likelihood is that it is going to be controlled under the ITAR. You should be asking the contracting officer. And if they’re giving you an answer like, ‘It’s controlled under either the ITAR or the EAR,’ that’s not worth the paper it’s written on. That’s ridiculous because there is a [classification] under the EAR called EAR99 that has no export license requirements.”
That’s why it’s so important to find out for sure what export controlled data you have, whether it is regulated under ITAR or EAR, and what your specific obligations are to protect it.
Ready to hear this podcast show with Stephanie Siegmann? Click here.
Do you have a DFARS 7012 clause in your US Department of Defense (DoD) contract? Here’s what that means: What Every DIB Org Needs to Do NOW If You Have a DFARS 7012 Clause in ANY of Your DoD Contracts
A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.