Defense Export Controls: What Your Company Needs to Know About the New ITAR Compliance Risk Matrices
The Directorate of Defense Trade Controls (DDTC) of the U.S. Department of State recently issued an updated International Traffic in Arms Regulations (ITAR) risk matrix (Risk Matrix), including a supplemental risk matrix specific to universities, research institutes, and laboratories (University Risk Matrix). These risk matrices are used to help organizations (1) assess their ITAR compliance risk level and (2) evaluate potential compliance risks specific to each organization which, if left unaddressed, may lead to ITAR violations.
These matrices allow organizations that manufacture, export, broker, or temporarily import defense articles and services as outlined on the United States Munitions List to assess their level of ITAR compliance risk. These matrices provide organizations with tools to assess the likelihood that ITAR violations may occur and why, as well as the types of ITAR violations that the company is likely to encounter or may result in harm to U.S. national security. These guidelines help companies craft, implement, revise, and allocate resources for ITAR compliance programs.
The Risk Matrix recommends that companies approach ITAR compliance in three steps: (1) identify any ITAR-controlled activities or defense articles, including technical data; (2) recognize threats and vulnerabilities relevant to those ITAR-controlled activities or defense articles; and (3) formulate a risk-based ITAR compliance program to mitigate the company’s vulnerabilities.
The University Risk Matrix builds upon these basic principles, directing universities, research institutes, and laboratories to also consider more granular ITAR exposure risks to better assess their ITAR compliance.
DDTC identifies various risks under each of these three parts, which are then further delineated based upon their risk level: low, medium, or high. Certain regular business activities may create risks under the ITAR and can be traps for the unwary.
While the risk matrices are meant to be tools for an organization to use in reviewing and assessing their ITAR compliance risks and to achieve a general understanding of their level of ITAR compliance, they are not comprehensive, exhaustive, or specifically tailored to each organization’s operations and functions. Companies should consult with Buchanan’s national security team to assist in evaluating their specific ITAR compliance risks, developing robust compliance programs, and navigating through the ITAR and Arms Export Control Act.