If you don’t know what “Potential Access” risk means in the context of export controls, you should. It is what keeps those in-the-know up at night, and is the single greatest ITAR export compliance risk facing the DIB. Export compliance and IT security professionals must have a clear understanding of Potential Access risk and collaboratively work to address it.
Although referenced in official government writings, “Potential Access” is not a defined term in the regulations. Use of the term has evolved within industry to describe a particular export compliance risk that exists where users have privileges to access ECI.
Initially, the risk was described by the export community as “Theoretical Access.” The question export compliance professionals would ask their IT counterparts was, “In theory, could you get access to the ECI?” Since, in theory, an IT admin with the right privileges could do any number of things to get at the data, the answer was always “yes.” Theoretical Access was problematic, as it ignored existing access controls and placed companies in a position to disclose any number of conspiracy theories. Literally. Folks would dream up and disclose ways that IT professionals could engage in nefarious activities, often requiring collusion with others (e.g. IT security), to illegally access ECI. As such, the term evolved into “Potential Access.”
Potential Access takes into account existing access controls. Where there aren’t any controls to prevent a user from accessing ECI, and where actual access logs aren’t in place to prove a user didn’t access ECI, there is Potential Access. Stated another way, Potential Access exists when a person has a user account with the privileges to render or download information electronically. In these cases, users have the inherent privileges to access data. Thus, Potential Access exists where a user has Inherent Access, and Actual Access (render/download) logs are not available.
From a US export compliance perspective, when non-US Person users access ECI, a “release” (a.k.a. “export”) has occurred. Historically, if you don’t have the capability (i.e., access logs) to disprove release, you’ve had a Potential Access “violation,” which companies have tended to voluntarily disclose.
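The definition above can be applied as an entitlement review. The following is an added example, not part of the original post: it sorts each non-US Person grant on an ECI repository into Inherent, Actual or Potential Access. The user names, repository names, privilege names and log records are constructed, and treating a user of unknown status as a non-US Person is an assumption.

```python
# Constructed sample data; every name below is hypothetical.
US_PERSON = {"alice": True, "bjorn": False, "chen": False, "dara": False}
# (user, repository, privilege) grants on repositories that hold ECI
ENTITLEMENTS = [
    ("alice", "plm", "download"),
    ("bjorn", "plm", "render"),
    ("chen", "plm", "download"),
    ("chen", "fileshare", "render"),
    ("dara", "fileshare", "list"),    # sees file names only
]
LOGGED_REPOS = {"plm"}                # repositories that keep render/download logs
ACCESS_LOG = [("chen", "plm", "download"), ("alice", "plm", "render")]

DATA_PRIVS = {"render", "download"}   # privileges that expose the content itself


def classify(entitlements, us_person, logged_repos, access_log):
    """Return {(user, repo): status} for every non-US Person grant."""
    touched = {(u, r) for u, r, action in access_log if action in DATA_PRIVS}
    result = {}
    for user, repo, priv in entitlements:
        # Assumption: a user whose status is unknown is treated as non-US.
        if us_person.get(user, False):
            continue                  # US Person: no release question
        key = (user, repo)
        if priv not in DATA_PRIVS:
            result.setdefault(key, "no inherent access")
        elif repo not in logged_repos:
            # Inherent Access and no logs to show what was rendered or downloaded
            result[key] = "potential access"
        elif key in touched:
            result[key] = "actual access"
        else:
            result[key] = "inherent access, no actual access logged"
    return result


if __name__ == "__main__":
    report = classify(ENTITLEMENTS, US_PERSON, LOGGED_REPOS, ACCESS_LOG)
    for (user, repo), status in sorted(report.items()):
        print(f"{user:6} {repo:10} {status}")
```
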
I say “historically,” because the USG went public with their position on “Potential Access,” beginning with BIS on June 3, 2016 (FR 2016-06-03),…
…and followed by DDTC on September 8, 2016 (FR 2016-09-08).
However, in the 2018 FLIR Proposed Charging Letter, DDTC seemed to reverse the 2016 position on Potential Access with an additional qualification…
…“necessary for their job performance.” So, for example, if an Engineer has Potential Access to engineering ECI, and if you don’t have the access logs to disprove release, an export is assumed. The additional “necessary for job performance” qualification should not be overlooked. From an IT administrative perspective, the qualification is very important. Most IT administrators do not require access to the data to perform their jobs.
To bring it full circle, in theory, an IT admin with the right privileges can find any number of ways to get the data. It is why adversaries target these accounts, why IT security focuses on these accounts, and why monitoring of admin accounts for nefarious activity falls squarely in the realm of IT security (not export compliance). Although “Potential Access” for IT administrators may not pose the export compliance risk it once did, IT Security must have capabilities to monitor, report, and mitigate the risk of unauthorized admin activities (#CMMC). If called upon by export compliance in an investigation, and IT security doesn’t have demonstrable controls, you can count on issues…even disclosures.
The techniques and technologies to mitigate Potential Access risk are field-proven and mature. If you’d like to learn more about how to mitigate Potential Access risk, shoot me a private message.