Guidelines for ITAR Compliance and Sharing Your Technical Data
Help ensure your company's information is ITAR compliant!
ITAR Requirements: The Consequences of Non-Compliance
Is your company subject to ITAR (International Traffic in Arms Regulations)? Compliance with these ITAR requirements isn’t optional, and non-compliance could have serious, negative impacts on your company. To mitigate the risk of violating ITAR, you need to learn more about common violations, consequences for those violations, and what to do when a violation occurs.
Who Should Comply with ITAR Requirements?
A basic rule of thumb is that if you work with any defense-related data, you should comply with ITAR guidelines. This includes government contractors like manufacturers and exporters, or any other company that works with the U.S. military or defense agencies.
The USML (United States Munitions List) outlines all items, services, and data protected by ITAR. Included in the USML is a list of 21 categories of data that must be protected. If your business deals with even a single type of data listed on the USML, you’re required to comply with ITAR.
Common ITAR Violations
If you’re not knowledgeable about ITAR requirements or careful with how you share data, you could violate ITAR guidelines. There are three ways that companies generally fail to comply with ITAR:
- Accidental Violations - While every company that is subject to ITAR requirements is responsible for knowing and following ITAR guidelines, accidental violations do happen. If you are unaware that your security measures aren’t strong enough, or perhaps your current measures have lapsed and are no longer up to ITAR standards, there’s a chance you’re unknowingly in violation. These types of ITAR violations generally result in a civil penalty, but often these penalties can be waived if the offending company follows an alternative disclosure program.
- A Knowing Failure to Comply with ITAR - In contrast to accidental violations, some companies knowingly violate ITAR regulations. Maybe they don’t want to invest in adequate data security measures or they don’t think they will face any consequences for non-compliance. Regardless of the reason for knowingly violating ITAR requirements, you could face serious consequences for doing so. These consequences could include criminal or civil penalties.
- Omissions of Facts - A final type of violation that many companies commit is omitting information that may be relevant to ITAR compliance. If you alter or leave out factual information when submitting ITAR reports or fail to report a violation altogether, you may face criminal or civil penalties.
The Consequences of Non-Compliance with ITAR
While we’ve mentioned civil and criminal penalties above, the level of consequence for ITAR violation is contingent upon the scope of the violation and your company’s level of negligence regarding the violation. Take a closer look at some of the consequences ITAR compliance violators could face.
Fines and Prison Time
While the threat of prison time may seem extreme for an ITAR compliance violation, it’s vital that you keep in mind the serious ramifications of an ITAR violation. You could be putting crucial government data at risk. Criminal penalties are most common for companies in which ITAR regulations were knowingly violated. These violators could face up to ten years in prison for their failure to protect ITAR data.
You could also lose a lot of money as a consequence of ITAR violations. Violators could be fined up to $1 million per violation. The Secretary of State could also choose to impose civil penalties up to $500,000. However, these civil penalties can be reduced if you take action to correct the violations.
Criminal penalties like prison time and the highest fines are generally reserved for those who knowingly violate ITAR regulations, as with the case of one University of Tennessee professor. This professor shared sensitive Air Force research material with foreign nationals, one of whom was his research assistant, even though he did not have an export license. This ITAR violation landed him in prison for 4 years.
Debarment or Loss of Export License
In addition to monetary loss, you could also lose your right to conduct business. One common consequence companies face when violating ITAR regulations is the loss of an export license. This license gives the holder the right to conduct business as a government contractor. If you violate ITAR requirements, you may demonstrate that your company is no longer fit to hold the export license and may have it removed.
You may also be placed on a federal debarred list, no longer permitted to win government contracts. In fact, the United States government debarred 186 people and entities in 2018 for conspiring to violate ITAR requirements. Losing your export license or being debarred could mean the end of your company.
If you have a long history of ITAR violations or you’re a recurring violator, you could be subject to annual audits. These audits would determine whether or not you are following ITAR procedures and policies, and they could identify any potential issues.
Non-compliance can put a negative cloud over your business. If you are found guilty of non-compliance with ITAR requirements, you will be forced to sign a Consent Agreement pledging to improve your processes, and your company will be placed on a public list. Potential partners and government agencies may not be interested in working with your organization if you have a history of ITAR violations. This could result in loss of business and a decrease in profits.
Increase in Employees
If your company fails to properly manage your compliance efforts and align with ITAR requirements, you may need to hire a special compliance officer (SCO) to ensure future compliance. This compliance officer will help you remedy areas of non-compliance, mitigating the risk of future violations.
How to Voluntarily Report Violations
If your organization has violated ITAR requirements or a data breach has occurred, you are required to voluntarily report these violations to the regulating body within 60 days of detection. In your violation report, you must include the following information:
- Who is responsible for the violation, what the violation entails, when and where the violation happened, and how the violation occurred
- Any prior violations or disclosures
- A timeline of the incident and a list of all actions that were taken to address the violation
Once you have drafted your violation report, you will send a hard copy of the report to either of these two addresses:
- Postal Mail:
PM/DDTC, SA-1, 12th Floor
Office of Defense Trade Controls Compliance
Directorate of Defense Trade Controls
Bureau of Political Military Affairs
U.S. Department of State
Washington, D.C. 20522-0112
- Express Mail and Couriers:
U.S. Department of State
PM/DDTC, SA-1, 12th Floor
2401 E Street, NW
Washington, D.C. 20037
The best way to avoid violating ITAR requirements when sharing pertinent data files with business partners is by adopting a secure file sharing solution. A top solution like GOVFTP from FTP Today will be compliant with government regulations, including ITAR. From the moment your organization adopts this solution, you will be in alignment with ITAR requirements. You can avoid the costly consequences of non-compliance and ensure your company’s reputation and revenue are protected for the future.
About Arvind Mistry
Arvind is Director of Compliance and Programs at FTP Today. He came to FTP Today with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such as Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.