here is an area of regulation that is of vital importance to government contracting firms – the ITAR. The ITAR – the International Traffic In Arms Regulations - are State Department controls that regulate the U.S. defense industry. Companies regulated under ITAR are subject to a number of broad requirements including registration requirements, restrictions on transfer of regulated software and technical data, restrictions on the performance of defense services for foreign parties, the requirement to obtain export licenses and recordkeeping requirements. Since violations can result in criminal liability for the company, including imprisonment for the company’s owners and employees, it is imperative for government contracting firms to have a clear understanding of this important area of the law.
A. Is My Company Subject To ITAR?
(1) Military Versus Commercial Products. The ITAR was developed originally to regulate military products and services. However, these controls also cover many products that are commercial in nature. Many of these items were developed originally for military purposes but have evolved into mainstream commercial products – in the electronics, navigation, computer security, maritime, aviation and other industries. Today it is often very difficult to determine if a product is subject to ITAR, and this presents a challenge for business executives. However it is important to understand this distinction, especially for firms that provide products and services to government customers, to avoid costly legal violations.
(2) Items Covered On The USML. At the core of the ITAR is a list of products called the U.S. Munitions List (“USML”). The USML contains a wide array of products as well as software, technical data and services. If a company’s product, software, technical data or services are identified on the list, the company is subject to the ITAR requirements.
The USML contains twenty-one broad categories of products, ranging from firearms and military vehicles to computers and communication equipment. As described above, the intent behind the regulations is to cover military products, however, over time the USML has expanded to cover many items that have become commercial in nature. Examples of items covered on the USML are:
- Electronic systems and computers designed, modified or configured for intelligence, security or military purposes;
- Military training services and equipment;
- Drone aircraft;
- Command, control and communications systems including radios (transceivers) and identification equipment;
- Navigation systems;
- Protective personnel equipment and shelters;
- Naval vessels and related equipment, parts, technologies and software;
- Underwater sound equipment;
- Flight control products, software and technologies;
- Satellites, launch vehicles and ground control equipment, including parts, technologies and software;
- Classified products, technical data and software;
- Anti-gravity and pressure suits, atmosphere diving suits;
- Body armor;
- Auxiliary military equipment.
A complete list of the 21 Categories covered on the USML is attached below in Exhibit A.
(3) Category XXI. One of the broadest categories on the USML is Category XXI, a broad catch-all which includes: any other product, software, service or technical data with substantial military capability that was designed, developed, configured, adapted or modified for a military purposes. This opens up the USML to a broad, open-ended range of products and services. Category XXI is an important provision for government contracting firms since, when a firm develops a product or service for a U.S. military customer, this often results in the product, technical data, software or service being on the USML and the company being subject to ITAR.
(4) Regulation of Technical Data and Software. The ITAR covers not just products, but software and technical data as well. If an item is listed on the USML, software required to run that item is typically also covered on the USML. Similarly, technical data related to the item is also usually listed on the USML. Technical data is defined to include information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of articles on the USML. If a company produces any of these items. it is subject to ITAR.
(5) Services. In addition, the ITAR covers defense services. If an item is listed on the USML, services related to such item for foreign parties are also covered on the USML and subject to ITAR. This includes services involving installation, design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles. In addition, providing military training to foreign defense forces as well as “military advice” to such parties are considered defense services subject to ITAR. Even if a company does not manufacture a product that is listed on the USML, if it performs services related to such product, the services may be covered under the USML and the company may be subject to ITAR. As of the writing of this memorandum, the State Department has promulgated a proposed regulation that, if adopted, would amend certain aspects of the regulation of defense services, including expanding exceptions from ITAR requirements for certain types of services. However, the major portion of the ITAR controls on defense services are expected to continue following the adoption of such regulation.
(6) Products and Technologies Developed From Government Research Funding. A key factor that the State Department considers in determining if a product should go on the USML is whether the product or technology was developed originally for military use. If a product, technology or software was developed originally using U.S. defense research funding, such as SBIR grants or other DOD research grants – State will often consider these to be military products and place the products and related technical data, software and services on the USML.
(7) ITAR’s Broad Reach. Clearly, the ITAR reaches into many corners of the business world and covers a broad range of activities: the many categories of the USML, the “catch-all” under USML Category XXI, software and technical data related to these items and services related to these items. There is a growing trend for the State Department to place an increasing number of products, software, services and technical data supplied to federal defense agencies on the USML, and within the reach of ITAR. Every government contracting firm should check the USML to determine if its products or services are set forth on the USML and, hence, subject to ITAR.
B. Obligations Under ITAR.
(1) Requirements For US Companies. If a company’s products, software, technical data or services are on the USML, ITAR imposes a number of requirements, and the company may become subject to one or more of the following:
- Registration - the company must register with the U.S. State Department, even if it does not export any of its products;
- Transfer of Technical Data And Software to Foreign Nationals – the company is prohibited from transferring software or technical data on the USML to foreign nationals, either in the US or abroad, without an export license;
- Defense Services – the company is prohibited from performing services for foreign parties related to items on the USML, either in the US or abroad, without obtaining a State Department authorization called a Technical Assistance Agreement (“TAA”);
- Export License – the company is prohibited from exporting products listed on the USML without obtaining an export license;
- Temporary Imports – The company is prohibited from importing defense items listed on the U.S. Munitions List in temporary import transactions without obtaining a temporary import license;
- Recordkeeping Requirement – the company is required to maintain records in accordance with the ITAR recordkeeping requirements;
- Brokering – the company is prohibited from brokering the sale of defense items without complying with the DDTC brokering requirements;
- Reports For Payments of Sales Commission, Fees and Political Contributions – the company is subject to restrictions on the payment of sales commissions, fees and political contributions made in connection with defense transactions;
- Transactions With Debarred Parties – the company is prohibited from entering transactions subject to ITAR regulation with certain debarred parties identified on the State Department’s two Debarred Party Lists.
(2) More Than Just Exports. Many executives view ITAR as a part of the export control laws and assume that ITAR regulates only exports. However the ITAR regulations are far broader than just exports and regulate a wide variety of activities in purely domestic commercial activity, such as:
- The prohibition on the transfer of technical data or software subject to ITAR to foreign nationals in the United States;
- The prohibition of the performance of defense services for foreign parties in the United States;
- The requirement for U.S. companies to register with the State Department as munitions manufacturers, even if they do not export any products;
- The requirement to comply with ITAR recordkeeping requirements;
- The requirement to obtain import authorization for the import of defense items;
- The prohibition of the transfer of USML products to representatives of foreign governments and military organizations (including NATO, the United Nations, etc.) in the United States.
(3) Even Just In Contracts For U.S. Government Customers. The ITAR applies even if the company’s only customer is the US Government. If the company is exporting products to DOD customers overseas – the company may be required to obtain an export license or otherwise comply with the ITAR requirements depending on the facts of the transaction in question. Similarly, if in the performance of contracts for a US government agency a US company discloses technical data or software on the USML to a foreign party, or performs a service for a foreign party (including a foreign military organization such as NATO or a foreign country’s military agency), the US company may be required to obtain an export license or TAA.
C. Sanctions and Enforcement.
(1) Penalties. Sanctions for violations of ITAR include severe criminal and civil penalties. Penalties can include imprisonment of up to ten years and fines of up to $1,000,000 per violation. Criminal sanctions can be imposed on the company defendants as well as officers, directors and employees in their personal capacities.
Another penalty under ITAR is debarment – companies can be barred from selling products and services to the federal government. This can often be the most severe sanction of all for a government contracting firm. Other sanctions include denial of export privileges and seizure of goods being transferred in violation of ITAR requirements.
Finally, if sanctions are imposed, DDTC usually issues a press release announcing the violation and posts a notice on its website. This can often be another major penalty for the company – from press releases and website notices, a company’s employees, customers, shareholders, competitors all learn that the company has violated the law and has been subjected to sanctions.
D. Voluntary Disclosures – Clearing Up Past Violations.
If a company has violated ITAR requirements, there is a procedure available for companies to voluntarily disclose previous violations to the State Department, which often results in a reduction in penalties or no penalties being assessed against the company. In many cases this procedure provides an opportunity to “wipe the slate clean” of past violations if companies commit to improved compliance activities in future operations. This procedure, called “voluntary disclosures,” can be extremely valuable for government contracting firms in organizing their export compliance activities. However voluntary disclosures must be undertaken properly to be effective and to avoid compounding the legal liability for the company.
E. Compliance Strategy.
Due to the complexity of this area of the law, a company cannot simply rely on good intentions to avoid ITAR violations. If a company is subject to the ITAR requirements, what strategy should it adopt to reduce its legal risk and comply with this complex and dangerous area of the law? We recommend a three step strategy: (i) Classification; (ii) Application; and (iii) Compliance Program. These are applied as follows.
(1) Classification. Classification is the review of a company’s contracts and business activities to determine if they are subject to ITAR. This process involves a careful review of a company’s contracts, products, software, technical data and services and comparison to the categories of the USML. The time required for this process will vary depending on the size of the company and the complexity of its products and services, but this is a necessary first step for any serious compliance effort.
(2) Application. This step means that, if a product is subject to ITAR regulation and an export license or TAA is required, the company should apply for the requisite license or authorization necessary to pursue the transaction or identify appropriate exceptions that may be available under ITAR. This could mean:
- Applying for a Technical Assistance Agreement (“TAA”) for the performance of defense services for foreign parties;
- Applying for an export license on Form DSP-5 (or other application, as required) for the export of defense articles;
- Applying for export authorization for the disclosure to foreign nationals of technical data or software that is on the USML;
- Applying for the appropriate temporary import license for temporary imports of defense items;
- Registering with the State Department.
Applying for licenses or TAA’s is not an arduous process, and customers in the defense sector are used to dealing with these requirements.
(3) Compliance Program. The third, and arguably the most important, step in the compliance effort is the adoption of an ITAR compliance program. This involves the implementation of a formal company-wide management program for following ITAR requirements. This includes: (i) the appointment of a company employee to be in charge of ITAR compliance; (ii) establishing written policies and procedures for employees to follow in performing activities that are subject to ITAR; (iii) conducting training for key employees; (iv) adopting company procedures for the receipt, handling, storing and shipping of ITAR-controlled items; (v) adopting a procedure for dealing with foreign nationals; (vi) adopting an auditing procedure; and (vii) adopting a procedure for actions to be taken if a violation is discovered.
If a company is found to have an ITAR violation, prosecutors, enforcement agents and the courts will often reduce or “mitigate” penalties for companies that have adopted compliance programs.
Taken together, these three steps provide the formal structure and process for a company to undertake a serious effort to protect against ITAR violations. They also provide a firm foundation for a company’s defense in the event the company is subject to an ITAR investigation in the future.
F. Operations Under ITAR.
Selling products and services to government customers, especially in the defense industry, has become a global business. In order to remain competitive in this arena, a company must understand the rules that govern this business sector – it must incorporate the ITAR procedures into its business model.