NCMA Workshop International Traffic and Arms Regulations (ITAR) What you need to know! Natascha Finnerty DL Exports International [email protected].

NCMA WorkshopNCMA Workshop

International Traffic and Arms International Traffic and Arms Regulations (ITAR)Regulations (ITAR)

What you need to know!What you need to know!Natascha FinnertyNatascha Finnerty

DL Exports InternationalDL Exports International

[email protected]@comcast.net978 368-7940978 368-7940

What We’ll Cover• When and Where ITAR Applies• Controlled Items, Activities, and

Countries• Security Concerns w/Foreign

Employees• Building an Effective Technology

Control Plan (TCP)

ITAR Applies to

• Your Company, • Your Customers, AND

• Your Employees

RECENT TRENDSRECENT TRENDS

• DFAR requires DOD to state if a contract is “ITAR controlled”

• Partners and customers are asking if companies are ITAR registered

• Contracts for SBIRs state that “technology must be transferred only to US persons”

• Larger fines imposed for ITAR errors – ITT $100M

TRUTHS ABOUT TRUTHS ABOUT EXPORT REGULATIONSEXPORT REGULATIONS

• Directly linked to international events

• Not taught in most business curriculums or by managers

• They are always changing

• You love’em or hate’em

TODAY, THERE ARE SEVERAL TODAY, THERE ARE SEVERAL REASONS FOR EXPORT CONTROLSREASONS FOR EXPORT CONTROLS

• To prevent the increase of military strength of an adversary

• To further foreign policy objectives

• To protect scarce resources• To implement international

arms/weapons bans

EXPORT CONTROLS ARE EXPORT CONTROLS ARE IMPORTANT TO IMPORTANT TO

EXPORTERSEXPORTERS• Reach of U.S. Export Controls is

broad. Large % of business is military-COTS

• Violations can cause you to lose your government contracts

• There are Global Alliances to that we must comply with

GLOBALGLOBALCONTROL REGIMESCONTROL REGIMES

GLOBAL COMPLIANCE ISSUES THAT AFFECT

EXPORTERS

Companies must Comply with Requirements of the New International

Alliances that Regulate Trade

AustraliaGroup

MissileTech Control

Regime

Wassenaar

Arrang

NuclearSupplierGroup

NATO

MOD

CONSEQUENCES OF FAILURE TO COMPLY– Penalties – Negative publicity– Loss of Government

contracts, other business

EXPORTING COMPANIES EXPORTING COMPANIES ARE EXPECTED TO HAVE ARE EXPECTED TO HAVE AN EXPORT COMPLIANCE AN EXPORT COMPLIANCE

PROGRAMPROGRAM

Goals:• Protect against violations• Control exports and

transfers effectively and efficiently

• Ensure systematic approach

COMPANIES MUST SHOW COMPANIES MUST SHOW DUE DILIGENCE FROM THE DUE DILIGENCE FROM THE FIRST EMAIL OR TELECOMFIRST EMAIL OR TELECOM

• Licenses can be required to submit a proposal to a foreign party

• Licenses can be required to provide detailed technical information to a foreign person

• Persons of some countries cannot even get a license!!!

The US Government controls The US Government controls the export of goods, the export of goods,

software and technologysoftware and technology

EVEN In the US ! through the control of-specific items, and -specific activities.-Either as Dual-use or Military. It can be a fuzzy line!

WHAT’S AN “EXPORT” OR WHAT’S AN “EXPORT” OR REEXPORT?REEXPORT?

• Ship/send/transmit items on the USML or CCL from U.S. to foreign country

• Transferring ownership of a vessel, aircraft or satellite to foreign company

• Ship/send/transmit U.S. items from one foreign consignee or country to another

• Disclosing by any means to a foreign person in the US

• Ship foreign items with U.S. content from one foreign country to another

AND …

MORE “EXPORTS”MORE “EXPORTS”

• Release of tech data to a foreign national

• Participation in proliferation (nuclear, chemical/biological weapons or missiles)

• Dealings with Restricted Parties (TDO/SDNs, debarred list, others)

• Transactions involving Embargoed countries

SOME ACTIVITIES ARE SOME ACTIVITIES ARE OUTSIDE EXPORT REGSOUTSIDE EXPORT REGS

Transfer of “Publicly Available”(Public Domain) information

– Brochures– Technical information provided

freely (even to competitors) at no charge

– Fundamental Research– Information in Libraries, newsstands– Patents

Law and the Regulations

HOW THE GOVERNMENT CONTROL THE TRANSFER OF MILITARY DATA, ITEMS AND SERVICES

Arms Export Control ActArms Export Control Act22 U.S.C 2778 TRADING WITH THE ENEMY ACT22 U.S.C 2778 TRADING WITH THE ENEMY ACT

• Controls Imports and Exports of Defense Articles and Services

• Broad authority to approve, deny, suspend, revoke and halt shipments from US ports

• Mandates registration and licensing

• Requires monitoring and reporting of fees, contributions and commissions

ITAR AND EAR

The International Traffic and Arms Regulations (ITAR)-Military Items

Export Administration Regulations (EAR)-Commercial Items

YOU NEED TO YOU NEED TO UNDERSTAND THE SCOPE!UNDERSTAND THE SCOPE!

• CONTROLLED ITEMS

AND

• ACTIVITIES

CONTROLLED ITEMSCONTROLLED ITEMS

• US Munitions List (USML)

• Commerce Control List (CCL)

ITAR govern munitions items, related tech data and services:– Items designed, configured or adapted

for military use– Items that meet listed parameters

(radiation resistance, TEMPEST)– Predominant military Use– Classified items and technical data– Defense services

ITAR CONTROLSITAR CONTROLS

US ML PART 121US ML PART 121

21 categories, from firearms to major weapons systems

I – FirearmsIII – AmmunitionIV – Launch Vehicles, Guided MissilesVII – Aircraft and associated equipmentX – Protective Personnel EquipmentXI – Military ElectronicsXV – Spacecraft and Associated EquipmentXVII Classified Articles, Tech Data and

Defense Services - catch all

LISTSLISTS

USML• Broad categories• Specially designed for

military catches lots of things

• Must apply for a COMMONITY JURISTRICTION (CJ) to get off the list

• Need a license for all destinations

• China is proscribed

USML vs. CCLUSML vs. CCL

USML 22 categories• Item, components, technology

CCL• 10 categories• Item, production, material,

software, technology

CCLCCL

• Technical parameters that the item must meet

• Must be high level item

• Many license exceptions to Regime members

4A003 4A994EAR99

DEVELOP A DEVELOP A PRODUCT MATRIXPRODUCT MATRIX

Communicate to • Project Managers• HR• Sales• ShippingMake it part of your PN or

contract process and program a flag

• ECCN/Cat No.• Origin• Schedule B

KNOW THE PROSCRIBED COUNTRIES

KNOW THE PROSCRIBED KNOW THE PROSCRIBED COUNTRIESCOUNTRIES

126.1 Embargoed UN Embargoes Terrorism RestrictionsBelarus AfghanistanCuba Cuba Cyprus Burma Iran Congo (DR)ChinaEritrea North Korea FijiIran Sudan IndonesiaHaiti Syria Iraq

Ivory CoastLiberia Lebanon North Korea LibyaSomalia PalestineSyria ThailandSudan YemenVenezuela Zimbabwe

BEST PRACTICE – limit the ability to book orders or hire individuals from these countries in your system

UNDER THE ITAR – UNDER THE ITAR – ALL COMPANIES MUSTALL COMPANIES MUST

• Register (PART 122)– as a manufacturer, exporter and/or

broker

• Select Empowered Official (s) – by letter

KNOW THE KNOW THE REDRED FLAGS! FLAGS!

• Customer is little known• Customer is evasive about end-user

or end-destination• Customer knows little about the

product but wants it anyway• Customer asks for out-of-the-way

delivery routing• Customer is willing to pay cashYou cannot act with knowledge of

a violation or provide advice on how to evade the regulations!

Security Concerns Security Concerns w/Foreign Employeesw/Foreign Employees

Employing/Contracting Employing/Contracting Foreign NationalsForeign Nationals

“non U.S. Persons”

“OK, folks, today we tour the highly classified, top secret areas of our Defense Department.”

ITAR HINTITAR HINT

• "Prior approval to use Non-U.S. Citizens to perform on this contract, at either the prime or sub-contract level, must be obtained from the Contracting Officer. If approval is granted, such approval does not grant an exception to U.S. export law (s) and the contractor is responsible for obtaining necessary export licenses."

WHAT IS AWHAT IS A TECHNICAL DATA TECHNICAL DATA

EXPORT (RELEASE)?EXPORT (RELEASE)?• Ship IC designs to foreign country• Hire foreign engineers• Plant tour for foreign nationals• Foreign access to host computer• Transfer data/software over the

Internet• Phone, FAX, & E-mail • Co-development project with

foreign partner • Train foreign nationals

DEFENSE SERVICESDEFENSE SERVICES

• Assistance to foreign persons in activities involving defense articles:– design, development, engineering– testing, manufacturing,

production, assembly– repair, maintenance, modification– operation – demilitarization, destruction

• Provision of ITAR-controlled tech data to foreign persons

TECHNOLOGY TRANSFERS TO TECHNOLOGY TRANSFERS TO FOREIGN NATIONALSFOREIGN NATIONALS

• Foreign nationals = all EXCEPT– U.S. Citizens– U.S. Permanent Residents – Persons granted refugee status or

asylum in the U.S.• If the tech data are controlled to the home

country AND no License Exception is available, obtain a license

• Considered an ITAR “deemed export”• Applies to interns, contract employees, others,

anyone who sees ITAR data

IF YOU GOTTA HAVE IF YOU GOTTA HAVE HIM/HER ON A PROJECT!HIM/HER ON A PROJECT!

• Is it an ITAR (DSP-5 or TAA) or BIS license?In either case

– Letter of explanation, – Resume– Statement of Work– Passport documents– EAR - Transfer of technology to foreign national per 732.2(b)(ii)– FBI template– End-user – provide immigration status.– End-use -

Expiration date tied to H-IB VisaCan be renewed – automatic 6-month extension if renewal

is received 45 days prior. Include the previous license number on all applications

Company PolicyCompany Policyand ITAR NDAand ITAR NDA

• Statement from Senior Management on importance of TCP

• Employee responsibilities• Part of Hiring Process• Need to demonstrate

management commitment

ITAR TECHNICAL DATAITAR TECHNICAL DATA

• Information for design, development, production, assembly, manufacture, use of defense article

• Classified technical information• Basic marketing info excluded• “Public domain” material

excluded

?

A Day in the Life of an A&D Engineer (without export control A Day in the Life of an A&D Engineer (without export control solution)solution)

ITAR ProjectFile Server

Mixed UseServer

Non-US Engineer

1

2

345

6

Web or CollaborationPortal

Non-US Partner

CommercialProject

US EngineerUS Engineer

Non-US Admin

US Engineer

OverseasRemote

Weak access or flow control

Lack of Informationbarriers

Transfers not matched to licenses

Transfers overunapproved channels

Commercial productcontamination

Uncontrolled mobiledata export

2

345

6

A Day in the Life of an A&D Engineer (with export control A Day in the Life of an A&D Engineer (with export control solution)solution)

ITAR ProjectFile Server

Mixed UseServer

1

Non-US Engineer

Web or CollaborationPortal

CommercialProject

US EngineerUS Engineer

?Non-US Admin

US Engineer

OverseasRemote

Non-US Partner

Controlled Access and Flow

Information Barriers

Transfers matched, logged, accountable reporting

Controlled TransfersApproved Channels

Non-contamination

Data Export Controlfor Mobile

Nextlabs Solution

Export Control for Technical Data OverviewExport Control for Technical Data Overview

US persons authorized to access ITAR project

information

US persons and non-US persons not authorized to access ITAR project

information

Deny/Limit

ITARTechnical Data

Technical Data

Approve

Approve/Deny Shipment of Goods

and Information

Export Control forTechnical Data

IdentityManagement

Export Licenses,SPL, Embargo List

AuditLog

Import/Export Control

Physical GoodsDefense Articles and

Third Party Supply Chain

US DoD images

NextLabs Products

Technical Data Policy Enforcement

`

Secure Dropbox (FTP)

Email / Instant Messaging

CollaborationPDM / SCMFile Server

Design WorkstationLaptopsMobile Users

`

Partner SystemsBatch

Compliant Enterprise

Policy Audit Data

Identity Management

ITAR Access Provisioning

Export Project Assignment

Information Export SolutionInformation Export Solution

ITAR / EAR Policy Library

Technical Data Activity Journal

Tech Data PolicyManagement

Export ProjectManagement

Export Audit Reporting

Export License Mgmt

Import/Export Control

Tech Data Export

Export License Mgmt

License, Embargo, SPL,

Information Export Control

Composite Application

ITAR/EARProject Mgmt

Technical DataPolicy Mgmt

Technical DataExport

Export LicenseRequest Mgmt

FACILITIES FACILITIES CONTROLSCONTROLS

• Control access to ITAR development and manufacturing areas

• Procedures – clean desk, locked storage

• Separate areas for ITAR meetings

• Different Badges for foreign persons/visitors

• Sign In and provide status of person - US?

HR ControlsHR Controls

• Deemed exports license for new engineers that are not permanent residents

• Unique badges for FN• Notices to employees

about non-disclosure to foreign employees, contractors, vendors

• Training in rules

NISPOM IS ControlsNISPOM IS Controls

• Chapter 8 • Need to address - Administrative,

operational, physical, computer, communications, and personal controls

• Appointment of a IS Security Officer

• Certification and Accreditation• Regular Auditing of procedures

System ManagementSystem Management• Handling, controlling, removing,

destroying of backup media. • Control over devices containing ITAR

data• Implementation of authentication

procedures– Including laptops, PDA’s, removable devices– Privileged and “super users”– Protection of passwords

• Tracking of who examines HW and SW • Don’t forget IT maintenance personnel • Physical Security

ReferencesReferences

• Nunn-Wolfowitz Best practices

• SIA: Compliance Insiders – Toolkit for Internal Compliance www.si.ed.org

• DL Exports Intl www.dlexports.com