diff --git a/backend/library/libraries/itar compliance program guidelines.yaml b/backend/library/libraries/itar compliance program guidelines.yaml new file mode 100644 index 000000000..f1b3ed0b7 --- /dev/null +++ b/backend/library/libraries/itar compliance program guidelines.yaml 
@@ -0,0 +1,5862 @@ +urn: urn:intuitem:risk:library:itar-compliance-program-guidelines +locale: en +ref_id: ITAR-Compliance-Program-Guidelines +name: ITAR Compliance Program Guidelines +description: "The guidelines contained in this document are intended to provide an\ + \ overview of an effective compliance program and an introduction to defense trade\ + \ controls, including information on the laws and regulations the U.S. Department\ + \ of State, Bureau of Political-Military Affairs, Directorate of Defense Trade Controls\ + \ (DDTC), administers. These defense trade controls are contained in the Arms Export\ + \ Control Act (AECA) (22 U.S.C. \xA7 2751 et seq.) as amended, and the International\ + \ Traffic in Arms Regulations (ITAR), Title 22 of the Code of Federal Regulations\ + \ in parts 120-130, both of which are authoritative on defense trade controls. \n\ + version 09/15/2023\nLink : https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913 " +copyright: Directorate of Defense Trade Controls +version: 1 +provider: Directorate of Defense Trade Controls +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:itar-compliance-program-guidelines + ref_id: ITAR-Compliance-Program-Guidelines + name: ITAR Compliance Program Guidelines + description: "The guidelines contained in this document are intended to provide\ + \ an overview of an effective compliance program and an introduction to defense\ + \ trade controls, including information on the laws and regulations the U.S.\ + \ Department of State, Bureau of Political-Military Affairs, Directorate of\ + \ Defense Trade Controls (DDTC), administers. These defense trade controls are\ + \ contained in the Arms Export Control Act (AECA) (22 U.S.C. 
\xA7 2751 et seq.)\ + \ as amended, and the International Traffic in Arms Regulations (ITAR), Title\ + \ 22 of the Code of Federal Regulations in parts 120-130, both of which are\ + \ authoritative on defense trade controls. \nversion 09/15/2023\nLink : https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913 " + implementation_groups_definition: + - ref_id: DDTC + name: DDTC Suggestions + description: DDTC Suggestions + - ref_id: 7C + name: Sample Audit Checklists + description: Sample Audit Checklists + requirement_nodes: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1 + assessable: false + depth: 1 + ref_id: ELEMENT 1 + name: MANAGEMENT COMMITMENT + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1 + ref_id: ELEMENT 1A + name: Developing and Generating Support for a Culture of Compliance + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a + description: Management commitment is one of the most important factors in creating + a deep-rooted culture of ITAR compliance within organizations. While robust + management commitment alone is insufficient to ensure compliance with all + relevant U.S. export control laws and regulations, it is essential for fostering + a proactive compliance posture. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a + description: "Management includes not only senior management, but also managers\ + \ at all levels within the organization, and the most important stance management\ + \ can take to engender a culture of compliance is to lead by example. Through\ + \ their words and actions, management should encourage compliance and should\ + \ discourage the prioritization of business or other interests over compliance.\ + \ Employees should have a high level of assurance that ITAR compliance is\ + \ management\u2019s greatest priority in all export-related decisions. Management\ + \ should communicate to employees that they are encouraged to raise questions\ + \ or concerns about compliance and potential risk areas and employees will\ + \ not experience retribution or retaliation if they do so. Employees should\ + \ understand that ITAR compliance is everyone\u2019s responsibility within\ + \ the organization." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a + description: "To help generate support and buy-in among employees, management\ + \ should incorporate compliance into employee performance plans and evaluations.\ + \ Employees should be expected to think about and recommend ways to improve\ + \ compliance and raise concerns when they see a possible problem, and their\ + \ performance plans and evaluations should account for those expectations.\ + \ Additionally, management should recognize and reward employees who speak\ + \ up, even if the problem reported resulted in no specific confirmed violation,\ + \ but perhaps lead to improving the organization\u2019s compliance procedures." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a + description: "In addition, management should communicate to employees that export\ + \ control violations will not be tolerated and may result in disciplinary\ + \ action against the employee, regardless of the employee\u2019s position,\ + \ title, or performance. Management should adopt clear disciplinary procedures\ + \ and consequences for addressing compliance misconduct, should enforce them\ + \ consistently across the organization, and should ensure that they are proportionate\ + \ to the misconduct and appropriate to deter future misconduct." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1 + ref_id: ELEMENT 1B + name: Demonstrating Management Commitment Through Policies and Procedures + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b + description: "Management is ultimately responsible for ensuring its organization\u2019\ + s compliance with the ITAR. 
Management can demonstrate its commitment to ITAR\ + \ compliance by:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1 + description: Creating and maintaining an ICP; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1 + description: "Providing sufficient resources, including time, funding, personnel,\ + \ and training, to implement and maintain an ICP commensurate with the organization\u2019\ + s risk; and" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1 + description: Creating and maintaining an Export Compliance Management Commitment + Statement. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b + name: ITAR Compliance Program + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2 + description: "A critical aspect of management\u2019s effort to demonstrate its\ + \ commitment to compliance with the ITAR is creating and maintaining an ICP.\ + \ An effective ICP should be:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1 + description: In writing and clearly state the organizations ITAR compliance + policies and procedures; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1 + description: "Specifically tailored to an organization\u2019s ITAR-controlled\ + \ activities and its areas of risk;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1 + description: Regularly reviewed and updated by various business departments + responsible for complying with the ITAR; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1 + description: Fully supported by management. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2 + description: When developing an ICP, management should identify areas that could + potentially pose a risk of ITAR violations and the lines of authority, e.g., + direct, indirect, and unofficial, in those areas that can assist in preventing + ITAR violations. After an ICP is established, management should remain actively + engaged in improving the compliance program, e.g., by attending periodic ICP + resource and planning meetings at which employees can discuss any ITAR compliance + deficiencies they have identified or propose changes to enhance the ICP. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b + name: Sufficient Compliance Resources + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3 + description: "Management should provide compliance personnel with adequate resources,\ + \ including the appropriate training, funding, human capital, organizational\ + \ support, information technology resources, and other resources to fulfill\ + \ their responsibilities and implement an effective ICP. In assessing whether\ + \ such resources are adequate, management should take account of the organization\u2019\ + s size, scope of operations, and overall risk profile." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b + name: Export Compliance Management Commitment Statement + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4 + description: 'Another critical way to demonstrate strong management support + for ITAR compliance is to have the Chief Executive Officer, President, or + other senior executives personally sign an Export Compliance Management Commitment + Statement that is communicated to employees through all appropriate channels, + including in the opening pages of an ITAR Compliance Manual, on the corporate + website, and through periodic email reminders to all employees. The organization + should review and disseminate this statement at least annually for all employees + and, as appropriate, all contractors to read and sign. The statement should:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: "Underscore the organization\u2019s commitment to export compliance\ + \ and providing sufficient resources to ensure compliance." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Reference the role and function of the U.S. export control system + and its importance in protecting the foreign policy and national security + of the United States. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Affirm that no export shall be made under any circumstances that + violates or potentially violates the ITAR. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: "Emphasize the importance of employees understanding the ITAR and\ + \ its impact on their job functions. Employees should also understand specific\ + \ risks of non-compliance regarding an organization\u2019s activities, technologies,\ + \ and export destinations." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Communicate the importance of routine export compliance monitoring + and auditing. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: "Stress the importance of and/or the requirement to report known\ + \ or suspected violations to the organization\u2019s export compliance department\ + \ anonymously or via an organization\u2019s compliance hotline." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Reiterate that reporting known or suspected ITAR violations in + good faith will not adversely affect employees. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Reiterate that reporting known or suspected export violations will + be used to measure job performance. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1 + description: Include the name and contact information of the personnel responsible + for responding to ITAR compliance inquiries. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1 + ref_id: ELEMENT 1C + name: Organizing the Compliance Function Appropriately + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c + description: "Management is responsible for deciding where to locate compliance\ + \ personnel within an organization\u2019s structure. This includes establishing\ + \ organizational charts and developing descriptions of the organization\u2019\ + s trade and export compliance functions and determining the extent to which\ + \ the ICP is centralized. The organizational structure should clearly identify\ + \ the following areas of authority:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who in management is responsible for overseeing the ICP? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who within the ICP is the point of contact regarding export compliance + questions? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who within the ICP and/or business functions is responsible for + investigating and identifying the root causes of ITAR violations? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who within the ICP and/or business functions is responsible for + overseeing and implementing corrective actions? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who within the ICP is responsible for drafting, finalizing, and + submitting export-related documents to DDTC? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who within the ICP is responsible for sending other communications + regarding export compliance matters to DDTC, if necessary? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1 + description: Who is responsible for legal interpretation and guidance on internal + export compliance matters? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c + description: "Empowered Officials (EOs) typically handle at least some of the\ + \ responsibilities listed above. As set forth in ITAR \xA7 120.67, some of\ + \ the primary attributes and responsibilities of an EO include, but are not\ + \ limited to:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2 + description: Direct employment by an organization in a position having authority + for policy or management within the organization + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2 + description: Written legal empowerment to sign license applications and other + requests for approval on behalf of the organization. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2 + description: Understanding the provisions and requirements of the various export + control statutes and regulations and the criminal liability, civil liability, + and administrative penalties for violating the AECA and the ITAR. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2 + description: 'Independent authority to:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4 + description: Inquire into any aspect of a proposed export, temporary import, + or brokering activity by the organization; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4 + description: Verify the legality of the transaction and the accuracy of the + information to be submitted to DDTC; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4 + description: Refuse to sign any license application or other request for approval + without prejudice or adverse recourse. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c + description: Management is responsible through training and hiring practices + for ensuring that compliance personnel possess the requisite technical knowledge, + expertise, and experience to effectively implement the ICP. Management should + also ensure that compliance personnel, including the EO, are delegated sufficient + authority and autonomy to implement the ICP, consistent with their responsibilities. + Management should hold routine and periodic meetings with the EO to ensure + that employees are following ITAR policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + assessable: false + depth: 1 + ref_id: ELEMENT 2 + name: DDTC REGISTRATION, JURISDICTION & CLASSIFICATION, AUTHORIZATIONS, & OTHER + ITAR ACTIVITIES + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2A + name: Registration + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + description: The ICP should include information on registration requirements + in the ITAR. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + name: Who Needs to Register? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + description: "The organization\u2019s ICP should explain who is required to\ + \ register with DDTC. The ITAR sets forth the general requirements to register\ + \ for manufacturers, exporters, and temporary importers in ITAR part 122 and\ + \ for brokers in ITAR part 129, while also imposing registration requirements\ + \ in certain unique circumstances. See, e.g., ITAR \xA7\xA7 126.16(k) and\ + \ 126.17(k) regarding requirements for intermediate consignees under the Australia\ + \ and UK treaties, respectively." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + description: The ITAR requires that, subject to certain exemptions, any person + who engages in the United States in the business of manufacturing or exporting + or temporarily importing defense articles, including technical data, or furnishing + defense services, must register with DDTC. Manufacturers who do not engage + in exporting must nevertheless register. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + description: The ITAR also requires that, subject to certain exemptions, persons + engaged in brokering activities with respect to the manufacture, export, import, + or transfer of any foreign defense article or defense service must register + with DDTC. The brokering registration requirement applies to any U.S. person, + any foreign person located in the United States, and any foreign person located + outside of the United States and owned or controlled by a U.S. person. A manufacturing + registration does not satisfy brokering registration requirements and vice + versa, and persons engaged in both manufacturing and brokering activities + must register as both a manufacturer and broker. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + description: The purpose of registration is primarily to provide the U.S. Government + with visibility into who is involved in ITAR-controlled activities. Registration + does not confer any export, temporary import, or brokering rights or privileges. 
+ Registration also does not constitute a certification of ITAR compliance or + indicate the effectiveness of an ICP. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2 + description: "Registration is generally a precondition to the issuance of any\ + \ license or other approval, including the use of certain license exemptions.\ + \ Additional DDTC registration information and FAQs can be found on DDTC\u2019\ + s website." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + name: Types of Registration + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3 + description: 'There are three types of registration: manufacturer, exporter, + and broker. Organizations can apply as a manufacturer, exporter, and/or broker + in one registration application. They will receive a code that corresponds + with their registration type and a completion letter from the DDTC under their + account after payment (currently via Defense Export Control and Compliance + System (DECCS)).' 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + name: Submitting Registration Applications and Renewals + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4 + description: "A prospective registrant must electronically submit a Statement\ + \ of Registration (Department of State form DS-2032) to the Office of Defense\ + \ Trade Controls Compliance (DTCC) by following the submission guidelines\ + \ available on the DDTC website and referring to the requirements set forth\ + \ in ITAR \xA7 122.2. Registrations are valid for 12 months and must be renewed\ + \ annually. The expiration date is included in the registration letter issued\ + \ by DDTC. Registration renewal submissions should be submitted through DECCS\ + \ up to a maximum of 60 days but no less than 30 days in advance of the renewal\ + \ expiration." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + name: Registration Changes and Notifications + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5 + description: 'Registrants are required to notify DDTC within a specified time + period, e.g., five or 60 days, when certain changes in their organization + occur. 
Changes that require notification to DDTC include, but are not limited + to, when:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1 + description: Certain persons related to the organization have been indicted + or otherwise charged with or convicted of violating certain criminal statutes. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1 + description: Organizations change certain information in the Statement of Registration, + such as name, address, ownership, or persons listed on registration. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1 + description: Organizations intend to sell or transfer ownership or control to + a foreign person. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1 + description: Organizations are part of acquisitions or mergers. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5 + description: "Additional notification requirements are found in ITAR \xA7 122.4." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a + name: DDTC Registration Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6 + description: "Organizations often submit voluntarily disclosures pursuant to\ + \ ITAR \xA7 127.12 regarding their failure to notify DDTC of registration\ + \ changes required under the ITAR. To reduce the risk of these types of ITAR\ + \ violations from occurring, DDTC recommends that organizations take the following\ + \ actions:" + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1 + description: Understand which activities require an organization to register + with DDTC and determine whether the organization is required to do so. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1 + description: Assign a senior officer to oversee the registration process and + to sign the required notifications. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1 + description: Establish and implement policies and procedures to ensure the complete + and timely submission of registration renewals and required notifications + for material changes. 
For example, create policies and procedures to ensure + that export compliance personnel are informed in advance of changes in senior + officers and mergers and acquisitions to ensure timely updates to the registration + statement. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1 + description: ' Protect registration codes, which are specific to the registrant + and should not be made available publicly.' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2B + name: Jurisdiction and Classification + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b + description: To determine whether organizations or individuals need to register + or obtain a DDTC license or other approval, they must determine the appropriate + jurisdiction and classification of the commodities they manufacture, export, + temporarily import, or broker. Jurisdiction refers to the set of regulations + to which a commodity is subject, e.g., the ITAR or the Export Administration + Regulations (EAR), whereas classification refers to the specific entry on + the respective control list under which the commodity is described, e.g., + USML Category VIII(a)(2), or Commerce Control List Export Control Classification + Number ECCN 9A610.a). 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b + name: Commodity Jurisdiction Requests + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2 + description: "Manufacturers, exporters, and temporary importers may self-classify\ + \ their items and services. However, if after reviewing the Order of Review\ + \ described in ITAR \xA7 120.11, doubt remains regarding the jurisdiction\ + \ and/or classification of an item or service, organizations may submit a\ + \ Commodity Jurisdiction (CJ) determination request to DDTC as described in\ + \ ITAR \xA7 120.12 for an authoritative determination." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2 + description: "To submit a CJ request, navigate to DDTC\u2019s website and under\ + \ \u201CConduct Business\u201D for instructions on how to submit a Form DS-4076\ + \ electronically via DECCS. Please note that a supporting letter from the\ + \ original equipment manufacturer (OEM) is generally required for CJ applications\ + \ by persons other than the OEM." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b + name: DDTC Jurisdiction and Classification Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3 + description: 'Organizations routinely disclose to DDTC ITAR violations resulting + from improper jurisdiction and classification. To reduce the risk of these + types of ITAR violations from occurring, DDTC recommends that organizations + take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: If any doubt exists regarding the proper jurisdiction or classification, + err on the side of caution, and submit a CJ request to DDTC. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: Understand the form and fit of the articles, as well as the function + and performance capability of the articles. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: Document the design and development process for new products and + monitor and document modifications to existing products. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: Designate employees with the necessary technical expertise, e.g., + engineers or program managers, and export controls personnel to perform jurisdiction + and classification review functions. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: Establish formal written policies and procedures for reviewing + and documenting jurisdiction and classification decisions. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: "Develop a system of tracking and marking jurisdiction and classification\ + \ determinations at the time \u2013 or as soon as possible after \u2013 commodities\ + \ are manufactured." + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: DDTC routinely updates USML categories, so organizations should + consistently monitor these updates and adjust their internal jurisdiction + and classification determinations accordingly. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: If a CJ request is pending, DDTC recommends treating the commodity + as defense article or a defense service until DDTC issues the CJ determination. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1 + description: Keep records of all jurisdiction and classification decisions in + a central location that can easily be accessed, reviewed, referred to, and + updated. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2C + name: Authorizations + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + description: "DDTC authorization via a license or other approval is required\ + \ prior to engaging in any ITAR-controlled export (see ITAR \xA7 120.50),\ + \ reexport (see ITAR \xA7 120.51), retransfer (see ITAR \xA7 120.52), temporary\ + \ import (see ITAR 120.53), or brokering activities (see ITAR 129.2(b))." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + name: Licenses, Agreements, and Other Approvals + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2 + description: "As defined in the ITAR, a \u201Clicense\u201D is a document bearing\ + \ the word \u201Clicense\u201D that is issued by DDTC that permits the export,\ + \ reexport, retransfer, temporary import, or brokering of a specific defense\ + \ article or defense service controlled under the ITAR." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2 + description: "An \u201Cother approval\u201D is a document, other than a license,\ + \ issued by DDTC that approves an ITAR-controlled activity or the use of an\ + \ exemption to the license requirements in the ITAR. License exemptions are\ + \ therefore considered a form of DDTC authorization. Additional information\ + \ about obtaining a license or other approval from DDTC can be found on DDTC\u2019\ + s website. Licenses are submitted and tracked in DECCS." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2 + description: 'Agreements approved by the Office of Defense Trade Controls Licensing + (DTCL) may authorize U.S. persons to furnish defense services and export technical + data to foreign persons, manufacture defense articles abroad, or establish + distribution points abroad for defense articles of U.S. 
origin for subsequent + distribution to foreign persons or entities. Agreements are submitted and + tracked in DECCS. There are three different types of agreements that cover + these activities:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3 + description: 'Manufacturing Licensing Agreements (MLA): agreements whereby a + U.S. person grants a foreign person an authorization to manufacture defense + articles abroad and that involve or contemplate either the export of technical + data or defense articles or the performance of a defense service; or the use + by the foreign person of technical data or defense articles previously exported + by the U.S. person.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3 + description: 'Technical Assistance Agreements (TAA): agreements for the performance + of a defense service(s) or the disclosure of technical data, as opposed to + an agreement granting a right or license to manufacture defense articles.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3 + description: 'Distribution Agreements: agreements to establish a warehouse or + distribution point abroad for defense articles exported from the United States + for subsequent distribution to entities in an approved sales territory.' 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2 + description: "Additional information on agreements can be found on DDTC\u2019\ + s website and under ITAR part 124. Guidance for preparing agreements can be\ + \ found on DDTC\u2019s website in the Agreement Guidance section, and further\ + \ detail is provided in the DDTC\u2019s Guidelines for Preparing Agreements." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + name: Reexports, Retransfers, and General Correspondence Requests + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3 + description: Prior written DDTC approval must be obtained before reselling, + transferring, reexporting, retransferring, transshipping, or disposing of + a defense article to any end user, end use, or destination other than as stated + on the export license or in the Electronic Export Information filing for any + exemption previously claimed. This requirement applies in all circumstances, + except where the transaction is in accordance with the provisions of an exemption + that explicitly authorizes the resale, transfer, reexport, retransfer, or + disposition of a defense article without such approval. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3 + description: U.S. and foreign persons may submit a written request for approval + of a reexport or retransfer of defense articles or technical data to DTCL + through DECCS. 
This request is typically referred to as a General Correspondence + (GC) request. Foreign persons may also submit GC requests regarding reexports, + retransfers, or changes in end use to DTCL, and they do not need to be registered + with DDTC in order to do so. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3 + description: Additional information about approvals for reexports or retransfers + can be found in ITAR part 123. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + name: DDTC Licenses, Agreements, and Exemptions Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4 + description: 'To reduce the risk of ITAR violations related to obtaining and + using licenses, agreements, and exemptions, DDTC recommends that organizations + establish policies and procedures for the following:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Incorporating licensing and other authorization considerations + in all appropriate organization processes. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Anticipating, to the extent possible, the need for licenses in + advance of proposed export activities. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Ensuring that business development, sales, and marketing personnel + understand timelines for obtaining licenses. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Ensuring ample time to draft, submit, and receive approval for + agreements. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Ensuring all parties understand appropriate terms, conditions, + and provisos of the agreement, and conducting periodic audits of export activities + under the agreement. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Performing as much fact finding as practicable ahead of submitting + license applications and anticipating changes that may occur while a license + is valid, e.g., change in freight forwarder, potential U.S. or foreign subcontractors + involved in the transaction, or changes in the end use or end user. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Reviewing for restrictions on parties to the transaction, including + by screening through the Consolidated Screening List. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: ' Creating, submitting, tracking and disposition of licenses and + other authorizations.' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Successfully implementing agreements (e.g., internal controls, + technology control plans, identifying foreign person status, and employment + status of meeting attendees). + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Communicating with all foreign parties to determine who will be + involved in the transaction and their roles, e.g., recipients of services, + providers, subcontractors. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: ' Working with foreign parties to understand if there will be dual + or third- country national employees working on the proposed activities and + how the foreign party will screen those individuals.' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Ensuring foreign parties have compliance safeguards in place to + protect any technical data transferred under the agreements from unauthorized + access. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Protecting against unauthorized release of technical data to foreign + entities and foreign employees. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Assessing all conditions that must be satisfied to qualify for + use of any license exemption. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1 + description: Reviewing and approving use of license exemptions by appropriate + compliance personnel. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c + name: 'DDTC Reexports, Retransfers, and General Correspondence Requests + + Suggestions' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5 + description: 'To reduce the risk of ITAR violations related to the reexport + or retransfer of defense articles from occurring, DDTC recommends that organizations + take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + description: Establish policies and procedures for reviewing and obtaining authorization + for reexports and retransfers. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + description: Establish policies and procedures for tracking and keeping records + regarding export authorizations for reexports or retransfers. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + description: Ensure understanding of the difference between requesting an initial + export authorization and a subsequent reexport or retransfer approval. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + description: Gather all relevant information about the transaction prior to + requesting written approval to ensure the request is not returned without + action by DDTC due to lack of information. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1 + description: Educate foreign recipients of U.S. defense articles about end use + and other ITAR requirements. For example, foreign recipients should understand + that destruction is considered a change in end use, and they must request + approval from DDTC in advance of destruction or demilitarization. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2D + name: Restricted Party Screening + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d + description: "An organization should screen all parties involved in a transaction\ + \ prior to engaging in any ITAR-controlled activity with such parties. This\ + \ includes screening such parties through the Consolidated Screening List\ + \ (CSL) or restricted party screening tools containing CSL information. The\ + \ CSL is a list that U.S. 
government agencies, including the Departments of\ + \ State, Commerce, and the Treasury, maintains restrictions on certain exports,\ + \ reexports, or transfers of items. U.S. government agencies routinely update\ + \ their lists, which are consolidated in the CSL, and DDTC encourages routine\ + \ screening against the CSL to avoid prohibited transactions. Information\ + \ on screening and the CSL can be found on the International Trade Administration\u2019\ + s website." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d + name: Proscribed Countries + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2 + description: "It is the policy of the U.S. Government to deny licenses for exports\ + \ and imports of defense articles and defense services destined for or originating\ + \ in certain countries listed in ITAR \xA7 126.1, subject to certain exceptions.\ + \ DDTC considers unauthorized transactions with proscribed countries to be\ + \ serious violations of the ITAR. More information on the types of prohibited\ + \ exports, imports, and sales to or from specific countries can be found in\ + \ ITAR \xA7 126.1." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d + name: DDTC Restricted Party Screening and Proscribed Countries Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3 + description: 'To ensure effective screening and reduction of the risk of ITAR + violations involving restricted parties and proscribed countries, DDTC recommends + that organizations take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: "Establish policies and procedures for implementing screening within\ + \ the organization\u2019s operations. For example, consider establishing procedures\ + \ for screening prior to each of the following activities: entering substantive\ + \ business discussions, signing contracts or other agreements, submitting\ + \ license applications, and exporting." + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: Establishing policies and procedures for resolving positive hits + and reviewing questionable transactions. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: Determine the frequency of routine screening and rescreening of + customers, suppliers, or other entities engaged in on-going transactions. + Frequency may differ depending on risk related to jurisdiction, industry, + entity, etc. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: Maintain detailed screening record results. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: Dedicate adequate resources for screening. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: Monitor updates to U.S. Government lists. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1 + description: "Ensure that all relevant employees understand which destinations\ + \ are proscribed under ITAR \xA7 126.1 and the potential consequences of exporting\ + \ without authorization to one of those destinations." 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2E + name: Brokering + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + description: "ITAR \xA7 129.1(a) states that,\u201Cpersons engaged in the business\ + \ of brokering activities shall register and pay a registration fee and that\ + \ no person may engage in the business of brokering activities without a license.\u201D" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + description: "A broker, as defined in ITAR \xA7 129.2(a), is any person who\ + \ engaged in brokering activities who is also U.S. person wherever located,\ + \ any foreign person located in the United States, or any foreign person located\ + \ outside the United States that is owned or controlled by a U.S. person." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + description: "Brokering activities, as defined by ITAR \xA7 129.2(b), mean any\ + \ action on behalf of another to facilitate the manufacture, export, permanent\ + \ import, transfer, reexport, or retransfer of a U.S. or foreign defense article\ + \ or defense service, regardless of its origin. 
Such activities include, but\ + \ are not limited to:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3 + description: Financing, insuring, transporting, or freight forwarding defense + articles and defense services. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3 + description: Soliciting, promoting, negotiating, contracting for, arranging, + or otherwise assisting in the purchase, sale, transfer, loan, or lease of + a defense article or defense service. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + name: Authorization Requirements + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4 + description: "ITAR \xA7 129.4 provides a list of defense articles and defense\ + \ services for which a broker must obtain written approval from DDTC prior\ + \ to engaging in brokering activities. A broker may request DDTC approval\ + \ for brokering activities by submitting a completed Form DS-4294 in DECCS.\ + \ The organization must describe in the request the who, what, where, when,\ + \ and why of the transaction. A full list of required information can be found\ + \ in ITAR \xA7 129.6." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4 + description: "Brokers can find exemptions to brokering requirements in ITAR\ + \ \xA7 129.5. Exempt activities include:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2:1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2 + description: "Certain brokering activities undertaken for an agency of the U.S.\ + \ Government, as described in ITAR \xA7 129.5(a)." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2:2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2 + description: "Certain brokering activities involving foreign defense articles\ + \ or defense services arranged wholly within and destined exclusively for\ + \ the North Atlantic Treaty Organization (NATO), NATO countries, Australia,\ + \ Israel, Japan, New Zealand, or the Republic of Korea, as described in ITAR\ + \ \xA7 129.5(b)." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4 + description: "These brokering exemptions do not apply if the transaction involves\ + \ ITAR \xA7 126.1 countries or parties debarred pursuant to ITAR \xA7 127.7,\ + \ as set forth in ITAR \xA7 129.7." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + name: Annual Brokering Activities Report Requirement + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5 + description: "Any person who engages in brokering activities is required to\ + \ provide to DDTC on an annual basis a report of their brokering activities\ + \ in the previous 12 months. Reports must be submitted along with the broker\u2019\ + s annual renewal submission or, if not renewing, within 30 days after expiration\ + \ of registration. The information required for these reports can be found\ + \ in ITAR \xA7 129.10." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e + name: DDTC Brokering Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6 + description: 'To reduce the risk of brokering-related ITAR violations, DDTC + recommends that brokers take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1 + description: Establish policies and procedures for obtaining prior authorization + for brokering activities, reporting brokering activities, and maintaining + records regarding brokering activities. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1 + description: Understand which activities constitute brokering activities under + the ITAR and identify whether and to what extent the broker is engaged in + such activities. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1 + description: Review and understand the available exemptions to the brokering + authorization requirements. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1 + description: Submit annual brokering reports to DDTC on time. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2F + name: Political Contributions, Fees, and Commissions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + description: Applicants and suppliers or vendors need to report to DDTC certain + political contributions, fees, or commissions relating to sales of defense + articles or defense services valued at $500,000 or more that are being sold + commercially to or for the use of the armed forces of a foreign country or + international organization. More information can be found in ITAR part 130. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + description: 'A reportable fee or commission is any loan, gift, donation, or + other payment of $1,000 or more made, or offered or agreed to be made directly + or indirectly, whether in cash or in kind, and whether pursuant to a written + contract, that is:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2 + description: To or at the direction of any person, irrespective of nationality, + whether employed by or affiliated with an applicant, a supplier, or a vendor; + and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2 + description: For the solicitation or promotion or otherwise to secure the conclusion + of a sale of defense articles or defense services to or for the use of the + armed forces of a foreign country or international organization. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + description: 'The phrase fee or commission does not include:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3 + description: "A political contribution or a payment excluded by ITAR \xA7 130.6\ + \ from the definition of political contribution;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3 + description: A normal salary (excluding contingent compensation) established + at an annual rate and paid to a regular employee of an applicant, supplier, + or vendor; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3 + description: General advertising or promotional expenses not directed to any + sale or purchaser; or + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3 + description: "Payments made, or offered or agreed to be made, solely for the\ + \ purchase by an applicant, supplier, or vendor of specific goods or technical,\ + \ operational, or advisory services, when such payments are not disproportionate\ + \ in amount with the value of the specific goods or services furnished. See\ + \ ITAR \xA7 130.5(b)." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + description: 'Political contribution means any loan, gift, donation, or other + payment of $1,000 or more made, or offered or agreed to be made, directly + or indirectly, whether in cash or in kind, which is:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4 + description: To or for the benefit of, or at the direction of, any foreign candidate, + committee, political party, political faction, or government or governmental + subdivision, or any individual elected, appointed or otherwise designated + as an employee or officer thereof; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4 + description: "For the solicitation or promotion or otherwise to secure the conclusion\ + \ of a sale of defense articles or defense services to or for the use of the\ + \ armed forces of a foreign country or international organization. Taxes,\ + \ customs duties, license fees, and other charges required to be paid by applicable\ + \ law or regulation are not regarded as political contributions. See ITAR\ + \ \xA7 130.6." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + name: Reporting + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5 + description: "To determine whether a report needs to be provided to DDTC under\ + \ ITAR part 130, applicants (as defined in ITAR \xA7 130.2) and suppliers\ + \ (as defined in ITAR \xA7 130.7) must conduct their due diligence with respect\ + \ to their vendors (as defined in ITAR \xA7 130.8). Applicants and suppliers\ + \ should request the information listed in ITAR \xA7 130.10, which includes\ + \ any political contributions, fees, or commissions paid or offered or agreed\ + \ to be paid with respect to the sale. See ITAR \xA7 130.12 and ITAR \xA7\ + \ 130.13 for more on the information to be furnished by applicants, suppliers,\ + \ and their vendors." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5 + description: 'Each applicant or supplier must inform DDTC as to whether the + applicant, suppliers, or their vendors have paid, or offered or agreed to + pay:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2 + description: Political contributions in an aggregate amount of $5,000 or more. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2 + description: "Fees or commissions in an aggregate amount of $100,000 or more.\ + \ If so, the applicant must furnish to DDTC the information specified in ITAR\ + \ \xA7 130.10." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2 + description: "Any payments or offers or agreements to make payments of political\ + \ contributions or fees or commissions that the applicant or supplier learns\ + \ of after submission of the license application and any value changes to\ + \ previously submitted reports must be submitted as a supplement report and\ + \ must include a detailed statement of the reasons why the applicant or supplier\ + \ did not furnish the information at the time of the application. See ITAR\ + \ \xA7 130.11 for information regarding supplementary reports." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5 + description: "See ITAR \xA7 130.10 for a full list of the required information\ + \ to be submitted in a report to DDTC." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f + name: DDTC Political Contributions, Fees, and Commissions Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6 + description: 'To reduce the risk of ITAR part 130-related violations, DDTC recommends + that organizations take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1 + description: Understand whether you or your vendors are involved in paying political + contributions, fees, or commissions. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1 + description: Understand what information needs to be asked of and received from + your vendors. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1 + description: Establish policies and procedures for accurate and accessible recordkeeping + of such political contributions, fees, or commissions. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2 + ref_id: ELEMENT 2G + name: Cybersecurity and Encryption + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g + description: Although the ITAR does not explicitly require organizations to + implement specific cyber security or encryption measures for the storage or + transmission of technical data, cyber intrusion events, and the theft of technical + data may result in unauthorized exports. Other U.S. Government agencies and + programs, however, have specific cyber security requirements. DDTC expects + organizations to take steps to protect their technical data from cyber intrusions + and theft and consider carefully what cyber security solutions work most effectively + for them. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g + description: Having specific policies, procedures, and tools for the encryption + of technical data is a critical part of cyber security. Organizations should + consider both how to encrypt the storage and transmission of technical data + externally, including via cloud and other remote storage, and how to appropriately + encrypt technical data on portable devices. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g + description: "For further information on activities that are not exports, reexports,\ + \ retransfers, or temporary imports related to the sending, taking, or storing\ + \ of technical data, see ITAR \xA7 120.54." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g + name: DDTC Cybersecurity and Encryption Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4 + description: 'To reduce the risk of ITAR violations and improve cyber security + measures, DDTC recommends that organizations take the following actions:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Establish policies and procedures for recurring training on travel + with mobile devices for new and existing employees. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Ensure foreign person employees do not receive unauthorized access + to technical data. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: "Ensure technical data is not backed up to servers in foreign locations,\ + \ unless it meets the criteria set out in ITAR \xA7 120.54(a)(5) regarding\ + \ storage of unclassified technical data secured using end-to-end encryption." + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: ' Coordinate with IT to implement intrusion detection systems.' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Educate employees about phishing, malware, and other cyber threats. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Review electronic storage options, such as cloud storage services, + and understand how service providers protect ITAR-controlled technical data. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Establish security policies for file sharing and collaboration + tools. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Establish measures for encryption of data on mobile devices, such + as laptops and cell phones. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Establish policies and procedures for the review and approval of + employee travel with mobile devices. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1 + description: Ensure that IT logs and controls access to company networks that + contain ITAR-controlled technical data by authorized personnel. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3 + assessable: false + depth: 1 + ref_id: ELEMENT 3 + name: RECORDKEEPING + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3 + ref_id: ELEMENT 3A + name: ITAR Recordkeeping Requirements + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a + description: 'The ITAR requires all registrants to maintain records regarding + the manufacture, acquisition, and disposition of defense articles, including + technical data; the provision of defense services; brokering activities; and + information on political contributions, fees, and commissions furnished or + obtained, pursuant to ITAR part 130. 
The ITAR requires that such records are:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + description: Reproducible in paper format, if digital; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + description: Legible and readable; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + description: Unaltered once recorded or, if altered, with any alterations properly + recorded, including who made them and when; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + description: Readily accessible if digital images; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1 + description: Maintained for a period of five years from the expiration of the + license or other approval, to include exports using an exemption, or from + the date of the transaction. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a + description: 'The following records must be maintained:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: License or other approval; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: License exemption; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Technical data exports; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Oral, visual, or electronic exports; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Certain information related to special comprehensive export authorizations; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Related to the Defense Trade Cooperation Treaty between the United + States and Australia; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:7 + assessable: true + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Related to the Defense Trade Cooperation Treaty between the United + States and the United Kingdom; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Related to exemptions involving employees who are dual and third- + country nationals; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Related to voluntary disclosures; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Brokering recordkeeping requirements; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2 + description: Related to political contributions, fees, and commissions. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3 + ref_id: ELEMENT 3B + name: Establishing Recordkeeping Roles and Responsibilities + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b + description: "For each transaction or activity type, organizations should determine\ + \ which records must be maintained pursuant to the ITAR\u2019s recordkeeping\ + \ requirements and develop a list of those records. 
Based on the list, organizations\ + \ should develop written policies and procedures to ensure that these records\ + \ are maintained properly. Such written policies and procedures should clearly\ + \ articulate who within the organization is responsible for the various recordkeeping\ + \ responsibilities. They should also include, but are not limited to, the\ + \ following:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Establishing policies and procedures for recordkeeping and for + timely destruction of records, or their maintenance past required dates where + relevant to ongoing matters, including, e.g., disclosures to DDTC. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Determining how and where records will be maintained. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Determining how and when records will be inspected for completeness, + accuracy, and quality. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Developing and maintaining processes for managing records by identifying + classes of records and logs of record creators and keepers. If appropriate, + maintain a detailed log or index of records of more sensitive records. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Establishing record-retention requirements for emails, contracts + with freight forwarders, brokers, and distributors, and other records. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Creating recordkeeping redundancies, such as backup IT servers, + where appropriate. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1 + description: Ensuring that recordkeeping methods do not allow for unrecorded + alterations. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b + description: Organizations should clearly allocate responsibilities for recordkeeping + among personnel in business units, records management, information technology, + system administration, and other offices within the organization. Organizations + should also identify personnel designated with recordkeeping responsibilities + and ensure that oversight of such personnel exists to confirm they are adequately + performing their recordkeeping responsibilities. Finally, organizations should + develop ongoing training and awareness programs to ensure personnel involved + in the recordkeeping process can effectively comply with ITAR recordkeeping + requirements. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b + description: 'Organizations should ensure that every employee involved in ITAR-controlled + activities is trained on how to:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3 + description: Identify and preserve relevant records; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3 + description: Share and retrieve relevant records; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3 + description: Properly dispose of hard drives, thumb drives, and other portable + media devices on which records are stored; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3 + description: Maintain a backup system for preserving relevant records. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b + description: Organizations should ensure that all required records are captured + and correctly filed to allow for efficient search and retrieval by conducting + periodic audits on the recordkeeping system. 
Management should also communicate + the importance of recordkeeping to all employees and ensure that sufficient + resources exist to allow employees to perform their recordkeeping duties. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3 + ref_id: ELEMENT 3C + name: Recordkeeping and Technology Control Plans + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + description: "Organizations that possess technical data and either employ foreign\ + \ persons or conduct frequent meetings with foreign persons should consider\ + \ creating and maintaining a Technology Control Plan (TCP). A TCP sets out\ + \ an organization\u2019s policies and procedures for protecting technical\ + \ data and includes the following elements:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + description: Management commitment; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + description: Personnel-screening procedures; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + description: A physical security plan; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + description: An 
information security plan; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1 + description: Training and awareness programs. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + description: A TCP can help reduce the risk of inadvertent ITAR violations through + telephone, facsimile, electronic mail, social media, or in-person exchanges, + particularly during informal technical exchanges with foreign persons. Organizations + can implement a TCP in several ways, including for an organization, a location, + or a defined project. Organizations should incorporate TCP requirements into + their ICP and ensure impacted employees are aware of specific TCP requirements. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + description: 'TCPs should also address how organizations will keep records regarding + foreign- person visitors at their facilities. For example, organizations could + document all foreign person visits and any special conditions attached to + the visits. 
Such records should indicate:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: "The visitor\u2019s name and nationality or nationalities;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: The name and affiliation of the organization represented; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: The date of the visit; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: Persons, physical areas, and room numbers visited; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: Purpose of the visit with specific emphasis on products or services + discussed; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3 + description: A summary of the visit, including any issues or circumstances of + note. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + description: In addition to documenting these interactions with foreign persons, + TCPs should address how organizations will collect and store human resources + records for foreign person employees involved in ITAR-controlled activities. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c + description: Instituting these recordkeeping practices through a TCP may also + have the additional benefit of increasing awareness among employees that certain + types of interactions with foreign persons create risk areas for potential + ITAR violations, thereby minimizing the risk of an inadvertent violation. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3 + ref_id: ELEMENT 3D + name: Recordkeeping and Voluntary Disclosures + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d + description: Establishing and implementing robust recordkeeping policies and + procedures are foundational to establishing a strong ICP. In the event an + ITAR violation occurs, thorough documentation is essential for submitting + a voluntary disclosure to DDTC that meets the requirements in ITAR part 127. 
+ Without strong recordkeeping policies and procedures, organizations may find + it difficult to provide all information and documentation described in ITAR + part 127 for voluntary disclosures and to respond to any questions that DDTC + may have regarding the violation. A failure to maintain or produce relevant + records in certain circumstances constitutes an ITAR violation. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d + name: DDTC Recordkeeping Suggestions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2 + description: 'DDTC recommends that organizations identify and implement best + practices for recordkeeping including, but not limited to, the following:' + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: In the event records include copies of exported technical data, + ensuring the records are properly secured, including through encryption for + digital records, to prevent unauthorized access. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Before employees depart an organization, ensuring any records subject + to ITAR recordkeeping requirements they possess are identified and preserved. 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Evaluating the physical storage site and control procedures for + disposal of records to minimize the risk of losing records or failing to properly + secure technical data. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Implementing a backup system for electronic storage and implementing + measures that will assist in the recovery of information and other electronic + communications on computer systems if the primary computer system fails. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Maintaining thorough records of non-disclosure agreements and screenings + involving dual and third-country national employees, as appropriate + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: "Maintaining copies of relevant records that exist on a third-party\ + \ organization\u2019s IT systems, such as copies of shipping records from\ + \ freight forwarders, disclosures submitted by outside counsel, or licensing\ + \ information." 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Acquiring or developing a central IT storage system or database + for relevant records. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: For offsite record storage and destruction, reviewing the contractual + terms to ensure that ITAR-controlled technical data is protected. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Periodically reevaluating the efficacy of recordkeeping policies + and procedures. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: Retaining records of any disclosures and any supporting documentation. + implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1 + description: "Developing and implementing a system to document all communications\ + \ with DDTC officials, including through outside counsel, involving ITAR-related\ + \ matters, which may help ensure continuity and consistency in an organization\u2019\ + s export compliance functions." 
+ implementation_groups: + - DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4 + assessable: false + depth: 1 + ref_id: ELEMENT 4 + name: DETECTING, REPORTING, & DISCLOSING VIOLATIONS + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4 + ref_id: ELEMENT 4A + name: Detect and Report Suspected ITAR Violations Early + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a + description: "Organizations should develop and disseminate policies and procedures\ + \ that provide clear guidance to all employees regarding the detecting and\ + \ reporting of suspected ITAR violations. Because ITAR violations can cause\ + \ serious harm to U.S. national security and foreign policy, they can result\ + \ in the imposition of criminal and/or civil penalties, to include debarment,\ + \ and/or other costs, including reputational damage and the denial or revocation\ + \ of export licenses. Early detection, reporting, and rapid corrective actions\ + \ are essential to minimize any harm to U.S. national security and foreign\ + \ policy and mitigate an organization\u2019s legal exposure." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a + description: 'Organizations should establish policies and procedures to detect, + stop, investigate, confirm, report, and remediate any suspected ITAR violations + immediately. 
To this end, DDTC recommendations that organizations:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Implement clear internal reporting procedures for employees to + ensure that employees understand that it is their obligation to report suspected + ITAR violations. Organizations should widely promulgate these procedures. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Provide a mechanism through which employees can report suspected + ITAR violations anonymously and confidentially and ensure that employees are + aware of and can effectively use this mechanism. For example, organizations + may remind employees of such reporting mechanisms through regular bulletins + or visual reminders (such as posters) and may provide templates to make reporting + suspected violations efficient and effective. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Clearly identify and communicate to employees the office or individuals + within the organization assigned the responsibility for receiving reports + of suspected ITAR violations along with their contact information. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Empower employees to speak up if they are unsure about the proper + course of action, if they believe they may have been involved in an activity + that violated the ITAR, or if they believe another employee is violating or + about to violate the ITAR. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Provide assurances that employees will not suffer any negative + consequences for reporting a suspected violation in good faith. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: Incorporate ITAR compliance into employee performance plans and + evaluations. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2 + description: "Implement reporting procedures for organizations to voluntarily\ + \ disclose ITAR violations to DDTC and also to mandatorily disclose ITAR violations\ + \ involving proscribed destinations pursuant to ITAR \xA7 126.1(e)(2)." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4 + ref_id: ELEMENT 4B + name: Establish Policies and Procedures for Investigating ITAR Violations and + Implementing Corrective Actions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b + description: 'Organizations should draft, periodically update, and make available + to employees policies and procedures for investigating and addressing potential + ITAR violations that are reported or otherwise detected. These policies and + procedures should cover, among other things, how the organization will:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Determine when to investigate suspected violations. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Document the information reported, detected, or otherwise obtained + as part of the investigation. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Analyze the root causes of any ITAR violations. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Draft a report describing the outcome of the investigation and + the recommended corrective actions, including any recommended disciplinary + measures. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Present the report to and brief management. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: "Document management\u2019s response to the report and whether\ + \ management approved the recommended corrective actions." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Implement the corrective actions and document the implementation + of the corrective actions, including who implemented them and how. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: ' Monitor the corrective actions to ensure they remain fully implemented + and are working properly over time.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1 + description: Report back to management after the approved corrective actions + are implemented. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b + description: "Organizations should use personnel qualified to conduct timely\ + \ and properly scoped investigations of ITAR violations and should ensure\ + \ that such personnel have adequate resources and funding. Organizations should\ + \ ensure that investigations are independent, objective, thorough, and properly\ + \ documented. Organizations should consult in-house and outside ITAR experts,\ + \ where appropriate, during or after an investigation. Management\u2019s response\ + \ to such investigations should reflect the critical importance of ITAR compliance,\ + \ including by recognizing and rewarding employees who report suspected ITAR\ + \ violations. Organizations should also continuously update their compliance\ + \ programs to incorporate changes to the ITAR and lessons learned from past\ + \ violations." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4 + ref_id: ELEMENT 4C + name: Establish Policies and Procedures for Properly Submitting Voluntary Disclosures + to DDTC + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + description: "Organizations should develop written policies and procedures for\ + \ disclosing ITAR violations to DDTC. Organization should ensure that these\ + \ policies and procedures are fully consistent with all requirements set forth\ + \ in ITAR \xA7 127.12 for voluntary disclosures." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + description: "DDTC strongly encourages organizations to disclose suspected ITAR\ + \ violations promptly. DDTC may consider a voluntary disclosure pursuant to\ + \ ITAR \xA7 127.12 as a mitigating factor in determining the administrative\ + \ penalties, if any, that should be imposed. However, for a disclosure to\ + \ be considered \u201Cvoluntary\u201D for purposes of ITAR \xA7 127.12, it\ + \ must be made prior to the time the U.S. Government becomes aware of either\ + \ the same or substantially similar information from another source and initiates\ + \ an investigation or inquiry of its own. Accordingly, an organization that\ + \ wishes to obtain the significant mitigation credit for voluntary disclosures\ + \ should disclose any violations as quickly as possible to DDTC. Failure to\ + \ voluntarily disclose a violation may result in circumstances detrimental\ + \ to U.S. national security and foreign policy interests and will be an adverse\ + \ factor in determining the appropriate disposition of the matter. DDTC reviews\ + \ and closes most voluntary disclosures without any administrative action." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + description: "Organizations should submit an initial notification to DDTC pursuant\ + \ to ITAR \xA7 127.12. If they have not yet identified all the required information\ + \ under ITAR \xA7 127.12, then they may subsequently provide a full disclosure\ + \ within 60 days. Organizations that request extensions for the submission\ + \ of a full disclosure are encouraged to do so as far in advance of the 60-day\ + \ deadline as possible. 
If organizations confirm that no ITAR violation occurred\ + \ after submitting an initial notification, then they may request a withdrawal\ + \ of their notification." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + description: "Organizations should ensure that voluntary disclosure submissions\ + \ contain all the required information, provide appropriate documentation,\ + \ and enclose the certification required in ITAR \xA7 127.12(e). Consistent\ + \ with these requirements, voluntary disclosures should demonstrate that the\ + \ organization conducted a thorough root cause analysis to determine why ITAR\ + \ violations occurred, including by identifying whether the violations are\ + \ systemic." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c + description: "In the event the organization\u2019s policies and procedures should\ + \ have prevented a violation, the disclosure should identify the business\ + \ units that had ownership of the specific policies and procedures at issue\ + \ and explain how those units have been held accountable. Voluntary disclosures\ + \ should also demonstrate that the organization developed and has either implemented\ + \ or has plans to implement corrective actions that address the root causes\ + \ and prevent the recurrence of similar violations." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4 + ref_id: ELEMENT 4D + name: Communicate Potential Consequences of ITAR Violations to Employees + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d + description: 'Management should ensure that all employees understand their legal + obligations under the AECA and ITAR, as well as consequences for violating + those obligations. Management should make available educational materials + and post visual reminders to all relevant employees that underscore the following:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: ITAR controls ensure that commercial exports of defense articles + and defense services advance U.S. national security and foreign policy objectives. + Criminal and civil penalties for violating the ITAR are severe because such + violations may harm U.S. national security and foreign policy. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: Criminal convictions for willful ITAR violations can result in + a maximum criminal penalty of $1,000,000 per violation, imprisonment of up + to 20 years per violation, or both. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: Organizations and/or individuals criminally convicted of ITAR violations + will also be subject to statutory debarment that renders them ineligible to + participate directly or indirectly in defense trade for a specified period. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: Civil penalties for ITAR violations can result in a fine of more + than $1,200,000 per violation, and that amount increases annually to adjust + for inflation. DDTC imposes civil penalties based on strict liability unless + otherwise specified in the text of the ITAR. This means that organizations + and/or individuals may be held civilly liable for ITAR violations even if + they did not know or have reason to know that they were violating the ITAR. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: Any ITAR violation, regardless of intent, may trigger administrative + debarment if the violation provides DDTC with a reasonable basis to believe + that the violator cannot be relied upon to comply with the ITAR in the future. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: Administrative settlements typically include the execution of a + Consent Agreement under which the respondent is required to institute enhanced + compliance measures for a period of two to four years. 
Instituting these enhanced + compliance measures is typically time and resource intensive for most organizations. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1 + description: "Administrative settlements are posted publicly on DDTC\u2019s\ + \ website, which may result in both negative publicity and reputational damage\ + \ for the respondent." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d + description: Management should also ensure that employees understand other potential + consequences, including possible disciplinary actions, for ITAR violations + within an organization. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5 + assessable: false + depth: 1 + ref_id: ELEMENT 5 + name: ITAR TRAINING + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5 + ref_id: ELEMENT 5A + name: ITAR Training Programs + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a + name: ITAR Training Programs Basics + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1 + description: ITAR training programs should be tailored, dynamic, up-to-date, + and adequately resourced. They should also clearly identify the job-specific + export control responsibilities for all employees. 
Programs should allot sufficient + time for employees to complete their training, and they should offer training + on a recurring basis, at a minimum annually. Organizations should maintain + accurate training records to verify that employees have completed all relevant + compliance-related training sessions. In addition to offering formal ITAR + training sessions on a recurring basis, organizations should make available + ITAR training resources that employees may consult at any time. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a + name: Tailoring ITAR Training Programs + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2 + description: 'Organizations should ensure that ITAR training programs are tailored + to address their specific compliance risks. 
Some of the risks that organizations + should consider when designing an ITAR training program include the following + and discussed in detail in Element 6 of this document:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1 + description: The nature and scope of their defense articles and defense services + being provided; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1 + description: The parent, subsidiaries, affiliates, suppliers, customers, clients, + business partners and other relevant parties with which they interact, directly + or indirectly; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1 + description: The geographic regions in which they operate; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1 + description: The duties and responsibilities of the employees and other personnel + being trained. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a + name: Implementing Dynamic and Up-to-Date ITAR Training Programs + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3 + description: "ITAR training programs should be dynamic and reviewed periodically\ + \ for updates and revisions based on changes in the organization\u2019s commodities\ + \ and their end uses and end users, as well as any changes to the ITAR or\ + \ guidance from DDTC. Organizations should monitor the Federal Register and\ + \ DDTC\u2019s website routinely for ITAR-related updates that should be integrated\ + \ into recurring training sessions. Organizations should also establish a\ + \ mechanism to disseminate ITAR-related updates to personnel in a timely manner\ + \ in between training sessions, such as through organization-wide email updates" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3 + description: "Organizations should also stay informed of export compliance best\ + \ practices and monitor relevant publications that may describe export compliance\ + \ enhancements and lessons learned from export control violations by other\ + \ organizations. 
For instance, upon learning of an ITAR violation or \u201C\ + close call\u201D within one\u2019s own organization, or identifying vulnerabilities\ + \ in the organization\u2019s ICP, or obtaining a negative testing result or\ + \ audit finding, organizations should use such incidents to provide specific\ + \ training to relevant personnel within the organization, in addition to taking\ + \ corrective action." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a + name: Hiring Knowledgeable and Experienced Trainers + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4 + description: An effective ITAR training program requires knowledgeable, experienced + trainers. Organizations should ensure their trainers are subject matter experts + on the ITAR who keep well-informed regarding the latest changes to the ITAR, + guidance from DDTC, and industry best practices. Internal trainers should + pursue their own continuing education to ensure that they remain subject matter + experts in the field. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5 + ref_id: ELEMENT 5B + name: "Tiered Training Based on Each Employee\u2019s Functions" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + description: "Organizations should adopt a tiered ITAR training program based\ + \ on the responsibilities of each employee and other personnel within the\ + \ organization. 
Organizations should tailor their ITAR programs as specifically\ + \ as possible to help employees and other personnel understand their specific\ + \ export control responsibilities in light of the organization\u2019s risk\ + \ profile. Organizations should provide their employees and other personnel\ + \ with different levels and types of ITAR training depending on the knowledge\ + \ and skills needed to perform their job functions and the compliance risks\ + \ that arise in each position. For example, training programs could be divided\ + \ into four tiers, directed at four categories of positions within the organization,\ + \ as reflected in the pyramid diagram above and described below. Smaller organizations\ + \ may adopt this tiered approach or provide comprehensive ITAR training to\ + \ all personnel." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + ref_id: Tier 1 + name: General ITAR Training for All Personnel + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1 + description: "For the first and bottom tier \u2013 all personnel \u2013 training\ + \ should cover the basics of export controls and should be comprehensible\ + \ for a broad audience with little or no background in export controls or\ + \ the ITAR. Generally, this level of training is provided to all personnel\ + \ within organizations. Organizations should provide the training to all new\ + \ hires and contractors during the onboarding process and then reinforce that\ + \ training through periodic education and awareness activities to those with\ + \ little or no exposure to exports." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1 + description: "Tier 1 training should provide all personnel within the organization\ + \ a basic understanding of the ITAR and a clear understanding of everyone\u2019\ + s shared export compliance responsibilities within the organization. Tier\ + \ 1 training should, at a minimum, cover the following topics:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: 'Basic ITAR overview, including:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1 + description: Regulated activities; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1 + description: Key ITAR definitions, including export, foreign person, technical + data, defense service, and defense article, and provide real world examples + specific to the organization's business; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1 + description: Licenses or other approvals; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1 + description: How ITAR violations occur. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: "Overview of the organization\u2019s ICP" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Recordkeeping procedures + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: "Red flags specific to the organization\u2019s business" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Screening requirements + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Practical advice and case studies to address real-life scenarios + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Company-specific risk profile and high-risk compliance areas + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Reporting ITAR violations + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: 
'Potential consequences of violating the ITAR:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9 + description: Strict liability for civil violations; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9 + description: Civil and/or criminal monetary penalties; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9 + description: Imprisonment for criminal violations; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9 + description: Debarment + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Enhancing ITAR-compliance processes + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2 + description: Organization charts and contact information for key export compliance + personnel, Empowered Officials, and other relevant personnel. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + ref_id: Tier 2 + name: Senior Management + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2 + description: "For the second tier \u2013 senior management \u2013 training should\ + \ be more detailed and include more than just the basics of export controls.\ + \ Senior management must have a thorough understanding of export controls\ + \ to properly comprehend the compliance risks associated with the organization\u2019\ + s activities and risk profile. Organizations with a Board of Directors or\ + \ a Board of Trustees should conduct the same type of top-level briefing for\ + \ them as well." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2 + description: 'Tier 2 training should provide senior management with an intermediate + level of understanding of the ITAR and a clear understanding of the critical + role senior management plays in ITAR compliance within the organization. 
In + addition to topics covered in Tier 1, Tier 2 training should, at minimum, + include an intermediate ITAR overview and the following topics:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + description: "Detailed description of the organization\u2019s ICP;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + description: The importance of communicating management commitment to complying + with U.S. export controls; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + description: Allocating appropriate resources and hiring adequate staff to ensure + ITAR compliance; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + description: Creating and maintaining a culture of ITAR compliance within the + organization; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2 + description: A detailed description of the potential consequences of violating + the ITAR. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + ref_id: Tier 3 + name: Positions with Export Functions + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3 + description: "The specific personnel that fall in the third tier \u2013 positions\ + \ with export functions \u2013 will vary from one organization to another,\ + \ depending on the organization\u2019s activities. For most companies, it\ + \ will likely include program management, technical, and/or engineering personnel\ + \ with access to ITAR-controlled defense articles, shipping and receiving,\ + \ supply chain, business development, human resources, and IT." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3 + description: For universities, it will likely include administrative staff, + researchers, faculty and/or principal investigators involved in activities, + including, e.g., contracts and grants, product development, and research labs, + as well visiting foreign students and scholars participating in controlled + research. Organizations should provide more detailed and targeted ITAR training + to such personnel, at a minimum, on an annual basis. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3 + description: 'Tier 3 training should provide relevant employees with export + functions with an advanced- level understanding of the ITAR and their significant + export compliance responsibilities within the organization. 
In addition to + topics covered in Tiers 1 and 2, as appropriate, Tier 3 training should, at + minimum, cover the following additional topics:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: How to handle technical data, including marking procedures; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Deemed exports; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Jurisdiction and classification; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Pertinent USML Categories; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Export authorization approval process; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: License conditions and exceptions; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Exemptions applicable to business; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:8 + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Agreement and license types; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Non-Disclosure Agreements; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Recordkeeping; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3 + description: Targeted training to individual roles. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + ref_id: Tier 4 + name: Export Compliance Team + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4 + description: "The final and top tier of the training program comprises the export\ + \ compliance team, including the EO, export compliance manager, compliance\ + \ supporting staff, and legal counsel advising on export compliance issues.\ + \ Training for this group should be thorough and detailed and include not\ + \ only the organization\u2019s ICP but training on all export control regulations\ + \ that could impact the organization\u2019s exporting activities." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4 + description: Compliance managers and their team also need to receive training + on potential future needs for their organization, including mergers, acquisitions, + or divestitures, development of a new product line, expansion into a new region + of the globe, or new developments in U.S. foreign policy. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4 + description: 'Tier 4 training should provide the export compliance team with + an expert-level understanding of the ITAR and their export compliance responsibilities + within the organization. In addition to topics covered in Tiers 1, 2, and + 3, as appropriate, Tier 4 training should, at minimum, cover the following + additional topics:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + description: Establishing and maintaining ITAR policies and procedures, including + the ICP. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + description: "Obtaining and tracking the use of the organization\u2019s licenses\ + \ and other approvals." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + description: Establishing TCPs. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + description: 'Other detailed training in specific areas of export regulations + relevant to the organization, such as:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4 + description: Export document preparation, + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4 + description: Country-specific diversion risks, + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4 + description: Recordkeeping requirements, and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4 + description: Self-assessments and internal audits. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3 + description: Attending DDTC seminars and other outside training programs as + appropriate. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b + name: Employee Accountability + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2 + description: Organizations should include ITAR training as a requirement in + performance plans and reviews and ensure that employees and other personnel + complete their ITAR training on time. Organizations should also hold employees + and other personnel accountable for both completing their ITAR training in + a timely manner and for completing refresher training to retain their knowledge + from their initial training. Further, at the end of each ITAR training session, + organizations should test employees on the materials and issue a certificate + of completion when they successfully complete the test. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6 + assessable: false + depth: 1 + ref_id: ELEMENT 6 + name: RISK ASSESSMENT + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6 + ref_id: ELEMENT 6A + name: ITAR Risk Assessments + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + name: Basics of ITAR Risk Assessments + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1 + description: Risk assessments are essential tools for building an effective + ICP. 
Risk assessments in the defense trade controls context are evaluations + of the potential compliance risks that are specific to each organization and + that, if left unaddressed, may lead to ITAR violations. Risk assessments therefore + allow organizations to ascertain and analyze the likelihood that ITAR violations + may occur, the most common reasons violations may occur, and the types of + violations that are most likely to occur or would result in the greatest harm. + After understanding the full spectrum of their compliance risks, organizations + should use that data to create effective and tailored ICPs and allocate resources + as appropriate to prioritize and mitigate those risks. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + name: Tailoring ITAR Risk Assessments + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2 + description: "Risk assessments should be tailored to the organization\u2019\ + s ITAR-controlled activities and should identify and analyze all the potential\ + \ ITAR-related risk factors for the organization, whether those risk arise\ + \ inside or outside of the organization. 
Such potential risk factors may include\ + \ the following:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: "Nature and scope of the organization\u2019s commodities;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: "Organization\u2019s customers, suppliers, freight forwarders,\ + \ partners, or other third parties involved in its activities;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: "Organization\u2019s physical and cyber security infrastructure;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: Any foreign parents, subsidiaries, or affiliates; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: " Structure of the organization\u2019s product development, engineering,\ + \ and sales activities;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: Any foreign person employees; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:7 + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1 + description: Geographic regions that the organization operates in or exports + to. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + name: Development of ITAR Risk Assessments + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3 + description: "Organizations should develop a risk-assessment to identify, assess,\ + \ and track risks associated with ITAR compliance. Organizations should regularly\ + \ update their ITAR risk assessments to account for changes to their risk\ + \ factors. For example, if an organization begins exporting to a new geographic\ + \ area or opens a new foreign office, the organization should update its risk\ + \ assessment accordingly. Updating the risk assessment is also important following\ + \ mergers, acquisitions, and divestitures, particularly if the company merges\ + \ or acquires foreign persons. In addition, organizations should update their\ + \ risk assessment if they discover new or evolving ITAR compliance risks through\ + \ audit findings, ITAR violations or \u201Cclose calls,\u201D employee feedback,\ + \ or any other sources." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3 + description: Organizations may internally design, update, and conduct the ITAR + risk assessment, or they may retain outside ITAR experts to do so. 
Organizations + should ensure that their original risk assessments and any updates, as well + as any changes to ICPs because of their risk assessments, are fully documented + and preserved. DDTC recommends examining the Sample Audit Checklists in Element + 7 to help assess and determine possible risk factors. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + name: Frequency of ITAR Risk Assessments + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4 + description: Organization should periodically review risk assessments to determine + whether its risks are properly addressed. Periodic risk assessments will depend + on specific circumstances and how quickly risks change. There is no one-size-fits-all + approach for updating risk assessments, but organizations should ensure that + the frequency is adequate to accurately account for the potential ITAR compliance + risks at any given time. For example, the organization may decide to conduct + a company-wide risk assessment every year or perform targeted risk assessments + focused on certain risk areas on an ad-hoc basis throughout the year. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a + name: Prioritizing and Mitigating ITAR Compliance Risks + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5 + description: After performing their ITAR risk assessments, organizations should + analyze and prioritize those risks based on all relevant factors, including + the likelihood that such risks would result in ITAR violations. Organizations + should then integrate their risk-based analysis and prioritization into their + ICPs and allocate resources as appropriate to mitigate those risks. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6 + ref_id: ELEMENT 6B + name: Addressing Common ITAR Risk Areas + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b + description: 'This section identifies some common risk areas for purposes of + conducting ITAR risk assessments and developing and updating ICPs. As described + above, ITAR compliance risks may vary across organizations. 
Organizations + have frequently identified risks in the following areas:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: 'Jurisdiction and Classification: ITAR violations frequently result + from the incorrect jurisdiction and classification of defense articles and + defense services.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: 'Authorization Management: ITAR violations frequently result from + failing to adhere to the terms and conditions of licenses and agreements.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: 'Foreign Person Employees or Visitors: foreign person employees, + visitors, etc. may pose a compliance risk to organizations if they are not + properly authorized to have access to defense articles, including technical + data, or receive defense services. ITAR violations frequently result from + companies that allow foreign person employees to access technical data stored + on internal company networks without first obtaining a license.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: "Vetting of Parties and Verification of End Users: customers and\ + \ other parties to a transaction present a compliance risk for exporters.\ + \ It is the exporter\u2019s responsibility to vet customers and other parties\ + \ to a transaction. 
ITAR violations regularly occur when organizations fail\ + \ to perform sufficient due diligence and defense articles are used in a manner\ + \ that is inconsistent with the DDTC authorization." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: "License Exemptions: the ITAR contains various license exemptions\ + \ that do not require a request for approval from DDTC. ITAR violations routinely\ + \ result from failing to meet and document each exemption\u2019s requirements." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: "International Travel: employees that travel internationally with\ + \ organization-issued hardware or software and employees that can access their\ + \ employer\u2019s networks and databases while overseas may present a substantial\ + \ compliance risk, particularly if ITAR-controlled technical data is saved\ + \ on portable devices or if it is accessible or downloadable without adequate\ + \ IT security measures. Employees may provide defense services during trade\ + \ shows, business development, or training/maintenance on defense articles." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: 'Facility Visits: failing to verify the U.S.-person status of all + visitors in advance of plant tours or facility visits in the U.S. creates + the risk of inadvertent release of ITAR-controlled technical data. Organizations + may seek a license or other approval from DDTC, as appropriate, in advance + of foreign person visits. 
For facility visits at non-U.S. subsidiaries, failing + to verify citizenship and the organization they represent against the license + or other approval.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1 + description: 'Inventory Management: Inventory management and tracking of ITAR- + controlled items can also present compliance risks. ITAR violations may result + from organizations not adequately securing their inventory of defense articles + and not tracking them appropriately once exported.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b + description: See DDTC's website for the DDTC ITAR Risk Matrix, and supplementing + University- specific Risk Matrix, that outline important areas of risk to + consider when analyzing an ITAR compliance program. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7 + assessable: false + depth: 1 + ref_id: ELEMENT 7 + name: AUDITS & COMPLIANCE MONITORING + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7 + ref_id: ELEMENT 7A + name: Audits + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + description: Comprehensive, independent, and objective audits, performed regularly, + assist organizations in determining the effectiveness of their ICP. Such audits + allow organizations to identify deficiencies in their ICP and remediate them. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + name: Audit Personnel + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2 + description: 'Organizations should assemble an internal team or, as appropriate, + hire external third parties to conduct periodic ITAR compliance audits. If + the organization already has an auditing team, it should incorporate ITAR + policies and procedures with corporate audits. Auditors, whether internal + or external, should determine the appropriate type and scope of the audit. + Organizations should ensure their auditors have sufficient:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1 + description: Qualifications, technical knowledge, strong ITAR expertise, and + sufficient resources to conduct the audit; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1 + description: Authority to ensure employees comply with audit-related requests + for information; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1 + description: Independence from the audited activities; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:4 + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1 + description: "Autonomy and independence from management, including direct access\ + \ to any relevant employees, the board of directors, and/or the board\u2019\ + s audit committee." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + name: Audit Methodology + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3 + description: 'Audits should consist of:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1 + description: Interviews with relevant functional area personnel, as well as + the compliance team and senior management, as appropriate; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1 + description: Document collection and review; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1 + description: Access to IT systems; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1 + description: Site visits, as appropriate. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3 + description: "Auditors should maintain a detailed log to track the progress\ + \ of documents requested and obtained, interviews requested and completed,\ + \ and sites visited. The auditors should coordinate all interviews with the\ + \ organization\u2019s compliance department, as appropriate. The audit team\ + \ should review all documents provided by the relevant business units in the\ + \ development of checklists to be used when conducting the interviews and\ + \ site visits. See Section C below for examples of such checklists." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + name: Types of Audits + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4 + description: Different types of audits serve different purposes, and organizations + should develop, as appropriate, an audit strategy, utilizing the different + types of audits listed below, that is right for their circumstances. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1 + description: 'Functional-Level Audits: functional-level audits look at distinct + areas of compliance programs, e.g., recordkeeping or shipping procedures. + This audit type can help identify risk areas at an early stage and provide + an opportunity to correct any deficiencies. 
Functional-level audits should + be conducted more frequently than program-level audits because they are smaller + in scale.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1 + description: 'Program-Level Audits: at the program-level, organizations should + conduct internal audits as periodically as appropriate. Program-level audits + should include both a review of all export policies and procedures and an + assessment of whether each business unit implemented such policies and procedures.' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1 + description: "External Audits: external audits can provide an unbiased, third-party\ + \ evaluation of an organization\u2019s overall compliance program and practices.\ + \ Organizations should consider the use of an outside auditor periodically,\ + \ as appropriate." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + name: Audits in the Context of Mergers, Acquisitions, and Divestitures + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5 + description: Audits may be appropriate when mergers, acquisitions, and divestitures + (MAD) occur. Pursuant to ITAR part 122, DDTC registrants must notify DDTC + within specific timeframes regarding certain changes in registration, including + ownership and legal organizational structure. 
Many of these notice requirements + arise during the pre- and post-closing processes of MAD transactions. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5 + description: "Acquiring organizations should conduct due diligence reviews of\ + \ target organizations that engage in ITAR-controlled activities. Due diligence\ + \ reviews should assess the effectiveness of the target organization\u2019\ + s ITAR compliance program and identify potential past ITAR violations. In\ + \ the event such ITAR violations have not already been reported to DDTC, the\ + \ target organization or the acquiring organization are strongly encouraged\ + \ to submit a voluntary disclosure prior to or immediately after closing,\ + \ as appropriate." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5 + description: The acquiring organization should conduct an audit after closing + the merger, acquisition, or divestiture. The appropriate scope of any post-closing + audit will vary depending upon the circumstances. If the acquiring organization + uncovers numerous unresolved compliance issues in its pre- closing due diligence, + an in- depth audit may be appropriate. If, on the other hand, the target organization + had a robust compliance program and provided documentation of regular audits + and remedial actions, the acquiring organization may choose to perform a functional + audit instead. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5 + description: "Acquiring organizations should ensure that any continuing ITAR\ + \ violations by the acquired organization identified through the post-acquisition\ + \ audit are stopped and remediated. Organizations should follow the relevant\ + \ procedures in ITAR \xA7 127.12 to investigate and voluntarily disclose the\ + \ violations to DDTC." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a + name: Sharing Audit Findings and Following Up + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6 + description: After the auditors complete their interviews, document collection + and review, and site visits, they should write a draft audit report. The draft + audit report should include an executive summary, findings and recommendations, + and appendices that explain the methodology, including the interviews conducted, + documents reviewed, and sites visited. Prior to finalizing the audit report, + the auditors should share their findings and recommendations with the relevant + business units to correct any inaccuracies. After making any final modifications, + auditors should brief senior management on the audit findings and recommendations. + Organizations should ensure the final audit report is provided to all relevant + business units, as well as senior management. Organizations should maintain + audit reports for at least five years. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6 + description: If an audit report includes recommendations for revisions to procedures + or corrective actions, organizations should include specific timetables and + an implementation plan for management to approve. Organizations should continue + to track the progress of corrective actions until they are completed. Once + corrective actions are completed, organizations should prepare an additional + report to management, and compliance personnel should confirm that each corrective + action has been fully implemented. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6 + description: Each vulnerability or violation identified in an audit is an opportunity + for organizations to improve their ICP. Organizations should incorporate these + lessons learned into training programs and their ICP in order to share them + across business units and functions. Organizations should also actively plan + to remediate deficiencies in their ICPs that audit findings identify. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7 + ref_id: ELEMENT 7B + name: Compliance Monitoring + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b + description: 'In addition to conducting periodic audits, organizations should + regularly review their ICPs and amend their ITAR compliance policies and procedures + as appropriate in response to:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + description: Any changes to the ITAR or DDTC guidance; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + description: Export compliance best practices and lessons learned from export + control violations by other organizations; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + description: "Lessons learned from any ITAR violations or \u201Cclose calls\u201D\ + \ within the organization;" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + description: "Vulnerabilities identified in the organization\u2019s ICP, or\ + \ negative testing results or audit findings; and/or" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:5 + 
assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1 + description: "Changes to an organization\u2019s ITAR risk factors, including\ + \ where such risk factors have changed because of a merger, acquisition, and/or\ + \ divestiture, or where there are changes to the organization\u2019s product\ + \ line, services, or customers." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7 + ref_id: ELEMENT 7C + name: Sample Audit Checklists + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + description: "The following are sample checklists that auditors should further\ + \ develop before conducting an audit. Auditors should use these sample checklists\ + \ to formulate document requests and interview questions for employees within\ + \ the relevant functional areas of organizations. These sample checklists\ + \ are not intended to be exhaustive, and they may not all be applicable to\ + \ every organization. Auditors should customize checklists based on relevant\ + \ factors, including an organization\u2019s specific activities and risk profile." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Management + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: &id001 + - 'Yes' + - 'No' + - Alternate + - N/A + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:question:1 + text: "Has senior management issued a formal statement clearly communicating\ + \ your organization\u2019s commitment to compliance with U.S. export control\ + \ laws and regulations?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:1:question:1 + text: "Does this statement include contact information for the person and\ + \ Empowered Official primarily responsible for your organization\u2019\ + s export compliance?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:2:question:1 + text: Is this statement easily accessible online or in print? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:3:question:1 + text: Has this statement been distributed to all employees whose work is + impacted by export regulations? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:4:question:1 + text: "Are employees whose work is impacted by export regulations required\ + \ to sign an acknowledgment that they understand the organization\u2019\ + s obligation to comply with U.S. export laws and its commitment to compliance?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:5:question:1 + text: Does your management assess ITAR compliance resource needs at least + on an annual basis? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:6:question:1 + text: Has senior management communicated its commitment to compliance directly + to those in leadership/authority positions, particularly business leads + over the areas of the organization where export-controlled work is performed? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:question:1 + text: Has your organization drafted, implemented, and disseminated written + policies and procedures regarding export trade compliance? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:1:question:1 + text: Are these policies and procedures widely disseminated and readily + accessible throughout your organization? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:2:question:1 + text: Does your organization ensure that the policies and procedures are + followed? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:3:question:1 + text: Does your organization make available to all employees an organizational + chart that clearly identifies personnel with authority over export control + matters? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:question:1 + text: " How does the trade compliance office support your organization\u2019\ + s different divisions in general and management in particular?" 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:1:question:1 + text: How many trade compliance personnel do you have on staff? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:2:question:1 + text: Do you believe the trade compliance function is adequately staffed + to support your organization? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:3:question:1 + text: To whom does the trade compliance function report? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:4:question:1 + text: Do trade compliance personnel participate in staff meetings? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:5:question:1 + text: Are trade compliance staff integrated into business development decisions? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Trade Compliance + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:1:question:1 + text: Does the trade compliance function have sufficient support from management? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:question:1 + text: Is trade compliance your primary area of responsibility? Do you have + any other responsibilities within your organization? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:1:question:1 + text: Who is your backup when you are out of the office? Is that person + properly trained, and do they have the authority to act on your behalf? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:question:1 + text: Does your organization provide tailored training for different functional + areas, e.g., program management, business development, contracts, procurement, + etc.? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:1:question:1 + text: How often and what type of training do trade control personnel receive + annually? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:2:question:1 + text: Who is responsible for export control training? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:question:1 + text: Does the trade compliance office routinely conduct risk assessments + for the organization? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:1:question:1 + text: Have you determined areas of your organization that currently perform + or are likely to perform ITAR-related activities? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:2:question:1 + text: Have you identified and implemented measures to address risk areas? + If so, have you conducted an inventory of these areas to confirm whether + they currently contain or are likely to receive or develop any defense + articles, defense services or technical data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:5:question:1 + text: How does your organization classify its commodities? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:6:question:1 + text: Does your organization maintain a product/technology matrix with USML + categories? If so, how and by whom is the matrix maintained and updated? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:question:1 + text: What processes are in place for reporting potential ITAR violations? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:1:question:1 + text: "Does a \u201Chotline\u201D within the organization exist where employees\ + \ can report potential violations, including anonymously?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:2:question:1 + text: Does management support investigations into potential violations? + Is there support from management to hold personnel responsible for violations? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:3:question:1 + text: Who is responsible for investigating potential violations? If outside + counsel is involved, is the Empowered Official also involved in the review + and findings? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:4:question:1 + text: What process is used to ensure corrective actions, if any, are put + in place and verified? Who is responsible for this action? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:5:question:1 + text: Does the Empowered Official have the authority and backing from management + to stop any actions that may lead to a violation? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:question:1 + text: Do you have a system/process in place to assess, review, and identify + areas where a license, exemption, or other approval will be required? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:1:question:1 + text: What is the volume of licensing activity in each business unit? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:2:question:1 + text: Who determines whether a license is needed from DDTC? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:3:question:1 + text: Who is responsible for submitting export license requests to the DDTC? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:4:question:1 + text: How is party screening performed and who is responsible for this process? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:5:question:1 + text: What are the procedures for responding to negative/positive screening + responses? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:6:question:1 + text: "When a license or other approval is received, explain the process\ + \ for implementing the authorization within your organization\u2019s divisions,\ + \ e.g., how do you ensure that licenses are properly decremented and that\ + \ temporary exports are returned? Who is responsible for meeting any conditions\ + \ of approvals?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:7:question:1 + text: Explain how you track licenses, agreements, and other approvals to + ensure you properly close them out, seek a replacement, or request an + extension for an authorization. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:8:question:1 + text: How do you track the release of technical data via telephone, fax, + email, hand carry or other means? How do you document these releases to + authorized foreign person employees? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:9:question:1 + text: "How often does the organization\u2019s trade compliance office perform\ + \ audits on licenses and other authorizations? What percentage (random,\ + \ 5-10%, 50%, or 100%) is used when conducting such audits? Where are\ + \ the results of the audits stored?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:10:question:1 + text: Do policies and procedures exist regarding the recordkeeping and reporting + requirements under the ITAR and are those policies and procedures readily + available to employees? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:11:question:1 + text: "Who ensures that employees are complying with ITAR recordkeeping\ + \ and reporting requirements, as well as whether personnel are complying\ + \ with our organization\u2019s policies and procedures?" 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:question:1 + text: Does your organization verify that suppliers are able to properly + handle ITAR-controlled defense articles and defense services, including + technical data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:1:question:1 + text: Do your suppliers employ foreign persons? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:2:question:1 + text: "Do your suppliers always provide an export classification of the\ + \ parts being procured? If not, the organization may want to obtain the\ + \ proper classification of suppliers\u2019 parts." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:3:question:1 + text: Do you have a supplier due diligence process? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:4:question:1 + text: If you provide ITAR-controlled technical data to suppliers, do you + consistently identify defense articles, including technical data, as such? + Do you include markings on the technical data itself and on packing materials, + emails, etc.? Do you ensure that suppliers understand their obligations + under the ITAR not to export, reexport, or retransfer that technical data + without first obtaining DDTC approval? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:5:question:1 + text: Do your terms and conditions include trade controls related requirements + such as compliance with the ITAR? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:10:question:1 + text: Are trade compliance personnel invited to business development meetings + so that they can properly anticipate and prepare for business pursuits + that may require authorizations from DDTC in the future? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:question:1 + text: Are engineering or business development personnel aware that a license + is needed to export technical data or provide defense services to foreign + customers? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:1:question:1 + text: If not, what level of training is provided to business development + personnel prior to meeting with a foreign customer. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:question:1 + text: Are trade compliance personnel aware of meetings with foreign customers + concerning ITAR-controlled programs? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:1:question:1 + text: What is the process for approving any international travel? Are trade + compliance personnel aware of all such travel? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:2:question:1 + text: Is export compliance training provided prior to any international + travel? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:3:question:1 + text: Does your organization have a mobile device (laptop and hand- held + devices) policy? Are employees trained on the appropriate use of such + devices when traveling abroad? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:4:question:1 + text: What policy is in place to address hand-carry of defense articles + outside of the U.S.? Who is responsible for overseeing this process and + what measures are in place to control this type of export? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Program Management / Principal Investigators + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:question:1 + text: What training have you received regarding export compliance, and how + often is it repeated? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:1:question:1 + text: Do you know whom to contact if you have any questions regarding export + compliance? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:2:question:1 + text: What procedures exist for approving international travel? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:3:question:1 + text: What procedures exist for safeguarding technical data or other proprietary + information on mobile devices while traveling internationally? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:4:question:1 + text: What procedures exist for approving what information may be shared + during meetings with foreign nationals, regardless of the location, domestic + or internally? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:5:question:1 + text: How do you comply with the terms of any export license or other approvals? + Who is ultimately responsible for managing authorizations? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:6:question:1 + text: How do you coordinate with the shipping and receiving department regarding + exports and temporary imports of ITAR-controlled defense articles? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:7:question:1 + text: What is the process for repair and return of parts? How is this coordinated + with the various functional areas of the business unit and customers? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:question:1 + text: Does your organization have a system to capture and track all exports, + including technical data under licenses or other approvals? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:1:question:1 + text: How is this coordinated with the trade compliance team? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:9:question:1 + text: What is the process for determining when a license is required? If + doubts exist, who do you contact? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:10:question:1 + text: Is the trade compliance office available to assist and provide you + and your office with timely and sound advice? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:11:question:1 + text: What is the process for hosting foreign persons to your facility. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Human Resources + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:question:1 + text: "What is your organization\u2019s process for hiring a foreign person?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:1:question:1 + text: When an internal request is made to hire a foreign person, does human + resources (HR) verify whether that person will have access to controlled + data or any manufacturing processes? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:2:question:1 + text: Does HR screen potential applicants before they hired? How do they + screen? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:3:question:1 + text: Once a potential foreign person hire is screened, does HR share the + results with the office over trade compliance before extending an employment + offer? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:4:question:1 + text: Is proof of the U.S.-person status verified at the time of hiring? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:5:question:1 + text: How are foreign person employees identified within your organization + (special badge, IT, etc.)? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:6:question:1 + text: Are foreign person employees required to sign non-disclosure agreements? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:7:question:1 + text: Does your organization hire from third-party vendors, e.g., a temp + agency? If so, how are nationalities of the persons hired confirmed? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:8:question:1 + text: Does your organization hire contractors that employ foreign persons? + If so, how is that process conducted and coordinated? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:question:1 + text: If foreign persons are hired, how does HR coordinate the hiring with + the trade compliance office? When is the process started? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:1:question:1 + text: "Does the trade compliance office include HR in the export compliance\ + \ training module, and, if so, how is HR\u2019s role characterized?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:2:question:1 + text: Is there a process in place between HR and the trade compliance office + and/or program management for obtaining a license or other authorization + and, if needed, any renewals necessary for the continued employment of + a foreign person employee? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:3:question:1 + text: If a foreign person is relocated to another location/program within + your organization, how is HR/trade compliance office notified? What are + the procedures for handling the transfer process? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:3:question:1 + text: If a foreign person employee is terminated, does HR coordinate with + trade compliance office, and, if so, in what manner? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Business Development / Sales + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:question:1 + text: In general, how does Business Development (BD) handle potential opportunities + outside the United States, and how does BD coordinate with the trade compliance + office? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:1:question:1 + text: "Does BD receive tailored export control training? Who is BD\u2019\ + s POC within the trade compliance office?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:2:question:1 + text: "For international proposals, how would you assess BD\u2019s knowledge\ + \ and training regarding whether export authorization is necessary?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:3:question:1 + text: At what point is the trade compliance office consulted and brought + into the process when dealing in international opportunities or proposals? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:4:question:1 + text: Is the trade compliance office consulted in the early stages of internal + opportunities? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:5:question:1 + text: What procedures exist to screen potential business opportunities (parties)? + How do you coordinate screening with the trade compliance office? If you + obtain a negative result, who makes the final call? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:6:question:1 + text: Does your organization use any international consultants? If so, how + is this coordinated and controlled? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:7:question:1 + text: What processes exist for determining whether any BD activity requires + reporting of fees or commissions pursuant to ITAR part 130, and who is + responsible for filing those reports? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:question:1 + text: What is the process for attending a general trade show? How does BD + coordinate with the trade compliance office for trade shows? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:1:question:1 + text: Does BD think of the trade compliance office as a partner in planning + for participation in trade shows? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:2:question:1 + text: Does export compliance provide accurate and timely guidance to BD + in advance of trade shows? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:3:question:1 + text: ' If controlled technical data or a mockup or model are used at a + trade show, how does BD coordinate the licensing requirements with the + trade compliance office?' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:4:question:1 + text: Who is responsible for protecting and securing defense articles at + trade shows? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:5:question:1 + text: Is there a process for determining what is considered public domain + information that may be used at trade shows? Who and how is that determination + made? Is such material appropriately marked? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:6:question:1 + text: Is BD aware of and does it understand how to obtain authorization + to designate controlled data into the public domain? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:3:question:1 + text: If operating under a license, how is the license is implemented and + how are its conditions of approval met? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:4:question:1 + text: What is the policy for BD personnel traveling overseas with mobile + devices? Please explain how this is coordinated with IT and the trade + compliance office. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:5:question:1 + text: Does your organization permit hand-carry exports to occur? If so, + please explain the procedures. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:6:question:1 + text: ' How are meetings with foreign persons recorded? What is the procedure + for conducting such meetings?' 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:question:1 + text: How does your organization handle a visit by a foreign person? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:1:question:1 + text: Does your organization have an established procedure to conduct a + plant tour? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:2:question:1 + text: Does trade compliance review and approve foreign person visitors in + advance, e.g., are your foreign person visitors screened against restricted/denied + party lists before they visit? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:3:question:1 + text: Are foreign person visitors always escorted by a U.S. person employee + of your organization? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:4:question:1 + text: While visiting your organization, do visitors always wear badges that + clearly indicate they are non-U.S. Persons? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Engineering / Product Development / Technical Roles + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:1:question:1 + text: How are products or technologies developed? Is it a global or multiparty + process? Are the parties you work with screened prior to collaboration? + If so, who conducts the screening and where are the records kept? If not, + why not? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:2:question:1 + text: What are the procedures used to develop and distribute product or + technology export classifications? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:3:question:1 + text: Are relevant employees trained on processes of jurisdiction and classification, + including the order of review? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:4:question:1 + text: What are the procedures for controlling visitors to access facilities, + especially foreign nationals if involved in the process? Visitor access + to company computer systems? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:5:question:1 + text: Are there formal procedures for the release of sensitive data to third + parties? Is there a mechanism in place to notify and bind recipients of + such data to follow company policy and export control laws? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:6:question:1 + text: "Who is responsible for assessing a commodity\u2019s end use or application?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:7:question:1 + text: With whom in the company is end-use or application specific evaluations/determinations + shared? Does that include trade compliance personnel for purposes of export + classification? Where in the development process is export compliance + consulted? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:8:question:1 + text: "Where is product or technology development information stored? In\ + \ hard copy, on site? In hard copy, with the third parties? Electronically\ + \ \u2013 e.g., File Transfer Protocol? Cloud-band? Closed system (i.e.,\ + \ non- networked electronic library)? Other?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Commodity Jurisdiction Process/Classification of Products + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:1:question:1 + text: Is there a process for determining what data is considered general + marketing or public domain information versus technical data that requires + a license or the use of an exemption? What is the process for reviewing + whether the data is in the public domain? Do you clearly identify on the + information itself the ITAR-controlled status of the information? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:2:question:1 + text: Have you developed a standard operating procedure for classification + and designated trained individuals to conduct classification? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:3:question:1 + text: Is a classification review conducted by the Empowered Official in + the compliance office? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:4:question:1 + text: Are procedures in place for ensuring that no technical data is exported + to potential foreign customers or suppliers prior to a review by the trade + compliance office to determine the proper jurisdiction and classification + and any licensing requirements? If so, is there a process for ensuring + that all functional areas (i.e., sales, marketing, business development, + procurement, and program management, etc.) are aware and properly trained + to those requirements? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:question:1 + text: 'If the company purchases or obtains controlled products or technology, + does it:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:1:question:1 + text: Determine the proper jurisdiction of the article from the original + equipment manufacturer? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:2:question:1 + text: If required, implement a technology control plan for the products + or technology obtained? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:3:question:1 + text: Maintain records of export activities concerning the product(s)? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Shipping + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:1:question:1 + text: Explain in general the process for handling international shipment + of goods. How is this coordinated with trade compliance? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:2:question:1 + text: Does shipping coordinate sufficiently with the trade compliance office? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:3:question:1 + text: Does shipping and receiving receive adequate support and tailored + training from the trade compliance office? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:4:question:1 + text: Who is responsible for obtaining, contracting, and coordinating with + your freight forwarders or customs brokers? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:5:question:1 + text: How is domestic shipping handled? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:6:question:1 + text: Who in shipping is empowered to authorize a shipment? 
Who is their + backup, and are they sufficiently trained? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:7:question:1 + text: Do written procedures exist for handling incoming shipments from international + customers? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:8:question:1 + text: "Does your organization have procedures in place to provide freight\ + \ forwarders with direction on how to export and temporarily import your\ + \ goods, including obtaining assurances that shipments of ITAR-controlled\ + \ defense articles will not transit ITAR \xA7 126.1 countries?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:9:question:1 + text: What procedures exist for placing a destination control statement + on the necessary paperwork and shipping documents, and who is responsible + for this placement? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:10:question:1 + text: What is the procedure for maintaining shipping records? Where are + they located and for how long are they kept? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:11:question:1 + text: Who is responsible for maintaining empowered attorneys for the freight + forwarders and brokers? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Information Technology + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:1:question:1 + text: Are all IT personnel sufficiently trained regarding export controls? + Is tailored training provided? If so, how, by whom, and how often? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:2:question:1 + text: To what extent and how does IT coordinate with trade compliance regarding + storage and access to export-controlled data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:3:question:1 + text: What are the procedures and criteria for granting access to the system + for employees and contractors? Are they different? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:4:question:1 + text: What limitations and/or restrictions are placed on others who are + not full- time employees of your organization? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:5:question:1 + text: What types of controls are used to prevent unauthorized external access? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:6:question:1 + text: Is there a mechanism in place for tracking what and by whom documents + were accessed, copied, shared, or emailed outside the business? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:7:question:1 + text: What is the policy for remote access of the server by employees and + or contractors, including at both domestic and international locations? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:8:question:1 + text: "Explain in detail your organization\u2019s process for transmitting\ + \ any technical data overseas." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:9:question:1 + text: Does a process exist to label technical data before it is sent out + outside of your organization? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:10:question:1 + text: "When transmitting unclassified technical data using end-to-end encryption,\ + \ are all the requirements of ITAR \xA7 120.54 met?" 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:11:question:1 + text: Is there a system in place to mark or identify electronically technical + data, e.g., do documents containing such data have an export legend citing + the regulatory authority? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:12:question:1 + text: "How are cyber-attacks identified and what is the organization\u2019\ + s investigation and mitigation strategy?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:13:question:1 + text: Is the trade compliance office informed of cyber-attacks? What government + agencies does the organization notify of any cyber-attack? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:14:question:1 + text: Is there a mechanism to check-in and check-out to track the use of + technical data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:question:1 + text: Does your organization have procedures for issuing and using mobile + devices? Does it cover international travel? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:1:question:1 + text: Do employees receive or can they access ITAR-controlled technical + data on mobile devices? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:2:question:1 + text: For international travel, does your organization issue and ensure + that employees travel with clean or sanitized mobile devices? Please explain. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:question:1 + text: What type of server system does your organization use, e.g., are the + servers in-house or leased? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:1:question:1 + text: Is there a protocol in place to retain and backup all emails and documents + on the server? If so, explain how long the documents and emails are retained. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:2:question:1 + text: If necessary, can emails from former employees be retrieved or reconstructed? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:3:question:1 + text: "Where is your server located? If located overseas, do you ensure\ + \ that ITAR-controlled technical data is not stored or backed up to the\ + \ foreign server, unless it meets the criteria set out in ITAR \xA7 120.54(a)(5)\ + \ regarding storage of unclassified technical data secured using end-to-end\ + \ encryption?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:4:question:1 + text: What procedures exist for limiting foreign access to the server by + foreign customers or partners? Does your organization ever allow such + access? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:5:question:1 + text: Are your cloud software systems FedRAMP certified? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:17 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:17:question:1 + text: "What is your organization\u2019s process regarding access to IT servers\ + \ when an employee is terminated from your organization? What measures\ + \ are taken to ensure the former employee can no longer access your organization\u2019\ + s server and information?" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c + name: Physical Security + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:1:question:1 + text: Do you have a process for visitor access? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:2:question:1 + text: How do you process foreign national visitors? For example, screening, + export analysis, badging, IT access, etc. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:3:question:1 + text: How do you prevent visitor access to areas containing sensitive technology + or data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:4:question:1 + text: Do you train physical security personnel to understand where export + control compliance issues arise? Who conducted the training? How often? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:5:question:1 + text: Are export control requirements incorporated in all access procedures? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:6:question:1 + text: Are there any specific technology control plans in place that govern + physical or visual access to controlled products or technical data? + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11 + implementation_groups: + - 7C + question: + question_type: text + question_choices: null + questions: + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:7:question:1 + text: Who manages technology control plans? How often are they reviewed + and updated? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8 + assessable: false + depth: 1 + ref_id: ELEMENT 8 + name: ITAR COMPLIANCE MANUAL + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8 + ref_id: ELEMENT 8A + name: Objectives of the ITAR Compliance Manual + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a + description: "Organizations should develop an ITAR Compliance Manual (ICM) and\ + \ make it available to all employees. The primary objective of the ICM is\ + \ to provide all employees with a written, authoritative source that sets\ + \ forth the organization\u2019s policies and procedures for ITAR compliance\ + \ and that defines clear and consistent responsibilities and expectations\ + \ for employees with respect to ITAR compliance. ICMs are also useful for\ + \ helping organizations preserve institutional memory and share best practices\ + \ regarding ITAR compliance." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8 + ref_id: ELEMENT 8B + name: Drafting an Effective ITAR Compliance Manual + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b + description: "The export compliance team should take the lead in drafting the\ + \ ICM. 
After the export compliance team has developed a draft manual, organizations\ + \ should consider selecting various employees who work in different business\ + \ units outside of export compliance to review and provide feedback on the\ + \ draft. This ensures that the manual incorporates suggestions and clarifications\ + \ from the organization\u2019s various business units. This also helps to\ + \ get their support and buy-in for the ICM. Organizations should obtain final\ + \ approval for the ICM from senior leadership before finalizing the document." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b + description: 'An effective ICM should be well organized, easy to understand, + and should:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: Explain why export compliance is important to the organization, + including the promulgation of an Export Compliance Management Commitment Statement. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: Provide summaries of applicable export laws and regulations. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: What is the role and function of the ITAR Compliance Program? 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: "Identify the roles and responsibilities of relevant export compliance\ + \ personnel and other functional personnel who are responsible for ensuring\ + \ the organization\u2019s compliance with the ITAR." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: Explain how employees should coordinate both within the compliance + function and outwardly with other parts of the organization to ensure ITAR + compliance. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: Capture the day-to-day operations and ITAR compliance risks relevant + to the organization, including through diagrams or other visual aids. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: "Describe in detail the organization\u2019s compliance policies\ + \ and procedures.The ICM should either include or reference the organization\u2019\ + s policies and procedures, which should cover:" + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + description: Preventing, detecting, and reporting AECA and ITAR violations; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + description: Identifying, classifying, and marking defense articles, defense + services, and technical data, to include the evaluation of authorized limits + of software version; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + description: Incorporating AECA and ITAR compliance into management business + plans at the senior executive level and various business functions to ensure + effective compliance; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + description: Obtaining, managing, and complying with the scope of ITAR authorizations; + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + 
description: Maintaining appropriate records; and + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7 + description: Meeting and maintaining adequate AECA and ITAR compliance staffing + levels at all divisions and facilities. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: Include templates, checklists, and/or forms that are applicable + to ITAR compliance within the organization. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2 + description: "The organization\u2019s ITAR compliance training plan for its\ + \ employees." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8 + ref_id: ELEMENT 8C + name: Publication and Access + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c:1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c + description: Organizations should make their ICMs readily available to all employees, + such as by posting the ICMs on internal websites and emailing the ICMs periodically. + ICMs should clearly identify an appropriate point of contact for any questions + and export control concerns. Organizations should also incorporate their ICMs + into their export compliance training programs and encourage employees to + use the ICMs as a reference. 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8 + ref_id: ELEMENT 8D + name: Updating the ITAR Compliance Manual + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d + description: 'Organizations should periodically review their ICMs for updates, + revisions, and improvements based on these factors:' + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1 + description: Any changes to the ITAR or DDTC guidance. + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1 + description: "Best practices and lessons learned from ITAR violations or \u201C\ + close calls\u201D within the organization or other organizations." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1 + description: "Vulnerabilities identified in the organization\u2019s ITAR Compliance\ + \ Program, or negative ad-hoc testing results or audit findings." 
+ - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1 + description: "Key risk aeras and changes to an organization\u2019s ITAR risk\ + \ factors, including where such risk factors have changed because of a merger,\ + \ acquisition, and/or divestiture, or where there are changes to the organization\u2019\ + s product line, services, or customers." + - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d + description: Compliance personnel should have the ability to make suggestions + or changes to internal ITAR-compliance processes and procedures. ICMs should + be updated on a regular basis, at least annually. diff --git a/tools/ITAR/ITAR Compliance Program Guidelines.xlsx b/tools/ITAR/ITAR Compliance Program Guidelines.xlsx new file mode 100644 index 000000000..b38fbc4a9 Binary files /dev/null and b/tools/ITAR/ITAR Compliance Program Guidelines.xlsx differ
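Review bot: In the Information Technology nodes, several question_type values do not match the question text. element-7c:10:16:1 is unique_choice, but its text ends "If so, explain how long the documents and emails are retained", which a single choice cannot capture. element-7c:10:10 asks whether all the requirements are met, a yes/no question, yet it is typed as text while its siblings 10:9 and 10:11 are unique_choice. Suggest splitting 10:16:1 into a choice question plus a text question, and making 10:10 unique_choice. element-7c:8:5 is only the stem "does it:" for its three children but is assessable: true with its own text question; consider assessable: false there, as is already done for the stems element-8b:2 and element-8d:1. Text fixes in the descriptions: "Key risk aeras" in element-8d:1:4 should read "areas", "procedures.The ICM" in element-8b:2:7 is missing a space, "full- time" in element-7c:10:4 has a stray space, and "employees and or contractors" in element-7c:10:7 needs "and/or". element-8b:2:3 (a question) and element-8b:2:9 (a noun phrase) do not complete the parent stem "should:"; if that wording is carried over verbatim from the DDTC document, a short YAML comment saying so would save the next reviewer the same question.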