Developing an ITAR-Compliant Program

Compliance requires a documented system, and there are numerous areas that need to be addressed.

If you want to do business in the defense industry you need to be ITAR (International Traffic in Arms Regulations) certified. It is expensive and some would say unnecessary, but it is the law and messing around with that law can be costly. The penalties for not registering with ITAR are severe. Violations of the rules can result in civil penalties of as much as $500,000 per violation, and criminal penalties including a $1 million fine per violation or 10 years imprisonment. Think it can’t happen to you? In May 2011, BAE Systems paid a $79 million fine for 2,591 violations. While BAE is a high profile case, hundreds of companies are fined thousands of dollars a year for minor violations.

What defines a defense article? Defense articles include: any item or technical data designated in the United States Munitions List; an item that has significant military or intelligence applicability; any modification for a military or defense purpose, no matter how minor; technical data can include information which is required for the design development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles.

Compliance requires a documented system, and there are numerous areas that need to be addressed. Here is a listing of the general topics that need to be covered.

Corporate commitment: A compliant ITAR program should clearly identify the corporate commitment to meeting and maintaining all ITAR guidelines. Specifically, a program should identify the persons responsible for overseeing the ITAR program, a directive from the senior company management describing the company commitment to ITAR compliance, and duties and authorities for key persons who maintain ITAR requirements.

Document control program: The program must address the identification, receipt and tracking of ITAR controlled items/technical data. The program should include controls over access, electronic communication, storage, disposal and communication of information/products to outside sources.

Human resource program: Training and hiring practices need to be clearly defined as they relate to ITAR controlled items. Your program must clearly define controls over hiring (U.S. citizens vs. foreign nationals), citizenship verification, training on specific ITAR guidelines and employee responsibilities relating to ITAR controlled items.

Internal audit program: Once an ITAR program is developed, an internal audit process needs to be established to monitor the implementation and effectiveness of the program. The program should include areas such as auditor training, documentation of audit results, yearly schedules of audit activities and actions to be taken if violations are noted.

Vendor control program: You may have suppliers/subcontractors involved in the processing of ITAR controlled items. Are you using suppliers/subcontractors who are capable of following ITAR guidelines? You should maintain a responsibility to ensure these guidelines are understood and followed. Your program should ensure suppliers/subcontractors understand their responsibilities relating to ITAR controlled items, including their responsibility to limit access to controlled information, how is controlled information transmitted to the supplier/subcontractor and how will controlled information be returned/disposed after the contract is complete.

Work environment control program: Limiting access to ITAR controlled items is a required part of any documented program. Your program should include controls over visitors/subcontractors who may have access to controlled items, secured access points to your facility, controls over recording devices (for example, cell phones, cameras) and secured storage areas for controlled items.

Record maintenance program: Documents define an activity; records are the evidence the activity took place. Your record control program should include retention periods, secured storage areas, controls and back-ups for electronic records and storage of records on personal computers.