DECCS Is Here!
Don’t Panic, Just Enroll
If you are registered as an exporter or manufacturer of defense articles with the Department of State, Directorate of Defense Trade Controls (“DDTC”), you have by now probably noted reference to “DECCS”, the Defense Export Control and Compliance System, either on the DDTC website or in correspondence from or with DDTC.
Do you know what DECCS is?
More importantly, do you understand your responsibilities with DECCS today?
DECCS is DDTC’s new electronic portal for Export Licensing, Registration, Commodity Jurisdictions, Advisory Opinions, Retransfer Requests and, in the future, Voluntary Disclosures.
DECCS was born out of DDTC’s IT Modernization effort, which began almost five years ago. After much testing, discussion and work, all of which is still underway, DECCS will formally deploy on Tuesday February 18, 2020. Per DDTC, DTrade will cease to be available as of 6 PM EST February 14, 2020.
Don’t worry! All registrant information, licensing and digital certificate information tied to your company registrant’s registration code will be migrated to your account in DECCS. NOTHING will be lost.
If you have a valid ITAR registration with DDTC, you need to enroll in DECCS to continue your ITAR licensing or registration activities.
Over the last few weeks DDTC has contacted all registrants and holders of digital certificates via a 3rd party (OKTA) about registering in DECCS. Upon reviewing the email, you will find your user ID for DECCS and a link to start your enrollment process in DECCS.
Unfortunately, as the email did not come from DDTC but rather from OKTA, and references an application program “MyApps”, many exporters either believed it was junk/spam and deleted it, or had the email automatically filtered to junk/spam.
To add some more bad news, the registration link in the email was valid for only 7 days from the date OKTA sent it. This means that if you cannot find the email and have not actioned it by the time you are reading this communique, you will have missed the window to respond. Do not fear! You can easily resolve this problem by contacting the DDTC DTrade/DECCS Help Desk and requesting that the email be resent. See email addresses below to make this request.
So now that you have completed step 1 and you are on the DECCS enrollment page, what comes next?
You will provide your user ID and first/last name and phone number.
You then will get a notification on the DECCS page that an email is forthcoming from OKTA to complete the DECCS enrollment.
The second email from OKTA will prompt users to create a password and provide a phone number to enable two-factor authentication for access to DECCS through the DECCS portal.
Now you are all set… almost! As with any IT system, conduct validation testing.
Log in and see the two-factor authentication process work.
Once complete, you will be able to log into the DECCS portal and conduct business with DDTC, whether it is managing your account and users, preparing licenses or tracking license status, or filing registrations.
And the good news is, all licenses submitted in DTrade prior to the conversion will continue to process, as will any registrations that have been submitted. When complete, they will be issued in DECCS.
The phone numbers to call DDTC and request resending of the initial email are 202-663-2838 or 202-663-1282. To submit requests to DDTC via email, we recommend submitting to the following:
Do you know where your export controlled technical data is?
By Jenny Hahn
FD Associates, Inc.
In today’s global environment, the transfer of export controlled technical data, your company’s IP or customer technical data occurs in an instant. Export controlled technical data is regularly transferred electronically by email or other means to domestic and international customers, partners, vendors, legal counsel and consultants. To ensure that the requirements of U.S. export regulations, the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), are met, it is important to understand what happens to the export controlled technical data when it is received by the domestic or international party. Who will have access to the export controlled technical data? Where will it be stored? Will the export controlled technical data be shared with other persons employed by the recipient or external to the recipient?
A recent case we encountered highlights just how far the questions need to go. In this situation, a U.S. company was exporting export controlled technical data to a foreign company. In doing its due diligence, it asked the foreign company where the export controlled technical data would be stored, and whether there were any external IT companies supporting the foreign company (i.e. administering its servers or supply chain partners that would receive the export controlled technical data). The U.S. company learned that backup of the foreign company servers would be at the foreign company’s parent location in another country. This backup of U.S. origin export controlled technical data in a separate country is a reexport under the ITAR and EAR, for which export authorization is or may be required. If this question had not been asked during the license development process, the U.S. company would have released export controlled technical data to the foreign company and the foreign company would have caused an unwitting export violation.
How often do you ask this simple question of your domestic and foreign customers, partners, vendors, legal counsel or consultants?
Knowing where the export controlled technical data will reside once released from your company is a critical component of your export compliance program and due diligence.
Most companies require the implementation of a Non-Disclosure Agreement (NDA) before releasing export controlled technical data or company IP to another party. The primary reason for the NDA is not trade compliance related but for protection of company trade secrets. Those NDAs often permit the recipient to release the technical data to parties integral to the recipient to facilitate their cooperation with your company. Many NDAs do not include export compliance language articulating the need to comply with the ITAR or EAR prior to the transfer of the protected export controlled technical data to another party. While an NDA can give the receiving company the permission to release the export controlled technical data to other parties, it is not an ITAR or EAR approval and it cannot override either the ITAR or EAR requirements for authorization for the release/retransfer/reexport of export controlled technical data in the form of a license, or license exemption/exception.
When executing an NDA with a domestic or foreign party or evaluating the export regulatory considerations associated with an export of technical data to a foreign party, whether by license or license exemption/exception, be sure to perform your due diligence. This includes researching the party that you are doing business with, verifying whether there is any foreign ownership of that entity, inquiring where the export controlled technical data is going to be stored, asking whether there are any IT service providers who will have access to the server and confirming whether backup of the company servers is done by a third party or by the same company in a different country.
It also includes knowing where the servers are physically located. With the rampant use of the cloud to cut equipment costs, it is important to know that not all cloud providers can commit to hosting solutions that comply with the ITAR or EAR requirements (not to mention DFARS requirements if the data is generated related to a U.S. government contract). While the ITAR and EAR have different requirements concerning the transfer to the cloud and whether such transfer is an export, only the EAR is clear that use of encryption in transit and at rest is a key element to prevent the unauthorized transfer of export controlled technical data to foreign persons using the cloud. The second key element is where the cloud is located. For example, ITAR export controlled data may only be stored in a cloud environment hosted in the United States and managed by U.S. persons, whereas the EAR may permit storage of EAR export controlled data in an encrypted environment excluding sanctioned countries.
A red flag regarding possible use of the cloud by customers, partners, vendors, legal counsel, consultants and others is the use of non-company email accounts like Gmail, Yahoo, AOL, Hotmail, MSN, etc. The use of such an email service provider suggests the recipient does not have a traditional network infrastructure and is using the cloud to store any export controlled technical data sent to them. Companies like Google and Yahoo have servers located around the world and storage of the emails can take place at any of them.
Prior to any release of export controlled technical data, your company should determine what path that export controlled technical data will travel when it leaves your company and is received by the domestic or international customer, partner, vendor, legal counsel or consultant for storage and access.
Only when your company fully appreciates the forward transfers made by others can your company be fully compliant with the ITAR and EAR.
This article does not address the separate Defense Federal Acquisition Regulations Cybersecurity obligations, DFARS 252.204-7000 and 252.204-7012, and the NIST SP 800-171. Refer to our article by Keil Ritterpusch on this subject.