International Traffic and Arms
Regulations (ITAR)
What you need to know!
Natascha Finnerty
DL Exports International dlexports@comcast.net
978 368-7940

• When and Where ITAR Applies
• Controlled Items, Activities, and
Countries
• Security Concerns w/Foreign
Employees
• Building an Effective Technology
Control Plan (TCP)

• Your Company,
• Your Customers, AND
• Your Employees

• DFAR requires DOD to state if a contract is “ITAR controlled”
• Partners and customers are asking if companies are ITAR registered
• Contracts for SBIRs state that
“technology must be transferred only to US persons”
• Larger fines imposed for ITAR errors –
ITT $100M

• Directly linked to international events
• Not taught in most business curriculums or by managers
• They are always changing
• You love’em or hate’em

TODAY, THERE ARE SEVERAL
REASONS FOR EXPORT CONTROLS
• To prevent the increase of military strength of an adversary
• To further foreign policy objectives
• To protect scarce resources
• To implement international arms/weapons bans

• Reach of U.S. Export Controls is broad. Large % of business is military-COTS
• Violations can cause you to lose your government contracts
• There are Global Alliances to that we must comply with

Companies must Comply with
Requirements of the New International
Alliances that Regulate Trade
Missile
Tech Control
Regime
NATO
MOD
Australia
Group
Wassenaar
Arrang
Nuclear
Supplier
Group

– Penalties
– Negative publicity
– Loss of Government contracts, other business

Goals:
• Protect against violations
• Control exports and transfers effectively and efficiently
• Ensure systematic approach

• Licenses can be required to submit a proposal to a foreign party
• Licenses can be required to provide detailed technical information to a foreign person
• Persons of some countries cannot even get a license!!!

EVEN In the US ! through the control of
-specific items, and
-specific activities.
-Either as Dual-use or
Military. It can be a fuzzy line!

• Ship/send/transmit items on the USML or CCL from U.S. to foreign country
• Transferring ownership of a vessel, aircraft or satellite to foreign company
• Ship/send/transmit U.S. items from one foreign consignee or country to another
• Disclosing by any means to a foreign person in the US
• Ship foreign items with U.S. content from one foreign country to another
AND …

• Release of tech data to a foreign national
• Participation in proliferation
(nuclear, chemical/biological weapons or missiles)
• Dealings with Restricted
Parties (TDO/SDNs, debarred list, others)
• Transactions involving
Embargoed countries

Transfer of “Publicly Available”
(Public Domain) information
– Brochures
– Technical information provided freely (even to competitors) at no charge
– Fundamental Research
– Information in Libraries, newsstands
– Patents

HOW THE GOVERNMENT
CONTROL THE TRANSFER OF
MILITARY DATA, ITEMS AND
SERVICES

22 U.S.C 2778 TRADING WITH THE ENEMY ACT
• Controls Imports and Exports of
Defense Articles and Services
• Broad authority to approve, deny, suspend, revoke and halt shipments from US ports
• Mandates registration and licensing
• Requires monitoring and reporting of fees, contributions and commissions

The International Traffic and
Arms Regulations (ITAR)-
Military Items
Export Administration
Regulations (EAR)-
Commercial Items

• CONTROLLED ITEMS
AND
• ACTIVITIES

• US Munitions List (USML)
• Commerce Control List
(CCL)

ITAR govern munitions items, related tech data and services:
– Items designed, configured or adapted for military use
– Items that meet listed parameters
(radiation resistance, TEMPEST)
– Predominant military Use
– Classified items and technical data
– Defense services

21 categories, from firearms to major weapons systems
I – Firearms
III – Ammunition
IV – Launch Vehicles, Guided Missiles
VII – Aircraft and associated equipment
X – Protective Personnel Equipment
XI – Military Electronics
XV – Spacecraft and Associated Equipment
XVII Classified Articles, Tech Data and
Defense Services - catch all

USML
• Broad categories
• Specially designed for military catches lots of things
• Must apply for a COMMONITY
JURISTRICTION (CJ) to get off the list
• Need a license for all destinations
• China is proscribed

USML
22 categories
• Item, components, technology
CCL
• 10 categories
• Item, production, material, software, technology

• Technical parameters that the item must meet
• Must be high level item
• Many license exceptions to
Regime members
4A003
4A994
EAR99

Communicate to
• Project Managers
• HR
• Sales
• Shipping
Make it part of your PN or contract process and program a flag
• ECCN/Cat No.
• Origin
• Schedule B

KNOW THE PROSCRIBED
COUNTRIES

126.1
Embargoed
UN Embargoes Terrorism
Belarus
Cuba
Burma
China
Eritrea
Iran
Haiti
Cuba
Iran
North Korea
Sudan
Syria
Liberia
North Korea
Somalia
Syria
Sudan
Venezuela
Restrictions
Afghanistan
Cyprus
Congo (DR)
Fiji
Indonesia
Iraq
Ivory Coast
Lebanon
Libya
Palestine
Thailand
Yemen
Zimbabwe
BEST PRACTICE – limit the ability to book orders or hire individuals from these countries in your system

• Register (PART 122)
– as a manufacturer, exporter and/or broker
• Select Empowered Official
(s)
– by letter

RED
• Customer is little known
• Customer is evasive about enduser or end-destination
• Customer knows little about the product but wants it anyway
• Customer asks for out-of-theway delivery routing
• Customer is willing to pay cash
You cannot act with knowledge of a violation or provide advice on how to evade the regulations!

Employing/Contracting
Foreign Nationals
“non U.S. Persons”

“OK, folks, today we tour the highly classified, top secret areas of our
Defense
Department.”

• "Prior approval to use Non-U.S.
Citizens to perform on this contract, at either the prime or sub-contract level, must be obtained from the
Contracting Officer. If approval is granted, such approval does not grant an exception to U.S. export law (s) and the contractor is responsible for obtaining necessary export licenses."

• Ship IC designs to foreign country
• Hire foreign engineers
• Plant tour for foreign nationals
• Foreign access to host computer
• Transfer data/software over the
Internet
• Phone, FAX, & E-mail
• Co-development project with foreign partner
• Train foreign nationals

• Assistance to foreign persons in activities involving defense articles:
– design, development, engineering
– testing, manufacturing, production, assembly
– repair, maintenance, modification
– operation
– demilitarization, destruction
• Provision of ITAR-controlled tech data to foreign persons

• Foreign nationals = all EXCEPT
– U.S. Citizens
– U.S. Permanent Residents
– Persons granted refugee status or asylum in the U.S.
• If the tech data are controlled to the home country AND no License Exception is available, obtain a license
• Considered an ITAR “deemed export”
• Applies to interns, contract employees, others, anyone who sees ITAR data

• Is it an ITAR (DSP-5 or TAA) or BIS license?
In either case
– Letter of explanation,
– Resume
– Statement of Work
– Passport documents
– EAR - Transfer of technology to foreign national per 732.2(b)(ii)
– FBI template
– End-user – provide immigration status.
– End-use -
Expiration date tied to H-IB Visa
Can be renewed – automatic 6-month extension if renewal is received 45 days prior. Include the previous license number on all applications

• Statement from Senior
Management on importance of TCP
• Employee responsibilities
• Part of Hiring Process
• Need to demonstrate management commitment

• Information for design, development, production, assembly, manufacture, use of defense article
• Classified technical information
• Basic marketing info excluded
• “Public domain” material excluded

A Day in the Life of an A&D Engineer (without export control solution)
US Engineer
US Engineer
Lack of Information barriers
1
ITAR Project
File Server
Mixed Use
Server
Weak access or flow control
2
Non-US
Engineer
Commercial
Project
Web or Collaboration
Portal
Commercial product contamination 5
Uncontrolled mobile data export 6
4
Transfers not matched to licenses
3
?
Non-US
Admin
Non-US
Transfers over Partner unapproved channels
Overseas
Remote
US Engineer

A Day in the Life of an A&D Engineer (with export control solution)
US Engineer
US Engineer Information Barriers
1
ITAR Project
File Server
Commercial
Project
Non-contamination
Nextlabs Solution
5
Data Export Control for Mobile 6
Mixed Use
Server
Controlled Access and
Flow
2
Non-US
Engineer
Web or Collaboration
Portal
Transfers matched, logged, accountable reporting
4 3
Non-US
Admin
Controlled Transfers
Non-US
Partner
Approved Channels
Overseas
Remote
US Engineer
?

Export Control for Technical Data Overview
Physical Goods
Defense Articles and
Third Party Supply Chain
Export Control for
Technical Data
Import/Export
Control Identity
Management
Export Licenses,
SPL, Embargo List
Technical Data
US persons authorized to access ITAR project information
Approve
ITAR
Technical Data
Audit
Log
US DoD images
Approve / Deny Shipment of Goods and Information
NextLabs Products
Deny /Limit
US persons and non-US persons not authorized to access ITAR project information

Information Export Solution
Information Export Control
Composite Application
ITAR/EAR
Project Mgmt
Management
Technical Data
Policy Mgmt
Management
Technical Data
Export
Export License
Export Audit Request Mgmt
Reporting Mgmt
Identity Management
ITAR Access Provisioning
Export Project Assignment
Compliant Enterprise
ITAR / EAR Policy Library
Technical Data Activity Journal
Policy
Audit Data
Import/Export Control
Export License Mgmt
License, Embargo, SPL,
Partner Systems
File Server PDM / SCM Collaboration Batch Secure Dropbox (FTP)
Laptops Design Workstation Email / Instant Messaging
Technical Data Policy Enforcement
Mobile Users

• Control access to ITAR development and manufacturing areas
• Procedures – clean desk, locked storage
• Separate areas for ITAR meetings
• Different Badges for foreign persons/visitors
• Sign In and provide status of person - US?

• Deemed exports license for new engineers that are not permanent residents
• Unique badges for FN
• Notices to employees about non-disclosure to foreign employees, contractors, vendors
• Training in rules

• Chapter 8
• Need to address -
Administrative, operational, physical, computer, communications, and personal controls
• Appointment of a IS Security
Officer
• Certification and Accreditation
• Regular Auditing of procedures

• Handling, controlling, removing, destroying of backup media.
• Control over devices containing ITAR data
• Implementation of authentication procedures
– Including laptops, PDA’s, removable devices
– Privileged and “super users”
– Protection of passwords
• Tracking of who examines HW and SW
• Don’t forget IT maintenance personnel
• Physical Security

• Nunn-Wolfowitz Best practices
• SIA: Compliance Insiders –
Toolkit for Internal
Compliance www.si.ed.org
• DL Exports Intl www.dlexports.com