itar-compliance-program-guidelines.yaml

urn: urn:intuitem:risk:library:itar-compliance-program-guidelines
locale: en
ref_id: ITAR-Compliance-Program-Guidelines
name: ITAR Compliance Program Guidelines
description: "The guidelines contained in this document are intended to provide an\
  \ overview of an effective compliance program and an introduction to defense trade\
  \ controls, including information on the laws and regulations the U.S. Department\
  \ of State, Bureau of Political-Military Affairs, Directorate of Defense Trade Controls\
  \ (DDTC), administers. These defense trade controls are contained in the Arms Export\
  \ Control Act (AECA) (22 U.S.C. \xA7 2751 et seq.) as amended, and the International\
  \ Traffic in Arms Regulations (ITAR), Title 22 of the Code of Federal Regulations\
  \ in parts 120-130, both of which are authoritative on defense trade controls. \n\
  version 09/15/2023\nLink : https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913 "
copyright: Directorate of Defense Trade Controls
version: 1
provider: Directorate of Defense Trade Controls
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:itar-compliance-program-guidelines
    ref_id: ITAR-Compliance-Program-Guidelines
    name: ITAR Compliance Program Guidelines
    description: "The guidelines contained in this document are intended to provide\
      \ an overview of an effective compliance program and an introduction to defense\
      \ trade controls, including information on the laws and regulations the U.S.\
      \ Department of State, Bureau of Political-Military Affairs, Directorate of\
      \ Defense Trade Controls (DDTC), administers. These defense trade controls are\
      \ contained in the Arms Export Control Act (AECA) (22 U.S.C. \xA7 2751 et seq.)\
      \ as amended, and the International Traffic in Arms Regulations (ITAR), Title\
      \ 22 of the Code of Federal Regulations in parts 120-130, both of which are\
      \ authoritative on defense trade controls. \nversion 09/15/2023\nLink : https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913 "
    implementation_groups_definition:
    - ref_id: DDTC
      name: DDTC  Suggestions
      description: DDTC  Suggestions
    - ref_id: 7C
      name: Sample Audit Checklists
      description: Sample Audit Checklists
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1
      assessable: false
      depth: 1
      ref_id: ELEMENT 1
      name: MANAGEMENT COMMITMENT
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1
      ref_id: ELEMENT 1A
      name: Developing and Generating Support for a Culture of Compliance
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a
      description: Management commitment is one of the most important factors in creating
        a deep-rooted culture of ITAR compliance within organizations. While robust
        management commitment alone is insufficient to ensure compliance with all
        relevant U.S. export control laws and regulations, it is essential for fostering
        a proactive compliance posture.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a
      description: "Management includes not only senior management, but also managers\
        \ at all levels within the organization, and the most important stance management\
        \ can take to engender a culture of compliance is to lead by example. Through\
        \ their words and actions, management should encourage compliance and should\
        \ discourage the prioritization of business or other interests over compliance.\
        \ Employees should have a high level of assurance that ITAR compliance is\
        \ management\u2019s greatest priority in all export-related decisions. Management\
        \ should communicate to employees that they are encouraged to raise questions\
        \ or concerns about compliance and potential risk areas and employees will\
        \ not experience retribution or retaliation if they do so. Employees should\
        \ understand that ITAR compliance is everyone\u2019s responsibility within\
        \ the organization."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a
      description: "To help generate support and buy-in among employees, management\
        \ should incorporate compliance into employee performance plans and evaluations.\
        \ Employees should be expected to think about and recommend ways to improve\
        \ compliance and raise concerns when they see a possible problem, and their\
        \ performance plans and evaluations should account for those expectations.\
        \ Additionally, management should recognize and reward employees who speak\
        \ up, even if the problem reported resulted in no specific confirmed violation,\
        \ but perhaps lead to improving the organization\u2019s compliance procedures."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a:4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1a
      description: "In addition, management should communicate to employees that export\
        \ control violations will not be tolerated and may result in disciplinary\
        \ action against the employee, regardless of the employee\u2019s position,\
        \ title, or performance. Management should adopt clear disciplinary procedures\
        \ and consequences for addressing compliance misconduct, should enforce them\
        \ consistently across the organization, and should ensure that they are proportionate\
        \ to the misconduct and appropriate to deter future misconduct."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1
      ref_id: ELEMENT 1B
      name: Demonstrating Management Commitment Through Policies and Procedures
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b
      description: "Management is ultimately responsible for ensuring its organization\u2019\
        s compliance with the ITAR. Management can demonstrate its commitment to ITAR\
        \ compliance by:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1
      description: Creating and maintaining an ICP;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1
      description: "Providing sufficient resources, including time, funding, personnel,\
        \ and training, to implement and maintain an ICP commensurate with the organization\u2019\
        s risk; and"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:1
      description: Creating and maintaining an Export Compliance Management Commitment
        Statement.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b
      name: ITAR Compliance Program
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2
      description: "A critical aspect of management\u2019s effort to demonstrate its\
        \ commitment to compliance with the ITAR is creating and maintaining an ICP.\
        \ An effective ICP should be:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1
      description: In writing and clearly state the organizations ITAR compliance
        policies and procedures;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1
      description: "Specifically tailored to an organization\u2019s ITAR-controlled\
        \ activities and its areas of risk;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1
      description: Regularly reviewed and updated by various business departments
        responsible for complying with the ITAR; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:1
      description: Fully supported by management.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:2
      description: When developing an ICP, management should identify areas that could
        potentially pose a risk of ITAR violations and the lines of authority, e.g.,
        direct, indirect, and unofficial, in those areas that can assist in preventing
        ITAR violations. After an ICP is established, management should remain actively
        engaged in improving the compliance program, e.g., by attending periodic ICP
        resource and planning meetings at which employees can discuss any ITAR compliance
        deficiencies they have identified or propose changes to enhance the ICP.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b
      name: Sufficient Compliance Resources
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:3
      description: "Management should provide compliance personnel with adequate resources,\
        \ including the appropriate training, funding, human capital, organizational\
        \ support, information technology resources, and other resources to fulfill\
        \ their responsibilities and implement an effective ICP. In assessing whether\
        \ such resources are adequate, management should take account of the organization\u2019\
        s size, scope of operations, and overall risk profile."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b
      name: Export Compliance Management Commitment Statement
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4
      description: 'Another critical way to demonstrate strong management support
        for ITAR compliance is to have the Chief Executive Officer, President, or
        other senior executives personally sign an Export Compliance Management Commitment
        Statement that is communicated to employees through all appropriate channels,
        including in the opening pages of an ITAR Compliance Manual, on the corporate
        website, and through periodic email reminders to all employees. The organization
        should review and disseminate this statement at least annually for all employees
        and, as appropriate, all contractors to read and sign. The statement should:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: "Underscore the organization\u2019s commitment to export compliance\
        \ and providing sufficient resources to ensure compliance."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Reference the role and function of the U.S. export control system
        and its importance in protecting the foreign policy and national security
        of the United States.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Affirm that no export shall be made under any circumstances that
        violates or potentially violates the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: "Emphasize the importance of employees understanding the ITAR and\
        \ its impact on their job functions. Employees should also understand specific\
        \ risks of non-compliance regarding an organization\u2019s activities, technologies,\
        \ and export destinations."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Communicate the importance of routine export compliance monitoring
        and auditing.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: "Stress the importance of and/or the requirement to report known\
        \ or suspected violations to the organization\u2019s export compliance department\
        \ anonymously or via an organization\u2019s compliance hotline."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Reiterate that reporting known or suspected ITAR violations in
        good faith will not adversely affect employees.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Reiterate that reporting known or suspected export violations will
        be used to measure job performance.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1b:4:1
      description: Include the name and contact information of the personnel responsible
        for responding to ITAR compliance inquiries.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1
      ref_id: ELEMENT 1C
      name: Organizing the Compliance Function Appropriately
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c
      description: "Management is responsible for deciding where to locate compliance\
        \ personnel within an organization\u2019s structure. This includes establishing\
        \ organizational charts and developing descriptions of the organization\u2019\
        s trade and export compliance functions and determining the extent to which\
        \ the ICP is centralized. The organizational structure should clearly identify\
        \ the following areas of authority:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who in management is responsible for overseeing the ICP?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who within the ICP is the point of contact regarding export compliance
        questions?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who within the ICP and/or business functions is responsible for
        investigating and identifying the root causes of ITAR violations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who within the ICP and/or business functions is responsible for
        overseeing and implementing corrective actions?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who within the ICP is responsible for drafting, finalizing, and
        submitting export-related documents to DDTC?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who within the ICP is responsible for sending other communications
        regarding export compliance matters to DDTC, if necessary?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:1
      description: Who is responsible for legal interpretation and guidance on internal
        export compliance matters?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c
      description: "Empowered Officials (EOs) typically handle at least some of the\
        \ responsibilities listed above. As set forth in ITAR \xA7 120.67, some of\
        \ the primary attributes and responsibilities of an EO include, but are not\
        \ limited to:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2
      description: Direct employment by an organization in a position having authority
        for policy or management within the organization
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2
      description: Written legal empowerment to sign license applications and other
        requests for approval on behalf of the organization.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2
      description: Understanding the provisions and requirements of the various export
        control statutes and regulations and the criminal liability, civil liability,
        and administrative penalties for violating the AECA and the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2
      description: 'Independent authority to:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4
      description: Inquire into any aspect of a proposed export, temporary import,
        or brokering activity by the organization;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4
      description: Verify the legality of the transaction and the accuracy of the
        information to be submitted to DDTC; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:2:4
      description: Refuse to sign any license application or other request for approval
        without prejudice or adverse recourse.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c:3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-1c
      description: Management is responsible through training and hiring practices
        for ensuring that compliance personnel possess the requisite technical knowledge,
        expertise, and experience to effectively implement the ICP. Management should
        also ensure that compliance personnel, including the EO, are delegated sufficient
        authority and autonomy to implement the ICP, consistent with their responsibilities.
        Management should hold routine and periodic meetings with the EO to ensure
        that employees are following ITAR policies and procedures.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      assessable: false
      depth: 1
      ref_id: ELEMENT 2
      name: DDTC REGISTRATION, JURISDICTION & CLASSIFICATION, AUTHORIZATIONS, & OTHER
        ITAR ACTIVITIES
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2A
      name: Registration
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      description: The ICP should include information on registration requirements
        in the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      name: Who Needs to Register?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      description: "The organization\u2019s ICP should explain who is required to\
        \ register with DDTC. The ITAR sets forth the general requirements to register\
        \ for manufacturers, exporters, and temporary importers in ITAR part 122 and\
        \ for brokers in ITAR part 129, while also imposing registration requirements\
        \ in certain unique circumstances. See, e.g., ITAR \xA7\xA7 126.16(k) and\
        \ 126.17(k) regarding requirements for intermediate consignees under the Australia\
        \ and UK treaties, respectively."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      description: The ITAR requires that, subject to certain exemptions, any person
        who engages in the United States in the business of manufacturing or exporting
        or temporarily importing defense articles, including technical data, or furnishing
        defense services, must register with DDTC. Manufacturers who do not engage
        in exporting must nevertheless register.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      description: The ITAR also requires that, subject to certain exemptions, persons
        engaged in brokering activities with respect to the manufacture, export, import,
        or transfer of any foreign defense article or defense service must register
        with DDTC. The brokering registration requirement applies to any U.S. person,
        any foreign person located in the United States, and any foreign person located
        outside of the United States and owned or controlled by a U.S. person. A manufacturing
        registration does not satisfy brokering registration requirements and vice
        versa, and persons engaged in both manufacturing and brokering activities
        must register as both a manufacturer and broker.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      description: The purpose of registration is primarily to provide the U.S. Government
        with visibility into who is involved in ITAR-controlled activities. Registration
        does not confer any export, temporary import, or brokering rights or privileges.
        Registration also does not constitute a certification of ITAR compliance or
        indicate the effectiveness of an ICP.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2:5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:2
      description: "Registration is generally a precondition to the issuance of any\
        \ license or other approval, including the use of certain license exemptions.\
        \ Additional DDTC registration information and FAQs can be found on DDTC\u2019\
        s website."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      name: Types of Registration
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:3
      description: 'There are three types of registration: manufacturer, exporter,
        and broker. Organizations can apply as a manufacturer, exporter, and/or broker
        in one registration application. They will receive a code that corresponds
        with their registration type and a completion letter from the DDTC under their
        account after payment (currently via Defense Export Control and Compliance
        System (DECCS)).'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      name: Submitting Registration Applications and Renewals
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:4
      description: "A prospective registrant must electronically submit a Statement\
        \ of Registration (Department of State form DS-2032) to the Office of Defense\
        \ Trade Controls Compliance (DTCC) by following the submission guidelines\
        \ available on the DDTC website and referring to the requirements set forth\
        \ in ITAR \xA7 122.2. Registrations are valid for 12 months and must be renewed\
        \ annually. The expiration date is included in the registration letter issued\
        \ by DDTC. Registration renewal submissions should be submitted through DECCS\
        \ up to a maximum of 60 days but no less than 30 days in advance of the renewal\
        \ expiration."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      name: Registration Changes and Notifications
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5
      description: 'Registrants are required to notify DDTC within a specified time
        period, e.g., five or 60 days, when certain changes in their organization
        occur. Changes that require notification to DDTC include, but are not limited
        to, when:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1
      description: Certain persons related to the organization have been indicted
        or otherwise charged with or convicted of violating certain criminal statutes.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1
      description: Organizations change certain information in the Statement of Registration,
        such as name, address, ownership, or persons listed on registration.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1
      description: Organizations intend to sell or transfer ownership or control to
        a foreign person.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:1
      description: Organizations are part of acquisitions or mergers.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:5
      description: "Additional notification requirements are found in ITAR \xA7 122.4."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a
      name: DDTC Registration Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6
      description: "Organizations often submit voluntarily disclosures pursuant to\
        \ ITAR \xA7 127.12 regarding their failure to notify DDTC of registration\
        \ changes required under the ITAR. To reduce the risk of these types of ITAR\
        \ violations from occurring, DDTC recommends that organizations take the following\
        \ actions:"
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1
      description: Understand which activities require an organization to register
        with DDTC and determine whether the organization is required to do so.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1
      description: Assign a senior officer to oversee the registration process and
        to sign the required notifications.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1
      description: Establish and implement policies and procedures to ensure the complete
        and timely submission of registration renewals and required notifications
        for material changes. For example, create policies and procedures to ensure
        that export compliance personnel are informed in advance of changes in senior
        officers and mergers and acquisitions to ensure timely updates to the registration
        statement.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2a:6:1
      description: ' Protect registration codes, which are specific to the registrant
        and should not be made available publicly.'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2B
      name: Jurisdiction and Classification
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b
      description: To determine whether organizations or individuals need to register
        or obtain a DDTC license or other approval, they must determine the appropriate
        jurisdiction and classification of the commodities they manufacture, export,
        temporarily import, or broker. Jurisdiction refers to the set of regulations
        to which a commodity is subject, e.g., the ITAR or the Export Administration
        Regulations (EAR), whereas classification refers to the specific entry on
        the respective control list under which the commodity is described, e.g.,
        USML Category VIII(a)(2), or Commerce Control List Export Control Classification
        Number ECCN 9A610.a).
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b
      name: Commodity Jurisdiction Requests
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2
      description: "Manufacturers, exporters, and temporary importers may self-classify\
        \ their items and services. However, if after reviewing the Order of Review\
        \ described in ITAR \xA7 120.11, doubt remains regarding the jurisdiction\
        \ and/or classification of an item or service, organizations may submit a\
        \ Commodity Jurisdiction (CJ) determination request to DDTC as described in\
        \ ITAR \xA7 120.12 for an authoritative determination."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:2
      description: "To submit a CJ request, navigate to DDTC\u2019s website and under\
        \ \u201CConduct Business\u201D for instructions on how to submit a Form DS-4076\
        \ electronically via DECCS. Please note that a supporting letter from the\
        \ original equipment manufacturer (OEM) is generally required for CJ applications\
        \ by persons other than the OEM."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b
      name: DDTC Jurisdiction and Classification Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3
      description: 'Organizations routinely disclose to DDTC ITAR violations resulting
        from improper jurisdiction and classification. To reduce the risk of these
        types of ITAR violations from occurring, DDTC recommends that organizations
        take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: If any doubt exists regarding the proper jurisdiction or classification,
        err on the side of caution, and submit a CJ request to DDTC.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: Understand the form and fit of the articles, as well as the function
        and performance capability of the articles.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: Document the design and development process for new products and
        monitor and document modifications to existing products.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: Designate employees with the necessary technical expertise, e.g.,
        engineers or program managers, and export controls personnel to perform jurisdiction
        and classification review functions.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: Establish formal written policies and procedures for reviewing
        and documenting jurisdiction and classification decisions.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: "Develop a system of tracking and marking jurisdiction and classification\
        \ determinations at the time \u2013 or as soon as possible after \u2013 commodities\
        \ are manufactured."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: DDTC routinely updates USML categories, so organizations should
        consistently monitor these updates and adjust their internal jurisdiction
        and classification determinations accordingly.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: If a CJ request is pending, DDTC recommends treating the commodity
        as defense article or a defense service until DDTC issues the CJ determination.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2b:3:1
      description: Keep records of all jurisdiction and classification decisions in
        a central location that can easily be accessed, reviewed, referred to, and
        updated.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2C
      name: Authorizations
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      description: "DDTC authorization via a license or other approval is required\
        \ prior to engaging in any ITAR-controlled export (see ITAR \xA7 120.50),\
        \ reexport (see ITAR \xA7 120.51), retransfer (see ITAR \xA7 120.52), temporary\
        \ import (see ITAR 120.53), or brokering activities (see ITAR 129.2(b))."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      name: Licenses, Agreements, and Other Approvals
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2
      description: "As defined in the ITAR, a \u201Clicense\u201D is a document bearing\
        \ the word \u201Clicense\u201D that is issued by DDTC that permits the export,\
        \ reexport, retransfer, temporary import, or brokering of a specific defense\
        \ article or defense service controlled under the ITAR."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2
      description: "An \u201Cother approval\u201D is a document, other than a license,\
        \ issued by DDTC that approves an ITAR-controlled activity or the use of an\
        \ exemption to the license requirements in the ITAR. License exemptions are\
        \ therefore considered a form of DDTC authorization. Additional information\
        \ about obtaining a license or other approval from DDTC can be found on DDTC\u2019\
        s website. Licenses are submitted and tracked in DECCS."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2
      description: 'Agreements approved by the Office of Defense Trade Controls Licensing
        (DTCL) may authorize U.S. persons to furnish defense services and export technical
        data to foreign persons, manufacture defense articles abroad, or establish
        distribution points abroad for defense articles of U.S. origin for subsequent
        distribution to foreign persons or entities. Agreements are submitted and
        tracked in DECCS. There are three different types of agreements that cover
        these activities:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3
      description: 'Manufacturing Licensing Agreements (MLA): agreements whereby a
        U.S. person grants a foreign person an authorization to manufacture defense
        articles abroad and that involve or contemplate either the export of technical
        data or defense articles or the performance of a defense service; or the use
        by the foreign person of technical data or defense articles previously exported
        by the U.S. person.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3
      description: 'Technical Assistance Agreements (TAA): agreements for the performance
        of a defense service(s) or the disclosure of technical data, as opposed to
        an agreement granting a right or license to manufacture defense articles.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3:3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:3
      description: 'Distribution Agreements: agreements to establish a warehouse or
        distribution point abroad for defense articles exported from the United States
        for subsequent distribution to entities in an approved sales territory.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2:4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:2
      description: "Additional information on agreements can be found on DDTC\u2019\
        s website and under ITAR part 124. Guidance for preparing agreements can be\
        \ found on DDTC\u2019s website in the Agreement Guidance section, and further\
        \ detail is provided in the DDTC\u2019s Guidelines for Preparing Agreements."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      name: Reexports, Retransfers, and General Correspondence Requests
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3
      description: Prior written DDTC approval must be obtained before reselling,
        transferring, reexporting, retransferring, transshipping, or disposing of
        a defense article to any end user, end use, or destination other than as stated
        on the export license or in the Electronic Export Information filing for any
        exemption previously claimed. This requirement applies in all circumstances,
        except where the transaction is in accordance with the provisions of an exemption
        that explicitly authorizes the resale, transfer, reexport, retransfer, or
        disposition of a defense article without such approval.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3
      description: U.S. and foreign persons may submit a written request for approval
        of a reexport or retransfer of defense articles or technical data to DTCL
        through DECCS. This request is typically referred to as a General Correspondence
        (GC) request. Foreign persons may also submit GC requests regarding reexports,
        retransfers, or changes in end use to DTCL, and they do not need to be registered
        with DDTC in order to do so.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3:3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:3
      description: Additional information about approvals for reexports or retransfers
        can be found in ITAR part 123.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      name: DDTC Licenses, Agreements, and Exemptions Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4
      description: 'To reduce the risk of ITAR violations related to obtaining and
        using licenses, agreements, and exemptions, DDTC recommends that organizations
        establish policies and procedures for the following:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Incorporating licensing and other authorization considerations
        in all appropriate organization processes.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Anticipating, to the extent possible, the need for licenses in
        advance of proposed export activities.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Ensuring that business development, sales, and marketing personnel
        understand timelines for obtaining licenses.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Ensuring ample time to draft, submit, and receive approval for
        agreements.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Ensuring all parties understand appropriate terms, conditions,
        and provisos of the agreement, and conducting periodic audits of export activities
        under the agreement.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Performing as much fact finding as practicable ahead of submitting
        license applications and anticipating changes that may occur while a license
        is valid, e.g., change in freight forwarder, potential U.S. or foreign subcontractors
        involved in the transaction, or changes in the end use or end user.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Reviewing for restrictions on parties to the transaction, including
        by screening through the Consolidated Screening List.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: ' Creating, submitting, tracking and disposition of licenses and
        other authorizations.'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Successfully implementing agreements (e.g., internal controls,
        technology control plans, identifying foreign person status, and employment
        status of meeting attendees).
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Communicating with all foreign parties to determine who will be
        involved in the transaction and their roles, e.g., recipients of services,
        providers, subcontractors.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:11
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: ' Working with foreign parties to understand if there will be dual
        or third- country national employees working on the proposed activities and
        how the foreign party will screen those individuals.'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:12
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Ensuring foreign parties have compliance safeguards in place to
        protect any technical data transferred under the agreements from unauthorized
        access.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:13
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Protecting against unauthorized release of technical data to foreign
        entities and foreign employees.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:14
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Assessing all conditions that must be satisfied to qualify for
        use of any license exemption.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1:15
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:4:1
      description: Reviewing and approving use of license exemptions by appropriate
        compliance personnel.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c
      name: 'DDTC Reexports, Retransfers, and General Correspondence Requests

        Suggestions'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5
      description: 'To reduce the risk of ITAR violations related to the reexport
        or retransfer of defense articles from occurring, DDTC recommends that organizations
        take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      description: Establish policies and procedures for reviewing and obtaining authorization
        for reexports and retransfers.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      description: Establish policies and procedures for tracking and keeping records
        regarding export authorizations for reexports or retransfers.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      description: Ensure understanding of the difference between requesting an initial
        export authorization and a subsequent reexport or retransfer approval.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      description: Gather all relevant information about the transaction prior to
        requesting written approval to ensure the request is not returned without
        action by DDTC due to lack of information.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2c:5:1
      description: Educate foreign recipients of U.S. defense articles about end use
        and other ITAR requirements. For example, foreign recipients should understand
        that destruction is considered a change in end use, and they must request
        approval from DDTC in advance of destruction or demilitarization.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2D
      name: Restricted Party Screening
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d
      description: "An organization should screen all parties involved in a transaction\
        \ prior to engaging in any ITAR-controlled activity with such parties. This\
        \ includes screening such parties through the Consolidated Screening List\
        \ (CSL) or restricted party screening tools containing CSL information. The\
        \ CSL is a list that U.S. government agencies, including the Departments of\
        \ State, Commerce, and the Treasury, maintains restrictions on certain exports,\
        \ reexports, or transfers of items. U.S. government agencies routinely update\
        \ their lists, which are consolidated in the CSL, and DDTC encourages routine\
        \ screening against the CSL to avoid prohibited transactions. Information\
        \ on screening and the CSL can be found on the International Trade Administration\u2019\
        s website."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d
      name: Proscribed Countries
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:2
      description: "It is the policy of the U.S. Government to deny licenses for exports\
        \ and imports of defense articles and defense services destined for or originating\
        \ in certain countries listed in ITAR \xA7 126.1, subject to certain exceptions.\
        \ DDTC considers unauthorized transactions with proscribed countries to be\
        \ serious violations of the ITAR. More information on the types of prohibited\
        \ exports, imports, and sales to or from specific countries can be found in\
        \ ITAR \xA7 126.1."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d
      name: DDTC Restricted Party Screening and Proscribed Countries Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3
      description: 'To ensure effective screening and reduction of the risk of ITAR
        violations involving restricted parties and proscribed countries, DDTC recommends
        that organizations take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: "Establish policies and procedures for implementing screening within\
        \ the organization\u2019s operations. For example, consider establishing procedures\
        \ for screening prior to each of the following activities: entering substantive\
        \ business discussions, signing contracts or other agreements, submitting\
        \ license applications, and exporting."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: Establishing policies and procedures for resolving positive hits
        and reviewing questionable transactions.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: Determine the frequency of routine screening and rescreening of
        customers, suppliers, or other entities engaged in on-going transactions.
        Frequency may differ depending on risk related to jurisdiction, industry,
        entity, etc.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: Maintain detailed screening record results.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: Dedicate adequate resources for screening.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: Monitor updates to U.S. Government lists.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2d:3:1
      description: "Ensure that all relevant employees understand which destinations\
        \ are proscribed under ITAR \xA7 126.1 and the potential consequences of exporting\
        \ without authorization to one of those destinations."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2E
      name: Brokering
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      description: "ITAR \xA7 129.1(a) states that,\u201Cpersons engaged in the business\
        \ of brokering activities shall register and pay a registration fee and that\
        \ no person may engage in the business of brokering activities without a license.\u201D"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      description: "A broker, as defined in ITAR \xA7 129.2(a), is any person who\
        \ engaged in brokering activities who is also U.S. person wherever located,\
        \ any foreign person located in the United States, or any foreign person located\
        \ outside the United States that is owned or controlled by a U.S. person."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      description: "Brokering activities, as defined by ITAR \xA7 129.2(b), mean any\
        \ action on behalf of another to facilitate the manufacture, export, permanent\
        \ import, transfer, reexport, or retransfer of a U.S. or foreign defense article\
        \ or defense service, regardless of its origin. Such activities include, but\
        \ are not limited to:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3
      description: Financing, insuring, transporting, or freight forwarding defense
        articles and defense services.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:3
      description: Soliciting, promoting, negotiating, contracting for, arranging,
        or otherwise assisting in the purchase, sale, transfer, loan, or lease of
        a defense article or defense service.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      name: Authorization Requirements
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4
      description: "ITAR \xA7 129.4 provides a list of defense articles and defense\
        \ services for which a broker must obtain written approval from DDTC prior\
        \ to engaging in brokering activities. A broker may request DDTC approval\
        \ for brokering activities by submitting a completed Form DS-4294 in DECCS.\
        \ The organization must describe in the request the who, what, where, when,\
        \ and why of the transaction. A full list of required information can be found\
        \ in ITAR \xA7 129.6."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4
      description: "Brokers can find exemptions to brokering requirements in ITAR\
        \ \xA7 129.5. Exempt activities include:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2:1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2
      description: "Certain brokering activities undertaken for an agency of the U.S.\
        \ Government, as described in ITAR \xA7 129.5(a)."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2:2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:2
      description: "Certain brokering activities involving foreign defense articles\
        \ or defense services arranged wholly within and destined exclusively for\
        \ the North Atlantic Treaty Organization (NATO), NATO countries, Australia,\
        \ Israel, Japan, New Zealand, or the Republic of Korea, as described in ITAR\
        \ \xA7 129.5(b)."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4:3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:4
      description: "These brokering exemptions do not apply if the transaction involves\
        \ ITAR \xA7 126.1 countries or parties debarred pursuant to ITAR \xA7 127.7,\
        \ as set forth in ITAR \xA7 129.7."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      name: Annual Brokering Activities Report Requirement
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:5
      description: "Any person who engages in brokering activities is required to\
        \ provide to DDTC on an annual basis a report of their brokering activities\
        \ in the previous 12 months. Reports must be submitted along with the broker\u2019\
        s annual renewal submission or, if not renewing, within 30 days after expiration\
        \ of registration. The information required for these reports can be found\
        \ in ITAR \xA7 129.10."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e
      name: DDTC Brokering Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6
      description: 'To reduce the risk of brokering-related ITAR violations, DDTC
        recommends that brokers take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1
      description: Establish policies and procedures for obtaining prior authorization
        for brokering activities, reporting brokering activities, and maintaining
        records regarding brokering activities.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1
      description: Understand which activities constitute brokering activities under
        the ITAR and identify whether and to what extent the broker is engaged in
        such activities.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1
      description: Review and understand the available exemptions to the brokering
        authorization requirements.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2e:6:1
      description: Submit annual brokering reports to DDTC on time.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2F
      name: Political Contributions, Fees, and Commissions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      description: Applicants and suppliers or vendors need to report to DDTC certain
        political contributions, fees, or commissions relating to sales of defense
        articles or defense services valued at $500,000 or more that are being sold
        commercially to or for the use of the armed forces of a foreign country or
        international organization. More information can be found in ITAR part 130.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      description: 'A reportable fee or commission is any loan, gift, donation, or
        other payment of $1,000 or more made, or offered or agreed to be made directly
        or indirectly, whether in cash or in kind, and whether pursuant to a written
        contract, that is:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2
      description: To or at the direction of any person, irrespective of nationality,
        whether employed by or affiliated with an applicant, a supplier, or a vendor;
        and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:2
      description: For the solicitation or promotion or otherwise to secure the conclusion
        of a sale of defense articles or defense services to or for the use of the
        armed forces of a foreign country or international organization.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      description: 'The phrase fee or commission does not include:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3
      description: "A political contribution or a payment excluded by ITAR \xA7 130.6\
        \ from the definition of political contribution;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3
      description: A normal salary (excluding contingent compensation) established
        at an annual rate and paid to a regular employee of an applicant, supplier,
        or vendor;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3
      description: General advertising or promotional expenses not directed to any
        sale or purchaser; or
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:3
      description: "Payments made, or offered or agreed to be made, solely for the\
        \ purchase by an applicant, supplier, or vendor of specific goods or technical,\
        \ operational, or advisory services, when such payments are not disproportionate\
        \ in amount with the value of the specific goods or services furnished. See\
        \ ITAR \xA7 130.5(b)."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      description: 'Political contribution means any loan, gift, donation, or other
        payment of $1,000 or more made, or offered or agreed to be made, directly
        or indirectly, whether in cash or in kind, which is:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4
      description: To or for the benefit of, or at the direction of, any foreign candidate,
        committee, political party, political faction, or government or governmental
        subdivision, or any individual elected, appointed or otherwise designated
        as an employee or officer thereof; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:4
      description: "For the solicitation or promotion or otherwise to secure the conclusion\
        \ of a sale of defense articles or defense services to or for the use of the\
        \ armed forces of a foreign country or international organization. Taxes,\
        \ customs duties, license fees, and other charges required to be paid by applicable\
        \ law or regulation are not regarded as political contributions. See ITAR\
        \ \xA7 130.6."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      name: Reporting
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5
      description: "To determine whether a report needs to be provided to DDTC under\
        \ ITAR part 130, applicants (as defined in ITAR \xA7 130.2) and suppliers\
        \ (as defined in ITAR \xA7 130.7) must conduct their due diligence with respect\
        \ to their vendors (as defined in ITAR \xA7 130.8). Applicants and suppliers\
        \ should request the information listed in ITAR \xA7 130.10, which includes\
        \ any political contributions, fees, or commissions paid or offered or agreed\
        \ to be paid with respect to the sale. See ITAR \xA7 130.12 and ITAR \xA7\
        \ 130.13 for more on the information to be furnished by applicants, suppliers,\
        \ and their vendors."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5
      description: 'Each applicant or supplier must inform DDTC as to whether the
        applicant, suppliers, or their vendors have paid, or offered or agreed to
        pay:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2
      description: Political contributions in an aggregate amount of $5,000 or more.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2
      description: "Fees or commissions in an aggregate amount of $100,000 or more.\
        \ If so, the applicant must furnish to DDTC the information specified in ITAR\
        \ \xA7 130.10."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:2
      description: "Any payments or offers or agreements to make payments of political\
        \ contributions or fees or commissions that the applicant or supplier learns\
        \ of after submission of the license application and any value changes to\
        \ previously submitted reports must be submitted as a supplement report and\
        \ must include a detailed statement of the reasons why the applicant or supplier\
        \ did not furnish the information at the time of the application. See ITAR\
        \ \xA7 130.11 for information regarding supplementary reports."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5:3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:5
      description: "See ITAR \xA7 130.10 for a full list of the required information\
        \ to be submitted in a report to DDTC."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f
      name: DDTC Political Contributions, Fees, and Commissions Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6
      description: 'To reduce the risk of ITAR part 130-related violations, DDTC recommends
        that organizations take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1
      description: Understand whether you or your vendors are involved in paying political
        contributions, fees, or commissions.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1
      description: Understand what information needs to be asked of and received from
        your vendors.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2f:6:1
      description: Establish policies and procedures for accurate and accessible recordkeeping
        of such political contributions, fees, or commissions.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2
      ref_id: ELEMENT 2G
      name: Cybersecurity and Encryption
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g
      description: Although the ITAR does not explicitly require organizations to
        implement specific cyber security or encryption measures for the storage or
        transmission of technical data, cyber intrusion events, and the theft of technical
        data may result in unauthorized exports. Other U.S. Government agencies and
        programs, however, have specific cyber security requirements. DDTC expects
        organizations to take steps to protect their technical data from cyber intrusions
        and theft and consider carefully what cyber security solutions work most effectively
        for them.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g
      description: Having specific policies, procedures, and tools for the encryption
        of technical data is a critical part of cyber security. Organizations should
        consider both how to encrypt the storage and transmission of technical data
        externally, including via cloud and other remote storage, and how to appropriately
        encrypt technical data on portable devices.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g
      description: "For further information on activities that are not exports, reexports,\
        \ retransfers, or temporary imports related to the sending, taking, or storing\
        \ of technical data, see ITAR \xA7 120.54."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g
      name: DDTC Cybersecurity and Encryption Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4
      description: 'To reduce the risk of ITAR violations and improve cyber security
        measures, DDTC recommends that organizations take the following actions:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Establish policies and procedures for recurring training on travel
        with mobile devices for new and existing employees.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Ensure foreign person employees do not receive unauthorized access
        to technical data.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: "Ensure technical data is not backed up to servers in foreign locations,\
        \ unless it meets the criteria set out in ITAR \xA7 120.54(a)(5) regarding\
        \ storage of unclassified technical data secured using end-to-end encryption."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: ' Coordinate with IT to implement intrusion detection systems.'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Educate employees about phishing, malware, and other cyber threats.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Review electronic storage options, such as cloud storage services,
        and understand how service providers protect ITAR-controlled technical data.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Establish security policies for file sharing and collaboration
        tools.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Establish measures for encryption of data on mobile devices, such
        as laptops and cell phones.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Establish policies and procedures for the review and approval of
        employee travel with mobile devices.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-2g:4:1
      description: Ensure that IT logs and controls access to company networks that
        contain ITAR-controlled technical data by authorized personnel.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3
      assessable: false
      depth: 1
      ref_id: ELEMENT 3
      name: RECORDKEEPING
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3
      ref_id: ELEMENT 3A
      name: ITAR Recordkeeping Requirements
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a
      description: 'The ITAR requires all registrants to maintain records regarding
        the manufacture, acquisition, and disposition of defense articles, including
        technical data; the provision of defense services; brokering activities; and
        information on political contributions, fees, and commissions furnished or
        obtained, pursuant to ITAR part 130. The ITAR requires that such records are:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      description: Reproducible in paper format, if digital;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      description: Legible and readable;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      description: Unaltered once recorded or, if altered, with any alterations properly
        recorded, including who made them and when;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      description: Readily accessible if digital images; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:1
      description: Maintained for a period of five years from the expiration of the
        license or other approval, to include exports using an exemption, or from
        the date of the transaction.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a
      description: 'The following records must be maintained:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: License or other approval;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: License exemption;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Technical data exports;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Oral, visual, or electronic exports;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Certain information related to special comprehensive export authorizations;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Related to the Defense Trade Cooperation Treaty between the United
        States and Australia;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Related to the Defense Trade Cooperation Treaty between the United
        States and the United Kingdom;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Related to exemptions involving employees who are dual and third-
        country nationals;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Related to voluntary disclosures;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Brokering recordkeeping requirements; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2:11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3a:2
      description: Related to political contributions, fees, and commissions.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3
      ref_id: ELEMENT 3B
      name: Establishing Recordkeeping Roles and Responsibilities
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b
      description: "For each transaction or activity type, organizations should determine\
        \ which records must be maintained pursuant to the ITAR\u2019s recordkeeping\
        \ requirements and develop a list of those records. Based on the list, organizations\
        \ should develop written policies and procedures to ensure that these records\
        \ are maintained properly. Such written policies and procedures should clearly\
        \ articulate who within the organization is responsible for the various recordkeeping\
        \ responsibilities. They should also include, but are not limited to, the\
        \ following:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Establishing policies and procedures for recordkeeping and for
        timely destruction of records, or their maintenance past required dates where
        relevant to ongoing matters, including, e.g., disclosures to DDTC.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Determining how and where records will be maintained.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Determining how and when records will be inspected for completeness,
        accuracy, and quality.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Developing and maintaining processes for managing records by identifying
        classes of records and logs of record creators and keepers. If appropriate,
        maintain a detailed log or index of records of more sensitive records.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Establishing record-retention requirements for emails, contracts
        with freight forwarders, brokers, and distributors, and other records.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Creating recordkeeping redundancies, such as backup IT servers,
        where appropriate.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:1
      description: Ensuring that recordkeeping methods do not allow for unrecorded
        alterations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b
      description: Organizations should clearly allocate responsibilities for recordkeeping
        among personnel in business units, records management, information technology,
        system administration, and other offices within the organization. Organizations
        should also identify personnel designated with recordkeeping responsibilities
        and ensure that oversight of such personnel exists to confirm they are adequately
        performing their recordkeeping responsibilities. Finally, organizations should
        develop ongoing training and awareness programs to ensure personnel involved
        in the recordkeeping process can effectively comply with ITAR recordkeeping
        requirements.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b
      description: 'Organizations should ensure that every employee involved in ITAR-controlled
        activities is trained on how to:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3
      description: Identify and preserve relevant records;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3
      description: Share and retrieve relevant records;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3
      description: Properly dispose of hard drives, thumb drives, and other portable
        media devices on which records are stored; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:3
      description: Maintain a backup system for preserving relevant records.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b:4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3b
      description: Organizations should ensure that all required records are captured
        and correctly filed to allow for efficient search and retrieval by conducting
        periodic audits on the recordkeeping system. Management should also communicate
        the importance of recordkeeping to all employees and ensure that sufficient
        resources exist to allow employees to perform their recordkeeping duties.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3
      ref_id: ELEMENT 3C
      name: Recordkeeping and Technology Control Plans
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      description: "Organizations that possess technical data and either employ foreign\
        \ persons or conduct frequent meetings with foreign persons should consider\
        \ creating and maintaining a Technology Control Plan (TCP). A TCP sets out\
        \ an organization\u2019s policies and procedures for protecting technical\
        \ data and includes the following elements:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      description: Management commitment;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      description: Personnel-screening procedures;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      description: A physical security plan;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      description: An information security plan; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:1
      description: Training and awareness programs.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      description: A TCP can help reduce the risk of inadvertent ITAR violations through
        telephone, facsimile, electronic mail, social media, or in-person exchanges,
        particularly during informal technical exchanges with foreign persons. Organizations
        can implement a TCP in several ways, including for an organization, a location,
        or a defined project. Organizations should incorporate TCP requirements into
        their ICP and ensure impacted employees are aware of specific TCP requirements.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      description: 'TCPs should also address how organizations will keep records regarding
        foreign- person visitors at their facilities. For example, organizations could
        document all foreign person visits and any special conditions attached to
        the visits. Such records should indicate:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: "The visitor\u2019s name and nationality or nationalities;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: The name and affiliation of the organization represented;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: The date of the visit;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: Persons, physical areas, and room numbers visited;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: Purpose of the visit with specific emphasis on products or services
        discussed; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:3
      description: A summary of the visit, including any issues or circumstances of
        note.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      description: In addition to documenting these interactions with foreign persons,
        TCPs should address how organizations will collect and store human resources
        records for foreign person employees involved in ITAR-controlled activities.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3c
      description: Instituting these recordkeeping practices through a TCP may also
        have the additional benefit of increasing awareness among employees that certain
        types of interactions with foreign persons create risk areas for potential
        ITAR violations, thereby minimizing the risk of an inadvertent violation.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3
      ref_id: ELEMENT 3D
      name: Recordkeeping and Voluntary Disclosures
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d
      description: Establishing and implementing robust recordkeeping policies and
        procedures are foundational to establishing a strong ICP. In the event an
        ITAR violation occurs, thorough documentation is essential for submitting
        a voluntary disclosure to DDTC that meets the requirements in ITAR part 127.
        Without strong recordkeeping policies and procedures, organizations may find
        it difficult to provide all information and documentation described in ITAR
        part 127 for voluntary disclosures and to respond to any questions that DDTC
        may have regarding the violation. A failure to maintain or produce relevant
        records in certain circumstances constitutes an ITAR violation.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d
      name: DDTC Recordkeeping Suggestions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2
      description: 'DDTC recommends that organizations identify and implement best
        practices for recordkeeping including, but not limited to, the following:'
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: In the event records include copies of exported technical data,
        ensuring the records are properly secured, including through encryption for
        digital records, to prevent unauthorized access.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Before employees depart an organization, ensuring any records subject
        to ITAR recordkeeping requirements they possess are identified and preserved.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Evaluating the physical storage site and control procedures for
        disposal of records to minimize the risk of losing records or failing to properly
        secure technical data.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Implementing a backup system for electronic storage and implementing
        measures that will assist in the recovery of information and other electronic
        communications on computer systems if the primary computer system fails.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Maintaining thorough records of non-disclosure agreements and screenings
        involving dual and third-country national employees, as appropriate
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: "Maintaining copies of relevant records that exist on a third-party\
        \ organization\u2019s IT systems, such as copies of shipping records from\
        \ freight forwarders, disclosures submitted by outside counsel, or licensing\
        \ information."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Acquiring or developing a central IT storage system or database
        for relevant records.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: For offsite record storage and destruction, reviewing the contractual
        terms to ensure that ITAR-controlled technical data is protected.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Periodically reevaluating the efficacy of recordkeeping policies
        and procedures.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: Retaining records of any disclosures and any supporting documentation.
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1:11
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-3d:2:1
      description: "Developing and implementing a system to document all communications\
        \ with DDTC officials, including through outside counsel, involving ITAR-related\
        \ matters, which may help ensure continuity and consistency in an organization\u2019\
        s export compliance functions."
      implementation_groups:
      - DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4
      assessable: false
      depth: 1
      ref_id: ELEMENT 4
      name: DETECTING, REPORTING, & DISCLOSING VIOLATIONS
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4
      ref_id: ELEMENT 4A
      name: Detect and Report Suspected ITAR Violations Early
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a
      description: "Organizations should develop and disseminate policies and procedures\
        \ that provide clear guidance to all employees regarding the detecting and\
        \ reporting of suspected ITAR violations. Because ITAR violations can cause\
        \ serious harm to U.S. national security and foreign policy, they can result\
        \ in the imposition of criminal and/or civil penalties, to include debarment,\
        \ and/or other costs, including reputational damage and the denial or revocation\
        \ of export licenses. Early detection, reporting, and rapid corrective actions\
        \ are essential to minimize any harm to U.S. national security and foreign\
        \ policy and mitigate an organization\u2019s legal exposure."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a
      description: 'Organizations should establish policies and procedures to detect,
        stop, investigate, confirm, report, and remediate any suspected ITAR violations
        immediately. To this end, DDTC recommendations that organizations:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Implement clear internal reporting procedures for employees to
        ensure that employees understand that it is their obligation to report suspected
        ITAR violations. Organizations should widely promulgate these procedures.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Provide a mechanism through which employees can report suspected
        ITAR violations anonymously and confidentially and ensure that employees are
        aware of and can effectively use this mechanism. For example, organizations
        may remind employees of such reporting mechanisms through regular bulletins
        or visual reminders (such as posters) and may provide templates to make reporting
        suspected violations efficient and effective.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Clearly identify and communicate to employees the office or individuals
        within the organization assigned the responsibility for receiving reports
        of suspected ITAR violations along with their contact information.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Empower employees to speak up if they are unsure about the proper
        course of action, if they believe they may have been involved in an activity
        that violated the ITAR, or if they believe another employee is violating or
        about to violate the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Provide assurances that employees will not suffer any negative
        consequences for reporting a suspected violation in good faith.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: Incorporate ITAR compliance into employee performance plans and
        evaluations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4a:2
      description: "Implement reporting procedures for organizations to voluntarily\
        \ disclose ITAR violations to DDTC and also to mandatorily disclose ITAR violations\
        \ involving proscribed destinations pursuant to ITAR \xA7 126.1(e)(2)."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4
      ref_id: ELEMENT 4B
      name: Establish Policies and Procedures for Investigating ITAR Violations and
        Implementing Corrective Actions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b
      description: 'Organizations should draft, periodically update, and make available
        to employees policies and procedures for investigating and addressing potential
        ITAR violations that are reported or otherwise detected. These policies and
        procedures should cover, among other things, how the organization will:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Determine when to investigate suspected violations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Document the information reported, detected, or otherwise obtained
        as part of the investigation.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Analyze the root causes of any ITAR violations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Draft a report describing the outcome of the investigation and
        the recommended corrective actions, including any recommended disciplinary
        measures.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Present the report to and brief management.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: "Document management\u2019s response to the report and whether\
        \ management approved the recommended corrective actions."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Implement the corrective actions and document the implementation
        of the corrective actions, including who implemented them and how.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: ' Monitor the corrective actions to ensure they remain fully implemented
        and are working properly over time.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:1
      description: Report back to management after the approved corrective actions
        are implemented.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4b
      description: "Organizations should use personnel qualified to conduct timely\
        \ and properly scoped investigations of ITAR violations and should ensure\
        \ that such personnel have adequate resources and funding. Organizations should\
        \ ensure that investigations are independent, objective, thorough, and properly\
        \ documented. Organizations should consult in-house and outside ITAR experts,\
        \ where appropriate, during or after an investigation. Management\u2019s response\
        \ to such investigations should reflect the critical importance of ITAR compliance,\
        \ including by recognizing and rewarding employees who report suspected ITAR\
        \ violations. Organizations should also continuously update their compliance\
        \ programs to incorporate changes to the ITAR and lessons learned from past\
        \ violations."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4
      ref_id: ELEMENT 4C
      name: Establish Policies and Procedures for Properly Submitting Voluntary Disclosures
        to DDTC
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      description: "Organizations should develop written policies and procedures for\
        \ disclosing ITAR violations to DDTC. Organization should ensure that these\
        \ policies and procedures are fully consistent with all requirements set forth\
        \ in ITAR \xA7 127.12 for voluntary disclosures."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      description: "DDTC strongly encourages organizations to disclose suspected ITAR\
        \ violations promptly. DDTC may consider a voluntary disclosure pursuant to\
        \ ITAR \xA7 127.12 as a mitigating factor in determining the administrative\
        \ penalties, if any, that should be imposed. However, for a disclosure to\
        \ be considered \u201Cvoluntary\u201D for purposes of ITAR \xA7 127.12, it\
        \ must be made prior to the time the U.S. Government becomes aware of either\
        \ the same or substantially similar information from another source and initiates\
        \ an investigation or inquiry of its own. Accordingly, an organization that\
        \ wishes to obtain the significant mitigation credit for voluntary disclosures\
        \ should disclose any violations as quickly as possible to DDTC. Failure to\
        \ voluntarily disclose a violation may result in circumstances detrimental\
        \ to U.S. national security and foreign policy interests and will be an adverse\
        \ factor in determining the appropriate disposition of the matter. DDTC reviews\
        \ and closes most voluntary disclosures without any administrative action."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      description: "Organizations should submit an initial notification to DDTC pursuant\
        \ to ITAR \xA7 127.12. If they have not yet identified all the required information\
        \ under ITAR \xA7 127.12, then they may subsequently provide a full disclosure\
        \ within 60 days. Organizations that request extensions for the submission\
        \ of a full disclosure are encouraged to do so as far in advance of the 60-day\
        \ deadline as possible. If organizations confirm that no ITAR violation occurred\
        \ after submitting an initial notification, then they may request a withdrawal\
        \ of their notification."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      description: "Organizations should ensure that voluntary disclosure submissions\
        \ contain all the required information, provide appropriate documentation,\
        \ and enclose the certification required in ITAR \xA7 127.12(e). Consistent\
        \ with these requirements, voluntary disclosures should demonstrate that the\
        \ organization conducted a thorough root cause analysis to determine why ITAR\
        \ violations occurred, including by identifying whether the violations are\
        \ systemic."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c:5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4c
      description: "In the event the organization\u2019s policies and procedures should\
        \ have prevented a violation, the disclosure should identify the business\
        \ units that had ownership of the specific policies and procedures at issue\
        \ and explain how those units have been held accountable. Voluntary disclosures\
        \ should also demonstrate that the organization developed and has either implemented\
        \ or has plans to implement corrective actions that address the root causes\
        \ and prevent the recurrence of similar violations."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4
      ref_id: ELEMENT 4D
      name: Communicate Potential Consequences of ITAR Violations to Employees
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d
      description: 'Management should ensure that all employees understand their legal
        obligations under the AECA and ITAR, as well as consequences for violating
        those obligations. Management should make available educational materials
        and post visual reminders to all relevant employees that underscore the following:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: ITAR controls ensure that commercial exports of defense articles
        and defense services advance U.S. national security and foreign policy objectives.
        Criminal and civil penalties for violating the ITAR are severe because such
        violations may harm U.S. national security and foreign policy.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: Criminal convictions for willful ITAR violations can result in
        a maximum criminal penalty of $1,000,000 per violation, imprisonment of up
        to 20 years per violation, or both.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: Organizations and/or individuals criminally convicted of ITAR violations
        will also be subject to statutory debarment that renders them ineligible to
        participate directly or indirectly in defense trade for a specified period.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: Civil penalties for ITAR violations can result in a fine of more
        than $1,200,000 per violation, and that amount increases annually to adjust
        for inflation. DDTC imposes civil penalties based on strict liability unless
        otherwise specified in the text of the ITAR. This means that organizations
        and/or individuals may be held civilly liable for ITAR violations even if
        they did not know or have reason to know that they were violating the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: Any ITAR violation, regardless of intent, may trigger administrative
        debarment if the violation provides DDTC with a reasonable basis to believe
        that the violator cannot be relied upon to comply with the ITAR in the future.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: Administrative settlements typically include the execution of a
        Consent Agreement under which the respondent is required to institute enhanced
        compliance measures for a period of two to four years. Instituting these enhanced
        compliance measures is typically time and resource intensive for most organizations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:1
      description: "Administrative settlements are posted publicly on DDTC\u2019s\
        \ website, which may result in both negative publicity and reputational damage\
        \ for the respondent."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-4d
      description: Management should also ensure that employees understand other potential
        consequences, including possible disciplinary actions, for ITAR violations
        within an organization.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5
      assessable: false
      depth: 1
      ref_id: ELEMENT 5
      name: ITAR TRAINING
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5
      ref_id: ELEMENT 5A
      name: ITAR Training Programs
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a
      name: ITAR Training Programs Basics
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:1
      description: ITAR training programs should be tailored, dynamic, up-to-date,
        and adequately resourced. They should also clearly identify the job-specific
        export control responsibilities for all employees. Programs should allot sufficient
        time for employees to complete their training, and they should offer training
        on a recurring basis, at a minimum annually. Organizations should maintain
        accurate training records to verify that employees have completed all relevant
        compliance-related training sessions. In addition to offering formal ITAR
        training sessions on a recurring basis, organizations should make available
        ITAR training resources that employees may consult at any time.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a
      name: Tailoring ITAR Training Programs
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2
      description: 'Organizations should ensure that ITAR training programs are tailored
        to address their specific compliance risks. Some of the risks that organizations
        should consider when designing an ITAR training program include the following
        and discussed in detail in Element 6 of this document:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1
      description: The nature and scope of their defense articles and defense services
        being provided;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1
      description: The parent, subsidiaries, affiliates, suppliers, customers, clients,
        business partners and other relevant parties with which they interact, directly
        or indirectly;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1
      description: The geographic regions in which they operate; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:2:1
      description: The duties and responsibilities of the employees and other personnel
        being trained.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a
      name: Implementing Dynamic and Up-to-Date ITAR Training Programs
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3
      description: "ITAR training programs should be dynamic and reviewed periodically\
        \ for updates and revisions based on changes in the organization\u2019s commodities\
        \ and their end uses and end users, as well as any changes to the ITAR or\
        \ guidance from DDTC. Organizations should monitor the Federal Register and\
        \ DDTC\u2019s website routinely for ITAR-related updates that should be integrated\
        \ into recurring training sessions. Organizations should also establish a\
        \ mechanism to disseminate ITAR-related updates to personnel in a timely manner\
        \ in between training sessions, such as through organization-wide email updates"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:3
      description: "Organizations should also stay informed of export compliance best\
        \ practices and monitor relevant publications that may describe export compliance\
        \ enhancements and lessons learned from export control violations by other\
        \ organizations. For instance, upon learning of an ITAR violation or \u201C\
        close call\u201D within one\u2019s own organization, or identifying vulnerabilities\
        \ in the organization\u2019s ICP, or obtaining a negative testing result or\
        \ audit finding, organizations should use such incidents to provide specific\
        \ training to relevant personnel within the organization, in addition to taking\
        \ corrective action."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a
      name: Hiring Knowledgeable and Experienced Trainers
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5a:4
      description: An effective ITAR training program requires knowledgeable, experienced
        trainers. Organizations should ensure their trainers are subject matter experts
        on the ITAR who keep well-informed regarding the latest changes to the ITAR,
        guidance from DDTC, and industry best practices. Internal trainers should
        pursue their own continuing education to ensure that they remain subject matter
        experts in the field.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5
      ref_id: ELEMENT 5B
      name: "Tiered Training Based on Each Employee\u2019s Functions"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      description: "Organizations should adopt a tiered ITAR training program based\
        \ on the responsibilities of each employee and other personnel within the\
        \ organization. Organizations should tailor their ITAR programs as specifically\
        \ as possible to help employees and other personnel understand their specific\
        \ export control responsibilities in light of the organization\u2019s risk\
        \ profile. Organizations should provide their employees and other personnel\
        \ with different levels and types of ITAR training depending on the knowledge\
        \ and skills needed to perform their job functions and the compliance risks\
        \ that arise in each position. For example, training programs could be divided\
        \ into four tiers, directed at four categories of positions within the organization,\
        \ as reflected in the pyramid diagram above and described below. Smaller organizations\
        \ may adopt this tiered approach  or provide comprehensive ITAR training to\
        \ all personnel."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      ref_id: Tier 1
      name: General ITAR Training for All Personnel
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1
      description: "For the first and bottom tier \u2013 all personnel \u2013 training\
        \ should cover the basics of export controls and should be comprehensible\
        \ for a broad audience with little or no background in export controls or\
        \ the ITAR. Generally, this level of training is provided to all personnel\
        \ within organizations. Organizations should provide the training to all new\
        \ hires and contractors during the onboarding process and then reinforce that\
        \ training through periodic education and awareness activities to those with\
        \ little or no exposure to exports."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1
      description: "Tier 1 training should provide all personnel within the organization\
        \ a basic understanding of the ITAR and a clear understanding of everyone\u2019\
        s shared export compliance responsibilities within the organization. Tier\
        \ 1 training should, at a minimum, cover the following topics:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: 'Basic ITAR overview, including:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:1
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1
      description: Regulated activities;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:2
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1
      description: Key ITAR definitions, including export, foreign person, technical
        data, defense service, and defense article, and provide real world examples
        specific to the organization's business;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:3
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1
      description: Licenses or other approvals; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1:4
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:1
      description: How ITAR violations occur.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: "Overview of the organization\u2019s ICP"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Recordkeeping procedures
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: "Red flags specific to the organization\u2019s business"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Screening requirements
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Practical advice and case studies to address real-life scenarios
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Company-specific risk profile and high-risk compliance areas
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Reporting ITAR violations
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: 'Potential consequences of violating the ITAR:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:1
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9
      description: Strict liability for civil violations;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:2
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9
      description: Civil and/or criminal monetary penalties;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:3
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9
      description: Imprisonment for criminal violations; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9:4
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:9
      description: Debarment
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Enhancing ITAR-compliance processes
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2:11
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-1:2
      description: Organization charts and contact information for key export compliance
        personnel, Empowered Officials, and other relevant personnel.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      ref_id: Tier 2
      name: Senior Management
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2
      description: "For the second tier \u2013 senior management \u2013 training should\
        \ be more detailed and include more than just the basics of export controls.\
        \ Senior management must have a thorough understanding of export controls\
        \ to properly comprehend the compliance risks associated with the organization\u2019\
        s activities and risk profile. Organizations with a Board of Directors or\
        \ a Board of Trustees should conduct the same type of top-level briefing for\
        \ them as well."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2
      description: 'Tier 2 training should provide senior management with an intermediate
        level of understanding of the ITAR and a clear understanding of the critical
        role senior management plays in ITAR compliance within the organization. In
        addition to topics covered in Tier 1, Tier 2 training should, at minimum,
        include an intermediate ITAR overview and the following topics:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      description: "Detailed description of the organization\u2019s ICP;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      description: The importance of communicating management commitment to complying
        with U.S. export controls;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      description: Allocating appropriate resources and hiring adequate staff to ensure
        ITAR compliance;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      description: Creating and maintaining a culture of ITAR compliance within the
        organization; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-2:2
      description: A detailed description of the potential consequences of violating
        the ITAR.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      ref_id: Tier 3
      name: Positions with Export Functions
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3
      description: "The specific personnel that fall in the third tier \u2013 positions\
        \ with export functions \u2013 will vary from one organization to another,\
        \ depending on the organization\u2019s activities. For most companies, it\
        \ will likely include program management, technical, and/or engineering personnel\
        \ with access to ITAR-controlled defense articles, shipping and receiving,\
        \ supply chain, business development, human resources, and IT."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3
      description: For universities, it will likely include administrative staff,
        researchers, faculty and/or principal investigators involved in activities,
        including, e.g., contracts and grants, product development, and research labs,
        as well visiting foreign students and scholars participating in controlled
        research. Organizations should provide more detailed and targeted ITAR training
        to such personnel, at a minimum, on an annual basis.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3
      description: 'Tier 3 training should provide relevant employees with export
        functions with an advanced- level understanding of the ITAR and their significant
        export compliance responsibilities within the organization. In addition to
        topics covered in Tiers 1 and 2, as appropriate, Tier 3 training should, at
        minimum, cover the following additional topics:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: How to handle technical data, including marking procedures;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Deemed exports;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Jurisdiction and classification;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Pertinent USML Categories;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Export authorization approval process;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: License conditions and exceptions;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Exemptions applicable to business;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Agreement and license types;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Non-Disclosure Agreements;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Recordkeeping; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3:11
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-3:3
      description: Targeted training to individual roles.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      ref_id: Tier 4
      name: Export Compliance Team
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4
      description: "The final and top tier of the training program comprises the export\
        \ compliance team, including the EO, export compliance manager, compliance\
        \ supporting staff, and legal counsel advising on export compliance issues.\
        \ Training for this group should be thorough and detailed and include not\
        \ only the organization\u2019s ICP but training on all export control regulations\
        \ that could impact the organization\u2019s exporting activities."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4
      description: Compliance managers and their team also need to receive training
        on potential future needs for their organization, including mergers, acquisitions,
        or divestitures, development of a new product line, expansion into a new region
        of the globe, or new developments in U.S. foreign policy.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4
      description: 'Tier 4 training should provide the export compliance team with
        an expert-level understanding of the ITAR and their export compliance responsibilities
        within the organization. In addition to topics covered in Tiers 1, 2, and
        3, as appropriate, Tier 4 training should, at minimum, cover the following
        additional topics:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      description: Establishing and maintaining ITAR policies and procedures, including
        the ICP.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      description: "Obtaining and tracking the use of the organization\u2019s licenses\
        \ and other approvals."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      description: Establishing TCPs.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      description: 'Other detailed training in specific areas of export regulations
        relevant to the organization, such as:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:1
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4
      description: Export document preparation,
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:2
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4
      description: Country-specific diversion risks,
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:3
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4
      description: Recordkeeping requirements, and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4:4
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:4
      description: Self-assessments and internal audits.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:tier-4:3
      description: Attending DDTC seminars and other outside training programs as
        appropriate.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b
      name: Employee Accountability
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-5b:2
      description: Organizations should include ITAR training as a requirement in
        performance plans and reviews and ensure that employees and other personnel
        complete their ITAR training on time. Organizations should also hold employees
        and other personnel accountable for both completing their ITAR training in
        a timely manner and for completing refresher training to retain their knowledge
        from their initial training. Further, at the end of each ITAR training session,
        organizations should test employees on the materials and issue a certificate
        of completion when they successfully complete the test.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6
      assessable: false
      depth: 1
      ref_id: ELEMENT 6
      name: RISK ASSESSMENT
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6
      ref_id: ELEMENT 6A
      name: ITAR Risk Assessments
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      name: Basics of ITAR Risk Assessments
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:1
      description: Risk assessments are essential tools for building an effective
        ICP. Risk assessments in the defense trade controls context are evaluations
        of the potential compliance risks that are specific to each organization and
        that, if left unaddressed, may lead to ITAR violations. Risk assessments therefore
        allow organizations to ascertain and analyze the likelihood that ITAR violations
        may occur, the most common reasons violations may occur, and the types of
        violations that are most likely to occur or would result in the greatest harm.
        After understanding the full spectrum of their compliance risks, organizations
        should use that data to create effective and tailored ICPs and allocate resources
        as appropriate to prioritize and mitigate those risks.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      name: Tailoring ITAR Risk Assessments
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2
      description: "Risk assessments should be tailored to the organization\u2019\
        s ITAR-controlled activities and should identify and analyze all the potential\
        \ ITAR-related risk factors for the organization, whether those risk arise\
        \ inside or outside of the organization. Such potential risk factors may include\
        \ the following:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: "Nature and scope of the organization\u2019s commodities;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: "Organization\u2019s customers, suppliers, freight forwarders,\
        \ partners, or other third parties involved in its activities;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: "Organization\u2019s physical and cyber security infrastructure;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: Any foreign parents, subsidiaries, or affiliates;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: " Structure of the organization\u2019s product development, engineering,\
        \ and sales activities;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: Any foreign person employees; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:2:1
      description: Geographic regions that the organization operates in or exports
        to.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      name: Development of ITAR Risk Assessments
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3
      description: "Organizations should develop a risk-assessment to identify, assess,\
        \ and track risks associated with ITAR compliance. Organizations should regularly\
        \ update their ITAR risk assessments to account for changes to their risk\
        \ factors. For example, if an organization begins exporting to a new geographic\
        \ area or opens a new foreign office, the organization should update its risk\
        \ assessment accordingly. Updating the risk assessment is also important following\
        \ mergers, acquisitions, and divestitures, particularly if the company merges\
        \ or acquires foreign persons. In addition, organizations should update their\
        \ risk assessment if they discover new or evolving ITAR compliance risks through\
        \ audit findings, ITAR violations or \u201Cclose calls,\u201D employee feedback,\
        \ or any other sources."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:3
      description: Organizations may internally design, update, and conduct the ITAR
        risk assessment, or they may retain outside ITAR experts to do so. Organizations
        should ensure that their original risk assessments and any updates, as well
        as any changes to ICPs because of their risk assessments, are fully documented
        and preserved. DDTC recommends examining the Sample Audit Checklists in Element
        7 to help assess and determine possible risk factors.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      name: Frequency of ITAR Risk Assessments
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:4
      description: Organization should periodically review risk assessments to determine
        whether its risks are properly addressed. Periodic risk assessments will depend
        on specific circumstances and how quickly risks change. There is no one-size-fits-all
        approach for updating risk assessments, but organizations should ensure that
        the frequency is adequate to accurately account for the potential ITAR compliance
        risks at any given time. For example, the organization may decide to conduct
        a company-wide risk assessment every year or perform targeted risk assessments
        focused on certain risk areas on an ad-hoc basis throughout the year.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a
      name: Prioritizing and Mitigating ITAR Compliance Risks
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6a:5
      description: After performing their ITAR risk assessments, organizations should
        analyze and prioritize those risks based on all relevant factors, including
        the likelihood that such risks would result in ITAR violations. Organizations
        should then integrate their risk-based analysis and prioritization into their
        ICPs and allocate resources as appropriate to mitigate those risks.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6
      ref_id: ELEMENT 6B
      name: Addressing Common ITAR Risk Areas
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b
      description: 'This section identifies some common risk areas for purposes of
        conducting ITAR risk assessments and developing and updating ICPs. As described
        above, ITAR compliance risks may vary across organizations. Organizations
        have frequently identified risks in the following areas:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: 'Jurisdiction and Classification: ITAR violations frequently result
        from the incorrect jurisdiction and classification of defense articles and
        defense services.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: 'Authorization Management: ITAR violations frequently result from
        failing to adhere to the terms and conditions of licenses and agreements.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: 'Foreign Person Employees or Visitors: foreign person employees,
        visitors, etc. may pose a compliance risk to organizations if they are not
        properly authorized to have access to defense articles, including technical
        data, or receive defense services. ITAR violations frequently result from
        companies that allow foreign person employees to access technical data stored
        on internal company networks without first obtaining a license.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: "Vetting of Parties and Verification of End Users: customers and\
        \ other parties to a transaction present a compliance risk for exporters.\
        \ It is the exporter\u2019s responsibility to vet customers and other parties\
        \ to a transaction. ITAR violations regularly occur when organizations fail\
        \ to perform sufficient due diligence and defense articles are used in a manner\
        \ that is inconsistent with the DDTC authorization."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: "License Exemptions: the ITAR contains various license exemptions\
        \ that do not require a request for approval from DDTC. ITAR violations routinely\
        \ result from failing to meet and document each exemption\u2019s requirements."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: "International Travel: employees that travel internationally with\
        \ organization-issued hardware or software and employees that can access their\
        \ employer\u2019s networks and databases while overseas may present a substantial\
        \ compliance risk, particularly if ITAR-controlled technical data is saved\
        \ on portable devices or if it is accessible or downloadable without adequate\
        \ IT security measures. Employees may provide defense services during trade\
        \ shows, business development, or training/maintenance on defense articles."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: 'Facility Visits: failing to verify the U.S.-person status of all
        visitors in advance of plant tours or facility visits in the U.S. creates
        the risk of inadvertent release of ITAR-controlled technical data. Organizations
        may seek a license or other approval from DDTC, as appropriate, in advance
        of foreign person visits. For facility visits at non-U.S. subsidiaries, failing
        to verify citizenship and the organization they represent against the license
        or other approval.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:1
      description: 'Inventory Management: Inventory management and tracking of ITAR-
        controlled items can also present compliance risks. ITAR violations may result
        from organizations not adequately securing their inventory of defense articles
        and not tracking them appropriately once exported.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-6b
      description: See DDTC's website for the DDTC ITAR Risk Matrix, and supplementing
        University- specific Risk Matrix, that outline important areas of risk to
        consider when analyzing an ITAR compliance program.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7
      assessable: false
      depth: 1
      ref_id: ELEMENT 7
      name: AUDITS & COMPLIANCE MONITORING
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7
      ref_id: ELEMENT 7A
      name: Audits
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      description: Comprehensive, independent, and objective audits, performed regularly,
        assist organizations in determining the effectiveness of their ICP. Such audits
        allow organizations to identify deficiencies in their ICP and remediate them.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      name: Audit Personnel
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2
      description: 'Organizations should assemble an internal team or, as appropriate,
        hire external third parties to conduct periodic ITAR compliance audits. If
        the organization already has an auditing team, it should incorporate ITAR
        policies and procedures with corporate audits. Auditors, whether internal
        or external, should determine the appropriate type and scope of the audit.
        Organizations should ensure their auditors have sufficient:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1
      description: Qualifications, technical knowledge, strong ITAR expertise, and
        sufficient resources to conduct the audit;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1
      description: Authority to ensure employees comply with audit-related requests
        for information;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1
      description: Independence from the audited activities; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:2:1
      description: "Autonomy and independence from management, including direct access\
        \ to any relevant employees, the board of directors, and/or the board\u2019\
        s audit committee."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      name: Audit Methodology
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3
      description: 'Audits should consist of:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1
      description: Interviews with relevant functional area personnel, as well as
        the compliance team and senior management, as appropriate;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1
      description: Document collection and review;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1
      description: Access to IT systems; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:1
      description: Site visits, as appropriate.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:3
      description: "Auditors should maintain a detailed log to track the progress\
        \ of documents requested and obtained, interviews requested and completed,\
        \ and sites visited. The auditors should coordinate all interviews with the\
        \ organization\u2019s compliance department, as appropriate. The audit team\
        \ should review all documents provided by the relevant business units in the\
        \ development of checklists to be used when conducting the interviews and\
        \ site visits. See Section C below for examples of such checklists."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      name: Types of Audits
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4
      description: Different types of audits serve different purposes, and organizations
        should develop, as appropriate, an audit strategy, utilizing the different
        types of audits listed below, that is right for their circumstances.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1
      description: 'Functional-Level Audits: functional-level audits look at distinct
        areas of compliance programs, e.g., recordkeeping or shipping procedures.
        This audit type can help identify risk areas at an early stage and provide
        an opportunity to correct any deficiencies. Functional-level audits should
        be conducted more frequently than program-level audits because they are smaller
        in scale.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1
      description: 'Program-Level Audits: at the program-level, organizations should
        conduct internal audits as periodically as appropriate. Program-level audits
        should include both a review of all export policies and procedures and an
        assessment of whether each business unit implemented such policies and procedures.'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1:3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:4:1
      description: "External Audits: external audits can provide an unbiased, third-party\
        \ evaluation of an organization\u2019s overall compliance program and practices.\
        \ Organizations should consider the use of an outside auditor periodically,\
        \ as appropriate."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      name: Audits in the Context of Mergers, Acquisitions, and Divestitures
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5
      description: Audits may be appropriate when mergers, acquisitions, and divestitures
        (MAD) occur. Pursuant to ITAR part 122, DDTC registrants must notify DDTC
        within specific timeframes regarding certain changes in registration, including
        ownership and legal organizational structure. Many of these notice requirements
        arise during the pre- and post-closing processes of MAD transactions.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5
      description: "Acquiring organizations should conduct due diligence reviews of\
        \ target organizations that engage in ITAR-controlled activities. Due diligence\
        \ reviews should assess the effectiveness of the target organization\u2019\
        s ITAR compliance program and identify potential past ITAR violations. In\
        \ the event such ITAR violations have not already been reported to DDTC, the\
        \ target organization or the acquiring organization are strongly encouraged\
        \ to submit a voluntary disclosure prior to or immediately after closing,\
        \ as appropriate."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5
      description: The acquiring organization should conduct an audit after closing
        the merger, acquisition, or divestiture. The appropriate scope of any post-closing
        audit will vary depending upon the circumstances. If the acquiring organization
        uncovers numerous unresolved compliance issues in its pre- closing due diligence,
        an in- depth audit may be appropriate. If, on the other hand, the target organization
        had a robust compliance program and provided documentation of regular audits
        and remedial actions, the acquiring organization may choose to perform a functional
        audit instead.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:5
      description: "Acquiring organizations should ensure that any continuing ITAR\
        \ violations by the acquired organization identified through the post-acquisition\
        \ audit are stopped and remediated. Organizations should follow the relevant\
        \ procedures in ITAR \xA7 127.12 to investigate and voluntarily disclose the\
        \ violations to DDTC."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a
      name: Sharing Audit Findings and Following Up
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6
      description: After the auditors complete their interviews, document collection
        and review, and site visits, they should write a draft audit report. The draft
        audit report should include an executive summary, findings and recommendations,
        and appendices that explain the methodology, including the interviews conducted,
        documents reviewed, and sites visited. Prior to finalizing the audit report,
        the auditors should share their findings and recommendations with the relevant
        business units to correct any inaccuracies. After making any final modifications,
        auditors should brief senior management on the audit findings and recommendations.
        Organizations should ensure the final audit report is provided to all relevant
        business units, as well as senior management. Organizations should maintain
        audit reports for at least five years.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6
      description: If an audit report includes recommendations for revisions to procedures
        or corrective actions, organizations should include specific timetables and
        an implementation plan for management to approve. Organizations should continue
        to track the progress of corrective actions until they are completed. Once
        corrective actions are completed, organizations should prepare an additional
        report to management, and compliance personnel should confirm that each corrective
        action has been fully implemented.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7a:6
      description: Each vulnerability or violation identified in an audit is an opportunity
        for organizations to improve their ICP. Organizations should incorporate these
        lessons learned into training programs and their ICP in order to share them
        across business units and functions. Organizations should also actively plan
        to remediate deficiencies in their ICPs that audit findings identify.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7
      ref_id: ELEMENT 7B
      name: Compliance Monitoring
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b
      description: 'In addition to conducting periodic audits, organizations should
        regularly review their ICPs and amend their ITAR compliance policies and procedures
        as appropriate in response to:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      description: Any changes to the ITAR or DDTC guidance;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      description: Export compliance best practices and lessons learned from export
        control violations by other organizations;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      description: "Lessons learned from any ITAR violations or \u201Cclose calls\u201D\
        \ within the organization;"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      description: "Vulnerabilities identified in the organization\u2019s ICP, or\
        \ negative testing results or audit findings; and/or"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7b:1
      description: "Changes to an organization\u2019s ITAR risk factors, including\
        \ where such risk factors have changed because of a merger, acquisition, and/or\
        \ divestiture, or where there are changes to the organization\u2019s product\
        \ line, services, or customers."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7
      ref_id: ELEMENT 7C
      name: Sample Audit Checklists
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      description: "The following are sample checklists that auditors should further\
        \ develop before conducting an audit. Auditors should use these sample checklists\
        \ to formulate document requests and interview questions for employees within\
        \ the relevant functional areas of organizations. These sample checklists\
        \ are not intended to be exhaustive, and they may not all be applicable to\
        \ every organization. Auditors should customize checklists based on relevant\
        \ factors, including an organization\u2019s specific activities and risk profile."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Management
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: &id001
        - 'Yes'
        - 'No'
        - Alternate
        - N/A
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:question:1
          text: "Has senior management issued a formal statement clearly communicating\
            \ your organization\u2019s commitment to compliance with U.S. export control\
            \ laws and regulations?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:1:question:1
          text: "Does this statement include contact information for the person and\
            \ Empowered Official primarily responsible for your organization\u2019\
            s export compliance?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:2:question:1
          text: Is this statement easily accessible online or in print?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:3:question:1
          text: Has this statement been distributed to all employees whose work is
            impacted by export regulations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:4:question:1
          text: "Are employees whose work is impacted by export regulations required\
            \ to sign an acknowledgment that they understand the organization\u2019\
            s obligation to comply with U.S. export laws and its commitment to compliance?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:5:question:1
          text: Does your management assess ITAR compliance resource needs at least
            on an annual basis?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:1:6:question:1
          text: Has senior management communicated its commitment to compliance directly
            to those in leadership/authority positions, particularly business leads
            over the areas of the organization where export-controlled work is performed?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:question:1
          text: Has your organization drafted, implemented, and disseminated written
            policies and procedures regarding export trade compliance?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:1:question:1
          text: Are these policies and procedures widely disseminated and readily
            accessible throughout your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:2:question:1
          text: Does your organization ensure that the policies and procedures are
            followed?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:2:3:question:1
          text: Does your organization make available to all employees an organizational
            chart that clearly identifies personnel with authority over export control
            matters?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:question:1
          text: " How does the trade compliance office support your organization\u2019\
            s different divisions in general and management in particular?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:1:question:1
          text: How many trade compliance personnel do you have on staff?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:2:question:1
          text: Do you believe the trade compliance function is adequately staffed
            to support your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:3:question:1
          text: To whom does the trade compliance function report?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:4:question:1
          text: Do trade compliance personnel participate in staff meetings?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:2:3:5:question:1
          text: Are trade compliance staff integrated into business development decisions?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Trade Compliance
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:1:question:1
          text: Does the trade compliance function have sufficient support from management?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:question:1
          text: Is trade compliance your primary area of responsibility? Do you have
            any other responsibilities within your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:2:1:question:1
          text: Who is your backup when you are out of the office? Is that person
            properly trained, and do they have the authority to act on your behalf?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:question:1
          text: Does your organization provide tailored training for different functional
            areas, e.g., program management, business development, contracts, procurement,
            etc.?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:1:question:1
          text: How often and what type of training do trade control personnel receive
            annually?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:3:2:question:1
          text: Who is responsible for export control training?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:question:1
          text: Does the trade compliance office routinely conduct risk assessments
            for the organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:1:question:1
          text: Have you determined areas of your organization that currently perform
            or are likely to perform ITAR-related activities?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:4:2:question:1
          text: Have you identified and implemented measures to address risk areas?
            If so, have you conducted an inventory of these areas to confirm whether
            they currently contain or are likely to receive or develop any defense
            articles, defense services or technical data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:5:question:1
          text: How does your organization classify its commodities?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:6:question:1
          text: Does your organization maintain a product/technology matrix with USML
            categories? If so, how and by whom is the matrix maintained and updated?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:question:1
          text: What processes are in place for reporting potential ITAR violations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:1:question:1
          text: "Does a \u201Chotline\u201D within the organization exist where employees\
            \ can report potential violations, including anonymously?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:2:question:1
          text: Does management support investigations into potential violations?
            Is there support from management to hold personnel responsible for violations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:3:question:1
          text: Who is responsible for investigating potential violations? If outside
            counsel is involved, is the Empowered Official also involved in the review
            and findings?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:4:question:1
          text: What process is used to ensure corrective actions, if any, are put
            in place and verified? Who is responsible for this action?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:7:5:question:1
          text: Does the Empowered Official have the authority and backing from management
            to stop any actions that may lead to a violation?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:question:1
          text: Do you have a system/process in place to assess, review, and identify
            areas where a license, exemption, or other approval will be required?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:1:question:1
          text: What is the volume of licensing activity in each business unit?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:2:question:1
          text: Who determines whether a license is needed from DDTC?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:3:question:1
          text: Who is responsible for submitting export license requests to the DDTC?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:4:question:1
          text: How is party screening performed and who is responsible for this process?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:5:question:1
          text: What are the procedures for responding to negative/positive screening
            responses?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:6:question:1
          text: "When a license or other approval is received, explain the process\
            \ for implementing the authorization within your organization\u2019s divisions,\
            \ e.g., how do you ensure that licenses are properly decremented and that\
            \ temporary exports are returned? Who is responsible for meeting any conditions\
            \ of approvals?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:7:question:1
          text: Explain how you track licenses, agreements, and other approvals to
            ensure you properly close them out, seek a replacement, or request an
            extension for an authorization.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:8:question:1
          text: How do you track the release of technical data via telephone, fax,
            email, hand carry or other means? How do you document these releases to
            authorized foreign person employees?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:9:question:1
          text: "How often does the organization\u2019s trade compliance office perform\
            \ audits on licenses and other authorizations? What percentage (random,\
            \ 5-10%, 50%, or 100%) is used when conducting such audits? Where are\
            \ the results of the audits stored?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:10:question:1
          text: Do policies and procedures exist regarding the recordkeeping and reporting
            requirements under the ITAR and are those policies and procedures readily
            available to employees?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:11
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:8:11:question:1
          text: "Who ensures that employees are complying with ITAR recordkeeping\
            \ and reporting requirements, as well as whether personnel are complying\
            \ with our organization\u2019s policies and procedures?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:question:1
          text: Does your organization verify that suppliers are able to properly
            handle ITAR-controlled defense articles and defense services, including
            technical data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:1:question:1
          text: Do your suppliers employ foreign persons?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:2:question:1
          text: "Do your suppliers always provide an export classification of the\
            \ parts being procured? If not, the organization may want to obtain the\
            \ proper classification of suppliers\u2019 parts."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:3:question:1
          text: Do you have a supplier due diligence process?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:4:question:1
          text: If you provide ITAR-controlled technical data to suppliers, do you
            consistently identify defense articles, including technical data, as such?
            Do you include markings on the technical data itself and on packing materials,
            emails, etc.? Do you ensure that suppliers understand their obligations
            under the ITAR not to export, reexport, or retransfer that technical data
            without first obtaining DDTC approval?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:9:5:question:1
          text: Do your terms and conditions include trade controls related requirements
            such as compliance with the ITAR?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:10:question:1
          text: Are trade compliance personnel invited to business development meetings
            so that they can properly anticipate and prepare for business pursuits
            that may require authorizations from DDTC in the future?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:question:1
          text: Are engineering or business development personnel aware that a license
            is needed to export technical data or provide defense services to foreign
            customers?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:11:1:question:1
          text: If not, what level of training is provided to business development
            personnel prior to meeting with a foreign customer.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:question:1
          text: Are trade compliance personnel aware of meetings with foreign customers
            concerning ITAR-controlled programs?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:1:question:1
          text: What is the process for approving any international travel? Are trade
            compliance personnel aware of all such travel?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:2:question:1
          text: Is export compliance training provided prior to any international
            travel?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:3:question:1
          text: Does your organization have a mobile device (laptop and hand- held
            devices) policy? Are employees trained on the appropriate use of such
            devices when traveling abroad?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:3:12:4:question:1
          text: What policy is in place to address hand-carry of defense articles
            outside of the U.S.? Who is responsible for overseeing this process and
            what measures are in place to control this type of export?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Program Management / Principal Investigators
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:question:1
          text: What training have you received regarding export compliance, and how
            often is it repeated?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:1:1:question:1
          text: Do you know whom to contact if you have any questions regarding export
            compliance?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:2:question:1
          text: What procedures exist for approving international travel?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:3:question:1
          text: What procedures exist for safeguarding technical data or other proprietary
            information on mobile devices while traveling internationally?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:4:question:1
          text: What procedures exist for approving what information may be shared
            during meetings with foreign nationals, regardless of the location, domestic
            or internally?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:5:question:1
          text: How do you comply with the terms of any export license or other approvals?
            Who is ultimately responsible for managing authorizations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:6:question:1
          text: How do you coordinate with the shipping and receiving department regarding
            exports and temporary imports of ITAR-controlled defense articles?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:7:question:1
          text: What is the process for repair and return of parts? How is this coordinated
            with the various functional areas of the business unit and customers?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:question:1
          text: Does your organization have a system to capture and track all exports,
            including technical data under licenses or other approvals?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:8:1:question:1
          text: How is this coordinated with the trade compliance team?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:9:question:1
          text: What is the process for determining when a license is required? If
            doubts exist, who do you contact?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:10:question:1
          text: Is the trade compliance office available to assist and provide you
            and your office with timely and sound advice?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:4:11:question:1
          text: What is the process for hosting foreign persons to your facility.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Human Resources
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:question:1
          text: "What is your organization\u2019s process for hiring a foreign person?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:1:question:1
          text: When an internal request is made to hire a foreign person, does human
            resources (HR) verify whether that person will have access to controlled
            data or any manufacturing processes?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:2:question:1
          text: Does HR screen potential applicants before they hired? How do they
            screen?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:3:question:1
          text: Once a potential foreign person hire is screened, does HR share the
            results with the office over trade compliance before extending an employment
            offer?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:4:question:1
          text: Is proof of the U.S.-person status verified at the time of hiring?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:5:question:1
          text: How are foreign person employees identified within your organization
            (special badge, IT, etc.)?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:6:question:1
          text: Are foreign person employees required to sign non-disclosure agreements?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:7:question:1
          text: Does your organization hire from third-party vendors, e.g., a temp
            agency? If so, how are nationalities of the persons hired confirmed?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:1:8:question:1
          text: Does your organization hire contractors that employ foreign persons?
            If so, how is that process conducted and coordinated?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:question:1
          text: If foreign persons are hired, how does HR coordinate the hiring with
            the trade compliance office? When is the process started?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:1:question:1
          text: "Does the trade compliance office include HR in the export compliance\
            \ training module, and, if so, how is HR\u2019s role characterized?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:2:question:1
          text: Is there a process in place between HR and the trade compliance office
            and/or program management for obtaining a license or other authorization
            and, if needed, any renewals necessary for the continued employment of
            a foreign person employee?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:2:3:question:1
          text: If a foreign person is relocated to another location/program within
            your organization, how is HR/trade compliance office notified? What are
            the procedures for handling the transfer process?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:5:3:question:1
          text: If a foreign person employee is terminated, does HR coordinate with
            trade compliance office, and, if so, in what manner?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Business Development / Sales
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:question:1
          text: In general, how does Business Development (BD) handle potential opportunities
            outside the United States, and how does BD coordinate with the trade compliance
            office?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:1:question:1
          text: "Does BD receive tailored export control training? Who is BD\u2019\
            s POC within the trade compliance office?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:2:question:1
          text: "For international proposals, how would you assess BD\u2019s knowledge\
            \ and training regarding whether export authorization is necessary?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:3:question:1
          text: At what point is the trade compliance office consulted and brought
            into the process when dealing in international opportunities or proposals?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:4:question:1
          text: Is the trade compliance office consulted in the early stages of internal
            opportunities?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:5:question:1
          text: What procedures exist to screen potential business opportunities (parties)?
            How do you coordinate screening with the trade compliance office? If you
            obtain a negative result, who makes the final call?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:6:question:1
          text: Does your organization use any international consultants? If so, how
            is this coordinated and controlled?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:1:7:question:1
          text: What processes exist for determining whether any BD activity requires
            reporting of fees or commissions pursuant to ITAR part 130, and who is
            responsible for filing those reports?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:question:1
          text: What is the process for attending a general trade show? How does BD
            coordinate with the trade compliance office for trade shows?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:1:question:1
          text: Does BD think of the trade compliance office as a partner in planning
            for participation in trade shows?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:2:question:1
          text: Does export compliance provide accurate and timely guidance to BD
            in advance of trade shows?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:3:question:1
          text: ' If controlled technical data or a mockup or model are used at a
            trade show, how does BD coordinate the licensing requirements with the
            trade compliance office?'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:4:question:1
          text: Who is responsible for protecting and securing defense articles at
            trade shows?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:5:question:1
          text: Is there a process for determining what is considered public domain
            information that may be used at trade shows? Who and how is that determination
            made? Is such material appropriately marked?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:2:6:question:1
          text: Is BD aware of and does it understand how to obtain authorization
            to designate controlled data into the public domain?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:3:question:1
          text: If operating under a license, how is the license is implemented and
            how are its conditions of approval met?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:4:question:1
          text: What is the policy for BD personnel traveling overseas with mobile
            devices? Please explain how this is coordinated with IT and the trade
            compliance office.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:5:question:1
          text: Does your organization permit hand-carry exports to occur? If so,
            please explain the procedures.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:6:question:1
          text: ' How are meetings with foreign persons recorded? What is the procedure
            for conducting such meetings?'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:question:1
          text: How does your organization handle a visit by a foreign person?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:1:question:1
          text: Does your organization have an established procedure to conduct a
            plant tour?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:2:question:1
          text: Does trade compliance review and approve foreign person visitors in
            advance, e.g., are your foreign person visitors screened against restricted/denied
            party lists before they visit?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:3:question:1
          text: Are foreign person visitors always escorted by a U.S. person employee
            of your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:6:7:4:question:1
          text: While visiting your organization, do visitors always wear badges that
            clearly indicate they are non-U.S. Persons?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Engineering / Product Development / Technical Roles
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:1:question:1
          text: How are products or technologies developed? Is it a global or multiparty
            process? Are the parties you work with screened prior to collaboration?
            If so, who conducts the screening and where are the records kept? If not,
            why not?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:2:question:1
          text: What are the procedures used to develop and distribute product or
            technology export classifications?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:3:question:1
          text: Are relevant employees trained on processes of jurisdiction and classification,
            including the order of review?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:4:question:1
          text: What are the procedures for controlling visitors to access facilities,
            especially foreign nationals if involved in the process? Visitor access
            to company computer systems?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:5:question:1
          text: Are there formal procedures for the release of sensitive data to third
            parties? Is there a mechanism in place to notify and bind recipients of
            such data to follow company policy and export control laws?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:6:question:1
          text: "Who is responsible for assessing a commodity\u2019s end use or application?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:7:question:1
          text: With whom in the company is end-use or application specific evaluations/determinations
            shared? Does that include trade compliance personnel for purposes of export
            classification? Where in the development process is export compliance
            consulted?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:7:8:question:1
          text: "Where is product or technology development information stored? In\
            \ hard copy, on site? In hard copy, with the third parties? Electronically\
            \ \u2013 e.g., File Transfer Protocol? Cloud-band? Closed system (i.e.,\
            \ non- networked electronic library)? Other?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Commodity Jurisdiction Process/Classification of Products
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:1:question:1
          text: Is there a process for determining what data is considered general
            marketing or public domain information versus technical data that requires
            a license or the use of an exemption? What is the process for reviewing
            whether the data is in the public domain? Do you clearly identify on the
            information itself the ITAR-controlled status of the information?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:2:question:1
          text: Have you developed a standard operating procedure for classification
            and designated trained individuals to conduct classification?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:3:question:1
          text: Is a classification review conducted by the Empowered Official in
            the compliance office?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:4:question:1
          text: Are procedures in place for ensuring that no technical data is exported
            to potential foreign customers or suppliers prior to a review by the trade
            compliance office to determine the proper jurisdiction and classification
            and any licensing requirements? If so, is there a process for ensuring
            that all functional areas (i.e., sales, marketing, business development,
            procurement, and program management, etc.) are aware and properly trained
            to those requirements?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:question:1
          text: 'If the company purchases or obtains controlled products or technology,
            does it:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:1:question:1
          text: Determine the proper jurisdiction of the article from the original
            equipment manufacturer?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:2:question:1
          text: If required, implement a technology control plan for the products
            or technology obtained?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:8:5:3:question:1
          text: Maintain records of export activities concerning the product(s)?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Shipping
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:1:question:1
          text: Explain in general the process for handling international shipment
            of goods. How is this coordinated with trade compliance?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:2:question:1
          text: Does shipping coordinate sufficiently with the trade compliance office?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:3:question:1
          text: Does shipping and receiving receive adequate support and tailored
            training from the trade compliance office?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:4:question:1
          text: Who is responsible for obtaining, contracting, and coordinating with
            your freight forwarders or customs brokers?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:5:question:1
          text: How is domestic shipping handled?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:6:question:1
          text: Who in shipping is empowered to authorize a shipment? Who is their
            backup, and are they sufficiently trained?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:7:question:1
          text: Do written procedures exist for handling incoming shipments from international
            customers?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:8:question:1
          text: "Does your organization have procedures in place to provide freight\
            \ forwarders with direction on how to export and temporarily import your\
            \ goods, including obtaining assurances that shipments of ITAR-controlled\
            \ defense articles will not transit ITAR \xA7 126.1 countries?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:9:question:1
          text: What procedures exist for placing a destination control statement
            on the necessary paperwork and shipping documents, and who is responsible
            for this placement?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:10:question:1
          text: What is the procedure for maintaining shipping records? Where are
            they located and for how long are they kept?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:9:11:question:1
          text: Who is responsible for maintaining empowered attorneys for the freight
            forwarders and brokers?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Information Technology
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:1:question:1
          text: Are all IT personnel sufficiently trained regarding export controls?
            Is tailored training provided? If so, how, by whom, and how often?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:2:question:1
          text: To what extent and how does IT coordinate with trade compliance regarding
            storage and access to export-controlled data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:3:question:1
          text: What are the procedures and criteria for granting access to the system
            for employees and contractors? Are they different?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:4:question:1
          text: What limitations and/or restrictions are placed on others who are
            not full- time employees of your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:5:question:1
          text: What types of controls are used to prevent unauthorized external access?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:6:question:1
          text: Is there a mechanism in place for tracking what and by whom documents
            were accessed, copied, shared, or emailed outside the business?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:7:question:1
          text: What is the policy for remote access of the server by employees and
            or contractors, including at both domestic and international locations?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:8:question:1
          text: "Explain in detail your organization\u2019s process for transmitting\
            \ any technical data overseas."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:9:question:1
          text: Does a process exist to label technical data before it is sent out
            outside of your organization?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:10:question:1
          text: "When transmitting unclassified technical data using end-to-end encryption,\
            \ are all the requirements of ITAR \xA7 120.54 met?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:11:question:1
          text: Is there a system in place to mark or identify electronically technical
            data, e.g., do documents containing such data have an export legend citing
            the regulatory authority?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:12
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:12:question:1
          text: "How are cyber-attacks identified and what is the organization\u2019\
            s investigation and mitigation strategy?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:13
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:13:question:1
          text: Is the trade compliance office informed of cyber-attacks? What government
            agencies does the organization notify of any cyber-attack?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:14
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:14:question:1
          text: Is there a mechanism to check-in and check-out to track the use of
            technical data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:question:1
          text: Does your organization have procedures for issuing and using mobile
            devices? Does it cover international travel?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:1:question:1
          text: Do employees receive or can they access ITAR-controlled technical
            data on mobile devices?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:15:2:question:1
          text: For international travel, does your organization issue and ensure
            that employees travel with clean or sanitized mobile devices? Please explain.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:question:1
          text: What type of server system does your organization use, e.g., are the
            servers in-house or leased?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:1:question:1
          text: Is there a protocol in place to retain and backup all emails and documents
            on the server? If so, explain how long the documents and emails are retained.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:2:question:1
          text: If necessary, can emails from former employees be retrieved or reconstructed?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:3:question:1
          text: "Where is your server located? If located overseas, do you ensure\
            \ that ITAR-controlled technical data is not stored or backed up to the\
            \ foreign server, unless it meets the criteria set out in ITAR \xA7 120.54(a)(5)\
            \ regarding storage of unclassified technical data secured using end-to-end\
            \ encryption?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:4:question:1
          text: What procedures exist for limiting foreign access to the server by
            foreign customers or partners? Does your organization ever allow such
            access?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:16:5:question:1
          text: Are your cloud software systems FedRAMP certified?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:17
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:10:17:question:1
          text: "What is your organization\u2019s process regarding access to IT servers\
            \ when an employee is terminated from your organization? What measures\
            \ are taken to ensure the former employee can no longer access your organization\u2019\
            s server and information?"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c
      name: Physical Security
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:1:question:1
          text: Do you have a process for visitor access?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:2:question:1
          text: How do you process foreign national visitors? For example, screening,
            export analysis, badging, IT access, etc.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:3:question:1
          text: How do you prevent visitor access to areas containing sensitive technology
            or data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:4:question:1
          text: Do you train physical security personnel to understand where export
            control compliance issues arise? Who conducted the training? How often?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:5:question:1
          text: Are export control requirements incorporated in all access procedures?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:6:question:1
          text: Are there any specific technology control plans in place that govern
            physical or visual access to controlled products or technical data?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11
      implementation_groups:
      - 7C
      question:
        question_type: text
        question_choices: null
        questions:
        - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-7c:11:7:question:1
          text: Who manages technology control plans? How often are they reviewed
            and updated?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8
      assessable: false
      depth: 1
      ref_id: ELEMENT 8
      name: ITAR COMPLIANCE MANUAL
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8
      ref_id: ELEMENT 8A
      name: Objectives of the ITAR Compliance Manual
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8a
      description: "Organizations should develop an ITAR Compliance Manual (ICM) and\
        \ make it available to all employees. The primary objective of the ICM is\
        \ to provide all employees with a written, authoritative source that sets\
        \ forth the organization\u2019s policies and procedures for ITAR compliance\
        \ and that defines clear and consistent responsibilities and expectations\
        \ for employees with respect to ITAR compliance. ICMs are also useful for\
        \ helping organizations preserve institutional memory and share best practices\
        \ regarding ITAR compliance."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8
      ref_id: ELEMENT 8B
      name: Drafting an Effective ITAR Compliance Manual
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b
      description: "The export compliance team should take the lead in drafting the\
        \ ICM. After the export compliance team has developed a draft manual, organizations\
        \ should consider selecting various employees who work in different business\
        \ units outside of export compliance to review and provide feedback on the\
        \ draft. This ensures that the manual incorporates suggestions and clarifications\
        \ from the organization\u2019s various business units. This also helps to\
        \ get their support and buy-in for the ICM. Organizations should obtain final\
        \ approval for the ICM from senior leadership before finalizing the document."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b
      description: 'An effective ICM should be well organized, easy to understand,
        and should:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: Explain why export compliance is important to the organization,
        including the promulgation of an Export Compliance Management Commitment Statement.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: Provide summaries of applicable export laws and regulations.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: What is the role and function of the ITAR Compliance Program?
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: "Identify the roles and responsibilities of relevant export compliance\
        \ personnel and other functional personnel who are responsible for ensuring\
        \ the organization\u2019s compliance with the ITAR."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: Explain how employees should coordinate both within the compliance
        function and outwardly with other parts of the organization to ensure ITAR
        compliance.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: Capture the day-to-day operations and ITAR compliance risks relevant
        to the organization, including through diagrams or other visual aids.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: "Describe in detail the organization\u2019s compliance policies\
        \ and procedures.The ICM should either include or reference the organization\u2019\
        s policies and procedures, which should cover:"
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Preventing, detecting, and reporting AECA and ITAR violations;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Identifying, classifying, and marking defense articles, defense
        services, and technical data, to include the evaluation of authorized limits
        of software version;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Incorporating AECA and ITAR compliance into management business
        plans at the senior executive level and various business functions to ensure
        effective compliance;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Obtaining, managing, and complying with the scope of ITAR authorizations;
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Maintaining appropriate records; and
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7:6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:7
      description: Meeting and maintaining adequate AECA and ITAR compliance staffing
        levels at all divisions and facilities.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: Include templates, checklists, and/or forms that are applicable
        to ITAR compliance within the organization.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2:9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8b:2
      description: "The organization\u2019s ITAR compliance training plan for its\
        \ employees."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8
      ref_id: ELEMENT 8C
      name: Publication and Access
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c:1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8c
      description: Organizations should make their ICMs readily available to all employees,
        such as by posting the ICMs on internal websites and emailing the ICMs periodically.
        ICMs should clearly identify an appropriate point of contact for any questions
        and export control concerns. Organizations should also incorporate their ICMs
        into their export compliance training programs and encourage employees to
        use the ICMs as a reference.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8
      ref_id: ELEMENT 8D
      name: Updating the ITAR Compliance Manual
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d
      description: 'Organizations should periodically review their ICMs for updates,
        revisions, and improvements based on these factors:'
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1
      description: Any changes to the ITAR or DDTC guidance.
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1
      description: "Best practices and lessons learned from ITAR violations or \u201C\
        close calls\u201D within the organization or other organizations."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1
      description: "Vulnerabilities identified in the organization\u2019s ITAR Compliance\
        \ Program, or negative ad-hoc testing results or audit findings."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1:4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:1
      description: "Key risk aeras and changes to an organization\u2019s ITAR risk\
        \ factors, including where such risk factors have changed because of a merger,\
        \ acquisition, and/or divestiture, or where there are changes to the organization\u2019\
        s product line, services, or customers."
    - urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d:2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:itar-compliance-program-guidelines:element-8d
      description: Compliance personnel should have the ability to make suggestions
        or changes to internal ITAR-compliance processes and procedures. ICMs should
        be updated on a regular basis, at least annually.