Best Practices, Recommendations for Defense Trade Entities Outlined in State Dept. Report
The State Department’s Office of Defense Trade Controls Compliance recently issued a report on the 15 visits it conducted between May 2015 and April 2016 under its company visit program. The CVP is designed to allow DTCC to better understand defense trade control and compliance programs and assess and disseminate industry best practices, and it includes onsite visits to industry as an extension of outreach initiatives (CVP-O) and engagement in existing compliance cases (CVP-C). This report shares some company best practices and provides recommendations for improving compliance programs but does not include observations or recommendations identified through disclosures or other enforcement activities.
Best Practices. According to the report, DTCC noted the following best practices during its visits.
- requiring suppliers to complete a standardized form identifying the jurisdiction or classification of their products and related technical data (use of such a form may drive more companies to take an active role in identifying and documenting the export control jurisdiction of their products and also serves as a standardized tool for clear and consistent recordkeeping)
- integrating export control processes into company quality systems and reviews
- physically segregating research controlled under the International Traffic in Arms Regulations (including research using ITAR-controlled articles or technical data) at universities
- incorporating export compliance reviews into information technology systems that manage project lifecycles so that the workflow requires approval from the export compliance function prior to the bid/no-bid business decision
- requiring self-classifications to be reviewed and signed by engineering and technology managers of the cognizant business and a senior technology manager from a separate business unit serving as an independent peer reviewer
- using incentive programs, such as internal recognition and/or awards, to recognize employees for compliance activities
Improvements. DTCC also made the following observations and/or recommendations for improvement.
- U.S. companies may consider additional outreach and training on ITAR compliance for foreign partners and customers.
- Processes for identifying dual and third-country nationals should include a requirement to review the bona fide regular employee status.
- A U.S. applicant should consider including in contracts with foreign parties terms and conditions that ensure it has direct physical access to its U.S. person employees providing defense services so as to allow direct oversight of their compliance.
- To maintain objectivity, universities should ensure that internal, independent reviews are used to determine the ITAR-controlled status of current programs and future opportunities.
- Compliance personnel should identify and document all IT systems that store, or have the potential to store, ITAR-controlled technical data and a current record of who has access to these applications should be maintained.
DTCC Lessons Learned. According to the report, DTCC’s visits highlighted that with growing frequency U.S. persons are employed abroad to assist with maintenance, operation, and training related to U.S. defense articles acquired by foreign military forces. These activities by U.S. persons may constitute defense services that require registration and authorization. DTCC also found that former U.S. military personnel who will be working for foreign government-owned entities while carrying out such activities may not be aware, and that their would-be employers may also not be aware, of separate Defense Department employment authorization requirements applicable to these arrangements. The report therefore states that DTCC should consider increasing its outreach and training initiatives for foreign parties to ITAR authorizations.
Further, the report recommends that the State Department consider providing guidance specifying when a company would be expected to maintain access logs that can verify potential versus actual access to technical data.