Summary of DDTC's New ITAR Compliance Program Guidelines

Yesterday, DDTC publicly released its long-awaited, updated ITAR Compliance Program Guidelines (thanks Marissa Cloutier and DDTC team!). I will have a lot to say over the next few days about the substance of the new guidelines, but think it's best to start with a summary of the guidelines, which I provide below. There is a LOT packed into this document, so I encourage all who are involved in ITAR compliance (and trade compliance more generally) to read and absorb the full guidelines.

The substance of these guidelines should not be new to those who've worked on designing and implementing ITAR compliance programs in response to large-scale ITAR consent agreements. These guidelines are, however, much (much) more detailed than previous written guidelines from DDTC - for comparison, the 2016 guidelines were four pages, while these new ones weigh in at 60+ pages! - and will now serve as a very important benchmark for all ITAR compliance programs.

One important note before the summary: Although the guidance is pretty comprehensive, application will not be as simple as implementing all recommendations in the document. As DDTC emphasizes, "the elements in this document provide a foundation for an ICP’s basic structure and function and are not intended to be exhaustive" and each organization must tailor their ICPs "to address [their] ITAR-controlled activities, risk factors, and size".

Please leave your thoughts below on your key takeaways or what surprised you in the guidelines. One issue I will be thinking through: Although there is a lot of "should" used in the document, does the publication of the guidelines now create de facto standards (including audit standards) that must be implemented? What will be the implications/consequences of ignoring suggested actions?

On to the (somewhat lengthy) summary!

#itar #compliance #audits #internationaltrade #exportcontrols

Eight (8) High-Level Elements of an Effective ITAR Compliance Program (ICP):

  1. Management Commitment
  2. DDTC Registration, Jurisdiction and Classification, Authorizations, and Other ITAR Activities
  3. Recordkeeping
  4. Reporting and Addressing Violations
  5. Training
  6. Risk Assessment
  7. Audits and Compliance Monitoring
  8. ITAR Compliance Manual

1. Management Commitment

A. Establish Culture of Compliance

  • Tone from the top is important but not fully sufficient
  • Managers at all levels need to engender a culture of compliance
  • Employees should understand that ITAR compliance is everyone’s responsibility within the organization
  • Encourage employees to raise potential compliance issues
  • Implement non-retaliation
  • Incorporate compliance into employee performance plans and evaluations
  • Adopt clear disciplinary procedures and consequences for addressing compliance misconduct, enforce them consistently across the organization, and ensure that they are proportionate to the misconduct and appropriate to deter future misconduct

B. Demonstrate Commitment Through Policies & Procedures

  • Create and maintain an ICP (see details below)
  • Provide sufficient resourcing for the ICP commensurate with organizational risk, including appropriate training, funding, human capital, organizational support, information technology resources, and other resources needed to fulfill compliance responsibilities
  • "Appropriate" resourcing is a function of organization’s size, scope of operations, and overall risk profile
  • Create and maintain an Export Compliance Management Commitment Statement personally signed by Chief Executive Officer, President, or other senior executives, communicated through all appropriate channels to employees (including in ICP) and disseminate annually for all employees and contractors, as appropriate, to sign (!)

C. Organize Compliance Function Appropriately

  • Characteristics of an effective ICP: In writing, and clearly states the organization's ITAR compliance policies and procedures; Tailored to an organization's ITAR-controlled activities and risks; Regularly reviewed and updated; Fully supported by Management
  • When developing an ICP, identify risk areas and lines of authority
  • After establishing an ICP, management should remain actively engaged in improving the compliance program
  • Management should establish org charts (for ITAR compliance function), develop descriptions of the organization’s trade and export compliance functions, and determine the extent to which the ICP is centralized
  • Org charts should clearly identify lines of authority, including management responsible for ICP oversight, points of contact for compliance questions
  • Org charts should also identify individuals responsible for: Investigations and root cause analysis; Drafting, finalizing, and submitting export-related documents to DDTC; Sending other communications regarding export compliance matters to DDTC; Legal interpretation and guidance on internal export compliance matters
  • Management is responsible for effectively implementing an ICP through training and hiring practices, and delegation of sufficient authority and autonomy.

2. DDTC Registration, Jurisdiction and Classification, Authorizations, and Other ITAR Activities

A. Registration

  • ICPs should include information on DDTC registration requirements, including an explanation of who needs to register
  • To reduce risks of violations arising from registration requirements, DDTC suggests that organizations: Understand which activities require an organization to register with DDTC and determine whether the organization is required to do so; Assign a senior officer to oversee the registration process and to sign the required notifications; Establish and implement policies and procedures to ensure the complete and timely submission of registration renewals and required notifications for material changes; Protect registration codes and not make them publicly available

B. Jurisdiction & Classification

  • If any doubt exists regarding the proper jurisdiction or classification, err on the side of caution, and submit a CJ request to DDTC
  • Understand the form and fit of the articles, as well as the function and performance capability of the articles
  • Document the design and development process for new products and monitor and document modifications to existing products
  • Designate employees with the necessary technical expertise, e.g., engineers or program managers, and export controls personnel to perform jurisdiction and classification review functions
  • Establish formal written policies and procedures for reviewing and documenting jurisdiction and classification decisions
  • Develop a system of tracking and marking jurisdiction and classification determinations at the time – or as soon as possible after – commodities are manufactured
  • Consistently monitor for USML updates and adjust internal jurisdiction and classification determinations accordingly
  • If a CJ request is pending, treat the commodity as defense article or a defense service until DDTC issues the CJ determination
  • Keep records of all jurisdiction and classification decisions in a central location that can easily be accessed, reviewed, referred to, and updated

C. Authorizations - Establish policies and procedures for the following:

  • Incorporating licensing and other authorization considerations in appropriate processes
  • Anticipating the need for licenses in advance of proposed export activities
  • Ensuring that BD, sales, and marketing personnel understand timelines for obtaining licenses
  • Ensuring ample time to draft, submit, and receive approval for agreements
  • Ensuring all parties understand appropriate terms, conditions, and provisos of authorizations, and conduct periodic audits of export activities under the authorization
  • Performing as much fact finding as practicable ahead of submitting license applications and anticipating changes
  • Reviewing for restrictions on parties to the transaction, including by screening through the Consolidated Screening List
  • Creating, submitting, tracking and disposition of authorizations
  • Successfully implementing agreements (e.g., internal controls, technology control plans, identifying foreign person status, and employment status of meeting attendees)
  • Communicating with all foreign parties to determine who will be involved in the transaction and their roles
  • Working with foreign parties to understand if there will be dual or third country national employees working on the proposed activities and how the foreign party will screen those individuals
  • Ensuring foreign parties have compliance safeguards in place to protect any technical data transferred under the agreements from unauthorized access
  • Protecting against unauthorized release of technical data to foreign entities and foreign employees
  • Recordkeeping and tracking the use of licenses and other approvals
  • Assessing all conditions that must be satisfied to qualify for use of any license exemption
  • Reviewing and approving use of license exemptions by appropriate compliance personnel

D. Reexports, Retransfers, and General Correspondence Requests

  • Establish policies and procedures for reviewing and obtaining authorization for reexports and retransfers; tracking and keeping records regarding export authorizations for reexports or retransfers
  • Understand the difference between requesting an initial export authorization and a subsequent reexport or retransfer approval
  • Submit complete information on transaction to avoid RWAs
  • Educate foreign recipients of U.S. defense articles about end use and other ITAR requirements

E. Restricted Parties Screening

  • Screen all parties involved in a transaction prior to engaging in any ITAR-controlled activity with such parties
  • Establish policies and procedures for implementing screening within the organization’s operations, and resolving positive hits and reviewing questionable transactions
  • Determine the frequency of routine screening and rescreening
  • Maintain detailed screening record results
  • Dedicate adequate resources for screening
  • Monitor updates to U.S. Government lists
  • Ensure that all relevant employees understand which destinations are proscribed under ITAR § 126.1

F. Brokering (ITAR Part 129)

  • Establish policies and procedures for obtaining prior authorization for brokering activities, reporting brokering activities, and maintaining records regarding brokering activities
  • Understand which activities constitute ITAR brokering activities
  • Review and understand the available exemptions to brokering authorization requirements
  • Submit annual brokering reports to DDTC on time

G. Political Contributions, Fees, and Commissions (ITAR Part 130)

  • Understand whether organization or vendors are involved in paying political contributions, fees, or commissions
  • Understand what information needs to be asked of and received from vendors
  • Establish policies and procedures for accurate and accessible recordkeeping of such political contributions, fees, or commissions

H. Cybersecurity & Encryption

  • Consider how to encrypt the storage and transmission of technical data externally, including via cloud and other remote storage, and how to appropriately encrypt technical data on portable devices
  • Establish policies and procedures for recurring training on travel with mobile devices for new and existing employees
  • Ensure foreign person employees do not receive unauthorized access to technical data
  • Ensure technical data is not backed up to servers in foreign locations
  • Coordinate with IT to implement intrusion detection systems
  • Educate employees about phishing, malware, and other cyber threats
  • Review electronic storage options, such as cloud storage services, and understand how service providers protect ITAR-controlled technical data
  • Establish security policies for file sharing and collaboration tools
  • Establish measures for encryption of data on mobile devices, such as laptops and cell phones
  • Establish policies and procedures for the review and approval of employee travel with mobile devices
  • Ensure that IT logs and controls access to company networks that contain ITAR-controlled technical data by authorized personnel

3. Recordkeeping

  • Determine which records must be maintained pursuant to the ITAR’s recordkeeping requirements and develop a list of those records
  • Must maintain certain records: License or other approval; License exemption; Technical data exports; Oral, visual, or electronic exports; Certain information related to special comprehensive export authorizations; Related to the Defense Trade Cooperation Treaty between the United States and Australia; Related to the Defense Trade Cooperation Treaty between the United States and the United Kingdom; Related to exemptions involving employees who are dual and third-country nationals; Related to voluntary disclosures; Brokering recordkeeping requirements; and Related to political contributions, fees, and commissions
  • Develop written policies and procedures to ensure proper recordkeeping. These should address: Responsibility for recordkeeping; Timely destruction of records, or their maintenance past required dates where relevant to ongoing matters; Determining how and where records will be maintained; Determining how and when records will be inspected for completeness, accuracy, and quality; Developing and maintaining processes for managing records by identifying classes of records and logs of record creators and keepers; Establishing record-retention requirements for emails, contracts with freight forwarders, brokers, and distributors, and other records; Creating recordkeeping redundancies, such as backup IT servers, where appropriate; Ensuring that recordkeeping methods do not allow for unrecorded alterations
  • Responsibility for recordkeeping - clearly allocate responsibilities for recordkeeping among personnel in business units, records management, information technology, system administration, and other offices within the organization
  • Ensure proper oversight of personnel responsible for recordkeeping
  • Develop ongoing training and awareness programs to ensure personnel involved in the recordkeeping process can effectively comply with ITAR recordkeeping requirements
  • Conduct periodic audits on the recordkeeping system
  • Communicate the importance of recordkeeping to all employees and ensure adequate resourcing for recordkeeping
  • A failure to maintain or produce relevant records in certain circumstances constitutes an ITAR violation
  • Organizations that possess technical data and either employ foreign persons or conduct frequent meetings with foreign persons should consider creating and maintaining a TCP
  • TCPs should address how organization will keep records regarding foreign person visitors at their facilities, and how organization will collect and store human resources records for foreign person employees involved in ITAR-controlled activities

Best Practices

  • For copies of exported technical data, ensure the records are properly secured, including through encryption for digital records, to prevent unauthorized access
  • Before employees depart an organization, ensure any records subject to ITAR recordkeeping requirements they possess are identified and preserved
  • Evaluate the physical storage site and control procedures for disposal of records to minimize the risk of losing records or failing to properly secure technical data
  • Implement a backup system for electronic storage and implement measures that will assist in the recovery of information and other electronic communications on computer systems if the primary computer system fails
  • Maintain thorough records of non-disclosure agreements and screenings involving dual and third-country national employees, as appropriate
  • Maintain copies of relevant records that exist on a third-party organization’s IT systems, such as copies of shipping records from freight forwarders, disclosures submitted by outside counsel, or licensing information
  • Acquire or develop a central IT storage system or database for relevant records
  • For offsite record storage and destruction, review the contractual terms to ensure that ITAR-controlled technical data is protected
  • Periodically reevaluate the efficacy of recordkeeping policies and procedures
  • Retain records of any disclosures and any supporting documentation
  • Develop and implement a system to document all communications with DDTC officials, including through outside counsel, involving ITAR-related matters, which may help ensure continuity and consistency in an organization’s export compliance functions

4. Detecting, Reporting, & Disclosing Violations

A. Identifying and Reporting Potential Violations

  • Develop and disseminate policies and procedures that provide clear guidance to all employees regarding the detecting and reporting of suspected ITAR violations
  • Implement clear internal reporting procedures for employees to ensure that employees understand that it is their obligation to report suspected ITAR violations. Widely promulgate these procedures
  • Provide a mechanism through which employees can report suspected ITAR violations anonymously and confidentially and ensure that employees are aware of and can effectively use this mechanism
  • Clearly identify and communicate to employees the office or individuals within the organization assigned the responsibility for receiving reports of suspected ITAR violations along with their contact information
  • Empower employees to speak up if they are unsure about the proper course of action, if they believe they may have been involved in an activity that violated the ITAR, or if they believe another employee is violating or about to violate the ITAR
  • Provide assurances that employees will not suffer any negative consequences for reporting a suspected violation in good faith
  • Incorporate ITAR compliance into employee performance plans and evaluations

B. Investigations

  • Establish policies and procedures to detect, stop, investigate, confirm, report, and remediate any suspected ITAR violations immediately.
  • These policies and procedures should cover how the organization will:
  • Determine when to investigate suspected violations.
  • Document the information reported, detected, or otherwise obtained as part of the investigation.
  • Analyze the root causes of any ITAR violations.
  • Draft a report describing the outcome of the investigation and the recommended corrective actions, including any recommended disciplinary measures.
  • Present the report to and brief management.
  • Document management’s response to the report and whether management approved the recommended corrective actions.
  • Implement the corrective actions and document the implementation of the corrective actions, including who implemented them and how.
  • Monitor the corrective actions to ensure they remain fully implemented and are working properly over time.
  • Report back to management after the approved corrective actions are implemented.
  • Use personnel qualified to conduct timely and properly scoped investigations of ITAR violations and ensure that such personnel have adequate resources and funding.
  • Ensure that investigations are independent, objective, thorough, and properly documented
  • Continuously update compliance programs to incorporate changes to the ITAR and lessons learned from past violations.

C. Disclosures

  • Develop written policies and procedures for disclosing ITAR violations to DDTC
  • Implement reporting procedures for organizations to voluntarily disclose ITAR violations to DDTC and also to mandatorily disclose ITAR violations involving proscribed destinations pursuant to ITAR § 126.1(e)(2)
  • In the event the organization’s policies and procedures should have prevented a violation, the disclosure should identify the business units that had ownership of the specific policies and procedures at issue and explain how those units have been held accountable
  • Voluntary disclosures should also demonstrate that the organization developed and has either implemented or has plans to implement corrective actions that address the root causes and prevent the recurrence of similar violations

D. Discipline

  • Ensure that all employees understand their legal obligations under the AECA and ITAR, as well as consequences for violating those obligations
  • Make available educational materials and post visual reminders to all relevant employees that underscore the importance of compliance as well as the consequences of non-compliance, including possible disciplinary actions

5. Training

A. Basics

  • ITAR training programs should be tailored, dynamic, up-to-date, and adequately resourced; clearly identify the job-specific export control responsibilities for all employees; allot sufficient time for employees to complete their training; offer training on a recurring basis, at a minimum annually
  • Maintain accurate training records
  • In addition to offering formal ITAR training sessions on a recurring basis, make available on-demand ITAR training resources that employees may consult at any time
  • Ensure that ITAR training programs are tailored to address the organization's specific compliance risks, including: The nature and scope of defense articles and defense services being provided; The parent, subsidiaries, affiliates, suppliers, customers, clients, business partners and other relevant parties with which the organization interacts, directly or indirectly; The geographic regions in which the organization operates; and The duties and responsibilities of the employees and other personnel being trained
  • ITAR training programs should be dynamic and reviewed periodically for updates and revisions
  • Establish a mechanism to disseminate ITAR-related updates to personnel in a timely manner in between training sessions, such as through organization-wide email updates
  • Use "close call" incidents to provide specific training to relevant personnel within the organization, in addition to taking corrective actions
  • Hire knowledgeable and experienced trainers

B. Tiered / Role-Specific Training

  • Adopt a tiered ITAR training program based on the responsibilities of each employee. Provide employees and other personnel with different levels and types of ITAR training depending on the knowledge and skills needed to perform their job functions and the compliance risks that arise in each position
  • Tailor ITAR programs as specifically as possible to help employees and other personnel understand their specific export control responsibilities in light of the organization’s risk profile

C. Employee Accountability

  • Include ITAR training as a requirement in performance plans and reviews and ensure that employees and other personnel complete their ITAR training on time
  • Hold employees and other personnel accountable for completing their ITAR training (initial and refresher) in a timely manner
  • At the end of each ITAR training session, organizations should test employees on the materials

6. Risk Assessments

A. Basics

  • After understanding the full spectrum of the organization's compliance risks, use that data to create an effective and tailored ICP and allocate resources as appropriate to prioritize and mitigate those risks
  • Tailor the risk assessment to the organization’s ITAR-controlled activities and identify and analyze all the potential ITAR-related risk factors for the organization, whether those risks arise inside or outside of the organization
  • Ensure that initial risk assessments (as well as updates) are fully documented and preserved
  • Analyze and prioritize risks based on all relevant factors, including the likelihood that such risks would result in ITAR violations
  • Integrate risk-based analysis and prioritization into ICP and allocate resources as appropriate to mitigate those risks

B. Review and Update

  • Periodically review the risk assessment to determine whether the identified risks are properly addressed
  • Regularly update the ITAR risk assessment to account for changes to the organization's risk factors
  • Update when new or evolving ITAR compliance risks are discovered through audit findings, ITAR violations or “close calls,” employee feedback, or any other sources
  • Also important to update the risk assessment following mergers, acquisitions, and divestitures, particularly if the company merges with or acquires foreign persons

7. Audits and Compliance Monitoring

  • Develop, as appropriate, an audit strategy, utilizing the different types of audits: functional-level audits, program-level audits, external audits.

A. Personnel

  • Assemble an internal team or, as appropriate, hire external third parties to conduct periodic ITAR compliance audits. If an Internal Audit function exists, incorporate ITAR policies and procedures into corporate audits
  • Ensure auditors have sufficient: qualifications, technical knowledge, ITAR expertise, and resources; authority to ensure employee compliance; independence from audited activities; and autonomy and independence from management

B. Methodology

  • Audits should consist of interviews, document collection and review, access to IT systems, and site visits (as appropriate)
  • Auditors should maintain detailed logs of documents requested, obtained, and reviewed

C. Audit Reports, Findings, & Follow-Up

  • Draft audit report should include an executive summary, findings and recommendations, and appendices that explain the methodology, including the interviews conducted, documents reviewed, and sites visited
  • Prior to finalizing the audit report, the auditors should share their findings and recommendations with the relevant business units to correct any inaccuracies.
  • After making any final modifications, auditors should brief senior management on the audit findings and recommendations.
  • Organizations should ensure the final audit report is provided to all relevant business units, as well as senior management.
  • Organizations should maintain audit reports for at least five years.
  • If audit report contains remediation recommendations, organizations should include specific timetables and an implementation plan for management to approve.
  • Track the progress of corrective actions until they are completed.
  • Once corrective actions are completed, organizations should prepare an additional report to management, and compliance personnel should confirm that each corrective action has been fully implemented.

D. Mergers & Acquisitions

  • Audits may be appropriate when mergers, acquisitions, and divestitures occur
  • Conduct due diligence reviews of target organizations that engage in ITAR-controlled activities
  • Assess the effectiveness of the target organization’s ITAR compliance program and identify potential past ITAR violations
  • Conduct an audit after closing the merger, acquisition, or divestiture
  • Ensure that any continuing ITAR violations by the acquired organization identified through the post-acquisition audit are stopped and remediated

E. Compliance Monitoring

  • Regularly review ICPs and amend ITAR compliance policies and procedures as appropriate in response to: ITAR or DDTC guidance changes; best practices and lessons learned from violations by other organizations; lessons learned from violations and "close calls" within the organization; vulnerabilities identified through audits/testing; changes to the organization's risk factors

8. ITAR Compliance Manual

  • Develop an ITAR Compliance Manual (ICM) and make it available to all employees
  • ICMs should be periodically reviewed and updated

A. Drafting an ICM

  • Export compliance team should take the lead in drafting the ICM
  • Organizations should consider selecting various employees who work in different business units outside of export compliance to review and provide feedback on the draft

B. Effective ICMs:

  • Are well organized, easy to understand
  • Explain why export compliance is important to the organization, including the promulgation of an Export Compliance Management Commitment Statement
  • Provide summaries of applicable export laws and regulations
  • Explain the role and function of the ITAR Compliance Program
  • Identify the roles and responsibilities of relevant export compliance personnel and other functional personnel who are responsible for ensuring the organization’s compliance with the ITAR
  • Explain how employees should coordinate both within the compliance function and outwardly with other parts of the organization to ensure ITAR compliance
  • Capture the day-to-day operations and ITAR compliance risks relevant to the organization, including through diagrams or other visual aids
  • Describe in detail the organization’s compliance policies and procedures, covering: Preventing, detecting, and reporting AECA and ITAR violations; Identifying, classifying, and marking defense articles, defense services, and technical data, to include the evaluation of authorized limits of software version; Incorporating AECA and ITAR compliance into management business plans at the senior executive level and various business functions to ensure effective compliance; Obtaining, managing, and complying with the scope of ITAR authorizations; Maintaining appropriate records; and Meeting and maintaining adequate AECA and ITAR compliance staffing levels at all divisions and facilities
  • Include templates, checklists, and/or forms that are applicable to ITAR compliance within the organization
  • Include the organization’s ITAR compliance training plan for its employees

C. Dissemination & Integration

  • Make ICM readily available to all employees (such as by posting on internal website) and identify a point of contact for questions and concerns
  • Incorporate the ICM into the ITAR training program

Alex Trafton - check out the cybersecurity requirements under Section 2. No reference to CMMC or NIST 800-171 though!
