---------------------------------------------------------------------- FOR OFFICIAL USE ONLY FINAL REPORT MAY 2001 BOOK 1 AUTOMATED EXPORT SYSTEM (AES) CERTIFICATION REPORT Report to Congress Presented To: Senate: Committee on Foreign Relations House: Committee on International Relations Public Law 106-113, Title XII, "Security Assistance", Subtitle E, "Proliferation Prevention Enhancement Act of 1999" U.S. Department of Commerce Economics and Statistics Administration U.S. Census Bureau ---------------------------------------------------------------------- TABLE OF CONTENTS* EXECUTIVE SUMMARY v I. BACKGROUND 1 II. AUTOMATED EXPORT SYSTEM A. Automated Export System Overview 5 B. AESDirect Overview 9 C. Automated Export System System Description and Functionality 10 D. AESDirect System Description and Functionality 29 E. Automated Export System Operational Capacity 47 F. AESDirect Operational Capacity 49 III. SECURITY STANDARDS (AES & AESDirect) 51 IV. SUMMARY OF INFORMATION SYSTEMS SECURITY ASSESSMENT REPORTS (Office of Information Security, General Services Administration) A. Automated Export System Level I Security Assessment Summary (U.S. Customs Service) 56 B. Automated Export System Level II Security Assessment Summary (U.S. Customs Service) 59 C. AESDirect Level I Security Assessment Summary (Census Bureau) 61 D. AESDirect Level II Security Assessment Summary (Census Bureau) 63 V. AGENCY RESPONSE TO SECURITY ASSESSMENT REPORTS A. U.S. Customs Service Response to Security Assessment Report Level I 65 B. U.S. Customs Service Response to Security Assessment Report Level II 87 C. Census Bureau Response to Security Assessment Report Level I 90 D. Census Bureau Response to Security Assessment Report Level II 129 VI. RECOMMENDATIONS A. Security and Functionality of AES 148 B. Security and Functionality of AESDirect 148 C. Proposed Timetable for Implementing AES Filing for All Items on the Commerce Control List and U.S. Munitions List. 149 D. Cost of Implementing Provisions of H.R. 3194 150 VII. APPENDIX A. Agency Chief Information Officer (CIO) Evaluation Letters on the Security and Functionality of AES and AESDirect B. Legislation Text: Public Law 106-113, Title XII, Subtitle E, Proliferation Prevention Enhancement Act of 1999 C. AES Security Plan D. AESDirect Security Plan E. U.S. Customs Service AES Certification (Security Accreditation) F. U.S. Census Bureau AESDirect Certification (Security Accreditation) G. Security Standards: OMB Circular A-130 H. Security Standards: Presidential Decision Directive (PDD-63) * Page numbers in TABLE OF CONTENTS apply to the printed version and not this file. ---------------------------------------------------------------------- EXECUTIVE SUMMARY This "Report to Congress Automated Export System (AES) Certification Report" responds to Congress' direction as stated in Public Law 106-113, Title XII, Subtitle E,"Proliferation Prevention Enhancement Act of 1999, that the Secretary of Commerce, the Secretary of Treasury, and the Director of the National Institute of Standards and Technology jointly provide a certification of the AES to the Committee on Foreign Relations of the Senate and the Committee on International Relations of the House of Representatives. This Certification report verifies that a secure AES is available through the Internet and is capable of handling the expected volume of information required to be filed under Subsection (b) of the Proliferation Prevention Enhancement Act of 1999 plus the expected volume from voluntary use of the AES. This certification report further verifies that the AES has been successfully implemented and tested and is fully functional with respect to reporting all items on the United States Munitions List (USML) and the Commerce Control List (CCL), including their quantities and destinations. This is a companion report to the "Report to Congress Feasibility of Mandatory Automated Export System (AES) Filing" issued July 27, 2000. In that report, making the filing of all export shipments through the AES mandatory was judged to be a concrete and feasible step toward improving the collection of export information by the Federal Government. These improvements enhance the quality of export statistics; reduce unnecessary costs on businesses, the trade community, and Government; and most importantly strengthen the Nation's ability to control the export, of critical technologies, illegal goods, or commodities that could become weapons of mass destruction to hostile countries or parties overseas. This certification report describes the security measures in place to develop, implement, and maintain both the AES and AESDirect systems, a summary of the information system security assessment reports prepared by the General Services Administration (GSA), Office of Information Security, the U.S. Customs Service (Customs) and the U.S. Census Bureau's (Census Bureau) response to those security assessment reports that list the specific actions taken by both agencies to ensure the security and functionality of the system. Copies of the actual GSA Level I and Level II Information Systems Security Assessment Reports for the AES and AESDirect systems are also included in this report in a separate book. Currently, export information is compiled from both paper and electronic documents or transactions filed by the export trade community with Customs or the Census Bureau. All exports of merchandise valued over $2,500 from the United States, Puerto Rico, and the United States Virgin Islands, plus all licensed exports regardless of value, are required to be reported. For exports to Canada, the United States substitutes Canadian import statistics, rather than collect statistics on exports to Canada, in accordance with a data exchange arrangement codified in a Memorandum of Understanding signed by the customs services and statistical agencies in both countries. To improve the quality of export trade statistics, to reduce reporting burden on American exporters, legally defined as U.S. principal parties in interest; and to ensure compliance with export laws, the Census Bureau and Customs, in 1994, initiated the AES program. The AES is an electronic method by which exporters or their agents can transmit Shipper's Export Declaration information and by which carriers can transmit transportation (manifest) information to Customs or the Census Bureau. The AES became operational in July 1995. Currently it is a strictly voluntary program. Use of the AES by American exporters and forwarding agents increased slowly in its early years, in part because exporters could still make use of an alternative but antiquated computerized reporting system, the Census Bureau's Automated Export Reporting Program (AERP). This 30 year old system was shut down at the end of 1999, and since then, the number of filers using the AES and the value of export transactions reported over the AES have grown rapidly. The Chief Information Officers of the Department of Commerce, Department of the Treasury, and the National Institute of Standards and Technology evaluated the AES and AESDirect security and functionality attributes and have determined that the AES and AESDirect systems meet the security standards as set forth under the Security Standards of the Office of Management and Budget Circular A-130 and the Presidential Decision Directive (PDD-63). In addition, the AES has received a security accreditation from Customs, and AESDirect has received a security accreditation from the Census Bureau. Therefore, as a result of these security assessments and in response to the requirement stipulated in the Proliferation Prevention Enhancement Act of 1999, the Secretary of Commerce, the Secretary of the Treasury, and the Director of the National Institute of Standards and Technology jointly provide certification to the Committee on Foreign Relations of the Senate and the Committee on International Relations of the House of Representatives that a secure AES and AESDirect data capture system is available through the Internet capable of handling the reporting through the AES of all items on the CCL and the USML. It is further certified that the AES and AESDirect systems can handle the anticipated volume from voluntary use of the AES. The AES and AESDirect systems are production operational, have been fully tested, and are fully functional with respect to the reporting of all items on the CCL and the USML. ---------------------------------------------------------------------- I. BACKGROUND On November 29, 1999, the President signed H.R. 3194 (Public Law 106-113), the Consolidated Appropriations Act of 1999. Title XII, Subtitle E of the law contains the "Proliferation Prevention Enhancement Act of 1999." This Act amends Title 13, United States Code, Section 301, by adding at the end the following new subsection: "(h) The Secretary [Commerce] is authorized to require by regulation the filing of Shipper's Export Declarations under this chapter through an automated and electronic system for the filing of export information established by the Department of the Treasury." In general this Act authorizes the Secretary of Commerce, with the concurrence of the Secretary of the Treasury, to publish regulations in the Federal Register to require that, upon the effective date of those regulations, exporters (or their agents) who are required to file Shipper's Export Declarations (SEDs)under Chapter 9, Title 13, United States Code, file such declarations through the Automated Export System (AES) with respect to the export of all items on the United States Munitions List or the Commerce Control List. The regulations referred to in the previous paragraph will include at a minimum: (1) a provision by the Department of Commerce for the establishment of online assistance services to be available for individuals who must use the AES, (2) a provision by the Department of Commerce for ensuring that an individual who is required to use the AES is able to print out a validated record of the transaction, including the date of the submission and a serial number or other unique identifier for the export transaction, and (3) a requirement that the Department of Commerce print out and maintain on file a paper copy or other acceptable backup of the individual's submission selected by the Secretary of Commerce. The Act will become effective 270 days after the Secretary of Commerce, the Secretary of the Treasury, and the Director of the National Institute of Standards and Technology jointly provide a certification to the Committee on Foreign Relations of the Senate and the Committee on International Relations of the House of Representatives that a secure AES system available through the Internet is capable of handling the expected volume of information required to be filed under Subsection (b), plus the anticipated volume from voluntary use of the AES has been successfully implemented and tested and is fully functional with respect to reporting all items on the Commerce Control List and the United States Munitions list, including their quantities and destinations. This Act further specified that a Feasibility Report be submitted to the above listed committees of Congress not later than 180 days after enactment of the act. The U.S. Census Bureau (Census Bureau) and the U.S. Custom Service (Customs) coordinated the establishment of an AES Feasibility Working Group, comprised of the six Federal agencies listed below, to conduct this analysis, address the objectives of the legislation, and prepare a Feasibility Report for submission to the appropriate committees of Congress. Consistent with the Act, the major objectives of the report were to evaluate the feasibility of mandating AES for filing all export declarations, to investigate the manner in which the AES can or cannot be used by the automated export licensing systems listed below, to develop a timetable for any expansion of information (if any) to be filed through the AES, and to present the estimated cost for full implementation of such a system. The Feasibility of Mandatory Automated Export System (AES) Filing Report was submitted to the appropriate committees of Congress during the first week in August 2000. The report recommended the following: (1) The AES be made mandatory for filing all SED information. (2) Data gathered through the AES be made available to the export licensing agencies listed below based on their statutory and regulatory authority to have access to such data. Specific agreements and Memoranda of Understanding will be developed with each agency specifying their access, use, and restrictions on use of such AES data. The Federal Government licensing agencies participating in the report included the following: (A) Defense Trade Application System of the Department of State. (B) Export Control Automated Support System of the Department of Commerce. (C) Foreign Disclosure and Technology Information System of the Department of Defense. (D) Proliferation Information Network System of the Department of Energy. (E) Enforcement Communication System of the Department of the Treasury. (F) Export Control System of the Central Intelligence Agency. (3) That AES mandatory filing be phased in over a specified time period with a cost estimate for implementing the recommendations. To prepare the AES Certification Report, the Census Bureau, Department of Commerce, and the U.S. Customs Service, Department of the Treasury, established an AES Certification Working Group. Representatives of the Census Bureau, the Department of Commerce, the Department of the Treasury, Customs, and the National Institute of Standards and Technology are all represented on this working group and have taken the necessary steps to complete the certification process and present the appropriate report to Congress. The AES Certification Working Group determined that the best method for evaluating the security and functionality of the AES and AESDirect systems and to establish that the AES and AESDirect systems were secure and functional was to conduct an independent security review of both systems. At the request of the Census Bureau and Customs, the General Services Administration, Office of Information Security, conducted an Information Systems Security (INFOSEC) vulnerability assessment of the AES and AESDirect computer systems. The INFOSEC security assessments were conducted and final reports were prepared. While no major security vulnerabilities were discovered in either system, there were a number of minor security vulnerabilities discovered in both systems that required resolution by both agencies. The Census Bureau and Customs have addressed each of the vulnerabilities raised in the security assessments and either have resolved or specified the steps that will be taken to resolve all the security vulnerabilities addressed in the security assessments. A detailed description of the security vulnerabilities and the specific steps the Census Bureau and Customs are taking to resolve the vulnerabilities are discussed in Section V of this report The AES Certification Report presented to Congress, herein, presents the security and functionality certification of the AES mainframe and AESDirect systems and describes findings and specific recommendations for implementing the provisions of the legislation. The participating agencies agree that: (1) The AES and AESDirect systems are secure and functional automated export reporting systems that meet the security requirements established by the Federal Government, (2) The AES and AESDirect systems are capable of implementing the requirement specified in the legislation for the mandatory filing through the AES of all items on the United States Munitions List and the Commerce Control List, and (3) The AES and AESDirect systems are capable of handling the expected volume from the voluntary use of the AES. ---------------------------------------------------------------------- II. A. AUTOMATED EXPORT SYSTEM OVERVIEW In January 1994, the U.S. Census Bureau (Census Bureau), the U.S. Customs Service (Customs), other Federal agencies and the exporting community began developing the Automated Export System (AES). The Census Bureau and Customs, as the primary developers of the AES, created the AES to assist in the enforcement of export control laws, improve the collection of export trade statistics, and facilitate export trade. The AES was designed to electronically capture Census Bureau Shipper's Export Declaration (SED) information and Customs Carrier Outbound Manifest data and to be the single source for the submission of export data. Currently, the AES accepts commodity data reported on the SED for all methods of transportation and transportation data reported on the Vessel Outbound Manifest for vessel shipments. The AES is an information gateway for both the Census Bureau and Customs to improve the reporting of export trade statistics, improve customer service, assure compliance with and enforcement of export laws, and provide paperless reporting of export information. In meeting the needs of both the Census Bureau, Customs, and the other Federal agencies involved in export control, the AES provides detailed real-time export information that systematically identifies high-risk shipments for examination, prevents the illegal export of weapons of mass destruction and high technology goods, and helps prevent reporting errors, which affect the accuracy and coverage of export trade data. The Census Bureau is mandated by Title 13 of the United States Code, Chapter 9, to collect, compile, and publish the official export trade statistics. These statistics are compiled from data reported on the paper SED or the AES electronic record. The Census Bureau collects and processes approximately 1.8 million export transactions per month and projects this number will grow at a rate of 6 percent each year for the next 10 years. In the past, the collection of these export transactions was largely a manual process. The AES is the tool by which the Federal Government is automating this process. Since these are the official U.S. trade statistics, the AES provides quality data through up front editing. These data are used by the Government and the private sector. The Government uses these data to determine the balance of trade, to negotiate trade agreements with other countries, and to identify potential markets for U.S. exporters. The private sector uses the data to measure the impact of foreign competition, track trade flows with our trading partner countries, conduct market research, and develop and determine company trade policies. The AES saves time and money and eliminates duplicate reporting of data among the Census Bureau, Customs, the Bureau of Export Administration, and the Department of State. The National Council on International Trade Documentation conducted a survey and found that it costs the private sector approximately $18 to $75 to file a paper SED and approximately three times as much to correct a SED. By contrast another survey revealed that it costs only $1 to $2 to file SED data electronically. The AES certified exporters or their authorized agents transmit the SED (commodity data) to the AES in one of the formats accepted by the system plus the filer's identification number and unique shipment reference number (unique for 5 years) to reference the shipment. These data are edited by the system against various edits and agency requirement files. These agency requirement files include the munitions list and Bureau of Export Administration denied parties and license lists. If the data do not pass the edits, a message is sent back asking the filer to correct and resubmit the data. If the data are filed without errors, the AES returns a confirmation number. Upon acceptance by the AES, the filer delivers to the carrier both the cargo and notification that the shipment was transmitted through the AES. The carrier submits the transportation data to the AES upon receipt of the cargo. The AES matches the commodity and transportation data to form a complete export transaction. Section 30.12 of the Foreign Trade Statistics Regulations requires that SED data be submitted to the carrier prior to export, except where specifically exempt. The trade community wanted, in the AES, some form of post-departure filing to accommodate current business practices, to accommodate filers of the now defunct Automated Export Reporting Program, and to assist exporters or filers in cases where required information is not available predeparture. Therefore, the Census Bureau, Customs, other Federal agencies, and the exporting community entered into Interest-Based Negotiations to define post-departure filing options. The results were two additional filing options, options 3 and 4. The filing of the paper SED and the pre-departure filing of all data required on a SED were categorized as options 1 and 2 respectively. Option 3 provides for filing a minimum of 14 specific data elements, pre-departure, and filing the complete data within 5 days of export. Option 4 provides AES certified filers the authority to file an approved exporter's complete data within 10 days after export. Specific information on the export filing options are provided below: Option 1: Paper SED, Pre-Departure. ----------------------------------- This option refers to the current method of filing paper SEDs and offers no electronic communication. Currently, goods subject to State Department licenses are required to be processed under Option 1. (AES filers are "dual filing"; that is, they are filing both electronically through Option 2, as well as filing paper SEDs to satisfy State Department requirements.) The paper SEDs will continue to be given to the exporting carrier prior to exportation, although the State Department could approve exporters to only file once through the AES. Option 2: AES With Full Pre-Departure Information. -------------------------------------------------- Option 2 is used for shipments for which full commodity information is available prior to departure or for which full pre-departure information is required. Option 3: AES With Partial Pre-Departure Information. ----------------------------------------------------- Option 3 is available for shipments for which full commodity information is not available prior to export or for shipments by Option 4 exporters, for which pre-departure information is required for licensing or other purposes. All remaining data elements must be transmitted within 5 days of the date of exportation. This option is available to AES filers without prior approval. Option 4: AES With No Pre-Departure Information. ------------------------------------------------ Option 4 provides a full post-departure filing option to approved exporters. Qualified shipments can be exported with no pre-departure information. Complete commodity information must be filed within 10 working days from the date of exportation. The AES accepts data using the national standard, ANSI X-12, the international standard, UN/EDIFACT, and the Customs Proprietary format. Software in these formats may be developed using specifications as provided on the AES Web site, , or purchased from AES certified software vendors. Data may be transmitted through AES Certified Service Centers. When either the AES or the client's system is down, dialogue between the client and the client's Census Bureau or Customs client representative takes place and the established "Downtime Policy" becomes effective, that is, the cargo moves. ---------------------------------------------------------------------- II. B. AESDirect OVERVIEW AESDirect is the U.S. Census Bureau's free, Internet system for filing Shipper's Export Declaration (SED) information to the Automated Export System (AES). The AES is the electronic alternative to filing a paper SED. Exporters, forwarders, or anyone responsible for reporting export information may use the system. AESDirect streamlines the exporting process by reducing the paperwork burden on the exporting community, reducing costly document handling and storage, and ensuring timely filing of export information. AESDirect improves the quality of export trade statistics and helps the Census Bureau provide quality statistics to its customers, the Government, and the private sector. Participation in the AES requires the development or purchase of the software necessary to communicate with the AES computer. Some small- and mid-size exporters, forwarders, and other filers of the export data are unable to participate in the AES because of additional costs. To accommodate these filers, who collectively account for a large portion of export transactions, the Census Bureau, at its expense, contracted out the development and maintenance of an internet-based SED filing system for the AES, AESDirect. AESDirect, which became operational on October 4, 1999, provides online registration, tutorial, certification, and help. AESDirect provides for both interactive and batch filing. Currently, AESDirect is capable of handling 100,000 SEDs per month, with the capacity to expand in increments to handle up to 500,000 transactions per month; 100,000 unique filers; and up to 2,000 SEDs per batch for Export Filing Options 2 and 4. AESDirect is operational 24 hours a day, 7 days a week, and a staffed help desk is available from 7:00 a.m. to 7:00 p.m. EST. AESDirect provides data security through encryption and user authentication. Even though AESDirect was designed with the small and mid-size filers in mind, any exporter, forwarder, or anyone responsible for reporting export information may use this system. ---------------------------------------------------------------------- II. C. AUTOMATED EXPORT SYSTEM: SYSTEM DESCRIPTION AND FUNCTIONALITY Project Description The Automated Export System (AES) is the cornerstone of the U.S. Customs Service (Customs) Outbound Process. The Customs Service and the U.S. Census Bureau (Census Bureau) developed the AES to assist in the enforcement of export laws, improve the collection of trade statistics, and facilitate export trade. The AES provides for the electronic filing of the Census Bureau's Shipper's Export Declaration (SED) and electronic filing of the Customs manifest. As the primary export information gathering and processing system, the AES was developed through cooperative efforts with Customs, the Foreign Trade Division of the Census Bureau, the Bureau of Export Administration (BXA), the State Department's Office of Defense Trade Controls, other Federal agencies, and private industries with export missions. The AES system electronically collects export data from exporters, their agents, and outbound carriers. The consolidated export data as required by several Government agencies have eased the data-filing burden for exporters, while streamlining the Federal data collection process. In meeting the needs of both Customs and the Census Bureau, the AES provides detailed real- time export information that systematically identifies high-risk shipments for examination and helps prevent reporting errors, which affect the accuracy and coverage of export trade data. The AES reporting permits targeting high-risk vessel shipments and noncompliant exporters and carriers for outreach and compliance actions. Electronic filing of data through the AES provides Customs with a valuable tool for the identification of high-risk shipments based on specific targeting data that are screened against information provided by the exporter. Before the AES, Customs officers responsible for the enforcement of export laws had virtually no data to sort and target high-risk cargo from low-risk cargo. Inspectors expressed the need for a comprehensive automated system to alleviate the tremendous burden of reviewing paper documents. The AES allows agents to easily access supporting documents for court cases, conduct historical reviews, and input criteria in the automated system to apprehend individuals suspected of criminal activities. The AES also redirects the efforts of administrative personnel to compliance or enforcement actions. In the paper environment, it is estimated that up to half of the hours spent working the outbound process is associated with administrative activities. The AES allows these tasks to be performed in an automated fashion, thereby increasing available hours that can be dedicated to enforcement and compliance, without the need for additional personnel. Participation in the AES has increased dramatically since its July 1997 nationwide expansion to accept all modes of transportation for commodity data. As of December 1999, approximately 162,000 exporters file required information electronically through the AES using forwarders or service centers. With the termination of the Department of Commerce's Automated Export Reporting Program in December 1999, the AES is the only automated reporting vehicle for the collection of export data used for enforcement and statistical purposes. The AES does not change current legislative or regulatory pre-departure export reporting requirements. AES Project Background ---------------------- The AES was piloted in early 1993 in Charleston, South Carolina. Though limited in scope and duration, the pilot provided proof of concept and verified the potential of the AES. A subsequent cost/benefit analysis of the AES pilot validated development of a full AES in support of Customs' export enforcement mission. In 1994, following the cost/benefit analysis, a Customs Single Issue Conference Focus Group recommended the development of the AES. That decision led to a Commissioner Decision Memorandum approving the AES. Since that time, the modular, incremental project development strategy employed by the AES has resulted in seven major releases of the AES accomplished on schedule and within budget. These are as follows: - AES functionality at five seaports: July 1995. - Expansion to all seaports nationwide: October 1996. - Addition of client representative monitoring functions: March 1997. - Expansion of commodity filing to all modes of transport at all ports: July 1997. - AES-PASS feature for post-departure filing: November 1997. - State Department munitions license decrementation (for non- AES filers) at four major ports: November 1998. Nationwide implementation: 4th Quarter 1999. - Vessel Enhancements/Option 4 Post-departure SED filing: March 1999. In addition, the following other agency functionality exists in the AES: - Census Bureau edits; online accesses; batch transmission of commodity data to the Census Bureau. - System validation of outbound shipments against BXA regulated and Special Comprehensive Licenses; Denied Parties List reference file established for Customs field use. - System validation of outbound shipments against State Department DSP-5 approved munitions export licenses; program completed for flat file transfer of munitions shipment data to State/Office of Defense Trade Controls (ODTC). - License codes for Treasury/Office of Foreign Assets Control (OFAC) shipments. - License codes for Nuclear Regulatory Commission shipments. - State Department munitions license decrementation (for AES filers) In 1999, additional enhancements to the AES focused on collecting transportation data and commodity reporting options that resulted from Interest-Based Negotiations (IBN) with the trade community concerning timing of export commodity filing. In March 1999, IBN Option 4 Post Departure SED filing was implemented. Additionally, the AES began accepting booking information from ocean carriers prior to departure, as part of their AES filing (Vessel Carrier Enhancement). The Sea Carrier Initiative will help alleviate the problem of fines being assessed for missing SEDs for participating AES carriers. This should also serve as an incentive for greater participation in electronic ocean vessel manifest filing. The requirements for the collection of transportation data for air and overland carriers are under development through meetings with industry transportation groups. Implementation of this segment of the system is planned to be phased in during FY 2001. Other planned future enhancements include automatic release of in-bond and temporary import-bond and automatic close out of drawback. Full (major) functionality in the AES should be achieved by the end of FY 2002. The following Sections A through C describe how the AES has met and continues to support the requirements, initiatives, and goals of the Customs' outbound programs, the Census Bureau's statistical requirements, export control requirements, and the trade community. Section C discusses the enforcement aspects of the AES. A. The AES and Partnership Agency Interfaces Department of State: The interface with the Department of State for maintenance of license and registrants information in the AES was implemented in May 1998. Implementation of license decrementation for AES filers was also effected at that time. Implementation of license decrementation for non-AES filers is in process. Weapons are one of the primary controlled exports of the United States. It is essential that these exports are tracked and controlled to prevent these weapons from falling into the hands of those who would harm the national interest. The Office of Defense Trade Controls approves approximately 3,000 new licenses for weapons exports each month. These licenses are held and decremented manually at Customs ports, creating resource inefficiencies for Customs, as well as additional costs for legal exporters. The AES interface automates this process, allowing for the electronic decrementation of the DSP-5 licenses. Congress is now demanding greater accounting for these exports, and it is planned that the AES will be able to provide the required information for State Department reporting. The Munitions License database has been transferred from the Treasury Enforcement Communications System (TECS) to the AES. Department of Commerce, BXA: Dual use material, which may be used to produce weapons, is a significant controlled U.S. export. The AES interface with the Department of Commerce's BXA will provide authorized Customs users access to license data through the AES. The transfer of the BXA license module from the TECS to the AES is anticipated in FY 2000. Department of Justice, Drug Enforcement Administration (DEA): Customs works closely with the Department of Justice's DEA to ensure compliance with enforcement of laws that apply to chemicals that are imported, exported, or travel in transit through the United States. This project will provide authorized Customs users access to data on chemical exports and chemical inspection through the AES. The transfer of the current DEA database from TECS to the AES will be accomplished during FY 2000. Other Agencies: Schedules for other agency interfaces with the AES are proposed and are dependent on both Customs and other agency resources and system capability, which will be identified as development schedules become available. It is expected that implementation will be ongoing through at least 2002. For additional information on other Government agencies, see Other Government Agency Export Requirements. B. The AES and Trade Participation (as of February 2001) - More than 4,258 companies are filing data through the AES on behalf of more than 290,000 unique exporters. - Averaging more than 1.4 million commodity lines for the month of February 2001. This 1.4 million represents approximately 70 percent of the non-Canadian export shipments. - 2,300 companies are currently testing for participation or developing software for the AES and are considered non- operational at this time. A major marketing effort has been underway that has significantly increased participation in the AES. Both the Census Bureau and Customs are working closely with exporters, forwarders, software providers, and Non-Vessel Operating Common Carriers (NVOCCs) to ensure their successful participation. The long-range goal is to reduce paper filing by 75 percent by 2002. The trade community, while supporting the concept of electronic SED filing, felt that the initial AES proposal required modification for two primary reasons. First, a significant portion of the trade believes that pre-departure filing of SED data does not conform to current business processes. In many cases, exporters do not have complete information on pre-departure. Second, the AES proposal eliminated a privilege that many exporters had exercised and relied upon for nearly 30 years, the AERP, that allowed post-departure filing of SED data for qualified exporters Enhancements to the Vessel Transportation Module Currently the AES provides for the transmission of transportation data by carriers and commodity data by exporters, their agents, or service centers. When both the exporting carrier and commodity filer are AES participants, the separate transmissions are matched by an external transaction number (XTN) originating with the filer. Because the XTN is sometimes unavailable when a booking is first made (when the export transaction is initiated), a problem exists with matching transportation and commodity data. The enhancements include requiring pre-departure transmission of carrier booking information and matching booking and commodity data utilizing the carrier's booking numbers. C. The AES as an Enforcement Tool One of the roles of the Outbound Process is to assist in anti- terrorism efforts. Under the Antiterrorism Initiative, Congress appropriated funds for Customs to build an Outbound component in the rules-based Automated Targeting System to target high-risk shipments involved with terrorist attacks, as well as contraband or other violations. The distributed targeting infrastructure in the AES enables field users to conduct targeting with the AES as the critical data source. The AES enables inspectors to save time by viewing open shipments online, allowing them to examine more shipments in less time. Using advance data in the AES, inspectors have been able to improve their assessment of which export shipments to inspect. Then, by using enforcement criteria imbedded in the AES processing, inspectors are able to better target shipments for examination based on the advance information. Additionally, local Outbound officers possess the capability to build port-specific enforcement criteria into the AES to meet local enforcement needs. This aspect of the AES allows Customs to perform smarter targeting, versus the "hit-or- miss" approach of the past. The ability to zero in on only high- risk shipments means less cargo is held up. The majority of shipments, those that are low risk, continue to move, unimpeded. Inspectors also utilize the AES to retrieve historical information for case research in investigations into illegal exports, including those of precursor chemicals used to manufacture narcotics or chemical weapons. The AES also assists in preventing exports of illegal weapons, as the Strategic Investigations utilization of the EXODUS Command Center (Customs emergency information center for Customs agents) monitors the AES in its firearms traffic enforcement duties. - Legislative Compliance The AES supports the following Statutory Requirements: - Merchandise Trade Statistics - 13 U.S.C., Chapter 9, requires the Department of Commerce (Census Bureau) with assistance of the Department of Treasury (Customs) to collect, compile, and publish export trade statistics. - Currency and Foreign Transactions Reporting Act - 31 U.S.C. Sec. 5316 requires persons to report to Customs the transportation out of the United States of more than $10,000 in coin, currency, travelers checks, or bearer instruments. This law is used to interdict the resulting profits of the drug trade or other illegal activities. - Stolen Vehicles - 19 U.S.C. Sec. 1627(a) covers the interdiction of stolen vehicles that are being exported. - Arms Exports - 22 U.S.C. Sec. 2778 imposes criminal penalties for the exportation of weapons and munitions contrary to U.S. interest. - Critical Technology - 50 U.S.C. Sec. 2401 covers the export of "dual use" civilian technologies that are readily adaptable to military use or in the manufacture of weapons of mass destruction. - Drug Exports - 21 U.S.C. Sec. 953 prohibits the exportation of controlled substances. - Drug Traffic - 21 U.S.C. Sec. 955 prohibits any person from possessing a controlled substance on board a vehicle, vessel or aircraft departing from the United States. - Sanctions and proscriptions in support of U.S. Foreign policy - Enforce embargoes administered by the Office of Foreign Asset Controls as directed by the Trading with the Enemy Act 31CFR Part 500 and the Trade with Cuba Act, 22 U.S.C. Sec. 2370(a). - Statistical List - 19 U.S.C. Sec. 1484 directs Customs to establish for statistical purposes an enumeration or list of articles being exported from the United States. - Miscellaneous Provisions - The Foreign War Materials Act, 22 U.S.C. Sec. 401, the Atomic Energy Act, 42 U.S.C. Sec. 2011, and the Endangered Species Act, 16 U.S.C.668(aa). - Customs Modernization Act - The AES Improves Data Quality In the paper environment, it is known that a significant percentage of export shipments that require SEDs are never reported. The AES supports Census Bureau initiatives to improve the ability to capture export statistics. The AES provides the capability to readily identify and more accurately analyze information reported collectively or individually by exporters and forwarders, which can be used in the following ways: - Build company profiles that identify the type and volume of commodities shipped and potential destinations. Monitor error rates for individual participants and make data driven decisions to identify those in need of assistance or education. - Develop company-based edits, which will detect the less obvious reporting errors. Other Government Agency Export Requirements The AES is designed to support the data collection efforts of a number of Federal Government agencies referred to as Partnership Agencies. The AES currently captures export data that can be shared among these agencies. Because of the strict confidentiality provisions contained in Title 13, United States Code, Chapter 9, export data are only provided to other agencies based on the agencies' statutory and regulatory authority to have access to such data. When that authority is determined, a specific Memorandum of Understanding and Interagency Security Agreement will be prepared to allow for the sharing of such data and defining restrictions on the access and use of the data. U.S. GOVERNMENT AGENCIES WITH EXPORT REQUIREMENTS Agriculture, Department of: --------------------------- Agricultural Marketing Service Animal Plant Health Inspection Service Food Safety and Inspection Service Foreign Agricultural Service Commerce, Department of: ------------------------ U.S. Census Bureau Bureau of Export Administration International Trade Administration National Marine Fisheries Service/NOAA Office of Textiles and Apparel/ITA Consumer Product Safety Commission ---------------------------------- Defense, Department of: ----------------------- Defense Investigative Service Defense Logistics Agency Defense Security Assistance Agency Defense Technology Security Administration Army, Department of the: ------------------------ Corps of Engineers Energy, Department of: ---------------------- Energy Information Administration Office of Arms Control and Non-proliferation Environmental Protection Agency ------------------------------- Federal Maritime Commission Health and Human Services, Department of: ----------------------------------------- Centers for Disease Control Food and Drug Administration Interior, Department of the: ---------------------------- U.S. Fish and Wildlife Service International Trade Commission ------------------------------ Justice, Department of: ----------------------- Drug Enforcement Administration Labor, Department of: --------------------- Bureau of Labor Statistics Nuclear Regulatory Commission ----------------------------- Small Business Administration ----------------------------- State, Department of: --------------------- Office of Defense Trade Controls Transportation, Department of: ------------------------------ Bureau of Transportation Statistics Federal Aviation Administration Maritime Administration National Highway Traffic Safety Administration U.S. Coast Guard ---------------- Treasury, Department of the: ---------------------------- Bureau of Alcohol, Tobacco and Firearms Internal Revenue Service Office of Foreign Assets Control United States Arms Control and Disarmament Agency ------------------------------------------------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CURRENT AES PARTNERSHIP AGENCY INTERFACES ----------------------------------------- Customs/AES has developed various levels of automated interaction with the following agencies and is exploring further enhancements to the interfaces as noted. Bureau of Export Administration (BXA)/Commerce Office of Defense Trade Controls (ODTC)/State U.S. Census Bureau (Census Bureau)/Commerce Nuclear Regulatory Commission (NRC) Office of Foreign Assets Control (OFAC)/Treasury Bureau of Export Administration (BXA)/Commerce ---------------------------------------------- The BXA issues licenses for a variety of Outbound commodities regulated by that agency and designation of categories of "exceptions" to licensing requirements. In Place Data pertinent to BXA are currently collected as part of the electronic transmission of commodity information (SED) from the AES filer: License Code, License Number, ECCN (Export Control Classification Number). The Exporter/Agent selects the appropriate License Code (table includes BXA-approved Licenses, Special Comprehensive Licenses (SCL), and License Exceptions) from the License Type Code Tables. The exporter or its agent enters an ECCN where applicable (required for all BXA-approved Licenses and SCLs; for License Exceptions, as noted on the AES License Type Code Table). The exporter or its agent enters the approved BXA License Number for all BXA-approved Licenses and SCLs. A System validation of outbound shipments is performed against BXA-approved Licenses and Special Comprehensive Licenses. With the AES, Customs is still the responsible agency for reviewing export shipment information prior to departure. Note that no license application data are processed through the AES. A table and updates from BXA on the Denied Parties List are maintained in the AES for Customs use. A hyperlink from the Customs/AES Web site to the BXA home page on the Internet also provides access to the List to Exporters/Agents to assist in their compliance efforts. Future Enhancements Customs will collect and transmit to BXA commodity/transportation data on all export shipments. The ultimate goal is to eliminate the trade community's and Customs' manual processing and paper review of the SED/approved license data and replace them with data online to view for verification purposes. This will result in more efficient and faster handling of export shipments at the ports. Office of Defense Trade Controls (ODTC)/State --------------------------------------------- The ODTC issues licenses for permanent exports and temporary exports and imports of certain munitions (defense articles and services). In Place Data pertinent to ODTC are currently collected as part of the electronic transmission of commodity information (SED) from the AES filer: License Code, License Number/License Exemption Citation. The exporter or its agent selects the appropriate License Code (i.e., Permanent Export, Temporary Import, Temporary Export, License Exemption, and so forth) from the License Type Code Tables. The exporter or its agent enters the approved ODTC License Number or the License Exemption Citation (i.e., CFR) for all munitions shipments. A system validation of outbound shipments is performed against ODTC-approved Licenses. With the AES, Customs is still the responsible agency for reviewing export shipment information prior to departure. Note, that no license application data are processed through the AES. An automated munitions License Decrementation Program has been developed in Customs/AES. It has been implemented for local use at four ports and was expanded nationwide in the first half of 1999. Nationwide implementation allowed for decrementation of licenses, even when the shipment departed ports other than where the license resides. For AES filers with DSP-5 licensed goods, the filer's export shipment data entry will trigger the decrementation process. For non-AES filers, the program will allow Customs field personnel to key in the basic data on the dollar value of the shipment, etc. The program will decrement the license and calculate the remaining balance. Future Enhancements Customs will collect and transmit to ODTC commodity/ transportation data on export shipments subject to munitions licensing requirements. A return message will be sent to the AES filer with information on the ODTC/State remaining license balance for those export shipments for which they are the responsible party. The ultimate goal is to reduce the trade community's, Customs' and ODTCs' manual processing and paper review of the SED approved license data and replace them with current data online to view for verification purposes. This will result in more efficient and faster handling of export shipments at the ports. U.S. Census Bureau (Census Bureau)/Commerce ------------------------------------------- The Census Bureau is responsible for determining statistical requirements and collecting, compiling, and publishing statistics relating to U.S. exports, imports, balance of trade, and transportation relating thereto. In Place Customs collects and transmits to the Census Bureau line item commodity data provided by the exporter or its agent and transportation (manifest) data provided by the carrier on all export shipments. All line item data are subjected to Census Bureau edits provided for in the AES programs prior to acceptance of the data. The ultimate goal is to eliminate the trade community's, Customs', and the Census Bureau's manual processing and paper review of the SED and replace them with accurate data online to use for analytical and statistical reporting purposes. This will result in more efficient and faster handling of export shipments at the ports. Nuclear Regulatory Commission (NRC) ----------------------------------- The NRC issues licenses for shipments of nuclear material and equipment. In Place Data pertinent to the NRC are currently collected as part of the electronic transmission of commodity information (SED) from the AES filer: License Code, License Number/General License Citation. The exporter or its agent selects the appropriate License Code (i.e., Specific, General License) from the License Type Code Tables. The exporter or it agent enters the approved NRC Specific License Number or the General License Citation (i.e., CFR) for all nuclear material/equipment shipments. With the AES, Customs is still the responsible agency for reviewing export shipment information prior to departure. Note, that no license application data are processed through the AES. Future Enhancements Customs will collect and transmit to the NRC commodity/transportation data on export shipments subject to that agency's nuclear material and equipment licensing requirements. A System validation of outbound shipments will be performed against NRC-approved Licenses. The ultimate goal is to eliminate the trade community's and Customs' manual processing and paper review of the SED approved license data and replace them with data online to view for verification purposes. This will result in more efficient and faster handling of export shipments at the ports. Office of Foreign Assets Control (OFAC)/Treasury ------------------------------------------------ The OFAC issues licenses for certain export shipments that would otherwise be barred by specific country sanctions. In Place Data pertinent to the OFAC are currently collected as part of the electronic transmission of commodity information (SED) from the AES filer: License Code, License Number/General License Citation. The Exporter (U.S. principal party in interest) or its agent selects the appropriate License Code (i.e., Specific, General license) from the License Type Code Tables. The Exporter or it's agent enters the approved OFAC Specific License Number or the General License Citation (i.e., CFR...) for allowable shipments to sanctioned countries. With the AES, Customs is still the responsible agency for reviewing export shipment information prior to departure. Note, that no license application data are processed through the AES. Future Enhancements Customs will establish a Specially-Designated Nationals/Terrorists table in the AES for Customs use with regularly transmitted updates from the OFAC. A hyperlink will be established from Customs/AES Web site to the OFAC home page on the Internet to provide access to the list for exporters/agents to assist in their compliance efforts. Customs will collect and transmit to the OFAC commodity/transportation data on export shipments subject to that agency's sanctioned countries licensing requirements. A system validation of outbound shipments will be performed against OFAC approved licenses. The ultimate goal is to eliminate the trade community's and Customs' manual processing and paper review of the SED approved license data and replace them with data online to view for verification purposes. This will result in more efficient and faster handling of export shipments at the ports. POTENTIAL AES PARTNERSHIP AGENCY INTERFACES ------------------------------------------- In addition to the AES interfaces with Partnership Agencies already in place, the Census Bureau and Customs are working with other agencies with export permit/license requirements as a first priority. These efforts will be followed by exploring the potential for interfacing with agencies that have export monitoring and reporting responsibilities. Feasibility research has been conducted and preliminary meetings have been held with a number of the U.S. agencies in these groups. Memoranda of Understanding have been signed with some of these agencies and development of User Requirements are in progress. Potential agencies include the following: - Agriculture/Food Safety and Inspection Service (FSIS) - Treasury/Bureau of Alcohol, Tobacco, and Firearms (ATF) - Justice/Drug Enforcement Administration (DEA) - Energy/Office of Arms Control & Nonproliferation (NN) - Transportation/Maritime Administration (MARAD) - Energy/ Energy Information Administration (EIA) - Defense/Defense Security Assistance Agency (DSAA) - Agriculture/Foreign Agricultural Service (FAS) It should be noted that progress is dependent on partnership agency cooperation and available resources. For certain agencies researched, current regulations and processes are outdated or do not lend themselves to automation without significant revisions. For the potential interfaces being explored, benefits to the trade community and U.S. Government agencies for automating outbound processes do not always include elimination of paper forms at the time of shipment. A considerable number of export requirements placed on the trade community and government involve recordkeeping, after-the-fact reporting, monitoring, etc. Automation of any of these steps in the process will ultimately create a savings in personnel resources, data storage, and retrieval, in addition to facilitating the movement of merchandise out of the United States. Agriculture/Food Safety and Inspection Service (FSIS) ----------------------------------------------------- - Initial meeting: December 1996. Feasibility study in progress the FSIS requires certified export permits for meat and poultry products. - Transmission of permit data by filers through the AES would eliminate the requirement for a paper form at time of export. - The AES data on meat/poultry shipments would be electronically batched to the FSIS. - The FSIS also is interested in electronically transmitting health certificates to the countries of destination. - The FSIS has potential to qualify as a FAST TRACK Agency. - Impact on the AES participants: Additional data elements (i.e., permit number) will be required on a conditional basis for exports of meat/poultry. Treasury/Bureau of Alcohol, Tobacco and Firearms (ATF) ------------------------------------------------------ - Initial meetings: July/August 1995. - Discussed various ATF commodity-related export requirements trade interest in Tobacco Export Permit (Form 2149/2150), certifies that tobacco exported relieves shipper of Federal Excise Tax liability; and Firearms Export Permit (Form 9), exporters w/State munitions license and ATF requirements. - Other export forms dealt with drawback, tax exemptions, annual reports required by statute. - Potential to qualify as a FAST TRACK Agency. - As first phase, ATF is exploring electronic batching of the AES data on all export transactions related to alcohol, tobacco, firearms, and explosives within their purview. - No additional work burden on the AES participants. Justice/Drug Enforcement Administration (DEA) --------------------------------------------- - Initial meeting: August 1995. - Discussed Precursor Chemicals (Form 486) and Controlled Substances (DEA Form 236) export requirements. - Reference DEA Form 486 no control number; 15-day notification requirement. - Regulatory changes needed in-house to update process and accommodate automated environment such as the AES. - At present, license interface with the AES is not feasible. Energy/Office of Arms Control & Nonproliferation (NN) ----------------------------------------------------- - Initial meeting: December 1995; joint commitment statement signed August 1996. - Designated as a FAST TRACK agency. - Concerned with technology transfer. - Feedback needed on actual shipments against approved licenses (Commerce/BXA, State/ODTC, NRC) reviewed by Energy/NN. - User requirements being developed for Energy/NN receipt of AES data on above-licensed export transactions. - Exploring methodology for tracking noncontrolled exports. - No additional work burden on the AES participants. Transportation/Maritime Administration (MARAD)/Army Corps of Engineers (ACOE) ------------------------------------------------------------ - Initial meeting October 1995; joint commitment statement signed December 1996. - Designated as a FAST TRACK agency. - MARAD assures that U.S. flag carriers are used for U.S. government shipments of government personnel household/personal goods, defense materials/equipment, Agency for International Development (AID) assistance, etc. (U.S. Government-Impelled Ocean Vessel Shipments). - No specific form involved; CFR 381 & Cargo Preference Act requires exporters of such shipments to provide specific data to MARAD. - MARAD currently obtains data from Bills of Lading. - Work started (user requirements) for MARAD access to AES data on related export transactions. - Work started (user requirements) for automating the filing of the ACOE Form 7513 for In Transit shipment for the ACOE. - Impact on The AES participants: Additional data elements Federal Agency/Contract Number; and a YES/NO indicator "USG: ___ Shipment" (to flag pertinent export transactions). Energy/Energy Information Administration (EIA) ---------------------------------------------- - Initial meeting: April 1996; feasibility study in progress. - Federal Energy Administration Act/PL 93-275, Section 25. - Statute requires EIA to collect data on all transactions, sales, exchanges, or shipments for export from the United States to a foreign national of coal, crude oil, residual oil or any refined petroleum products. - Exploring EIA receipt of the AES data on related export transactions. - No additional work burden on AES participants. Defense/Defense Security Assistance Agency (DSAA) ------------------------------------------------- - Telephone discussions with DSAA representatives: January 18, 1996; interviews with State/ODTC, Customs field and trade community over second half 1995. - U.S. Foreign Military Sales (FMS) Program - DOD Form 1513/ Letter of Offer and Acceptance (LOA) and State DSP-94. - Trackable through FMS Case Number. - This automated interface would complete the picture for U.S. exporters dealing with munitions/equipment sales overseas (e.g., State/ODTC interface). - Current process is not workable in an electronic environment for validation of DSAA LOA approvals; State DSP-94 is self endorsed. Agriculture/Foreign Agricultural Service (FAS) ---------------------------------------------- - Initial meeting/briefing on the AES: November 1997. - FAS issues permits to U.S. manufacturers (300+) that use imported sugar to make food products to be exported. FAS is required to monitor exports of these "sugar-containing products." - Potential to receive permit file to validate shipments; send FAS shipment data; and set up National Criteria for non- compliant exporters. - Feasibility study commenced January 1998. - Study revealed that the majority of exports were to Canada, for which no SED is required; thus, no means to track shipments. Project not feasible at this time. ---------------------------------------------------------------------- II.D AESDirect SYSTEM DESCRIPTION AND FUNCTIONALITY Introduction AESDirect is the Census Bureau's free, Internet-based system for the filing of SEDs information to AES. It is the Internet alternative to filing paper SEDs or filing directly with AES at U.S. Customs. Exporters, freight forwarders, or anyone responsible for reporting export shipment information to the U.S. government can use AESDirect. AESDirect significantly streamlines the export reporting process by reducing the paperwork burden, reducing costly document handling, and ensuring that export information is filed in a timely manner. It also helps ensure that companies using it have complied with the U.S. government export reporting requirements. AESDirect was originally developed to assist small and mid- size companies in filing export data electronically to the U.S. government; companies with scarce resources to invest in highly technical, expensive hardware and software to report to AES at Customs. However, companies of any size and number of export shipments can use AESDirect. Participation AESDirect went into production on October 4, 1999. Since that time over 2,800 companies have registered for AESDirect and over 1,900 companies also have completed the tutorial and passed the certification quiz. Of those companies, over 1,400 now are reporting their export shipments through the system. Participation in AESDirect has been expanding greatly. During its 3 months of operation in 1999 only 8,600 shipments were submitted. During the month of September 2000 alone, nearly 90,000 shipments were filed in AESDirect, with over 500,000 for the year to date. Functional Overview AESDirect is designed to capture and edit all data fields from the SED, including mandatory, conditional, and optional data. When SED information is entered interactively into AESDirect, an immediate validation of the data is performed. If errors are found, the filer is immediately notified for resolution. AESDirect will not allow data with fatal errors to be transmitted to AES at Customs. When AESDirect accepts SED data as valid, it is automatically queued for transmission to AES and is transmitted on an every 5-minute schedule. AESDirect uses the official master reference files and tables from the Census Bureau in the data validation process. These same files on AESDirect also can be used as look-up tables to locate appropriate codes to use in filing data. After AESDirect transmits data to AES, AES will respond back to AESDirect as to whether the data were accepted or rejected by AES. Users can then query AESDirect about the status of their shipments. AESDirect stores and retains a filer's SED data in its secure and password protected system for up to 5 years. At any time during this period, SEDs can be retrieved by the filer, corrected as necessary, and resent to AES. Filers can also use previously submitted SEDs as templates for new shipments, simply by changing the appropriate data fields and the shipment number and resubmitting. This feature has the potential to save companies time and money associated with re-keying data. AESDirect also provides filers a selection of reporting options that can be customized to their preference. These reports, for example, can list all shipments sent today, sent last week, or sent to one foreign party. One can also design a report to show a summary of shipments by time period or any one of several other characteristics. Even though the electronic retention meets government regulations, AESDirect also provides a method for filers to print shipment data in an easy to read format. In addition to interactive input, AESDirect also provides the capability for filers to upload a batch file from their PC system containing multiple SEDs in two different formats. Data submitted in this manner will also be validated, processed, and stored in AESDirect, as those submitted interactively. Both the ANSI X12 and the Customs Proprietary Format are acceptable formats for batch files. AESDirect Functionality Details The AESDirect home page is pictured below in Figure 1. The left menu bar contains three distinct areas of functionality; Getting Started, Using AESDirect, and links to other Related Sites. Getting Started The basic functions in getting started with AESDirect include: - Online Demo - Registration Form - Tutorial The other functions in this section provide reference information concerning use and security of the system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 1. [ Shows the front page of the AESDirect web site, http://www.aesdirect.gov ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Online Demo The online demonstration is a screen-cam type of show that simply leads the viewer through many of the registration and data filing functions; it is also self-explanatory. Registration Form Figure 2 illustrates the first part of the registration form. Information from this form is needed to establish a potential AESDirect filer account in the AESDirect and AES user databases. Once this is done, an e-mail message is returned to the registrant providing a user ID and password. At this point, the account is only authorized to access the tutorial and quiz, not for filing SEDs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 2. [ Shows the registration screen of the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Tutorial and Quiz The tutorial and quiz are required for all filers who will use the interactive filing functions of AESDirect. The tutorial is divided into four sections, as shown in Figure 3. These sections do not have to be completed in one session, but can be taken at the filers pace. After completing the lessons of the tutorial, the user will then take a short quiz to determine if they understand the basics of filing SEDs in AESDirect. The quiz can be taken as many times as necessary. Once the quiz is passed, the filer will receive an e-mail message indicating that he is authorized to file SEDS in AESDirect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 3. [ Shows the AESDirect On-Line Tutorial from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Using AESDirect The basic functions in using AESDirect (as shown in the left menu bar in Figure 1,) include: - Log In - Support Center - Developers Center The other functions in this section provide additional reference information concerning Web browsers supported by AESDirect and news items and releases. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 1. [ Shows how to get to the log-in screen, support center and developers center screens of AESDirect through the menu bar on the left side of the screen. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Support Center The Support Center (as shown in Figure 4) provides the filer with extensive information concerning who and how to contact staff for questions, guidance, or the resolution of filing problems. The Center also contains frequently asked questions, commodity code look-up functions, error code explanations, and additional technical information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 4. [ Shows the front page from the AESDirect Support Center section of the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Developers' Center The Developers Center provides detailed specifications concerning batch filing of SED data and integration of other web applications with AESDirect. Batch files in both ANSI X12 and the Customs Proprietary Format can be transmitted to AESDirect via the EDI upload functions. This section describes these processes and specifications. AESWebLink is an exciting new option added to AESDirect to permit other web applications to be integrated with AESDirect. This feature will accept a record of data already entered into another web application, such as an invoice or bill of lading application, and use that data to populate the SED. AESDirect will then solicit only the missing data items, eliminating the need to re-key data already entered into the other application. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 5. [ Shows the front page from the AESDirect Developers' Center section of the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Log In The log in screen and functions, as shown in Figure 6, permit an authorized AESDirect user to access the SED portion of the system. The filer must enter his assigned user ID and password at this point. The user can access only SED data filed by the account, as determined by the User ID. No one else can access it nor can the user access any other company's data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 6. [ Shows the front page from the AESDirect Log-In section of the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After successfully logging into AESDirect, the main menu screen is displayed, as shown in Figure 7. In this portion of the system, users can; - Enter, retrieve, correct, or submit SED data, - Set up profiles for their exporters or consignees, - Upload batch files, or - Create customized reports of data they have already submitted to AESDirect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 7. [ Shows the MAIN MENU page (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create New Shipment This function is used to create a new SED to submit to AESDirect. Figure 8 shows the initial screen used to enter the exporter code, consignee code, and the shipment number. Filers can establish exporter and consignee codes using the Exporter and Consignee Maintenance function, to save data entry time by only needing to key the codes and not the entire name and address of each. Once these fields are complete, the filer is then taken to the shipment viewer screen (as shown in Figure 10) to enter the remaining SED data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 8. [ Shows the NEW SHIPMENT page (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Retrieve Existing Shipment AESDirect allows a filer to retrieve a shipment record that has been previously filed in the system. One can use this function to retrieve a shipment, to correct data items in the shipment, or use the shipment data as a template to create another new shipment. Figure 9 shows the screen one uses to enter the shipment reference number to retrieve an existing shipment record. Once retrieved, the filer can then use the Shipment Viewer screens to correct or change the data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 9. [ Shows the RETRIEVE A SHIPMENT page (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Shipment Viewer: SED This and the associated screens permit one to enter data for a new SED or to change data fields on an existing shipment. Refer to Figure 10. At the top of the toolbar on the left-hand side of the screen is a scroll box containing all sections of the SED. One simply selects the section from this list and edits the section to enter new or correct existing data. In the top right corner of the screen is the AESDirect Assistant, that provides brief instructions and tips on using AESDirect. On this screen the color of the section title indicates the status of that section: red indicates that the record is incomplete or an error exists; yellow indicates a warning; and green indicates the section is complete and ready to submit. Once all sections are complete, one can print the SED for reference purposes or submit it to AESDirect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 10. [ Shows the SHIPMENT VIEWER: SED page (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Edit Shipment After retrieving a shipment record and selecting the section of the SED to work on, such as Shipment Information as shown in Figure 11, one selects the menu button to Edit Section. This screen changes from the view to edit screen and makes the data fields from a previously entered SED or for a new SED accessible to enter or correct. When the current section is complete, one selects another section to enter or returns to the View Shipment screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 11. [ Shows the EDIT SHIPMENT page (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Line Item 1 This section of the system refers to the commodity data of the SED. The screen (and ones for any additional line items) operates the same as the Shipment Information screen. Data can be entered or corrected and then saved by moving to another section of the SED or the Shipment View screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 12. [ Shows LINE ITEM 1 from the EDIT SHIPMENT pages (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Error Messages Once one has completed entering data for the entire SED, the next step is to select the Submit SED button in the left menu bar. Actions taken at this time include a final edit of the data to ensure that no errors are submitted to the Customs AES system. In the example, shown in Figure 13, two problems exist that must be resolved before AESDirect submits the SED to Customs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 13. [ Shows a sample of ERROR MESSAGES (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reporting Service The Shipment Reporting Service is a tool that can be customized to view the status of one's shipment records. When first used, one can select the types of reports to display to select from - this becomes a unique report profile for the user. One can select based upon exporters and time periods, and may change fields, as the user desires. Figure 14 is an example of a report showing two shipment records this week for one exporter. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Figure 14. [ Shows a sample of the REPORTING SERVICE available (after log-in) from the AESDirect web site, http://www.aesdirect.gov. ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary AESDirect has numerous other functions and screens to supplement the ones already described. Many of these provide information or instructions and are self- explanatory, such as: - How to Register, - Terms and Conditions, - Privacy Policy, and - News In addition, the SED application includes other functions to assist the filer for particular needs such as: - Delete a Shipment from AES, - Exporter Profile Setup, - Consignee Profile Maintenance, and - EDI File Upload In summary, AESDirect has been designed and implemented to provide an easy-to-use, fully functional Internet-based system for exporters, freight forwarders, and others to input, correct, submit, report, save, print, etc. export shipment information. As the international trade, computer technology, or Internet environments change, the Census Bureau is committed to improving and enhancing AESDirect. Recent improvements include, adding the option for batch filers to submit data in the Customs Proprietary Format and integrating Web sites with AESDirect using AESWebLink. ---------------------------------------------------------------------- II. E. AUTOMATED EXPORT SYSTEM: OPERATIONAL CAPACITY: The U.S. Census Bureau (Census Bureau) and the U.S. Customs Service (Customs) prepared estimates of the operational capacity anticipated for the growth of the AES. The projected estimates consider the filing of all items on the Commerce Control List and the United States Munitions List, as well as the filing of all export information, through the AES. The following chart contains the estimated, actual, and projected number of AES records and filers for years 1996 through 2004. The number of records filed through the AES is expressed as a percent of total records, excluding those relating to trade with Canada, filed in any manner. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ AES Commodity Record Projections (1996 - 2004) ---------------------------------------------- Year: 1996 Estimated: NA Actual: 10,530 % of export trade: NA Fiscal Yr. No. Filers: NA Year: 1997 Estimated: NA Actual: 72,349 % of export trade: .4% Fiscal Yr. No. Filers: 38 Year: 1998 Estimated: NA Actual: 669,026 % of export trade: 3.7% Fiscal Yr. No. Filers: 107 Year: 1999 Estimated: 4,805,000 Actual: 2,719,265 % of export trade: 12.6% Fiscal Yr. No. Filers: 276 Year: 2000 Estimated: 11,272,916 Actual: 12,349,127 % of export trade: 64% Fiscal Yr. No. Filers: 1525 (est) Year: 2001 Estimated: 19,575,000 Actual: NA % of export trade: 72% Fiscal Yr. No. Filers: 3000 (est) Year: 2002 Estimated: 22,065,000 Actual: NA % of export trade: 85% Fiscal Yr. No. Filers: 6000 (est) Year: 2003 Estimated: 24,555,000 Actual: NA % of export trade: 95% Fiscal Yr. No. Filers: 8000 (est) Year: 2004 Estimated: 27,045,000 Actual: NA % of export trade: 95% Fiscal Yr. No. Filers: 10000 (est) Note: The Census Bureau includes approximately 60-65% of the total records transmitted into AES in the monthly trade statistics. The 35-40% of records not included are dropped because they are below the threshold for reporting (below $2,500). One AES transmission contains the same amount of commodity information as approximately 1.3 SEDs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Customs has reviewed the projected growth in AES workload and has concluded that the current Customs mainframe infrastructure can support the projected AES workload volume for fiscal years 2000 and 2001. However, Customs also assessed the three main infrastructure components of the AES mainframe: (1) the CPU processing capacity; (2) the direct access storage device capacity; and (3) the telecommunications capacity (both dial-up and dedicated line). This assessment determined that the three infrastructure components, listed above, will require upgrades in FY 2002 to ensure there is sufficient capacity to handle the projected workload volume of 25,500,000 AES filings through FY 2004. ---------------------------------------------------------------------- II. F. AESDirect: OPERATIONAL CAPACITY The U.S. Census Bureau's (Census Bureau) AESDirect Internet-based application for filing Shipper's Export Declaration (SED) information has the capacity to handle up to 500,000 transactions, for up to 100,000 uniqued filers, per month. AESDirect is able to transmit batch files of up to 2,000 SEDs per transmission into the AES mainframe computer at the U.S. Customs Service (Customs) for any given month. The AESDirect system has the capability of retaining and storing SED data that have been transmitted in a secure (password protected) contractor-provided environment for five years from the date of transmission. The chart below provides information on the number of shipments transmitted through the AESDirect system since its inception in October 1999. The chart also shows the number of total and operational registrants. Total registrants are all participants who have submitted applications to become certified on the AESDirect system, including those who have neither taken nor passed te certification test, and those who have taken and passed the certification test but have not submitted any transmissions to date, including those who registered to use the AESDirect system as a backup to their primary AES. Operational registrants are those participants actually transmitting SED information through the AESDirect system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ AESDirect Transmission Data: ---------------------------- Month (1999): September Monthly shippments: 11 Total registrants: 17 Operational registrants: 2 Month (1999): October Monthly shippments: 624 Total registrants: 83 Operational registrants: 16 Month (1999): November Monthly shippments: 1,740 Total registrants: 110 Operational registrants: 27 Month (1999): December Monthly shippments: 5,993 Total registrants: 106 Operational registrants: 60 Month (1999): 1999 Total Monthly shippments: 8,368 Total registrants: 316 Operational registrants: 105 Month (2000): January Monthly shippments: 34,940 Total registrants: 76 Operational registrants: 37 Month (2000): February Monthly shippments: 36,885 Total registrants: 81 Operational registrants: 36 Month (2000): March Monthly shippments: 41,807 Total registrants: 75 Operational registrants: 19 Month (2000): April Monthly shippments: 54,782 Total registrants: 46 Operational registrants: 47 Month (2000): May Monthly shippments: 52,284 Total registrants: 117 Operational registrants: 27 Month (2000): June Monthly shippments: 43,834 Total registrants: 264 Operational registrants: 71 Month (2000): July Monthly shippments: 41,378 Total registrants: 677 Operational registrants: 278 Month (2000): August Monthly shippments: 91,557 Total registrants: 686 Operational registrants: 541 Month (2000): September Monthly shippments: 87,601 Total registrants: 243 Operational registrants: 168 Month (2000): October Monthly shippments: 108,474 Total registrants: 1,096 Operational registrants: 344 Month (2000): November Monthly shippments: 158,264 Total registrants: 1,326 Operational registrants: 1,089 Month (2000): 2000 Total Monthly shippments: 751,806 Total registrants: 4,687 Operational registrants: 2,657 Month : 1999 and 2000 TOTAL Monthly shippments: 760,174 Total registrants: 5,003 Operational registrants: 2,762 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "AESDirect" currently has the capacity to handle up to 25 percent of the projected FY 2004 AES workload of 27,045,000 AES filings. In addition, the Census Bureau is developing an idle site for AESDirect to serve as a backup if the Customs' AES mainframe computer is down for an extended period of time. This second site will have the capability of handling the remaining AES filings. The second site became operational in the summer of 2000. With continued enhancements and necessary upgrades to the AES, the Census Bureau and Customs believe the AES and AESDirect will be able to handle the projected increase in the volume of AES filings that will result from making the AES mandatory for the filing of all SED information, and from integrating the AES with the automated licensing and export control systems of other Federal Government agencies. ---------------------------------------------------------------------- III. SECURITY STANDARDS: AUTOMATED EXPORT SYSTEM & AESDirect In order to assess the security of both the AES and AESDirect systems, the General Services Administration' (GSA) Office of Information Security was requested by the Foreign Trade Division, U.S. Census Bureau (Census Bureau) and the U.S. Customs Service (Customs) to perform a Level I and II Information Systems Security (INFOSEC) vulnerability assessment. The assessment was designed to determine: (a) the information security posture of both the Customs AES mainframe computer system and the Census Bureau's AESDirect systems; (b) where administrative or operational vulnerabilities could exist; (c) if adequate security measures were available and in place to protect sensitive information from internal and external exploitation; and (d) recommend safeguard measures for mitigation of identified vulnerabilities. The vulnerability assessments identified to what extent the systems met the requirements set forth by the Consolidated Appropriations Act of 1999, established within the Presidential Decision Directive 63 (PDD-63), and the Office of Management and Budget Circular A-130 (OMB A-130) guidelines. The National Security Agency's (NSA) Information Systems Security Assessment Methodology (IAM) criteria were used to provide the standardized framework for the assessment activities performed. This methodology involves gaining insight into various aspects of an organization's physical and operational security administration. This insight is gained through document reviews, personnel interviews, and demonstration of system use, configurations, and security features. The following list of categories and detailed components that comprise each category were used to assess both systems. Note: Only the categories and/or detailed components that were determined to have a potential vulnerability have been addressed in the assessment reports. INFOSEC Documentation - Policy - Guidelines - System Security Plans - Standard Operating Procedures - User System Security Manuals [ex. Security Features User Guide] INFOSEC Roles & Responsibilities - Upper Level Management - Systems Operation - User Community Identification & Authentication - Password Characteristics - Password Expiration - User Change Capability - History File - Classification - Group Accounts - Password Management consistency - Protected Password Files - No Auto-Logon Script - Training and Awareness Account Management - Documented Account Management Policy and Procedures - Written Formal Account Request - Account Initialization - Account Termination - Account Maintenance - Special Accounts Session Controls - Protected, logged on workstation - Time-outs - Lock-screen capability with password - Warning Banner - Lockout after unsuccessful logon attempts - Account history banner - Forgotten password/lock-out re-initialization - Limited Use of privileged accounts External Connectivity Internet Connectivity - Internet policy - Firewall control - Limit application/ports - Individual authentication to firewall - Audit firewall activity - Firewall boundaries - Hide internal architecture - Multiple firewall for internal controls - Modems - Policy - Restricted Modem Use - Formal justification for modem access - Dial in/dial out capability - Security features - Termination of remote access at departure - Modem disconnect after inactivity - Regularly monitor modem use - Dedicated - Policy/Memorandum of Agreement - Backdoor connectivity Telecommunications - Documented requirements and procedures for transmitting classified and sensitive information - Encryption issues - Alternate routes for increased availability Auditing - Policy requiring Mandatory Auditing - SOP defining what to audit - Audit analysis and reporting on a timely basis - System Security Administrator (SSA) trained in audit analysis - Contents of audit log should be protected - Audit logs retained - Coordination of audit records - Intrusion detection Virus Protection - Policy - Personal software loaded with SSA approval - Scan incoming software - System scans - Update tools - Employee education/training Contingency Planning - Documented - Identify mission or business critical functions - Uninterruptible Power Supply - Identify responsibilities - Should be coordinated with the System Security Plan - The plan should be maintained on-site and off-site - Periodic scheduled testing Maintenance - Policy and procedures - Personnel clearance level - Control of diagnostic software - Remote maintenance access Configuration Management - Storage devices taken off-line if possible - SSA controls removal and delivery of hardware - Preventive maintenance - Maintenance records - Documented configuration control plan - Configuration Control Board (CCB) - Software loading issues for SSA approval - Current system diagrams - List of all system resources - Control of relocation and reconfiguration of system resources Backups - Documented in SSP and SOP - Schedule - Proper storage - Periodic testing of back-ups Labeling - Policy/SOPs - Document what/why information is classified and/or sensitive - Employees trained on proper marking procedures - Removable media - System components Media Sanitation/Disposal - Documented policy and SOPs - Media sanitization methods - Established responsibilities - User education/training - Contract concerns - Physical Environment - Physical environment can be used to offset lack of system security capabilities - Ramification to INFOSEC posture Personnel Security - Background checks - Security clearance - Signed user agreements - Employee awareness of social engineering techniques Training & Awareness - Users are usually the weakest link in security - Documented responsibilities - Formal INFOSEC training program for users and SSA ---------------------------------------------------------------------- IV. A. AUTOMATED EXPORT SYSTEM LEVEL I SECURITY ASSESSMENT SUMMARY (U.S. Customs Service) DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- IV. B. AUTOMATED EXPORT SYSTEM LEVEL II SECURITY ASSESSMENT SUMMARY (U.S. Customs Service) DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- IV. C. AESDIRECT LEVEL I SECURITY ASSESSMENT SUMMARY (U.S. Census Bureau) DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- IV. D. AESDIRECT LEVEL II SECURITY ASSESSMENT SUMMARY (U.S. Census Bureau) DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- V. A. CUSTOMS RESPONSE TO SECURITY ASSESSMENT REPORT: LEVEL I DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- V. B. CUSTOMS RESPONSE TO SECURITY ASSESSMENT REPORT: LEVEL II DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- V.C CENSUS BUREAU RESPONSE TO SECURITY ASSESSMENT REPORT: LEVEL I DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- V. D. CENSUS BUREAU RESPONSE TO SECURITY ASSESSMENT REPORT: LEVEL II DUE TO THE CONFIDENTIAL NATURE OF THE SECURITY INFORMATION CONTAINED IN THIS SECTION THE TEXT OF THIS SECTION CANNOT BE MADE AVAILABLE TO THE GENERAL PUBLIC. (Per Freedom of Information Act (FOIA) Exemption (b)(2) relating to records pertaining solely to internal personnel rules and practices of an agency and (b)(3) relating to data specifically exempted from disclosure by statute, i.e.Title 13 U.S.C., Chapter 9) ---------------------------------------------------------------------- VI. RECOMMENDATIONS AND CONCLUSIONS A. Security and Functionality of AES The U.S. Census Bureau (Census Bureau) and the U.S. Customs Service (Customs) in conjunction with the Chief Information Officers of the Department of Commerce, the Department of the Treasury, and the National Institute of Standards and Technology jointly certify that the Automated Export System (AES) is a secure and functional electronic system capable of handling the reporting through the AES of all items on the Commerce Control List (CCL) and the United States Munitions List (USML). The agencies listed above have reviewed the Level I and Level II security assessments conducted by the Office of Information Security, General Services Administration, and attest to the security and functionality of the AES system to handle the provisions contained in the Conference Report on H.R. 3194 (P.L. 106-113), Subtitle E, Automated Export System Relating to Export Information. As a result of these reviews, the Census Bureau, and Customs, in conjunction with the Secretary of Commerce, the Secretary of the Treasury, and the Director of the National Institute of Standards and Technology, jointly provide certification to the Committee on Foreign Relations of the Senate and the Committee on International Relations of the House of Representatives that a secure AES data capture system is available through the Internet capable of handling the reporting through the AES of all items on the CCL and the USML. It is further certified that the AES can handle the anticipated volume from voluntary use of the AES. The AES system is production operational, has been fully tested and is fully functional with respect to the reporting of all items on the CCL and the USML. B. Security and Functionality of AESDirect The Census Bureau, and Customs, in conjunction with the Chief Information Officers of the Department of Commerce, the Department of the Treasury, and the National Institute of Standards and Technology, jointly certify that the AESDirect system is a secure and functional system capable of handling the reporting through the AES of all items on the CCL and the USML. The agencies listed above have reviewed the Level I and Level II security assessments conducted by the Office of Information Security, General Services Administration, and attest to the security and functionality of the AESDirect system to handle the provisions contained in the Conference Report on H.R. 3194 (P.L. 106-113), Subtitle E, Automated Export System Relating to Export Information. As a result of these reviews the Census Bureau, and Customs, in conjunction with the Secretary of Commerce, the Secretary of the Treasury, and the Director of the National Institute of Standards and Technology, jointly provide certification to the Committee on Foreign Relations of the Senate and the Committee on International Relations of the House of Representatives that a secure AESDirect data capture system is available through the Internet that is capable of handling the reporting through the AES of all items on the CCL and the USML. It is further certified that the AESDirect can handle the anticipated volume from voluntary use of the AESDirect. The AESDirect system is production operational, has been fully tested and is fully functional with respect to the reporting all items on the CCL and the USML. C. Proposed Timetable for Implementing AES Filing for All Items on the Commerce Control List (CCL) and the United States Munitions List (USML) The Census Bureau and Customs, as the primary developers of the AES, recommend that the full implementation of mandatory filing for all items (licensed and unlicensed) on the CCL and the USML, as well as all other shipper's export declaration information, and the integration of the AES with other Federal Government agency licensing systems, as specified in the "Feasibility of Mandatory Automated Export (AES) Filing" report issued July 27, 2000, be initiated in four stages as described below: Stage 1 - Require mandatory filing through the AES only for exports of items on the USML and the CCL 90 days after the law becomes effective. The law will become effective 270 days after AES is certified as a secure, functional system. (FY 2001) Stage 2 - Require mandatory filing through the AES for the remainder of exports requiring an export license. (FY 2002) Stage 3 - Require mandatory filing through the AES for all freight forwarders, nonvessel operating carriers, consolidators, and other intermediaries, that file commodity documentation on behalf of exporters. (FY 2003) Stage 4 - Require mandatory filing through the AES for all exporters (U.S. principal parties in interest), including companies, individuals, and other exporting entities that file commodity documentation. (FY 2005) This proposed schedule recognizes the urgency of improving the surveillance of exports on the USML and the CCL, takes into consideration the time required to integrate the information systems among all the potential Government users of the AES data, and acknowledges the fact that mandatory filing of SEDs over the AES will represent a significant change in business practice for many exporters, especially smaller ones. D. Cost of Implementing AES Mandatory Filing 1. Census Bureau Funding Requirements AES Implementation of the Proliferation Prevention Enhancement Act of 1999 will require a significant increase in funding to ensure that the Census Bureau can meet the expanded requirements. Background For FY 2001, the Census Bureau received a $2.0 million adjustment to base and a $1.0 million initiative for export coverage improvement. The Export Coverage Improvement Initiative would commence a program to remedy the current under-valuation of exports, now estimated at 3 to 7 percent of the total value of exports. However, this funding will not cover the costs of the responsibilities that the Census Bureau would assume under the Proliferation Prevention Enhancement Act. Projecting costs for FY 2001 for implementation of the mandatory AES reporting system is complicated by the uncertainty of the extent to which the program might be in operation for the year. On the assumption that planning, system design, and infrastructure work could commence in FY 2001, the Census Bureau projects that obligations could reach $4.7 million for the year. This projected obligation is $1.7 million above the $3.0 million received for FY 2001. The $1.7 million would be used to implement Stage 1 mandatory filing through the AES for exports of items on the USML and the CCL. For FY 2002-2005, the Census Bureau will need $6.7 million to totally support the implementation of full mandatory reporting of SED information through the AES. The chart below identifies the full funding requirements of the Census Bureau to support AES and the collateral additional requirements of the Proliferation Prevention Enhancement Act of 1999. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Census Bureau Funding Requirements for AES ------------------------------------------ - Operational Support - FY2001 : $2,600,000 - FY2002 : $3,400,000 - FY2003 : $3,400,000 - FY2004 : $3,400,000 - FY2005 : $3,400,000 - Computer Programming - FY2001 : $1,000,000 - FY2002 : $1,000,000 - FY2003 : $1,000,000 - FY2004 : $1,000,000 - FY2005 : $1,000,000 - AES Internet Application - FY2001 : $600,000 - FY2002 : $600,000 - FY2003 : $600,000 - FY2004 : $600,000 - FY2005 : $600,000 - Outreach, Education and Training - FY2001 : $500,000 - FY2002 : $1,250,000 - FY2003 : $1,250,000 - FY2004 : $1,250,000 - FY2005 : $1,250,000 - Interagency Support (BXA, State, DOD, etc.) - FY2001 : $0 - FY2002 : $500,000 - FY2003 : $500,000 - FY2004 : $500,000 - FY2005 : $500,000 - TOTAL - FY2001 : $4,700,000 - FY2002 : $6,750,000 - FY2003 : $6,750,000 - FY2004 : $6,750,000 - FY2005 : $6,750,000 ** Of this Total Cost $500,000 is allocated to IT Security programs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2. U.S. Customs Service Funding Requirements AES The U.S. Customs Service (Customs) has received no appropriations for the AES since its creation. This includes the budget request for FY 2001. Additionally, the Customs' funding requests for this year, FY 2000, only covered current staffing levels. The proposed requirements imposed by the Proliferation Prevention Enhancement Act would also require additional funding for staffing from both a programming and operational standpoint. The chart below identifies the full funding requirements of Customs to support AES and the collateral additional requirements of the Proliferation Prevention Enhancement Act of 1999. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Annual Customs Budget Estimates AES FY 2001 - 2005* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Maintenance - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Production Support & Maintenance Changes - FY2001 : $5,500,000 - FY2002 : $5,500,000 - FY2003 : $5,500,000 - FY2004 : $5,500,000 - FY2005 : $5,500,000 Software Testing - FY2001 : $800,000 - FY2002 : $800,000 - FY2003 : $800,000 - FY2004 : $800,000 - FY2005 : $800,000 Travel, Supplies, Training, Equipment, Licenses - FY2001 : $200,000 - FY2002 : $200,000 - FY2003 : $200,000 - FY2004 : $200,000 - FY2005 : $200,000 Infrastructure Upgrades - FY2001 : $300,000 - FY2002 : $300,000 - FY2003 : $300,000 - FY2004 : $300,000 - FY2005 : $300,000 1. TOTAL MAINTENANCE - FY2001 : $6,800,000 - FY2002 : $6,800,000 - FY2003 : $6,800,000 - FY2004 : $6,800,000 - FY2005 : $6,800,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Enhancements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Analysis, Design & Coding/Enhancements - FY2001 : $2,500,000 - FY2002 : $2,500,000 - FY2003 : $2,500,000 - FY2004 : $2,500,000 - FY2005 : $2,500,000 Software Testing - FY2001 : $800,000 - FY2002 : $800,000 - FY2003 : $800,000 - FY2004 : $800,000 - FY2005 : $800,000 Travel, Supplies, Training, Equipment, Licenses - FY2001 : $100,000 - FY2002 : $100,000 - FY2003 : $100,000 - FY2004 : $100,000 - FY2005 : $100,000 Infrastructure Upgrades - FY2001 : $300,000 - FY2002 : $300,000 - FY2003 : $300,000 - FY2004 : $300,000 - FY2005 : $300,000 2. TOTAL ENHANCEMENTS - FY2001 : $3,700,000 - FY2002 : $3,700,000 - FY2003 : $3,700,000 - FY2004 : $3,700,000 - FY2005 : $3,700,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TOTAL MAINTENANCE & ENHANCEMENTS - FY2001 : $10,500,000 - FY2002 : $10,500,000 - FY2003 : $10,500,000 - FY2004 : $10,500,000 - FY2005 : $10,500,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3. OIT SUPPORT: FTE Full Year Funding 5 Gov't Programmers & 10 Client Reps ** - FY2001 : $1,807,000 - FY2002 : $1,807,000 - FY2003 : $1,807,000 - FY2004 : $1,807,000 - FY2005 : $1,807,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4. Operational Support FTE Full Year Funding 20 AES Coordinators *** / 50 Outbound Inspectors - FY2001 : $2,151,000 / $5,219,000 - FY2002 : $2,151,000 / $5,219,000 - FY2003 : $2,151,000 / $5,219,000 - FY2004 : $2,151,000 / $5,219,000 - FY2005 : $2,151,000 / $5,219,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TOTAL - FY2001 : $19,677,000 - FY2002 : $19,677,000 - FY2003 : $19,677,000 - FY2004 : $19,677,000 - FY2005 : $19,677,000 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1. Maintenance of existing system with volume enhancements; no enhancements 2. Enhancements to increase functionality related to current proposed modules (Air, NVOCCs, drawback, in-bond, improvements for inspectors and agents, and other agency interfaces required by the legislation. 3. New FTE, Office of Information and Technology (OIT) 4. New FTE, Office of Field Operations (OFO) * The figures depicted in the budget estimates are the amounts Customs requires to both maintain and enhance the current AES system. Customs has not yet received funding for FY 2001. It is anticipated that full funding needs as requested in the certification will not be met. Therefore, the actual figures reflected in this certification report may be higher. ** The Customs client representatives establish records for new participants in the Automated Export System, test their data transmissions prior to implementation, monitor their performance once operational, and troubleshoot transmission errors. *** AES coordinators are port-based inspectors whose collateral duty is to serve as subject matter experts in AES processing. The inspectors undergo intensive training to attain this knowledge. Assumptions: 1) The projected dollar amounts, in item 1, are based on the fact that 70 percent of technical support is maintenance; 30 percent is enhancements. Testing was estimated at 50-50 percent since the complexity and size of each project is not known at this time. Infrastructure upgrades are also split 50-50 percent because a certain level of volume increase can be expected each year whether the AES is mandatory or not. (2) Volume projections from the Census Bureau increase by 5 million transactions each year through 2004, when we expect to achieve 95 percent participation or 25.5 million transactions annually. (3) The estimate in item 4, assumes that interfaces with other agencies will not be done until Stage 4. (4) An infrastructure upgrade estimate in item 5 is included each year to support the annual volume growth. The figure ($600,000) is based on the amount requested by the OIT for the 2001 upgrade. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It should be noted that approximately half of the costs identified by Customs cover expanded use of the AES information, such as more targeted inspection of export shipments. That is, there is little to gain by creating a totally automated export information system unless agencies with export control and examination responsibilities actually put the more timely and more informative AES data to use. That is part of the intent underlying Customs' cost estimate. ---------------------------------------------------------------------- END of AUTOMATED EXPORT SYSTEM (AES) CERTIFICATION REPORT ----------------------------------------------------------------------