Do As We Say, Not As We Do: Inspector General Report Criticizes NASA’s Export Compliance Program, Including Foreign National Access to ITAR-Controlled Information
By Michael
Burton and Doug Jacobson, Jacobson Burton PLLC
Complying
with the International Traffic in Arms Regulations (ITAR) poses significant
challenges not only to industry but also to U.S. Government agencies.
On February
26, 2014, the National Aeronautics and Space Administration's (NASA) Office of
the Inspector General (OIG) published a summary of its investigatory “Review of International
Traffic in Arms Regulations and Foreign National Access Issues at Ames Research
Center” (OIG Review) that strongly criticized NASA’s export compliance
program, including how the agency handled access to ITAR-controlled technical
data by foreign national contractors.
The OIG
Review was the continuation of a four-year criminal investigation by the
Federal Bureau of Investigation, Department of Homeland Security and NASA’s OIG
into allegations that foreign national contractors at NASA’s Ames Research
Center (Ames) in California had been given “improper access” to information
subject to the ITAR.
In February
2013, the U.S. Attorney for the Northern District of California closed the matter
without bringing any criminal charges. However, NASA's OIG continued its investigation.
One year later, the OIG presented a 41-page report describing its investigation
and findings to the NASA Administrator. The full report was not released to the
public due to privacy concerns, but a summary was recently published “given the
importance of the allegations and the media and congressional attention they
received.”
In its public
summary, the NASA OIG concluded:
"In sum, we did not find intentional misconduct by any Ames civil servants but believe some Ames managers exercised poor judgment in their dealings with foreign nationals who worked [at the Ames] Center.”
The OIG’s main
findings, which illustrate a number of perennial deemed export and technology
transfer pitfalls arising under the ITAR as well as the U.S. Export Administration
Regulations (EAR), were as follows:
- Several foreign nationals worked on projects later determined to have involved ITAR technical data without a license.
- On two occasions, a senior Ames managed shared documents containing ITAR markings or that had been identified as containing ITAR technical data with unlicensed foreign nationals.
- Significant disagreement existed among NASA engineers, scientists, and export compliance personnel at Ames and NASA Headquarters regarding whether the projects and data to which the foreign nationals had access were subject to the ITAR.
- The foreign nationals subsequently applied for and were granted licenses authorizing their access to the ITAR-controlled technical data.
- A foreign national employee, who was licensed to receive defense technical data, carried abroad a NASA-issued laptop containing defense technical data without obtaining the required ITAR authorization. OIG could not substantiate whether that data was released to foreign nationals while abroad.
- Procedures to protect NASA property and technology were not consistently followed in a rush to hire foreign nationals.
- A foreign national employee received unescorted access privileges prior to undergoing the requisite background check and worked at Ames for nearly 3 years without a required Technology Control Plan.
- OIG was not able to substantiate allegations that any foreign nationals had been provided classified information.
Rather, you
should consult qualified legal counsel, export compliance consultants or,
depending on the nature of the hardware, software or technology, obtain a written
determination from the agency with jurisdiction over the matter at hand before
proceeding. (Either a Commodity Jurisdiction from the State Department's
Directorate of Defense Trade Controls for items and technical data subject to
the ITAR or a Commodity Classification from the Commerce Department's Bureau of
Industry and Security for items and technology subject to the EAR.)
While the ongoing
Export Control Reform Initiative should help minimize the confusion, ECR has added an additional layer of complexity since the jurisdiction between the ITAR and the EAR is in flux, at least in the short
run.
Ultimately,
the OIG “concluded that these incidents resulted more from carelessness and a
genuine disagreement about whether the information qualified for ITAR
protection than an intentional effort to bypass ITAR restrictions.” This observation is common to probably 97% or
more of the cases we see. While this
determination was apparently sufficient to avoid liability against those
involved at NASA, it would be cold comfort to the private sector and would
likely invite a civil enforcement action by DDTC or BIS and a hefty fine, as
companies in Washington
and California
recently experienced.
To help
organize and simplify the approach to compliance in this complex area of
technology export controls, we leave you with a basic outline of the key
compliance steps:
- Identify and classify your technology and technical data. (Note that the ITAR uses the term "technical data" while the EAR uses the term "technology" to cover export controlled information.)
- Mark the controlled technical data appropriately.
- Determine to which countries and nationalities the technology or technical data is controlled.
- Identify the vectors for release of controlled technology or technical data.
- Identify the universe of foreign national employees, including contractors. This includes conducting a thorough review during the visa application process, as required by section 6 of the USCIS I-129 form.
- Obtain the appropriate DSP-5 from DDTC or deemed export license from BIS when necessary.
- Design and implement a Technology Control Plan (TCP) to restrict access to controlled technology unless a license is obtained or a license exception / exemption is available.
- Train relevant employees and contractors on export compliance and the TCP.
- Audit the TCP on a regular basis to make sure it is being followed and make upgrades and changes as needed.
The NASA Administrator's
response
to the OIG Report indicated that NASA will consider the information contained
in the report as they "further evaluate and strengthen NASA's foreign national access and export control processes." Companies that deal with ITAR and other
export controlled information should commence their review of foreign national
access and compliance sooner rather than later, as they might not be as lucky
as NASA.