Do you love sitting in traffic? No. At the same time, are you thankful when your fellow commuters follow the rules of the road for the sake of everyone’s safety? You bet. ITAR compliance works the same way.
International Traffic in Arms Regulations (ITAR) are designed to control access to specific types of technology and data to prevent the unintended disclosure or transfer of sensitive information to an unauthorized or suspicious foreign national. Strict penalties are imposed on businesses that fail to uphold their compliance.
For example, a March 2023 settlement was reached between a U.S. manufacturing company and three separate U.S. government entities, with fines totaling up to $27 million. These fines followed allegations that the company violated U.S. export control laws by unlawfully exporting unauthorized material overseas. Said another way, the company failed to maintain ITAR compliance, and the price tag was way more than your average $50 parking ticket…
With consequences like that, it’s no wonder discussions around ITAR compliance are so prevalent. In this article, we’ll cover everything you need to know about ITAR compliance, standards, and protocols so that you’re armed (pun intended) with the knowledge to ensure that you’ve maintained the necessary compliance within your organization.
- What is ITAR compliance? And how does it differ from EAR compliance?
- Prevent compliance from falling through the cracks
- ITAR compliance checklist
- A word on growing prioritization of U.S. export controls and enforcement
What Is ITAR Compliance?
Being ITAR compliant means following all of the requirements of the International Traffic in Arms Regulations. ITAR is an important U.S. export control law that affects the manufacturing, sales, and distribution of certain technologies, technology products, software, and services. The purpose of the law is to regulate access to certain types of sensitive information to prevent disclosure to unauthorized non-U.S. persons. What trips many people up, however, is that there is no strict definition of ITAR compliance other than adhering to the rule that only U.S. persons can access items on the United States Munitions List (USML). The general steps are below, but jump down to our complete ITAR checklist for a more in-depth look:
- Register with the U.S. State Department’s Directorate of Defense Trade Controls (DDTC).
- Obtain the proper licenses for goods you plan to export.
- Ensure your policies and procedures are compliant with ITAR requirements.
- Make sure someone at your facility is educated about ITAR and trained in how to keep your policies and procedures compliant.
If that sounds somewhat vague, don’t worry – it is! Just know that you’re responsible for making sure you’re following all relevant ITAR guidelines. There’s no such thing as third-party certification for ITAR compliance — you must set up your systems appropriately and then make sure the rules are followed.
Who Should Worry About ITAR Compliance?
All manufacturers, exporters, and brokers of defense articles, defense services, and related technical data must be ITAR compliant. If that’s still not entirely helpful, you can skip today’s Word of the Day; the definitions are below. A defense article is anything on the USML. The list includes, but isn’t limited to, items in the following categories:
- Firearms, close assault weapons, and combat shotguns
- Guns and armament
- Ammunition/ordnance
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives and energetic materials, propellants, incendiary agents, and their constituents
- Surface vessels of war and special naval equipment
- Ground vehicles
- Aircraft and related articles
- Military training equipment and training
- Personal protective equipment
- Military electronics
- Fire control, laser, imaging, and guidance equipment
- Materials and miscellaneous articles
- Toxicological agents, including chemical agents, biological agents, and associated equipment
- Spacecraft and related articles
- Nuclear weapons related articles
- Classified articles, technical data, and defense services not otherwise enumerated
- Directed energy weapons
- Gas turbine engines and associated equipment
- Submersible vessels and related articles
- Articles, technical data, and defense services not otherwise enumerated
Defense services fall into three main categories:
- Providing assistance, including training, to foreign persons on design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles.
- Providing foreign persons with controlled technical data (see below).
- Military training of foreign units and forces.
Finally, there are four main types of technical data:
- Information other than software for the design, development, manufacturing, and so on of defense articles. This includes blueprints, drawings, documentation, and more.
- Classified information about the defense articles and defense services listed above.
- Information covered by an invention secrecy order.
- Software directly related to defense articles.
Any information in the public domain or commonly taught in schools is not considered controlled technical data. Neither is marketing information or general descriptions of defense articles. To help you decide if ITAR applies specifically to you, see this guide from the Directorate of Defense Trade Controls: Getting Started with Defense Trade.
What Are the Penalties for Not Being Compliant?
What happens if you don’t comply with ITAR? We guarantee this is a situation you’d rather avoid. ITAR violations can result in fines of up to $1 million per violation, as well as jail time and debarment (meaning you lose your export license). Whatever the hassle of becoming ITAR compliant, it’s considerably smaller than the consequences of not doing it.
How Is ITAR Different From EAR Compliance?
If you’ve heard about ITAR compliance, you might have also come across EAR (Export Administration Regulations) compliance. If you were concerned it wouldn’t be as ambiguous as ITAR, don’t worry – it is. To add insult to injury, ITAR and EAR are very similar. So, to debunk a little of the confusion, we laid out their main differences below.
Prevent Compliance from Falling Through the Cracks
There are essentially two parts to ensuring your ITAR compliance, which together make up what you can call your organization’s ITAR compliance program (ICP). Officially, the International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines cite eight elements critical to creating an effective ICP:
- Element 1: Management Commitment
- Element 2: DDTC Registration, Jurisdiction and Classification, Authorizations, and Other ITAR Activities
- Element 3: Recordkeeping
- Element 4: Detecting, Reporting, and Disclosing Violations
- Element 5: ITAR Training
- Element 6: Risk Assessment
- Element 7: Audits and Compliance Monitoring
- Element 8: Export Compliance Manual and Templates
With these in mind, you can determine your organization’s security needs and standards and vet the tools and systems you’ll need to uphold each element.
Setting Your Security Standards
Before you take any action, your organization needs to determine a set of security standards. Jumping right into tools and techniques to achieve compliance puts the cart before the horse. It’s up to your organization to decide where to start, but our intention is to cut through the fog of ambiguity that seems to engulf ITAR compliance in general. So, here are our thoughts on where to start: because ITAR is a U.S. federal regulation, using the federal government’s own standards for security and privacy controls seems like a logical jumping-off point, which takes us to NIST SP 800-53.
What Is NIST SP 800-53?
NIST SP 800-53 (also known as “Security and Privacy Controls for Federal Information Systems and Organizations”) is a publication from the National Institute of Standards and Technology (NIST) that provides a catalog of security and privacy controls for federal information systems and organizations. Pretty straightforward, right? While primarily intended for use by federal agencies, many other organizations use it as a best practice for securing their information systems and protecting sensitive information. Since NIST SP 800-53 clocks in at almost 500 pages with 20 different control families, we’re going to keep things high-level for you. So, we’ve rounded up the basic principles, drawn from across NIST SP 800-53, that your organization should follow when determining your ITAR security standards:
- Risk management: Organizations should identify and assess the risks to their information systems and implement appropriate controls to mitigate those risks.
- Defense in depth: Information systems should be protected by multiple layers of security controls, including physical, technical, and administrative controls.
- Least privilege: Users and systems should only have access to the information and resources they need to perform their job functions.
- Continuous monitoring: Organizations should continuously monitor their information systems and user permissions to detect and respond to security incidents in a timely manner.
- System and data integrity: Information systems should be designed to ensure the accuracy, completeness, and reliability of data and to prevent unauthorized access to, modification or destruction of information.
- Personnel security: Organizations should implement appropriate security measures to ensure that personnel with access to sensitive information have undergone appropriate background checks and security clearances.
- Privacy protection: Organizations should implement appropriate controls to protect the privacy of individuals whose personal information is collected, processed, stored, or transmitted by their information systems.
Putting Practice into Action: Tools that Maintain Compliance
This is where the rubber meets the road. Once you have your security standards in place, you can start vetting and implementing tools to maintain those standards.
1. Visitor Management Systems
Visitors can be tricky. Unlike employees, there typically isn’t an ample amount of time to run the appropriate citizenship, background, and/or security checks for someone who is popping by your office, which is why ITAR-compliant visitor management systems are an integral part of maintaining compliance. A visitor management system is the updated version of your grandparent’s pen-and-paper visit logs. This system is an easy, secure, and comprehensive solution for recording and maintaining a record of anyone who comes into your office or facility. The most compliance-friendly functions include:
- Citizenship Check: One specific thing ITAR compliance requires is verifying the citizenship of anyone who has access to sensitive information. That’s where a visitor management system comes in. Not only can you ask for verification of citizenship status when a visitor checks in, but you can also print that status directly on each visitor’s badge in addition to capturing and storing images of a government ID.
- Badge Printing: Once a visitor has checked in using the visitor management system, a badge can then be printed with the visitor’s name and relevant information.
- ID Capture: Use the ID capture feature to ask guests to confirm their citizenship status. Capture an image of the government-issued ID, including both the front and back if needed, and store in your visit log.
- Registry Check: Cross-reference visitors against watch lists related to trade compliance.
- Digital Log Book: A component of ITAR requires the business to keep records of everyone who enters a facility (and thus could be exposed to sensitive information), which includes maintaining comprehensive visitor records. Visitor management systems keep a digital, easy-to-access, real-time record of every visitor. That means you’ll always be able to see at a glance who’s in your facility in addition to maintaining historical records of all visitor access events. Easily filter through the log and export the data whenever necessary, including instant availability in the event of an audit.
- Documents and Disclosures: Capture signatures on any required legal agreements, like NDAs and technology control plans, right within the system. These digital documents and signatures are securely stored within the system under each visitor’s record. This makes it easy to stay organized and ensures your business has the appropriate documentation for every visitor.
- Safety Videos: Allow your visitors to view safety videos during the check-in process to ensure they are well-versed in how to remain safe within your facility.
2. Document Management Systems
Fulfilling reporting requirements is a major component of ITAR compliance. So, a document management system makes sense. These systems store, manage, and control access to ITAR-related documents such as export licenses, technology control plans, and compliance manuals. Essential features to ensure sensitive information is properly managed include:
- Version control
- Document tracking
- Secure storage
3. Training and Education Programs
Organizations implement training and education programs to keep employees informed on ITAR regulations, compliance requirements, and best practices. With these programs, employees understand their roles and responsibilities, identify ITAR-controlled items and technical data, and adhere to proper handling and storage procedures.
4. Compliance Software Solutions
Specialized compliance software solutions automate various compliance processes, including screening, licensing, record-keeping, and reporting. This centralized platform executes ITAR-related activities including:
- Tracking export activities
- Managing licenses and exemptions
- Generating compliance reports
5. Internal Controls and Audits
Not so much a solution as it is a process, internal controls and audits include procedures for:
- Classifying products and technical data
- Managing exports
- Conducting due diligence on business partners
- Monitoring compliance throughout the supply chain
- Identifying areas of non-compliance and implementing corrective actions
6. Encryption and Data Security Measures
ITAR compliance requires protecting sensitive technical data from unauthorized access or disclosure. Businesses employ encryption techniques, access controls, firewalls, and secure network infrastructure to safeguard ITAR-controlled information. Regular security assessments and vulnerability scans help identify and address potential risks.
ITAR Compliance Checklist
To avoid common ITAR compliance mistakes, we’ve put together the complete ITAR Compliance Checklist:
- Determine Jurisdiction: Identify whether ITAR applies to your organization and whether your product is listed on the USML.
- Review ITAR: Familiarize yourself with ITAR and ensure others in your organization have access to that knowledge through training programs or instruction manuals.
- DDTC Registration: Register with the Directorate of Defense Trade Controls (DDTC) as described in ITAR part 122 (part 129 for brokers). Submit your registration by completing the following:
  - Pay the registration fee
  - Sign and complete the Statement of Registration. This can be done electronically.
  - Collect the supporting documentation
  - Upload the completed registration packet
- USML Classification: Determine classification of your product(s) according to the U.S. Munitions List.
- Monitor External Parties: Understand and screen your end users and external recipients. This includes how they are using your exported goods.
- Export Licenses: Apply for and obtain appropriate export licenses.
- Fulfill Reporting Requirements: Record all ITAR activity and maintain those records in an organized and easily accessible fashion.
- ITAR Compliance Program (ICP): Establish an ITAR protocol and compliance program within your organization. Remember, we’ve broken this down for you earlier in the article. But, you can always check out the complete ITAR Compliance Program Guidelines for a bit of light reading.
Growing Prioritization of U.S. Export Controls and Enforcement
ITAR compliance should always be a priority. But, in light of recent regulatory activity with U.S. trade partners, more resources are being allocated to the regulation and enforcement of export controls and sanctions in 2023, which means you need to stay quick on your feet (if you haven’t been already). Orrick Herrington & Sutcliffe LLP goes into further detail that demonstrates the magnitude of this growing prioritization, which is summarized below:
- Additional resource allocation (as mentioned above), including:
  - Increased hiring of prosecutors for trade violations
  - Twenty-five percent increase in budget for export controls enforcement in FY 2023
  - Over 20% budget increase for sanctions enforcement (both approximate increases can be found in the FY24 Budget of the U.S. Government, but it would be cruel to make you read that whole thing)
- Enhanced federal interagency collaboration, most recently:
  - Disruptive Technology Strike Force
  - The DOJ, BIS, and OFAC published a first Joint Compliance Note
  - Task Force KleptoCapture
  - The Justice Department has pledged robust prosecution of sanctions violations
These recent developments underscore the importance of maintaining your organization’s ITAR compliance. In response, here are a few recommendations to make sure you have all your bases covered:
- Give your ICP a thorough review, preferably with a fresh set of eyes
- Ensure you have all the right systems in place to effectively carry out your ICP
- Audit the existing systems that help you maintain compliance and make the necessary updates and upgrades
- Review past export shipments and check for accurate filing
- Confirm that you are not exporting to prohibited countries
- Confirm your customers are not sanctioned or restricted
- Confirm that you are not exporting products for prohibited end uses
In conclusion…
ITAR compliance isn’t straightforward. But, when you weed through all the noise and arm yourself (pun still intended) with the right information, compliance can be achieved when paired with the proper tools. Understand the basics, how regulations apply to your organization, the steps you need to take to cover your bases, and – voila – consider yourself an ITAR export (get it, like expert?). If you still have questions about how you can keep your organization ITAR-compliant when it comes to your guests, reach out to one of our visitor management experts to learn more.
Learn more about visitor management systems and the features you can use to help support ITAR compliance by joining a product tour of The Receptionist below!