DoD Proposed Rule - Withholding of Unclassified Technical Data

Ms. Vakare Valaitis
December 30, 2016
Page 1
James A. Hughes
3734 N. Woodrow St.
Arlington, VA 22207
December 30, 2016
Via Regulations.gov
Department of Defense
Attn: Vakare Valaitis
Office of the Deputy Chief Management Officer
Directorate for Oversight and Compliance
4800 Mark Center Drive, Mailbox #24
Alexandria, VA 22350–1700
Re: Withholding of Unclassified Technical Data and Technology From Public Disclosure (DOD–2015–OS–0126), 81 Fed. Reg. 75352 (October 31, 2016)
Dear Ms. Valaitis:
On behalf of the American Bar Association (“ABA”) Section of Public
Contract Law (“Section”), I am submitting comments on the Proposed Rule cited
above.1 The Section consists of attorneys and associated professionals in private
practice, industry, and government service. The Section’s governing Council and
substantive committees include members representing these three segments to ensure
that all points of view are considered. By presenting their consensus view, the
Section seeks to improve the process of public contracting for needed supplies,
services, and public works. The views expressed herein are being presented on
behalf of the Section of Public Contract Law and have not been approved by the
House of Delegates or the Board of Governors of the ABA and, therefore, should not
be construed as representing the policy of the ABA.2
1 Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Marian Blank
Horn, Kristine B. Kassekert, and Heather K. Weiner, members of the Section’s Council, did not
participate in the Section’s consideration of these comments and abstained from the voting to approve
and send this letter.
2 This letter is available in pdf format at
http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html
under the topic “Cybersecurity; Access to and Protection of Information.”
I. INTRODUCTION
The Section applauds the Department of Defense (“DoD”) for drafting the Proposed Rule.
The Section agrees with revising out-of-date references in the current version of 32 C.F.R. part 250
and with recognizing the importance of safeguarding export-controlled information in the context
of DoD procurements. This latter point includes implementing requirements associated with the
provision of DoD-origin information to qualified contractors and release of such information either
by DoD or by its contractors.
The Section believes that the Proposed Rule has certain elements that could benefit from
further clarification or that could cut against the important public policy goal of complying with
export-control laws and regulations. Most specifically, the Section is concerned that, in the present
environment, the seemingly non-discretionary disqualification provisions of the Proposed Rule (if
actually exercised by DoD) may reduce self-reporting of potential violations of export-control laws
and regulations to the Departments of State and Commerce, which have legal jurisdiction over the
International Traffic in Arms Regulations (“ITAR”) and the Export Administration Regulations
(“EAR”). The Section offers recommendations below on this and other issues.
II. COMMENTS
A. The Section Recommends Altering the Provision on Access Revocation and Disqualification.
The Proposed Rule calls for DoD to revoke access and implement an initial
disqualification process for qualified contractors for which DoD has “substantial and credible
information” of export-control violations or for contractors that have submitted potentially false
certifications on the contractor qualification form. See Proposed 32 C.F.R. § 250.6(e). The
export-control violations apparently encompass violations involving shipments of hardware as
well as technical data, which otherwise appear to be the focus of most other aspects of this rule.
Although the Section recognizes the important security interest that DoD has in its own
information and that DoD controls its own procurement process, DoD is not legally charged with
administering export-control laws and regulations. Therefore, having DoD itself determine
whether “substantial and credible information” of export-control violations exists, and take
action against contractors as a result, is at odds with the lead roles of the Departments of State
and Commerce in making such determinations, which they often undertake while coordinating
with DoD to determine potential national security exposure.
Moreover, companies typically self-disclose violations (including routine
civil/administrative violations) to the Departments of State and Commerce and are actively
encouraged by these agencies to do so. The Proposed Rule’s disqualification provision and the
possibility of parallel engagement with DoD and the Departments of State and Commerce may
discourage contractors from submitting such disclosures to the Departments of State and
Commerce; this inhibition may be contrary to the overall policy goal of export-control
compliance, which DoD no doubt also strives to encourage.
The Section recognizes that DoD already has the disqualification power under the preexisting version of 32 C.F.R. part 250, albeit under a different standard (“credible and sufficient
information”). But the Section believes that this power has not been routinely exercised and that
in the current environment of frequent contractor disclosures to the Departments of State and
Commerce, exercising this power might not promote export-control compliance in DoD
programs.
In addition, DoD contractors also must report cyber-breaches to DoD’s Defense
Industrial Base office under the Network Penetration Rule at Department of Defense Federal
Acquisition Regulation Supplement 252.204-7012. See 81 Fed. Reg. 72986 (Oct. 21, 2016)
(final rule). Such breaches could involve export-controlled information, although for a
contractor with adequate cyber controls in place consistent with what is called for by the clause,
the breach would be tantamount to a “theft” and not an “export.” The Section encourages DoD
to recognize this important distinction and not seek to disqualify contractors that have suffered
cyber exfiltrations but that have not necessarily committed export-control violations.
In view of the above concerns, the Section recommends that DoD alter the
revocation/disqualification provision to cover only those instances when it has “substantial and
credible evidence” of “significant, willful violations” of export-control laws and regulations not
otherwise voluntarily disclosed to the underlying export-control agencies. This alternative
standard would provide a more definitive, measured standard that also appropriately recognizes
the roles of DoD and the Departments of State and Commerce.3 At the same time, the focus on
“evidence,” as opposed to “information,” would inject more discretion into DoD’s
determinations and thus prevent the provision from being over- (or erroneously) applied. DoD
and the responsible export-control agencies would thus be able to focus their resources on
serious offenders, which in the Section’s view would better promote the Proposed Rule’s goal of
ensuring the proper safeguarding of export-controlled information in DoD programs.4
B. The Section Recommends Similar Alterations to the Provision on Law Enforcement Reporting
For many of the same reasons as above, the Section is concerned with the Proposed
Rule’s requirement that DoD report “substantial and credible information” of export-control
violations to law enforcement agencies. See Proposed 32 C.F.R. § 250.6(g). Not only could
DoD over-report potential cyber breaches, which are not necessarily export violations, but if
DoD were also required to report minor, administrative export violations (or possible violations)
to law enforcement, then the Department of Justice and other investigative agencies, such as
Customs and Border Protection or Immigration and Customs Enforcement (or the Departments
of State/Commerce), could be overburdened with many reports of minor administrative
violations of export-control laws (including ones seemingly outside the Proposed Rule’s scope,
such as exports of hardware). This over-reporting could include erroneous reports filed by DoD
components whose personnel might not have specialized training in export controls.
3 Of course, the Section recognizes that DoD is not the ultimate arbiter of “evidence” or “willfulness.”
4 In the same regard, the certification to be completed by U.S. and Canadian contractors states that the contractor
does not employ persons who have committed export-control violations. 81 Fed. Reg. at 75356. Because export
controls are a highly technical and broad area, and because companies (and individuals) not uncommonly commit
relatively minor apparent administrative/civil errors, a number of companies could have employees who have (or
may have) committed such technical violations, although such violations have never been formally adjudicated by
the Departments of State/Commerce or law enforcement agencies as actual violations. For that reason, the Section
recommends that the certification provisions be removed or be clarified to include only persons who have been
found in formal proceedings with the Departments of State, Commerce, or Justice to have committed violations or
been penalized under the underlying regimes for apparent violations.
The Section accordingly recommends that DoD consider altering the law-enforcement
reporting provision to include only instances in which DoD has “substantial and credible
evidence” of “significant willful violations” of export-control laws and regulations involving
DoD-owned technical data not otherwise disclosed to the underlying export-control agencies.
C. The Section Recommends Harmonizing the Marking Provision with the NARA Rule on Controlling Unclassified Information.
Certain aspects of the Proposed Rule’s “marking” provisions may benefit from
clarification. The Proposed Rule notes that export-controlled information associated with DoD
procurements should be marked by DoD and contractors in accordance with DoD Directive
5230.24, Distribution Statements on Technical Documents, which sets forth a variety of
“distribution statements” associated with controlled technical information. See, e.g., Proposed
32 C.F.R. § 250.4(i). Although the distribution statements in DoD Directive 5230.24 focus on
“releasability” and that Directive has existed for several years, the Section notes that DoD’s
apparent singular focus on releasability, as opposed to the underlying export-control status of
particular technical information, might not promote the proper treatment of such information
within an organization. This focus also might not promote compliant dissemination of such
information down the supply chain.
The Section believes that the Proposed Rule’s apparent focus on DoD Directive
5230.24’s marking requirements may ultimately prove to be inconsistent with the new National
Archives and Records Administration (“NARA”) rule regarding Controlled Unclassified
Information (“CUI”).5 See 81 Fed. Reg. 63323 (Sept. 14, 2016). This is because the NARA
rules purport to standardize marking protocols for CUI, including export-controlled information.
For example, according to the NARA CUI Registry, when an agency implements the NARA
CUI program, export-controlled documents should be marked “EXPT,” and controlled technical
information (which overlaps with export-controlled information) should be marked “CTI,”
although the CUI Registry’s explanatory entry for “CTI” also notes that CTI consists of
information that is marked with distribution statements pursuant to DoD Directive 5230.24. See
generally CUI Registry – Categories and Subcategories at
https://www.archives.gov/cui/registry/category-list.
Therefore, although the Section recognizes that DoD has a legitimate interest in
restricting “releasability,” when fully implemented the NARA regulatory construct would appear
to call for an export-controlled drawing to be marked “EXPT” and “CTI” and have a distribution
statement. DoD’s Proposed Rule, however, appears to focus exclusively on the distribution
statement. With this in mind, we encourage DoD to consider revising the final rule to note that
export-controlled documents should be marked consistently with NARA protocols upon DoD’s
adoption of the NARA CUI program, in addition to requiring distribution statements under the
Proposed Rule.6
5 The NARA rule is effective on November 14, 2016, for agencies (though full implementation may take some time)
and will eventually cover nonfederal entities such as contractors through agreements with disseminating agencies
such as DoD.
III. CONCLUSION
The Section appreciates the opportunity to provide these comments and is available to
provide additional information or assistance as you may require.
Sincerely,
James A. Hughes
Chair, Section of Public Contract Law
cc:
Aaron P. Silberman
Kara M. Sacilotto
Linda Maramba
Jennifer L. Dauer
Council Members, Section of Public Contract Law
Chairs and Vice Chairs, Cybersecurity, Privacy, and Data Protection Committee
Chairs and Vice Chairs, International Procurement Committee
Craig Smith
Samantha S. Lee
6 Separately, the Section encourages DoD to coordinate with NARA and the Departments of State and Commerce to
consider updating NARA’s CUI markings to facilitate the separate identification of ITAR and EAR controlled
technical information as opposed to the singular “EXPT” and “CTI” designations. Not only do ITAR/EAR
designations assist others with downstream compliance, the act of determining whether a document is ITAR or EAR
controlled (or possibly not controlled at all) may help ensure that documents are not over (or under) marked.