Think about the technology that your company has developed recently and planning to have a patent. You are even ready to roll this out commercially, but then you suddenly learn that some legal requirements may apply. And these requirements include civil and criminal sanctions that can land you in jail for up to 10 years. To avoid such violation of the law, take some time off and understand the term ITAR (International Traffic in Arms Regulations, 22 CFR 120-130).
Some people in the industry might claim that ITAR rules are obvious, and one just needs to review the appropriate federal government website for information. Don’t fall for such traps; ITAR is as easy as the US tax code. Therefore, take special care to determine what aspects or elements of ITAR, if any, needs your attention.
In this post, we will be covering the following points:
What is ITAR?
International Traffic in Arms Regulations is a set of rules specified by the U.S. government. It governs the manufacture, sale, and distribution of defense and military-related articles, services, and technologies stated in the U.S. Munitions List (USML) to ensure security. Quite heavy! It sounds more like something related to missiles and nuclear weapons, but it has more to it.
If you check the USML, you will find the majority of headings are truly defense items – firearms, guns, explosives, and tanks. But that’s not it. If you look further down the list, you will see that the categories start to overlap with commercial items like electronics, chemicals, and satellites.
Again, besides military hardware, the USML also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data.” Limiting access to physical materials is straightforward; limiting access to digital data is more complicated.
What do you mean by ITAR-compliant or ITAR-certified?
In order to be ITAR-compliant, all manufacturers, exporters, and brokers, including the technical data must follow the ITAR rules prescribed by the U.S. government. It requires the supply chain services to be ITAR-compliant too.
Suppose a company is involved in the manufacturing, sale, or distribution of the items mentioned under the USML, the requirement of being ‘ITAR-complaint or ITAR-certified’ means that the company must be registered with the state department’s Directorate of Defense Trade Controls (DDTC). It is also mandatory for a company to validate that they operate within the ITAR-specified rules. Get more insight on our 9 must-knows to design and build a circuit board for aviation and aerospace post.
ITAR compliance checklist
Suppliers use an International Traffic in Arms Regulations compliance checklist (derived from USML) to determine:
- If they are compliant or not based on registration, licenses, and voluntary disclosure
- To build an identification system for products to take corrective actions for non-ITAR compliance items.
- To implement an effective ITAR compliance program (digital signatures and auto report generation)
Benefits of being ITAR compliant
For every company, it is essential to have a properly documented ITAR compliance program. It helps with violations and future discrepancies. Check the following points to reap benefits:
- Excellent manufacturing output: Defence article manufacturers who consider ITAR compliance as a priority also guarantee the production of safe products by default. They work on productivity improvement by verifying the product design and manufacturing process for ITAR regulations.
- Reliable export operations: Exporters and importers of defense items who follow International Traffic in Arms Regulations gain visibility across their entire operations because of accurate maintenance of records. It also helps with illegal exports by obtaining licenses and other approvals.
- Avoid violations and save time and money: Just one violation and it will cost you both time and money. This compliance protects the companies from costly civil or criminal penalties.
- Boost employee morale: If any company follows these regulations, it can assure employees’ job security and retention.
- Reputation: ITAR-compliant businesses easily acquire more government contracts and win bids in weapons and ammunition. It attracts potential customers, expands the company’s network by strengthening their supply chain.
How do you protect ITAR controlled data?
Apart from ITAR compliance and penalties associated with ITAR violations, the second important thing to consider is ITAR-controlled data protection. Every company has different data security requirements. Follow the under mentioned practices for ITAR data protection:
- Adopt a reliable information security policy
- Build a secure network by installing and maintaining firewall configuration to protect data
- Use firewall protection to avoid the use of vendor-supplied passwords and other security defaults
- Provide a unique ID to each person with computer access
- Keep regular checks on test security systems and processes
- Encryption for sensitive data protection
- Implement adequate access control measures
- Track and monitor all access to network resources and sensitive information
- Build a vulnerability management program
- Adopt measures to avoid the loss of ITAR-controlled data
By keeping the above points in mind, you can ensure that ITAR data is accessible and at the same time remain protected against loss or unauthorized access.
ITAR registration is a way to provide the U.S. government with needful information on who is involved in particular manufacturing and exporting activities.
Any person/company who engages in manufacturing, exporting, temporarily importing defense articles, or furnishing defense services must register with the Directorate of Defense Trade Controls under part 122.2.
The ITAR registration does not apply to:
- The U.S. government officers and employees acting in an official capacity
- Personnel whose business activity is limited to the production of unclassified technical data only
- Personnel whose manufacturing and export activities come under the Atomic Energy Act of 1954, as amended
- Personnel who engage in the manufacturing of articles entirely for experimental or scientific purposes, including research and development
DOWNLOAD OUR IPC CLASS 3 DESIGN GUIDE:
ITAR registration fees
- Frequency of registration and fee: Registration can be done annually by submitting a statement of registration (form DS-2032) following the fee payment with respect to the guidelines available on the DDTC website. A notice for the next year’s registration is sent to those looking for renewal at least 60 days prior to the expiration date.
- Expiration of registration: A request for registration renewal must be submitted at least 30 days but no earlier than 60 days prior to the expiration date.
- Lapse in registration: A registrant who fails to renew, and seeks to register again must pay the registration fee for the lapse period. The lapse period is the time during which the registrant engaged in the manufacturing or exporting of defense articles.
Wondering where do PCBs fit in ITAR?
ITAR is quite vague with regards to PCBs on the grounds that it records them under the catch-all phrase “specifically designed” parts and components. A PCB is a “specifically designed” platform to which components are attached to perform a particular function. It clearly falls under ITAR regulations under certain circumstances.
A PCB has a lot of technical data that can be categorized as ITAR-controlled, like the fabrication drawing, artwork, CNC data, netlist information, customer manufacturing specification, and/or ODB++ data.
ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to U.S. citizens only. Meanwhile, nowhere does it state that ITAR-restricted parts must be made in the USA. The U.S. allies have been making ITAR-restricted parts for ages. Read our post on the military-grade PCB design rules and considerations.
Does ITAR require U.S. citizenship?
Under the export laws, if a foreign person is in the U.S. and has permanent resident alien status (a green card), they are treated as if they are a U.S. citizen under the export laws.
Most regulatory restrictions placed on electronics and PCBs are intended to ensure that their quality meets the requirements for reliable operation of the systems in which they are deployed. These regulations are primarily rolled out for public protection. But it also aims at limiting access to certain devices, systems, or data. By doing so, it prevents mal-intended or unqualified usage. Most ITAR violations involving PCBs are usually unintentional.
Ignorance is no excuse when it comes to national security. It will not help those in the defense electronics community when they are found to be in violation of the law. Domestically, this is accomplished by laws and statutes. Internationally, trade regulations such as the Export Administration Regulations (EAR) and ITAR are used to prevent defense devices and technologies from winding up in the wrong hands.
Why should you follow ITAR compliance?
The answer is crystal-clear, you must make sure that you are working under rules defined for your industry. Also, you want to avoid any related penalties that your business may arise from not following the ITAR regulations.
As they say, ‘prevention is better than cure.’ It provides you with better security of information and peace of mind to know that you are in full compliance with the law regarding imports and exports. Being vigilant to ITAR rules, PCB industries can avoid future ITAR violation penalties.
Registering with the DDTC is not enough; a company must be sure not to infringe ITAR regulations. Not following ITAR rules may cost in criminal/civil penalties and can also prohibit a company from future exports, including:
- Civil fines: $500,000 per violation
- Criminal fines: up to $1,000,000 per violation with 10 years of imprisonment
While each organization that is liable to ITAR prerequisites is in charge of knowing and following ITAR rules, accidental violations do occur. There are chances that you are uninformed or misinformed about your safety efforts that aren’t sufficient. Or maybe your present measures have lapsed by and are not up to ITAR norms. That’s the point where you’re accidentally in violation. These kinds of ITAR violations, for the most part, result in civil punishment. However, frequently, these punishments can be deferred if the culpable organization pursues an elective disclosure program.
Rather than accidental violations, a few organizations intentionally disregard ITAR guidelines. Perhaps they would prefer not to put resources into sufficient data security efforts, or they will not be confronted for non-compliance. Regardless of your explanation behind intentionally disregarding ITAR necessities, you could confront genuine ramifications. These outcomes could incorporate criminal or common punishments.
Omission of facts
A last kind of violation that numerous organizations commit is overlooking data that might be pertinent to ITAR. On the off chance that you adjust or forget factual data when submitting ITAR reports or neglect to report a violation, you may confront criminal or common punishments.
There’s no room for non-compliance when it comes to meeting ITAR requirements. Unfortunately, you are not given a choice. So, before you go out on the streets with your newly innovated PCBs, just make sure you are equipped enough to deal with ITAR restrictions.
In December 2019, the Department of State added an amendment to ITAR. According to the amendment, it is essential to “describe more precisely the articles that provide a critical military or intelligence advantage or, in the case of weapons, perform an inherently military function and thus warrant export and temporary import control on the USML.”
The new rule was considered in practice on March 9th, 2020, and changed the way how organizations store and share ITAR data in the cloud. With this latest amendment, data won’t be considered an ‘export’ as long as it’s unclassified, kept safe with end-to-end encryption, and cryptographically secured.
ITAR is all about U.S. national security. Not following ITAR regulations may lead to a hefty penalty. The International Traffic in Arms Regulations needs to be understood and followed religiously during the export and temporary import of sensitive materials/items, services, and technologies.
Even PCB manufacturers with no international business are also prone to unexpected ITAR compliance risks. For example, dealing with foreign nationals who have access to technology-sensitive projects. Additionally, if you are purchasing a US-made product from a domestically located supplier. In such a case, you must ensure that such PCB suppliers abide by the ITAR rules.
We believe ITAR is a big arena. Let us know in the comment section if there is anything, in particular, you want us to write about. We would love to address your concerns.
DOWNLOAD OUR DFM HANDBOOK:
This post was first published on: Sierra Circuits