ITAR Compliance Checklist
Has the company properly determined if its products being exported are on the U.S. Munitions List (“USML”) and subject to ITAR?
Has the company determined the proper classification for the product under the Export Administration Regulations (“EAR”)?
This could be under the 600 Series on the Commerce Control List (“CCL”) under Export Control Reform, under another CCL category or EAR99. If the company is not certain of the jurisdiction of a particular product it can submit a commodity jurisdiction request to DDTC.
Are any items listed as “Significant Military Equipment” and therefore subject to heightened ITAR requirements?
Has the company checked to see if jurisdiction for the item has been transferred to the Bureau of Industry and Security (“BIS”) under Export Control Reform?
Has the company maintained adequate records of the basis of its classification for each of its products?
Has the company complied with the ITAR recordkeeping requirements as set forth at 22 CFR § 122.5?
Is an export license required for a transaction?
If the shipment is to foreign subsidiaries or foreign offices of the company, an export license must still be obtained unless an exemption applies.
If an export license is required for a transaction, has the company obtained the license (e.g. DSP-5, DSP-6, DSP- 73, DSP-74)?
Has the company complied with the terms, conditions, and provisos set forth in the license?
Has the company disclosed ITAR-controlled technical data to Foreign Persons in the U.S. (including to employees) with a license or applicable exemption?
Has the company transferred technical data regarding ITAR-controlled items with a license or applicable exemption to 1) Foreign sales agents or marketing intermediaries; 2) Foreign prospective customers as part of marketing proposals; 3) Prime or subcontractors, suppliers, program partners; and 4) Persons in trade shows, marketing presentations?
Has the company transferred ITAR-controlled technical data to company employees who are Foreign Persons specifically authorized in the company’s Technical Assistance Agreements or other DDTC authorizations? (This includes in both foreign offices and in U.S. offices.)
Have company employees taken ITAR-controlled technical data in overseas travel, including in documents, laptop computers, PDA’s, iPhones, iPads and similar devices with a license?
Employees should avoid taking defense articles and ITAR-controlled technical data and software in foreign travel on laptops, iPhones, iPads, other PDA’s, flash drives and other devices unless a license is obtained or an exemption is available.
Has the company NOT posted ITAR-controlled technical data or software on websites, chat rooms or transferred such items to Foreign Persons through e-mails, text messages, e-mail attachments, faxes, videos, telephone calls or other electronic communications?
Has the company performed any services for Foreign Persons related to any items on the USML, or items within the definition of Defense Services, with a Technical Assistance Agreement (“TAA”) or other applicable agreement approved by DDTC? (This includes services performed in the U.S. and overseas.)
Were the services performed by the company within the terms, conditions, and provisos of such agreement?
Has the company performed services for a foreign military organization or foreign defense industry company in connection with an item regulated under the EAR?
Will the company be performing services for foreign military customers in connection with the sale of items subject to EAR?
Such transactions involve a heightened level of risk for possible ITAR violations due to possibility that the company could also be performing defense services regulated under ITAR and companies should use an extra level of caution in such transactions.
Has the company imported any items on the USML in temporary import transactions or on the USML in permanent import transactions with a license?
Were all aspects of the import transaction within the terms, conditions, and provisos of such license?
Is the company registered with DDTC as a manufacturer and/or an exporter?
Has the company notified DDTC within 5 days of changes of the information set forth in its Registration Statement?
Does the company engage in brokering activities that require the company to register as a broker?
Has the company conducted reviews of all parties to its transactions involving ITAR-controlled items to verify that such parties are not listed on DDTC’s Debarred Parties List?
Has the company complied with the export procedures for its exports of ITAR-controlled hardware?
* Depositing license (DSP-5’s, etc.) and license documentation with Customs and Border Protection (“CBP”) at U.S. port of export
* Decrementing licenses based upon the value of each export transaction
* Electronic filing of export information under the Automated Export System (“AES”)
* Applying destination control statement to documents under 22 CFR § 123.9(b)
* Obtaining required documentation including End-Use Statements, DSP-83 Nontransfer and Use Statements (if required), etc.
Has the company complied with the export procedures for exports of ITAR-controlled unclassified technical data?
* Retaining export license document in company’s possession
* Notifying DDTC of the export under 22 C.F.R. § 123.22(b)(3) (Form DS-4071)
* Obtaining required export documentation (Form DSP-83, etc.)
Has the company complied with the export procedures for the performance of Defense Services?
* DDTC approves TAA or other agreement
* Foreign recipient executes TAA
* Fully executed TAA is submitted to DDTC within 30 days after it enters into force
* If agreement not executed within one year of approval, notify DDTC in writing
* Inform DDTC of initiation of export of technical data under 22 C.F.R. § 123.22(b)(3) (Form DS-4071)
* Advise DDTC in writing if the agreement is not concluded
* Advise DDTC of impending termination of TAA not less than 30 days prior to termination
If an ITAR-controlled item was properly exported (including ITAR-controlled technical data), was proper authorization obtained for reexports or retransfers of such items?
Has the company followed the requirements for the proper administration of licenses and agreements?
Examples of such requirements include:
* Returning expended, expired or unused licenses to DDTC
* Modifying TAA’s and other agreements in accordance with DDTC provisos
* Executing TAA’s and providing copies to DDTC
* Amending agreements as required due to changes such as scope, value, parties, etc. and submitting amended agreements to DDTC
* Maintaining temporary export and import licenses and related shipment records
* Filing annual reports under Manufacturing License Agreements and Distribution Agreements
Has the company exported, reexported or retransferred an item that incorporates ITAR-controlled parts, components, attachments or accessories or is based upon ITAR-controlled technical data?
If an item contains a part or component that is ITAR-controlled, under the DDTC “See-Through Rule” the entire end-item thereafter becomes subject to ITAR.
Has the company or its Vendors (as defined at 22 CFR § 130.8) paid or offered to pay sales fees or commissions in connection with the sale of ITAR-controlled items in excess of $100,000, or political contributions in excess of $5,000?
Determine if the company is required to file the requisite reports with DDTC and comply with the other requirements
under 22 CFR Part 130.
Does the company properly mark all ITAR-controlled products, technical data, and software within the company’s facilities to provide adequate notice that such items are ITAR-controlled?
Does the company provide adequate security within its facilities to prevent unauthorized access to ITAR-controlled items (including access by Foreign Persons)?
Does the company provide adequate notice to customers and other parties to which the company transfers ITAR-controlled items that such items are ITAR-controlled, through the use of destination control statements and other forms of notice such as under 22 CFR § 123.9(b)? (This includes transfers in the U.S. as well as transfers to overseas parties.)
Does the company track ITAR-controlled items if it receives them within its facilities?
Even if a company merely receives, processes, stores, or otherwise handles USML items without providing any other value-added functions, ITAR requirements will arise. Companies should review their supply chain operations and inventory to determine if ITAR-controlled items are received, stored or otherwise handled by the company in its operations and take protective measures including marking, securing and controlling such items.
Does the company maintain adequate controls in its information technology system to protect against unauthorized access, disclosure and transfer of ITAR-controlled technical data and software?
* Adequate security processes to limit access by Foreign Persons to ITAR-controlled technical data and software
* Procedures for prominently marking ITAR-controlled technical data and software such as in e-mails, attachments, Word documents, PowerPoint slides, spreadsheets, electronic drawings
* Limitations on the transfer and copying of ITAR-controlled technical data and software stored in the company’s IT system
Is the company licensing ITAR-controlled technical data to permit the manufacture overseas of an item on the USML?
The company will most likely be required to enter into a Manufacturing License Agreement (“MLA”) approved by DDTC unless an exemption applies. See 22 CFR Part 124.
Has the company operated within the terms and conditions set forth in such agreements?
Has the company filed its annual reports with DDTC related to operations under the MLA?
Has the company maintained records related to its manufacturing of ITAR-controlled products as required under the MLAs?
Is the Company establishing a warehouse or distribution point abroad for defense articles exported from the U.S. for subsequent distribution to entities in a sales territory approved by DDTC?
The Company will most likely be required to enter into a Distribution Agreement (“DA”) approved by DDTC unless an exemption applies. See 22 CFR Part 124.
Has the company operated within the terms and conditions set forth in such agreements?
Has the company filed its annual reports with DDTC related to operations under the DA?
Has the company maintained records related to its manufacturing of ITAR-controlled products as required under the DAs?
Has the company engaged in “brokering” activity as defined at 22 C.F.R. Part 129?
Has it registered as a broker with DDTC?
has it obtained the requisite licenses, filed its annual reports, and complied with the other requirements under 22 CFR Part 129?
If the company retains third parties to engage in “brokering activity” on behalf of the company as defined in § 129.2(a) and (b), have such third parties registered with DDTC under 22 CFR Part 129?
Has the company relied on exemptions from requirements under ITAR?
Has the company complied with all of the applicable conditions for use of such ITAR exemptions?
For example, in many instances use of exemptions under ITAR is not permitted in transactions:
(i) involving “proscribed destinations” set forth at 22 CFR § 126.1; (ii) for which
Congressional notification is required pursuant to 22 CFR §123.15; (iii) involving items
designated as Significant Military Equipment (See 22 CFR §120.7); (iv) involving persons
who are ineligible under 22 CFR § 120.1(c); (v) involving the establishment of offshore
procurement arrangements or producing defense articles offshore; and (vi) by parties that are
not registered with DDTC under 22 CFR Part 122. See 22 CFR §§123.16, 125.4, 125.6 and
Has the company maintained adequate records of its reliance on the exemptions in specific transactions as required under ITAR?
Has the company engaged in any unauthorized transactions involving ITAR-controlled items with any of the “§ 126.1 Proscribed Countries”?
The company is required to report such transactions to DDTC.
Special heightened restrictions exist under ITAR for transactions involving: (i) the “proscribed countries” set forth at 22 CFR 126.1, including China (and will be subject to a policy of denial for license applications); (ii) items that are designated on the U.S. Munitions List as “Significant Military Equipment” (See 22 CFR 120.7); (iii) Major Defense Equipment (See 22 CFR § 120.8); and (iv) classified technical data and services (See USML Category XVII – Note for classified technical data the company will be subject to requirements under ITAR as well as under NISPOM).
Is the company relying on the exemption for Foreign Military Sales transactions set forth at 22 CFR § 126.6 (c)?
Has the company complied with all of the conditions applicable to the use of such exemption?
The company will be required to obtain a license or other authorization from DDTC unless another exemption applies.
Have the company’s exports of classified defense articles and technical data complied with the provisions of 22 CFR § 125.3 and 125.9, including use of DSP-85, as well as the NISPOM?
Classified articles, technical data and defense services not otherwise enumerated are listed on the USML under Category XVII
Will the Company be working with subcontractors, teaming partners or other independent parties in the transaction?
The company should coordinate with such parties regarding ITAR compliance in performing the transaction. Prime contractors are advised to verify that subcontractors are conducting their operations involving the transaction in compliance with ITAR requirements, including complying with registration requirements, obtaining licenses and TAA’s, reporting and recordkeeping requirements.
Has Congressional Notification been provided in connection with exports of defense articles that exceed the threshold amounts set forth at 22 CFR § 123.15, or major defense equipment as defined at 22 CFR § 120.8?
Has Congressional Notification been provided for TAA’s and MLA’s for manufacturing abroad defense items classified as Significant Military Equipment as set forth in 22 CFR § 124.11?
For parts, components, attachments, and accessories that are still covered under USML “catch-all” provisions following Export Control Reform, do such items fall within the definition of “Specially Designed” as set forth at 22 CFR § 120.41?
Is the company undertaking acquisition transactions?
A common entry point for ITAR-controlled items into a company is through mergers and acquisitions. If a company acquires another company and the target company has items in its possession that are on the USML (including in the form of finished products, parts and components, research and development, inventory, or other items elsewhere in its supply chain), upon consummation of the acquisition the acquiring company will own the USML items and be subject to ITAR controls. This can occur regardless of whether the acquisition is structured as the purchase of stock, purchase of assets or merger. (In addition, if the target company has committed ITAR violations prior to the acquisition, the acquiring company could step into the target company’s shoes and become liable for such violations if proper precautions are not taken.)
Conduct detailed ITAR due diligence review of the target company prior to the acquisition to ascertain if there will be any impact on the acquirer related to ITAR following the completion of the acquisition transaction.
Does the company face the risk of illegal diversion, transshipment, reexport or retransfer in its transactions?
A U.S. exporter should lawfully export an item to a foreign party, and the foreign party without the knowledge of the U.S. exporter will then transfer the item to a prohibited country, prohibited party or use it for a prohibited or unauthorized end-use. (In certain instances, U.S. exporters can have liability in such transactions for violations under U.S. export control laws.) The company should consider adopting a compliance procedure to reduce the risk of illegal diversion, transshipment, reexport or retransfer.
If a violation or possible violation has occurred, has the company considered submitting a voluntary disclosure to DDTC to reduce or mitigate potential penalties and eliminate past compliance risks?
Penalties for ITAR violations include up to 20 years imprisonment and financial fines of up to $1,000,000 per violation for criminal violations, and lesser amounts for civil violations.