foreign person employees (fpes): obtaining authorization and … · 2018. 5. 1. · u.s. department...
TRANSCRIPT
Society for International Affairs
Foreign Person Employees (FPEs):Obtaining Authorization and
Implementing Necessary Workplace Restrictions
Anthony DearthChief of StaffOffice of Defense Trade Controls
Rob MonjayOffice of Defense Trade Controls Policy
Laura ForteRUAG Space US
Kelli BullingtonCobham AdvancedElectronic Solutions
Rick LairdThe Boeing Company
U.S. Department of State s Directorate of Defense Trade Controls
Foreign Person Employees
Anthony M. Dearth
DDTC Chief of Staff
U.S. Department of State s Directorate of Defense Trade Controls
FOREIGN PERSON EMPLOYMENT
• Web Guidance Dated 7/18/12
• Applies to foreign person employees of U.S. persons
• ITAR 120.39 defines “Regular Employee”
• Depending on level of defense services, can be licensed via:
• DSP-5 for Unclassified minimal defense services (124.1(a) exception to TAA)
• DSP-85 for Classified minimal defense services (124.1(a) exception to TAA)
• Technical Assistance Agreement (TAA) for extensive defense services
• Application MUST be supported with specific documentation
U.S. Department of State s Directorate of Defense Trade Controls
FOREIGN PERSON EMPLOYMENT
• Required Documentation to support application
• Resume/CV
• Copy of Passport
• VISA or Work Authorization (U.S.-based employees)
• Job Description
• Description of Technical Data employee will receive access to
• Non-Disclosure Agreement (NDA)
• DSP-83 for Classified or SME technical data
NON-US EMPLOYEES ASSIGNED TO US LOCATIONS
Presented by: Rick Laird, Manager, Global Trade Controls, The Boeing Company
SIA Proprietary
HIRING CONSIDERATIONS FOR NON-US EMPLOYEES
AT US LOCATIONS
Hiring or assigning Non-US Employees to positions at a US location . . . do you have a process?
• Early identification!
• Are there questions/prompts in hiring processes that ensure the staffing organization reaches out to the trade control group for guidance?
• What about re-assignment/relocation process for existing employees?
• Checklist/evaluation tool to allow Hiring Manager to assess statement of work for export control purposes?
• Licensing required? If so, what is the lead time needed to obtain proper export authorizations (3-6 months)?
SIA Proprietary
HIRING CONSIDERATIONS FOR FOREIGN PERSON
EMPLOYEES AT US LOCATIONS
Additional Considerations:
• Consultants? Executives? Interns? Critical Hires? Does everyone follow the same process for job assignments?
• Statement of Work may change over time
− Increased Scope
− Technology advances may invalidate existing licenses
− Desire to transition from a commercial “EAR NLR” assignment to an ITAR-controlled one
• Pending US Person status
• Contractual obligations
• Lack of early identification may result in delays due to insufficient export licensing
SIA Proprietary
TECHNOLOGY CONTROL PLANS
Do you have a process for establishing Technology Control Plans (TCP) when non-US Persons are assigned to US facilities?
• Applies to all assigned non-US persons (e.g. employees and non-employees)
Generally . . . TCPs are required when a non-U.S. person will be granted unescorted access in an ITAR controlled area. A TCP may also be required by provisos.
Do you have continuous escort plans when TCPs are not available?
Building Security Control Plans
• Plans that identify export-controlled areas with appropriate and conspicuous signage.
• Helpful in developing TCPs
SIA Proprietary
TCP Considerations
• Badging; Badge Readers; Cyber Locks
• Floor Plans/Maps detailing:
− Access Routes and Emergency Evacuation Routes
− Perimeter of Unescorted Access Areas
− ‘Green areas’, buffer zones, restricted areas, etc.
• Signage
• Telephone Use (e.g. camera limitations?)
• Copier Use
• Certification/TCP briefing acknowledgement
• Training/Briefings to colleagues
• Process to notify and revise, as necessary. Timetable for review/updates (annually?)
SIA Proprietary
TECHNOLOGY CONTROL PLANS
TECHNOLOGY CONTROL PLANS
What about access to Information Technology Systems?
Does your TCP address access to IT systems (e.g. an IT Access Control Plan)?
• IT systems need to have controls that restrict unauthorized access to export-controlled information by non-US persons.
− Does the system have controls that allow information to be segregated or do users obtain access to all data?
− Does the IT system allow (and require!) the marking of data?
− Can the system be configured so that only information approved for export can be accessed by the non-US person (e.g. under an appropriate license or authorization)?
• Does the TCP allow for alternative methods for transferring approved data if IT systems access is not feasible?
SIA Proprietary
RISK CONSIDERATIONS FOR FOREIGN PERSONEMPLOYEES AND US PERSONS ABROAD
Presented by:
Kelli Bullington, Export Compliance Manager, Cobham Advanced Electronic Solutions
SIA Proprietary
FOUNDATION REQUIREMENTS FOR FPE AND USPE SCENARIOS
Obtain Authorization
Conduct Restricted Party Screening
Restrict/Isolate Controlled Areas
Implement Facility Access/Badging and Escort Policies
Establish Technology Control Plans
Obtain NDA’s and Required Records
Consider Anti-discrimination laws
SIA Proprietary
USPE Working for Foreign Affiliate
(Parent/Sub/Affiliate)
USPE Working for USCO Abroad
FPE Working for USCO
FPE Working for USCO Abroad
NOW WHAT?MAINTAIN AND SUSTAIN
1. Identify the Applicable Risks
• Consider Provisos of Applicable Authorizations
• Review Consent Agreements and Other Lessons Learned
• Consult with Experienced Employees
• Develop “USPE/FPE Categorization Methodology”
2. Quantify the Risks
• Develop “Impact Legend”
• Utilize Experienced Employees
• Be Consistent
SIA Proprietary
3. Establish Risk Threshold
• Develop Heat Map
4. Create a Plan (eliminate or mitigate)
• Document
• Develop “Micro TCP”
• Utilize Automation Tools
• Incorporate “Education and Engagement Plan”
• Develop Change Management Plan
5. Monitor
• Is it Measurable and Effective?
• Is it Efficient? Adaptable?
• Move towards “Predictive Monitoring”
SCENARIO RISK FACTORS FOR CONSIDERATIONUSPE ABROAD
1. Defense Service Type (EX: Field Service Rep., Advisor, Technician, Logistics, etc.,)
2. Authorization Type and Risk of Applicable Restrictions
(EX: FMS, DCS, TAA, TPT, Provisos, etc.,)
3. Directorate/Dept./Program “Export Health”
4. Defense Article/Technical Data Type (EX: SME, EAR, ITAR, etc.,)
5. End User and/or Level of Third Party Interaction
6. Employee Export Knowledge, Specialized Background
SIA Proprietary
Utilize Risk Assessment to Determine:
Frequency and Depth of Export Education Frequency of Engagement Recordkeeping Requirements and Best
Practices Potential Risks Associated with Change
and Ability to Detect
HAVE YOU THOUGHT OF EVERYTHING?USPE OR FPE ABROAD
• Employees should be aware of other countries export/import laws
• Elicitation of employees
• Employees traveling with information from previous employment
• Employees advising each other on regulations
• Advising on foreign origin equipment, technology, programs, etc.,
• Comparing US and foreign technology
• Recommending new technology
SIA Proprietary
• Employee position scope creep
• Employee inadvertently develops technical data abroad
• End User introduces new parties/individuals
• Inability to determine employer of other Parties (contract employee vs. regular employee)
• Foreign party organization restructuring (i.e. mergers, acquisitions)
• Foreign influence
• And more…
EXPORT CONTROL CONSIDERATIONS FOR MANAGING
AUTHORIZATIONS OF FPE AND USPES ABROAD
• Be intentional, creative and keep it simple for employees;
• Be careful with making broad generalizations and assumptions;
• Develop methodology for categorizing employees level of risk;
• Identify the important changes to be made;
• Create export communication structure and account for time difference;
• Provide consistent guidance, training and oversight;
• Utilize technology for automated engagement with employees abroad.
SIA Proprietary
FOREIGN PERSON EMPLOYEES:U.S. SUBSIDIARY OF FOREIGN PARENT
Presented by: Laura Forte, Global Trade Controls Manager, RUAG Space USA
SIA Proprietary
FOREIGN PERSON EMPLOYEES – U.S. SUBSIDIARIES
• FIRST - Must have a documented Technology Control Plan in place.
• What gates and procedures are in place to prevent unauthorized access and/or release of export-controlled technical data and/or the provision of defense services to non-U.S. persons?
• Data Storage – Where and how? How to access? Who controls gates?
• Data Transfers – Secured method?
• Foreign Travel – Who, where, why, and what will be hand-carried?
• Foreign Visitors – Who, where, why, and what will be hand-carried?
• Webinars / Video Conferences – Who is attending? Subject? Recorded? Stored?
• IT structure? ERP system? Intranet controls?
SIA Proprietary
FOREIGN PERSON EMPLOYEES – U.S. SUBSIDIARIES
• Must implement a training program explaining U.S. export control regulations and educate employees on the Technology Control Plan, and respective company policies and procedures.• Training to identify and define controlled technical data, defense
services, U.S. persons, non U.S. persons, exports (tangible, intangible), company personnel responsible for compliance oversight and guidance, and recordkeeping requirements (e.g., logs, retention periods).
• Onboard training, annual training, targeted training, all documented.
SIA Proprietary
FOREIGN PERSON EMPLOYEES – U.S. SUBSIDIARIES
• Export Challenge – Ongoing collaborative efforts with non-U.S. parent and other non-U.S. subsidiaries in the design, development and manufacture of launcher fairings and structures for launch vehicles.
• Authorization Solution – Manufacturing License Agreement.• Specific to identified and approved signatories, sublicensees,
territories, USML categories and scope of effort defined.
• Dual/Third Party National employee screening.
• Strict recordkeeping requirements and reporting requirements.
SIA Proprietary
FOREIGN PERSON EMPLOYEES – U.S. SUBSIDIARIES
• Ongoing export challenges –• Change in scope.
• Expansion of effort – new hardware – new USML.
• New product development spinning off existing product efforts.
• Change in employees, change in DN/TCN status/nationalities.
• Addition of sublicensees and respective territories.
• Recordkeeping.
• Reporting.
• Training.
SIA Proprietary