CMMC Unacknowledged Ep. 34 | Can foreign nationals have access to CUI?

Channel: Etactics Published: 2022-06-07 2,471 words Source: auto_caption
Intelligence Operations & Secrecy

Transcript

Well, good morning, and welcome to CMMC Unacknowledged, where we answer the unanswered questions that were asked during the monthly CMMC-AB town hall meetings. My name is Todd Stanton. I'm the regional sales manager for all things CMMC at Etactics. As always, I'm joined by Ty Whittenburg. Ty is the senior information assurance manager at Rea & Associates. Welcome, Ty.

Hey, good morning, Todd. Thanks for having me.

Thank you for being here. All right, this is the last in a series of conversations that we've been having about CUI, and today we're going to talk about who has access to controlled unclassified information. So my question specifically is: can foreign nationals have access to CUI?

This is really a tough question for me because, you know, there are vendors that the Department of Defense does business with that are outside of the United States, right? Um, so, you know, uh, you know, if you look at the National Archives, they'll speak to you a little bit about limited dissemination of controls. Um, you know, if you talk about CMMC and folks who can do assessments, uh, in your environment, they can't be foreign nationals, or you can't have foreign national, um, RPs or C3PAOs yet. Uh, you know, obviously there's a little bit, there's not some unity here amongst the different, um, branches of the service in regards to this, but there is some controlled unclassified information within those government contracts that are, are exposed. So I, I don't know the whole inner workings to that, but I, I would think that it would be no different than, uh, you know, secret, top secret clearances and vetting processes have to go through for those foreign nationals that are working on projects for the Department of Defense to have access to that information. But, you know, if you are a small manufacturer or organization here in the United States, you know, especially with ITAR rules and things like that as well too, you cannot allow foreign nationals within your organization that are not naturalized citizens, that are on visas, to be able
to access that controlled unclassified information.

And there's a distribution statement, uh, about no foreign nationals, right? Like NOFORN, isn't that a marking that can be used to identify documents that cannot be shared with foreign nationals?

That is correct.

And so, you know, some of the exceptions that I found to accessing CUI, you know, absent the, the NOFORN marking: um, you know, non-US citizens employed by DoD may receive CUI if access is within scope of their assigned duties, so, you know, these are people employed by DoD; or access would further the execution of a DoD undertaking; access is not detrimental to a DoD interest for the U.S. government; there's no contract restriction prohibiting access; and it complies with DoD 8500-01E and 5200-2.2-R and export control regulations. So it seemed like there's a lot, a lot of different, you know, legal convergences here when we have CUI that would be accessed by, you know, somebody outside the U.S. or non-US citizen, um, a lot like you mentioned, you know, ITAR and some of the other, you know, regulations that might apply. So I think that it is something that you want to take a very close look at before sharing CUI with a non-US citizen, correct?

For sure. I mean, and we just, you just rattled off a, a ton of references there. A real simple reference is if you just go to the National Archives, right, around and it gives you some general dissemination principles that, as an organization here in the United States, can help you navigate your execution or questions that you need to ask to ensure that you're doing your due diligence to safeguard that information. One of the things that I found particularly interesting in there was, you know, the line that says agencies may place limits on disseminating the CUI beyond, uh, for lawful government purpose only through the use of limited dissemination controls, and then it has a list below in the National Archives, right? So a simple place to go would be the National Archives, but then Todd rattled off a bunch for you as
well too, around NIST, around the DoD information, DoDI 5200 regs, that you guys could take a look at as well too.

And I think, you know, if you did want to share it, there's even a non-disclosure agreement that must be approved by an appropriate DoD component before that information can be shared.

For sure. I would just hope that you, for organizations that are listening to us here that are in the United States and might be in that small or medium category, if you do have somebody that's working with you or in your organization that's a foreign national, just make sure that you're asking the right questions and doing your due diligence, not only to safeguard you, safeguard, uh, them as an employee, uh, and then, you know, also make sure that, you know, we're making sure we defend our, our intellectual property, is what I've been calling it for CUI, especially if it's tied to warfighter or national security.

So I'm going to, um, ask you a difficult scenario then, based on, you know, this being a tough topic here. So, small business, and this is a real-world, um, you know, example I just had earlier this week: small business whose parent company is in Europe. The US subsidiary produces a commercial off-the-shelf product, but for DoD they make that, you know, small modification, but they modify it so that now they realize that what they have created is CUI as part of the, the performance of the contract. And the parent company in Europe wants to have access to that information, right? So the question was, can they have access to that information? So I kind of go back to this checklist here. You know, is it within the assigned scope of their assigned duties for the European country to, you know, have access to it? I don't really think that it would be, right? I mean, is there a reason, like, does it further DoD's, you know, mission if the European parent company has access to this information? And I, doesn't seem like, from the brief conversation I had, that it did.

My opinion is in alignment with yours, that it does not. You know,
obviously the parent company, or not obviously, if I could ask a question, uh, the parent company performs the same type of work in Europe that the subsidiary does here stateside?

It's a commercial off-the-shelf product, but the U.S. subsidiary had modified it for DoD. So, you know, the contract is with the U.S. subsidiary. I think had the contract been with the European parent, you know, now there's a reason to know, right? It furthers his mission. So I think that's where the, you know, the line I would draw is: what, what reason, what benefit does DoD get out of the European parent company having access to this information? It doesn't seem to further their mission if they're able to perform the contract without them having that.

Right, right. The only way I could see that being relevant, right, is that that information needed to be moved over the parent because they were about to, and so hopefully your example that you're talking about, if they're listening, I'm not saying that your, your parent company in Europe is going to close your doors, right? But if, if you were going to close the door, so that small and take in all that intellectual property, obviously I think you would have to go through some of the rebidding process on that contract or get confirmation for it to come over. Those aren't my areas of expertise, to be honest with you. You would definitely have to talk with somebody who deals with mergers and acquisitions, have a really strong attorney, to ensure that, you know, that comes over and you get the approval of the Department of Defense to maintain that contract. But to your point, yes, that in my mind there's no need for the parent company in Europe to have that information for that modification, which is now no longer a commercial off the shelf. So, you know, we, we, we've talked about this before, that commercial off the shelf, if you've made any modification to it for specificity for a contract and, you know, something that's, uh, germane to the nation state or warfighter, it's not commercial off the
shelf anymore. You and I cannot go to a local gasket place or, um, hardware place and buy that anymore, because it is specific to that contract in that particular phase of the development of production. So, um, no. My answer is no, final answer.

Let's put a slight twist on it and see if your answer changes. So now let's say the, you know, prime, whoever awarded that, that contract to this U.S.-based subsidiary, comes back and says, we want you to enhance this product a little bit more and make some additional modifications to it, and the U.S. company doesn't have the resources. The actual engineering team is in Europe; they're the ones who designed the commercial off-the-shelf products. So now we've got to engage these non-US citizens in Europe who are at the parent company to come in and help that modification. Does that at all change, you know, your opinion as to whether or not now there might be a reason for, you know, sharing that information, as it might further DoD's mission?

So I'm going to ask two questions. Um, is it the actual modification of the product with those engineers, or is it modification of the quality control to confirm that it works?

I would say the product itself.

Okay, so quality control would not be a problem in my mind. Partnering with them to, to modify it will require you to go back up the food chain and get approval and vetting, not only from whoever your client is, but ultimately they would have to request and get vetting and approval from the Department of Defense. That could take time in the project that they don't want to do. Um, you know, and from a business decision, even though it would be easier to run it up the pipeline with the engineers in house that you already have and know, you know, you could potentially expect, for speed to production, um, you know, FIFO, first in, first out, that you have to find somebody who's vetted, probably, potentially, uh, done their SPRS score in the procurement integrated portal, um, and, and find a vendor that way, um, that in the U.S. that can accomplish
that goal for you.

Interesting. Okay, well, always a pleasure to hear your thoughts on these subjects. I know they're not easy topics, but we'll just, you know, close this one out by saying, when in doubt, maybe seek some legal counsel, um, and, and ask about, you know, what laws may be, you know, in play in terms of the type of information that you're dealing with, uh, and what the process would be to actually provide that access, right? There's obviously some forms that would have to be signed once, right?

Some vetting and some forms to sign, for sure, no different than like a non-disclosure agreement, right? And I'm, that I'm making it very simplistic. So your advice is fantastic: find an attorney, take some advice. You know, I haven't actually done, uh, research in the CMMC accreditation body marketplace, but I would have to believe, based off of the gentleman, Bob Metzger, that you like to talk about a lot, that there's got to be some potential attorneys that are also in the information security RP space, that are RPOs in that space and are, are well versed in CMMC, defense contracting. All of those things are going to be critical in making sure that you don't expose yourself to risk.

You know, I feel like, uh, months ago they talked about how these non-US-based companies that are contractors for DoD would go through the certification process, right? Because, like you mentioned earlier, you know, C3PAO cannot be a foreign-held company; they have to be US-based. So how is a company in France, you know, who is a contractor for DoD, going to get certified? We're going to be flying assessors from the U.S. to go to France to do, what are your thoughts on that?

Uh, I would say yes. It would be no different than, you know, some of the bigger firms out there that do audits and, and attestation work. Um, so yeah, you, you're going to have some folks that are C3PAOs that are going to get a couple additional stamps on their, um, on their passports, right? And they're going to fly over and they're going to, they're going to vet
these companies that are, have to, you know, be certified for CMMC levels. I don't think we've, we've seen any of that yet, right? But that, you know, we're still trying to, uh, you know, make the water clear around the CMMC ruling, right? And now you and I just added another aspect. It's all, messy is a bad word to say per se, but it's, it's messy, because, you know, business isn't exacting. It's always a little messy.

So it's complicated.

It's complicated, yeah, there we go. I think, um, I think our, um, I think the CMMC and the DoD, as this journey continues and as we get closer to 2023, May 2023, you know, all the things that you and I are talking about obviously are also things that folks are thinking about, um, and some of that stuff will begin to formalize. Um, you know, I'd love to stamp the passport and go over to France and, you know, be an RP or, or a C3PAO for that. Not that I'm advertising for that, but, um, you know, that'd be.

So if there's a company in France that wants to hire Ty Whittenburg, how can they get a hold of you?

Uh, you can reach out to us at, uh, Rea & Associates, particularly my email, ty.whittenburg, W-H-I-T-T-E-N-B-U-R-G, at reacpa.com.

Perfect. Well, thank you for your time, Ty. I appreciate the conversations around CUI. I feel like I learned something. Um, hopefully you found the time a worthwhile investment. Hopefully people watching feel the same. So thank you again.

Yeah, thank you so much for having me. Have a good one.