What is an ITAR Compliance Program and Why Do You Need One


(Download)

By Jeffrey G. Grody

After you register your company with DDTC (see last week’s Advisory), DDTC “strongly advises” you to implement an ITAR compliance program.  Why is this necessary?

To understand DDTC’s concern about ITAR compliance programs, you first have to take a step back and look at what the ITAR is intended to accomplish. The intent of ITAR is to regulate the export of defense articles and defense technology from the United States. DDTC describes its mission as follows on its website:

“The U.S. Government views the sale, export, and re-transfer of defense articles and defense services as an integral part of safeguarding U.S. national security and furthering U.S. foreign policy objectives. Authorizations to transfer defense articles and provide defense services, if applied judiciously, can help meet the legitimate needs of friendly countries, deter aggression, foster regional stability, and promote the peaceful resolution of disputes.”

Customs and border protection mechanisms that are currently in place do a pretty good job preventing physical items from leaving the country without proper licenses, but regulating the export of defense technology is harder and can occur by exchanges between U.S. persons and foreign persons inside the United States.

Defense technology consists, in ITAR terminology, of “technical data” and “defense services.” Both concepts have to do with know-how and other intangible intellectual property. “Technical data” consists of

Information . . . required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation (but excluding “information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities or information in the public domain . . . .

[as well as] basic marketing information on function or purpose or general system descriptions of defense articles).

“Defense services” include

(1) The furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles;

(2) The furnishing to foreign persons of any [ITAR controlled] technical data, whether in the United States or abroad; or

(3) Military training of foreign units and forces.

Therefore, “technical data” includes all the drawings, plans, computer files, process sheets and other know-how used to make a firearm, part, accessory or ammunition, and “defense services” includes furnishing to a foreign person pretty much any information or assistance with regard to the way one of those products is made or used. Transfer of technical data or rendering of defense services to a foreign person without a license or DDTC-approved agreement is prohibited.

So, in light of the ITAR’s intent to regulate not only the export of physical defense articles but also the transfer to foreign persons of U.S. defense technology, an ITAR compliance program contains provisions to protect against the transfer of “technical data” or “defense services” to foreign persons without an appropriate license. For those readers of this Advisory who are required to register with DDTC but who never ship product outside the U.S., your ITAR compliance plan would be designed primarily to protect against unauthorized transfers of technical data or defense services by your personnel.

Pause for a moment to consider what kinds of precautions might be necessary if the objective is to prevent your ITAR-controlled technology from falling into the hands of foreign persons. Remember that your technology consists of blueprints, drawings, 3D files, proprietary tooling and the assistance that your employees and engineers are able to give to third parties. In order to make sure that intangible technology of this sort does not fall into the hands of foreign persons without proper authorization, you would think of such controls as

  • A system for knowing when your employees are interacting with foreign persons versus U.S. persons and to identify foreign persons who are visiting your facility,
  • Rules and procedures to identify foreign persons who are citizens of countries with respect to which DDTC will not approve licenses, such as China and Iran,
  • Rules and procedures to ensure that your employees do not, accidentally or intentionally, give technical data to, or render defense services for, foreign persons without proper authorization,
  • Procedures to assure that your engineers do not interact with non-U.S. engineers on technical projects without a DDTC license,
  • Facility security procedures to prevent your technical data from literally “walking out the door,” and
  • Training so your employees know the rules and procedures they are supposed to follow.

These are, in fact, some of the primary components of an ITAR compliance program.

But, “STOP!” you say. “I have three employees. We machine small parts for pistols and rifles. I don’t export anything. What does my business have to do with national security or foreign policy?”

Exactly. That’s what export control reform (ECR) is all about—shrinking the United States Munitions List so ITAR regulates the defense articles and technology that really matter, and everything else is moved to more flexible Commerce Department regulation or removed from regulation altogether. NSSF’s position statement on ECR reforms that would affect the industry can be found here.

Back to today, however. The ECR that will change Categories I, II, and III of the U.S. Munitions List is on hold. The un-reformed U.S. Munitions List continues to apply to the firearms and ammunition industry.  For the time being, the requirement to register with DDTC, discussed last week, and DDTC’s advice to implement an ITAR compliance program are the realities you should address today.

Next week we’ll take a detailed look at the features your ITAR compliance program should contain.