Embed Size (px)
Citation preview
NCMA WorkshopNCMA Workshop
International Traffic and Arms International Traffic and Arms Regulations (ITAR)Regulations (ITAR)
What you need to know!What you need to know!Natascha FinnertyNatascha Finnerty
DL Exports InternationalDL Exports International
[email protected]@comcast.net978 368-7940978 368-7940
What We’ll Cover• When and Where ITAR Applies• Controlled Items, Activities, and
Countries• Security Concerns w/Foreign
Employees• Building an Effective Technology
Control Plan (TCP)
ITAR Applies to
• Your Company, • Your Customers, AND
• Your Employees
RECENT TRENDSRECENT TRENDS
• DFAR requires DOD to state if a contract is “ITAR controlled”
• Partners and customers are asking if companies are ITAR registered
• Contracts for SBIRs state that “technology must be transferred only to US persons”
• Larger fines imposed for ITAR errors – ITT $100M
TRUTHS ABOUT TRUTHS ABOUT EXPORT REGULATIONSEXPORT REGULATIONS
• Directly linked to international events
• Not taught in most business curriculums or by managers
• They are always changing
• You love’em or hate’em
TODAY, THERE ARE SEVERAL TODAY, THERE ARE SEVERAL REASONS FOR EXPORT CONTROLSREASONS FOR EXPORT CONTROLS
• To prevent the increase of military strength of an adversary
• To further foreign policy objectives
• To protect scarce resources• To implement international
arms/weapons bans
EXPORT CONTROLS ARE EXPORT CONTROLS ARE IMPORTANT TO IMPORTANT TO
EXPORTERSEXPORTERS• Reach of U.S. Export Controls is
broad. Large % of business is military-COTS
• Violations can cause you to lose your government contracts
• There are Global Alliances to that we must comply with
GLOBALGLOBALCONTROL REGIMESCONTROL REGIMES
GLOBAL COMPLIANCE ISSUES THAT AFFECT
EXPORTERS
Companies must Comply with Requirements of the New International
Alliances that Regulate Trade
AustraliaGroup
MissileTech Control
Regime
Wassenaar
Arrang
NuclearSupplierGroup
NATO
MOD
CONSEQUENCES OF FAILURE TO COMPLY– Penalties – Negative publicity– Loss of Government
contracts, other business
EXPORTING COMPANIES EXPORTING COMPANIES ARE EXPECTED TO HAVE ARE EXPECTED TO HAVE AN EXPORT COMPLIANCE AN EXPORT COMPLIANCE
PROGRAMPROGRAM
Goals:• Protect against violations• Control exports and
transfers effectively and efficiently
• Ensure systematic approach
COMPANIES MUST SHOW COMPANIES MUST SHOW DUE DILIGENCE FROM THE DUE DILIGENCE FROM THE FIRST EMAIL OR TELECOMFIRST EMAIL OR TELECOM
• Licenses can be required to submit a proposal to a foreign party
• Licenses can be required to provide detailed technical information to a foreign person
• Persons of some countries cannot even get a license!!!
The US Government controls The US Government controls the export of goods, the export of goods,
software and technologysoftware and technology
EVEN In the US ! through the control of-specific items, and -specific activities.-Either as Dual-use or Military. It can be a fuzzy line!
WHAT’S AN “EXPORT” OR WHAT’S AN “EXPORT” OR REEXPORT?REEXPORT?
• Ship/send/transmit items on the USML or CCL from U.S. to foreign country
• Transferring ownership of a vessel, aircraft or satellite to foreign company
• Ship/send/transmit U.S. items from one foreign consignee or country to another
• Disclosing by any means to a foreign person in the US
• Ship foreign items with U.S. content from one foreign country to another
AND …
MORE “EXPORTS”MORE “EXPORTS”
• Release of tech data to a foreign national
• Participation in proliferation (nuclear, chemical/biological weapons or missiles)
• Dealings with Restricted Parties (TDO/SDNs, debarred list, others)
• Transactions involving Embargoed countries
SOME ACTIVITIES ARE SOME ACTIVITIES ARE OUTSIDE EXPORT REGSOUTSIDE EXPORT REGS
Transfer of “Publicly Available”(Public Domain) information
– Brochures– Technical information provided
freely (even to competitors) at no charge
– Fundamental Research– Information in Libraries, newsstands– Patents
Law and the Regulations
HOW THE GOVERNMENT CONTROL THE TRANSFER OF MILITARY DATA, ITEMS AND SERVICES
Arms Export Control ActArms Export Control Act22 U.S.C 2778 TRADING WITH THE ENEMY ACT22 U.S.C 2778 TRADING WITH THE ENEMY ACT
• Controls Imports and Exports of Defense Articles and Services
• Broad authority to approve, deny, suspend, revoke and halt shipments from US ports
• Mandates registration and licensing
• Requires monitoring and reporting of fees, contributions and commissions
ITAR AND EAR
The International Traffic and Arms Regulations (ITAR)-Military Items
Export Administration Regulations (EAR)-Commercial Items
YOU NEED TO YOU NEED TO UNDERSTAND THE SCOPE!UNDERSTAND THE SCOPE!
• CONTROLLED ITEMS
AND
• ACTIVITIES
CONTROLLED ITEMSCONTROLLED ITEMS
• US Munitions List (USML)
• Commerce Control List (CCL)
ITAR govern munitions items, related tech data and services:– Items designed, configured or adapted
for military use– Items that meet listed parameters
(radiation resistance, TEMPEST)– Predominant military Use– Classified items and technical data– Defense services
ITAR CONTROLSITAR CONTROLS
US ML PART 121US ML PART 121
21 categories, from firearms to major weapons systems
I – FirearmsIII – AmmunitionIV – Launch Vehicles, Guided MissilesVII – Aircraft and associated equipmentX – Protective Personnel EquipmentXI – Military ElectronicsXV – Spacecraft and Associated EquipmentXVII Classified Articles, Tech Data and
Defense Services - catch all
LISTSLISTS
USML• Broad categories• Specially designed for
military catches lots of things
• Must apply for a COMMONITY JURISTRICTION (CJ) to get off the list
• Need a license for all destinations
• China is proscribed
USML vs. CCLUSML vs. CCL
USML 22 categories• Item, components, technology
CCL• 10 categories• Item, production, material,
software, technology
CCLCCL
• Technical parameters that the item must meet
• Must be high level item
• Many license exceptions to Regime members
4A003 4A994EAR99
DEVELOP A DEVELOP A PRODUCT MATRIXPRODUCT MATRIX
Communicate to • Project Managers• HR• Sales• ShippingMake it part of your PN or
contract process and program a flag
• ECCN/Cat No.• Origin• Schedule B
KNOW THE PROSCRIBED COUNTRIES
KNOW THE PROSCRIBED KNOW THE PROSCRIBED COUNTRIESCOUNTRIES
126.1 Embargoed UN Embargoes Terrorism RestrictionsBelarus AfghanistanCuba Cuba Cyprus Burma Iran Congo (DR)ChinaEritrea North Korea FijiIran Sudan IndonesiaHaiti Syria Iraq
Ivory CoastLiberia Lebanon North Korea LibyaSomalia PalestineSyria ThailandSudan YemenVenezuela Zimbabwe
BEST PRACTICE – limit the ability to book orders or hire individuals from these countries in your system
UNDER THE ITAR – UNDER THE ITAR – ALL COMPANIES MUSTALL COMPANIES MUST
• Register (PART 122)– as a manufacturer, exporter and/or
broker
• Select Empowered Official (s) – by letter
KNOW THE KNOW THE REDRED FLAGS! FLAGS!
• Customer is little known• Customer is evasive about end-user
or end-destination• Customer knows little about the
product but wants it anyway• Customer asks for out-of-the-way
delivery routing• Customer is willing to pay cashYou cannot act with knowledge of
a violation or provide advice on how to evade the regulations!
Security Concerns Security Concerns w/Foreign Employeesw/Foreign Employees
Employing/Contracting Employing/Contracting Foreign NationalsForeign Nationals
“non U.S. Persons”
“OK, folks, today we tour the highly classified, top secret areas of our Defense Department.”
ITAR HINTITAR HINT
• "Prior approval to use Non-U.S. Citizens to perform on this contract, at either the prime or sub-contract level, must be obtained from the Contracting Officer. If approval is granted, such approval does not grant an exception to U.S. export law (s) and the contractor is responsible for obtaining necessary export licenses."
WHAT IS AWHAT IS A TECHNICAL DATA TECHNICAL DATA
EXPORT (RELEASE)?EXPORT (RELEASE)?• Ship IC designs to foreign country• Hire foreign engineers• Plant tour for foreign nationals• Foreign access to host computer• Transfer data/software over the
Internet• Phone, FAX, & E-mail • Co-development project with
foreign partner • Train foreign nationals
DEFENSE SERVICESDEFENSE SERVICES
• Assistance to foreign persons in activities involving defense articles:– design, development, engineering– testing, manufacturing,
production, assembly– repair, maintenance, modification– operation – demilitarization, destruction
• Provision of ITAR-controlled tech data to foreign persons
TECHNOLOGY TRANSFERS TO TECHNOLOGY TRANSFERS TO FOREIGN NATIONALSFOREIGN NATIONALS
• Foreign nationals = all EXCEPT– U.S. Citizens– U.S. Permanent Residents – Persons granted refugee status or
asylum in the U.S.• If the tech data are controlled to the home
country AND no License Exception is available, obtain a license
• Considered an ITAR “deemed export”• Applies to interns, contract employees, others,
anyone who sees ITAR data
IF YOU GOTTA HAVE IF YOU GOTTA HAVE HIM/HER ON A PROJECT!HIM/HER ON A PROJECT!
• Is it an ITAR (DSP-5 or TAA) or BIS license?In either case
– Letter of explanation, – Resume– Statement of Work– Passport documents– EAR - Transfer of technology to foreign national per 732.2(b)(ii)– FBI template– End-user – provide immigration status.– End-use -
Expiration date tied to H-IB VisaCan be renewed – automatic 6-month extension if renewal
is received 45 days prior. Include the previous license number on all applications
Company PolicyCompany Policyand ITAR NDAand ITAR NDA
• Statement from Senior Management on importance of TCP
• Employee responsibilities• Part of Hiring Process• Need to demonstrate
management commitment
ITAR TECHNICAL DATAITAR TECHNICAL DATA
• Information for design, development, production, assembly, manufacture, use of defense article
• Classified technical information• Basic marketing info excluded• “Public domain” material
excluded
?
A Day in the Life of an A&D Engineer (without export control A Day in the Life of an A&D Engineer (without export control solution)solution)
ITAR ProjectFile Server
Mixed UseServer
Non-US Engineer
1
2
345
6
Web or CollaborationPortal
Non-US Partner
CommercialProject
US EngineerUS Engineer
Non-US Admin
US Engineer
OverseasRemote
Weak access or flow control
Lack of Informationbarriers
Transfers not matched to licenses
Transfers overunapproved channels
Commercial productcontamination
Uncontrolled mobiledata export
2
345
6
A Day in the Life of an A&D Engineer (with export control A Day in the Life of an A&D Engineer (with export control solution)solution)
ITAR ProjectFile Server
Mixed UseServer
1
Non-US Engineer
Web or CollaborationPortal
CommercialProject
US EngineerUS Engineer
?Non-US Admin
US Engineer
OverseasRemote
Non-US Partner
Controlled Access and Flow
Information Barriers
Transfers matched, logged, accountable reporting
Controlled TransfersApproved Channels
Non-contamination
Data Export Controlfor Mobile
Nextlabs Solution
Export Control for Technical Data OverviewExport Control for Technical Data Overview
US persons authorized to access ITAR project
information
US persons and non-US persons not authorized to access ITAR project
information
Deny/Limit
ITARTechnical Data
Technical Data
Approve
Approve/Deny Shipment of Goods
and Information
Export Control forTechnical Data
IdentityManagement
Export Licenses,SPL, Embargo List
AuditLog
Import/Export Control
Physical GoodsDefense Articles and
Third Party Supply Chain
US DoD images
NextLabs Products
Technical Data Policy Enforcement
`
Secure Dropbox (FTP)
Email / Instant Messaging
CollaborationPDM / SCMFile Server
Design WorkstationLaptopsMobile Users
`
Partner SystemsBatch
Compliant Enterprise
Policy Audit Data
Identity Management
ITAR Access Provisioning
Export Project Assignment
Information Export SolutionInformation Export Solution
ITAR / EAR Policy Library
Technical Data Activity Journal
Tech Data PolicyManagement
Export ProjectManagement
Export Audit Reporting
Export License Mgmt
Import/Export Control
Tech Data Export
Export License Mgmt
License, Embargo, SPL,
Information Export Control
Composite Application
ITAR/EARProject Mgmt
Technical DataPolicy Mgmt
Technical DataExport
Export LicenseRequest Mgmt
FACILITIES FACILITIES CONTROLSCONTROLS
• Control access to ITAR development and manufacturing areas
• Procedures – clean desk, locked storage
• Separate areas for ITAR meetings
• Different Badges for foreign persons/visitors
• Sign In and provide status of person - US?
HR ControlsHR Controls
• Deemed exports license for new engineers that are not permanent residents
• Unique badges for FN• Notices to employees
about non-disclosure to foreign employees, contractors, vendors
• Training in rules
NISPOM IS ControlsNISPOM IS Controls
• Chapter 8 • Need to address - Administrative,
operational, physical, computer, communications, and personal controls
• Appointment of a IS Security Officer
• Certification and Accreditation• Regular Auditing of procedures
System ManagementSystem Management• Handling, controlling, removing,
destroying of backup media. • Control over devices containing ITAR
data• Implementation of authentication
procedures– Including laptops, PDA’s, removable devices– Privileged and “super users”– Protection of passwords
• Tracking of who examines HW and SW • Don’t forget IT maintenance personnel • Physical Security
ReferencesReferences
• Nunn-Wolfowitz Best practices
• SIA: Compliance Insiders – Toolkit for Internal Compliance www.si.ed.org
• DL Exports Intl www.dlexports.com
