DDTC IT Modernization 2 1500_IT...RELEASE #2 Development Ends 5/31/2017 Government and Industry...

DDTC IT Modernization

Anthony DearthDirectorate Defense Trade Controls

Acting Managing Director

SIA PROPRIETARYNOTE: All speaker comments are off-the-record and not for public release

AGENDA

• DECCS Release 2 Features and IndustryBatch Filing/Testing

• DECCS Cyber Security

• DTAG Recommendations for DECCSRelease 3

• DECCS Release 2 Timeline

• DECCS Release 2 Screenshots


DECCS INDUSTRY FEATURES –RELEASE 2

• Single user portal for approved DDTC data collections

• Interactive web-based interface

• Implementation of Pay.gov for registration fee payments via:• Credit cards• Paypal• ACH (Automated Clearing House)g House

• Confirmation of application receipt with tracking number

• Status tracking of all applications & submission types

• Continued batch filing of license applications with minimal changes


LICENSING BATCH FILINGTESTING PLAN

• Licensing batch filing will be available for industry testing thismonth.

• How to submit test batch filings?

• Review the batch specification document:http://pmddtc.state.gov/documents/DTC_Batch_Format_Spec.pdf

• Send the principal information of your digital certificate [email protected] to be granted access to thetest system.

• A Conditions of Use for Batch Filing must be signed and returnedto [email protected].

• Further details on how to access the system will be providedonce we receive your testing request and signed Conditions.


BATCH LICENSE FILING TECHNICALDETAILSRELEASE 2

• Submissions use SOAP with Attachments message format

• XML Signature used for signing

• Authenticate with IdenTrust ACES client certificates

• The schemas will be the same

• Current functionality will stay the same

o Filing upload and Status download


LICENSING BATCH FILING – KEYBUSINESS AND TECHNICALDIFFERENCESRELEASE 2

• DECCS will support multiple records (submissions) per batch

• The URL will be different and will likely require industry securityfirewall changes

• DECCS batch filing is implemented using SAAJ APIs includedwith Java8 JDK and uses no third party libraries.

• Submissions will require multipart/related content type


DECCS CYBER SECURITY

Encryption

FIPS 140-2 Encryption

Use of TLS (NIST SP 800-52r1) TLS 1.2, TLS 1.1, TLS 1.0*

Multifactor authentication

Access Certificates for Electronic Services (ACES)

Currently evaluating DoD External Certification Authority (ECA)

Report security inquiries/concerns/incidents to DDTC Service Deskat (202) 663-2838, or email at [email protected]

* Restricted to supporting external connections to non-government entities.


INDUSTRY TESTING - CYBERSECURITY

• Industry Test Environment Security• Environment is completely segregated from DDTC production

systems.• Users required to submit digitally signed Usage Agreement.• DDTC will provide test user accounts.

• Fake Registration Numbers• Fake Usernames

• No IP Access Restrictions at this time.

• Do not submit any real data including personally identifiableinformation (PII), other sensitive proprietary information, or ITARdata in the testing environment. Use your standard ACEScertificate for all operations that would require digital cryptography.


DTAG RECOMMENDATIONS FORDECCS RELEASE 3

Suggests that Corporate Admin be assigned by letter request (not through theForm 2032 Registration filing).

• DDTC has decided to allow both options (through 2032 or by letter request)

Concerned about use of digital certificates as the exclusive mechanism forauthentication in DECCS.

• For Release 3, we will implement other appropriate DOS approved two-factorauthentication methods

DECCS user roles and responsibilities must match organizational structure,comply with OCI, SSA and other legal and organizational “firewalls” includingprotecting sensitive personal information in DS-2032

• We will work with industry to implement “firewalls” and protection of sensitive data forRelease 3. For Release 2 we will not implement ability to view applications byindustry users.

DDTC site needs modifications to support industry• We are planning an external stakeholder session to further define industry

requirements


DTAG RECOMMENDATIONS FORDECCS RELEASE 3 (CONTINUED)

• Suggests that General Correspondence for freight forwarder nameand address changes remain the responsibility of the freightforwarder.

• DDTC will continue to accept freight forwarder name and addresschanges by General Correspondence and will post notices to the web

• However, it will be the responsibility of the licensee to update itslicensing records in DECCS either:

• Through the web interface or

• Through batch filing


DECCS HIGH LEVEL TIMELINERELEASE #2

Development Ends5/31/2017

Ends5/31/2017

Governmentand Industry

Testing4/2017 -8/20174/2017 -8/2017

Authorization toOperateApproval

Packagesubmitted5/31/2017

Packagesubmitted5/31/2017

Training &Onboarding

5/2017 -8/20175/2017 -8/2017

Deployment 9/20179/2017


DECCS: LOGIN

SIA PROPRIETARYNOTE: All speaker comments are off-the-

record and not for public release

DECCS: REGISTRATION DS-2032



DECCS: REGISTRATION DS-2032 BLOCK 2



DECCS: REGISTRATION BLOCK 4VALIDATION



DECCS: LICENSING HOME PAGE



DECCS: LICENSING DSP-5



DECCS: LICENSING DSP-5 BLOCK 5



DECCS: LICENSING TRACK STATUS



DECCS: LICENSING APPLICATION DETAIL



Questions?


Developments in Cloud Computing, IntrusionSoftware and Network Surveillance Controls

Aaron AmundsonDirector, Information Technology Controls Division

Bureau of Industry & SecurityMay 2, 2017


BIS GUIDANCE ON CLOUD COMPUTING

23

•Three directly relevant, published, AdvisoryOpinions, 2009-2014

•Definitional changes published in June 3 FRnotice, in effect as of September 1, including the“encryption carve-out.”

•Encryption carve-out provisions were notincluded in ITAR bookend of definitionalchanges – to be published separately.


ADVISORY OPINIONS ON CLOUDCOMPUTING

24

• Jan. 2009 - a cloud provider that provides access tocomputational capacity is not the exporter of dataderived from the computations because they arenot the principal party in interest.

• Jan. 2011 - if the cloud provider is not theexporter, the cloud provider is not making a“deemed export” if their foreign national networkadministrators access the data.

• Nov. 2014 - remotely using controlled software isnot an export itself, unless there is a transfer ofcontrolled software or technology.


JUNE 3 FR NOTICE ON DEFINITIONS

25

• Opportunity to address the issue; relevant changes inmultiple locations in the proposed language.

• The term “cloud” not used in regulatory text –changes affect cross-national data transmission andrelease to non-U.S. nationals.

• Primary citation in EAR is in a new section, §734.18,“Activities that are not exports, reexports, ortransfers.”

• Three basic requirements for the carve-out: “end-to-end” encryption, applicability of FIPS standards, andprohibition on storage in D:5/Russia


“END-TO-END” ENCRYPTION

26

• Defined as uninterrupted cryptographic protectionbetween and originator (or the originator’s in-country security boundary) and an intendedrecipient (or the recipient’s in-country securityboundary).

• Definition is intended to be flexible enough toaccommodate different technical approaches (e.g.IPSEC VPN, SSL VPN, etc.)

• Definition is not intended to preclude serviceprovider involvement (i.e., security can bedelegated to a third party).


“BOUNDARY TO BOUNDARY”

27

• In the June 3 FR notice, definition of “end-to-end”was changed from “system to system” encryption(e.g., PGP) to “security boundary to securityboundary.”

• Reflects common industry practice and providesmore flexibility.

• Allows necessary services to be performed withinthe security boundaries while meeting theobjectives of the rule.

• Caveat: boundary must be in-country – data cannotcross a national border in the clear.


STORAGE RESTRICTIONS

28

• “Intentional” storage prohibited in D:5 and Russia.• Temporary storage on Internet servers while in

transit not considered intentional storage.• Storage on PC’s while in D:5 is considered

“intentional”; in such circumstances, anotherauthorization (e.g., TMP) is required.

• As a practical matter, cloud providers servingwestern customers (including those owned by thePRC) have not located their resources in thesecountries.


KEYS AND OTHER ACCESS DATA

29

• Release of keys, passwords or other data (accessinformation) with “knowledge” that such release ortransfer will result in release of underlying technicaldata is a controlled event.

• An unauthorized release of access information wouldbe a violation to the same extent as unauthorizedrelease of underlying data.

• Keys and other access data are not considered“technical data,” and can thus be managedindependently.


ISSUES RELATED TO EXECUTION

30

• Decryption outside the U.S. does not, of itself,constitute an export or release.

• Storage in the clear (after decryption) outside the U.S.does not, of itself, constitute an export or release.

• When transmission is decrypted and re-encrypted,“end-to-end” no longer applies. Subsequenttransmission is a separate, new transmission.

• A user may delegate security to a third party provider,but must ensure that such provider meets carve outcriteria (e.g. encrypts between cloud resources).


CONCLUSION ON CLOUD COMPUTING

31

• Changes are intended to provide maximumflexibility to providers and users.

• BIS will provide additional guidance asmore fact patterns emerge and technologyevolves.


SUMMARY OF 2013 WASSENAAR CYBERCONTROLS

32

• Controls on “network communications and surveillance equipment”for “carrier class” IP networks (5.A.1.j).

Drafters contemplated that controls would apply to a narrow rangeof specific products.

• Controls on network intrusion (4.A.5, 4.D.4, and 5.E.1) focused oncommand and delivery platforms for network intrusion software (e.g.,exploits/payloads).

Included hardware/software command and control platforms andassociated technology.

While defining “intrusion software,” controls did not apply to suchsoftware itself. Controls did apply to technology for such software(5.E.1.c).


U.S. IMPLEMENTATION EFFORTS

33

• The U.S. published a rule implementing these controls in theExport Administration Regulations in proposed form in May,2015.

• We originally anticipated that the reach of the new controlswould be quite narrow, as the discussions in Wassenaarfocused on products of a few companies such asFinFisher/Gamma, Hacking Team and Vupen.

• As a result, the proposed rule required individual licenses forexports to all countries except Canada and for release to allnon-U.S. and non-Canadian nationals.

• Public comment was extensive, focused primarily on networkintrusion, and was overwhelmingly negative.


CURRENT STATUS OF U.S.IMPLEMENTATION

34

• Due to comments received and subsequent extensive outreach tocybersecurity stakeholders, including Government cybersecurityorganizations, we decided to delay implementation.

• Nature of the commentary revealed differences between the originalintent of the controls and the actual impact of the language.

• These issues must be clarified in order to create a level playing fieldwithin Wassenaar and to limit potential negative impact onMember States’ critical cybersecurity activities.

• The U.S. returned to Wassenaar in 2016 with proposals to addresssome of the more important issues, and met with only limitedsuccess; we are continuing this discussion in this year’s session.


UNIQUE FEATURES OF THECYBERSECURITY ENVIRONMENT

35

• Cybersecurity activities are highly globalized.• Cybersecurity employs a fundamental “Red

Team/Blue Team” approach.• Participants vary widely and fluctuate as

needs demand• Cyber activities are now only lightly touched

by export control or other regulations.• Cybersecurity activity can be extremely time

sensitiveSIA PROPRIETARY

NOTE: All speaker comments are off-the-record and not for public release

QUESTIONS FOR WASSENAARDISCUSSION

36

• High level issue: how to control target products without impedingdefensive work

• Problem: in order to effectively prevent a small subset of transactions, alltransactions involving network intrusion command and controlplatforms (including technology) must be touched in some way: Classification – deciding what is caught and what is not IT solutions (firewalls, access controls) Procedures Training

• While U.S. corporations with pre-existing compliance programs areequipped to execute such controls, non-U.S. enterprises, smallcompanies, academic entities, and individuals are not; the latter are bigplayers in cyber defense.


Questions?


DDTC IT Modernization 2 1500_IT...RELEASE #2 Development Ends 5/31/2017 Government and Industry...

Documents

Transcript of DDTC IT Modernization 2 1500_IT...RELEASE #2 Development Ends 5/31/2017 Government and Industry...