Handling Export Controlled Information in the Supply Chain


The Department of Energy’s National Security Campus is operated and managed by Honeywell Federal Manufacturing & Technologies, LLC under contract number DE-NA 0002839.

Contents of this presentation may contain Honeywell proprietary information.

Foreign Targeting of Sensitive Information in Supply Chain

• Foreign adversaries use varied means to acquire information and technology to gain political, military, and economic advantages.
• Access to technology at a US supplier’s facility may be misused in order to:
  – Steal technical information or products
  – Bypass expensive research and development
  – Recruit individuals for espionage

Information that could be a target:
• Proprietary formulas and processes
• Technical components and plans
• Computer network design
• Manufacturing plans

Export Control Laws Prohibit Foreign Person Access

Deemed Export: Disclosing export controlled information about an item or technical data to a foreign person, wherever located, is “deemed” to be an export to that person’s home country.

Deemed Exports Exception: Any foreign national is subject to the "deemed export" rule except a foreign national who is granted:
1. Permanent residence, as demonstrated by the issuance of a permanent resident visa (i.e., "Green Card").
2. Dual citizenship that includes U.S. citizenship.
3. Status as a "protected person."

Export Control Approved Suppliers

• Under NAP-23 in our contract, Nuclear Security Enterprise (NSE) sites are responsible for ensuring that suppliers are approved to receive, handle, and protect the security level of controlled unclassified information that may be released to them per site-specific requirements.
  – This applies to the transfer of technical data and samples at time of release to a supplier or potential supplier, including for purposes of development, solicitation, requisition, or collaboration where no procurement is made.

Items and information controlled under AEA require the supplier to be approved for security & protection handling.

SUPPLIERS CONTROL OF INFORMATION


Things to Consider

• Access by visitors, cleaning company, vendors, contractors, new hires
  – Do you identify if they are foreign persons?
• What access to company computers is given to visitors?
• Tours
  – How do you restrict access from casual viewing?
  – How do you restrict foreign person access away from ECI documents while in use during production?
  – Foreign parent company access restricted

Risk Assessment

• Take a tour of the facility; look for access points open to the public.
• Are drawings located on the shop floor?
• What restrictions are required to be flowed down to sub-tier suppliers?
• Does the company have a clean desk policy?
• Where is your server located?
  – Where are documents stored once received?
  – Does your foreign parent company have access to tech data?
• How is export controlled technical data electronically released?
• Who do employees contact regarding questions related to foreign persons or potential red flags?

Controlling Information

Access Control
– ECI/OUO information and items shall be maintained in a secured area to prevent inadvertent release or disclosure to foreign persons.
– Foreign persons (non-US persons), including employees, consultants, visitors, and/or sub-contractors, shall be restricted from having access to ECI/OUO information and items through any means (this includes overhearing conversations, observing material or information, or otherwise obtaining access in any way).

Storage Controls

• STORAGE of ECI shall be maintained within a secure area. Such areas include a locked receptacle such as a file cabinet, desk drawer, overhead furniture credenza system, or similar locked compartment.
• ECI can also be stored in a room or area that has sufficient physical access control measures (guard, cipher lock, card reader, etc.) to afford adequate protection and prevent unauthorized access from foreign persons.
• Companies that host their servers or store email on the “cloud” will not be approved to receive export controlled information from FM&T.

Supplier Visit Checklist

• Supplier Visit Checklists are used by Commodity Teams when visiting any supplier.
• The export control section of the checklist is required to be completed.
• If an order has been placed with a development supplier, the checklist is required.
• All production suppliers require the completion of the checklist after a visit.

Secure Handling

• TRANSMISSION of ECI/OUO will be sent electronically through a secured method of transmission (e.g., email encryption or authorized users of Web Exchange). Supplier is responsible for sending ECI/OUO through secure methods when transmitting electronically.
• DESTRUCTION of ECI/OUO, including Gerber files and electronic storage media, when no longer needed, may be accomplished by shredding into strips, burning, pulping, or pulverizing beyond recognition or reconstruction. After destruction, material may be disposed of with normal waste.
• Articles returned for credit, failed inspection, or defective parts will require demilitarization (DEMIL) in accordance with 10 CFR part 109, rendering the product useless.

Publicity

• DOE products cannot be used for advertising
  – Posters
  – Product Display
  – Website
• DOE products should not be discussed with visitors on visitor tours

Reporting Protocol

Report any suspicious or potential release of export controlled information to your compliance officer.
• Do not interrogate.
• Do not investigate.
• Maintain normal, professional conversations and relationships.

Every relationship with our business along the supply chain needs to be vetted to ensure security.

“Security pros consider the supply chain a critical security risk. The first thing an attacker will do is look at who you do business with.” – Minneapolis Star Tribune