COMPLIANCE GUARDIAN - ITAR
Presented by Esad Ismailov, AvePoint, January 2017


TRANSCRIPT

  • ©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.

    An Introduction to U.S. Export Control Laws and Regulations

    • International Traffic In Arms Regulations (ITAR)
    • Export Administration Regulations (EAR)

    What Is An Export Anyway?

    • The transfer of anything to a “FOREIGN PERSON” by any means, anywhere, anytime, or the knowledge that what you are transferring to a “U.S. PERSON” will be further transferred to a “FOREIGN PERSON”.

    U.S. Export Laws and Regulations

    • AECA and ITAR (USML) - 22 CFR 120: covers items such as Space Launch Vehicles (e.g., the Space Shuttle), rocket engines, certain spacecraft (including all remote sensing satellite systems), missile tracking systems, etc. (both the hardware and the technology)
    • EAA and EAR (CCL) - 15 CFR 730: covers what is commonly referred to as “dual-use” items, including the Space Station (the hardware and certain technology)

    U.S. Government Players (diagram)

    • STATE
    • COMMERCE: BXA
    • DoD: DTRA, JCS, Others
    • ACDA
    • TREASURY: U.S. CUSTOMS, OFAC
    • WHITE HOUSE: OSTP, NSC, USTR
    • IC
    • DoT: FAA
    • JUSTICE: FBI
    • DoE

    Examples of Other U.S. Government Players, Laws & Regulations

    • Drug Enforcement Administration (21 CFR 1311)
    • Food and Drug Administration (21 USC 301)
    • Department of Interior (50 CFR 17.21, 22, 31, 32)
    • Department of Treasury (31 CFR 500)
    • Department of Energy (10 CFR 205.300, 10 CFR 110 & 810)
    • Others

    Reasons Certain Exports are Controlled

    • National Security (NS)
    • Foreign Policy (FP)
    • Proliferation (MT, NP, CB)
    • Short Supply (SS)
    • Anti-Terrorism (AT)
    • Crime Control (CC)
    • High Performance Computer (XP)
    • Regional Stability (RS)
    • UN Sanctions (UN)

    The International Traffic in Arms Regulations (ITAR)

    • The United States Munitions List (USML)
    • 21 categories of “Defense Articles/Services”
    • If an item is listed, it is subject to the ITAR
    • Example: Category IV - Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    • Example: Category XV - Spacecraft and Associated Equipment

    The United States Munitions List (USML)

    • I - Firearms
    • II - Artillery Projectors
    • III - Ammunition
    • *IV - Launch Vehicles, etc.
    • *V - Explosives, Propellants, Incendiary Agents and Their Constituents
    • VI - Vessels of War and Special Naval Equipment
    • VII - Tanks and Military Vehicles
    • VIII - Aircraft and Associated Equipment
    • IX - Military Training Equipment
    • X - Protective Personnel Equipment
    • XI - Military Electronics
    • *XII - Fire Control, Range Finder, Optical and Guidance and Control Equipment
    • *XIII - Auxiliary Military Equipment
    • XIV - Toxicological Agents and Equipment and Radiological Equipment
    • *XV - Spacecraft Systems and Associated Equipment
    • XVI - Nuclear Weapons Design and Related Equipment
    • XVII - Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    • XVIII - Reserved
    • XIX - Reserved
    • XX - Submersible Vessels, Oceanographic and Associated Equipment
    • XXI - Miscellaneous Articles

    The Export Administration Regulations (EAR)

    • The Commerce Control List (CCL)
    • Divided into ten (10) categories (0 to 9)
    • Complete listing of items controlled by the EAR
    • Example: Category 9 - Propulsion Systems, Space Vehicles and Related Equipment

    The Commerce Control List (CCL) categories

    • Category 0 - Nuclear Materials, Facilities and Equipment and Misc.
    • Category 1 - Materials, Chemicals, Microorganisms and Toxins
    • Category 2 - Materials Processing
    • Category 3 - Electronics
    • Category 4 - Computers
    • Category 5 - Communications, telecommunications
    • Category 6 - Optics, Cameras, Lasers, radar
    • Category 7 - Guidance, navigation, altimeters, avionics
    • Category 8 - Submersible systems, scuba, marine equipment
    • Category 9 - Propulsion Systems, space vehicles,

    Violations and Penalties Summary

    The Export Administration Regulations (EAR)

    Criminal and civil penalties exist for violations of the Export Administration Regulations. Criminal penalties apply to “knowing” or “willful” violations and civil penalties apply to non-willful violations.

    For each criminal violation of the EAR, the institution involved can be subject to a fine that is the greater of $1 million or five times the value of the exports for each violation. The individuals involved can be fined up to $250,000 and/or imprisoned for up to 10 years for each violation.

    For each civil violation of the EAR, the institution as well as the individuals involved can be subject to a $12,000 fine for each violation. However, if the violation involves any item that is subject to national security controls, the fine is $120,000 per violation.

    Other penalties for violations of the EAR include: The denial of export privileges and/or seizure/forfeiture of the goods involved.

    The International Traffic in Arms Regulations (ITAR)

    Penalties for violations of the ITAR are similar to those under the EAR. Criminal and civil penalties exist and can be levied against the institution as well as the individuals involved.

    Criminal penalties include a fine of up to $1 million and/or up to 10 years in prison for each violation. Civil penalties include a fine of up to $500,000 for each violation.

    Other penalties for violations of the ITAR include: The denial of export privileges and/or seizure/forfeiture of the goods involved.

    Organizations need to:

    • Identify ITAR data and Classify it.
    • Protect ITAR data based on Classification/Sensitivity – Assign appropriate security controls based on the information and who has (or should have) access to it.
    • Implement ongoing measures to assure ITAR Compliance – Monitor and Report on violations as soon as they happen (Real Time) or once they are identified (On-Demand).

    How to configure Compliance Guardian for ITAR: 1. Using Checks & Test Suites

    Compliance Guardian ITAR Checks Overview

    A check is an XML file that defines the logic that Compliance Guardian uses to check files. Checks identify the purpose of the check (the type of check to run, such as a pattern of characters), the condition for the check (such as a social security number, ammunition type, weapons, pattern), and the possible result of the check (true or false). Users can change the values in the checks to determine the check conditions, but the specific element format defined by Compliance Guardian in the checks must stay the same.

    Compliance Guardian ITAR Test Suite Overview

    A test suite is a logical grouping of test definition files, or a set of checks, that define how to present the scanned data. Test suites allow you to build scan plans for your specific regulations and requirements. These collections are the basis of Compliance Guardian scans. A test suite contains one or more checks and a configuration file that is used to define how to combine these checks and set risk levels for scan results.

    Configure the Custom check to a SharePoint List (screenshot callouts):

    • SharePoint List URL
    • Add the category, such as “Optics”, which holds the various Optics naming values
    • Name of the check

    Bonus: Use Context to Discover if a (ITAR) document is shared with a non-US citizen.

    AD/SP User Name Attributes

    • Username contains (US)
    • Username doesn’t contain (US)

    Context Logic – IF a user whose username does not contain the word (US) has permission to a (ITAR) file.

    How CG scans an ITAR/sensitive document:

    • Scan Header
    • Scan Footer
    • Scan for (body) words and/or codes

    How to (potentially) distinguish sensitive (ITAR) from non-sensitive information?

    • Contains keywords such as Fact Sheet or brochure
    • Contains keywords such as “Cleared for public Release” and/or “Distribution is unlimited” and/or “Approval SPR-####-##” etc.
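The dictionary, public-release and context checks described on these slides, written out as an added Python illustration. This is not AvePoint's code: the category naming values, usernames and documents are constructed sample data, and the “(US)” username marker is assumed to be the literal string in the username attribute.

```python
import re

# Constructed sample data standing in for the SharePoint list on the slides:
# one entry per ITAR category holding that category's naming values.
ITAR_DICTIONARY = {
    "Optics": ["infrared focal plane array", "laser rangefinder"],
    "Spacecraft": ["remote sensing satellite", "attitude control thruster"],
}

# Public-release markers named on the slide; "SPR-####-##" is read as digits.
PUBLIC_RELEASE_PATTERNS = [
    re.compile(r"cleared for public release", re.I),
    re.compile(r"distribution is unlimited", re.I),
    re.compile(r"approval\s+SPR-\d{4}-\d{2}", re.I),
]

def dictionary_check(text):
    """Dictionary check: which categories have a naming value in the text."""
    lower = text.lower()
    return {cat for cat, terms in ITAR_DICTIONARY.items()
            if any(term in lower for term in terms)}

def is_public_release(text):
    """True when header, body or footer carries a public-release marker."""
    return any(p.search(text) for p in PUBLIC_RELEASE_PATTERNS)

def is_us_person(username):
    """Context check (assumption): the AD/SharePoint username contains '(US)'."""
    return "(US)" in username

def evaluate(document, permission_holders):
    """Scan plan logic: header, footer and body are scanned, then the result is
    combined with who holds permission. Returns (risk_level, detail)."""
    text = " ".join(document[part] for part in ("header", "body", "footer"))
    categories = dictionary_check(text)
    if not categories:
        return "none", "no ITAR naming values found"
    if is_public_release(text):
        return "low", "ITAR terms present, but marked cleared for public release"
    non_us = sorted(u for u in permission_holders if not is_us_person(u))
    if non_us:
        return "high", f"categories {sorted(categories)} shared with {non_us}"
    return "medium", f"categories {sorted(categories)} held by US persons only"

# Constructed documents and permission holders for a stand-alone run.
ENGINEERING_NOTE = {"header": "Engineering Note 17", "footer": "Internal use only",
                    "body": "Thermal test results for the infrared focal plane array."}
BROCHURE = {"header": "Product Fact Sheet", "footer": "Approval SPR-2016-04",
            "body": "Laser rangefinder overview. Cleared for Public Release."}
```

Calling `evaluate(ENGINEERING_NOTE, ["jsmith(US)", "amueller"])` yields a high-risk result because a non-US permission holder can reach an uncleared ITAR document, while `evaluate(BROCHURE, ["amueller"])` stays low because the brochure carries the public-release markers.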

    How to configure Compliance Guardian for ITAR: 1. Using Machine Learning

    How does Machine Learning work?

    Identify Document Types using a Support Vector Machine (SVM, aka machine learning). The slide diagram shows the SVM classifier sorting documents into types:

    • ITAR (product) documents
    • Health Forms
    • Loan Application Forms
    • Pay slips

    Training and using an SVM model in Compliance Guardian (one slide per step):

    1. Start the Content Classification Tool
    2. Select positive/negative documents
    3. Export results, then continue to train
    4. Start Training
    5. Export/Save the learning model
    6. Save the learning model
    7. Create a Custom check
    8. SVM (Machine Learning) check: add the path to your model

    Using Dictionary & SVM (Machine Learning) checks for greater accuracy

    Monitoring and Reporting

    Dashboard screenshots (slide titles):

    • Incident Management Center Dashboard
    • Scan Records by Test Suite and Type
    • Risk Trend & Scan Records History
    • Scanned Records & All Incidents Status

    Slide outline

    • COMPLIANCE GUARDIAN - ITAR
    • An Introduction to U.S. Export Control Laws and Regulations
    • What Is An Export Anyway?
    • U.S. Export Laws and Regulations
    • U.S. GOVERNMENT PLAYERS
    • U.S. Export Laws and Regulations
    • Reasons Certain Exports are Controlled
    • The International Traffic in Arms Regulations (ITAR)
    • The United States Munitions List (USML)
    • The Export Administration Regulations (EAR)
    • The (New) Export Administration Regulations (EAR)
    • Violations and Penalties Summary
    • Slide 14 (untitled)
    • Compliance Guardian ITAR Checks Overview
    • Compliance Guardian ITAR Test Suite Overview
    • Creating ITAR checks – using Dictionary check
    • Using SharePoint List as a reference (Create a Custom Check)
    • Configure the Custom check to a SharePoint List
    • Create ITAR keywords for each category which will serve as a reference (similar to a dictionary)
    • Create ITAR Test Suite
    • Add the newly created check(s)
    • Test Suite Logic
    • Create a Scan Plan
    • Select your new ITAR CustomChecks Test Suite
    • Scan Plan (Business) Logic
    • Real Time/Scheduled Scan Document Classification
    • Bonus: Use Context to Discover if a (ITAR) document is shared with a non-US citizen.
    • AD/SP User Name Attributes
    • Context Logic – IF a user whose username contains the word (US) has permission to a (ITAR) file.
    • How CG scans an ITAR/Sensitive document
    • How to (potentially) distinguish sensitive (ITAR) from non-sensitive information?
    • Slide 33 (untitled)
    • How does Machine Learning work?
    • Identify Document Types using Support Vector Machine (aka Machine learning)
    • Start the Content Classification Tool
    • Select positive/negative documents
    • Export results, then continue to train
    • Start Training
    • Export/Save the learning model
    • Save the learning model
    • Create a Custom check
    • SVM (Machine Learning) check
    • Using Dictionary & SVM (Machine Learning) checks for greater accuracy
    • Slide 45 (untitled)
    • Incident Management Center Dashboard
    • Scan Records by Test Suite and Type
    • Risk Trend & Scan Records History
    • Scanned Records & All Incidents Status
    • Slide 50 (untitled)
    • COMPLIANCE GUARDIAN - ITAR, Presented by Esad Ismailov, AvePoint, January 2017