On December 5, 2022, the US Department of State’s Directorate of Defense Trade Controls (“DDTC”) issued the International Traffic in Arms Regulations (“ITAR”) Compliance Program Guidelines (“ITAR Guidelines”). The ITAR Guidelines set out DDTC’s expectations for an effective ITAR Compliance Program (“ICP”) and an introduction to controls contained in the Arms Export Control Act and ITAR. More specifically, the ITAR Guidelines outline key elements of an effective ICP, and identify suggestions, common compliance pitfalls, and/or tips for best practices related to those key elements. The ITAR Guidelines are similar to compliance program guidelines issued by other federal agencies, in particular, “A Framework for OFAC Compliance Commitments” issued by the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) (see our blog here) and the “Export Compliance Guidelines” issued by the US Department of Commerce’s Bureau of Industry and Security (“BIS”) (available here). While the broad elements of the ITAR Guidelines should be familiar to seasoned compliance practitioners, and are generally consistent with expectations of OFAC and BIS in their respective compliance program guidelines, any organization participating in ITAR-controlled activities should review the ITAR Guidelines in detail and develop an action plan to address any gaps identified in its ITAR compliance program.
Below we provide a summary of the eight critical elements of an effective ICP as outlined in the ITAR Guidelines:
- Element 1: Management Commitment
The ITAR Guidelines state that management commitment is essential for “fostering a proactive compliance posture” and internal culture of compliance. Management commitment is necessary for generating support, designing clear policies and procedures with sufficient resources, and organizing compliance functions appropriately within the organization’s structure. Additionally, the ITAR Guidelines suggest an Export Compliance Management Commitment Statement signed by the Chief Executive Officer, President, or other senior executives to underscore the organization’s commitment to ITAR compliance.
- Element 2: DDTC Registration, Jurisdiction and Classification, Authorizations & Other ITAR Activities
In Element 2, the ITAR Guidelines provide substantive summary guidance related to: (a) the DDTC registration requirement under the ITAR; (b) jurisdiction and classification, including considerations related to submitting a commodity jurisdiction request; (c) authorizations, including the types of licenses, agreements and other approvals available under the ITAR; and (d) other ITAR-controlled activities, including restricted party screening, brokering, political contributions, fees, and commissions, and cybersecurity and encryption. DDTC provides “suggestions” for each category to reduce risks of common ITAR violations, which are helpful to further understand DDTC’s compliance program expectations. For example, regarding cybersecurity and encryption, the ITAR Guidelines state that DDTC “expects organizations to take steps to protect their technical data from cyber intrusions and theft and consider carefully what cyber security solutions work most effectively for them.” Although the ITAR do not explicitly require organizations to implement specific cybersecurity or encryption measures, DDTC underscores that information/technical data controlled under the ITAR often needs to meet requirements of other federal agencies and programs (e.g., the Department of Defense Controlled Unclassified Information program or the National Institute of Standards and Technology standards).
- Element 3: Recordkeeping
Pursuant to 22 CFR Part 130, the ITAR require parties to maintain certain records regarding: (a) the manufacture, acquisition, and disposition of defense articles and technical data; (b) the provision of defense services; (c) brokering activities; and (d) information on political contributions, fees, and commissions. To satisfy the recordkeeping requirements, the ITAR Guidelines suggest establishing recordkeeping roles and responsibilities with written policies and procedures. For organizations that possess technical data, the ITAR Guidelines also suggest creating a Technology Control Plan with policies and procedures for protecting technical data and preventing unauthorized transfers.
- Element 4: Detecting, Reporting, and Disclosing Violations
The ITAR Guidelines suggest that organizations adopt policies and procedures to: (a) detect and report suspected ITAR violations early; (b) investigate and implement corrective actions; (c) properly submit voluntary disclosures to DDTC; and (d) communicate potential consequences of ITAR violations to employees. DDTC reminds the trade community that early detection, reporting, and corrective actions may help minimize the organization’s legal exposure and harm to US national security.
- Element 5: ITAR Training
The ITAR Guidelines recommend tiered ITAR training based on employee function. The ITAR training program should be: (a) tailored to address the organization’s specific compliance risks; (b) dynamic and reviewed periodically for updates and revisions; and (c) adequately resourced with knowledgeable and experienced compliance instructors. Additionally, the four-tiered model suggests increasingly detailed and comprehensive training spanning (1) all personnel, (2) senior management, (3) positions with export functions, and (4) the export compliance team. Providing uniform training to all company personnel will likely not meet DDTC’s compliance program expectations related to ITAR training. DDTC recommends that organizations include ITAR training within performance reviews to better ensure employee accountability.
- Element 6: Risk Assessment
The ITAR Guidelines suggest implementing risk-based risk assessments to address common ITAR risk areas. Risk assessments should be: (a) tailored to the organization’s ITAR-controlled activities; (b) regularly updated for changes in business or risk factors (e.g., exporting to a new geographic area, opening a new foreign office); (c) frequently conducted based on specific circumstances; and (d) prioritized based on likelihood and severity of violations. Lastly, DDTC lists some common ITAR risk areas, including jurisdiction and classification, foreign person employees or visitors, international travel, and inventory management.
- Element 7: Audits and Compliance Monitoring
The ITAR Guidelines recommend performing comprehensive, independent, and objective audits regularly to monitor ICP effectiveness. Audits should consist of: (a) interviews with relevant functional area personnel, compliance team members, and senior management; (b) document collection and review; (c) IT systems access; and (d) site visits, as appropriate. Based on the periodic audits, organizations should regularly review and revise their ICPs, as necessary. Additionally, DDTC provides a sample audit checklist to guide auditors and supplement interview questions for employees within ten functional areas, including management, trade compliance, technical roles, and information technology, among others.
- Element 8: ITAR Compliance Manual
Lastly, the ITAR Guidelines recommend developing an ITAR Compliance Manual (“ICM”) to provide all employees with a “written, authoritative source” of the organization’s ITAR compliance policies and procedures. ICMs should be well-organized, user-friendly, and clearly define consistent responsibilities and expectations for employees regarding ITAR compliance. Organizations should periodically review ICMs for changes in (a) ITAR or DDTC guidance, (b) best practices, lessons learned, and “close calls,” (c) vulnerabilities identified in audits, and (d) organizational risk factor changes.
* * *
DDTC cautions that the scope of ITAR activity varies substantially among different organizations, and thus, the ICPs should be tailored to address each organization’s ITAR-controlled activities, risk factors, and size. Additionally, organizations engaged in ITAR-controlled activities should ensure their compliance program considers the above ITAR-focused elements within a holistic export and sanctions compliance program.
The authors acknowledge the assistance of Alexandra Kumar with the preparation of this blog post.