When you deal with defense-related data and services, the different compliance regulations you’re subject to can be difficult to keep straight. One set of compliance mandates, ITAR, comes from the DDTC. Learn more about the DDTC, its relation to ITAR and USML, and how to maintain compliance.
What is the DDTC?
The Directorate of Defense Trade Controls (DDTC) is an agency within the U.S. Department of Defense. The DDTC mission is: “Ensuring commercial exports of defense articles and defense services advance U.S. national security and foreign policy objectives.”
Thus, they are tasked with monitoring how defense articles are shared and services are conducted. Minimizing vulnerabilities in these two areas help to maintain security and protect national interests.
DDTC administers the International Traffic in Arms Regulations, a set of guidelines designed to keep sensitive materials out of the hands of non-authorized U.S. citizens and non-citizens. ITAR covers items listed on the United States Munitions List (USML), listed in sections 38 and 47(7) of the Arms Export Control Act, which includes items like data and services pertinent to military weapons and plans.
What Does the DDTC Regulate?
The DDTC regulates defense articles and defense services. Let’s look at defense articles first. This may seem like a vague term, but defense articles can cover any technical files related to U.S. defense data, items, and services. This could include digital and physical data.
In fact, incomplete items can fall under the defense article category. This means that even items that have reached a stage in the manufacturing process in which they can be identified as defense articles must be protected.
In addition to defense articles, defense services are covered, too. Defense services are actions or activities that assist in the creation of defense-related items. As the U.S. government puts it:
“The furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles.”
Who Does DDTC Impact?
DDTC guidelines, including ITAR, impact anyone dealing in or using items on the USML. This includes government contractors and subcontractors, in addition to the following:
- Wholesalers
- Distributors
- Computer Software and Hardware vendors
- Third-party suppliers
For companies that fall under one of the categories listed above and are subject to ITAR regulations, it’s mandatory that you register with the DDTC. This is required for all manufacturers, exporters, importers, and brokers of defense articles. While registering with the DDTC doesn’t grant you any export or import privileges, taking this step is important as it informs the U.S. government that you are involved in activities that fall under the ITAR umbrella. Registration is usually an important first step toward being issued an import or export license.
In addition to providing essential information to the government, you also must register with the DDTC to avoid serious noncompliance consequences. Handling ITAR-related material without properly informing the government makes it difficult to ensure that defense articles are being securely shared. ITAR violations, including failure to maintain DDTC registration, could result in civil fines as high as $500,000 and criminal fines as high as $1,000,000. You could also face ten years in prison per violation.
Not only could these consequences seriously damage your company’s reputation and financial standing, but they could also come at a high personal price. That’s why it’s so important to understand your obligations under ITAR and properly register with the DDTC.
An Overview of ITAR Regulations
Now that you have a better understanding of the DDTC, let’s look at ITAR. The best way to understand ITAR is by understanding the goal of these regulations: to keep USML items out of the hands of non-U.S. citizens. It’s that simple. Only citizens are allowed to handle USML data.
While the goal of ITAR is simple, enacting that goal has become more difficult as markets expand on a global level. More and more companies are hiring teams outside the U.S. Even if a company you sub-contract work to employs non-U.S. citizens, you’re at risk of noncompliance with ITAR. The State Department can issue exemptions to this ITAR mandate, and there are some countries that are exempt from this USML blackout.
Steps to ITAR Compliance
The best way to align with ITAR regulations is to take steps to properly secure your data.
- Understand Your Role. Does your business fall under ITAR regulations? If so, what is expected of your business? Knowing your obligations and the risks areas that may require additional security is a great place to start your ITAR compliance efforts. Researching ITAR and knowing how it applies to your business is the first step.
- Address Vulnerabilities. Assess all of your networks, devices, file sharing processes, and more to identify any vulnerabilities. When issues are detected, take action to correct them.
- Register with DDTC and Obtain Proper Licensing. As stated above, registering with the DDTC is imperative. Once you’ve registered, you can secure the licensing needed for importing and exporting USML-covered data.
- Maintain Your Compliance Efforts. Compliance is an ongoing process. You must establish a thorough, repeatable compliance plan to ensure you’re in constant alignment with ITAR.
- All processes are documented.
- The plan is specific to your business.
- The plan is regularly reviewed and updated as needed.
- Compliance efforts have buy-in from the top down.
ITAR compliance is easily achieved with an effective plan and the proper tools in place. One such tool is a secure file sharing solution aligned with ITAR compliance. This allows you to limit who has access to your data on a granular level, mitigating the risk of unauthorized data leakage. You’ll maintain ITAR compliance and have a better way to manage your data.