I’m going to admit this. A few weeks ago, I was ambivalent about ITAR, the International Traffic in Arms regulations, and often literally dismissed it by telling clients “you can download a free manual off the internet and call it a day.” A few days later, I basically shit myself after finding out how horribly, horribly wrong I was.

Ignorance is not bliss, not when it comes to ITAR. Ignorance is, instead, the cold steel of handcuffs on your wrists as guys in windbreakers with big yellow letters on the back drag you kicking and screaming into some godforsaken pit for the rest of your life. Simply put: the fact that you don’t know about ITAR means you are probably, right now, a felon.

What’s worse, is nearly everyone reading this thinks they understand ITAR, and they are sniffing indignantly at any suggestion to the contrary. They also think “it’s not that big a thing,” after they downloaded a generic ITAR manual off the internet, and put in a “visitor sign-in log” on the receptionist’s desk. They don’t know what they don’t know, and it’s terrifying.

Oxebridge fans know I am not given to fear tactics or hyperbole, unless telling you how wonderful I am; then there isn’t hyperbole enough. But when I sell ISO 9001 I tell the truth: it’s not easy, but it’s also not the scary and expensive journey that some consultants would have you believe. The truth is somewhere in the boring, non-hyperbolic middle. I recoil at consultants who sell ISO 9001 on the basis of scaring the death out of people: “if you don’t get ISO 9001, your customers will take their business elsewhere!” or “if you don’t hire a consultant, your quality system will stink of fish and kill all the children in your towns and villages!”

But ITAR. Good lord, ITAR.

I’m a Felon, You’re a Felon, We’re All Felons!

During my last AS9100 Braindump in Cocoa Beach, you may know I shared the stage with representatives of ERAI — who spoke on counterfeit part controls, something I will address in an upcoming article — and Aerospace Exports Inc. Mark Stevens of AEI went over the application of ITAR, as well as EAR, FARs and DFARS, in an AS9100 setting. The Stevens bit came after I had already spent about 10 hours of the 2-day event making an idiot of myself by joking about AS9100, Godzilla movies, Eddie Izzard transvestite comedy routines and making exactly 300 inane pop culture references that nearly no one understood. In between, we learned a little about AS9100 (one hopes).

Then Stevens got up, and scared the living shit out of everyone. We know this because the shits he scared out of us were literally alive: they got up, left the room, and immediately stormed into the local DMV to get driver’s licenses so they had legal documentation to vote during the next election. Now it wasn’t Mark’s presentation style that frightened us; not at all. He was friendly and lively and engaging. But he also told everyone the truth, and we walked out like vampire victims, all gone sheet-white, the blood drained from us. Let’s just look at a few truths about ITAR, but be prepared to watch your shits march to the DMV and later vote for the exact party you hate the most.

No, You’re Not Certified. You’re Targeted.

First of all, and perhaps most importantly, get it out of your head that the Department of State — or anyone — issues an ITAR certificate for your company. There is no such thing as being “ITAR certified,” and the minute you put that bogus logo on your website, you are telegraphing to everyone — including the guys with windbreakers and handcuffs — that you’re probably violating ITAR, not complying with it. It’s the arms trafficking equivalent of a pothead rolling past the cops with smoke coming out his windows and a 3-foot wide pot leaf decal on the back of his ’72 Camaro while he plays reggae and asks directions to the closest place to buy a new bong.

You see, you actually get registered with the Department of State, who then puts you in their system. You’re now being watched. It doesn’t mean the DoS has certified you, nor verified compliance in any shape or form. It means you have identified yourself to the US government as a potential handler of material or information subject to ITAR export controls, and which must then be controlled to prevent misuse by a bad actor. Not doing so may temporarily keep you off of DoS’ line of sight, but then if you’re caught dealing with ITAR products things are much, much worse because you’ve been operating illegally. Registering your company keeps you legal, but also alerts DoS that you exist, and thus they start watching. Choose your hell wisely.

Next, it’s likely you will be faced with this reality very, very soon. Recent expansion of related regulations has forced OEMs and other defense contractors to flow ITAR down not just to their first- or second-tier suppliers, but to everyone at every tier. And the deadline for this has already passed. So already, Oxebridge clients are finding themselves receiving a rash of ITAR flowdowns they had never expected, and suddenly have to comply with. It’s a perfect storm.

But Wait, There’s More!

I’d love to promise some good news in this mess, but alas, there’s none to be found, other than reading this article may save you from being hauled away in iron and fed to crocodiles at Gitmo. Because things get much, much worse.

If you thought you complied with ITAR, I can say with near 100% certainty, you are absolutely wrong. See that visitor sign-in sheet on the receptionist’s desk? The one that invites guests to indicate “Y” or “N” to the question “US citizen?” ITAR assessors call these “death logs,” because as soon as they see one, they know you’re dead. Metaphorically, that is. This is because the organization must have a “record of screening” for every visitor who checks “N.” As recently as two weeks ago (as of this writing) I saw a client’s ITAR log with numerous “N’s” filled in, and nearly 100% of the visitors checked “Yes” when asked if they had recording equipment on them (cell phone cameras). The client had no controls in place for either situation. Dead.

Here’s an easy one: have you maintained a record that your ISO 9001 registrar auditor is a US person? Few people have the level of access to ITAR controlled documents that your registrar auditor does, and yet most companies allow the slovenly auditor to roam around the plant without so much as a sign-in. Ironically, the very same auditor who is tasked with ensuring you are complying with related requirements is likely violating them, and you’re complicit. It’s not like your CB is going to invest in even 30 seconds of ITAR training for their auditor pool.
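To make the two preceding points concrete, here is an added example (mine, not from the original article, Oxebridge or AEI) of a small Python audit over a constructed visitor log. The column names, the log format and the sample rows are all assumptions for the illustration; ITAR prescribes no particular sign-in format. The check flags exactly the gaps described above: a visitor marked “N” for US person with no record of screening, a visitor who declared recording equipment with no control noted, a visitor whose US-person status was never recorded (the registrar auditor case), and a visit with no escort.

```python
"""Audit a visitor sign-in log for the control gaps an ITAR assessor looks for.

Assumed CSV columns (not an ITAR-prescribed format):
  date, visitor, company, us_person (Y/N), screening_ref,
  recording_device (Y/N), device_control, escort
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log for the example; no real company or person.
SAMPLE_LOG = """\
date,visitor,company,us_person,screening_ref,recording_device,device_control,escort
2019-03-04,A. Visitor,Acme Tooling,Y,,N,,J. Smith
2019-03-04,B. Visitor,Overseas Ltd,N,,Y,,J. Smith
2019-03-05,C. Visitor,Parcel Carrier,Y,,Y,phone bagged at desk,
2019-03-05,D. Auditor,Registrar CB,,,Y,,R. Jones
2019-03-06,E. Visitor,Overseas Ltd,N,SCR-0012,Y,phone bagged at desk,R. Jones
"""


@dataclass
class Finding:
    visitor: str
    severity: str  # "high" = likely violation, "medium" = missing control evidence
    issue: str


def audit_visitor_log(csv_text: str) -> List[Finding]:
    """Return one Finding per control gap found in the log."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["visitor"]
        us_person = row["us_person"].strip().upper()

        # The "Y/N" box alone is not evidence; an "N" needs a screening record,
        # and a blank box means status was never established at all.
        if us_person not in ("Y", "N"):
            findings.append(Finding(name, "high", "US-person status not recorded"))
        elif us_person == "N" and not row["screening_ref"].strip():
            findings.append(Finding(name, "high", "non-US person with no record of screening"))

        # Declared recording equipment must be matched by a noted control.
        if row["recording_device"].strip().upper() == "Y" and not row["device_control"].strip():
            findings.append(Finding(name, "medium", "recording device declared but no control noted"))

        # Nobody, auditor or parcel driver, should roam the plant unescorted.
        if not row["escort"].strip():
            findings.append(Finding(name, "medium", "no escort recorded"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {"high": 2, "medium": 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_visitor_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.visitor}: {f.issue}")
    print(summarize(results))
```

Run against the constructed log, only the last row passes cleanly: it has a screening reference for the non-US visitor, a noted device control and an escort. That is the point of the exercise: the sign-in sheet only helps if every “N” and every “Yes” on it is backed by a record of what you did about it.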

So you let the UPS or FedEx guy roam freely and use the company bathroom? Congrats, you’re going to jail, you filthy felon. If you didn’t carefully watch what the driver was doing, you can’t know for sure he didn’t engage in some ITAR-prohibited action while you weren’t looking, like picking up a blueprint, or snapping a few shots of something with his cell phone. And if you can’t know for sure, you can’t really claim to be ITAR aware. You’re playing Russian roulette with five bullets loaded, using a gun that only has four chambers. (It’s a Russian gun, I guess. I dunno.)

Now say your sales guy flies out of the country for an international sales trip, and has customer emails on his laptop that have ITAR controlled drawings in them. If he simply loses control of the laptop for a moment — say, by leaving it in his hotel room while he’s at the bar, and that maid with the weird accent cleaned the room while he was out — you violated ITAR. Go, again, to jail.

You printed those technical files from the hotel printer right before the big meeting? Well, guess what: those printers are not secure, their memories can totally capture whatever is printed (and do so by default), and just yanking the USB drive out doesn’t do squat. Go to jail.

What’s that? You’ve joined the “Yay, Cloud” movement, and have all your important files backed up on Google Drive, MS OneDrive, or even Carbonite? If you can’t be sure how that backup traffic works — meaning knowing what countries it travels through in order to get between you and the storage dump — you’re screwed. Worse is if your company server physically resides outside the US, which is more common than you’d think. Jail.

(Some services, such as Iron Mountain, offer ITAR compliant backups, meaning their services are located within the US and have DoS compliant security controls. To be sure, ask your cloud backup provider, and if they don’t offer an ITAR compliant service, get your data off immediately.)

If you think we’ve hit the Ninth Circle of Hell, Dante Alighieri has much more to show you in the ITAR Divine Comedy. Inspectors tasked with assuring ITAR compliance among registered companies have lots of tricks they use. For one, if they know a company is ISO 9001 or AS9100 certified, they likewise know the company staff is used to being audited. DoS will send in a contract assessor who goes in through a back door, dressed in a nice suit and carrying a clipboard, and who then walks up to the first machine operator they see. “I’m doing an audit, can you show me that print there?” they ask. If the operator doesn’t question their authenticity — and what machine operator would? — well, you’ve got yourself a violation. If you think I’m kidding, I’m not. (In fact, test this. Have a friend dress in a suit one day and walk around the plant, to see if anyone questions them. Watch how blabbermouthed your employees get, thinking they are being helpful during an audit.)

How about this: your facility’s in-house cameras are operated and monitored by some third party security firm, and the cameras are dutifully hovering over the machining area, or engineering cubicles. Congrats, you’ve got people of unknown origin, working for the security firm, able to capture and record design data for your ITAR sensitive parts, just by using the zoom lens.

Then there are the boneyards, those hastily constructed areas outside your plant where you dump all your scrap or random parts you made 10 years ago but still haven’t discarded. You put a chain link fence around it, and maybe even some barbed wire. Who cares? With nothing more than a thick blanket I can get over that barbed wire without a scratch, and rifle through all your allegedly “secured” ITAR parts.

And ITAR is just the tip of the iceberg. EAR (Export Administration Regulations) invokes a much bigger set of requirements, covering a broader range of products beyond the weapons focus of ITAR. Federal Acquisition Regulations (FAR) clauses, and their DFARS defense industry cousins, invoke even more such requirements. Right now the US government is flowing down new cybersecurity requirements to the entire supply chain, forcing companies to update their IT activities to ensure ITAR and similar records can’t be hacked or leaked.

The shift in environment comes (again) from the fact that the US government is now aggressively flowing these various requirements down to everyone, regardless of size. Previously, a ten-man machine shop didn’t have to worry much about this stuff; now they do, and the Dept. of State won’t weigh their response to violations on the basis of the size of the company.

It’s likely you’ve been ignoring, dismissing or underestimating just how serious ITAR is. It’s likely that you, like me, were just blowing it off, thinking it was something only other people had to deal with. Those days are over. The rules apply to you, whether you know it or not. Often, whether the customer tells you or not. It’s critical you get informed as soon as possible on ITAR, EAR and the related FAR/DFARS clauses.

Oxebridge doesn’t offer training in this area. We’re still learning ourselves. Instead, I urge you — nay, beg you — contact Mark Stevens at AEI and find out what you don’t know. Read his blog. Reach out to him for a quick phone call. Spend the money to have him come in and train you (it doesn’t take long, and doesn’t cost much). The ramifications of failing to do so are too severe.

One final point: it doesn’t matter if you’re running a vanilla ISO 9001 system or an aerospace AS9100 system; it’s likely ITAR and/or EAR apply to you. Both standards require you to comply with relevant statutory and regulatory requirements; both require you to adhere to customer contractual requirements.

Good luck!

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
