Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with Steven A. Casazza, President, Defense Trade Solutions. In episode 13 of That CMMC Show Daniel & Steven cover CUI vs ITAR, industry horror stories just in time for Halloween and so much more!
Transcript
CMMC Show – CUI & Export Control Transcript (Paragraph Formatted)
Hello everybody and welcome back to another episode of that CMMC show.
Uh, today we have an interesting intersection of topics. We have CMMC and CUI joined with that of the export control world, and who better to talk to it than the president of DTS, Steven Casazza.
There’s your word. I got your last name right that go.
um to actually walk us through the intersection of CUI and export control, when they play together, when they could potentially play a part, and then because this is around the Halloween time, we’re going to share some horror stories of export control, which everybody loves to talk about.
So, Steven, mic over to you, my friend. Who is DTS and what services do you guys actually provide in this space? What do you guys do?
Thank you very much Daniel for the introduction and thanks to Summit 7 for having me on the podcast today.
So, Steve Casazza, president of Defense Trade Solutions, and what we do is, you know, my team’s pretty lucky. They get to wake up every morning and, like your team, help make the world a safer place.
And what they do is they’re really a fractional global trade compliance office for small and midsize aerospace and defense companies, really helping navigate ITAR, EAR, foreign military sales, technology security and foreign disclosure, logistics, customs compliance and international government affairs type issues.
So for those small mid-size companies that don’t have access to 100 export control nerds or 100 foreign military sales experts, we’re the shop to go and make that happen for those companies and really help make export controls a competitive advantage for them and not a hindrance to international business.
Trade compliance as a service.
Exactly. What a great thing, because I know a lot of MSPs and MSSPs out there, but not a lot of people that want to play in the export control regulation, trade compliance game.
So, it’s nice to know SMB doesn’t have to be left out of having to hire multiple six-figure salaries to just do one part of their business.
They can call you guys up and be like, “Hey, I just need some help figuring this thing out. How do I even get a license for this thing?” Right?
What are the steps I have to do? Is this even export control?
I’ve been getting that question so much recently. It’s like, are the things I have actually export controlled or not?
I was like, I don’t know. I’m not a trade compliance guy. It’s like, I can help you by pointing you at the USML, right?
Right. It’s like, if it looks like it’s in there, well, you’ve probably got a problem. And then I was like, call Steven. He can help you.
Spot on. Spot on.
And one of the interesting things, too, is that everything we just described, generally in the export control world, it requires multiple different kinds of humans.
So, generally expertise falls into a licensing, compliance, logistics, releasability, FMS kind of category.
And so, you know, rather than having to have five different kinds of humans, you really get, for the price of one, all those different areas of expertise.
Man, that’s awesome.
Which brings us to really one of the first major points.
And again, you and I have kind of wrestled with this topic off and on.
I actually was able to write a piece around export control violations that we’re actually seeing simply because people are now doing CMMC.
Because what I’ve realized very quickly, you know, even small businesses that have some sort of trade compliance support, they’re typically not talking to IT and IT is definitely not talking to them.
And so you have people stamping things and getting things processed and licenses and, you know, classifications.
You’ve got that whole team doing that piece, but they’re not like, “Hey, uh, I think we’re in the wrong Microsoft cloud.”
Because they don’t necessarily care, per se. They’re doing their part of the job.
And so one of the first things I always like to bring up is that CUI and export control, CUI and ITAR, those are two different things, two different requirements for protection, but ITAR can also fit under CMMC if it’s done under a federal contract.
And so can you kind of walk me through when do I treat these independent and then when do I have to treat them as like a single thing?
Absolutely. Absolutely.
And so it’s a very interesting Venn diagram we have of CUI versus export controlled information.
So, talking about it from an export control perspective.
First, really, export controlled information falls into two flavors.
You have ITAR-controlled technical data, which is technical details, information, software, etc. pertaining to defense articles, and then you have EAR-controlled technology, which is similar, you know, but on the commercial and dual-use side of things.
And those are the regulatory definitions when it comes to export controlled information.
There is no consideration, really, for whether that information was developed under a US government contract, whether it was developed by a company, whether it was developed by an individual.
It’s really whether or not you meet those definitions in the regulatory requirements under the ITAR or the EAR.
Full stop.
So that’s one side.
And then the other part of the Venn diagram is your controlled unclassified information, which for our purposes here with the aerospace and defense industry is really that information that is being provided to companies under US government contracts, or when bidding on US government contracts in some kind of capacity.
Now, the US government, when categorizing controlled unclassified information, one of the categories can be export controlled information. And so that’s when the US government goes and they have their own technical data and technology, technical data and technology that meets the definitions of both the ITAR and the EAR, but it’s also being provided through the course of contractual discussions or contractual requirements. And because the US government is providing it to a contractor, they mark it underneath the umbrella of controlled unclassified information as well.
So if I’m hearing this right, so I know that Department of State runs the ITAR program.
We’ll say Department of Commerce runs EAR, which obviously in the world of DoD, those are separate agencies completely.
Now DoD is saying, “Hey, with DFARS 7012 and CMMC, anything that’s CUI, apply the 110 controls of NIST SP 800-171, um, FedRAMP Moderate clouds or equivalent clouds, incident response, flowdowns to your subs, accountability of your subs, and things like that.”
But if I’m making a weapon for the DoD, not only is that CUI because it’s on a federal contract and the type of data is considered controlled unclassified information, but now I’ve got the Department of State looking at me in the sense of, oh, that’s an export requirement as well.
And you’re saying that my export control data can either be developed proprietary through my organization or on behalf of a federal contract.
And no matter what, I still have to also abide by that, which, correct me if I’m wrong, most of those under the Commerce and State side are data sovereignty, so keep the data in the US unless you have an appropriate license, and an access requirement, which is US persons or those with, uh, technical assistance agreements, um, can be the ones that see this or access this information.
Is that the extent of the extra requirements kind of above and beyond what CUI is or is there even more nuance to what you can actually do with that data from an export control piece?
At a high level, that is the main requirement.
It’s really where, you know, the data is stored and resides, right? And so, from an export perspective, if it’s in the US it’s not an export, right? Um, but if it moves outside of the US, then it would be an export.
But then there’s also a release component, which is you can have something that is, you know, controlled from an export perspective, but it’s data that is only being accessed by US persons and you can prove that, and there are the right encryption controls around that, in which case there are exemptions to allow for export controlled either technical data or technology outside the US for exclusive US persons’ use, because people travel and all that.
But if there is a release of that information or that technical data or that technology, then those certain exemptions don’t apply anymore, because you’ve now just transferred that information, technology or technical data to a non-US person.
And so what ends up being very challenging for, um, for exporters when they are not looking at export controls from an IT perspective.
Yeah.
Is they’ll have export controlled data all over the place, all over either their cloud infrastructure or even their servers, and they don’t really know where it is and where it resides. And it becomes very hard to prove the negative, that your information has not been exported outside the United States, or there has not been a release of that technical data or technology to IT personnel that are managing the backup halfway around the world, right?
And so one of the great things about CMMC, and the intersection, I think, of, um, of CUI and export controlled information, is that CMMC is really providing that cybersecurity hygiene that allows for not just the protection of CUI in a sufficient way, but also the protection of export controlled information in a sufficient way, even if it wasn’t developed under a US government contract.
If you’re maintaining good cybersecurity hygiene to comply with CMMC, a byproduct of that is, as long as you know where your export controlled information is, you can apply those same principles to your export controlled data.
So that’s, I think, what’s interesting. It’s like, access control is a really big family in CMMC, and it’s like, listen, first family, you’ve got to control the devices and people and service accounts that are actually accessing, right? Hard stop. Like, that’s just Level 1 kind of stuff.
So, when I wrote that blog not too long ago, it was inspired by a conversation I had with a very large weapons manufacturer.
They do a combination of defense and commercial, but I’ll call them a household name when it comes to weapons.
And I remember being on the call with them and their IT team, and we were battling around cloud providers.
Hey, we’re in commercial today.
Um, and we think we’re good.
It’s like, okay, well, let me pull up Microsoft’s contractual obligation to you.
And Microsoft says, no, no, no, you have ITAR/EAR technical data packages related to that. You can’t put it in commercial because, to your point, Microsoft will not prove that it has not been released to somebody else or another country, right, if they have a disaster recovery effort or something like that.
And so in this conversation, the IT team is like, well, you know, we think we’re okay. I was like, okay, why don’t you call your trade compliance team? Because they’re big enough. Uh, they’re—I was like, I would love to just have you on the call and have me on the call and have them on the call.
And about 30 seconds into that follow-up meeting we had, all of a sudden their trade compliance—when I’m talking about unauthorized disclosures or release of information, uh, and I show them the Microsoft terms and I show them that beautiful little ITAR crosswalk—they look at me and they look at their IT team and say, “No, we’re actually in violation and we need to hang up the call right now and we need to go remediate things.”
And so it’s just interesting when you hear this stuff. That conversation I don’t think would have ever happened unless CMMC was in the mix, primarily talking about data sovereignty of cloud providers, their external support team—because they had an MSP, a global MSP, problematic—and just the simple fact of like, hey, we’re just in the wrong cloud. Like, this cloud provider is not actually allowing us the contractual requirement that we need to say that this data is protected according to not only the DoD, but something that carries even more penalties, which is an export control violation with like the Department of State or Department of Commerce.
And so what’s interesting in that, and I love—I’m going to skip kind of down to a question—is, you know, horror stories around that. So we’ll get into industry updates here at the tail end of that, but I want to jump straight. It’s around the Halloween season and we jokingly say—and it’s kind of tongue in cheek—you know, whoever makes the decision to do something the improper way, whether that’s because they don’t have the money to do it or just want to lean into it because it’s easier, and they’re like somebody’s making that corporate risk decision about mishandling this information.
We always like to joke and say, who has to write the check or who gets to wear orange, right? Who looks good in, you know, silver bracelets, if you will.
And so CUI—there hasn’t been a lot of, uh, how do you say this, a lot of like lawsuits, per se, yet, right? There’s False Claims Act, and that’s starting to ramp up more with the Civil Fraud Initiative or the Cyber Fraud Initiative.
But export control has a track record of decades of, hey, we’re going to put you in jail or we’re going to charge you a lot of money for violation of this. And so much of the defense industrial base, because they’re dealing with this technical information as space or military application, they’re simultaneously working with export control and CUI, and they most of the time have no idea.
So if you were to tell the viewers that are watching this, what are some penalties or what are some horror stories of past organizations who have done this incorrectly, um, just to kind of liven it up and make it a little bit more real that if you do this the wrong way, there actually are repercussions to it.
Yeah, absolutely. And so I won’t call out specific companies, but at a high level I will say, you know, just from the ITAR perspective, each individual violation of the ITAR carries up to a civil penalty of a little over $1.2 million per individual violation.
And so what we tell our customers is just the way the ITAR is structured, it’s actually really hard to only violate the ITAR once. Usually if you mess up, it’s you violated the ITAR no less than a dozen or two dozen times in different spots.
And so what ends up happening is companies that get caught for violations with the ITAR—uh, State Department, Department of Justice—when they decide to go after them, you know, and approve the compliance program, they’ll say, “We’ll have reason to believe you violated the ITAR all of these different hundreds of times. But if you consent to guilt under this consent agreement and agree to these remedial compliance measures, we’ll only fine you, you know, $50 million. And half of that you can reinvest into your compliance program.”
So my hat’s off to the Department of State for really having a structure where they’re not just going after companies, you know, for dollars for the sake of dollars. They’re actually having the companies reinvest that money into building best-in-class compliance programs.
And so on to the horror stories. I mean, in terms of—I actually think the companies that struggle the most with this in the defense industrial base are those companies that deal with both dual-use commercial and military.
Because what tends to happen is they tend to be global companies. They tend to have mixed workforces from a U.S. national and foreign national perspective. And it becomes—you know, when you’re a company, you want to have as much innovation happening as possible, which means as much access and collaboration as possible, right?
And so we know a number of companies that have been under consent agreement where they have a military division and a commercial division, and the commercial division employs Chinese nationals and, you know, foreign nationals in China, Hong Kong, et cetera.
And without the proper IT access controls, those nationalities allegedly had access to a number of documents, data, information related to military programs. And, you know, China is one of the countries that we’re actively competing with from a defense industrial base.
So that data could very well give the Chinese defense industrial base an edge in reverse engineering what we’re doing here in the United States. So that’s one horror story.
I would say another—and this is kind of going the other way, and this recently happened—is what happens when there’s a little bit of over-control. Oh, interesting.
We have a situation right now with a customer where there are a number of documents that were received by a government contractor that were marked as CUI from the U.S. government. And the reason for control—the control parameters—were export controlled information, specifically calling that export control information ITAR-controlled information.
And when you look at the documents that were received by that company, it’s financial info, it’s programmatic info. The things that are technical—when you actually do the jurisdiction classification analysis—for parts and components of the overall program, it’s not ITAR controlled. It’s, you know, best case EAR controlled, potentially even not EAR controlled, EAR99 potentially.
And so there’s a situation where the U.S. government, just by the nature of government employees potentially rounding up to be safe, ended up over-CUIing with not only CUI but ITAR.
And now we’re in an active situation where we’re trying to work through—our customer is a sub in this case—work through the prime, to then work with the government to say, hey, we’ve done this analysis against the ITAR and the EAR, and there’s no technical data or EAR-controlled technology here.
So because we want to go and do other things and not be subject to those controls, can you remove these markings? And we’re actually having to educate the government on how export control information—you can’t just slap a label on that. There’s actually a decision analysis that you have to go through with the ITAR and EAR to come to those conclusions.
Yeah. And, you know, it’s becoming a very difficult challenge for the company. A lot of people are like, “Oh, it’s just like FOUO days,” like we see disclaimers on emails—signature blocks—like, “This email may contain CUI.” And it’s like, hey, do you want to go have lunch today?
It’s like, well, number one, that doesn’t contain CUI. Nice try. But to your point, it’s making the burden on the subs and the primes unnecessarily burdensome.
And it’s like, guys, we want to protect the data. We want to do the right thing. But also, don’t say everything is CUI. Don’t say everything is ITAR. Just don’t do that.
Because now, honestly, it’s a little problematic. We end up in these weird disputes where we’re having to come back as the contractor—not the people who wrote the regulation, people who are trying to follow it—and educate you about the same thing that you wrote.
And anyways, that’s a tale as old as time from the industry parts that I’ve been a part of. It’s very frustrating. And the subs and primes should be frustrated because they’re trying to do the right thing.
So anyways, DoD, Department of State, Department of Commerce—or Department of War, I guess now—please try not to overmark things for the sake of your supply chain. They would greatly appreciate it.
I’m going to snip this, put it on LinkedIn. We’re going to tag a bunch of people saying, “Please just don’t do this, guys. Be better.”
Okay. Horror stories aside—because those are really good—it shows both sides of it. It’s like we tried to do the right thing, but then they’re coming after us for kind of benign stuff. And then also, hey, we actually did the wrong thing and there’s penalties associated with that.
I keep hearing about this AUKUS thing. This AUKUS thing is making the rounds. I’ve got Australian friends—they care about it, I think, more than the U.S. does. They’re very interested in bringing that work to Australia.
Tell me about just general industry updates—even outside of AUKUS—that’s happening in the export control space that I should know that could impact my organization.
Yeah, absolutely. And AUKUS will be a part of this. But at the high level, just even beyond export controls and looking at the defense industrial landscape for a second: between, you know, DOGE that happened earlier this year and now the U.S. government shutdown, what we’ve seen in the past six months—numerous U.S. defense companies are looking to diversify their portfolio away from domestic business and towards international.
Just trouble at home being one of those data points. And then also the world becoming more and more an unsafe place. Our allies are training and equipping themselves, but they’re still relying on the U.S. defense industrial base to be able to do that effectively and be interoperable.
Whether we’re talking about Europe, Taiwan, or Israel, between those two things the marketplace is ripe for U.S. defense companies going after international business. So we’ve seen a lot more activity in that area, and it’s sparked companies to do that. Yeah, that’s data point one.
Data point two is it’s becoming very, very challenging to be a global trade compliance professional. The kinds of questions that are coming out of this environment—from market pressure plus a significant amount of reform on the export control side, as well as the foreign military sales and direct commercial sales side—between FMS and DCS reforms, amendments to the ITAR from a USML reasons-for-control perspective, the 50% rule on the EAR, and the foreign direct product rule on the EAR.
I was at a conference in the UK a few weeks ago where I heard a term that I never thought I’d hear. It’s called EAR taint. So we knew about ITAR taint in terms of keeping the ITAR away from things sold in Europe to prevent extraterritorial controls on European products.
But now they’re worried about EAR taint because the EAR’s reach is starting to become deeper and deeper into Europe. And so all of these reforms—while a lot of them are good and will result in deregulation—the other half are more and more stringent controls. So that’s creating a lot more regulatory complexity for global trade practitioners to wade through. So that’s a second data point.
A third is this administration has actually increased the amount of export control enforcement that has been occurring. If you talk about headcount increases both in State and Commerce, the focus is really more on enforcement and compliance personnel.
You’re seeing the fines that I quoted have actually increased. The numbers I quoted are higher than they were last year, and you’re hearing a lot more enforcement actions coming out of that.
So the environment is more complex. There’s more demand for U.S. military technology, and there’s higher risk. Global trade compliance professionals—it’s not like we’ve gotten smarter over time, or that more of us have just appeared—we’re feeling the strain.
So my heart goes out to all fellow global trade compliance professionals who are just trying to get by these days. But with all that said, it’s important for defense companies to have access to that kind of expertise, because it’s going to be the only way you’re able to navigate this landscape.
And so that brings me to AUKUS. AUKUS is something I’m a huge proponent of. I think it is a great initiative at a high level, really taking the three defense industrial bases and making them tighter and more collaborative—not just with nuclear-powered submarines, but also across our industries.
The AUKUS exemption and the expedited licensing timelines around that are great tools for global trade practitioners to have in their toolbox. We’ve helped a number of our customers navigate the exemption and use it quite effectively.
Having said that, the chatter around AUKUS is that it doesn’t go far enough, and that there are a number of defense companies not using the AUKUS exemption or tools largely because of the complexity around it.
So there’s a trade-off with everything. You add complexity in exchange for increased speed and agility. What tends to happen—and this was discussed at an industry forum last week—is that business development professionals are the ones benefiting from the speed and agility of AUKUS.
They get to talk to industry colleagues faster. They don’t have to wait for licenses. They love it.
The people who take on the complexity side of the equation are the global trade professionals, who now have to make a number of decisions every day and are inherently risk-averse humans—which makes them good at their job.
So if something is more complex and inherently has a little more risk, and you only have so many hours in the day, we’re hearing a lot of global trade professionals default to traditional licensing and business as usual, which is a shame—but understandable.
When you get stressed, you follow what you know. You don’t want to start something new just for the sake of newness.
So my advice to defense companies that fit that profile is to allow space for the global trade team to work the problem. A good opportunity to work through the AUKUS exemption is not in a high-pressure situation where orders need to go out the door in two days.
It should be part of the international business strategy you’ve laid out for next year, analyzing which activities might fit under the AUKUS framework.
It’s interesting because I’ve heard so many good and bad things about AUKUS. It’s a great unifying effort between the UK, Australia, and the U.S., but there’s also been back-and-forth at the executive level around how it’s implemented.
So it’s interesting to hear the insight that it does exist—it’s just that many people aren’t leveraging it due to other pressures. They default to regular licenses because they know how to do that in their sleep.
There’s that tension of something new and potentially faster, but also slower in practice because there isn’t enough capacity, bandwidth, or trade compliance staff to lay the groundwork.
One thing to keep front of mind with AUKUS is that it’s not deregulating exports to the UK and Australia. It’s actually increasing the walls around the U.S., UK, and Australia to allow freer trade within those boundaries.
The complexity comes into play when activities need to cross that wall again. All you’ve really done is extend the bounds of the ITAR—rather than just around the U.S., it’s now around the UK and Australia. That doesn’t eliminate complexity; it shifts it.
With that said, on closing remarks—any other words of wisdom, Steven, given all your experience and DTS’s experience, related to export control, intersections of CUI, CMMC, and landmines?
You have thousands of people listening. Give them some sage advice on navigating this complex landscape.
Yeah, absolutely. The best advice I can give is that we are a global economy, and the defense industry is going global. The world is becoming more dangerous, and that will require allies and partners to buy more U.S.-origin technology and engage in more complex transactions.
Having a strong global trade compliance resource is a competitive advantage and not something to skimp on.
A good comparison is having access to solid cybersecurity hygiene experts, like Summit 7, to ensure your infrastructure is structured so you can compete and access U.S. government contracts.
At the end of the day—whether it’s global trade, cybersecurity, or CMMC—it’s all designed to protect the U.S. warfighter and our technology.
When you have the right resources and expertise, you can focus on winning business, supporting allies, and executing contracts. Without that foundation, you’ll be left behind.
There it is. You’ve probably heard it before, but it doesn’t change the truth. You either gain strategic advantage or lose ground.
Steven, thank you for joining. We love partnering with DTS for export control expertise. You’re a great company with a great team. We’ll have you on again.
Thanks to everyone watching. We’ll see you next time.
Thank you, Daniel. Thanks, Summit 7. Appreciate it.