When your company gears up to start developing ITAR/USML controlled technology projects, it’s time for your compliance group to hunker down over those internal export compliance procedures—not just restricted/denied party screening and classification—and go through those ITAR compliance checklists, to get the project team members all humming the same ITAR technology transfer compliance tune.
With the sincere hope that many of these tips are already in place within your company, here is a short list of 5 major ways that your ITAR compliance group can help prevent technology transfer slips during a United States Munitions List or ITAR controlled technology project.
Denote a Project Manager
Designate an individual as the ITAR project manager. He/she will be the premier, accountable individual for the project’s compliance with International Traffic in Arms Regulations and will also be responsible for the implementation of your company’s internal tech transfer policies.
The project manager ensures that everyone working on the project knows the content of the company’s ITAR technology transfer policy and any other specific requirements associated with the project. The project manager will also ensure that everyone working on the ITAR controlled project is authorized to receive ITAR data.
Screen Project Personnel against Restricted / Denied Party Lists
Screening is essential to help make certain that the project team is composed of only authorized personnel who can receive ITAR data. Diligent restricted and denied party screening—as well as sanctioned and embargoed country screening—should be supplemented with a dynamic rescreening policy that rescreens the personnel on your project roster whenever there are changes to any of the compliance lists. If your screening solution provider is Visual Compliance, you will automatically be notified if any previously-clear participants suddenly appear on a government watch list.
Restricted party screening is a fundamental building block of any export compliance program. You should not only be actively screening everyone on your ITAR controlled project team, but also any site visitors, suppliers, freight forwarders, and any other trade partners involved.
Maintain a Roster of Authorized Personnel for the Project
Screening your project personnel against restricted and denied party lists will automatically begin to build a roster of all the individuals authorized to work on the project. This roster will become the authoritative guide for the project team. They should know each person on the list and any significant individuals in the company who are not on the list.
The roster establishes with whom they can or cannot share project data. A copy should be made available in a location that’s accessible to everyone on the team, and anyone who is not on this list should not be allowed access to any of the project’s data.
Clearly Label All ITAR Documents
Every document—every single piece of data committed to paper, whether scribbled on a napkin, or printed on a blueprint—needs appropriate warning labels that clearly identify it as ITAR controlled. Direct warnings, such as “Export Controlled Information-ITAR,” are highly recommended in all cases, and should be clear enough to read from a distance.
Secure all of these documents in lockable cabinets when not in use. Every one of them should be thoroughly shredded and appropriately discarded into confidential material disposal bins. This is to prevent the accidental filing of controlled data in non-controlled files. The shredding keeps intact data out of your company’s waste bins.
Be Conscious of Psychological Manipulation
It’s amazing what a warm smile and an outstretched hand can achieve. Social engineering, in the context of information security, refers to the psychological manipulation of people in order to trick them into performing actions, or divulging confidential information. Always be on the lookout for social engineering techniques, whether in person, online, or on the phone. Here’s an example:
Bill is approached by a young man in a white lab coat with a warm smile and an outstretched hand.
Man: Ah, you must be Bill. I was just speaking with your supervisor about you. Great work on the engine parts, by the way. Oh, that reminds me, your supervisor asked to take a look at the latest printouts. I need to get a printout of your latest schematics. Is that possible?
Bill: Sure, follow me to the printer. She said it was great work?
Man: Your supervisor? She sure did, Bill.
Bill has never seen this man before, but he has just provided him with a printout of the latest project designs. Many of the above tips are meant to rigorously structure project procedures in such a way as to safeguard against the possibility of social engineering.
It’s never a bad idea to talk openly with your project team about social engineering and why these compliance procedures are in place. Making sure everyone knows the story means they will also know the pitfalls in the plot and the characters to watch out for. Thanks for reading, and keep compliant!