Navigating ITAR Compliance

Manufacturing a product for the US Military today is much more than just meeting a request for quotes or testing products to make sure they meet stringent military environmental and performance standards. The product must be properly licensed by the U.S. State Department under the International Trafficking in Arms Regulations (ITAR) and other export compliance standards including the Export Administration Regulations (EAR). All suppliers who make parts and provide services to build those systems must also be licensed.

These regulations implement the provisions of the Arms Export Control Act (AECA), and are described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations. The Department of State interprets and enforces ITAR. Complying with these regulations is just as complicated and detailed a task for compliance officers and attorneys as designing fire control system components is for defense electronics engineers. Failure is not an option for either task, but in the case of ITAR compliance, it could result in multi-million dollar fines and even jail time for individuals who knowingly violate the law.

ITAR regulations dictate that information and material pertaining to defense and military related technologies (for items listed on the U.S. Munitions List) may only be shared with U.S. Persons unless authorization from the Department of State is received or a special exemption is used. U.S. Persons (including organizations) can face heavy fines if they have, without authorization or the use of an exemption, provided foreign (non-US) persons with access to ITAR-protected defense articles, services or technical data.

These rules have been in place since 1976, and were implemented for U.S. National Security and other foreign policy objectives. Because of this, the Federal government can impose criminal and civil penalties. The government, in fact, has been known to prosecute individuals for willfully violating the ITAR or the EAR. An innocent mistake can be the basis for very substantial civil fines and penalties and possibly imprisonment.

Penalties and Enforcement

Civil and criminal penalties have grown since the terrorist attacks of Sept. 11, 2001, but that is due less to the volatile conflicts around the world and more to the fact that the U.S. Government has hired more enforcement personnel. Since 9/11, the creation of Homeland Security has enabled better coordinated enforcement between agencies. The U.S. Department of Justice made export enforcement a priority.

This is only going to become more problematic today as commercial companies, finding their own markets shrinking, try to break into the defense business. The defense industry is one of the few bright spots in this economy and already designers of commercial technology are looking for ways to attract military system integrators to their products.

In 2007 the Department of Justice formed a taskforce focused on educating federal prosecutors and agents on making cases in this area. Prior to this not many prosecutors and very few agents throughout the ninety-three U.S. Attorney’s offices paid much attention to ITAR prosecution. In addition, penalties for violations in this area have been significantly increased to as much as $250,000 per violation. This degree of pain can be unbearable for many small and large companies alike. Companies are also being required self-report violations or their problem is compounded.

Evolving Regulations

As with any type of law, how the regulations are enforced or interpreted depends on the person interpreting the laws. This is often the case in commodity jurisdiction issues. Which agency–State, Commerce, etc.–has jurisdiction depends on who is being asked at the time. The key here is to make sure complete and correct information is provided when doing a commodity jurisdiction request, otherwise it could get placed in the wrong jurisdiction and the fault will be with the company not the government.

The laws and regulations do evolve and companies must keep abreast of these changes. The State Department will update its U.S. Munitions list but not as often as the Commerce Department adjusts its Commerce Control List (CCL).

Any technology used for space–commercial, NASA-related, or defense–typically is ITAR controlled because it is integrated with launch vehicles, such as the Aries, which automatically come under the ITAR, say legal experts.

The Bureau of Industry and Security (BIS) part of the Department of Commerce, frequently updates the Export Control Classification Numbers (ECCNs) on the CCL because major multi-national agreements that govern many of the ECCN controls are frequently changed.

It is also important to keep up with lists of which countries receive a friendly status and which are off limits, as well as which countries that fall under U.S. sanctions and United Nations sanctions. Countries currently off limits include Iran, Cuba, Syria, Sudan, and North Korea, for virtually all products and technology. There are many restrictions on the export of defense articles and technology to China.

Export compliance should not be an afterthought. Many companies, unfortunately, think that their business is exempt when they are ‘just making small metal parts and shipping them to Lockheed or Harris.’ If they are found in violation the individuals may face jail time and the company may be subjected to hefty civil fines and penalties.

Most Common ITAR Mistakes

The ITAR is fraught with complications that make it easy for companies to break the law if they are not vigilant. There are seven areas where many companies may slip up.

1. The most common mistake among small businesses new to export compliance is the lack of any compliance program internally. They need to invest in training at least one person internally to handle the compliance process.
2. Many businesses in this economy are so focused on sales that they do not spend the appropriate time making sure all their products are properly licensed.
3. Some companies also believe that having a compliance program on paper is enough, which is a mistake. Their program may be largely ineffective because it does not tie in with their actual company procedures or because they do not have trained export compliance personnel to help with issues.
4. A mistake that results in a vast number of violations is company failure to classify long-term products as ITAR or Commerce controlled. Many companies have been making a product for decades and have not licensed it. Without this license it is a violation. Compliance oversight often occurs when a company has missed something in their program such as foreign national employees or foreign procurement of controlled parts. They may not have controls that follow shifting programs or products. This situation can be termed “ITAR creep” when the company thinks they have covered every angle, but something sneaks up on them and they have a violation.
5. When a company sees a potential export problem with one of its orders, knows it is a red flag, but goes ahead anyway because they want to make the delivery and fill the order. It is a critical and dangerous mistake to go ahead and ship without identifying potential problems and resolving them prior to the product leaving the facility.
6. One of the biggest mistakes companies make is with their record keeping. They have a tendency to focus on getting the license, but then fail to maintain their records. They need to answer all the requirements to show that they did what they said they would do. Just knowing what the proper records are is still not enough. When doing export compliance, it is important to become intimately familiar with the process that supports the generation of each record, so that when a third-party wants to review or validate what you did, no one has to scramble.
7. Another area that requires close attention is writing product descriptions for a license application. Companies need to be aware of who their audience is.
8. Prime contractors are set up well with large export compliance staffs and systems, but in such large organizations miscommunications sometimes happen. Often someone will say “I didn’t know that was ITAR controlled, or a defense item, etc.”

Sometimes they are so focused on what is happening today they do not plan for what may happen down the road with inventory that may be exported a year or two years later. They still get the license and do the paperwork correctly, but find themselves scrambling at the last minute because they lacked foresight.

At small corporations, people are often too busy and need to focus on the definitions. They need to understand what they are doing, and keep it simple, breaking the compliance process down into simple elements.

Foreign Nationals under ITAR

Another area that companies may not understand is where and when a foreign national is allowed to be involved on defense technology development.

If they become U.S. citizens or permanent residents, they are no longer foreign nationals and no license is required to work on unclassified military projects. But even if they are not a citizen or permanent resident, it is fairly easy to get a license to work on unclassified programs. However, if they fall under the list of proscribed nations, they will not get a license. This list does change from time to time depending on U.S. policy and politics, so companies need to monitor it. Countries such as China (for defense) and Iran (more broadly), however, will probably not be coming off the lists any time soon.

Dual-Use

One ITAR compliance issue that can range from black and white to extreme shades of gray is the concept of dual-use when a technology is used for commercial and military applications. Many dual use cases are very simple. Missiles, for example, are on the U.S munitions list. A laptop computer for commercial applications, moreover, typically falls under dual use and is not a problem. Where it can be confusing is when an integrated circuit designed for commercial applications is modified for an ITAR-controlled application. Here, the company will have to ensure it does not need a license; the company should not assume the IC is okay because it was originally a commercial product.

A Compliance Officer at the DDTC (Directorate of Defense Trade Compliance) several years ago stated, “If you make bolts and they are used to build bridges they are commercial. If you make these same bolts and they are a specific length to hold the wings up on an F-16 Fighter, they are defense related and ITAR Restricted.”

If the intent was to design a particular product for the commercial market, but it ends up unchanged in a military program, it typically will fall under dual-use and not ITAR. Companies must monitor the CCL (Commerce Control List) as some commercial integrated circuits are subject to high-level Commerce controls. Service companies who make small fabricated metal parts or apply mil-spec paint for military programs are also subject to DDTC registration and required to have an ITAR Compliance Program.

Do Not Go It Alone

Some ITAR compliance issues need to be addressed by attorneys, while others, can be successfully addressed with consultants at a lower cost to help develop procedures and internally train employees to handle their export compliance. Arcadier and Associates, P.A. has partnered with CVG Strategy (cvgstrategy.com) who are a consulting firm experienced and capable to address the consulting aspects of ITAR compliance including regulations, such as the safety control or quality assurance manager.

Companies also need to hire law firms to advise them on key strategic issues, such as voluntary disclosures and commodity jurisdiction issues, and legal opinion letters. Arcadier and Associates is here to help in that regard. We can provide proper guidance and help keep you, the company, and its owners to resolve issues

Leadership

Leadership and management support are very important to the success of a Company’s ITAR Policy implementation. Senior Management must have a daily focus to provide leadership for the company to be compliant, without it the program will likely fail.

ITAR Violations and Penalties

When a small company makes an ITAR violation, it does not typically make a ripple in the news industry. However, over the years, there have been a few cases that grabbed the world’s attention.

Export compliance made headlines in 2003 when Loral Space & Communications Corp., Boeing, and Hughes Electronics allegedly provided satellite launch rocket integration and failure analysis services in China during the 1990s. Boeing acquired Hughes in the interim. The problem was that the satellites themselves were commercial but the launch vehicles were defense items and fell under the ITAR. The process of integrating the satellites with the launch vehicles and determining the causes of launch failure subjected the services to the ITAR. In reaction to these investigations, Congress placed virtually all commercial satellites and space equipment under ITAR controls.

In 2009 Boeing was ordered to pay $15,000,000 for violations of the ITAR with respect to the unauthorized export of the QRS-11 quartz rate sensor, a defense article. A company the size of Boeing has a full-blown ITAR Compliance Policy and constant training and re-training programs for its employees, yet they still have problems. They have continued to make expensive mistakes as they have suffered an ITAR Compliance problem, according to the DDTC website, every other year since 9/11.

The most high profile of fines hit ITT. In 2007 ITT was charged with illegally transferring classified and export-controlled night-vision technology to foreign countries. Managers had to plead guilty to two felony charges and the company had to pay $100 million in fines and forfeitures, a $20 million fine to the Department of State (DOS), $2 million statutory fine as part of the guilty plea; $28 million forfeiture to the U.S. government some of which will be shared with state, local, and federal law enforcement agencies for their work during this investigation.

In 2008 the Department of State charged Lockheed Martin with violations of the Arms Export Control Act and the ITAR for providing classified and unclassified technical data related to the sales of Hellfire missiles to the United Arab Emirates in 2003 through 2004. Lockheed Martin officials had thought that “because the UAE already possessed inventory of the missiles an export license to export the associated technical data (i.e., performance specifications) must have already been in place.” According to the State Department Order document, Lockheed Martin had to pay a civil fine of $4 million and provide full disclosure to the DOS.

Solution

Any company that provides contracted products or services that are for the US Military are likely going to be considered by the DDTC as subject to the ITAR.

Here are the options:

1. Ignore the problem, hope to not get caught and face large fines and possible imprisonment.
2. Create an ITAR Compliance Officer position and hire an external expert to fill the role or send existing staff to outside training. Then wait while they create and implement an ITAR Compliance Program.
3. Hire a consultant and/or law firm who will both educate the company, create the program and advice on legal issues.

An ITAR Compliance Program (ICP) is a comprehensive written system to assist a company in complying with the International Traffic in Arms Regulations (ITAR). An ICP should provide an organized, integrated operating system that: (1) ensures compliance with U.S. export control laws and regulations; (2) manages military item / export-related questions, decisions and transactions; (3) provides a streamlined management structure for processing customer transactions in a transparent and accountable manner; and (4) protects the company from penalties.

The establishment of an ICP can greatly reduce the risk of involuntarily exporting of technical information or products to an unauthorized party or for an unauthorized end-use. However, having an ICP, by itself, will not relieve a company of criminal and administrative liability under the law if a violation occurs.

CVG Strategy can assist in the development and implementation of an ICP to allow clients to engage in compliant and protected transfer of goods and information confident that they are in compliance with the laws with regard to ITAR / EAR rules and regulations.