In accordance with the International Traffic in Arms Regulations (22 CFR 120-130 – herein, “ITAR”) technical data may not be exported to any Non-US Person, including to any location outside of the United States, without specific authorization by the U.S. State Department. Managing the physical location of any servers used for email or data storage is critical to maintaining trade compliance and preventing a violation of U.S. export regulations.
For reference purposes, the ITAR includes the following applicable definitions:
22 CFR §120.17 Export.
Export means:
- (1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or
… - (4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
22 CFR §120.10 Technical data.
Technical data means, for purposes of this subchapter:
- Information, other than software as defined in §120.10(a)(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
§120.15 U.S. person.
U.S. person means:
- a person (as defined in §120.14 of this part) who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States.
22 CFR §120.16 Foreign person.
A foreign person means:
- any natural person who is not a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society, or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments, and any agency or subdivision of foreign governments (e.g., diplomatic missions).
The interpretation of U.S. State Department policy is that if a Foreign Person has the ability to access export controlled technical data, it is considered a potential export thus requiring an export license. Whether or not a foreign person actually accesses the technical data or not is not relevant to this interpretation. Presently, this even includes data that may be encrypted. When multinational companies consider centralizing and managing email or data servers that includes data from their US facilities, they must ascertain if those locations may receive and/or electronically store ITAR-controlled technical data. If so, then U.S. export regulations must be considered.
Under the current regulations, ITAR technical data that is emailed from a US Person to a Foreign Person is considered to be an export. This includes technical data that may be routed via an email exchange server to a location outside of the United States, regardless if the intended and ultimate recipient is a US Person located within the territory of the United States. Similarly, any technical data that may be stored on a server or other electronic storage device is transferred or backed up outside of the United States and is considered to be exported. As stated above, this is regardless of whether the data is encrypted or otherwise accessed by the Non-US Person.
Presently, the only way to legally allow this activity to occur outside of the U.S. is to license the foreign parties that may have access to the data. Such a license would need to be broad enough to cover all of the types of technical data that is or may be present on a server or email and all of the nationalities of the foreign party must be included in the authorization. This includes all dual and third-country nationalities of the facility’s employees who may obtain physical or virtual access as well as those of any sub-contractors. Experience has shown that obtaining such a license would be difficult and the internal control plan required by the Non-US location(s) would be onerous.
In the future, the U.S. US export licensing requirements may change to allow for some “cloud storage” under very specific requirements. Until that time, maintaining a U.S.-based email exchange server and file servers for ITAR-controlled technical data is the industry standard.
An export control question for services performed and tests conducted on various types of hardware:
How do we know if the results are export controlled or not? Great question and potentially complicated to work through.
A simple rule of thumb (and fair rule) is to treat the results at the “highest” export level.
Four Simple Scenarios
Starting Definitions:
Non-controlled – Not ITAR and no ECCN thus EAR99
Controlled – ITAR or ECCN (like 8A992(e))
Scenario 1
A non-controlled item with non-controlled test results or software is non-controlled.
Example – Baseball bat tested for basic impact strength.
Results – Bat and test results are not controlled.
Scenario 2
A controlled item with non-controlled test results or software is controlled.
Example – Military Tank tested for basic impact strength.
Results – Military Tank and results are controlled.
Scenario 3
A non-controlled item with controlled test results or software is controlled.
Example – Baseball bat tested for “special” ballistics normally done on military tanks.
Results – Bat is not controlled, but results are controlled as they may reveal something about the test itself.
Scenario 4
A controlled item with controlled test results or software is controlled.
Example – Military Tank tested for “special” ballistics normally done on tanks etc.
Results – Tank and results are controlled.
Too many times, export compliance procedures are a meaningless clump of definitions and a menagerie of content collected from seminars or templates found on the internet. What you are left with is a set of written documents that do not reflect your unique business culture. Other times, export compliance procedures are so detailed and restrictive that, following them as part of your day-to-day activity, becomes a full-time job in itself. Here are six (6) tips to help you develop procedures that work for your company:
Tips for Effective ITAR Export Compliance Procedures:
1. You Actually Do Need Procedures
Export compliance procedures are not a specific requirement of the International Traffic in Arms Regulations (ITAR). However, the U.S. State Department, Directorate of Defense Trade Controls, expects all ITAR Registered Companies to follow their Compliance Program Guidelines. The Guidelines describe the basic elements of a compliance program including the statement that “comprehensive operational compliance programs include manuals that articulate the processes”. Applying this to your business often means a combination of Policy Statements, Procedures, and desktop procedures, where applicable. In some instances, the State may actually ask for a copy of your company’s procedures so make sure you have them… and follow them!
2. Export Compliance Procedures Should Be a Reflection of Your Business
Your procedures should be customized to fit what your business does and to address the compliance risks it may actually face. If your company does not manufacture products or have an engineering department, then your procedures do not have significant content about how those areas will incorporate ITAR compliance into their operations. The procedures should define compliance measures for the personnel, departments, and activities within your company and delineated the requirements appropriately. As your business changes, then you can add or modify your procedures accordingly (see Tip #5)
3. Make The Procedures Useful
You want to make the procedure useful and user-friendly. While defining the requirements is important, including checklists and forms with steps to follow helps to ensure that the procedures will be utilized and not just filed in the back of a drawer. Familiarization with, and the use of, procedures help to greatly reduce the risk of unauthorized deviation. And when it comes to the ITAR and other export regulations, deviations may mean violations that can have serious consequences.
4. Don’t Include Too Much Detail
Some companies make the mistake of incorporating too much information into the procedures. This includes the duplication of entire sections of the regulations, step-by-step descriptions of compliance decisions, etc. I have witnessed companies that have developed ~ 200 pages of information into their export procedures and had all employees attest to the fact that they had read them and agree to abide by them. This was their entire compliance plan. I call it their “disaster plan”.
Forms and checklists attached to the procedures are a great way to incorporate the details of a process, but the procedures are best reserved for addressing key compliance elements and important requirements. An experienced export compliance consultant can help you navigate between too much and too little.
5. Update Export Compliance Procedures Often
Products, services, customers, and employees often change within a business and your export compliance procedures are no different. Regularly review your procedures and make modifications to accommodate changes in your business or to adopt improvements. Modifications to your procedures will also give a Compliance Officer an opportunity to send out updates and reminders to the employees that should be using them.
6. Make Export Compliance Procedures Audit Friendly
A good compliance program will include internal and external audits on a regular basis. On occasion, you may be required to hire an outside consultant to audit your compliance program. Regardless of the reason for an audit, your procedures will be one of the major focuses. Make sure that: What you have in the procedures is what you do; and, What you do is in the procedures. Having extraneous requirements in the procedures that don’t help to mitigate risk or do not align with current and effective compliance practices, should be removed or modified.
I call this the “Green Tennis Shoe” test. If for some reason your procedures state that every Tuesday, all employees will wear green tennis shoes (even though it has nothing to do with export compliance), then that requirement should be enforced and tested in an audit. If that requirement is not being followed and does not affect compliance, then modify or remove the requirement. Having onerous requirements in your procedures that don’t support a good compliance program can only lead to findings and issues during an audit.
A simple three-step process can make product jurisdiction and classification an easier project for many compliance organizations.
If your organization is like many, the focus is on selling first, handling issues second, and planning for future sales third. Simple planning can ease the compliance efforts associated with these business-related tasks.
Here is a simple three-step process.
Step 1 – Segmentation
Segmentation is the dividing of a broad product offering into subsets that have similar attributes for the purpose of determining product jurisdiction and classification.
Segment your set of sellable final products into appropriate subsets.
We will call these various subsets – a “technology” grouping since similar products are grouped by similar “technology” attributes.
Generally, companies have 4-5 different attribute levels for a “technology” group.
Scenario:
My company sells floor cleaning technologies.
Attribute 1 (Type) – We have two product types:
Mops or Brooms
Attribute 2 (Material) – The material utilized for the cleaning contact area is significant:
Sponge or Synthetic or Natural
Attribute 3 (Handle Type) – The handle design is significant:
Curved or Straight
Although, handle lengths, handle material (metal or wood) and handle / cleaning contact material color are additional attributes, they add little distinction to the subset or “technology” group.
This would give us 8 possible technology groupings:
Attribute 1 possibility (2) times Attribute 2 possibilities (3) times Attribute 3 possibilities (2)
2*3*2 = 8
Most likely not all 8 groupings may exist. For example, brooms may NOT use sponge materials – giving us 7 groupings.
Give each subset or technology grouping a label (even if it is Group A, Group B…).
Watch Outs:
• Sales organizations are trained to focus on a customer or market segment. Sales may look at mops and brooms as the same thing.
• Engineers create technology attributes so quickly that you have a 1-1 relationship with your technology groups and product catalog.
• Keep future technology groups in consideration. There may be other attribute values or attributes coming down the new product development pipeline not currently being offered by your organization.
Step 2 – Analyze
To analyze is to study something in order to understand it or discover more about it for structure.
Taking the technology groupings from Step 1, match individual products within a grouping to previous (past 5 years at least) sales. The sales should account for customer, end-use, end-user (if different from customer), quantity, and sales dollars. This matching provides keen insight into product jurisdiction. Although military customers do purchase commercial goods and commercial customers do purchase military goods, this sales matching can identify products with more potential for ITAR designation.
Although other potential areas for matching technology groupings are important, sales history and end-user/use have a dominate nature on product jurisdiction.
Other potential areas for matching include:
• Design Origin of Product
• Special military characteristics found outside “normal” commercial use.
One of the most significant challenges is obtaining end-user/use, if not previously done for past sales.
However, if the end-user/use is not readily known, most sales groups have quality insight into this area.
Keep future sales and business development efforts in consideration. There may be future sales or end-user/uses that previous sales history does not identify for the technology grouping.
Step 3 – Target
Target means to select as a product of attention.
The key to targeting is to pick likely product candidate(s) that can represent the functional nature of the entire technology grouping. These targeted products can become the basis for a singular Commodity Jurisdiction (CJ) submission to the Directorate of Defense Trade Controls (DDTC) or for a Commodity Classification Request (CCR) to the Bureau of Industry and Security (BIS). Just remember that all CCR requests come with an initial implication as being Non-ITAR, which if incorrect can have serious consequences.
The outcomes for CJ or CCR submissions can become your foundation for future product self-analyzed jurisdiction and classification determinations.
Contrary to popular belief, there is no official “certification” in the same way that there are ISO certifications. However, there are industry-accepted standards that are applicable and a certain expectation by the US State Department for companies that register in accordance with the ITAR Section 122.
The ITAR has a requirement for any company that manufactures and/or exports defense articles to register with them. Defense Articles may include any hardware, technical data, and/or services related to an item that has been manufactured or modified for a military application. Exports can occur with shipments overseas or by even providing technical data to a Foreign Person in the US.
We are also very familiar with the DoD and prime defense contractors flowing down the requirement for “ITAR Certification” to their US suppliers as a way of ensuring compliance within their supply chain.
As a general statement, the process includes the following:
- Registration with the US State Department in accordance with ¶ 122 of the ITAR
- Establish an “Empowered Official” at your company to help ensure compliance with the ITAR regulations
- Train your Empowered Official and core employees on the ITAR
- Establish policies/procedures related to ITAR compliance to help educate and prevent unauthorized exports of ITAR defense articles (data/hardware/services)
- Obtain necessary export licenses/agreements to cover any exports of defense articles
There are other items including recordkeeping, disclosure, audits, etc. that the State Department outlines in their “Compliance Program Guidelines”
The services we provide to companies include support with the registration process as well as providing the training to employees and compliance officers, developing the procedures, drafting necessary export licenses, and other services to ensure that the elements expected by the State Department are aptly addressed.
