DDTC IT Modernization 2 1500_IT...RELEASE #2 Development Ends 5/31/2017 Government and Industry...
DDTC IT Modernization
Anthony Dearth
Acting Managing Director, Directorate of Defense Trade Controls
SIA PROPRIETARYNOTE: All speaker comments are off-the-record and not for public release
AGENDA
• DECCS Release 2 Features and Industry Batch Filing/Testing
• DECCS Cyber Security
• DTAG Recommendations for DECCS Release 3
• DECCS Release 2 Timeline
• DECCS Release 2 Screenshots
DECCS INDUSTRY FEATURES – RELEASE 2
• Single user portal for approved DDTC data collections
• Interactive web-based interface
• Implementation of Pay.gov for registration fee payments via:
  o Credit cards
  o PayPal
  o ACH (Automated Clearing House)
• Confirmation of application receipt with tracking number
• Status tracking of all applications & submission types
• Continued batch filing of license applications with minimal changes
LICENSING BATCH FILING TESTING PLAN
• Licensing batch filing will be available for industry testing this month.
• How to submit test batch filings?
  o Review the batch specification document: http://pmddtc.state.gov/documents/DTC_Batch_Format_Spec.pdf
  o Send the principal information of your digital certificate to [email protected] to be granted access to the test system.
  o A Conditions of Use for Batch Filing must be signed and returned to [email protected].
  o Further details on how to access the system will be provided once we receive your testing request and signed Conditions.
BATCH LICENSE FILING TECHNICAL DETAILS – RELEASE 2
• Submissions use SOAP with Attachments message format
• XML Signature used for signing
• Authenticate with IdenTrust ACES client certificates
• The schemas will be the same
• Current functionality will stay the same
o Filing upload and Status download
LICENSING BATCH FILING – KEY BUSINESS AND TECHNICAL DIFFERENCES – RELEASE 2
• DECCS will support multiple records (submissions) per batch
• The URL will be different and will likely require industry security firewall changes
• DECCS batch filing is implemented using SAAJ APIs included with the Java 8 JDK and uses no third-party libraries.
• Submissions will require multipart/related content type
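The two slides above describe the message format (SOAP with Attachments, multipart/related, an XML Signature, client certificates, built on the SAAJ API in the Java 8 JDK) without showing what such a message looks like. The program below is an added example, not DDTC's code and not the DECCS batch client or server: it builds a SOAP 1.1 envelope with one XML attachment using only JDK 8 classes (javax.xml.soap and javax.xml.crypto.dsig), signs the envelope with an enveloped RSA-SHA256 XML Signature placed in the SOAP Header, and then verifies it with a key the receiver already trusts. The element names, the namespace urn:example:batch-demo, the Content-ID "batch-1", the throwaway RSA key pair and the practice of binding the attachment to the signed body through a SHA-256 digest are all assumptions for the demonstration; the real schema and signature profile are those of the batch specification document linked earlier, which this page does not reproduce.

```java
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.soap.*;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.Collections;

/**
 * Added example (not DDTC/DECCS code): a SOAP-with-Attachments batch envelope built with the
 * Java 8 JDK's SAAJ API, signed with an enveloped XML Signature, then verified and tamper-tested.
 * Element names, signature placement and the attachment-digest binding are assumptions.
 */
public class BatchEnvelopeDemo {
    private static final String NS = "urn:example:batch-demo"; // assumed namespace for the demo
    // Java 8's SignatureMethod has no RSA_SHA256 constant, so the algorithm URI is spelled out.
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** SOAP 1.1 message whose body names the batch and carries a SHA-256 digest of the attachment. */
    public static SOAPMessage buildBatch(String batchId, byte[] batchXml) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance(SOAPConstants.SOAP_1_1_PROTOCOL).createMessage();
        SOAPElement submit = msg.getSOAPBody().addChildElement("SubmitBatch", "b", NS);
        submit.addChildElement("BatchId", "b").addTextNode(batchId);
        submit.addChildElement("AttachmentRef", "b").addTextNode("cid:batch-1");
        // An enveloped signature covers the XML envelope, not the MIME parts, so the attachment
        // is bound to the signed body by its digest (assumed design, not the DECCS profile).
        submit.addChildElement("AttachmentDigest", "b").addTextNode(sha256(batchXml));
        AttachmentPart part = msg.createAttachmentPart();
        part.setRawContentBytes(batchXml, 0, batchXml.length, "text/xml");
        part.setContentId("<batch-1>");
        msg.addAttachmentPart(part);
        msg.saveChanges(); // SAAJ now emits Content-Type: multipart/related; ...; boundary=...
        return msg;
    }

    /** Enveloped RSA-SHA256 signature over the whole envelope, appended to the SOAP Header. */
    public static void sign(SOAPMessage msg, KeyPair keys) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // No KeyInfo: the receiver verifies with the key it has on file for the filer, never with
        // a key carried inside the message itself.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(keys.getPrivate(), msg.getSOAPHeader()));
        msg.saveChanges();
    }

    /** Verifies the signature with a trusted key and checks the attachment against the signed digest. */
    public static boolean verify(SOAPMessage msg, PublicKey trustedKey) throws Exception {
        NodeList sigs = msg.getSOAPHeader().getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigs.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        if (!fac.unmarshalXMLSignature(ctx).validate(ctx)) return false;
        NodeList digests = msg.getSOAPBody().getElementsByTagNameNS(NS, "AttachmentDigest");
        AttachmentPart part = (AttachmentPart) msg.getAttachments().next();
        return digests.getLength() == 1
                && digests.item(0).getTextContent().equals(sha256(part.getRawContentBytes()));
    }

    static String sha256(byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair(); // throwaway demo key standing in for the filer's key pair
        byte[] batch = "<Batch><Record>constructed sample record</Record></Batch>"
                .getBytes(StandardCharsets.UTF_8); // constructed sample attachment

        SOAPMessage msg = buildBatch("B-0001", batch);
        sign(msg, keys);
        System.out.println("Content-Type: " + msg.getMimeHeaders().getHeader("Content-Type")[0]);
        System.out.println("valid as signed: " + verify(msg, keys.getPublic()));        // true

        // Alter a signed field after signing: the reference digest no longer matches.
        Element id = (Element) msg.getSOAPBody().getElementsByTagNameNS(NS, "BatchId").item(0);
        id.setTextContent("B-9999");
        System.out.println("valid after tampering: " + verify(msg, keys.getPublic()));  // false

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        msg.writeTo(out); // the MIME message as it would be sent, headers and boundary included
        System.out.println(out.toString("UTF-8"));
    }
}
```

Compile and run with a Java 8 JDK (`javac BatchEnvelopeDemo.java && java BatchEnvelopeDemo`); javax.xml.soap was removed from the JDK in Java 11, so later JDKs need the SAAJ API and implementation on the classpath. The printed Content-Type header is the multipart/related value the slide mentions, and the tamper step shows why the receiving side must validate the signature against the key registered for the filer's certificate rather than any key embedded in the message.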
DECCS CYBER SECURITY
Encryption
• FIPS 140-2 encryption
• Use of TLS (NIST SP 800-52r1): TLS 1.2, TLS 1.1, TLS 1.0*
Multifactor authentication
• Access Certificates for Electronic Services (ACES)
• Currently evaluating DoD External Certification Authority (ECA)
Report security inquiries/concerns/incidents to the DDTC Service Desk at (202) 663-2838, or by email at [email protected]
* Restricted to supporting external connections to non-government entities.
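The slide lists the TLS versions the service offers (with TLS 1.0 footnoted as a concession to external connections) and client certificates as the authentication factor. From the filer's side the practical question is how to make sure its own client presents that certificate and never negotiates below TLS 1.2, whatever the server is willing to accept. The class below is an added example, not DDTC's code and not part of DECCS: it uses only Java 8 JSSE classes. The PKCS#12 key store and its password are placeholders (a null stream gives an empty store for a dry run; a real filer would pass the file holding its ACES certificate and key).

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not DDTC/DECCS code): outbound TLS settings for a batch-filing client on Java 8.
 * The client authenticates with its own certificate and only ever negotiates TLS 1.2, even when
 * the service still offers TLS 1.1/1.0 to other clients.
 */
public class FilerTlsConfig {

    /** SSLContext that authenticates with the key in the PKCS#12 store and trusts the JDK CA set. */
    public static SSLContext clientContext(InputStream pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(pkcs12, password); // null stream = empty store, useful for a dry run
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = platform default trust store
        return ctx;
    }

    /** Unconnected socket pinned to TLS 1.2 with HTTPS host-name verification switched on. */
    public static SSLSocket pinnedSocket(SSLContext ctx) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
        SSLParameters p = s.getSSLParameters();
        p.setProtocols(new String[] {"TLSv1.2"});       // TLSv1 and TLSv1.1 leave the ClientHello
        p.setEndpointIdentificationAlgorithm("HTTPS");  // server certificate must match the host name
        s.setSSLParameters(p);
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Dry run with an empty key store; a real filer passes its PKCS#12 file and password here.
        SSLContext ctx = clientContext(null, new char[0]);
        SSLSocket s = pinnedSocket(ctx);
        System.out.println("enabled protocols: " + Arrays.toString(s.getEnabledProtocols())); // [TLSv1.2]
        s.close();
    }
}
```

The socket returned by pinnedSocket is connected with the usual connect(SocketAddress) call and then handed to whatever transport the filer uses. SAAJ's SOAPConnection goes through HttpsURLConnection, which exposes no per-connection SSLParameters hook, so for that path install the context with HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()) and, on Java 8u31 or later, start the JVM with -Djdk.tls.client.protocols=TLSv1.2 to get the same protocol restriction.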
INDUSTRY TESTING - CYBERSECURITY
• Industry Test Environment Security
  o Environment is completely segregated from DDTC production systems.
  o Users required to submit digitally signed Usage Agreement.
  o DDTC will provide test user accounts.
    • Fake Registration Numbers
    • Fake Usernames
  o No IP access restrictions at this time.
• Do not submit any real data, including personally identifiable information (PII), other sensitive proprietary information, or ITAR data, in the testing environment. Use your standard ACES certificate for all operations that would require digital cryptography.
DTAG RECOMMENDATIONS FOR DECCS RELEASE 3
DTAG suggests that Corporate Admin be assigned by letter request (not through the Form 2032 Registration filing).
• DDTC has decided to allow both options (through 2032 or by letter request)
DTAG is concerned about use of digital certificates as the exclusive mechanism for authentication in DECCS.
• For Release 3, we will implement other appropriate DOS-approved two-factor authentication methods
DECCS user roles and responsibilities must match organizational structure and comply with OCI, SSA and other legal and organizational “firewalls”, including protecting sensitive personal information in DS-2032.
• We will work with industry to implement “firewalls” and protection of sensitive data for Release 3. For Release 2 we will not implement the ability to view applications by industry users.
DDTC site needs modifications to support industry.
• We are planning an external stakeholder session to further define industry requirements
DTAG RECOMMENDATIONS FOR DECCS RELEASE 3 (CONTINUED)
• Suggests that General Correspondence for freight forwarder name and address changes remain the responsibility of the freight forwarder.
  o DDTC will continue to accept freight forwarder name and address changes by General Correspondence and will post notices to the web
  o However, it will be the responsibility of the licensee to update its licensing records in DECCS either:
    • Through the web interface or
    • Through batch filing
DECCS HIGH LEVEL TIMELINE – RELEASE #2
• Development ends: 5/31/2017
• Government and Industry Testing: 4/2017 - 8/2017
• Authorization to Operate approval package submitted: 5/31/2017
• Training & Onboarding: 5/2017 - 8/2017
• Deployment: 9/2017
DECCS RELEASE 2 SCREENSHOTS (slide images not reproduced in this transcript; slide titles only)
• DECCS: LOGIN
• DECCS: REGISTRATION DS-2032
• DECCS: REGISTRATION DS-2032 BLOCK 2
• DECCS: REGISTRATION BLOCK 4 VALIDATION
• DECCS: LICENSING HOME PAGE
• DECCS: LICENSING DSP-5
• DECCS: LICENSING DSP-5 BLOCK 5
• DECCS: LICENSING TRACK STATUS
• DECCS: LICENSING APPLICATION DETAIL
Questions?
Developments in Cloud Computing, Intrusion Software and Network Surveillance Controls
Aaron Amundson, Director, Information Technology Controls Division
Bureau of Industry & Security
May 2, 2017
BIS GUIDANCE ON CLOUD COMPUTING
• Three directly relevant, published Advisory Opinions, 2009-2014
• Definitional changes published in the June 3 FR notice, in effect as of September 1, including the “encryption carve-out.”
• Encryption carve-out provisions were not included in the ITAR bookend of definitional changes – to be published separately.
ADVISORY OPINIONS ON CLOUD COMPUTING
• Jan. 2009 - a cloud provider that provides access to computational capacity is not the exporter of data derived from the computations because they are not the principal party in interest.
• Jan. 2011 - if the cloud provider is not the exporter, the cloud provider is not making a “deemed export” if their foreign national network administrators access the data.
• Nov. 2014 - remotely using controlled software is not an export itself, unless there is a transfer of controlled software or technology.
JUNE 3 FR NOTICE ON DEFINITIONS
• Opportunity to address the issue; relevant changes in multiple locations in the proposed language.
• The term “cloud” not used in regulatory text – changes affect cross-national data transmission and release to non-U.S. nationals.
• Primary citation in EAR is in a new section, §734.18, “Activities that are not exports, reexports, or transfers.”
• Three basic requirements for the carve-out: “end-to-end” encryption, applicability of FIPS standards, and prohibition on storage in D:5/Russia
“END-TO-END” ENCRYPTION
• Defined as uninterrupted cryptographic protection between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary).
• Definition is intended to be flexible enough to accommodate different technical approaches (e.g. IPSEC VPN, SSL VPN, etc.)
• Definition is not intended to preclude service provider involvement (i.e., security can be delegated to a third party).
“BOUNDARY TO BOUNDARY”
• In the June 3 FR notice, definition of “end-to-end” was changed from “system to system” encryption (e.g., PGP) to “security boundary to security boundary.”
• Reflects common industry practice and provides more flexibility.
• Allows necessary services to be performed within the security boundaries while meeting the objectives of the rule.
• Caveat: boundary must be in-country – data cannot cross a national border in the clear.
STORAGE RESTRICTIONS
• “Intentional” storage prohibited in D:5 and Russia.
• Temporary storage on Internet servers while in transit not considered intentional storage.
• Storage on PC’s while in D:5 is considered “intentional”; in such circumstances, another authorization (e.g., TMP) is required.
• As a practical matter, cloud providers serving western customers (including those owned by the PRC) have not located their resources in these countries.
KEYS AND OTHER ACCESS DATA
• Release of keys, passwords or other data (access information) with “knowledge” that such release or transfer will result in release of underlying technical data is a controlled event.
• An unauthorized release of access information would be a violation to the same extent as unauthorized release of underlying data.
• Keys and other access data are not considered “technical data,” and can thus be managed independently.
ISSUES RELATED TO EXECUTION
• Decryption outside the U.S. does not, of itself, constitute an export or release.
• Storage in the clear (after decryption) outside the U.S. does not, of itself, constitute an export or release.
• When transmission is decrypted and re-encrypted, “end-to-end” no longer applies. Subsequent transmission is a separate, new transmission.
• A user may delegate security to a third party provider, but must ensure that such provider meets carve-out criteria (e.g. encrypts between cloud resources).
CONCLUSION ON CLOUD COMPUTING
• Changes are intended to provide maximum flexibility to providers and users.
• BIS will provide additional guidance as more fact patterns emerge and technology evolves.
SUMMARY OF 2013 WASSENAAR CYBER CONTROLS
• Controls on “network communications and surveillance equipment” for “carrier class” IP networks (5.A.1.j).
  o Drafters contemplated that controls would apply to a narrow range of specific products.
• Controls on network intrusion (4.A.5, 4.D.4, and 5.E.1) focused on command and delivery platforms for network intrusion software (e.g., exploits/payloads).
  o Included hardware/software command and control platforms and associated technology.
  o While defining “intrusion software,” controls did not apply to such software itself. Controls did apply to technology for such software (5.E.1.c).
U.S. IMPLEMENTATION EFFORTS
• The U.S. published a rule implementing these controls in the Export Administration Regulations in proposed form in May, 2015.
• We originally anticipated that the reach of the new controls would be quite narrow, as the discussions in Wassenaar focused on products of a few companies such as FinFisher/Gamma, Hacking Team and Vupen.
• As a result, the proposed rule required individual licenses for exports to all countries except Canada and for release to all non-U.S. and non-Canadian nationals.
• Public comment was extensive, focused primarily on network intrusion, and was overwhelmingly negative.
CURRENT STATUS OF U.S. IMPLEMENTATION
• Due to comments received and subsequent extensive outreach to cybersecurity stakeholders, including Government cybersecurity organizations, we decided to delay implementation.
• Nature of the commentary revealed differences between the original intent of the controls and the actual impact of the language.
• These issues must be clarified in order to create a level playing field within Wassenaar and to limit potential negative impact on Member States’ critical cybersecurity activities.
• The U.S. returned to Wassenaar in 2016 with proposals to address some of the more important issues, and met with only limited success; we are continuing this discussion in this year’s session.
UNIQUE FEATURES OF THE CYBERSECURITY ENVIRONMENT
• Cybersecurity activities are highly globalized.
• Cybersecurity employs a fundamental “Red Team/Blue Team” approach.
• Participants vary widely and fluctuate as needs demand
• Cyber activities are now only lightly touched by export control or other regulations.
• Cybersecurity activity can be extremely time sensitive
QUESTIONS FOR WASSENAAR DISCUSSION
• High level issue: how to control target products without impeding defensive work
• Problem: in order to effectively prevent a small subset of transactions, all transactions involving network intrusion command and control platforms (including technology) must be touched in some way:
  o Classification – deciding what is caught and what is not
  o IT solutions (firewalls, access controls)
  o Procedures
  o Training
• While U.S. corporations with pre-existing compliance programs are equipped to execute such controls, non-U.S. enterprises, small companies, academic entities, and individuals are not; the latter are big players in cyber defense.
Questions?