
Export Control Requirements Document

Prepared by: TSCP Export Control Working Group (ECWG)

Consolidated from reviews of: United States International Traffic in Arms Regulations (ITAR), United States Export Administration Regulations (EAR), UK Export Control, Netherlands Export Control, French Export Control, EU Dual Use

Document Version: 1.0

Publication Date: July 31, 2013

Copyright © 2013 Transglobal Secure Collaboration Participation Inc.


TSCP Export Control Consolidated Requirements

All rights reserved

Terms and Conditions

Transglobal Secure Collaboration Participation, Inc. (TSCP) is a consortium comprising a number of commercial and government members (as further specified at http://www.tscp.org) (each a “TSCP Member”). This specification was developed and is being released under this open source license by TSCP.

Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user) agree to and accept the following terms and conditions:

1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is permitted provided that the following conditions are met:

Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and conditions contained herein.

Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the distribution of the product or service.

TSCP’s name may not be used to endorse or promote products or services derived from this specification without specific prior written permission.

2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such laws or regulations.

3. THIS SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE. NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR ANY THIRD PARTY.

4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a different specification.

6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and waives any objections to the venue of such court.


Contributors

TSCP Inc. extends its gratitude to the many individuals who contributed their time and effort to produce this important document. The result of their work provides a valuable resource to TSCP and its member community. Listed below are the individual contributors and their affiliations at the time of their work:

US Team

• Joyce Counts, Booz Allen Hamilton Inc./Air Force
• Rob Sherwood, Exostar
• Cheryl Holt, DRS Technologies, Inc./Finmeccanica
• Heather Sears, DRS Technologies, Inc./Finmeccanica
• Brian Emmet, Lockheed Martin Space Systems Company
• David Sizmur, Lockheed Martin Space Systems Company
• Doug Ingram, Lockheed Martin Space Systems Company
• Barry Sidebottom, Raytheon
• Luis Dannenfels, Raytheon
• Ken Burton, The Boeing Company
• Michael Hoffman, The Boeing Company

European Team

• Martijn Postma, Netherlands Ministry of Defence
• Laura Verdijk, Netherlands Ministry of Defence
• Bart van Lent, Netherlands Ministry of Defence
• Sylvia Coburg, The Boeing Company (UK)
• David Townsley, BAE Systems (UK)
• Richard Skedd, BAE Systems (UK)
• Nigel Griffin, DRS Technologies, Inc./Finmeccanica (UK)
• Alexander Groba, EADS (Germany)
• Arnaud Idiart, EADS (France)
• Rene Wiegers, National Aerospace Laboratory (NLR, Netherlands)
• Hetty Raaijmakers, National Aerospace Laboratory (NLR, Netherlands)
• Michael Frackiewicz, Northrop Grumman (UK)
• Markus Sellmer, Northrop Grumman Sperry Marine (Germany)
• Brian Doyle, Raytheon (UK)
• Jean-Paul Buu-Sao, TSCP Inc. (France)


Table of Contents

Contributors
1. Introduction
    1.1 Purpose
    1.2 Scope
    1.3 Definition(s)
2. Understanding Export Control Regulations
    2.1 Regulations
    2.2 Export Control Policy Authority
        2.2.1 Item control lists
        2.2.2 Authorization system (licenses)
    2.3 Specific authorizations, exemptions and best practices
        2.3.1 International coordination
        2.3.2 Sanctions and embargos vs. regulations
        2.3.3 Restricted or Denied Parties Lists
        2.3.4 Transfers of dual-use goods between EU countries
        2.3.5 Specific national regulations
        2.3.6 Multiple jurisdictions
3. Consolidated Export Control Business Scenarios
    3.1 Business Scenarios Overview
    3.2 Roles and responsibilities
    3.3 Business Scenario Legend
    3.4 Business Scenario 1: Authorization Process
    3.5 Business Scenario 2: Implementation Process
    3.6 Business Scenario 3: Release Process
    3.7 Business Scenario 3.10: Systemic determination
4. Requirements
    4.1 Process Steps – Requirements BS 1
    4.2 Process Steps – Requirements BS 2
    4.3 Process Steps – Requirements BS 3
Annex I: Common Licenses and Agreements
Annex II: Recordkeeping Requirements
    UK Recordkeeping Requirements
    U.S. EAR Recordkeeping Requirements
    U.S. ITAR Recordkeeping Requirements
    EU Dual Use Recordkeeping Requirements
Annex III: Example of an intangible export log
Annex IV: Reference tables


1. Introduction

1.1 Purpose

This document presents consolidated requirements for handling of items classified as Export Control (EC) according to the regulations listed in section 1.2.

1.2 Scope

The consolidation is based on the Transglobal Secure Collaboration Program (TSCP) Export Control Working Group (ECWG) requirements analysis [1] of the following Export Control regulations:

1. The International Traffic in Arms Regulations (ITAR) as implemented by the United States Department of State and its responsibility for the control of the permanent and temporary export and temporary import of defense articles and services as governed by the Arms Export Control Act.

2. The Export Administration Regulations (EAR) that are issued by the United States Department of Commerce under the Export Administration Act, the International Emergency Economic Powers Act (IEEPA) and various other legislation relating to the control of certain exports, re-exports of dual-use and civil items, as well as anti-boycott activities.

3. The United Kingdom Export Control Act (UK EC) and associated UK national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items.

4. The Kingdom of The Netherlands General Customs Act and the Strategic Services Act (NL EC) and associated NL national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items.

5. The French Republic Defence Code (FR EC) and associated French national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items.

6. The European Union Council Regulation EC 428/2009 (EU Dual-Use) and associated EU member state national implementations, which hold the European Community regime for the control of exports, transfer, brokering and transit of dual-use and civil items.

The requirements analysis includes best practices from TSCP member organizations, to reflect common management processes such as:

• Definition, release and registration of an item (intended) for export.

• Various interactions between organizations or organizational units required when handling items classified as Export Control.

The requirements have been defined in the context of TSCP and its projects, such as Secure Email (SE) and Information Labeling and Handling (ILH), but should be applicable to any collaborative scenario that involves exchange of classified or otherwise marked sensitive items.

[1] Available through TSCP only; please see www.tscp.org for contact details.


1.3 Definition(s)

The following table presents definitions used in this document. These are listed in sequence of importance for understanding Export Controls. The definitions are also included at the relevant topics (as descriptions, footnotes or requirements notes).

Item: Conflict (in authorizations)

Definition: A condition whereby restrictions on one authorization are not aligned with restrictions on another authorization for releasing the same data to the same recipient.

Comment(s): Export Authorization Managers are expected to perform a conflict analysis during the Authorization Determination Process. In the event the conflicts between Export Authorizations are identified, the Export Authorization Manager may be required to apply for a revision of one or more of the Export Authorizations.

Item: Dual-Use item

Definition: Any item listed in a (Export Control) Dual-Use item classification list.

Comment(s): Any item normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items.

Item: End User/Recipient

Definition: The legal or natural person who is legally responsible for the receipt of an export/transfer.

For this document a representative who

• handles a controlled item (transit, broker, etc.),

• receives/modifies a controlled item for final use, or

• uses it to modify another item (integration)

is considered to be End User/Recipient.

Comment(s): That may include a variety of parties, such as:

• A customer (the final consignee) to whom a supplier of items (e.g., the exporter) is directly or indirectly contracted to;

• Third parties to the customer or supplier, including consignees, brokers, transit service organizations;

• Co-workers within the customer or supplier organisation;

• Integrators, who must be seen as the end users of an item as a component, as far as the integrated product is transformed and/or not easily possible to extract and re-use.

For intangible items: any person who has (authorized) access to Export-controlled data/information or otherwise handles/modifies information regarding an export becomes an End User/Recipient, even if the information stays within one organization. That is also why the "deemed export" principle applies to any non-authorized national.

In some requirements ‘Foreign’ or ‘non-National’ is added to refer to definitions in a specific regulation or to provide clarification for a business context example.

Item: Export/Transfer Authorization

Definition: Any legal term or document that permits sharing of an (Export Control) item to a legal or natural person in any third country is considered an Export Authorization. Distinction is made for:

• An Export Authorization as approval of an export from the government Policy Authority, granted to a company.

• A ‘Company Authorization to Export’. This is the internal approval of the company to export an item.

Comment(s): An export license is the most occurring example.

Export Authorization or Transfer Authorization is used throughout this document to keep it readable. But note that this may include a variety of permits that allow transfer, transmission, movement, passage through or other exchanges of an item from a supplier to a recipient permitted by the (Export Control) regulations, such as commercial customs documents, notifications, exceptions, exemptions, intra-community transfer licenses or negotiation or assistance agreements.

Item: Export/transfer or import; Re-export or deemed export

Definition: Sharing of an (Export Control) item to a legal or natural person in any third country is considered an export/import/transfer. Re-export or deemed export could be the case if an item is re-exported (this also means sharing items within one country with a non-authorized national) or incorporated into other equipment that is subsequently re-exported.

Comment(s): In this document there is no particular distinction between export/transfer or import or re-export/deemed export.

Most requirements for these transfer types turned out to be very similar. Therefore all types are considered different sides of the same medal. Details are mentioned in the requirements section where particular aspects differ.

Item: Exporter

Definition: The legal or natural person who is legally responsible for sending an item as an export/transfer.

Comment(s): Responsibility is assumed to be delegated to a Program Manager.

Item: Implementation Plan

Definition: A plan developed by a program based on (a subset of) the requirements in the Internal Control Plan.

Comment(s): Usually one Implementation Plan per program is written.

The implementation plan may be shared with external program partners such as suppliers.

Item: Implementation Statement

Definition: The declaration of a program or supplier that all planned implementation is done.

Comment(s): This statement serves as evidence in peer reviews and audits.


Item: Internal Control Plan (ICP)

Definition: The complete plan how one company plans to manage an export/transfer under a specific authorization.

Comment(s): Usually one ICP per company is written.

It outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company’s Export Compliance Plan/ Corporate Guideline. The ICP is usually an internal document.

Item: Item

Definition: Any product, material, goods, technology, software, service. This could be a physical item or an intangible item like a piece of electronic data, a phone call, providing assistance.

Comment(s): Particular examples are Technical Data / Technical Assistance under the ITAR.

In the case of ITAR/EAR this includes (sharing of) agreements, such as an ITAR Technical Assistance Agreement that may serve as an Export Authorization itself.

Item: Military item

Definition: Any item listed in a (Export Control) military item classification list.

Comment(s): Encompasses all equipment that has been specially designed or modified for military use, such as parts, components, accessories, tools, documentation, and specific environment materials, as well as various pieces of equipment, software, technology, services and information. The Defence-related products listed in the Annex of the EU ICT [2] Directive are also considered military items.

Item: Scope

Definition: Scope to enable the authorization determination by the export control manager.

Comment(s): The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant.

Item: Services

Definition: An (outsourced) activity performing or supporting a business process in which an (Export-controlled) item is shared in the context of that service or the service itself is listed as military or dual-use item.

Comment(s): Services in this context could include intangible data transfer or face to face meetings to provide assistance and is therefore not limited to physical services such as performing maintenance.

[2] European Union Directive 2009/43/EC on intra-EU-transfers of defence-related products, https://www.gov.uk/intra-community-transfer-directive-2009-43-ec


2. Understanding Export Control Regulations

Organizations [3] have considerable leeway in implementing the various regulations on Export Controls, and the details to do so are usually determined by a risk assessment conducted by the exporting organization.

It is best practice to have readily available (legal) expertise on this (in company or contractor) to ensure correct understanding of regulations, commodity jurisdiction, license jurisdiction and implementation of export controls.

2.1 Regulations

Foreign trade interests, national security objectives and international agreements (treaties, sanctions, etc.) require measures prohibiting the free trade of certain items of strategic value. These measures are best known as Export Control Regulations.

This may suggest these regulations only deal with strategic items leaving national territory; however, Export Control Regulations should be considered as a set of general trade controls that put limitations on many transactions, such as:

• Import
• Export
• In-country transfers (so-called ‘deemed exports’ - U.S. controls) [4]
• Dual or third country nationals (U.S. controls)
• Extra-territorial controls
• Brokering and transit of items (also consider intra-company transfers across borders)
• The end use of the item
• The end user(s) or the ultimate consignee and/or country of destination
• Supporting services (such as financial transactions or transportation) associated with the handling of a strategic item

Regardless of the purpose (import, export, re-export, etc.), every organization handling export-controlled items must meet the strict conditions stated in the national export control regulations of their country of residence.

Examples:

• The International Traffic in Arms Regulations (ITAR) controls export by U.S. entities of defense articles and defense services. It is authorized by Section 38 of the Arms Export Control Act, and managed by the U.S. Department of State. In basic terms, the ITAR restricts distribution of items identified on the US Munitions List (USML) to non-U.S. entities.

• The French Export Control regulations define (by arrêté of 27 June 2012) a control list for classification of military items, of which the most significant in each ML sub-category are additionally classified as “matériel de guerre”. These items are subject to prior authorization to be imported (except from EU member states), manufactured, sold or bought, even on the French territory. The exhaustive list of these “matériel de guerre” is the subject of the Article 2 of the Décret 95-589 of 6 May 1995.

[3] Export Control Regulations consider handling of sensitive, strategic items. For a large part these items are products used and delivered by organizations in the Aerospace & Defence industry. Understanding Export Controls is therefore one of the main objectives for TSCP. However, the Export Control requirements discussed here should be valid for and applicable to other industries as well (Transport and Logistics, Oil and Gas, etc.).

[4] http://www.bis.doc.gov/index.php/policy-guidance/deemed-exports

In certain cases, additional (international) export control regulations could be placed on top of national regulations (extra-territorially).

Examples:

• For EU member states, the EU Intra-Community Transfer (ICT) directive must be transposed and enforced as an addition to existing national controls.

• For a Netherlands-based company that imports strategic items from the U.S., and is therefore required to be an ITAR Technical Assistance Agreement (TAA) co-signee, the ITAR would be in force in parallel with Dutch national controls.

2.2 Export Control Policy Authority

Export controls are enforced by law, orders and stipulations, and exporting items requires governmental approval (often per a license). This enforcement and approval is usually tasked to one national government body that serves as the Export Control Policy Authority (ECPA).

Examples:

• In the UK, the Department for Business Innovation & Skills (BIS) serves as the ECPA.

• In France, the export control regulations consider multiple stages, and different licenses are required for each different stage of the manufacturing and import/export chain. Depending on the stage, the requested license type, and the particular nature of the intended export, authorization is approved by the Minister of Defence, the Prime Minister or the Director General of Customs.

Additional examples are:

• Canadian Export and Import Controls Bureau (EICB)

• Australian Defence Export Control Office (DECO).

The ECPA maintains one or more publicly available item control lists to assist organizations with determining whether items are export-controlled, and quite often supports organizations dealing with the Export Control regulations via guidelines, a manual or informal consultation.

2.2.1 Item control lists

The ECPA item control lists specify products, materials, data, services or technologies that are considered of strategic importance. Distinction in lists is often made for:

• Military items: Conventional arms, military technology and hardware, excluding materials related to Weapons of Mass Destruction (WMD)

• Dual-use items: Products and technologies normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items.

• Commercial trade: Usually not listed in exhaustive detail

2.2.2 Authorization system (licenses)

Throughout this document the approval from the ECPA is called Export Authorization. However, the majority of exports, imports or other transits are approved per a specific ECPA authorization: a license.


There are multiple types and categories of licenses that may be used or required for an authorization to export, depending on the strategic items for which they are intended and the situations in which they may be used.

Annex I: Common Licenses and Agreements provides an overview of common types of licenses used in the Aerospace & Defence industry. This is not a complete overview, as the license systems differ per country / per Export Control regulation, and may change over time.

Note that:

• An export may not need a license (when it is exempted), but a notification requirement may still apply.

• Issued licenses that have not yet been exhausted, but where the validity date is nearing expiration, may be renewed or extended.

• A license for dual-use/military goods usually has a limited validity (often between half a year and two years), but some countries have open licenses that have no expiry date.

• A license or exemption is considered governmental approval; for most organizations it is best practice to run the intended export/import through an internal management approval process as well.

Examples:

• German Export Licenses are generally valid for a period of one year and/or two years, depending on the classification of goods / technology (Export control list annex 1A or 1C) and on the countries for which the export is destined.

• UK OGEL and EU GEA are two examples of general licenses. See Annex I: Common Licenses and Agreements for detailed description.

2.3 Specific authorizations, exemptions and best practices

2.3.1 International coordination

Most governments implement national export controls in international coordination with the following important institutions:

1. Treaties and Export Regimes

Most conditions and policies stated in Export Control regulations and policies are internationally coordinated through treaties and specific export regimes. The following regimes (in order that they appear in most countries’ regulations) are most common:

• the Wassenaar Arrangement (WA) [5]
• the Missile Technology Control Regime (MTCR) [6]
• the Nuclear Suppliers Group (NSG) [7]
• the Australia Group (AG) [8]
• Chemical Weapons Convention (CWC) [9]

[5] http://www.wassenaar.org
[6] http://www.mtcr.info
[7] http://www.nuclearsuppliersgroup.org
[8] http://www.australiagroup.net


2. The North Atlantic Treaty Organization [10]

There is a specific NATO exemption, for example in NL EC and in U.S. ITAR, but that is only valid for indicated NATO-forces. Movement of Military items [11] between member states still requires a license, although a simplified license application procedure may be used.

3. The United Nations [12]

UN sanctions may require additional measures on top of the regular export controls.

4. The European Union [13]

Movement of almost all Dual Use items between member states may be exempted from a license requirement. EU Sanctions may require additional measures on top of the regular export controls.

5. OSCE – Organisation for Security & Co-Operation in Europe [14]

2.3.2 Sanctions and embargos vs. regulations

Sanctions (like EU and UN sanctions) or embargoes may require additional measures on top of the regular export controls. It sometimes happens that a license is required in accordance with the export regulations whereas sanctions call for a prohibition. In such cases, the prohibition takes priority.

2.3.3 Restricted or Denied Parties Lists

Besides the controls of export or specific sanctions, it is regarded as best practice to determine, in any case of export of strategic goods, whether any end user is listed on any restricted or denied parties list. The (intended) export will not be permitted or may be subject to additional restrictions if an entity is present on these denied parties and proliferation control list(s).

Examples:

• The consolidated list of persons, groups and entities subject to EU financial sanctions [15]

• The UK BIS lists-to-check [16]

More examples may be found in the requirements for Business Scenario 1.3, see section 4.1.

2.3.4 Transfers of dual-use goods between EU countries

Items classified as EU Dual-use may be traded freely (formalities for Intra-Community Trade) within the EU except for the more sensitive items, listed in Annex IV to Regulation EC 428/2009, [17] which are subject to prior authorization.

[9] http://www.opcw.org/chemical-weapons-convention (this is a treaty; often grouped with the Common Regulations on Export Control)
[10] http://www.nato.int
[11] Excluding specific items that are used for chemical warfare
[12] UN: http://www.un.org, UNODA: http://www.un.org/disarmament/convarms/ArmsTrade/, Security Council Resolutions: http://www.un.org/en/sc/documents/resolutions/index.shtml
[13] EU: http://europa.eu, Sanctions: http://eeas.europa.eu/cfsp/sanctions/index_en.htm
[14] http://www.osce.org/what/arms-control
[15] http://eeas.europa.eu/cfsp/sanctions/consol-list_en.htm
[16] http://www.bis.doc.gov/complianceandenforcement/liststocheck.htm


Suppliers wishing to apply for that authorization (individual or global but not general licenses) should contact the competent national authorities for details of what information must be supplied to support the application.

2.3.5 Specific national regulations

National authorities may require specific national export controls on (dual-use) items unlisted in common regulations (e.g., in France: tear gas or commercial helicopters). Exporters should therefore refer to their relevant national rules and check the situation with regard to their specific transactions.

Such controls may apply where there is a risk that an export to a specific end-user might be diverted for terrorism, use in a weapon of mass destruction, violation of an embargo or certain other situations specified in the national regulations on export controls.

Besides the controls of export of goods appearing on the item control lists, should there be cause to do so, it is possible for the ECPAs to subject exports of other goods to a license requirement by means of an ad hoc or a catch-all provision.

Note that licenses approved by the national ECPA may include provisions or specific limitations that must be understood and complied with.

Examples:

Items not listed on an item control list may still be subject to export controls.

• EU Dual Use (Articles 4 & 8 of the Regulation EC 428/2009)

• The United Kingdom Export Control regulation Annex II as well as Annex III are amended with a list of capital punishment and torture goods (also called the EU Human Rights list)

Items may be required to be checked at specific border points.

• EU Dual Use may impose additional checks inside the EU Customs zone (Articles 11 and 17 of Regulation EC 428/2009).

Items that are not, in principle, subject to mandatory licensing may be subject to a catch-all provision.

• Where the items in question are or may be intended for projects relating to Weapons of Mass Destruction (WMD) or missiles capable of delivering such weapons

• Where the purchasing country or country of destination is subject to an arms embargo by the European Community, the United Nations (UN) or the Organization for Security and Co-operation in Europe (OSCE) and the items in question are or may be intended, in their entirety or in part, for a military end-use. (See Chapter II, Article 4, paragraph 2, of the Dual-use regulation)

• Where the items in question are or may be intended for goods appearing on the EU list of military goods that have been wrongly exported to the country of end-use without the proper license required (see Chapter II, Article 4, paragraph 3, of the Dual-use regulation). In such a case the exporter will be duly notified.

Items may be declared subject to an ad hoc license requirement.

• In case of transit of military goods under a notification requirement. If there are indications that such a transaction is not under the effective control of the country of origin, or if in the course of its transit across foreign territory a transaction appears to acquire a different destination than intended upon issuance of an export license.

• In the interest of (inter)national law and order or a related international agreement

• For the protection of the essential interests of national security, for reasons of public security or for human rights considerations

[17] http://ec.europa.eu/trade/creating-opportunities/trade-topics/dual-use

2.3.6 Multiple jurisdictions

In certain cases, items may be determined to be controlled under multiple jurisdictions.

Examples:

• Export Controls for military/dual use items are levied from a national level, but the items could also still be extra-territorially controlled from a foreign country, dependent on their origin. See 2.1 Regulations for an example on import/export of a U.S. ITAR controlled item by a Dutch company.

• There may be additional or conflicting restrictions put on the exporting organization because of other (national) regulations like Privacy, National Security or Intellectual Property Protection.

• Organizations may have specific compliance restrictions that are levied upon them by suppliers, customers (such as the U.S. Department of Defense), or due to additional restrictions levied by the National Export Control Policy Authority on a specific program or organization.


3. Consolidated Export Control Business Scenarios

The requirements in this document are collected by the TSCP Export Control Working Group, composed of Export Control subject matter experts and Enterprise Architects from the TSCP member companies.

The requirements and recommendations are collected through discussion and analysis of Export Control activities in their enterprises. However, current practices vary widely among participants and are often based on a mixture of manual and automated processes.

In order to create a representative and common set of requirements/recommendations when dealing with implementation of Export Control regulations, the TSCP ECWG has identified Export Control requirements based upon the three consolidated business scenarios.

These Business Scenarios, therefore, do not reflect current practice or cover every type of export/import in an exact manner. Rather, they allow the ECWG to append requirements to business processes, which could be supported by information technologies such as those proposed by TSCP.

3.1 Business Scenarios Overview

Nr: BS 1
Title: Authorization Process
Process steps: 1. Define Export; 2. Obtain Authorization; 3. Corporate approval
Storyline: The need and the type of export must be identified on a general level before any authorization may be obtained. Authorization(s) are usually obtained from the national export control policy authority, analyzed and amended with a company approval to proceed with the export.

Nr: BS 2
Title: Implementation Process
Process steps: 1. Define Internal Control Plan; 2. Implement Control Plan; 3. Verify Implementation
Storyline: An Internal Control Plan [18] must be written to determine how to control the export under the obtained authorizations. The defined controls should be implemented and verified regularly.

Nr: BS 3
Title: Release Process
Process steps: 1. Create and analyze; 2. Package and label; 3. Release and Register
Storyline: With the general conditions set, individual items may now be created, packaged and labeled prior to release for export. Every release transaction should be logged.

The TSCP ECWG expects that implementation of TSCP capabilities supporting these business scenarios will:

1. simplify the process of managing export authorizations;
2. ensure compliance / simplify compliance appreciation by the various ECPAs;
3. reduce the risk of noncompliance;
4. reduce the overall cost of compliance.

[18] Definition: Internal Control Plan (ICP) is a document that outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company’s Export Compliance Plan.


3.2 Roles and responsibilities

The process steps as listed in 3.1 Business Scenarios Overview are performed by one or more entities (persons, computers). The following table lists these entities in sequence of appearance (See Annex IV: Reference tables for the reference to the original entity descriptions).

In order to keep the scenarios and their requirements understandable, and since the regulations are best known as Export Controls, the interactions have been written from the perspective of an export transaction by an exporter under an Export Authorization.

These scenarios should not be mistaken as valid only for export. The same or very similar entities, interactions and particularly the requirements are equally valid for any transaction of a controlled item, in any form as listed in 2.1 Regulations.

To clarify that: in the Business Scenarios diagrams, swim lanes are used to indicate process involvement per entity. Interactions with the top swim lane (titled End User or external recipient) may be considered crossing organizational boundaries.

Examples (in all cases the same requirements apply):

• In the perspective currently used for the ECWG Consolidated Business Scenarios, this means crossing from an exporting company (per a Program Manager) to the external End User.

• From an internal company perspective, this could be:
  o crossing between office locations in two different countries (true export), or
  o crossing between two individuals in one office location, of which one is a member of the program and authorized to access program data, the other is not (deemed export).

• From an importing perspective, the top swim lane title changes to exporter (but is still the external entity) and the Program Manager works for a company that is importing controlled items. In essence, the process flow follows the same sequence (determination of need and scope of the import, followed by an import license application) resulting in equivalent requirements on end user, end use, etc.

Entity Name: End User (in this scenario an external recipient)
Short description of the role: A representative who handles (transit, broker), receives/modifies a controlled item for final use or uses it to modify another item (integration). Has responsibility for handling and acting in compliance with export regulations.
Comment(s): There has been discussion on the different understandings of End User. Please see section 1.3 Definition(s) for the intended meaning for this requirements document.

Entity Name: Program Manager
Short description of the role: A representative within the exporting company who is assigned to a particular work effort or program, where export is required. Has responsibility for export compliance as being the owner of the item destined to be transferred (data/goods/services….)
Comment(s): The data ownership is the important contributing factor to distinguish responsibilities. The work effort does not have to be a program but could also be a department/project/section, etc.

Entity Name: Export Authorization Manager
Short description of the role: A representative [19] with expertise on Export Control regulations within the exporting company. Has responsibility for identifying the need for Export authorizations, coordinating the application and use of Export authorizations, including conflict resolutions, and managing the overall export control activities for the company such as assisting with implementation and audit.
Comment(s): This is often the official that classifies an item per export control list.

Entity Name: Export Control Policy Authority
Short description of the role: A government representative with authority to grant authorizations, audit exporters and define the (national) export control policy.

Entity Name: Company Management
Short description of the role: Those responsible for (executive) management support within the exporting company.
Comment(s): Examples of responsibilities: logistics, archiving, IT, Security, Internal Audit, Human Resources, Business Continuity

Entity Name: Program personnel
Short description of the role: An individual assigned to the program with responsibility for
a) Creating and managing items that may be exported,
b) Sending items to the End User.

Note that these entities are divided into functionally separate roles based on the different responsibilities that have been defined when creating the Export Control business scenarios. In reality such roles may be fulfilled in very different ways.

Examples:

• The Export Authorization Manager may be a full position of a trade compliance officer in a company, but could also be a side-job of someone else (e.g., legal expert, project manager).

• A small company may have to take on all roles and responsibilities when exporting (apart from the End User) to a customer.

• A large company (OEM) may act on these export control responsibilities on behalf of a smaller supplier (under the EU intra-community transfer directive). [20]

• Anyone importing (normally just the End User role) may be required to perform actions on all other responsibilities to (indirectly) ensure compliance (as is the case for ITAR TAA).

3.3 Business Scenario Legend

The following legend shows the titles and their corresponding colors used in the Business Scenarios’ diagrams:

[Legend: Assisted by Electronic Systems; Implemented by Electronic Systems; Out of scope; Manual Process; Document(s); Regular; Optional; Coordination]

[19] Usually called an “Empowered Official” in the U.S.
[20] "certified companies" may act on behalf of smaller partner-organizations under conditions stated in the EU Intra-Community Transfer Directive. This does not mean the certified company becomes fully liable.


3.4 Business Scenario 1: Authorization Process


3.5 Business Scenario 2: Implementation Process


3.6 Business Scenario 3: Release Process


3.7 Business Scenario 3.10: Systemic determination

[Figure: BS 3.10 Systemic export determination process (example flow) © TSCP Inc. Export Control Working Group]

Start: Request to export item
Input: Collected characteristics of the item and the end user
Stages: Verify end user and labelling; Verify destination and authorization

Decision points (each with a Yes and a No branch):

BS-4.1 Is the end user on any government published restricted party list (DPL)?
BS-4.2 Has the end user completed Export Awareness Training?
BS-4.3 Have labels been applied to the item?
BS-4.4 Do company policies dictate appropriate labelling of all items?
BS-4.5 Do labels indicate "ITAR"?
BS-4.6 Do labels indicate "EAR", “UK EC”, “FR EC” or “NL EC”?
BS-4.7 Do labels indicate "EU Dual-Use"?
BS-4.8 Do labels indicate other policies?
BS-4.9 Has the end user U.S. Person status (or exception)?
BS-4.10 Is the end user an employee of the exporter?
BS-4.11 Is the destination an EU trade community member?
BS-4.12 Is the item permitted to freely move within the EU Trade Community?
BS-4.13 Has the exporter registered for or obtained an appropriate authorization/exception for this export?
BS-4.14 Is the end user’s access/nationality/location/country of incorporation permitted?
BS-4.15 Are all other authorization/exception requirements met?

Outcomes:

• Allow Access. No label hence public.
• Allow Access (permitted under ITAR) – must add warning
• Allow Access (permitted under EU Dual Use) – must add warning
• Allow access: access permitted by authorization/exception (add warning)
• Continue with processing other labels such as IP-Protection, Privacy, Financial, Security
• Deny Access.
• Deny Access – must add warning


4. Requirements

4.1 Process Steps – Requirements BS 1

BS-1.1 Identify need to share goods/data/services

Participants: Program Manager

Description: The exporter’s Program Manager identifies a need to share or retransfer an item (goods/data/services) with partners, in the context of that program.

Outputs:
• Initiation of Export Analysis process
• An overview of collected items that need to be shared

Requirements:
1. The overview needs to contain sufficiently described items to enable export license identification.
2. The intended location(s) for all goods/data/services in the scope of a program must be identified.

Notes: The Program Manager will usually coordinate with each (external) program partner to identify the items to be exchanged. Coordination commonly starts when the Program Manager:
• receives a specific request to deliver items, or
• pro-actively identifies a need to share items.

The Export Authorization Manager in BS 1.3 and BS 1.6 will determine if the overview of items is sufficient.

Definition: Services in this context could include intangible data transfer or face-to-face meetings and are not limited to physical services such as performing maintenance. Particularly in the case of ITAR/EAR, this includes sharing agreements, such as an export license or an ITAR Technical Assistance Agreement.

BS-1.2 Identify intended end users, if required include their location and identity details

Participants: Program Manager

Description: The Program Manager collects a list of intended recipients with whom the program must share goods/data/services.

Outputs: List of end users including required details of their location and identity

Requirements:
1. Every recipient organization must be unambiguously identified. This includes identification of any party involved that needs access to controlled data (direct access and also third parties that are involved). These could be third parties to your partners, customers or suppliers.
2. Depending on the export regulations or company policies, individual recipient persons may have to be identified.
3. In all cases, every individual recipient location must be provided.
4. While recipient location is the most important common characteristic under the export regulations reviewed, other recipient characteristics may also be needed.
5. Sharing constraints regarding recipient characteristics must be provided for each recipient organization.

The following table describes these requirements in detail, categorized in identification elements.

Identification element: location
Minimum required characteristic(s): country of destination
Other/detailed characteristic(s): Address, facility number, intra-company transfer details

Identification element: organization
Minimum required characteristic(s): company name; address
Other/detailed characteristic(s): consignee location (country name only, for recipients that are temporarily stationed abroad); departments, Chamber of Commerce number or Exporter Identification Number

Identification element: person
Minimum required characteristic(s): full personal name
Other/detailed characteristic(s): U.S.-Person status; (countries of) citizenship(s) or nationality(ies); business roles/position; birthplace

Notes: From a regulatory perspective, identification of a person by full personal name is not always required. It is still considered a minimum required characteristic because of company best practices:
• For the company representative who acts as the applicant and should supply this as point of contact for the application;
• For verification against denied parties and proliferation control list(s) (see BS 1.3);
• From perspective of secure electronic communications.

Examples for other characteristics:
• In the case of U.S. ITAR and U.S. EAR it is required to identify nationality including identification of dual nationals and 3rd country nationals.
• In France, a specific Identification Number (authorization de commerce) is required to export or import as well as manufacture or trade the most sensitive products classified as "Matériel de Guerre" (equivalent to Significant Military Equipment in the ITAR). A specific registration is also necessary for EU ICT General Transfer Licenses and French General Export Licenses when filling an export license application form for which the application process requires additional information.
• When specific export prohibitions are taken into account on top of national export regulations, such as the EU list of embargoed countries and denied persons. [21]

Example for sharing constraints:
• Personal data protection laws and regulations may limit an End User from sharing personal identity details or provide restrictions on the use and storage of personal identity details.

Recommendation: Even though each export license application is handled in a case-by-case manner, it might help the exporter to create overviews of recipients/destinations:
• authorized within the program (‘white list’);
• not authorized within the program (‘black list’);
• that need further scrutiny (‘red flag list’).

It may be possible to support these lists within company export control support systems (see also BS 1.6). Using categories of persons rather than individual identities could be more pragmatic (e.g., from privacy perspective) for the administration, updating and management of these overviews.

[21] http://eeas.europa.eu/cfsp/sanctions/docs/measures_en.pdf

BS-1.3 Verification against denied parties and proliferation control list(s)

Participants: Export Authorization Manager

Description: The Export Authorization Manager will review the list of recipients (end users, co-workers, suppliers and consignees) to ensure that none of them are present on any EU or national government denied party list.

Outputs: Screened partners (against the appropriate lists).

Requirements: The Export Authorization Manager must:
1. ensure the current DPL is used.
2. use a verification method that
   o supports sufficient identification of business partners who appear on a denied party list (i.e., names may be spelled differently in a DPL and a company’s CRM database).

The Export Authorization Manager must be able to edit the DPL or the verification result (i.e., if companies are taken off a government DPL list, they may be included again if a company policy demands that).

Notes: Examples for legally binding or non-binding lists:
• End use/end user restriction (≥Common DPLs).
• National security.
• Proliferation.
• person Anti-terrorism (WMD).
• Company internal risk lists (e.g., a company may verify against their own defined Public Media Search list).
• Foreign policy controls.
• Financial Sanctions List (EU).
• Embargoed countries (see 2.3.1 International coordination).

Expectation: A company may wish to verify its partners against the above lists via an automated system. The TSCP ECWG does not expect to have TSCP develop or include a system that automatically retrieves a government denied party list and processes it to disable partners. Rather, any company dealing with export controls is expected to have a manual business process supported by commercially available systems that a company representative may use to review a list. If a review identifies a person or company on the list, the company representative should be able to identify and flag the listed person or company as suspect within one or more company systems.

Recommendation: Check to determine if this process violates privacy laws.
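The verification method required by BS-1.3, sketched as an added example (not part of the TSCP document or of any TSCP system): it refuses a stale list, matches names that are spelled differently in the DPL and the CRM, lets the Export Authorization Manager add entries or clear a result, and returns candidates for manual review instead of disabling partners. All names, list entries, the 0.85 threshold and the one-day freshness limit are constructed assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Legal-form tokens that often differ between a DPL entry and a CRM record
# (assumed, non-exhaustive).
LEGAL_FORMS = {"ltd", "limited", "inc", "llc", "gmbh", "bv", "nv", "sa",
               "sarl", "ag", "co", "corp"}


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation and legal forms, sort the tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", plain.lower().replace(".", ""))
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORMS))


@dataclass(frozen=True)
class Hit:
    partner: str     # name as held in the company system
    listed_as: str   # name as it appears on the list
    source: str      # "government" or "company"
    score: float     # similarity of the normalized names, 0..1


def screen(partners, dpl_entries, dpl_retrieved, today, company_additions=(),
           cleared=(), threshold=0.85, max_age_days=1):
    """Return candidate matches for manual review; nothing is blocked here."""
    # Requirement 1: refuse to screen against an outdated list.
    if (today - dpl_retrieved).days > max_age_days:
        raise ValueError("DPL snapshot is stale; retrieve the current list first")
    # "Edit the DPL": entries the company keeps or adds under its own policy.
    entries = [(n, "government") for n in dpl_entries]
    entries += [(n, "company") for n in company_additions]
    # "Edit the verification result": pairs already reviewed and cleared.
    cleared_keys = {(normalize(p), normalize(l)) for p, l in cleared}
    hits = []
    for partner in partners:
        p = normalize(partner)
        for listed, source in entries:
            l = normalize(listed)
            # Names made only of legal-form tokens normalize to "" and would
            # compare as identical, so they are skipped.
            if not p or not l or (p, l) in cleared_keys:
                continue
            score = SequenceMatcher(None, p, l).ratio()
            if score >= threshold:
                hits.append(Hit(partner, listed, source, round(score, 3)))
    return sorted(hits, key=lambda h: (-h.score, h.partner))


# Constructed sample data: none of these names come from a real list.
SAMPLE_DPL = ["MUELLER AEROTECHNIK G.M.B.H.", "PETROV, Ivan"]
SAMPLE_COMPANY_ADDITIONS = ["Delta Hydraulics B.V."]  # delisted, kept by policy
SAMPLE_CRM = ["M\u00fcller Aerotechnik GmbH", "Ivan Petrov",
              "Delta Hydraulics BV", "Northwind Avionics Ltd"]

if __name__ == "__main__":
    for hit in screen(SAMPLE_CRM, SAMPLE_DPL, date(2013, 7, 30),
                      date(2013, 7, 31), SAMPLE_COMPANY_ADDITIONS):
        print(f"REVIEW {hit.partner!r} ~ {hit.listed_as!r} "
              f"[{hit.source}] score={hit.score}")
```

Sorting the tokens makes "PETROV, Ivan" and "Ivan Petrov" compare as equal; the similarity ratio then absorbs transliteration differences such as "Müller" and "MUELLER".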


BS-1.4 Develop scope(s) of goods/data/services to be shared

Participants: Program Manager

Description: The Program Manager defines a set of scopes covering items to be shared / services to be provided by the company and by known business partners in the context of the program.

Outputs: List of scopes (of shared item and provided services), divided into scopes per program participant.

Requirements: Scope(s) must include characteristics for each participant.

The following table describes these requirements in detail, categorized in scope elements.

Scope element: Export item
Minimum required characteristic(s): Description
Other/detailed characteristic(s): Country of origin, details on the content of data being shared, design origin, construction material, item reference number (whether it is controlled or not)

Scope element: End user
Minimum required characteristic(s): Location/destination, items, quantity
Other/detailed characteristic(s): Status information on training: 1. passed exam / holds certificate; 2. expiration date (if applicable)

Scope element: Program context
Minimum required characteristic(s): Purpose of sharing or end use
Other/detailed characteristic(s): Description of Program phase or work effort that should include:
• Start and end dates for the Program, and its contracts,
• A list of all parties that will be (sub) contracted and worked with during the phase/effort,
• List of (other) occasions when sharing of export controlled items takes place.

Scope element: Sharing method
Characteristic(s): training, talks, a digital document or message sharing environment.

Scope element: Regulation / Authorization (if known at this stage)
Characteristic(s): the export control classification number, (license) reference number especially when a re-usable and signed authorization (e.g., an ITAR TAA) is already in place, cumulative export value, export conditions required by exceptions.

Notes: Particular attention should be paid to defining the scope of / categorizing the items that may require extra authorization/classification by the government. Examples:

• In France, the government (Agency for National Security of Systems of Information - ANSSI) may put on extra controls for cryptography export.

• In the UK, the government (MoD) may require mandatory security classification.

Definition:

Scope = to enable the authorization determination by the export control manager. The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant.

BS-1.5 Assist with scope development

Participants: End user

Description: If required, the End User supplies details to assist with the development of scope(s) for information to be shared and services to be provided by the End User in the context of the program.

Outputs: See 1.4

Requirements: See 1.4

Notes: Definition: See 1.3 Definition(s) for description of End User. In short, all end users/recipients in scope of the program.

BS-1.6 Perform analysis on the scope to ensure the Export Classification and if required, include a Security Classification

Participants: Export Authorization Manager

Description: The Export Authorization Manager reviews all intended exports within the scope of the program and classifies the items for export against the applicable export control regulation.

In some countries, items designed in country may have to be classified by the Government and a National Security Classification obtained. This classification may place additional criteria on the export.

Depending on the case, the Export Authorization Manager may need to perform an additional classification against other specific national or company control processes (e.g., financial transaction controls).

Outputs:

• Recommendation of export control policy that is best suited to ensure compliance and offers the widest possible scope of operations.

• The export classification reference(s) of the item(s) to be exported.

Requirements:

1. All program exports subject to a specific Export Control regime must be identified and appropriate export classification made.

2. Export items subject to criteria in addition to Export Control Regulations must be protected as required by appropriate policy authorities.

Notes:

Recommendation: The Export Authorization Manager may self-determine the appropriate export control regulation and self-classify data/technology by consulting the various regulations' item control lists and identifying all appropriate export control classification numbers. Various internet resources provide free tools that may support this goods classification process.

Another method is to submit a request to the local regulators for classification determination (and/or subsequent rating). This is often done in case of grey areas in the regulation, or when particular restrictions are of concern, such as WMD or national security concerns.

Recommendation: Common practice is to first consider the possible reasons for control (military/dual use/commercial/none), then determine the potential licenses available and after that classify the (individual) items against the appropriate export regulation(s) and best fit license(s).

The following is a common sequence to determine the appropriate export control regulation:

1. Is the purpose of the item that is to be shared for military use?

a. If Yes, determine appropriate military export regime and follow process from there (See the individual TSCP ECWG reviews¹ for example and details),

b. If No, next:

2. Is the item on a Dual use list?

a. If Yes, look up under which appropriate annex, the list article number and the technology classification reference and follow process from there (Go to BS 1.7)

b. If No, the item is determined as commercial; follow standard customs procedures to export.

Recommendation: For easy classification, it is recommended to record a list of frequently occurring company program scopes / technology exports. This is particularly helpful as not every item on an Export Regulations control list requires an authorization/license to export. Furthermore, some items (like those listed in EU Dual Use Annex IV) are subject to an Export Control regime but are not allowed to be exported at all.

BS-1.7 Determine the need for an Export Authorization; if required, draft the application.

Participants: Export Authorization Manager

Description: The Export Authorization Manager determines whether export of a certain class of technology requires an Export Authorization (i.e., a license), whether it may be exported without an authorization, or whether it qualifies for an exception.

In addition, the Export Authorization Manager will identify any relevant restrictions on the export of data based on information provided in the Export Regulation item control list and the scopes of export provided by the Program Manager.

It is the responsibility of the Export Authorization Manager to ensure that the program is aware of any changes of a license, including validity. It is the program’s responsibility to ensure compliance with the license, in line with the Internal Control Plan, including to check the validity of its licenses.


Outputs: A recommendation for which Export Authorization(s) is required (for the required program scope).

• Identification of appropriate license(s) needed.

• Verification of whether such a license is already in place and if it should be applied for.

• Selection of preferred license (if multiple licenses may be chosen).

• Draft export authorization application (if needed).

Requirements:

1. Export Authorization Manager shall identify the appropriate export control regime and licensing vehicle (See §1.3 definitions).

2. Export Authorization Manager shall provide information to facilitate Export Authorizations and Export License applications.

Notes:

• Each participating organization must be willing to accept responsibility for violations for failure to protect export-controlled information. U.S. laws are stricter and require more documentation.

• Export Authorizations may be specific to a project phase. For example, an authorization may be in place for marketing and sales, but may not cover post sales collaboration.

• In some cases, enterprises are subject to “Consent Agreements.” These may be considered a special class of “Export Authorizations” that levy additional requirements on enterprises above and beyond the restrictions described in regulations, export authorizations or other enterprise policies.

Definition: In this document, “Export Authorizations” include exceptions, exemptions, export licenses or other exchanges permitted by the regulations. Any legal term or document that permits sharing of data under EAR is considered an “Export Authorization”.

BS-1.8 Coordinate the Export Authorization application

Participants: Program Manager, Export Authorization Manager

Description:

• The Program Manager ensures that the Export Authorization(s) applied for cover the scope of the intended exports that are required by the program.

• The Program Manager and Export Authorization Manager perform a joint check if all supporting documentation is available.

• The Export Authorization Manager will identify necessary (supporting) documentation as required by the Export License.

• The Export Authorization Manager will work with the Program Manager to collect this documentation.

• The Export Authorization Manager may request a rating prior to applying for an actual license. The rating may give the Export Authorization Manager an indication if an actual license would be granted given the current circumstances. Rating is done for commercial reasons; companies want to have an indication of their chances of getting the license (strategy planning).

• The Exporting Organization may also apply for a rating to identify the right classification of (military) goods.

Outputs:

• Registration at the Policy Authority for the application and use of an export Authorization (if not previously registered). This registration may also be required for use of electronic systems (Customs export systems, license application systems, and export control rating systems).

• Keep record of the Policy Authority issued exporter registration (number).

• Requirements of documentation for supporting re-use of an existing authorization, a new application or exceptions to the regulations.

o Overview of supporting documents required

o Including specifics on the format of those documents

o A description of how these documents must be tracked

Requirements:

1. Supporting documentation must be gathered up front and submitted to the appropriate Export Control Policy Authority in order to apply for issuance of an export authorization.

2. Supporting documentation should be collected and maintained with export records to support periodic audits. Systems should keep track of these documents.

3. The choice of required documents and their tracking should be based on regulations and guidance pertaining to certain licenses and their application process and may be based on company best practices since this can speed up the application process.

4. The format ideally should be government issued templates plus related guidelines.

Notes: The supporting documentation requirements are usually published by the Export Control Policy Authority. This may vary per authorization type. Additional documentation may be requested by the Policy Authority prior to the approval of an export authorization or upon issuance of the authorization as a condition of usage of the authorization.

Examples for supporting documentation:

• A duly completed and signed license application form, with a brief but detailed description of the (technical specifications of the) goods.

• Identity vetted as the authorized company representative. This usually consists of a preregistration number from the National Policy Authority. To preregister, you usually have to provide company name, Tax identification number (TIN),²² and a letter written by an authorized company manager (note that names of management are verified and therefore should be listed at an independent registrar like Chamber of Commerce).

• A copy of the signed contract or order.

• End-user declaration.

• IIC: For countries with International Import Certificates an IIC may be submitted instead of an end-user declaration.

• An export license issued in the country of origin if available.

• Export declaration (required for export outside EU).

• Pro forma invoice (required for export within the EU).

22 Tax Identification Number (TIN): This is a U.S. reference and should be substituted by equivalent, based on jurisdiction. See:
http://www.irs.gov/Individuals/International-Taxpayers/Taxpayer-Identification-Numbers-%28TIN%29
http://ec.europa.eu/taxation_customs/taxation/tax_cooperation/mutual_assistance/tin/index_en.htm

• Screening results of parties to transaction.

• Rating letter from the Policy Authority indicating if the license application will be successful.

• Company approval to proceed (usually done in a formal process of review and approval of the analysis).

• Technical details to outline the items for which an authorization is requested.

BS-1.9 If required, review Export Authorization application and provide supporting documentation.

Participants: End user

Description: End User may receive a request to review the draft export authorization application for consistency/compliance with internal country laws and to ensure the scope is covered, or to provide information to support the Export (or the License Application).

If required, the End User will sign supporting documents such as an end user statement for a license.

Outputs:

• Validated Export License Analysis by all participants in the program

• (Optional) Signed approval to proceed of Export Authorization Manager

• (Optional) Signed agreements by (foreign) End Users

Requirements:

1. Reviews by all parties of draft export authorization application for consistency/compliance with internal country laws

2. Review draft export authorization application to ensure application adequately covers the scope of activities/exports for the task or program.

Notes: The actual process of review and approval of the export analysis and the gathering of required signatures is complex, and varies widely between organizations. It is not clear if a single workflow process could be agreed upon, although it is acknowledged that every organization must support such a process.

BS-1.10 Apply for appropriate Export Authorization unless previously obtained

Participants: Export Authorization Manager

Description: If an authorization (i.e., a license) is required to export within the program scope, the Export Authorization Manager applies/registers for the relevant export authorization(s) with the appropriate national authority.

Outputs: Applications for Export licenses from relevant national authorities

Requirements: Application form plus supporting documents have been filled out and submitted according to policy authority process and requirements.

Notes: Different national regulatory agencies have very different application systems and processes, and widely divergent levels of automation for the process. There is not a set of worldwide valid requirements.

BS-1.11 Approve Export Authorization, if required issue a license (-number)

Participants: Policy Authority

Description: After review and analysis of the Export Authorization application(s), the relevant national authority will either approve or deny the application for an Export Authorization.

Outputs: A set of rejected/approved Export Authorizations

• Sometimes with additional exclusions identified and documented by the regulatory authority.

• Export license(s) (document) and specific number

• For export of technology company specific arrangements are made with the export control policy authority on format and frequency of reporting.

• Electronic application and approval is becoming the best practice.

Requirements:

1. All exports (under a license) must be registered and reported by the company. This is commonly tasked to the Program Manager.

2. In case of ITAR:

a. The End User must sign the Export Authorization.

b. All parties named in the export authorization are required to sign the Export Authorization prior to export. Must be handwritten.

c. The identity of the individual signing the export authorization must be recorded by the entities bound by the agreement for later reference.

3. If registration is done electronically, the company systems must support computer-readable format recording of the authorization and additional restrictions on information sharing identified by Policy Authorities.

Notes: In general, there may be multiple rounds of negotiation and review, and final approval of an Export Authorization may include attachment of provisos, exclusions, additional constraints and conditions determined by the policy authority. Provisos themselves may be restricted (e.g., U.S. Eyes Only).

Examples for provisos:

• When an item is governed by EU Dual Use regulations but is also given an additional restriction due to sensitive nature of the product (“Restricted due to national considerations”), the license may levy special handling requirements on exporters.

• The proviso to provide regular reports to the policy authority, i.e., when exporting cryptographic material.

Still, additional exclusions may be added later by the regulatory authority based on changes to regulations or license conditions.

Recommendation:

Systemic recording of the authorization and its additional provisos may be in simple clear text format but is ideally done in an advanced format to enable further systemic analysis. Presently, authorizations are published in the form of a physical set of legal documents. These documents should be converted to system readable documents first to allow better systemic processing of the export as well as systemic enforcement of restrictions.

Recommendation:

Seek agreement on format and frequency of reporting (for intangible exports) and include that as supporting document, with the submittal of the export license application (this to avoid future issues / confusion when having government audits).


BS-1.12 Sign Export Authorization, if required

Participants: End user

Description: In some cases the regulations require the End User to sign the export authorization.

Outputs: A signed Export Authorization

Requirements: N/A

Notes: This is particularly known for ITAR/TAA

BS-1.13 Register the Export Authorization

Participants: Program Manager / Export Authorization Manager

Description: Following approval, the authorization(s) are registered at the exporter.

Outputs: Recorded Export Authorizations

Requirements: N/A

Notes:

BS-1.14 Enable (systemic) analysis by translating the Export Authorization into a Computer Readable Format. Distribute this if required.

Participants: Export Authorization Manager

Description: Following approval of the Export Licenses required by the program, the Authorizations are translated into a computer readable format that may be directly interpreted by electronic systems or translated into an appropriate access control implementation.

Outputs: A complete set of approved Export Licenses recorded in a format that supports automated processing

Requirements: Electronic systems must support modeling and implementation of Export Licenses that meet all the requirements levied by the relevant authority.

Notes: The translation occurs at this point in the process, because we assume that conflict analysis will be much easier to do if the authorizations are translated and conflict analysis is assisted by a computer.

Recommendation: For a qualified, interoperable use, translation should be executed according to international open standards.

BS-1.15 Analyze Export Authorizations for Conflicts

Participants: Export Authorization Manager

Description: The Export Authorization Manager will compare all existing, approved export authorizations that apply to a program scope, and identify any conflicts that may have arisen during the development of the authorizations.

Outputs: A comprehensive collection of approved Export Authorizations that have been reviewed for conflicting terms, and have been revised to eliminate conflicts identified

Requirements:

1. The Export Authorization Manager shall coordinate as necessary to seek reconsideration and/or clarification of provisos, restrictions or limitations on the Export Authorizations.

2. The Export Authorization Manager must incorporate all provisos associated with the authorizations, and must include them in the conflict resolution process.

Notes:

Recommendation:

It is recommended that this process step be automated, where a system may provide a complete overview of all authorizations that a company uses to assist manual conflict analysis by the Export Authorization Manager.

It is also recommended that this system be able to present supplier/partner and information asset (ideally with indication of consistency), which will allow for a much more thorough search of related authorizations. The system should allow Program Managers to collect all authorizations for their portion of the program.

Definition:

Conflict: A conflict is defined as a condition whereby restrictions on one authorization are not aligned with restrictions on another authorization for releasing the same data to the same recipient.

Export Authorization Managers are expected to perform a similar analysis during the Authorization Determination Process – This step is required in case the terms of an authorization change during the application process.

In the event that conflicts between Export Authorizations are identified, the Export Authorization Manager may be required to apply for a revision of one or more of the Export Authorizations.

BS-1.16 Resolve Conflicts, if required

Participants: Export Authorization Manager

Description: If any conflicts exist, a determination is made as to the best way to resolve them, and modifications are requested to one or more of the licenses in order to resolve the conflicts.

Outputs: A determination of the updated authorizations to use or of changes to existing licenses that will resolve the conflicts between existing authorizations

Requirements: The Export Authorization Manager (or a system in case this is used to perform conflict analysis) must support modification of Export Authorizations and protection rules, to reflect updates (based on conflict resolution or other changes).

Notes: For example: a conflict may arise from the scope of the export. There may be a limit in the amount (articles, contractual values, etc.) of exports allowed under this license that may conflict with the desired amount.

BS-1.17 Permit the export under the Export Authorization (and supporting documents)

Participants: Export Authorization Manager

Description: The Export Authorization Manager shall provide an official Company Authorization to proceed with the export to the Program Manager once the Export Authorization is agreed to by company management, all program participants and all conflicts have been resolved.

In BS2, an Internal Control Plan will be developed to allow each participant in the program to implement appropriate (access) controls. This is prepared in this step by:

• associating particular Export Authorization scopes with the information shared in the context of the Program.

• associating the electronic systems/services that support that information sharing under the export authorization.

Outputs: A comprehensive ‘Company Authorization to Export’ that includes:

• the company’s approval to proceed

• high level information and/or constraints about all (export) collaboration activities in the context of the program.

The Export Authorization Manager will conduct regular routine checks to ensure continued authorizations validity.

Requirements:

1. The ‘Company Authorization To Export’ must be provided and should define the scope of activities for which export authorizations have been sought.

2. The Company Authorization To Export may contain specific restrictions such as access control rules that require information about user roles (for example associated with Bill of Material, Product Breakdown or Work Breakdown).

3. Company Authorizations to Export should be part of the company internal control plan for export compliance, and may be distributed among the program participants.

4. Each participating company will manage access according to its own policies and export authorizations, as well as export authorizations managed by business partners.

Notes: Because of the multi-stage system in most companies in France, the corporate authorization is a best practice prerequisite that is required first, prior to export license application. This may result in an iterative sub-process between BS 1.6-1.7 and BS 1.17.

Based on the Internal Control Plan, IT administrators may implement the defined access control rules in systems. These access control rules grant privileges based upon evaluation of user authorization and information labeling. (See BS 2). For example, if someone uploads a document and the license does not support export to a country, participants of that country should not be able to access the document.

Recommendation: Appropriate protections must be applied even on data hosted by third parties. In certain cases, additional protection requirements may be required, such as for cloud service providers, that would be needed to mitigate the additional risks involved with use of that service (e.g., multi-tenancy).

Recommendation: Export agreements with external parties should reflect appropriate access restrictions. For example: Any new employee/partner employee is not allowed access prior to a check on characteristics (identity proofing) and qualifications (proof of completion of necessary training). So Business IT may not grant access without confirmation from the Export Authorization Manager.
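The conflict definition in BS-1.15 and the label-based access rule described in the BS-1.17 notes can be expressed over authorizations held in a computer readable form (BS-1.14). The following is an added example, not part of the TSCP document: the record fields, license references and classification labels are constructed, and denying access whenever the applicable authorizations disagree is an assumption of this sketch rather than a TSCP requirement.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Authorization:
    """One export authorization in machine-readable form (field names are assumptions)."""
    reference: str        # license reference
    classification: str   # export classification of the covered items
    recipient: str        # organization allowed to receive the items
    countries: frozenset  # destination countries the license allows
    valid_from: date
    valid_until: date
    provisos: frozenset = frozenset()

    def covers(self, classification, recipient, on):
        """True if this authorization applies to the item/recipient on the given date."""
        return (self.classification == classification
                and self.recipient == recipient
                and self.valid_from <= on <= self.valid_until)


def find_conflicts(auths):
    """Return pairs that release the same data to the same recipient
    under restrictions that are not aligned (the BS-1.15 definition)."""
    conflicts = []
    for a, b in combinations(auths, 2):
        if (a.classification, a.recipient) != (b.classification, b.recipient):
            continue
        # Authorizations whose validity periods never overlap cannot conflict.
        if a.valid_until < b.valid_from or b.valid_until < a.valid_from:
            continue
        differing = []
        if a.countries != b.countries:
            differing.append("countries")
        if a.provisos != b.provisos:
            differing.append("provisos")
        if differing:
            conflicts.append((a.reference, b.reference, tuple(differing)))
    return conflicts


def may_access(user_org, user_country, doc_classification, auths, on):
    """Deny by default; permit only if every authorization that applies to this
    document label and recipient on this date allows the user's country.
    (Most-restrictive-wins while a conflict is unresolved is an assumption.)"""
    applicable = [a for a in auths if a.covers(doc_classification, user_org, on)]
    if not applicable:
        return False
    return all(user_country in a.countries for a in applicable)


# Constructed sample data: references and classification labels are placeholders.
AUTHS = [
    Authorization("LIC-0001", "CLASS-A", "Partner NL", frozenset({"NL", "FR"}),
                  date(2013, 1, 1), date(2014, 12, 31)),
    Authorization("LIC-0002", "CLASS-A", "Partner NL", frozenset({"NL"}),
                  date(2013, 6, 1), date(2015, 5, 31),
                  frozenset({"regular reporting"})),
    Authorization("LIC-0003", "CLASS-B", "Partner UK", frozenset({"GB"}),
                  date(2013, 1, 1), date(2013, 12, 31)),
]

if __name__ == "__main__":
    print(find_conflicts(AUTHS))
    print(may_access("Partner NL", "FR", "CLASS-A", AUTHS, date(2013, 7, 31)))
```
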

BS-1.18 Identify New Partner

Participants: Program manager

Description: During the life of the program, additional partners may be identified. Existing Authorizations must be reviewed and verified for use with the new partner.

Outputs: A validation of the new partner’s characteristics against the partner profiles created previously (BS 1.2), to allow addition of the new partner.

This validation also impacts the ICP (for access control decision).

Requirements:

1. Maintain and update list of authorized/not authorized partners (white list/black list)

2. Limit access based upon the program phase/work-efforts.

Notes: If a new partner is:

• not listed: return to BS 1.1 for new authorization process.

• already in the white list, and involved in an authorized work effort: no need for adjustment of the Authorization

• already in the white list, but is now involved in a new work effort, that was not captured previously: the Authorization may need to be adjusted

• on the black list, adding this partner to the program will never be allowed.

Recommendation:

Even though each export license application is handled in a case by case manner, it might help the exporter to create a specific ‘red flag’ list with recipients/destinations that need further scrutiny. It may be possible to support this ‘red flag’ list within company export control support systems.

BS-1.19 Identify additional Scope of information shared/services provided

Participants: Program manager

Description: As the program matures, additional scopes may be identified. Authorizations must be verified.

Outputs: Determine if the extended scope is allowed. Determination is made against the existing authorization(s) appropriate for this program.

If the existing authorization(s) do not allow the new scope, an additional authorization must be applied for or existing ones must be amended. Until that’s in place a scope change is not allowable.

Requirements: Addition of new scopes to a given program must be supported, including modification of program information classification to incorporate changes in program scope.

Notes: Similar to rationale on new partner in BS 1.18, return to BS 1.1 for new authorization process if needed.

BS-1.20 Change in regulation or authorization conditions

Participants: Policy Authority/Export Authorization Manager

Description: A policy authority may change the contents of the regulations or the terms of an authorization. When this occurs, the license determination process must be revisited.

Outputs: A change on the export or sharing items with a certain partner.

New authorization or modification of an existing authorization may be required.

Requirements: The Export Authorization Manager (or a system in case this is used) must support modification of Export Authorizations and protection rules, to reflect updates (to accommodate changes to export regulations or authorizations).

Notes: Authorizations may also be revoked completely.

BS-1.21 Change in Technology Classification list(s)

Participants: Policy Authority/Export Authorization Manager

Description: Rules for classifying technology may change over time. When they change, existing program scope items must be reclassified if they are affected by the change.

Outputs: Verification that the new classifications are still authorized for export against the current authorizations.

If not, updates to authorizations based on the new classification of the program’s exports.

Requirements: The Export Authorization Manager (or a system in case this is used) must support modification of Export Authorizations and protection rules, to reflect updates (to accommodate changes in classification of technology in the scope of the program).

Notes:

4.2 Process Steps – Requirements BS 2

BS-2.1 Write Internal Control Plan to manage handling of controlled items

Participants: Export Authorization Manager/Program Manager

Description: Program participants will identify and communicate the rules governing the management of export-controlled items (access, labeling, distribution, storage, etc.) in accordance with the terms of the relevant Export Authorization(s) and company policies, like:

• Export (compliance) policies (Business Authorization to Export from BS1.15);

• Information Security policy;

• National archiving regulations;

• Company Best Practices on handling export-controlled data;

• Contractually agreed obligations (e.g., a NDA).

This includes educating the program customer/consignees/end users to guarantee that the export-controlled products/information will be properly protected and managed.

Outputs: An Internal Control Plan with applicable rules and regulations for a specific program or entity to control their exports. Usually including specific sections for:

• the particular impact of these rules on the program export compliance (through a program specific Implementation Plan)

• the particular impact of these rules on the export compliance by the End User (through an End User specific Implementation Plan)

Requirements:

1. The internal control plan should contain functional specifications on (IT) systems in relation to the export authorization. Including:

a. Categorization rules for determining from the content the label(s) that should be applied to a particular item (like a document);

b. Labeling rules: rules determining the content of the label(s) to ensure consistent interpretation by human users and by systems;

c. Access rules for using the End User attributes defined in BS 1 to determine the access that a user may have (to a document with a particular label).

2. If required consult with the End User to determine appropriate implementation support (two-way).

3. If required (by company policies) have the internal control plan formally approved.

Notes: A ‘Company Authorization To Export’ would typically lead to an Internal Control Plan (ICP). The ICP tends to set the rules, and company policies tend to tell employees what is expected overall (including implementation). A Program or, if applicable, a supplier should then work on a (program specific) Implementation Plan.

The work in this BS 2.1 is intended to tailor existing company policies*, export authorizations, and contractually agreed restrictions (NDA) to the program.

*This could be Human Resource, IT, financial policies.

There should also be a General Corporate Directive on compliance. The requirements and policies set up by that document should apply to each and every project/operation made by the company. The Program manager, supported by the Export Authorization Manager, should be in charge of the fine tuning and the adaptations needed for the program/operation to fully comply with these Corporate Directive requirements.

The accuracy and the validity of the Corporate Authorization to export should be checked regularly (not just once as in BS 1.17). This check should be part of the ICP operations. The operation described by the ICP should be checked, on a case by case basis, to confirm that it is still in line with the compliance policy of the company.

Proper determination of the required knowledge bases that program participants may consult (such as the Export Authorization Manager or simply helpdesk support) is considered a crucial part of this ICP.

Examples of items that should be in such a Control Plan:

• License reference
• License validity period
• Program name (if applicable)
• Export classification(s) allowable
• Countries allowable (or not allowable)
• Exclusions (such as WMD or security level – confidential or above)
• Recordkeeping requirements
• Roles and Responsibilities under the license
• Training requirements and other user support requirements (Manuals, Reference like intranet pages, helpdesk, etc.)
• Recordkeeping retention requirements
• Which individuals/organizations may have access to information
• Categorization rules, labeling rules and access rules
• Auditing requirements, including a compliance check/reporting guidelines for the electronic systems housing export-controlled data for the program
• Response to FAQ on export issues or redirect to other company personnel, for example in case of issues with export logistics

Other items that may be in a Control Plan include transit controls. For example, the allowed distribution method for export of data may contain the mandatory use of encryption and digital signing of e-mail messages that contain export-controlled information.

Most often a license does not specify particular guidelines for this; hence security policies or company best practices most likely have effect here.

Note that even though export regulations may not specify any requirements regarding handling of export-controlled data, other regulations may still apply and impact the program.

Definition:

There are various physical documents created during BS 1 and BS2. These have generic names in these business scenarios but do exist and are usually printed and signed off by the Export Authorization Manager.

For the sake of clarity these are defined here:

Export Authorization: The approval of an export from the government Policy Authority, granted to a company. It contains the export conditions.

‘Company Authorization to Export’: This is the internal approval of the company to export an item. It contains the analysis of the export authorization in the business context and includes mapping of the export on the (automated) company systems and processes.

Internal Control Plan (ICP): The complete plan for how one company plans to manage an export under a specific authorization (usually per program or entity).

Implementation Plan: A plan developed by a program based on (a subset of) the requirements in the Internal Control Plan. This document may be shared with external program partners such as suppliers.

Implementation Statement: The declaration of a program or supplier that all planned implementation is done. This statement serves as evidence in peer reviews and audits.

BS-2.2 Configure access control systems and assign required attributes to users

Participants: Program Manager, Company Management

Description: The Program Manager directs appropriate technical personnel to configure IT systems/procedures to enforce the rules (access controls, labeling tool profiles, distribution lists, etc.). Each organization assigns the required attributes (listed in BS1) to authorized users based on conditions from the internal (export) control plan (defined in BS2.1) and their scope or work effort.

Outputs:

• Access control systems are configured corresponding with program rules

• User profiles (technical format) have been defined (containing attributes and processes for assigning, tracking and managing user attributes)

• Users have been assigned attributes and are able to use these.

Requirements:

1. The access control system must

a. support definition and communication of attributes relevant to determining access control restrictions such that all participating organizations may apply appropriate access control restrictions to participants.

b. support implementation of access rules that are consistent with overarching policy and compliant with specific export authorizations for the program. The correct configuration has to be verified prior to use for export of data.

c. support scenarios where all parties may maintain local systems that hold their portion of the controlled data.

d. help administrators to implement the defined access control rules in systems. The access control rules grant privileges based upon evaluation of user authorization and information labeling.

2. Attribute profiles must reflect local privacy regulations.

3. The access control system should support mapping of Export Authorizations to traditional system specific access control mechanisms (such as Rule / Role Based Access Controls).

Notes: Access authority is granted on the basis of defined attributes (see BS1.2 and BS 1.4).

These differ per exporter, export authorization, security classifications, export control regulation and per situation. There will also be a range of acceptable values for these attributes. Depending on the sensitivity of the item/program this could mean that there will be an approved list of individuals (although it is not so common for EU Dual Use to get to that restrictive level).

Furthermore, the way verification takes place is company specific. It might be sensible or even necessary to communicate the configuration and its verification result to the program partners.

Access control systems must be pre-approved by UK MoD CESG (if UK restricted or above comes into scope).

The exporter must prevent unauthorized access. End Use must be confirmed and should not be assumed.

BS-2.3 Configure labeling tools and write data labeling guide

Participants: Program Manager

Description: The ICP defines rules for the determination of the appropriate data classification for information objects. The appropriate labels as defined for the program are made available to all the end users because all participants in scope of the program configure their local labeling tools and the relevant IT systems such as a document management system.

These rules are input to training materials that assist users in identifying the policies governing information objects, and applying the correct labels on information objects to support systemic protection. Guidelines also describe which markings should be applied to various kinds of documents, and where and how they should appear on documents.

Outputs:

• Proper configuration for labeling tools used within a program context

• A set of guidelines identifying requirements for labeling and marking of documents

Both including the following elements:

• Categorization rules for determining which labels to apply to documents based on their contents.

• Labeling rules for application of physical markings to documents that describe the wording of the physical markings and the basic details of their placement, i.e., Distribution Statement must appear on a cover sheet.

Requirements: Labeling tools and guidelines

a. should be consistent with overarching policy and compliant with specific export authorizations and their provisos for the program.

b. must be flexible to cope with other organizations' policies on top of export controls.

c. must be clear and concise for consistent use of the tools and understanding of the labels by all users.

Notes: Ideally, labels should be managed centrally by enterprises/programs (per program within each company) so that the labels will be consistent across organizations that are exchanging data.

Ideally, labels should be distributed to systems such that authoring tools may present them as choices to information suppliers.

Depending on the program scope and the way labels are managed, the labeling tools may need to be able to “translate” labels (i.e., from Dutch into German, or from MS Office into LibreOffice). Ideally, they are also able to perform semi-automated checks and balances to assist the Program Manager with this particular task.

BS-2.4 Develop training material, if required tailor this to local context

Participants: Export Authorization Manager/Program Manager

Description: The Program Manager will lead the development of training materials for all program participants which, at minimum, addresses:

• identification of sensitive material
• knowledge of existing Export Authorizations
• knowledge of labeling and sharing guidelines for the program
• recordkeeping requirements

If necessary, the Program Manager or the End Users will supplement the developed training material with local context.

Outputs: Training material for use by program personnel

Requirements:

1. The training materials

a. must be consistent with (system) guidelines so that all companies are using the access control, labeling and other systems / processes in a similar manner.

b. should address both the authorizations and any provisos associated with the authorizations that are relevant to the export in scope.

2. Therefore training has two components:

a. Generic Export Compliance training – not specific to a program or export authorization – this may be conducted earlier, and is a requirement for system access. Generic training must be refreshed on a periodic basis, as required by enterprise policy (typically annual requirement).

b. Training for program specific requirements and export authorizations. This will be defined by Export Authorization Manager for each program. Successful completion of this training is required for access to data covered under the program.

3. A separate (translated) version of the training may be developed for external users (e.g., foreign signatories).

Notes: Training material developed by the Export Authorization Manager may be shared with external parties to ensure consistency and compliance. This is optional, and provided only if required by enterprise/program requirements.

Training is helpful, but is not a risk mitigation method and the company that provides training must not be held liable. Ultimate responsibility for export compliance requirements is every company's own responsibility.

The frequency of training delivery may be determined by a proviso, a consent decree, or by enterprise policy. The Export Authorization Manager/Program Manager should ensure that any training is in compliance with all applicable requirements.

Periodic re-training / recertification of users should be best practice.

• Training is at minimum best practice. It is expected that future (i.e., new Wassenaar Arrangement guidelines) regulations may demand training as a criterion.

• Some Export Control Policy Authorities (e.g., EAR, ITAR) already provide guidelines that specify that all participants must have received training.

BS-2.5 Deliver tailored training to users

Participants: Program Manager

Description: Appropriate individuals within each program participant organization will deliver training to their team, based on material developed in BS 2.6 and BS 2.7.

Outputs: Structured data recording progress/completion of training by program participants

Requirements:

1. Companies must ensure that a training plan is in existence to ensure export-controlled items are sufficiently protected.

2. User access to systems must be checked periodically regarding training completion, recertification and consequences of not completing the training in time.

Notes: Training of users is a best practice. Some regulatory authorities (i.e., BIS for UK) provide compliance guidelines that specify that all participants must have received training. Status information on training then becomes a (mandatory) element in the user attribute profile.

Recommendation:

• Personal training is considered most effective for initial knowledge on export controls (awareness).

• Further training of users may be electronic (effective for large number of people, effective to refresh memory).

BS-2.6 Development of reporting guidelines and of support for Export Control Audits

Participants: Export Authorization Manager/Program Manager

Description: The Program manager and Export Authorization Manager jointly define reporting guidelines and audit collection guidelines to ensure that Export Compliance may be verified by the Export Authorization Manager.

This includes a verification of which guidelines have to be implemented as mandated by the Corporate or Third Party Audit officials. They normally should develop their own methodology and, for instance, verify that the export control documents of reference (and organizational aspects such as manpower, budget, etc.) are well defined, implemented and used by the Export Authorization Manager/Program Manager.

Outputs: Guidelines (expected content, reporting frequency, whom to report to, etc.) for reports / self-evaluations and improvement plans or audits.

Requirements:

1. Export Authorization Manager shall define the frequency and depth of the audits.

2. Export Authorization Manager shall define the parameters and information that must be auditable, including data in collaboration systems, if these are used.

3. If required (by company policies) have the audit guidelines formally approved.

Notes: Report guidelines differ by company and are usually not shared externally. Also some audits are done online (i.e., for Germany this is the case where the national export control policy authorities require a company to fill out a form).

Depending on the regulatory environment (export control regulations, company policies, archiving regulations) audits may be subject to specific requirements on:

• authenticity (audit record has been generated by a trustworthy source);
• integrity (audit record has not been tampered with);
• confidentiality (audit record must be encrypted);
• retention (audit record must be stored for a certain duration, e.g. to allow for forensics).

As an example of an audit report, the list below provides an outline with common headings and expected range of values. This may be useful for capturing the required data to (automatically) generate the report.

Example heading/report element:

• Validate access conditions for specific systems
• Upload/Access records for specific data items for a specific period of time
• All users/companies associated with a given Export Authorization
• Identify the number of export per export authorization over time
• Valid user list
• Access audits for specific items
• All data exported under a given export authorization
• Upload/Access records for specific companies/users
• List of export records based on an export authorization and a period of time
• List of export authorization numbers, based on a company or a person
• Ad hoc reports

Expected values:

• Date/Time
• Characteristics of the individual that exported the item (e.g., who has uploaded a document)*
• Characteristics of the individual that imported (e.g., who accessed the document)*
• which item was exported (reference number or similar)
• license reference number

*See BS 1 for minimum required characteristics and/or parameters
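The access rules of BS-2.2 (privileges granted by evaluating user attributes against information labels) and the expected audit values listed above can be exercised together in one decision point. The following is an added illustration, not part of the TSCP document: the attribute names, label fields, reason strings and sample values are assumptions constructed for the example, and the HMAC key handling is simplified.

```python
"""Added illustration: attribute-based release decision plus a tamper-evident
audit entry. Field names and sample values are constructed, not from TSCP."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ExportAuthorization:
    license_ref: str
    valid_from: date
    valid_until: date
    classifications: frozenset  # export classification(s) allowable
    countries: frozenset        # countries allowable


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    organization: str
    country: str
    training_valid_until: date  # training status held as a profile attribute
    licenses: frozenset         # authorizations the user has been assigned to


@dataclass(frozen=True)
class Label:
    item_ref: str
    classification: str
    license_ref: str


def evaluate_access(user, label, auth, today):
    """Deny by default: access is granted only if no rule objects."""
    reasons = []
    if label.license_ref != auth.license_ref:
        reasons.append("label not covered by this authorization")
    if not auth.valid_from <= today <= auth.valid_until:
        reasons.append("authorization outside validity period")
    if label.classification not in auth.classifications:
        reasons.append("classification not allowable")
    if user.country not in auth.countries:
        reasons.append("recipient country not allowable")
    if auth.license_ref not in user.licenses:
        reasons.append("user not assigned to this authorization")
    if user.training_valid_until < today:
        reasons.append("training expired")
    return (not reasons, reasons)


def _tag(key, record):
    """HMAC-SHA256 over a canonical JSON form, so field order cannot vary."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def _who(user):
    return {"user_id": user.user_id, "organization": user.organization,
            "country": user.country}


def release(key, exporter, recipient, label, auth, when):
    """Decide on one release and return the audit entry (denials included)."""
    # The HMAC covers integrity and, for key holders, authenticity.
    # Confidentiality and retention are left to the store keeping the entries.
    allowed, reasons = evaluate_access(recipient, label, auth, when.date())
    record = {
        "timestamp": when.isoformat(),
        "exporter": _who(exporter),
        "recipient": _who(recipient),
        "item_ref": label.item_ref,
        "license_ref": label.license_ref,
        "decision": "permit" if allowed else "deny",
        "reasons": reasons,
    }
    return {**record, "hmac": _tag(key, record)}


def verify_audit_record(key, entry):
    """Recompute the tag over every field except the tag itself."""
    body = {k: v for k, v in entry.items() if k != "hmac"}
    supplied = str(entry.get("hmac", "")).encode()
    return hmac.compare_digest(_tag(key, body).encode(), supplied)


# Constructed sample data (hypothetical licence, users and label).
KEY = b"constructed-demo-key"  # in practice, a managed secret
LICS = frozenset({"LIC-EXAMPLE-001"})
AUTH = ExportAuthorization("LIC-EXAMPLE-001", date(2013, 1, 1), date(2014, 12, 31),
                           frozenset({"EXAMPLE-CLASS-A"}), frozenset({"NL", "DE", "GB"}))
ALICE = UserProfile("alice", "Exporter BV", "NL", date(2014, 6, 30), LICS)
BOB = UserProfile("bob", "Partner GmbH", "DE", date(2014, 6, 30), LICS)
CAROL = UserProfile("carol", "Other Ltd", "XX", date(2013, 1, 1), LICS)
LABEL = Label("DOC-0001", "EXAMPLE-CLASS-A", "LIC-EXAMPLE-001")
```

Calling `release(KEY, ALICE, BOB, LABEL, AUTH, when)` with a timezone-aware `datetime` returns a permit entry; the same call for `CAROL` returns a deny entry listing both failed rules, and either entry fails `verify_audit_record` once any field is altered.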

BS-2.7 Verify Implementation

Participants: Program Manager

Description: The Program manager will verify that procedural and systemic controls comply with the appropriate System Implementation Plan or Internal Control Plan. The Program manager will ensure that implemented guidelines and rules are verified and used in the program in the proper way so that they are protecting data in accordance with requirements from the Internal Control Plan and the audit guidelines. This “Implementation Statement” (see BS 2.1) is used here to support the verification of compliant implementation.

Outputs: Self-Assessment report(s) that may include technical test reports as well as verified practices and corrective actions needed.

Requirements:

1. Identified scope of testing. At minimum, the controls must successfully demonstrate the ability to protect information according to the requirements as defined in BS2.1 prior to exchange of information.

2. Procedural controls must have been correctly implemented and show effective program data protection.

3. Reports (generated by a system) delivered to Export Authorization Manager should be formatted according to the audit guidelines and should permit them to verify the compliance of the program with EU Dual Use requirements.

4. Access to Reports (generated by a system) shall be restricted to authorized individuals.

Notes: The purpose of this process step is to self-assess if export compliance instructions and regulations are followed. Examples for verification:

• check trained personnel registry
• developed test book for testing of electronic systems
• conduct testing of technical systems
• periodically check export records

Recommendation: Export Authorization Manager should be able to access reports without involving IT specialists, where possible.

BS-2.8 Peer Review of (Electronic) systems/Practices

Participants: Export Authorization Manager

Description: Relevant personnel working for organizations affiliated with the program will perform (periodic) review of systems and export records to confirm that controls have been correctly implemented and are effectively protecting program data. This may result in a Peer Review Report to sign-off the program’s EU Dual-Use compliance.

Outputs: Peer Review Report, a determination by the Export Authorization Manager (or qualified others like internal auditors) that the (systemic) implementation of controls is compliant with requirements, or that modifications are needed to bring the systems and export records into compliance.

Requirements: N/A

Notes: This is a manual process.

BS-2.9 Independent Audit of Systems/Practices

Participants: Export Authorization Manager, Company Management, Third Party Auditor

Description: Coordinated by the Export Authorization Manager, as required, the Program manager will work with appropriate Company audit/compliance personnel to perform audits of systems and program practices to ensure that the program remains in compliance with Export Control Requirements.

Outputs: Audit Report

• Including statement on elements of non-compliance and closure dates of corrective actions (if within scope of the program)
• Observations and recommendations to improve the process
• Follow up with adjustment of company policies – if needed
• Follow up with program instructions and processes – if needed

Requirements: Scope of audit/audit agenda.

Notes: The purpose of this process step is to independently audit if export compliance instructions and regulations are followed. A third party auditor (such as Government) sometimes issues audit reports via an online system. Companies may have to close out corrective actions via the same system.

Sometimes the auditor or Export Control Policy Authority dictates a format for logging export transactions and/or providing audit evidence. See also BS 3 Recordkeeping requirements.

4.3 Process Steps – Requirements BS 3

BS 3.1 Develop (technical) data, goods or services

Participants: Program Personnel

Description: Program personnel develop some (technical) items to be shared.

Outputs: The item to be exported is manufactured. This could be a physical item or a piece of electronic data/software (also known as Technical Data under the ITAR). See 1.3 Definition(s).

Requirements: (Detailed) description of required data to allow determination if an item is deemed to be export-controlled.

Notes: Intangible items like Technical Data must be correctly controlled prior to application of a label indicating protection requirements. Checks and balances are required to ensure data is not released outside the scope of the export authorization. Locking the data up in a Program Personnel ONLY access area is a way around this. Companies’ internal policy will determine how this data is protected.

BS 3.2 Verified need to share goods/data/services

Participants: End User (in this scenario, an external recipient)

Description: Additional or recurring requests may be submitted (by multiple individual End Users, if applicable under the license) as a follow up of the initial request to share data.

Outputs:

• Detailed description of required goods/technical data

• Exact date/time of the occasions of sharing.

Requirements: Overview of required description details to request goods/technical data.

Notes: This could be an important recurrence step (in line with BS 3.3 and BS 3.4). But usually the End User merely confirms correctness of the details needed for shipping items (goods/data/services). Particular verification on the need to share items (e.g., when circumstances change like in case of a takeover or embargo) is done in BS 3.3 by the Program Personnel or the Program Manager in line with their Export Control training/education. Examples:

• because of large amount of time between initial license and the actual day of development and shipment, like in France for the time between license to negotiate and license to export (ship).

• in case of a (hostile) takeover or changed political situation (embargo).

• also looking at verification of need to share data (and its volatile character, meaning a higher frequency of verification of the end user in respect to shipping physical goods).

A typical sequence in this step is:

1) the End User notifies his/her need of information, data, technology,

2) the Program Personnel who ship items/give access to the related information must verify (in line with regular practice for handling any classified information) that the End User is cleared to receive that information, that the End User is authorized for the particular type of information and that the End User has the "need to know" this particular information.

Recommendation: The request should be done in accordance with applicable company policies.

BS 3.3 Determine if data is export-controlled and if appropriate export authorization is present

Participants: Program Personnel

Description: (Trained/qualified) Program Personnel determine whether data is export-controlled.

If the data is export-controlled, program personnel will verify if the appropriate export authorization is present to support the desired release.

Outputs:

• Determination of whether an export control authorization is applicable.
• Determination of whether all associated documents (such as end-user statement) in support of the authorization are valid, accurate and available.
• In the case of the ITAR/EAR, the determined jurisdiction and the individual making the determination must be recorded for audit purposes.
• Changes of jurisdiction for controlled information must be recorded, including the date of the change and the identity of the individual determining the changed jurisdiction.

Requirements:

1. Program personnel are qualified to make the determination whether data is export-controlled.

2. Determination process is followed according to written policies and procedures.

3. A system may be available to support this determination. If so, that system should be able to:

a. present all available regulations that apply to the program.

b. assist the user in determining applicable regulations through a guided decision tree.

c. prompt the user to consider all restrictions that may apply to an information object, including proprietary information restrictions, personally identifiable information restrictions, etc.

4. Program personnel should have:

a. access to electronic copies of export authorizations to support identification of the appropriate export authorizations to support sharing of the technical data,

b. the ability to search electronic copies of export authorizations in order to locate the relevant Export Authorization more easily.

5. The identity of the information supplier who associates an export authorization with a piece of technical data will be captured and recorded.

6. The record of the identity of the information label applier will be maintained by the Exporter, and will not be visible to external recipients.

7. A Shared Data environment hosting UK Export-controlled information must require information suppliers to select an export authorization for a given information object before sharing that information object with a non-UK recipient in a location outside the UK.

8. Export Authorizations available to the user should only be company owned export authorizations determined in BS 1.

Notes: This step is recurring as at this point it is often of essence to check if some parts and components are subject to particular restrictions.

Examples:

• re-export
• replacement of parts
• partial delivery

This action should be the responsibility of a trained specialist, although some less complex determination (check a predefined list) may be done by all personnel in the Program. Depending on the procedures and level of complexity in a program it may be useful to appoint a dedicated export manager for the program. (Written) procedures are company specific.

Examples:

• a manual check against a predefined list.

• a full determination, where the company has implemented a training for Program Personnel so they are qualified to determine if what they just built/manufactured/developed is subject to export control.

• see also BS 4 where this check is done in an automated and systemic way (by use of labels).

“Determine if data is export-controlled” and “determine if appropriate export authorization is present” are very different activities that may be carried out by different groups in different organizations. This process would be followed if the work done is part of existing contract/program. For new contracts/programs or entity set ups, a validation process needs to take place as per BS 1.

BS 3.4 Determine actions for release

Participants Program Personnel

Description Determination of actions as preparation for release.

The Export Program Manager may be consulted to provide assistance in identifying distribution method and release policies as stated in the program guidelines.

Outputs Overview of actions to be taken prior to release of the data/goods/services.

Requirements Actions should be in accordance with the program internal control plan and company-specific release policies.

Notes Often the program personnel at this stage merely select a best fit option from what they have learned or have available in a digital form (e.g., a labeling tool to mark electronic documents). It is therefore best practice to strive for a uniform release approach that will be applicable for the complete program. This may be best clarified as follows: the Program Manager and the Export Authorization Manager decide on the actions to release in full compliance with all laws, regulations and company policies. The result will be procedures or lists that form part of the ICP. The Program Manager has to execute/apply the proper actions in case of an export activity. The ICP could have defined a different approach per release or per partner; e.g., as a result of the conflict analysis process in BS 1. Also, for each intended release of an item, the item still needs to be prepared for release according to the ICP; e.g., company methods to share an item internally (secure storage) and externally (secure transport). As more than one distribution method may well have been defined, it is recommended that this is checked, and that the Program Manager and Program Personnel are trained to select the best fit method.

Examples for determinations:

• Check if labeling / marking requirements are already met
• Perform a (peer) review of a technical document (as quality assurance) so that when exported it is the correct and complete document.

BS 3.5 Collect intended recipient(s) characteristics

Participants Program Personnel

Description Includes:

• Verification of characteristics already received in BS 1
• New characteristics for this specific release (if any)
• Characteristics of third parties (broker)

Outputs Collection of required characteristics per recipient

Requirements
1. An overview of intended recipients, including brokers, must be present.
2. Required characteristics as specified by the Authorization must be known.
3. Additional characteristics of the recipients required for this specific release may be collected (e.g., the security policy may require a PKI certificate for email message encryption).
4. Collected recipient characteristics must be verified and validated against the appropriate standards or trust framework.

Notes Verification and validation may be done manually or automatically. See BS 1.23 and BS 3.21.

Recommendation: Verify whether personal data protection laws and regulations such as the EU Data Protection Directive are applicable and complied with [23].

[23] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT

BS 3.6 Provide recipient information as required

Participants End User (in this scenario an external recipient and assumed to be authorized)

Description Provide required information.

Outputs Credentials and other details

Requirements Overview of required information.

Notes Detailed identity characteristics may be required in the license and in other policies/regulations, although regulations often do not specify requirements for end user identification, merely who (as per license) may have the technology sent.

Access to dual use technology would be specific to either country (Generic Licenses) or a company (specific licenses). Therefore addressee and location (company name, address and country) would be the minimum required credentials.

System access controls are more driven by company policies whereby minimum requirements would be requested (say for a shared environment).

Recommendation:

To identify a company, an agreed identifier from a Registrar may be used (e.g., U.S. or NATO CAGE [24] code, a Chamber of Commerce number, a Tax Identification Number or TIN). This number may be used in a system as the identifier itself, but may also be used in a query to easily retrieve further required details such as the company address.

BS 3.7 Apply appropriate labels / visual markings

Participants Program Personnel

Description The Information supplier will choose the appropriate label and markings as captured in the Internal Control Plan (ICP).

Outputs Appropriate labels and markings applied to data.

Requirements 1. Labels and markings applied to data must be applied in accordance with:

a. regulations
b. company policy
c. export authorizations
d. and, if applicable, security classifications.

2. If labels are used, users or systems must be able to detect modification to labels or content.

3. Markings including document control, destination control and security statements, if appropriate, must be applied to all data resident in a system that may be accessed by foreign personnel in locations outside the national territory, to ensure that data is not exported without proper authorization.

4. Government, company or program policy (e.g., DODD 5230.24) may require application of specific, required markings to data that is controlled under the ITAR.

Notes Data is almost ready for release after this process step. The applied labels and markings enable supporting technology to help prevent unauthorized release or export of technical data.

Modification of data may impact authorization determination and labeling. Modification could require (new) authorization or data needs to be processed again starting at 3.1.

There are no requirements to update or to change labels on copies of documents that are not being exported.

Recommendation:

Apply a qualified digital signature [25] to data to register any modifications of the data after labeling / marking.

[24] https://www.fsd.gov/app/answers/detail/a_id/186/~/what-is-a-cage-code%3F-how-are-cage-codes-assigned%3F

BS 3.8 Select appropriate distribution method and policies

Participants Program Personnel

Description For a given distribution method, specific requirements may apply from company policies or legal aspects. This may require a choice for the best distribution method regarding the release of the data to the recipient.

Outputs Choice of appropriate distribution method

Requirements In accordance with regulations/company policy

Notes For a given distribution method, specific requirements may apply. For example, when email is chosen as distribution method, company or legal policy may require encryption of the (export-controlled) technical data. Another example is sending information on a memory stick by regular mail, only through accredited couriers and only encrypted.

BS 3.9 Release Controlled information

Participants Program Personnel

Description Program personnel take an action that results in a recipient having potential access to the controlled data. This is considered the actual point of export/import/transit.

Outputs The controlled data is accessible by recipients (transaction).

Requirements 1. Verify that all necessary requirements for the chosen distribution method are met.

2. Data sharing systems should enforce proper access control on upload of documents, ensuring that documents are only uploaded if properly marked, and that the markings are appropriate to the location where the document is being uploaded.

3. Export-controlled technical data received by non-U.S. parties under a U.S. export authorization must only contain markings and/or metadata about the export regime governing that technical data (e.g., ITAR), and the specific export authorizations permitting access by that particular non-U.S. recipient (e.g., TAA #1). If there are any other authorizations that can be applied to that technical data to permit sharing with other non-U.S. recipients, those authorizations must not be inferable by any of the non-U.S. recipients via any marking and/or metadata attached to the technical data.

Notes Release may be contingent on other requirements, such as intellectual property restrictions, etc.

[25] A qualified electronic signature is an advanced electronic signature (as defined in the EU Electronic Signature Directive) which is based on a qualified certificate and which is created by a secure-signature-creation device (i.e., a signature as described in article 5.1 of the EU Electronic Signature Directive).

BS 3.10 Systemic export determination

Participants End User (in this scenario an external recipient)

Description A systemic determination is made of whether the End User is allowed to access the data.

Outputs Access of export-controlled technical data by recipient

Requirements End User characteristics to acquire confirmation of access to export-controlled data

Notes This process step is assumed to be fully automated. It is also business context dependent.

Therefore the TSCP ECWG has performed reviews on individual Export Control regulations to determine a basic logical rule per review / Export Control regulation. This rule covers the always applicable (generic) process steps for systemic export determination required by that particular Export Control regulation.

On top of that, each specific export, import or other transaction may bring one or more business context dependent rules.

Both rules have been included in the requirements documents for each individual review.

The combination and technical implementation of both types of export control rules, and/or the business rule transformation from other business context (like Intellectual Property Protection) has been tasked to the TSCP ILH project.

BS 3.11 End User (authorized end user) accesses exported item

Participants End User (in this scenario an external recipient and assumed to be authorized)

Description The End User is able to access the data.

Outputs Access of export-controlled technical data by recipient

Requirements
1. Confirmation of access to export-controlled data.
2. Access to export-controlled data by an End User or other entities must be recorded in the appropriate audit log, as described in the ICP under Recordkeeping Requirements.

Notes Most export control regulations do not explicitly define recordkeeping requirements for export of data. However, enterprises have defined “best practices” with regard to recordkeeping, which are reproduced in Annex II: Recordkeeping Requirements.

Recommendations:

It is recommended that confirmation is based on a trusted authentication certificate of the recipient.

It is unlikely in the near term that a single document will be able to contain markings for multiple organizations and be protected such that an organization may only see the markings appropriate to them. In the short term, it is acceptable to produce multiple copies of the documents with only the appropriate markings embedded in them.
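The tamper-detection requirement of BS 3.7 (requirement 2), the marking restriction of BS 3.9 (requirement 3) and the multiple-copies recommendation of BS 3.11 can be exercised together. The following is an added example, not part of the TSCP document: it uses a keyed HMAC as a stand-in for the qualified digital signature recommended under BS 3.7, and all identifiers, keys and field names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: every identifier below is made up for illustration.
MASTER_RECORD = {
    "doc_id": "DOC-0001",
    "regime": "ITAR",
    # recipient organization -> export authorization permitting its access
    "authorizations": {"org-nl-01": "TAA #1", "org-uk-02": "TAA #2"},
}
CONTENT = b"constructed technical data"
SEAL_KEY = b"demo-key-only"  # assumption: secret held by the data sharing system


def label_for_recipient(master, recipient):
    """Build the label for one recipient's copy: the governing regime plus
    only the authorization that permits that recipient's access."""
    authorization = master["authorizations"].get(recipient)
    if authorization is None:
        raise PermissionError("no export authorization on file for " + recipient)
    return {
        "doc_id": master["doc_id"],
        "regime": master["regime"],
        "authorization": authorization,
    }


def compute_seal(label, content, key):
    """HMAC-SHA256 over the canonical label and the content hash, so a change
    to either the label or the content invalidates the seal."""
    body = {"label": label, "content_sha256": hashlib.sha256(content).hexdigest()}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def make_copy(master, recipient, content, key):
    """Filter first, seal second: the seal covers only what this recipient may see."""
    label = label_for_recipient(master, recipient)
    return {"label": label, "content": content, "seal": compute_seal(label, content, key)}


def is_intact(copy, key):
    """True when neither the label nor the content changed after marking."""
    expected = compute_seal(copy["label"], copy["content"], key)
    return hmac.compare_digest(expected, copy["seal"])


def foreign_authorizations(copy, master, recipient):
    """Return authorizations of other recipients that appear anywhere in the
    copy's label (substring match, so free-text markings are covered too)."""
    own = master["authorizations"][recipient]
    visible = json.dumps(copy["label"], sort_keys=True)
    others = set(master["authorizations"].values()) - {own}
    return sorted(a for a in others if a in visible)


def accept_upload(copy, key, location_authorizations):
    """Upload gate: reject modified copies and markings not valid for the location."""
    if not is_intact(copy, key):
        return (False, "label or content modified after marking")
    if copy["label"].get("authorization") not in location_authorizations:
        return (False, "marking not appropriate for this location")
    return (True, "ok")


if __name__ == "__main__":
    nl_copy = make_copy(MASTER_RECORD, "org-nl-01", CONTENT, SEAL_KEY)
    print(nl_copy["label"], accept_upload(nl_copy, SEAL_KEY, {"TAA #1"}))
```

Because each copy is sealed after filtering, the seal itself carries no information about authorizations held by other recipients.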

BS 3.12 Register Transaction

Participants Export Program Manager

Description The transaction details must be registered according to the appropriate recordkeeping requirements.

Outputs (Automated) registration of transactions

Requirements
1. Required transaction details in accordance with audit trail requirements.
2. Registered transaction details should be accessible for audits. In principle all in- and outgoing transactions are required:
a. Oral
b. Visual
c. Systemic

Notes See Annex II: Recordkeeping Requirements and Annex III: Example of an intangible export log.

The policy authority usually provides the requirements, or it is done based on company best practices. This may differ per case or per license. For the ‘digital world’ this is less strict than for the physical world, since the policy authority usually ‘runs behind’ on new data sharing technology.

However, there have been pretty strict cases in which a full audit trail was required detailing technical data access and usage to satisfy regulatory compliance audit requirements.

Additionally, company policy may require keeping records of who approved release, who performed release, why access was granted and when it expires.

This leads to cases where recordkeeping must be done in separate logs: one for (system) access control management and one for export transactions.

Examples of transaction details:
• export date, time
• recipient characteristics (location address, company name, person identity characteristics)
• exported data
• license reference
• System Implementation Plan reference (Implementation Statement)
• value of export (see 3.13)
• logs of (virtual) meetings, phone calls

Recommendation:

Cloud Services are considered very risky and, if used, make it difficult to comply with export control regulations, mostly because cloud services are not simply traceable data storage on someone’s premises. When Cloud Services are used, an agreement should be made on liability. In most cases the data owner (usually the exporter) is the liable party, not the End User/receiving party or the cloud service provider.

BS 3.13 Register export under the authorization

Participants Export Authorization Manager

Description The transaction details must be registered according to the appropriate recordkeeping requirements.

Outputs Similar to BS 3.12

Requirements 1. In particular required by ITAR, upon first export under a given export authorization, a notification must be provided to the policy authority. Company policy determines whether exports are defined as release by an Information supplier or download by a non-U.S. entity signatory.

2. Individual transactions must be registered by the Program Manager (may also be for security reasons). Parts of that transaction must be registered by the Export Authorization Manager under the filed export authorization. There may be a value or quantity limitation on exports under a license (this is the case for The Netherlands Export Control).

Notes For example: A license may hold a 100k value that may be exported in portions of 10k; each portion needs to be registered.

Additional demand for recordkeeping could come from the policy authority (see BS 1.12). Usually there are no other explicit demands and registries are created based on program need (sometimes just email logs are sufficient).
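The registration rules of BS 3.13 (first-export notification, value limit per license, one entry per portion) can be enforced by the register itself. The following is an added example, not part of the TSCP document: the class, the record keys (taken from the column names of the Annex III intangible export log) and all sample values are constructed assumptions.

```python
from datetime import date
from decimal import Decimal

# Columns of the Annex III intangible export log, as record keys
# (the key names are this example's own).
REQUIRED_FIELDS = (
    "date", "recipient_name", "recipient_company", "recipient_country",
    "classification", "data_reference", "value",
)


class AuthorizationRegister:
    """Registers individual exports under one export authorization."""

    def __init__(self, license_ref, value_limit, valid_until):
        self.license_ref = license_ref
        self.value_limit = Decimal(str(value_limit))
        self.valid_until = valid_until
        self.entries = []

    def exported_value(self):
        return sum((e["value"] for e in self.entries), Decimal("0"))

    def remaining(self):
        return self.value_limit - self.exported_value()

    def register(self, transaction):
        """Validate and record one portion; nothing is recorded on rejection."""
        missing = [f for f in REQUIRED_FIELDS if transaction.get(f) in (None, "")]
        if missing:
            raise ValueError("incomplete record, missing: " + ", ".join(missing))
        value = Decimal(str(transaction["value"]))
        if value <= 0:
            raise ValueError("export value must be positive")
        if transaction["date"] > self.valid_until:
            raise ValueError("authorization not valid on " + transaction["date"].isoformat())
        if value > self.remaining():
            raise ValueError("portion exceeds remaining value under " + self.license_ref)
        # First export under the authorization: flag it so the notification to
        # the policy authority (required in particular by ITAR) is not missed.
        first_export = not self.entries
        entry = dict(transaction, value=value, license_ref=self.license_ref,
                     sequence=len(self.entries) + 1)
        self.entries.append(entry)
        return {"sequence": entry["sequence"], "remaining": self.remaining(),
                "notify_policy_authority": first_export}


def sample_portion(day):
    """Constructed 10k portion, dated in July 2013."""
    return {
        "date": date(2013, 7, day),
        "recipient_name": "Constructed Recipient",
        "recipient_company": "Constructed Company B.V.",
        "recipient_country": "NL",
        "classification": "[Dual Use classification]",
        "data_reference": "DOC-0001",
        "value": "10000",
    }


if __name__ == "__main__":
    register = AuthorizationRegister("[ref nr]", "100000", date(2013, 12, 31))
    print(register.register(sample_portion(1)))
```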

Consultation of company policies / program guidelines

Participants Export Program Manager

Description The Export Program Manager may be consulted to provide assistance in identifying distribution method and release policies as stated in the program guidelines.

Outputs
• Advice on release policies such as marking / labeling requirements
• Advice on distribution method and accompanying distribution requirements

Requirements
1. Regulations
2. Program policies
3. Company policies

Notes Examples for consultation:
• a possible interpretation of the license, regulations
• the possibility of multiple options for distribution or labeling
• the program personnel are uncertain / still to be trained
• a recent policy change that is not yet reflected in a new Internal Control Plan, i.e., a UN embargo
• a recent audit showing flaws in the execution of processes
• larger sized / politically sensitive programs requiring daily attention on their exports

Participants Export Authorization Manager

Description An Export Authorization Manager may be consulted.

There are three levels here:
1) Regular work/consultation, selecting best fit licenses/labels, etc.
2) More critical work: be aware of regulatory changes and make sure your original choice for labels/license is still a valid choice.
3) Mandatory review. UK MoD demands this for export controlled items that are also classified as UK restricted (and up).

For example:

• to select the best fit export authorization out of multiple possibilities
• to assist the Program Manager in case of labeling or packaging issues.
• This step is critically important when there is a delay between the process of labeling the document and the process of releasing the document to ensure that there have been no changes to the regulatory requirements or license restrictions.
• In the case of UK RESTRICTED – Review may be mandatory

Outputs Decision or advice, depending upon the specifics of the request for consultation

Requirements List of export authorizations, Regulations, Program policies, Company Policies, Recipient characteristics

Notes Examples:

• Determination if export authorization is required for technical data
• Overview of applicable export authorizations
• Overview of applicable policies
• Overview of required labels and markings

The Export Authorization Manager may not be entitled to perform its job. In case of EAR export authorizations, this entity may not be considered a U.S. Person. Access to export authorization records should be limited appropriately in such cases.

Annex I: Common Licenses and Agreements

Depending on the nature of an export/transfer/import, the following licenses may be required:

• Licenses required for manufacturing, trading and brokering.
• Licenses for negotiating and concluding an export contract.
• Licenses to export/transfer items or import them.

The following table presents common examples of licenses or other agreements from the third category. Note that many of these licenses may be applied for via forms that may/must be submitted electronically.

Type Military/Dual Use
Authorization IL (individual license)
Purpose Granted by individual EU countries. Covers exports:
• by a particular exporter
• for a particular good
• to a particular destination (to one end user)
In UK known as Standard Individual Export License (SIEL): These licenses, issued by the UK government to an exporter, authorize the export of specified data or technology to a specific recipient in a specific country against specific value within a limited period of time.

Type Military/Dual Use
Authorization GL (global license)
Purpose Granted by individual EU countries. Covers exports:
• by a particular exporter
• for a type or category (categories) of goods
• for the export to a single or several destinations
• for several transactions.
Uncommon, but for particular destinations a global license may be issued for military items.
In UK known as Open Individual Export License (OIEL): These licenses, issued by the UK government to one particular exporter, authorize the export of data or technology to specifically named destination(s), for a limited period of time.

Type Military
Authorization GTL (general transfer license) (equivalent licenses exist for DU; cf. infra, EU GEAs)
Purpose Granted by individual EU countries:
• for any exporter (a single registration number is to be granted at first use)
• for a limited list of items of the EU Military List (Annex of the ICT Directive)
• to the destination of EU Member States only.
For EU “Defence Related Products” (military) the EU authorities made 4 GTLs mandatory:
1. supplies for Armed Forces
2. shipments to other EU member states “Certified Companies”
3. exhibitions and demonstrations
4. maintenance and repairs.
Additionally, the EU member states may, if needed, adopt other GTLs.
• In France a “one step” license for intra-EU exports, referred to as “transfers” of defense-related products. This new licensing system has been tailored for intra-EU transfers and took effect on June 30, 2012. As of 27 June 2013, there are eight types of French General licenses for transfer:
(1) to the armed forces or defense procurement agency of another Member State
(2) to a certified enterprise in another Member State
(3) for the purposes of display and demonstration at an international trade show in another Member State
(4) to the armed forces or defense procurement agency of another Member State for purposes of demonstration or evaluation
(5) to an enterprise in another Member State for purposes of demonstration or evaluation; and
(6) to the police, customs agents, border patrol, or coast guard of another Member State for sole use by those forces.
(7) for the return of defense related and spatial products temporarily transferred in France from another EU Member state. (1 to 7 published by Arrêté du 6 janvier 2012).
(8) for the armed forces in another EU MS, but for their exclusive use only (published by Arrêté du 6 juin 2013).
• In the UK, Open General Export Licenses (OGEL) cover ICT military “Transfers,” too. These licenses, published by the UK government, authorize exporters to transfer/export data or technology as defined within the OGEL to specific listed countries against specifically defined criteria.
In France, a General Export License (published by Arrêté du 6 juin 2013) authorizes the “Exports” of Defense related products and satellites ground stations, for the exclusive use of the French armed forces. Consequently, French Industry benefits from General licenses to supply the French armed forces worldwide (EU and third countries).

Type Dual Use
Authorization EU GEA (European Union general license)
Purpose Cover exports of certain items to certain destinations as specified in EU Regulation 428/2009. There are currently 6 EU GEAs in place.

Type Dual Use
Authorization NGA (national general license)
Purpose May be issued by individual EU countries for dual use items, provided that they:
a) do not conflict with existing EU GEAs
b) do not cover any of the items listed in part 2 of Annex II to EU Regulation 428/2009
France, Germany, Greece, Italy, Sweden, the Netherlands and the UK currently have these authorizations. NGAs are published in the official journal of the issuing country.
In UK, known as Open General Export License (OGEL): These licenses, published by the UK government, authorize exporters to export data or technology as defined within the OGEL to specific listed countries against specifically defined criteria.

Type Military
Authorization U.S. Dept. of State DSP-5 Permanent Export License
Purpose License for the permanent export of unclassified defense articles and related unclassified technical data. This license is also used for authorization for the employment of a foreign national in the United States when those employees will have access to ITAR controlled technical data.

Type Military
Authorization U.S. Dept. of State DSP-73 Temporary Export License
Purpose For the temporary export of unclassified defense articles subject to ITAR. This license may be used for specific end users and public trade shows. However, if demonstrations or marketing information will exceed public domain information, a DSP-5 will also be required. Technical data is not authorized under a DSP-73.

Type Military
Authorization U.S. Dept. of State DSP-61 Temporary Import License
Purpose Used for temporary import of defense articles into the United States. U.S. goods that were sold to a foreign owner that are being returned to the United States for overhaul, repair, or an upgrade, would require this license if not exempt under 22 CFR 123.4(a). Foreign manufactured defense articles for trade shows and demonstrations would also require this license type.

Type Military
Authorization U.S. Dept. of State DSP-85 License for classified items
Purpose Used for classified defense articles and related classified technical data. It is used for permanent export, and temporary export or temporary import.

Type Military
Authorization U.S. Dept. of State Manufacturing License Agreement (MLA)
Purpose Required for defense services, if technical data is given or used to perform the defense services. Both unclassified and classified technical data may be exported in furtherance of an approved manufacturing license in accordance with 22 CFR 124.3. This license allows for the manufacturing of U.S. defense articles by a foreign person abroad.

Type Military
Authorization U.S. Dept. of State Technical Assist Agreement (TAA)
Purpose Agreement for the performance of defense services or disclosure of technical data. Unlike a DSP-5, discussions regarding the technical data may be held. A TAA is required for the training of foreign military forces in the use of defense articles. However, manufacturing "know how" is not permitted and authorization to manufacture U.S. defense articles by a foreign person is not granted.

Type Dual Use
Authorization U.S. Dept. of Commerce Individually Validated License
Purpose An IVL is a specific grant of authority from the government to a particular exporter to export a specific product to a specific destination if a general license is not available. The licenses are granted on a case-by-case basis for either a single transaction or for many transactions within a specified period of time. An exporter must apply to the Department of Commerce for an IVL.
One exception is munitions, which require a U.S. Department of State application and license. Other exceptions are listed in the EAR.

Type Dual Use
Authorization U.S. Dept. of Commerce EAR General License
Purpose A general license is a broad grant of authority by the government to all exporters for certain categories of products. Individual exporters do not need to apply for general licenses, since such authorization is already granted through the EAR; they only need to know the authorization is available.

Annex II: Recordkeeping Requirements

UK Recordkeeping Requirements

The following information should be retained by any organization exporting data under UK Export regulations in order to support BIS audits against Exports. The data must be kept in a place and manner so that it is available and retrievable during audits. It does not necessarily have to be embedded in the records for every export event.

Record Element Identity of Exporter
Definition The identity of the organization exporting the data must be recorded.

Record Element Recipient Information
Definition The following information must be recorded about the recipient of exported data:
• Identity of Recipient
• Organizational affiliation of recipient
• Location of Recipient at time of Export

Record Element Time and Date of Export
Definition The time and date of the event constituting “export” of the technical data. Organizations may define this event in a variety of ways: uploading a document to a shared data environment, having a document downloaded by a non-UK participant from a shared data environment, etc. Organizations must identify the event that constitutes an “export” for purposes of recordkeeping, and should be consistent in recording those events.

Record Element License Permitting Export
Definition The following information about the license used for the export of the data:
• License identifier (License name, number, OGEL Registration number)
• License Validity Period (OIEL, SIEL only)

Record Element Data
Definition
• Identifier for data being exported: This may be a File name, Document Control Number or other information, such as a URL or Folder Location. It should be unique for each exportable item, and traceable back to the exported document.
• UK Dual Use List Classification of data object
• UK Munitions List Classification of data object
• UK MoD Security Classification of the data object.

Record Element Data Environment
Definition Certification Level of Data Environment, to support classified data objects.

U.S. EAR Recordkeeping Requirements

EAR requires all exporters to keep records regarding exported technology for a period of 5 years following the export event. Audit records must be generated by a system, but must be supplemented by records maintained by the Export Authorization Coordinator to support the reconstruction of export events with sufficient detail to demonstrate compliance with export regulations.

The following data should be captured for every transaction processed by a collaboration system:
• Date of Transaction
• Program, or Scope of information object exported
• The identity of the parties to the recipient;
• Information related to the user’s nationality, and location, as well as employer country of incorporation
• A document reference number for any exported document
• The Export Authorization supporting the export event (e.g., EAR Export License number or justification of No License Requirement such as exception or EAR99)
• (Optional) additional information for utilization of Export Authority (quantity, value, etc.)

The data recorded in the previous list for every transaction is not sufficient to support an audit for export control. To support comprehensive audit and reporting requirements, additional supplemental information must be maintained in separate repositories, supporting retrieval of necessary information as required to support internal or external audit requests:

• A description of the software or technology exported or re-exported, including the ECCN, as identified on the Commerce Control List (CCL), or EAR99;
• A description of the equipment for which the software or technology is intended to be used, including the ECCN, as identified on the Commerce Control List, or EAR99;
• The intended end-use of the software or technology;
• The name and address of the end-user;
• The location of the equipment for which the software or technology is intended to be used, including the country of destination.

U.S. ITAR Recordkeeping Requirements

In addition to the record elements required by the regulations, capture of the following data element is recommended by enterprise best practices.

Note that in the Methods of Access column, “programmatic access” alone may not guarantee sufficient protection (e.g., privacy); this should be described further, e.g., “Limited Visibility.”

Figure 1 - Export Audit Record Data Elements

Figure 2 – Requester data audit record data elements

Figure 3 – Exporting Applications Audit Record Data Elements

EU Dual Use Recordkeeping Requirements

The table below provides an example of (combined) export reporting requirements.

Reporting requirements EU - Dual use exports

Original Consolidated

F D I NL UK

No requirements specified

6 monthly reports on exports* *if no exports zero report must be submitted no details on reporting (is all done via online government tool)

6 monthly reports No reporting requirements

No reporting requirements, must keep records

Need to be able to pull 6 monthly reports

Details invoice Details invoice (ref. No) Details contract Details contract (ref. No)

Amount/value items sent

Amount/value items sent

Description of the goods

Description of the goods

Description of the goods

HTS codes HTS codes

Country of destination

Country of destination (this should already be part of name/address requirements of consignee/end user)

Consignee / end user details

Consignee / end user details (name/address)

Consignee details (name/address)

Export date Export date Export date

Type of export (final, temporary, transit)

Type of export (physical/electronic)

Type of export (final, temporary, transit, physical/electronic)

Quantity Quantity

Name/address exporter Name/address exporter

Very stringent encryption requirements and information requirement on encryption

Very stringent encryption requirements and information requirement on encryption

Additional requirements on encryption


Annex III: Example of an intangible export log

The table below provides an example of an export record. The example is built up from:

• EU Dual Use regulations (the EU 428/2009 requires “recipient country”)

• national implementations of the EU regulation (“value” is a good example)

• and company specific demands

Intangible export log

Export License reference number: [ref nr]

Export License holder: [holder name]

Data sent: Dual use controlled data

Date | Recipient Name | Recipient Company | Recipient Country | Dual Use classification | Data reference number | Value


Annex IV: Reference tables

• ‘Consolidated’ provides the numbers from the main process steps in the consolidated business scenarios.

• ‘Original’ shows the process steps from which the consolidated requirements originated, including marking of the consolidated process steps that were amended with elements from the French Export Control review.

Consolidated: Process step | Original: ITAR | EAR | UK EC | NL EC | EU DU | FR EC

1.1 1.1 1.1 1.1 1.1 1.2 1.1 1.2 1.6 1.4, 1.23 1.2 x 1.3 1.3 1.4 1.2 1.3 1.4 x 1.5 1.3 1.4 1.5 1.6 1.5, 1.6 1.2,1.3,1.4,1.5 1.3, 1.22 1.6 1.7 1.4 1.7 1.7 1.2, 1.5 1.7 x 1.8 1.5 1.8 1.8, 1.10, 1.11 1.6, 1.7, 1.20,

1.8

1.9 1.6 1.9 1.12 1.8, 1.25 1.9 1.10 1.7 1.10 1.13 1.9 1.10 1.11 1.8 1.11 1.9, 1.14 1.10 1.11 1.12 1.8.5 1.13 1.12 1.14 1.9, 1.11, 1.12 1.12, 1.15, 1.16 1.12 1.15 1.10 1.13 1.11 1.13 1.16 1.14 1.26 1.14 1.17 1.13 1.17 1.15 1.15 x 2.1 x 2.2,2.3 2.1 2.1 2.1 2.1, 2.3 2.1 2.4 2.2, 2.3 2.2, 2.3 2.2 2.2 2.2, 2.3 2.5 2.4, 2.5 2.4, 2.5 2.3, 2.4 2.4, 2.5 2.6 2.6,2.7 2.6,2.7 2.5 2.6,2.7 x 2.7 2.8 2.8 2.6 2.23 2.8 2.8 2.10 2.10 2.8 2.9 2.9 2.9 2.9 2.7 2.5 2.10 2.10 2.12 2.12 2.10 2.6 2.11 2.11 2.11 2.11 2.9 2.24 2.12 3.1 3.1 3.1 3.1 3.1 3.1 3.2 3.20 3.2 x 3.3 3.2, 3.4 3.2, 3.4 3.2, 3.4 3.2 3.3, 3.4 x 3.4 3.4 3.7 x 3.5 3.3 3.5 3.6 3.21 3.6 3.7 3.3 3.3 3.3 3.5 3.8 3.8 3.6 3.9 3.9 3.7 3.7 3.7 3.7 3.10 3.10 x 3.11 3.8 3.8 3.8 3.8 3.11 3.12 3.9 3.9 3.9 3.12 3.13 3.9, 3.10 3.24 3.13


• ‘Consolidated’ provides the functional roles in the consolidated business scenarios, including a short description with the intention of the role. Full definitions can be found in sections 1.3 Definition(s) and 3 Consolidated Export Control Business Scenarios.

• ‘Original’ lists the roles as used in the individual reviews from which the consolidated roles originated.

Consolidated: Role, Intention | Original: ITAR, EAR, UK EC, NL EC, EU DU, FR EC

Role: End User
Intention: Receiving or handling an exported/imported item.
Original: Foreign entity; signatory; non-US entity signatory (Company B) | Non-US entity recipient (Company B) | Non-UK entity Authorized user (end user) | End-user Recipient

Role: Program Manager
Intention: Responsible for a specific program with export / trade activity
Original: Exporter Program Manager (Company A) | Exporter Program Manager (Company A) | Exporter Program Manager | Exporter Program Manager | Exporter Program Manager

Role: Export Authorization Manager
Intention: Expert in trade controls, assists with compliance and audits
Original: Export Authorization Manager (Company A) | Export Authorization Coordinator (Company A) | Export Authorization Manager | Export Authorization Manager | Export Authorization Manager

Role: Policy Authority
Intention: Governmental authority for the export control policy
Original: Policy Authority | Policy Authority | Export Control Policy Authority (incl. UK MOD) | Export Control Policy Authority | (National) Export Control Policy Authority

Role: Program Personnel
Intention: Working within a program / sharing or sending items
Original: Program personnel | Program personnel | Program personnel | Program personnel | Program personnel

Role: Company Management
Intention: Supporting the export from company management
Original: IT function | N/A | N/A | Company management | N/A
