Do As We Say, Not As We Do: Inspector General Report Criticizes NASA’s Export Compliance Program, Including Foreign National Access to ITAR-Controlled Information
"In sum, we did not find intentional misconduct by any Ames civil servants but believe some Ames managers exercised poor judgment in their dealings with foreign nationals who worked [at the Ames] Center.”
- Several foreign nationals worked on projects later determined to have involved ITAR technical data without a license.
- On two occasions, a senior Ames managed shared documents containing ITAR markings or that had been identified as containing ITAR technical data with unlicensed foreign nationals.
- Significant disagreement existed among NASA engineers, scientists, and export compliance personnel at Ames and NASA Headquarters regarding whether the projects and data to which the foreign nationals had access were subject to the ITAR.
- The foreign nationals subsequently applied for and were granted licenses authorizing their access to the ITAR-controlled technical data.
- A foreign national employee, who was licensed to receive defense technical data, carried abroad a NASA-issued laptop containing defense technical data without obtaining the required ITAR authorization. OIG could not substantiate whether that data was released to foreign nationals while abroad.
- Procedures to protect NASA property and technology were not consistently followed in a rush to hire foreign nationals.
- A foreign national employee received unescorted access privileges prior to undergoing the requisite background check and worked at Ames for nearly 3 years without a required Technology Control Plan.
- OIG was not able to substantiate allegations that any foreign nationals had been provided classified information.
- Identify and classify your technology and technical data. (Note that the ITAR uses the term "technical data" while the EAR uses the term "technology" to cover export controlled information.)
- Mark the controlled technical data appropriately.
- Determine to which countries and nationalities the technology or technical data is controlled.
- Identify the vectors for release of controlled technology or technical data.
- Identify the universe of foreign national employees, including contractors. This includes conducting a thorough review during the visa application process, as required by section 6 of the USCIS I-129 form.
- Obtain the appropriate DSP-5 from DDTC or deemed export license from BIS when necessary.
- Design and implement a Technology Control Plan (TCP) to restrict access to controlled technology unless a license is obtained or a license exception / exemption is available.
- Train relevant employees and contractors on export compliance and the TCP.
- Audit the TCP on a regular basis to make sure it is being followed and make upgrades and changes as needed.