In December 2022, the U.S. Department of State’s Directorate of Defense Trade Controls issued updated Compliance Program Guidelines. These Guidelines are an overview of an effective ITAR Compliance Program (ICP) and an introduction to defense trade controls.
The Guidelines are divided into eight sections:
- Management Commitment
- DDTC Registration, Jurisdiction & Classification, Authorizations, & Other ITAR Activities
- Recordkeeping
- Detecting, Reporting, & Disclosing Violations
- ITAR Training
- Risk Assessment
- Audits & Compliance Monitoring
- ITAR Compliance Manual
This article will focus on the first four sections: Management Commitment,
DDTC Registration, Jurisdiction & Classification, Authorizations, & Other ITAR Activities, Recordkeeping, and Detecting, Reporting, & Disclosing Violations.
This guidance is not an official part of the International Traffic in Arms Regulations. Instead, it serves as a way for the Directorate of Defense Trade Controls to express their expectations for export compliance. DDTC also understands that different companies have unique levels of ITAR activity and may need different approaches.
Management Commitment
Management commitment to export compliance sets the tone for the entire organization. Management commitment can be expressed through communications to employees, as well as integration into performance evaluations, including both rewards and disciplinary actions. It can also be expressed through the maintenance of the ICP and its management commitment statement, as well as sufficient and well-organized staff who are given thorough training (to be discussed in our next article). Empowered Officials must be truly empowered. They must also be sufficiently trained to understand and perform their compliance responsibilities.
DDTC Registration, Jurisdiction & Classification, Authorizations, & Other ITAR Activities
The Directorate of Defense Trade Controls provides an overview of registration requirements and processes. They also go over the need to determine jurisdiction and classification of products, and obtain authorizations when required. A written ICP should provide an overview of each of these areas as they pertain to the specific organization. Important reminders include:
- Timely renewal of DDTC registrations
- Informing DDTC of material changes to registration (within five days of the event, or in some cases, 60 days before)
- Determining jurisdiction and classification of any product manufactured, exported, temporarily imported, or brokered (including self-classifications and Commodity Jurisdiction requests)
- How to prepare for and obtain authorizations, including export licenses, Technical Assistance Agreements, Manufacturing License agreements, retransfer requests, and license exemptions
- Restricted party screening (ECS offers the ECScreening service, which expands on and provides additional features not found in the Consolidated Screening List) and screening for proscribed countries (ITAR 126.1).
- Registration and authorization requirements for brokering (ITAR Part 129)
- Recording and reporting political contributions, fees, and commissions (ITAR Part 130)
There is also guidance on cybersecurity. The ITAR does not require organizations to have specific cybersecurity measures such as encryption. However, organizations are expected to take steps to protect technical data. ITAR §120.54 does include some specific standards for how technical data can be stored and transmitted internationally without being considered an ITAR “export.”
Recordkeeping
The ITAR requires recordkeeping in §122.5, but how it is implemented is up to your organization. However, records must be:
- Reproducible in paper format, if digital;
- Legible and readable;
- Unaltered once recorded or, if altered, with any alterations properly recorded, including who made them and when;
- Readily accessible if digital images; and
- Maintained for a period of five years from the expiration of the license or other approval, to include exports using an exemption, or from the date of the transaction.
Records must be maintained for:
- Licenses or other approvals;
- Licenses exemptions (including the Australia and UK treaties);
- Technical data exports;
- Oral, visual, or electronic exports;
- Certain information related to special comprehensive export authorizations;
- Exemptions involving employees who are dual and third-country nationals;
- Voluntary disclosures;
- Brokering recordkeeping requirements; and
- Political contributions, fees, and commissions.
If your organization is using ITAR exemptions, internal recordkeeping is the only way to justify the use of an exemption. Recordkeeping is both a specific and general responsibility and may be subject to a Technology Control Plan (TCP). If you are unsure of where to start, the Guidelines include a list of recordkeeping suggestions.
Detecting, Reporting, & Disclosing Violations
While the major goal of a compliance program is to avoid violations, it is also important to detect violations when they happen, encourage reporting throughout the organization, and submit voluntary disclosures to DDTC when appropriate. The quality of the organization’s compliance program and efforts to report and contain violations are very important. Management should communicate the seriousness of export violations by reminding employees of civil and criminal penalties and other potential consequences. This should be balanced with the need to encourage reporting without retribution.
Additional detail on all of these elements is available in the Guidelines themselves. Watch this space for our review of the remaining elements: ITAR training, risk assessment, audits and compliance monitoring, and the ITAR compliance manual. Every element is crucial to the success of your export compliance program.
As always, if you need help with meeting, understanding, or tailoring any export compliance obligations, ECS is here to help!