Regulatory, Statutory and ITAR/EAR Requirements: What An Auditor Needs To Know
Atlanta, GA
July 22-23, 2010
Dr. Ingrid D. Knox
Adjunct Professor, Embry Riddle Aeronautical University, and Aerospace Engineer with FAA
Auditor Workshop
Company Confidential
Objective
Registration Management Committee (RMC)
Regulations
Export
• The definition of export includes:
– Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the U.S. or abroad; or
– Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the U.S. or abroad.
– The transfer of anything to a Foreign Person by any means, anywhere, anytime, or the knowledge that what you are transferring to a U.S. Person will be further transferred to a Foreign Person.
• Export (Cont’d)
– Or transferring in the United States any defense articles to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the U.S. or abroad; or performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the U.S. or abroad.
Technical Data
Data
ITAR
• ITAR Definitions
• ITAR Terms
– Technical Data – Information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles; classified information related to defense articles; information covered by an invention secrecy order; software directly related to defense articles.
ITAR Definitions
• ITAR Terms
– Foreign Person – Opposite of U.S. Person
– Export – sending or taking a defense article out of the U.S. in any manner, except by mere travel outside of the U.S. by a person whose personal knowledge includes technical data; or transferring registration, control of ownership to a foreign person of any aircraft, vessel, or satellite covered by the USML, whether in the U.S. or abroad; or disclosing (including oral or visual disclosure)
Proscribed
ITAR
EAR
• EAR Terms
– Export – an actual shipment or transmission of items subject to the EAR out of the United States; or release of technology or software subject to the EAR to a foreign national in the U.S.
• Terms
– Re-export – shipment from one foreign country to another foreign country
– Publicly Available Information – information that is generally accessible to the interested public in any form and, therefore, not subject to the EAR.
– Publicly Available Technology and Software – technology and software that are already published or will be published; arise during, or result from, fundamental research; are educational; or are included in certain patent applications (see 15 CFR 734).
ITAR
• Military application is a key concept:
• Defense services and articles are regulated by ITAR
• What is a defense article:
– An item that is/was specifically designed, modified, or developed for a military application and is listed on the United States Munitions List (USML).
– If the above statement is the case, then the item is controlled by the International Traffic in Arms Regulations (ITAR).
ITAR
• ITAR – Agency
– Directorate of Defense Trade Controls (DDTC), U.S. Department of State.
– International Traffic in Arms Regulations
» Code of Federal Regulations Parts 120-130
– EAR
» Export Administration Regulations
» Full text of the Federal Law available at (http://pmdtc.org/reference.htm)
Auditor
Auditors
• Rule of Thumb 1:
• Certification bodies developed a plan as to how they are going to ensure that restricted items in their possession are only available to persons that have a need to know, such as:
– U.S. Persons;
– Licensed Organizations or Individuals; and
– People, companies, and countries that have legal access.
– The plan should be shared with auditors if it has an effect on auditing.
• Rule of Thumb 2:
– Companies should be aware of the export control status of both their categories/items and the individuals and companies with whom they are sharing the data.
– This information can be shared with the auditors.
• Rule of Thumb 3:
– The certification body first determines whether it is going to collect and keep any restricted data that comes to the body from the auditor or company as part of the audit.
– The auditor should be informed by the certification body of how to process the data if a set plan is in place.
• Rule of Thumb 5:
– Prior to and at the beginning of the audit, the lead auditor may speak to the Supplier to ensure that the Supplier shall identify specifications, processes, and drawings (referred to as “auditable material” which are restricted under the ITAR and EAR).
– The Supplier shall contact the owner of any information for clarification when unsure about whether information is export controlled under ITAR or EAR.
• Rule of Thumb 6:
• The auditor's role is not to remind the Supplier of its ITAR and EAR obligations. The company should be aware of its obligations; it is not the auditor's role to make the company aware.
• The Auditor shall not be held liable for any unauthorized transfer of restricted data, unless such auditor knew or should have known of the restricted nature of the data.
• Rule of Thumb 7:
• The Auditor receives direction from the certification body on how to deal with ITAR and EAR. Some bodies will restrict access to the auditor and, of course, how the information is recorded is restricted.
• Additional information can be discussed during the opening meeting in-brief if needed.
• Rule of Thumb 8:
• Auditors check with the certification body on restrictions on posting ITAR/EAR. Typically, material should not be removed from the supplier facility by the auditor.
• Contact the certification body or staff for direction if objective evidence is necessary to support the audit.
• Rule of Thumb 9:
– Some Certification bodies may be vigilant to comply with this U.S. law and avoid review of any ITAR/EAR material.
– As an auditor you should check with your certification body on the requirements.
• Rule of Thumb 15:
• Auditors can address the subject of export control in opening meeting in-brief.
• Their status (as a US Person or as a Foreign Person) and what that means to the audit.
• Expectation that customer will control access to restricted data accordingly.
• Certification body procedures if there is a problem.
• Certification body policy on data retention or purging if applicable.
Auditable Material
Material
Purchase Order Example
Material
• Point of Clarification
– Suppliers located outside of the U.S. may be licensed under the legislation and may be processing ITAR/EAR material.
Penalties
Keys
• Key 2
– Auditors need to understand not to give any kind of advice on defense service or technical advice.
• Key 3
– Auditors need to understand how to review, accept or reject corrective actions on findings.
• Key 4
– Auditors need to understand what is expected of them by the certification body.
• Key 5
– Auditors need to understand the fundamentals of export control and the company’s policies and certification body requirements.
Regulations
• Regulations Examples:
• 145.163: Training requirements: Employee training program (initial and recurrent) approved by the FAA.
Exercise
Restricted Write-Up
• XYZ Manufacture
• XYZ technical engineering manufacturing plan operation 450 on 9-15 spool (IZ876P5J) was incorrect. The engineering planning sheet called that heat treat operation sheet called for Department of Navy hardness result of HRC 50-55; the specification MIL345 018-08z called for HRC 60-70.
• Does this write-up reveal technical data? If so, rewrite the write-up.
End of presentation; remainder of slides are provided for your information only
ITAR
• ITAR
– Public Domain (Cont’d)
» University research will not be considered fundamental research if:
• the University or its researchers accept other restrictions on publication of scientific and technical information resulting from the project or activity, or
• the research is funded by the U.S. government and specific access and dissemination controls protecting information resulting from the research are applicable.
Regulations
Export Control Stakeholders
Defense Services
ITAR
USML
Disclaimer
This brief contains information herein that is intended to be a general service to auditors and cannot be a substitute for a thorough and careful review and evaluation of readings of the governmental laws, regulations and rulings.
No responsibility is assumed by the presenter for the accuracy or timeliness of any of the material or information provided herein applicable to any particular case or circumstance.
These materials do not represent the views of the Federal Aviation Administration (FAA) or any government agency. These materials are intended to provide concise, convenient, and helpful concepts and information about regulations. The presenter does not represent the FAA, nor is she speaking on behalf of the FAA or paid for this public service.
The material does not, and is not intended to, constitute legal or other advice or an official reading of the referenced regulations by the government.
This brief cannot be used as a substitute for the government rules, processes, or procedures or a thorough reading of the actual statutes, regulations, and other documents that apply to the complex area of ITAR and regulatory requirements. These include, but are not limited to, International Traffic in Arms Regulations (ITAR) and other laws and regulations. Government sources are controlling in the event of any inconsistency with the material or information provided herein. Information does not represent the view of ERA University or FAA. Some parts of this overview were originally presented at the NASA Export Control Program website at http://www.hq.nasa.gov/office/codei/nasaecp/ and have been modified for purposes of relation to this brief. All items on the U.S. Munitions List are covered by this law. The presenter is not providing this information as an expert for any government agency but is only providing information she researched on the subject material. Most of the information provided was provided from the public domain. This material is intended only as an overview tool and does not provide all substantive information that may be needed to make a responsible decision. Auditors should contact their certification body for assistance.