Export Control Requirements Document

Transcription

1 Export Control Document Prepared by: TSCP Export Control Working Group (ECWG) Consolidated from reviews of: United States International Traffic in Arms Regulations (ITAR), United States Export Administration Regulations (EAR), UK Export Control, Netherlands Export Control, French Export Control, EU Dual Use Document Version: 1.0 Publication Date: July 31, 2013 Copyright 2013 Transglobal Secure Collaboration Participation Inc.

2 TSCP, Inc. Copyright 2013 Page 2

3 All rights reserved Terms and Conditions Transglobal Secure Collaboration Participation, Inc. (TSCP) is a consortium comprising a number of commercial and government members (as further specified at (each a TSCP Member ). This specification was developed and is being released under this open source license by TSCP. Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user) agree to and accept the following terms and conditions: 1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is permitted provided that the following conditions are met: Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and conditions contained herein. Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the distribution of the product or service. TSCP s name may not be used to endorse or promote products or services derived from this specification without specific prior written permission. 2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such laws or regulations. 3. THIS SPECIFICATION IS PROVIDED AS IS AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE. NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR ANY THIRD PARTY. 4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a different specification. 6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and waives any objections to the venue of such court. TSCP, Inc. Copyright 2013 Page i

4 Contributors TSCP Inc. extends its gratitude to the many individuals who contributed their time and effort to produce this important document. The result of their work provides a valuable resource to TSCP and its member community. Listed below are the individual contributors and their affiliations at the time of their work: US Team Joyce Counts, Booz Allen Hamilton Inc./Air Force Rob Sherwood, Exostar Cheryl Holt, DRS Technologies, Inc./Finmeccanica Heather Sears, DRS Technologies, Inc./Finmeccanica Brian Emmet, Lockheed Martin Space Systems Company David Sizmur, Lockheed Martin Space Systems Company Doug Ingram, Lockheed Martin Space Systems Company Barry Sidebottom, Raytheon Luis Dannenfels, Raytheon Ken Burton, The Boeing Company Michael Hoffman, The Boeing Company European Team Martijn Postma, Netherlands Ministry of Defence Laura Verdijk, Netherlands Ministry of Defence Bart van Lent, Netherlands Ministry of Defence Sylvia Coburg, The Boeing Company (UK) David Townsley, BAE Systems (UK) Richard Skedd, BAE Systems (UK) Nigel Griffin, DRS Technologies, Inc./Finmeccanica (UK) Alexander Groba, EADS (Germany) Arnaud Idiart, EADS (France) Rene Wiegers, National Aerospace Laboratory (NLR, Netherlands) Hetty Raaijmakers, National Aerospace Laboratory (NLR, Netherlands) Michael Frackiewicz, Northrop Grumman (UK) Markus Sellmer, Northrop Grumman Sperry Marine (Germany) Brian Doyle, Raytheon (UK) Jean-Paul Buu-Sao, TSCP Inc. (France) TSCP, Inc. Copyright 2013 Page ii

5 Table of Contents Contributors... ii 1. Introduction Purpose Scope Definition(s) Understanding Export Control Regulations Regulations Export Control Policy Authority Item control lists Authorization system (licenses) Specific authorizations, exemptions and best practices International coordination Sanctions and embargos vs. regulations Restricted or Denied Parties Lists Transfers of dual-use goods between EU countries Specific national regulations Multiple jurisdictions Consolidated Export Control Business Scenarios Business Scenarios Overview Roles and responsibilities Business Scenario Legend Business Scenario 1: Authorization Process Business Scenario 2: Implementation Process Business Scenario 3: Release Process Business Scenario 3.10: Systemic determination Process Steps BS Process Steps BS Process Steps BS Annex I: Common Licenses and Agreements Annex II: Recordkeeping UK Recordkeeping U.S. EAR Recordkeeping U.S. ITAR Recordkeeping EU Dual Use Recordkeeping Annex III: Example of an intangible export log Annex IV: Reference tables TSCP, Inc. Copyright 2013 Page iii

6 1. Introduction 1.1 Purpose This document presents consolidated requirements for handling of items classified as Export Control (EC) according to the regulations listed in section Scope The consolidation is based on the Transglobal Secure Collaboration Program (TSCP) Export Control Working Group (ECWG) requirements analysis 1 of the following Export Control regulations: 1. The International Traffic in Arms Regulations (ITAR) as implemented by the United States Department of State and its responsibility for the control of the permanent and temporary export and temporary import of defense articles and services as governed by the Arms Export Control Act. 2. The Export Administration Regulations (EAR) that are issued by the United States Department of Commerce under the Export Administration Act, the International Emergency Economic Powers Act (IEEPA) and various other legislation relating to the control of certain exports, reexports of dual-use and civil items, as well as anti-boycott activities. 3. The United Kingdom Export Control Act (UK EC) and associated UK national law and EU law covering export control and trade control legislation for dual-use and military items. 4. The Kingdom of The Netherlands General Customs Act and the Strategic Services Act (NL EC) and associated NL national law and EU law covering export control and trade control legislation for dual-use and military items. 5. The French Republic Defence Code (FR EC) and associated French national law and EU law covering export control and trade control legislation for dual-use and military items. 6. The European Union Council Regulation EC 428/2009 (EU Dual-Use) and associated EU member state national implementations, which hold the European Community regime for the control of exports, transfer, brokering and transit of dual-use and civil items. The requirements analysis includes best practices from TSCP member organizations, to reflect common management processes such as: Definition, release and registration of an item (intended) for export. Various interactions between organizations or organizational units required when handling items classified as Export Control. The requirements have been defined in the context of TSCP and its projects, such as Secure (SE) and Information Labeling and Handling (ILH), but should be applicable to any collaborative scenario that involves exchange of classified or otherwise marked sensitive items. 1 Available through TSCP only; please see for contact details. TSCP, Inc. Copyright 2013 Page 1

7 1.3 Definition(s) The following table presents definitions used in this document. These are listed in sequence of importance for understanding Export Controls. The definitions are also included at the relevant topics (as descriptions, footnotes or requirements notes). Item Definition Comment(s) A condition whereby restrictions on one authorization are not aligned with restrictions on another authorization for releasing the same data to the same recipient. Conflict (in authorizations) Dual-Use item End User/Recipient Any item listed in a (Export Control) Dual- Use item classification list. The legal or natural person who is legally responsible for the receipt of an export/transfer. Export Authorization Managers are expected to perform a conflict analysis during the Authorization Determination Process. In the event the conflicts between Export Authorizations are identified, the Export Authorization Manager may be required to apply for a revision of one or more of the Export Authorizations. Any item normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items. For this document a representative who handles a controlled item (transit, broker, etc.), receives/modifies a controlled item for final use, or uses it to modify another item (integration). is considered to be End User/Recipient. That may include a variety of parties, such as: A customer (the final consignee) to whom a supplier of items (e.g., the exporter) is directly or indirectly contracted to; Third parties to the customer or supplier, including consignees, brokers, transit service organizations; Co-workers within the customer or supplier organisation; Integrators. who must be seen as the end users of an item as a component, as far as the integrated product is transformed and/or not easily possible to extract and re-use. For intangible items: any person who has (authorized) access to Export-controlled data/information or otherwise TSCP, Inc. Copyright 2013 Page 2

8 Export/Transfer Authorization Item Definition Comment(s) handles/modifies information regarding an export becomes an End User/Recipient, even if the information stays within one organization. That is also why the "deemed export" principle applies to any non-authorized national. Export/transfer or import Re-export or deemed export Exporter Implementation Plan Any legal term or document that permits sharing of an (Export Control) item to a legal or natural person in any third country is considered an Export Authorization. Distinction is made for: An Export Authorization as approval of an export from the government Policy Authority, granted to a company. A Company Authorization to Export. This is the internal approval of the company to export an item. Sharing of an (Export Control) item to a legal or natural person in any third country is considered an export/import/transfer. Re-export or deemed export could be the case if an item is re-exported (this also means sharing items within one country with a non-authorized national) or incorporated into other equipment that is subsequently re-exported. The legal or natural person who is legally responsible for sending an item as an export/transfer. A plan developed by a program based on (a subset of) the requirements in the Internal Control Plan. In some requirements Foreign or non- National is added to refer to definitions in a specific regulation or to provide clarification for a business context example. An export license is the most occurring example. Export Authorization or Transfer Authorization is used throughout this document to keep it readable. But note that this may include a variety of permits that allow transfer, transmission, movement, passage through or other exchanges of an item from a supplier to a recipient permitted by the (Export Control) regulations, such as commercial customs documents, notifications, exceptions, exemptions, intra-community transfer licenses or negotiation or assistance agreements. In this document there is no particular distinction between export/transfer or import or re-export/deemed export. Most requirements for these transfer types turned out to be very similar. Therefore all types are considered different sides of the same medal. Details are mentioned in the requirements section where particular aspects differ. Responsibility is assumed to be delegated to a Program Manager. Usually one Implementation Plan per program is written. The implementation plan may be shared with external program partners such as suppliers Implementation Statement The declaration of a program or supplier that all planned implementation is done. This statement serves as evidence in peer reviews and audits. TSCP, Inc. Copyright 2013 Page 3

9 Item Definition Comment(s) The complete plan how one company plans Usually one ICP per company is written. to manage an export/transfer under a specific authorization. Internal Control Plan (ICP) Item Military item Scope Services Any product, material, goods, technology, software, service. This could be a physical item or an intangible item like a piece of electronic data, a phone call, providing assistance. Any item listed in a (Export Control) military item classification list. Scope to enable the authorization determination by the export control manager. An (outsourced) activity performing or supporting a business process in which an (Export-controlled) item is shared in the context of that service or the service itself is listed as military or dual-use item. It outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company s Export Compliance Plan/ Corporate Guideline. The ICP is usually an internal document. Particular examples are Technical Data / Technical Assistance under the ITAR. In the case of ITAR/EAR this includes (sharing of) agreements, such as an ITAR Technical Assistance Agreement that may serve as an Export Authorization itself. Encompasses all equipment that has been specially designed or modified for military use, such as parts, components, accessories, tools, documentation, and specific environment materials, as well as various pieces of equipment, software, technology, services and information. The Defence-related products listed in the Annex of the EU ICT 2 Directive are also considered military items. The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant. Services in this context could include intangible data transfer or face to face meetings to provide assistance and is therefore not limited to physical services such as performing maintenance. 2 European Union Directive 2009/43/EC on intra-eu-transfers of defence-related products, TSCP, Inc. Copyright 2013 Page 4

10 2. Understanding Export Control Regulations Organizations 3 have considerable leeway in implementing the various regulations on Export Controls, and the details to do so are usually determined by a risk assessment conducted by the exporting organization. It is best practice to have readily available (legal) expertise on this (in company or contractor) to ensure correct understanding of regulations, commodity jurisdiction, license jurisdiction and implementation of export controls. 2.1 Regulations Foreign trade interests, national security objectives and international agreements (treaties, sanctions, etc.) require measures prohibiting the free trade of certain items of strategic value. These measures are most well-known as Export Control Regulations. This may suggest these regulations only deal with strategic items leaving national territory; however, Export Control Regulations should be considered as a set of general trade controls that put limitations on many transactions, such as: Import Export In-country transfers (so called deemed exports -U.S. controls) 4 Dual or third country nationals (U.S. controls) Extra-territorial controls Brokering and transit of items (also consider intra-company transfers across borders) The end use of the item The end user(s) or the ultimate consignee and/or country of destination Supporting services (such as financial transactions or transportation) associated with the handling of a strategic item Regardless of the purpose (import, export, re-export, etc.), every organization handling exportcontrolled items must meet the strict conditions stated in the national export control regulations of their country of residence. Examples: The International Traffic in Arms Regulations (ITAR) controls export by U.S. entities of defense articles and defense services. It is authorized by Section 38 of the Arms Export Control Act, and managed by the U.S. Department of State. In basic terms, the ITAR restricts distribution of items identified on the US Munitions List (USML) to non-u.s. entities. The French Export Control regulations defines (by arrêté of 27 June 2012) a control list for classification of military items of which the most significant in each ML sub categories of are additionally classified as matériel de guerre. These items are subject to prior authorization to be imported (except from EU member states), manufactured, sold or buy even on the French 3 Export Control Regulations consider handling of sensitive, strategic items. For a large part these items are products used and delivered by organizations in the Aerospace & Defence industry. Understanding Export Controls is therefore one of the main objectives for TSCP. However, the Export Control requirements discussed here should be valid for and applicable to other industries as well (Transport and Logistics, Oil and Gas, etc.). 4 TSCP, Inc. Copyright 2013 Page 5

11 territory. The exhaustive list of these matériel de guerre is the subject of the Article 2 of the Décret of 6 May In certain cases, additional (international) export control regulations could be placed on top of national regulations (extra-territorially). Examples: For EU member states, the EU Intra-Community Transfer (ICT) directive must be transposed and enforced as an addition to existing national controls. For a Netherlands-based company that is importing strategic items from the U.S., and by that is required to be an ITAR Technical Assistance Agreement (TAA) co-signee, the ITAR would be in force in parallel with Dutch national controls. 2.2 Export Control Policy Authority Export controls are enforced by law, orders and stipulations, and exporting items requires governmental approval (often per a license). This enforcement and approval is usually tasked to one national government body that serves as the Export Control Policy Authority (ECPA). Examples: In the UK, the Department for Business Innovation & Skills (BIS) serves as the ECPA. In France, the export control regulations consider multiple stages, and different licenses are required for each different stage of the manufacturing and import/export chain. Depending on the stage, the requested license type, and the particular nature of the intended export, authorization is approved by the Minister of Defence, the Prime Minister or the Director General of Customs. Additional examples are: Canadian Export and Import Controls Bureau (EICB) Australian Defence Export Control Office (DECO). The ECPA maintains one or more publicly available item control lists to assist organizations with determining whether items are export-controlled, and quite often supports organizations dealing with the Export Control regulations via guidelines, a manual or informal consultation Item control lists The ECPA item control lists specify products, materials, data, services or technologies that are considered of strategic importance. Distinction in lists is often made for: Military items Conventional arms, military technology and hardware, excluding materials related to Weapons of Mass Destruction (WMD) Dual-use items Products and technologies normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items. Commercial trade Usually not listed in exhaustive detail Authorization system (licenses) Throughout this document the approval from the ECPA is called Export Authorization. However, the majority of exports, imports or other transits are approved per a specific ECPA authorization: a license. TSCP, Inc. Copyright 2013 Page 6

12 There are multiple types and categories of licenses that may be used or required for an authorization to export. Depending on the strategic items for which they are intended, and the situations in which they may be used. Annex I: Common Licenses and Agreements provide an overview of common types of licenses used in the Aerospace & Defence industry. This is not a complete overview as the license systems differ per country / per Export Control regulation, and may change over time. Note that: An export may not need a license (when it is exempted), but a notification requirement may still apply. Issued licenses that have not yet been exhausted, but where the validity date is nearing expiration, may be renewed or extended. A license for dual-use/military goods usually has a limited validity (often between a half and two year) but some countries have open licenses that have no expiry date. A license or exemption is considered as governmental approval, for most organizations it is best practice to run the intended export/import by an internal management approval process as well. Examples: German Export Licenses are generally valid for a period of one year and/or two years, pending on the classification of goods / technology (Export control list annex 1A or 1C) and depending on the countries for which the export is destined to. UK OGEL and EU GEA are two examples of general licenses. See Annex I: Common Licenses and Agreements for detailed description. 2.3 Specific authorizations, exemptions and best practices International coordination Most governments implement national export controls in international coordination with the following important institutions: 1. Treaties and Export Regimes Most conditions and policies stated in Export Control regulations and policies are internationally coordinated through treaties and specific export regimes. The following regimes (in order that they appear in most countries regulations) are most common: the Wassenaar Arrangement (WA) 5 the Missile Technology Control Regime (MTCR) 6 the Nuclear Suppliers Group (NSG) 7 the Australia Group (AG) 8 Chemical Weapons Convention (CWC) TSCP, Inc. Copyright 2013 Page 7

13 2. The North Atlantic Treaty Organization 10 There is a specific NATO exemption, for example in NL EC and in U.S. ITAR, but that is only valid for indicated NATO-forces. Movement of Military items 11 between member states still requires a license, although a simplified license application procedure may be used. 3. The United Nations 12 UN sanctions may require additional measures on top of the regular export controls. 4. The European Union 13 Movement of almost all Dual Use items between member states may be exempted from a license requirement. EU Sanctions may require additional measures on top of the regular export controls. 5. OSCE Organisation for Security & Co-Operation in Europe Sanctions and embargos vs. regulations Sanctions (like EU and UN sanctions) or embargoes may require additional measures on top of the regular export controls. It sometimes happens that a license is required in accordance with the export regulations whereas sanctions call for a prohibition. In such cases, the prohibition takes priority Restricted or Denied Parties Lists Besides the controls of export or specific sanctions, it is regarded best practice to determine in any case of export of strategic goods whether any end user is listed on any restricted or denied parties list. The (intended) export will not be permitted or may be subject to additional restrictions if an entity is present on these denied parties and proliferation control list(s). Examples: The consolidated list of persons, groups and entities subject to EU financial sanctions 15 The UK BIS lists-to-check 16 More examples may be found in the requirements for Business Scenario 1.3, see section Transfers of dual-use goods between EU countries Items classified as EU Dual-use may be traded freely (formalities for Intra-Community Trade) within the EU except for the more sensitive items, listed in Annex IV to Regulation EC 428/2009, 17 which are subject to prior authorization. 9 (this is a treaty; often grouped with the Common Regulations on Export Control) Excluding specific items that are used for chemical warfare 12 UN: UNODA: Security Council Resolutions: 13 EU: Sanctions: TSCP, Inc. Copyright 2013 Page 8

14 Suppliers wishing to apply for that authorization (individual or global but not general licenses) should contact the competent national authorities for details of what information must be supplied to support the application Specific national regulations National authorities may require specific national export controls on (dual-use) items unlisted in common regulations (e.g., in France: tear gas or commercial helicopters). Exporters should therefore refer to their relevant national rules and check the situation with regard to their specific transactions. Such controls may apply where there is a risk that an export to a specific end-user might be diverted for terrorism, use in a weapon of mass destruction, violation of an embargo or certain other situations specified in the national regulations on export controls. Besides the controls of export of goods appearing on the item control lists, should there be cause to do so, it is possible for the ECPAs to subject exports of other goods to a license requirement by means of an ad hoc or a catch-all provision. Note that licenses approved by the national ECPA may include provisions, or specific limitations that must be understood and complied with. Examples: Items not listed on an item control list, but still may be subject to export controls. EU Dual Use (Articles 4 & 8 of the Regulation EC 428/2009) The United Kingdom Export Control regulation Annex II as well as Annex III are amended with a list of capital punishment and torture goods (also called the EU Human Rights list) Items may be required to be checked at specific border points. EU Dual Use may pose additional checks inside the EU Customs zone (Article 11 and 17 of Regulation EC 428/2009). Items that are not, in principle, subject to mandatory licensing may be subject to a catch-all provision. Where the items in question are or may be intended for projects relating to Weapons of Mass Destruction (WMD) or missiles capable of delivering such weapons Where the purchasing country or country of destination is subject to an arms embargo by the European Community, the United Nations (UN) or the Organization for Security and Co-operation in Europe (OSCE) and the items in question are or may be intended, in their entirety or in part, for a military end-use. (See Chapter II, Article 4, paragraph 2, of the Dual-use regulation) Where the items in question are or may be intended for goods appearing on the EU list of military goods that have been wrongly exported to the country of end-use without the proper license required (see Chapter II, Article 4, paragraph 3, of the Dual-use regulation). In such a case the exporter will be duly notified. Items may be declared subject to an ad hoc license requirement. In case of transit of military goods under a notification requirement. If there are indications that such a transaction is not under the effective control of the country of origin, or if in the course of 17 TSCP, Inc. Copyright 2013 Page 9

15 its transit across foreign territory a transaction appears to acquire a different destination than intended upon issuance of an export license. In the interest of (inter)national law and order or a related international agreement For the protection of the essential interests of national security, for reasons of public security or for human rights considerations Multiple jurisdictions In certain cases, items may be determined to be controlled under multiple jurisdictions. Examples: Export Controls for military/dual use items are levied from a national level, but the items could also still be extra-territorially controlled from a foreign country, dependent on their origin. See 2.1 Regulations. For an example, on import/export of a U.S. ITAR controlled item by a Dutch company. There may be additional or conflicting restrictions put on the exporting organization because of other (national) regulations like Privacy, National Security or Intellectual Property Protection. Organizations may have specific compliance restrictions that are levied upon them by suppliers, customers (such as the U.S. Department of Defense), or due to additional restrictions levied by the National Export Control Policy Authority on a specific program or organization. TSCP, Inc. Copyright 2013 Page 10

16 3. Consolidated Export Control Business Scenarios The requirements in this document are collected by the TSCP Export Control Working Group, composed of Export Control subject matter experts and Enterprise Architects from the TSCP member companies. The requirements and recommendations are collected through discussion and analysis of Export Control activities in their enterprises. However, current practices vary widely among participants and are often based on a mixture of manual and automated processes. In order to create a representative and common set of requirements /recommendations when dealing with implementation of Export Control regulations, the TSCP ECWG has identified Export Control requirements based upon the three consolidated business scenarios. These Business Scenarios, therefore, do not reflect current practice or cover every type of export/import in an exact manner. Rather, they allow the ECWG to append requirements to business processes, which could be supported by information technologies such as those proposed by TSCP. 3.1 Business Scenarios Overview Nr Title Process steps Storyline BS 1 Authorization Process BS 2 Implementation Process 1. Define Export 2. Obtain Authorization 3. Corporate approval 1. Define Internal Control Plan 2. Implement Control Plan 3. Verify Implementation BS 3 Release Process 1. Create and analyze 2. Package and label 3. Release and Register The need and the type of export must be identified on a general level before any authorization may be obtained. Authorization(s) are usually obtained from the national export control policy authority, analyzed and amended with a company approval to proceed with the export. An Internal Control Plan 18 must be written to determine how to control the export under the obtained authorizations. The defined controls should be implemented and verified regularly. With the general conditions set, individual items may now be created, packaged and labeled prior to release for export. Every release transaction should be logged. The TSCP ECWG expects that implementation of TSCP capabilities supporting these business scenarios will: 1. simplify the process of managing export authorizations; 2. ensure compliance/ simplify compliance appreciation by the various ECPAs; 3. reduce the risk of noncompliance; 4. reduce the overall cost of compliance. 18 Definition: Internal Control Plan (ICP) is a document that outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company s Export Compliance Plan. TSCP, Inc. Copyright 2013 Page 11

17 3.2 Roles and responsibilities The process steps as listed in 3.1 Business Scenarios Overview are performed by one or more entities (persons, computers). The following table lists these entities in sequence of appearance (See Annex IV: Reference tables for the reference to the original entity descriptions). In order to keep the scenarios and their requirements understandable, and since the regulations are most well known as Export Controls, the interactions have been written from the perspective of an export transaction by an exporter under an Export Authorization. It should not be mistaken that these scenarios are only valid for export. The same or very similar entities, interactions and particularly the requirements are equally valid for any transaction of a controlled item, in any form as listed in 2.1 Regulations. To clarify that: in the Business Scenarios diagrams, swim lanes are used to indicate process involvement per entity. Interactions with the top swim lane (titled End User or external recipient) may be considered crossing organizational boundaries. Examples (in all cases the same requirements apply): In the perspective currently used for the ECWG Consolidated Business Scenarios, this means crossing from an exporting company (per a Program Manager) to the external End User. From an internal company perspective, this could be: o o crossing between office locations in two different countries (true export), or crossing between two individuals in one office location, of which one is a member of the program and authorized to access program data, the other is not (deemed export). From an importing perspective, the top swim lane title changes to exporter (but is still the external entity) and the Program Manager works for a company that is importing controlled items. In essence, the process flow follows the same sequence (determination of need and scope of the import, followed by an import license application) resulting in equivalent requirements on end user, end use, etc. Entity Name Short of the role Comment(s) End User (in this scenario an external recipient) A representative who handles (transit, broker), receives/modifies a controlled item for final use or use it to modify another item (integration). Has responsibility for handling and acting in compliance with export regulations. There has been discussion on the different understandings of End User. Please see section 1.3 Definition(s) for the intended meaning for this requirements document. Program Manager A representative within the exporting company who is assigned to a particular work effort or program, where export is required. Has responsibility for export compliance as being the owner of the item destined to be transferred (data/goods/services.) The data ownership is the important contributing fact to distinguish responsibilities. The work effort does not have to be a program but could also be a department/project/section, etc. TSCP, Inc. Copyright 2013 Page 12

18 Entity Name Short of the role Comment(s) Export Authorization Manager A representative 19 with expertise on Export Control regulations within the exporting company. This is often the official that classifies an item per export control list. Export Control Policy Authority Company Management Program personnel Has responsibility for identifying the need for Export authorizations, coordinating the application and use of Export authorizations, including conflict resolutions, and managing the overall export control activities for the company such as assisting with implementation and audit. A government representative with authority to grant authorizations, audit exporters and define the (national) export control policy. Those responsible for (executive) management support within the exporting company. An individual assigned to the program with responsibility for a) Creating and managing items that may be exported, b) Sending items to the End User. Examples of responsibilities: logistics, archiving IT, Security, Internal Audit, Human Resource, Business Continuity Note that these entities are divided in functionally separate roles based on the different responsibilities that have been defined when creating the Export Control business scenarios. In reality such roles may be fulfilled in very different ways. Examples: The Export Authorization Manager may be a full position of a trade compliance officer in a company, but could also be a side-job of someone else (e.g., legal expert, project manager). A small company may have to take on all roles and responsibilities when exporting (apart from the End User) to a customer. A large company (OEM) may act on these export control responsibilities on behalf of a smaller supplier (under the EU intra-community transfer directive). 20 Anyone importing (normally just the End User role) may be required to perform actions on all other responsibilities to (indirectly) ensure compliance (as is the case for ITAR TAA). 3.3 Business Scenario Legend The following legend shows the titles and their corresponding colors used in the Business Scenarios diagrams: Implemented by Electronic Systems Assisted by Electronic Systems Manual Process Out of scope Document(s) Regular Optional Coordination 19 Usually called an Empowered Official in the U.S. 20 "certified companies" may act on behalf of smaller partner-organizations under conditions stated in the EU Intra- Community Transfer Directive. This does not mean the certified company becomes fully liable. TSCP, Inc. Copyright 2013 Page 13

19 3.4 Business Scenario 1: Authorization Process TSCP, Inc. Copyright 2013 Page 14

20 3.5 Business Scenario 2: Implementation Process TSCP, Inc. Copyright 2013 Page 15

21 3.6 Business Scenario 3: Release Process TSCP, Inc. Copyright 2013 Page 16

22 3.7 Business Scenario 3.10: Systemic determination BS 3.10 Systemic export determination process (example flow) TSCP Inc. Export Control Working Group Verify end user and labelling Verify destination and authorization Request to export item Collected characteristics of the Item and the end user Yes BS-4.3 Have labels been applied to the item? BS-4.5 Do labels indicate "ITAR"? No Yes BS-4.9 Has the end user U.S. Person status (or exception)? No Yes BS-4.10 Is the end user an employee of the exporter? No BS-4.1 Is the end user on any governement published restriced party list (DPL)? Yes No No BS-4.2 Has the end user completed Export Awareness Training? Yes No BS-4.6 Do labels indicate "EAR", UK EC, FR EC or NL EC? No BS-4.7 Do labels indicate "EU Dual-Use"? No Yes Yes BS-4.11 Is the destination an EU trade community member? Yes No No BS-4.13 Has the exporter registered for or obtained an appropriate authorization/ exception for this export? No BS-4.14 Is the end user s access/ nationality/location/ country of incorporation permitted? No Yes Yes Yes Yes BS-4.4 Do company policies dictate appropriate labelling of all items? No BS-4.8 Do labels indicate other policies? BS-4.12 Is the item permitted to freely move within the EU Trade Communtity? No BS-4.15 Are all other authorization/ exception requirements met? Yes Yes Yes Deny Access. No Allow Access. No label hence public. Continue with processing other labels such as IP- Protection, Privacy, Financial, Security Allow Access (permitted under EU Dual Use) must add warning Deny Access must add warning Allow access: access permitted by authorization/ exception (add warning) Allow Access (permitted under ITAR) must add warning TSCP, Inc. Copyright 2013 Page 17

23 Process Steps BS 1 BS-1.1 Identify need to share goods/data/services Program Manager The exporter s Program Manager identifies a need to share or retransfer an item (goods/data/services) with partners, in the context of that program. Initiation of Export Analysis process An overview of collected items that need to be shared 1. The overview needs to contain sufficiently described items to enable export license identification. 2. The intended location(s) for all goods/data/services in the scope of a program must be identified. The Program Manager will usually coordinate with each (external) program partner to identify the items to be exchanged. Coordination commonly starts when the Program Manager: receives a specific request to deliver items, or pro-actively identifies a need to share items. The Export Authorization Manager in BS 1.3 and BS 1.6 will determine if the overview of items is sufficient. Definition: Services in this context could include intangible data transfer or face-to-face meetings and is not limited to physical services such as performing maintenance. Particularly in the case of ITAR/EAR, this includes sharing agreements, such as an export license or an ITAR Technical Assistance Agreement. BS-1.2 Identify intended end users, if required include their location and identity details Program Manager The Program Manager collects a list of intended recipients with whom program must share goods/data/services. List of end users including required details of their location and identity 1. Every recipient organization must be unambiguously identified. This includes identification of any party involved that needs access to controlled data (direct access and also third parties that are involved. These could be third parties to your partners, customers or suppliers. 2. Depending on the export regulations or company policies, individual recipient persons may have to be identified. 3. In all cases, every individual recipient location must be provided. 4. While recipient location is the most important common characteristic under the export regulations reviewed, other recipient characteristics may also be needed. 5. Sharing constraints regarding recipient characteristics must be provided for each recipient organization. TSCP, Inc. Copyright 2013 Page 18

24 BS-1.2 Identify intended end users, if required include their location and identity details The following table describes these requirements in detail, categorized in identification elements. Identification element: location Minimum required characteristic(s): country of destination company name; address Other/detailed characteristic(s): Address, facility number, intra-company transfer details organization consignee location (country name only, for recipients that are temporary stationed abroad); departments, Chamber of Commerce number or Exporter Identification Number person full personal name U.S.-Person status; (countries of) citizenship(s) or nationality(ies); business roles/position; birthplace From a regulatory perspective, identification of a person by full personal name is not always required. It is still considered a minimum required characteristic because of company best practices: For the company representative who acts as the applicant and should supply this as point of contact for the application; For verification against denied parties and proliferation control list(s) (see BS 1.3); From perspective of secure electronic communications. Examples for other characteristics: In the case of U.S. ITAR and U.S. EAR it is required to identify nationality including identification of dual nationals and 3rd country nationals. In France, a specific Identification Number (authorization de commerce) is required to export or import as well as manufacture or trade the most sensitive products classified as "Matériel de Guerre" (equivalent to Significant Military Equipment in the ITAR). A specific registration is also necessary for EU ICT General Transfer Licenses and French General Export Licenses when filling an export license application form for which the application process requires additional information. When specific export prohibitions are taken into account on top of national export regulations. Such as the EU list of embargoed countries and denied persons. 21 Example for sharing constraints: Personal data protection laws and regulations may limit an End User from sharing personal identity details or provide restrictions on the use and storage of personal identity details. Recommendation: Even though each export license application is handled in a case-by-case manner, it might help the exporter to create overviews of recipients/destinations: authorized within the program ( white list ); not authorized within the program ( black list ); that needs further scrutiny ( red flag list ) TSCP, Inc. Copyright 2013 Page 19

25 BS-1.2 BS-1.3 Identify intended end users, if required include their location and identity details It may be possible to support these lists within company export control support systems (see also BS 1.6). Using categories of persons rather than individual identities could be more pragmatic (e.g., from privacy perspective) for the administration, updating and management of these overviews. Verification against denied parties and proliferation control list(s) Export Authorization Manager The Export Authorization Manager will review the list of recipients (end users, coworkers, suppliers and consignees) to ensure that none of them are present on any EU or national government denied party list. Screened partners (against the appropriate lists). The Export Authorization Manager must: 1. ensure the current DPL is used. 2. use a verification method that o supports sufficient identification of business partners who appear on a denied party list (i.e., names may be spelled differently in a DPL and a company s CRM database). The Export Authorization Manager must be able to edit the DPL or the verification result (i.e., if companies are taken off a government DPL list, they may be included again if a company policy demands that). Examples for legally binding or non-binding lists: End use/end user restriction ( Common DPLs). National security. Proliferation. person Anti-terrorism (WMD). Company internal risk lists (e.g., a company may verify against their own defined Public Media Search list). Foreign policy controls. Financial Sanctions List (EU). Embargoed countries (see International coordination). Expectation: A company may wish to verify its partners against the above lists via an automated system. The TSCP ECWG does not expect to have TSCP develop or include a system that automatically retrieves a government denied party list and process it to disable partners. Rather, any company dealing with export controls is expected to have a manual business process supported by commercially available systems that a company representative may use to review a list. If a review identifies a person or company on the list, the company representative should be able to identify and flag the listed person or company as suspect within one or more company systems. Recommendation: Check to determine if this process violates privacy laws. TSCP, Inc. Copyright 2013 Page 20

26 BS-1.4 Develop scope(s) of goods/data/services to be shared Program Manager The Program Manager defines a set of scopes covering items to be shared / services to be provided by the company and by known business partners in the context of the program. List of scopes (of shared item and provided services), divided into scopes per program participant. Scope(s) must include characteristics for each participant. The following table describes these requirements in details, categorized in scope elements. Scope element: Minimum required Other/detailed characteristic(s): characteristic(s): Export item Country of origin, details on the content of data being shared, design origin, construction material, item reference number (whether it is controlled or not) End user Location/destination, items, quantity status information on training, 1. passed exam/ holds certificate 2. Expiration date (if applicable) Program context Purpose of sharing or end use of Program phase or work effort that should include: Start and end dates for the Program, and its contracts, A list of all parties that will be (sub) contracted and worked with during the phase/effort, List of (other) occasions when sharing of export controlled items takes place. Sharing method training, talks, a digital document or message sharing environment. Regulation /Authorization (if known at this stage) the export control classification number, (license) reference number especially when a reusable and signed authorization (e.g., an ITAR TAA) is already in place, cumulative export value, export conditions required by exceptions. Particular attention should be made to define scope/ categorize the items that may require extra authorization/classification by the government. Examples: In France, the government (Agency for National Security of Systems of Information - ANSSI) may put on extra controls for cryptography export. In the UK, the government (MoD) may require mandatory security classification. TSCP, Inc. Copyright 2013 Page 21

27 Definition: Scope = to enable the authorization determination by the export control manager. The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant. BS-1.5 Assist with scope development End user If required, the End User supplies details to assist with the development of scope(s) for information to be shared and services to be provided by the End User in the context of the program. See 1.4 See 1.4 Definition: See 1.3 Definition(s) for description of End User. In short, all end users/recipients in scope of the program. BS-1.6 Perform analysis on the scope to ensure the Export Classification and if required, include a Security Classification Export Authorization Manager The Export Authorization Manager reviews all intended exports within the scope of the program and classifies the items for exports against the applicable export control regulation. In some countries, items designed in country may have to be classified by the Government and a National Security Classification obtained. This classification may place additional criteria on the export. Depending on the case, the Export Authorization Manager may need to perform an additional classification against other specific national or company control process (e.g., financial transaction controls). Recommendation of export control policy that is best suited to ensure compliance and offers the widest possible scope of operations. The export classification reference(s) of the item(s) to be exported. 1. All program exports subject to a specific Export Control regime must be identified and appropriate export classification made. 2. Export items subject to criteria in addition to Export Control Regulations must be protected as required by appropriate policy authorities. Recommendation: The Export Authorization Manager may self-determine the appropriate export control regulation and self-classify data/technology by consulting the various regulations item control lists and identifying all appropriate export control classification numbers. Various internet resources provide free tools that may support this goods classification process. TSCP, Inc. Copyright 2013 Page 22

28 BS-1.6 Perform analysis on the scope to ensure the Export Classification and if required, include a Security Classification Another method is to submit a request to the local regulators for classification determination (and/or subsequent rating). This is often done in case of grey areas in the regulation, or when particular restrictions are of concern, such as WMD or national security concerns. Recommendation: Common practice is to first consider the possible reasons for control (military/dual use/commercial/none), then determine the potential licenses available and after that classify the (individual) items against the appropriate export regulation(s) and best fit license(s). The following is a common sequence to determine the appropriate export control regulation: 1. Is the purpose of the item that is to be shared for military use? a. If Yes, determine appropriate military export regime and follow process from there (See the individual TSCP ECWG reviews 1 for example and details), b. If No, next: 2. Is the item on a Dual use list? a. If Yes, look up under which appropriate annex, the list article number and the technology classification reference and follow process from there (Go to BS 1.7) b. If No, the item is determined as commercial; follow standard customs procedures to export. Recommendation: For easy classification, recommendation is made to record a list of frequently occurring company program scopes / technology exports. This is particularly helpful as not every item on an Export Regulations control list requires an authorization/ license to export. Furthermore, some items (like those listed in EU Dual Use Annex IV) are subject under an Export Control regime but are not allowed to be exported at all. BS-1.7 Determine the need for an Export Authorization; if required, draft the application. Export Authorization Manager The Export Authorization Manager determines whether export of a certain class of technology requires an Export Authorization (i.e., a license), whether it may be exported without an authorization, or whether it qualifies for an exception. In addition, the Export Authorization Manager will identify any relevant restrictions on the export of data based on information provided in the Export Regulation item control list and the scopes of export provided by the Program Manager. It is the responsibility of the Export Authorization Manager to ensure that the program is aware of any changes of a license, including validity. It is the program s responsibility to ensure compliance with the license, in line with the Internal Control Plan, including to check the validity of its licenses. TSCP, Inc. Copyright 2013 Page 23

29 A recommendation for which Export Authorization(s) is required (for the required program scope). Identification of appropriate license(s) needed. Verification of whether such a license is already in place and if it should be applied for. Selection of preferred license (if multiple licenses may be chosen). Draft export authorization application (if needed). 1. Export Authorization Manager shall identify the appropriate export control regime and licensing vehicle (See 1.3 definitions) 2. Export Authorization Manager shall provide information to facilitate Export Authorizations and Export License applications. Each participating organization must be willing to accept responsibility for violations for failure to protect export-controlled information. U.S. Laws are stricter and require more documentation. Export Authorizations may be specific to a project phase. For example, an authorization may be in place for marketing and sales, but may not cover post sales collaboration. In some cases, enterprises are subject to Consent Agreements. These may be considered a special class of Export Authorizations that levy additional requirements on enterprises above and beyond the restrictions described in regulations, export authorizations or other enterprise policies. Definition: In this document, Export Authorizations include exceptions, exemptions, export licenses or other exchanges permitted by the regulations. Any legal term or document that permits sharing of data under EAR is considered an Export Authorization. BS-1.8 Coordinate the Export Authorization application Program Manager, Export Authorization Manager The Program Manager ensures that the Export Authorization(s) applied for cover the scope of the intended exports that are required by the program. The Program Manager and Export Authorization Manager perform a joint check if all supporting documentation is available. The Export Authorization manager will identify necessary (supporting) documentation as required by the Export License. The Export Authorization Manager will work with the Program Manager to collect this documentation. The Export Authorization Manager may request a rating prior to applying for an actual license. The rating may give the Export Authorization Manager an indication if an actual license would be granted given the current circumstances. Rating is done for commercial reasons; companies want to have an indication of their chances of getting the license (strategy planning). The Exporting Organization may also apply for a rating to identify the right classification of (military) goods. Registration at the Policy Authority for the application and use of an export Authorization (if not previously registered). This registration may also be required, TSCP, Inc. Copyright 2013 Page 24

30 BS-1.8 Coordinate the Export Authorization application for use of electronic systems (Customs export systems, license application systems, and export control rating systems). Keep record of the Policy Authority issued exporter registration (number). of documentation for supporting re-use of an existing authorization, a new application or exceptions to the regulations. o Overview of supporting documents required o Including specifics on the format of those documents o A description of how these documents must be tracked 1. Supporting documentation must be gathered up front and submitted to the appropriate Export Control Policy Authority in order to apply for issuance of an export authorization. 2. Supporting documentation should be collected and maintained with export records to support periodic audits. Systems should keep track of these documents. 3. The choice of required documents and its tracking should be based on regulations and guidance pertaining to certain licenses and their application process and may be based on company best practices since this can speed up the application process. 4. The format ideally should be government issued templates plus related guidelines. The supporting documentation requirements are usually published by the Export Control Policy Authority. This may vary per authorization type. Additional documentation may be requested by the Policy Authority prior to the approval of an export authorization or upon issuance of the authorization as a condition of usage of the authorization. Examples for supporting documentation: A duly completed and signed license application form, with a brief but detailed description of the (technical specifications of the) goods. Identity vetted as the authorized company representative. This is usually comprised of a preregistration number from the National Policy Authority. To preregister, you usually have to provide company name, Tax identification number (TIN), 22 letter written by authorized company manager, (note that names of management are verified and therefore should be listed at an independent registrar like Chamber of Commerce). A copy of the signed contract or order. End-user declaration. IIC: For countries with International Import Certificates an IIC may be submitted instead of an end-user declaration. An export license issued in the country of origin if available. Export declaration (required for export outside EU). Pro forma invoice (required for export within the EU). 22 Tax Identification Number (TIN) Tax Identification Number (TIN): This is a U.S. reference and should be substituted by equivalent, based on jurisdiction. See: Taxpayers/Taxpayer-Identification-Numbers-%28TIN%29 TSCP, Inc. Copyright 2013 Page 25

31 BS-1.8 Coordinate the Export Authorization application Screening results of parties to transaction. Rating letter from the Policy Authority indicating if the license application will be successful. Company approval to proceed (usually done in a formal process of review and approval of the analysis). Technical details to outline the items for which an authorization is requested. BS-1.9 If required, review Export Authorization application and provide supporting documentation. End user End User may receive request to review the draft export authorization application for consistency/compliance with internal country laws and to ensure the scope is covered or to provide information to support the Export (or the License Application). If required, the End User will sign supporting documents such as an end user statement for a license. Validated Export License Analysis by all participants in the program (Optional) Signed approval to proceed of Export Authorization Manager (Optional) Signed agreements by (foreign) End Users 1. Reviews by all parties of draft export authorization application for consistency/compliance with internal country laws 2. Review draft export authorization application to ensure application adequately covers the scope of activities/exports for the task or program. The actual process of review and approval of the export analysis and the gathering of required signatures is complex, and varies widely between organizations. It is not clear if a single workflow process could be agreed upon, although it is acknowledged that every organization must support such process. BS-1.10 BS-1.11 Apply for appropriate Export Authorization unless previously obtained Export Authorization Manager If an authorization (i.e., a license) is required to export within the program scope, the Export Authorization Manager applies/registers for the relevant export authorization(s) with the appropriate national authority. Applications for Export licenses from relevant national authorities Application form plus supporting documents have been filled out and submitted according to policy authority process and requirements. Different national regulatory agencies have very different application systems and processes, and widely divergent levels of automation for the process. There is not a set of worldwide valid requirements. Approve Export Authorization, if required issue a license (-number) Policy Authority After review and analysis of the Export Authorization application(s), the relevant national authority will either approve or deny the application for an Export Authorization. TSCP, Inc. Copyright 2013 Page 26

32 BS-1.11 Approve Export Authorization, if required issue a license (-number) A set of rejected/approved Export Authorizations Sometimes with additional exclusions identified and documented by the regulatory authority. Export license(s) (document) and specific number For export of technology company specific arrangements are made with the export control policy authority on format and frequency of reporting. Electronic application and approval is becoming the best practice. 1. All exports (under a license) must be registered and reported by the company. This is commonly tasked to the Program Manager. 2. In case of ITAR: a. The End User must sign the Export Authorization. b. All parties named in the export authorization are required to sign the Export Authorization prior to export. Must be handwritten. c. The identity of the individual signing the export authorization must be recorded by the entities bound by the agreement for later reference. 3. If registration is done electronically, the company systems must support computerreadable format recording of the authorization and additional restrictions on information sharing identified by Policy Authorities. In general, there may be multiple rounds of negotiation and review, and final approval of an Export Authorization may include attachment of provisos, exclusions, additional constraints and conditions determined by the policy authority. Provisos themselves may be restricted (e.g., U.S. Eyes Only) Examples for provisos: When an item is governed by EU Dual Use regulations but is also given an additional restriction due to sensitive nature of the product ( Restricted due to national considerations ), the license may levy special handling requirements on exporters. The proviso to provide regular reports to the policy authority. i.e., when exporting cryptographic material. Still, additional exclusions may be added later by the regulatory authority based on changes to regulations or license conditions. Recommendation: Systemic recording of the authorization and its additional provisos may be in simple clear text format but is ideally done in an advanced format to enable further systemic analysis. Presently, authorizations are published in the form of a physical set of legal documents. These documents should be converted to system readable documents first to allow better systemic processing of the export as well as systemic enforcement of restrictions. Recommendation: Seek agreement on format and frequency of reporting (for intangible exports) and include that as supporting document, with the submittal of the export license application (this to avoid future issues / confusion when having government audits). TSCP, Inc. Copyright 2013 Page 27

33 BS-1.12 BS-1.13 BS-1.14 BS-1.15 Sign Export Authorization, if required End user In some cases the regulations require the End User to sign the export authorization A signed Export Authorization N/A This is particularly known for ITAR/TAA Register the Export Authorization Program Manager / Export Authorization Manager Following approval of the authorization(s) are registered at the exporter. Recorded Export Authorizations N/A Enable (systemic) analysis by translating the Export Authorization into a Computer Readable Format. Distribute this if required. Export Authorization Manager Following approval of the Export Licenses required by the program, the Authorizations are translated into a computer readable format that may be directly interpreted by electronic systems or translated into an appropriate access control implementation. A complete set of approved Export Licenses recorded in a format that supports automated processing Electronic systems must support modeling and implementation of Export Licenses that meet all the requirements levied by the relevant authority. The translation occurs at this point in the process, because we assume that conflict analysis will be much easier to do if the authorizations are translated and conflict analysis is assisted by a computer. Recommendation: For a qualified, interoperable use translation should be executed according to international open standards. Analyze Export Authorizations for Conflicts Export Authorization Manager The Export Authorization Manager will compare all existing, approved export authorizations that apply to a program scope, and identify any conflicts that may have arisen during the development of the authorizations. A comprehensive collection of approved Export Authorizations that have been reviewed for conflicting terms, and have been revised to eliminate conflicts identified 1. The Export Authorization Manager shall coordinate as necessary to seek reconsideration and/or clarification of provisos, restrictions or limitations on the Export Authorizations. 2. The Export Authorization Manager must incorporate all provisos associated with the authorizations, and must include them in the conflict resolution process. TSCP, Inc. Copyright 2013 Page 28

34 BS-1.15 Analyze Export Authorizations for Conflicts Recommendation: It is recommended that this process step be automated, where a system may provide a complete overview of all authorizations that a company uses to assist manual conflict analysis by the Export Authorization Manager It is also recommended that this system be able to present supplier/partner and information asset (ideally with indication of consistency) which will allow for much more thorough search of related authorizations. The system should allow Program managers to collect all authorizations for their portion of the program Definition: Conflict: A conflict is defined as a condition whereby restrictions on one authorization are not aligned with restrictions on another authorization for releasing the same data to the same recipient. Export Authorization Managers are expected to perform a similar analysis during the Authorization Determination Process This step is required in case the terms of an authorization change during the application process. In the event the conflicts between Export Authorizations are identified, the Export Authorization Manager may be required to apply for a revision of one or more of the Export Authorizations. BS-1.16 Resolve Conflicts, if required Export Authorization Manager If any conflicts exist, a determination is made as to the best way to resolve them, and modifications are requested to one or more of the licenses in order to resolve the conflicts. A determination of the updated authorizations to use or of changes to existing licenses that will resolve the conflicts between existing authorizations The Export Authorization Manager (or a system in case this is used to perform conflict analysis) must support modification of Export Authorizations and protection rules, to reflect updates (based on conflict resolution or other changes). For example: a conflict may arise from the scope of the export. There may be a limit in the amount (articles, contractual values, etc.) of exports allowed under this license that may conflict with the desired amount. BS-1.17 Permit the export under the Export Authorization (and supporting documents) Export Authorization Manager The Export Authorization Manager shall provide an official Company Authorization to proceed with the export to the Program Manager once the Export Authorization is agreed to by company management, all program participants and all conflicts have been resolved. In BS2, an Internal Control Plan will be developed to allow each participant in the program to implement appropriate (access) controls. This is prepared in this step by: TSCP, Inc. Copyright 2013 Page 29

35 BS-1.17 BS-1.18 Permit the export under the Export Authorization (and supporting documents) associating particular Export Authorization scopes with the information shared in the context of the Program. associating the electronic systems/ services that support that information sharing under the export authorization. A comprehensive Company Authorization to Export that includes: the company s approval to proceed high level information and/or constraints about all (export) collaboration activities in the context of the program. The Export Authorization Manager will conduct regular routine checks to ensure continued authorizations validity. 1. The Company Authorization To Export must be provided and should define the scope of activities for which export authorizations have been sought. 2. The Company Authorization To Export may contain specific restrictions such as access control rules that require information about user roles (for example associated with Bill of Material, Product Breakdown or Work Breakdown). 3. Company Authorizations to Export should be part of the company internal control plan for export compliance, and may be distributed among the program participants. 4. Each participating company will manage access according to its own policies and export authorizations, as well as export authorizations managed by business partners. Because of the multi-stage system in most companies in France, the corporate authorization is a best practice prerequisite that is required first, prior to export license application. This may result in an iterative sub-process between BS and BS Based on the Internal Control Plan, IT administrators may implement the defined access control rules in systems. These access control rules grant privileges based upon evaluation of user authorization and information labeling. (See BS 2). For example, if someone uploads a document and the license does not support export to a country, participants of that country should not be able to access the document. Recommendation: Appropriate protections must be applied even on data hosted by third parties. In certain cases, additional protection requirements may be required, such as for cloud service providers, that would be needed to mitigate the additional risks involved with use of that service (e.g., multi-tenancy). Recommendation: Export agreements with external parties should reflect appropriate access restrictions. For example: Any new employee/partner employee is not allowed access prior to a check on characteristics (identity proofing) and qualifications (proof of completion of necessary training). So Business IT may not grant access without confirmation from the Export Authorization Manager. Identify New Partner Program manager During the life of the program, additional partners may be identified. Existing TSCP, Inc. Copyright 2013 Page 30

36 BS-1.18 Identify New Partner Authorizations must be reviewed and verified for use with the new partner. A validation of the new partner s characteristics against the partner profiles created previously (BS 1.2), to allow addition of the new partner. This validation also impacts the ICP (for access control decision). 1. Maintain and update list of authorized /not authorized partners (white list/black list) 2. Limit access based upon the program phase/ work-efforts. If a new partner is: not listed: return to BS 1.1 for new authorization process. already in the white list, and involved in an authorized work effort: no need for adjustment of the Authorization already in the white list, but is now involved in a new work effort, that was not captured previously: the Authorization may need to be adjusted on the black list, adding this partner to the program will never be allowed. Recommendation: Even though each export license application is handled in a case by case manner, it might help the exporter to create a specific red flag list with recipients/destinations that need further scrutiny. It may be possible to support this red flag list within company export control support systems. BS-1.19 BS-1.20 Identify additional Scope of information shared/ services provided Program manager As the program matures, additional scopes may be identified. Authorizations must be verified. Determine if the extended scope is allowed. Determination is made against the existing authorization(s) appropriate for this program. If the existing authorization(s) do not allow the new scope, an additional authorization must be applied for or existing ones must be amended. Until that s in place a scope change is not allowable. Addition of new scopes to a given program must be supported, including modification of program information classification to incorporate changes in program scope. Similar to rationale on new partner in BS 1.18, return to BS 1.1 for new authorization process if needed. Change in regulation or authorization conditions Policy Authority /Export Authorization Manager A policy authority may change the contents of the regulations or the terms of an authorization. When this occurs, the license determination process must be revisited. A change on the export or sharing items with a certain partner. New authorization or modification of an existing authorization may be required. The Export Authorization Manager (or a system in case this is used) must support modification of Export Authorizations and protection rules, to reflect updates (to TSCP, Inc. Copyright 2013 Page 31

37 accommodate changes to export regulations or authorizations). Authorizations may also be revoked completely. BS-1.21 Change in Technology Classification list(s) Policy Authority/Export Authorization Manager Rules for classifying technology may change over time. When they change, existing program scope items must be reclassified if they are affected by the change. Verification that the new classifications are still authorized for export against the current authorizations. If not, updates to authorizations based on the new classification of the program s exports. The Export Authorization Manager (or a system in case this is used) must support modification of Export Authorizations and protection rules, to reflect updates (to accommodate changes in classification of technology in the scope of the program). 4.2 Process Steps BS 2 BS-2.1 Write Internal Control Plan to manage handling of controlled items Export Authorization Manager/Program Manager Program participants will identify and communicate the rules governing the management of export-controlled items (access, labeling, distribution, storage, etc.) in accordance with the terms of the relevant Export Authorization(s) and company policies, like: Export (compliance) policies (Business Authorization to Export from BS1.15); Information Security policy; National archiving regulations; Company Best Practices on handling export-controlled data; Contractually agreed obligations (e.g., a NDA). This includes educating the program customer/consignees/end users to guarantee that the export-controlled products/information will be properly protected and managed. An Internal Control Plan with applicable rules and regulations for a specific program or entity to control their exports. Usually including specific sections for: the particular impact of these rules on the program export compliance (through a program specific Implementation Plan) the particular impact of these rules on the export compliance by the End User (through an End User specific Implementation Plan) 1. The internal control plan should contain functional specifications on (IT) systems in relation to the export authorization. Including: a. Categorization rules for determining from the content the label(s) that should be applied to a particular item (like a document); b. Labeling rules: rules determining the content of the label(s) to ensure consistent interpretation by human users and by systems; TSCP, Inc. Copyright 2013 Page 32

38 BS-2.1 Write Internal Control Plan to manage handling of controlled items c. Access rules for using the in BS 1 defined End User attributes to determine the access that a user may have (to a document with a particular label). 2. If required consult with the End User to determine appropriate implementation support (two-way). 3. If required (by company policies) have the internal control plan formally approved. A Company Authorization To Export would typically lead to an Internal Control Plan (ICP). The ICP tends to set the rules and company policies tend to tell employees what is expected overall (including implementation). A Program or if applicable- a supplier then should work on a (program specific) Implementation Plan. The work in this BS 2.1 is intended as tailor existing company policies*, export authorizations, and contractually agreed restrictions (NDA) to the program. *This could be Human Resource, IT, financial policies. There should also be a General Corporate Directive on compliance. The requirements and policies set up by that document should apply for each and every project/operation made the company. The Program manager supported by the Export Authorization Manager should be in charge of the fine tuning and the adaptations needed for the program/operation fully comply with these Corporate Directive requirements. The check on accuracy and the validity of the Corporate Authorization to export should be regularly checked (not just once as in BS 1.17). This check should be part of the ICP operations. The operation described by the ICP should be checked, on a case by case basis, if still in line with the compliance policy of the company. Proper determination of required knowledge bases (such as the Export Authorization Manager or simply helpdesk support) program participants may consult is considered a crucial part of this ICP. Examples of items that should be in such a Control Plan: License reference License validity period Program name (if applicable) Export classification(s) allowable Countries allowable (or not allowable) Exclusions (such as WMD or security level confidential or above) Recordkeeping requirements Roles and Responsibilities under the license Training requirements and other user support requirements (Manuals, Reference like intranet pages, helpdesk, etc.) Recordkeeping retention requirements Which individuals/organizations may have access to information Categorization rules, labeling rules and access rules Auditing requirements, including a compliance check/reporting guidelines for the electronic systems housing export-controlled data for the program TSCP, Inc. Copyright 2013 Page 33

39 BS-2.1 BS-2.2 Write Internal Control Plan to manage handling of controlled items Response to FAQ on export issues or redirect to other company personnel, for example in case of issues with export logistics Other items that may be in a Control Plan include transit controls. For example the allowed distribution method for export of data may contain the mandatory use of encryption and digitally signing of messages that contain export-controlled information. Most often a license does not specify particular guidelines for this; hence security policies or company best practices most likely have effect here. Note that even though export regulations may not specify any requirements regarding handling of export-controlled data, other regulations may still apply and impact the program. Definition: There are various physical documents created during BS 1 and BS2. These have generic names in these business scenarios but do exist and are usually printed and signed off by the Export Authorization Manager. For sake of clarity these are defined here: Export Authorization The approval of an export from the government Policy Authority, granted to a company. It contains the export conditions. Company Authorization to Export This is the internal approval of the company to export an item. It contains the analysis of the export authorization in the business context and includes mapping of the export on the (automated) company systems and processes. Internal Control Plan (ICP) The complete plan how one company plans to manage an export under a specific authorization (usually per program or entity). Implementation Plan A plan developed by a program based on (a subset of) the requirements in the Internal Control Plan. This document may be shared with external program partners such as suppliers. Implementation Statement The declaration of a program or supplier that all planned implementation is done. This statement serves as evidence in peer reviews and audits. Configure access control systems and assign required attributes to users Program Manager, Company Management The Program Manager directs appropriate technical personnel to configure IT systems/ procedures to enforce the rules (access controls, labeling tool profiles, distribution lists, etc.). Each organization assigns the required attributes (listed in BS1) to authorized users based on conditions from the on the internal (export) control plan (defined in BS2.1) and their scope or work effort. TSCP, Inc. Copyright 2013 Page 34

40 BS-2.2 Configure access control systems and assign required attributes to users Access control systems are configured corresponding with program rules User profiles (technical format) have been defined (containing attributes and processes for assigning, tracking and managing user attributes) Users have been assigned attributes and are able to use these. 1. The access control system must a. support definition and communication of attributes relevant to determining access control restrictions such that all participating organizations may apply appropriate access control restrictions to participants. b. support implementation of access rules that are consistent with overarching policy and compliant with specific export authorizations for the program. The correct configuration has to be verified prior to use for export of data. c. support scenarios where all parties may maintain local systems that hold their portion of the controlled data. d. help administrators to implement the defined access control rules in systems. The access control rules grant privileges based upon evaluation of user authorization and information labeling. 2. Attribute profiles must reflect local privacy regulations 3. The access control system should support mapping of Export Authorizations to traditional system specific access control mechanisms (such as Rule / Role Based Access Controls). Access authority is granted on the basis of defined attributes (see BS1.2 and BS 1.4). These differ per exporter, export authorization, security classifications, export control regulation and per situation. There will also be a range of acceptable values for these attributes. Depending on the sensitivity of the item/program this could mean that there will be an approved list of individuals (although it is not so common for EU Dual Use to get to that restrictive level). Furthermore, the way verification takes place is company specific. It might be sensible or even necessary to communicate the configuration and its verification result to the program partners. Access control systems must be pre-approved by UK MoD CESG (if UK restricted or above comes into scope). The exporter must prevent unauthorized access. End Use must be confirmed and should not be assumed. BS-2.3 Configure labeling tools and write data labeling guide Program Manager The ICP defines rules for the determination of the appropriate data classification for information objects. The appropriate labels as defined for the program are made available to all the end users because all participants in scope of the program configure their local labeling tools and the relevant IT systems such as a document management system. TSCP, Inc. Copyright 2013 Page 35

41 BS-2.3 Configure labeling tools and write data labeling guide These rules are input to training materials that assist users in identifying the policies governing information objects, and applying the correct labels on information objects to support systemic protection. Guidelines also describe which markings should be applied to various kinds of documents, and where and how they should appear on documents. Proper configuration for labeling tools used within a program context A set of guidelines identifying requirements for labeling and marking of documents Both including the following elements: Categorization rules for determining which labels to apply to documents based on their contents. Labeling rules for application of physical markings to documents that describe the wording of the physical markings and the basic details of their placement, i.e., Distribution Statement must appear on a cover sheet. Labeling tools and guidelines a. should be consistent with overarching policy and compliant with specific export authorizations and their provisos for the program. b. must be flexible to cope with other organizations policies on top of export controls. c. must be clear and concise for consistent use of the tools and understanding of the labels by all users. Ideally, labels should be managed centrally by enterprises/programs (per program within each company) so that the labels will be consistent across organizations that are exchanging data. Ideally, labels should be distributed to systems such that authoring tools may present them as choices to information suppliers. Depending on the program scope and the way labels are managed, the labeling tools may need to be able to translate labels (i.e., from Dutch into German, or from MS Office into LibreOffice). Ideally, they are also able to perform semi-automated checks and balances to assist the Program Manager with this particular task. BS-2.4 Develop training material, if required tailor this to local context Export Authorization Manager/Program Manager The Program Manager will lead the development of training materials for all program participants which, at minimum, addresses: identification of sensitive material knowledge of existing Export Authorizations and knowledge of labeling and sharing guidelines for the program. Recordkeeping requirements If necessary, the Program Manager or the End Users will supplement the developed training material with local context. Training material for use by program personnel TSCP, Inc. Copyright 2013 Page 36

42 BS-2.4 BS-2.5 Develop training material, if required tailor this to local context 1. The training materials a. must be consistent with (system) guidelines so that all companies are using the access control, labeling and other systems / processes in a similar manner. b. should address both the authorizations and any provisos associated with the authorizations that are relevant to the export in scope. 2. Therefore training has two components: a. Generic Export Compliance training not specific to a program or export authorization this may be conducted earlier, and is a requirement for system access. Generic training must be refreshed on a periodic basis, as required by enterprise policy (typically annual requirement). b. Training for program specific requirements and export authorizations. This will be defined by Export Authorization Manager for each program. Successful completion of this training is required for access to data covered under the program. 3. A separate (translated) version of the training may be developed for external users (e.g., foreign signatories). Training material developed by Export Authorization Manager may be shared with external parties to ensure consistency and compliance. This is optional, and provided only if required by enterprise/program requirements. Training is helpful, but is not a risk mitigation method and the company that provides training must not be held liable. Ultimate responsibility with export compliance requirements is every companies own responsibility. The frequency of training delivery may be determined by a proviso, a consent decree, or by enterprise policy. The Export Authorization Manager/Program Manager should ensure that any training is in compliance with all applicable requirements. Periodic re-training / recertification of users should be best practice Training is at minimum best practice. It is expected that future (i.e., new Wassenaar Arrangement guidelines) regulations may demand training as a criterion. Some Export Control Policy Authorities (e.g., EAR, ITAR) already provide guidelines that specify that all participants must have received training. Deliver tailored training to users Program Manager Appropriate individuals within each program participant organization will deliver training to their team, based on material developed in BS 2.6 and BS 2.7. Structured data recording progress/completion of training by program participants 1. Companies must ensure that a training plan is in existence to ensure exportcontrolled items are sufficiently protected. 2. User access to systems must be checked periodically regarding training completion, recertification and consequences of not completing the training in time. Training of users is a best practice. Some regulatory authorities (i.e., BIS for UK) provide compliance guidelines that specify that all participants must have received training. Status information on training then becomes a (mandatory) element in user attribute profile. TSCP, Inc. Copyright 2013 Page 37

43 Recommendation: Personal training is considered most effective for initial knowledge on export controls (awareness). Further training of users may be electronic,(effective for large number of people, effective to refresh memory. BS-2.6 Development of reporting guidelines and of support for Export Control Audits Export Authorization Manager/Program Manager The Program manager and Export Authorization Manager jointly define reporting guidelines and audit collection guidelines to ensure that Export Compliance may be verified by the Export Authorization Manager. This includes a verification of which guidelines have to be implemented as mandated by the Corporate or Third Party Audit officials. They normally should develop their own methodology and, for instance, verify that the export control documents of reference (and organizational aspects such as manpower, budget, etc.) are well defined, implemented and used by the Export Authorization Manager/Program Manager. Guidelines (expected content, reporting frequency, whom to report to, etc.) for reports / self-evaluations and improvement plans or audits. 1. Export Authorization Manager shall define the frequency and depth of the audits. 2. Export Authorization Manager shall define the parameters and information that must be auditable. Including data in collaboration systems, if these are used. 3. If required (by company policies) have the audit guidelines formally approved. Report guidelines differ by company and are usually not shared externally. Also some audits are done online (i.e., for Germany this is the case where the national export control policy authorities requires a company to fill out a form.) Depending on the regulatory environment (export control regulations, company policies, archiving regulations) audits maybe subject to specific requirements on: authenticity (audit record has been generated by a trustworthy source); integrity (audit record has not been tempered with); confidentiality (audit record must be encrypted); retention (audit record must be stored for a certain duration e.g. to allow for forensics). As an example of an audit report, the below list provides an outline with common headings and expected range of values. This may be useful for capturing the required data to (automatically) generate the report. TSCP, Inc. Copyright 2013 Page 38

44 BS-2.6 Development of reporting guidelines and of support for Export Control Audits Example heading/report element Validate access conditions for specific systems Upload/Access records for specific data items for a specific period of time All users/companies associated with a given Export Authorization Identify the number of export per export authorization over time Valid user list Access audits for specific items All data exported under a given export authorization Upload/Access records for specific companies/users List of export records based on an export authorization and a period of time List of export authorization numbers, based on a company or a person Ad hoc reports Expected values Date/Time Characteristics of the individual that exported the item (e.g., who has uploaded a document)* Characteristics of the individual that imported (e.g., who accessed the document)* which item was exported (reference number or similar) license reference number *See BS 1 for minimum required characteristics and /or parameters BS-2.7 Verify Implementation Program Manager The Program manager will verify that procedural and systemic controls comply with appropriate System Implementation Plan or Internal Control Plan. The Program manager will ensure that implemented guidelines and rules are verified and used in the program in the proper way so that they are protecting data in accordance with requirements from the Internal Control Plan and the audit guidelines. This Implementation Statement (see BS 2.1) is used here to support the verification of compliant implementation. Self- Assessment report(s) that may include technical test reports as well as verified practices and corrective actions needed. 1. Identified scope of testing. At minimum, the controls must successfully demonstrate the ability to protect information according to the requirements as defined in BS2.1 prior to exchange of information. 2. Procedural controls must have been correctly implemented and show effective program data protection. 3. Reports (generated by a system) delivered to Export Authorization Manager should be formatted according to the audit guidelines and should permit them to verify the compliance of the program with EU Dual Use requirements. 4. Access to Reports (generated by a system) shall be restricted to authorized individuals. TSCP, Inc. Copyright 2013 Page 39

45 BS-2.7 Verify Implementation The purpose of this process step is to self-assess if export compliance instructions and regulations are followed. Examples for verification: check trained personnel registry developed test book for testing of electronic systems conduct testing of technical systems periodically check export records Recommendation: Export Authorization Manager should be able to access reports without involving IT specialists, where possible. BS-2.8 BS-2.9 Peer Review of (Electronic) systems/practices Export Authorization Manager Relevant personnel working for organizations affiliated with the program will perform (periodic) review of systems and export records to confirm that controls have been correctly implemented and are effectively protecting program data. This may result in a Peer Review Report to sign-off the program s EU Dual-Use compliance. Peer Review Report, a determination by the Export Authorization Manager (or qualified others like internal auditors) that the (systemic) implementation of controls is compliant with requirements, or that modifications are needed to bring the systems and export records into compliance. N/A This is a manual process. Independent Audit of Systems/Practices Export Authorization Manager, Company Management, Third Party Auditor Coordinated by the Export Authorization Manager, as required, the Program manager will work with appropriate Company audit/compliance personnel to perform audits of systems and program practices to ensure that the program remains in compliance with Export Control. Audit Report Including statement on elements of non-compliance and closure dates of corrective actions (if within scope of the program) Observations and recommendations to improve the process Follow up with adjustment of company policies if needed Follow up with program instructions and processes if needed Scope of audit/audit agenda. The purpose of this process step is to independently audit if export compliance instructions and regulations are followed. A third party auditor (such as Government) sometimes issue audit reports via an online system. Companies may have to close out corrective actions via the same system. TSCP, Inc. Copyright 2013 Page 40

46 BS-2.9 Independent Audit of Systems/Practices Sometimes the auditor or Export Control Policy Authority dictates a format for logging export transactions and/or providing audit evidence. See also BS 3 Recordkeeping requirements. 4.3 Process Steps BS 3 BS 3.1 Develop (technical) data, goods or services Program Personnel Program personnel develop some (technical) items to be shared. The item to be exported is manufactured. This could be a physical item or a piece of electronic data/software (also known as Technical Data under the ITAR). See 1.3 Definition(s). (Detailed) description of required data to allow determination if an item is deemed to be export-controlled. Intangible items like Technical Data must be correctly controlled prior to application of a label indicating protection requirements. Checks and balances are required to ensure data is not released outside the scope of the export authorization. Locking the data up in a Program Personnel ONLY access area is a way around this. Companies internal policy will determine how this data is protected.. BS 3.2 Verified need to share goods/data/services End User (in this scenario, an external recipient) Additional or recurring requests may be submitted (by multiple individual End Users, if applicable under the license) as a follow up of the initial request to share data. Detailed description of required goods/technical data Exact date/time of the occasions of sharing. Overview of required description details to request goods/technical data. This could be an important recurrence step (in line with BS 3.3 and BS 3.4). But usually the End User usually merely confirms correctness of the details needed for shipping items (goods/data/services). Particular verification on the need to share items (e.g., when circumstances change like in case of a takeover of embargo) is done in BS 3.3 by the Program Personnel or the Program Manager in line with their Export Control training/education. Examples: because of large amount of time between initial license and the actual day of development and shipment, like in France for the time between license to negotiate and license to export (ship). in case of a (hostile) takeover of changed political situation (embargo). also looking at verification of need to share data (and its volatile character, meaning a higher frequency of verification of the end user in respect to shipping physical goods). A typical sequence in this step is: 1) the End User notifies his/her need of information, data, technology, 2) the Program Personnel who ship items/give access to the related information must TSCP, Inc. Copyright 2013 Page 41

47 BS 3.2 Verified need to share goods/data/services verify (in line with regular practice for handling any classified information) that the End User is cleared to received that information, that the End User is authorized for the particular type of information and the End User has the "need to know" this particular information. Recommendation: The request should be done in accordance with applicable company policies. BS 3.3 Determine if data is export-controlled and if appropriate export authorization is present Program Personnel (Trained/qualified) Program Personnel determines whether data is export-controlled. If the data is export-controlled, program personnel will verify if the appropriate export authorization is present to support the desired release. Determination of whether an export control authorization is applicable. Determination of whether all associated documents (such as end-user statement) in support of the authorization are valid, accurate and available. In the case of the ITAR/EAR, the determined jurisdiction and the individual making the determination must be recorded for audit purposes. Changes of jurisdiction for controlled information must be recorded, including the date of the change and the identity of the individual determining the changed jurisdiction. 1. Program personnel are qualified to make the determination whether data is exportcontrolled. 2. Determination process is followed according to written policies and procedures. 3. A system may be available to support this determination. If so, that system should be able to: a. present all available regulations that apply to the program. b. assist the user in determining applicable regulations though a guided decision tree. c. prompt the user to consider all restrictions that may apply to an information object, including proprietary information restrictions, personally identifiable information restrictions, etc. 4. Program personnel will should have: a. access to electronic copies of export authorizations to support identification of the appropriate export authorizations to support sharing of the technical data, b. the ability to search electronic copies of export authorizations in order to locate the relevant Export Authorization more easily. 5. The identity of the information supplier who associates an export authorization with a piece of technical data will be captured and recorded 6. The record of the identity of the information label applier will be maintained by the Exporter, and will not be visible to external recipients. TSCP, Inc. Copyright 2013 Page 42

48 BS A Shared Data environment hosting UK Export-controlled information must require information suppliers to select an export authorization for a given information object before sharing that information object with a non-uk recipient in a location outside the UK 8. Export Authorizations available to the user should only be company owned export authorizations determined in BS 1 This step is recurring as at this point it is often of essence to check if some parts and components are subject to particular restrictions. Examples: re-export replacement of parts partial delivery This action should be the responsibility of a trained specialist, although some less complex determination (check a predefined list) may be done by all personnel in the Program. Depending on the procedures and level of complexity in a program it may be useful to appoint a dedicated export manager for the program. (Written) procedures are company specific. Examples: a manual check against a predefined list. a full determination, where the company has implemented a training for Program Personnel so they are qualified to determine if what they just build/manufactured/developed is subject to export control. see also BS 4 where this check is done in an automated and systemic way (by use of labels). Determine if data is export-controlled and determine if appropriate export authorization is present as they are very different activities that may be carried out by different groups in different organizations. This process would be followed if the work done is part of existing contract/program. For new contracts/programs or entity set ups, a validation process needs to take place as per BS 1. Determine actions for release Program Personnel Determination of actions as preparation for release. The Export Program Manager may be consulted to provide assistance in identifying distribution method and release policies as stated in the program guidelines Overview of actions to be taken prior to release of the data/goods/services. Actions should be accordance with program internal control plan and company specific release policies. Often the program personnel at this stage merely selects a best fit option from what they have learned or have available in a digital form (e.g., a labeling tool to mark electronic documents). It is therefore best practice to strive for a uniform release approach that will be applicable for the complete program. This may be best clarified as that the Program TSCP, Inc. Copyright 2013 Page 43

49 manager and the Export Authorization Manager decide on the actions to release in full compliance with all laws, regulations and company policies. The result will be procedures or lists and form part of the ICP. The Program manager has to execute/apply the proper actions in case of an export activity. The ICP could have defined a different approach per release or per partner; e.g., as a result of the conflict analysis process in BS 1. Also, for each intended release of an item, the item still needs to be prepared for release, according to the ICP; e.g., company methods to share an item internally (secure storage) and externally (secure transport). As it therefore may well be that more than one distribution method has been defined, it is recommended that this is checked, and that the Program Manager and Program Personnel is trained to select the best fit method. Examples for determinations: Check if labeling / marking requirements are already met Perform a (peer) review of a technical document (as quality assurance) so when exported it is the correct and complete document. BS 3.5 BS 3.6 Collect intended recipient(s) characteristics Program Personnel Includes: Verification of characteristics already received in BS 1 New characteristics for this specific release (if any) Characteristics of third parties (broker) Collection of required characteristics per recipient 1. An overview of intended recipients, including brokers, must be present. 2. Required characteristics as specified by the Authorization must be known. 3. Additional characteristics of the recipients required for this specific release may be collected (e.g., the security policy may require a PKI certificate for message encryption). 4. Collected recipient characteristics must be verified and validated against the appropriate standards or trust framework. Verification and validation may be done manually or automatically. See BS 1.23 and BS3.21. Recommendation: Verify if personal data protection laws and regulations such as EU Data Protection Directive are applicable and compliant 23. Provide recipient information as required End User (in this scenario an external recipient and assumed to be authorized) Provide required information. Credentials and other details Overview of required information TSCP, Inc. Copyright 2013 Page 44

50 Detailed identity characteristics may be required in the license and in other policies/regulations although regulations do not often specify requirements for end user identification, but merely who (as per license) may have the technology sent. Access to dual use technology would be specific to either country (Generic Licenses) or a company (specific licenses). Therefore addressee and location (company name, address and country) would be the minimum required credentials. System access controls are more driven by company policies whereby minimum requirements would be requested (say for a shared environment). Recommendation: To identify a company by an agreed identifier from a Registrar may be used (e.g., U.S. or NATO CAGE 24 code, a Chamber of Commerce number, a Tax Identification Number or TIN). This number may be used in a system as identifier itself but may also be used in a query to easily retrieve further required details like company address. BS 3.7 Apply appropriate labels / visual markings Program Personnel The Information supplier will choose the appropriate label and markings as captured in the Internal Control Plan (ICP). Appropriate labels and markings applied to data. 1. Labels and markings applied to data must be applied in accordance with: a. Regulations b. company policy c. export authorizations d. and, if applicable, security classifications. 2. If labels are used, users or systems must be able to detect modification to labels or content. 3. Markings including document control, destination control and security statements, if appropriate, must be applied to all data resident in a system that may be accessed by foreign personnel in locations outside the national territory, to ensure that data is not exported without proper authorization. 4. Government, company or program policy (e.g., DODD ) may require application of specific, required markings to data that is controlled under the ITAR. Data is almost ready for release after this process step. The applied labels and markings enable supporting technology to help prevent unauthorized release or export of technical data. Modification of data may impact authorization determination and labeling. Modification could require (new) authorization or data needs to be processed again starting at 3.1. There are no requirements to update or to change labels on copies of documents that are not being exported TSCP, Inc. Copyright 2013 Page 45

51 BS 3.7 Apply appropriate labels / visual markings Recommendation: Apply qualified digital signature 25 to data to register any modifications of the data after labeling / marking. BS 3.8 BS 3.9 Select appropriate distribution method and policies Program Personnel For a given distribution method specific requirements may apply from company policies or legal aspects. This may require a choice for the best distribution method regarding the release of the data to the recipient. Choice of appropriate distribution method In accordance with regulations/company policy For a given distribution method, specific requirements may apply. For example, when is chosen as distribution method, company or legal policy may require encryption of the (export-controlled) technical data. Another example is sending information on a memory stick by regular mail through accredited couriers and encrypted only. Release Controlled information Program Personnel Program personnel take an action that results in a recipient having potential access to the controlled data. This is considered the actual point of export/import/transit. The controlled data is accessible by recipients (transaction). 1. Verify that all necessary requirements for the chosen distribution method are met. 2. Data sharing systems should enforce proper access control on upload of documents, ensuring that documents are only uploaded if properly marked, and that the markings are appropriate to the location where the document is being uploaded. 3. Export-controlled technical data received by non-u.s. parties under a U.S. export authorization must only contain markings and/or metadata about the export regime governing that technical data (e.g., ITAR), and the specific export authorizations permitting access by that particular non-u.s. recipient (e.g., TAA #1). If there are any other authorizations that can be applied to that technical data to permit sharing with other non-u.s. recipients, those authorizations must not be inferable by any of the non-u.s. recipients via any marking and/or metadata attached to the technical data. Release may be contingent on other requirements, such as intellectual property restrictions, etc. 25 A qualified electronic signature is an advanced electronic signature (as defined in the EU Electronic Signature Directive) which is based on a qualified certificate and which is created by a secure-signature-creation device (i.e., a signature as described in article 5.1 of the EU Electronic Signature Directive). TSCP, Inc. Copyright 2013 Page 46

52 BS 3.10 Systemic export determination End User (in this scenario an external recipient) A systemic determination is done if the End User is allowed to access the data. Access of export-controlled technical data by recipient End User characteristics to acquire confirmation of access to export-controlled data This process step is assumed to be fully automated. It is also business context dependent. Therefore the TSCP ECWG has performed reviews on individual Export Control regulations to determine a basis logical rule per review / Export Control regulation. This rule covers the always applicable (generic) process steps for systemic export determination required by that particular Export Control regulation. On top of that each specific export, import or other transaction may bring one or more business context depended rules. Both rules have been included in the requirements documents for each individual review. The combination and technical implementation of both types of export control rules, and/or the business rule transformation from other business context (like Intellectual Property Protection) has been tasked to the TSCP ILH project. BS 3.11 BS 3.12 End User (authorized end user) accesses exported item End User (in this scenario an external recipient and assumed to be authorized) The End User is able to access the data. Access of export-controlled technical data by recipient 1. Confirmation of access to export-controlled data. 2. Access to export-controlled data by an End User or other entities must be recorded in the appropriate audit log, as described in the ICP under Recordkeeping Most export control regulations do not explicitly define recordkeeping requirements for export of data. However, enterprises have defined best practices with regard to recordkeeping which are reproduced in Annex II: Recordkeeping. Recommendations: It is recommended that confirmation is based on a trusted authentication certificate of the recipient. It is unlikely in the near term that a single document will be able to contain markings for multiple organizations and protected such that an organization may only see the markings appropriate to them. In the short term, it is acceptable to produce multiple copies of the documents with only the appropriate markings embedded in them. Register Transaction Export Program Manager The transaction details must be registered according to the appropriate recordkeeping requirements. (Automated) registration of transactions 1. Required transaction details in accordance with audit trail requirements. TSCP, Inc. Copyright 2013 Page 47

53 BS 3.12 Register Transaction 2. Registered transaction details should be accessible for audits. In principle all in- and outgoing transactions are required: a. Oral b. Visual c. Systemic See Annex II: Recordkeeping and Annex III: Example of an intangible export logerror! Not a valid result for table.. The policy authority usually provides the requirements or it is done based on company best practices. This may differ per case or per license. For the digital world this is less strict as the physical world since the policy authority usually runs behind on new data sharing technology. However, there have been pretty strict cases in which a full audit trail was required detailing technical data access and usage to satisfy regulatory compliance audit requirements. Additionally, company policy may request and keep of who approved release, who performed release, why access was granted and when it expires. This leads to cases where recordkeeping must be done in separate logs: one for (system) access control management and one for export transactions. Examples of transaction details: export date, time recipient characteristics (location address, company name, person identity characteristics) exported data license reference System Implementation Plan reference (Implementation Statement) value of export (see 3.13) logs of (virtual) meetings, phone calls Recommendation: Cloud Services are considered very risky and if used have difficulty to comply with export control regulations. Mostly because cloud services are not simply traceable data storage on someone s premises. When Cloud Services are used an agreement should be made on liability. In most cases the data owner (usually the exporter) is the liable party, not the End User/receiving party or the cloud service provider. BS 3.13 Register export under the authorization Export Authorization Manager The transaction details must be registered according to the appropriate recordkeeping requirements. TSCP, Inc. Copyright 2013 Page 48

54 BS 3.13 Register export under the authorization Similar to BS In particular required by ITAR, upon first export under a given export authorization, a notification must be provided to the policy authority. Company policy determines whether exports are defined as release by an Information supplier or download by a non-u.s. entity signatory. 2. Individual transactions must be registered by the Program Manager (may also be for security reasons). Parts of that transaction must be registered by the Export Authorization Manager under the filed export authorization. There may be a value or quantity limitation on exports under a license (this is the case for The Netherlands Export Control). For example: A license may hold a 100k value that may be exported in portions of 10k, each portion needs to be registered. Additional demand for recordkeeping could be coming from policy authority (see BS1.12). Usually there are no explicit other demands and registries are created based on program need (sometimes just logs are sufficient). Consultation of company policies / program guidelines Export Program Manager The Export Program Manager may be consulted to provide assistance in identifying distribution method and release policies as stated in the program guidelines. Advice on release policies such as marking / labeling requirements Advice on distribution method and accompanying distribution requirements 1. Regulations 2. Program policies 3. Company policies Examples for consultation: a possible interpretation on the license, regulations there possibility of multiple options for distribution or labeling the program personnel are uncertain / still to be trained a recent policy change that is not yet reflected in a new Internal Control Plan. i.e., a UN embargo. A recent audit showing flaws in the execution of processes Larger sized / politically sensitive programs requiring daily attention on their exports Export Authorization Manager An Export Authorization Manager may be consulted. There are three levels here: 1) Regular work/consultation, selecting best fit licenses/labels, etc. 2) More critical work: be aware of regulatory changes and make sure your original choice for labels/license is still a valid choice. 3) Mandatory review. UK MoD demands this for export controlled items that are also be classified as UK restricted (and up). TSCP, Inc. Copyright 2013 Page 49

55 Consultation of company policies / program guidelines For example: to select the best fit export authorization out of multiple possibilities to assist the Program Manager in case of labeling or packaging issues. This step is critically important when there is a delay between the process of labeling the document and the process of releasing the document to ensure that there have been no changes to the regulatory requirements or license restrictions. In the case of UK RESTRICTED Review may be mandatory Decision or advice, depending upon the specifics of the request for consultation List of export authorizations, Regulations, Program policies, Company Policies, Recipient characteristics Examples: Determination if export authorization is required for technical data Overview of applicable export authorizations Overview of applicable policies Overview of required labels and markings The Export Authorization Manager may not be entitled to perform its job. In case of EAR export authorizations, this entity may not be considered a U.S. Person. Access to export authorization records should be limited appropriately in such cases. TSCP, Inc. Copyright 2013 Page 50

56 Annex I: Common Licenses and Agreements Depending on the nature of an export/transfer/import, the following licenses may be required: Licenses required for manufacturing, trading and brokering. Licenses for negotiating and concluding an export contract. Licenses to export/transfer items or import them. The following table presents common examples of licenses or other agreements from the third category. Note that many of these licenses may be applied for via forms that may/must be submitted electronically. Type Authorization Purpose IL (individual license) Military/ Dual Use Military/ Dual Use Military GL (global license) GTL (general transfer license) (equivalent licenses exist for DU; cf; infra. EU GEAs) Granted by individual EU countries. Covers exports: by a particular exporter for a particular good to a particular destination (to one end user) In UK known as Standard Individual Export License (SIEL): These licenses, issued by the UK government to an exporter, authorizes the export of specified data or technology to a specific recipient in a specific country against specific value within a limited period of time. Granted by individual EU countries. Covers exports: by a particular exporter for a type or category (categories) of goods for the export to a single or several destinations for several transactions. Uncommon but for particular destinations a global license may be issued for military items. In UK known as Open Individual Export License (OIEL): These licenses, issued by the UK government to one particular exporter, authorizes the export of data or technology to specifically named destination(s), for a limited period of time. Granted by individual EU countries: for any exporter (a single registration number is to be granted at first use) for a limited list of items of the EU Military List (Annex of the ICT Directive) to the destination of EU Member States only. For EU Defence Related Products (military) the EU authorities made 4 GTLs mandatory: 1. supplies for Armed Forces 2. shipments to other EU member states Certified Companies 3. exhibitions and demonstrations, 4. Maintenance and repairs. Additionally, the EU member states may, if needed, adopt other GTLs. In France a one step license for intra-eu exports, referred to as transfers of defense-related products. This new licensing system has been tailored for intra-eu transfers and took effect on June 30, As of 27 June 2013, there are eight types of French General licenses for transfer: (1) to the armed forces or defense procurement agency of another Member State (2) to a certified enterprise in another Member State (3) for the purposes of display and demonstration at an international trade show in another Member State (4) to the armed forces or defense procurement agency of another Member State for purposes of demonstration or evaluation (5) to an enterprise in another Member State for purposes of demonstration or TSCP, Inc. Copyright 2013 Page 51

57 Type Authorization Purpose evaluation; and (6) to the police, customs agents, border patrol, or coast guard of another Member State for sole use by those forces. (7) for the return of defense related and spatial products temporarily transferred in France from another EU Member state. (1 to 7 published by Arrêté du 6 janvier 2012). (8) for the armed forces in another EU MS, but for their exclusive use only (published by Arrêté du 6 juin 2013). In the UK Open General Export License (OGEL) cover ICT military Transfers, too. These licenses, published by the UK government, authorize exporters to transfer/export data or technology as defined within the OGEL to specific listed countries against specifically defined criteria. In France, a General Export License (published by Arrêté du 6 juin 2013) authorizes the Exports of Defense related products and satellites ground stations, for the exclusive use of the French armed forces. Consequently, French Industry benefits from General licenses to supply the French armed forces worldwide (EU and third countries). Dual Use Dual Use Military Military Military EU GEA (European Union general license) NGA (national general license) U.S. Dept. of State DSP-5 Permanent Export License U.S. Dept. of State DSP-73 Temporary Export License U.S. Dept. of State DSP-61 Temporary Import License Cover exports of certain items to certain destinations as specified EU Regulation 428/2009. There are currently 6 EU GEAs in place. May be issued by individual EU countries for dual use items, provided that they: a) do not conflict with existing EU GEAs b) do not cover any of the items listed in part 2 of Annex II to EU Regulation 428/2009 France, Germany, Greece, Italy, Sweden, the Netherlands and the UK currently have these authorizations. NGAs are published in the official journal of the issuing country. In UK, known as Open General Export License (OGEL): These licenses, published by the UK government, authorize exporters to export data or technology as defined within the OGEL to specific listed countries against specifically defined criteria. License for the permanent export of unclassified defense articles and related unclassified technical data. This license is also used for authorization for the employment of a foreign national in the United States when those employees will have access to ITAR controlled technical data. For the temporary export of unclassified defense articles subject to ITAR. This license may be used for specific end users and public trade shows. However, if demonstrations or marketing information will exceed public domain information, a DSP-5 will also be required. Technical data is not authorized under a DSP-73 Used for temporary import of defense articles into the United States. U.S. goods that were sold to a foreign owner that are being returned to the United States for overhaul, repair, or an upgrade, would require this license if not exempt under 22CFR 123.4(a). Foreign manufactured defense articles for trade shows and demonstrations would also require this license type. Military U.S. Dept. of State DSP-85 License for classified items Used for classified defense articles and related classified technical data. It is used for permanent export, and temporary export or temporary import. TSCP, Inc. Copyright 2013 Page 52

58 Type Authorization Purpose Military U.S. Dept. of State Manufacturing License Agreement (MLA) Required for defense services, if technical data is given or used to perform the defense services. Both unclassified and classified technical data may be exported in furtherance of an approved manufacturing license in accordance with 22CFR This license allows for the manufacturing of U.S. defense articles by a foreign person abroad. Military U.S. Dept. of State Technical Assist Agreement (TAA) Agreement for the performance of defense services or disclosure of technical data. Unlike a DSP-5, discussions regarding the technical data may be held. A TAA is required for the training of foreign military forces in the use of defense articles. However, manufacturing "know how" is not permitted and authorization to manufacture U.S. defense articles by a foreign person is not granted. Dual Use Dual Use U.S. Dept. of Commerce Individually Validated License U.S. Dept. of Commerce EAR General License An IVL is a specific grant of authority from the government to a particular exporter to export a specific product to a specific destination if a general license is not available. The licenses are granted on a case-by-case basis for either a single transaction or for many transactions within a specified period of time. An exporter must apply to the Department of Commerce for an IVL. One exception is munitions, which require a U.S. Department of State application and license. Other exceptions are listed in the EAR. A general license is a broad grant of authority by the government to all exporters for certain categories of products. Individual exporters do not need to apply for general licenses, since such authorization is already granted through the EAR; they only need to know the authorization is available. TSCP, Inc. Copyright 2013 Page 53

59 Annex II: Recordkeeping UK Recordkeeping The following information should be retained by any organization exporting data under UK Export regulations in order to support BIS audits against Exports. The data must be kept in a place and manner so that it is available and retrievable during audits. It does not necessarily have to be embedded in the records for every export event. Record Element Definition Identity of Exporter The identity of the organization exporting the data must be recorded. Recipient Information The following information must be recorded about the recipient of exported data: Identity of Recipient Organizational affiliation of recipient Location of Recipient at time of Export Time and Date of Export License Permitting Export The time and date of the event constituting export of the technical data. Organizations may define this event in a variety of ways: uploading a document to a shared data environment, having a document downloaded by a non-uk participant from a shared data environment, etc. Organizations must identify the event that constitutes an export for purposes of recordkeeping, and should be consistent in recording those events. The following information about the license used for the export of the data License identifier (License name, number, OGEL Registration number) License Validity Period (OIEL, SIEL only) Data Identifier for data being exported: This may be a File name, Document Control Number or other information, such as a URL or Folder Location. It should be unique for each exportable item, and traceable back to the exported document. UK Dual Use List Classification of data object UK Munitions List Classification of data object UK MoD Security Classification of the data object. Data Environment Certification Level of Data Environment, to support classified data objects. U.S. EAR Recordkeeping EAR requires all exporters to keep records regarding exported technology for a period of 5 years following the export event. Audit records must be generated by a system, but must be supplemented by records maintained by the Export Authorization Coordinator to support the reconstruction of export events with sufficient detail to demonstrate compliance with export regulations. The following data should be captured for every transaction processed by a collaboration system: Date of Transaction Program, or Scope of information object exported The identity of the parties to the recipient; Information related to the user s nationality, and location, as well as employer country of incorporation A document reference number for any exported document The Export Authorization supporting the export event (e.g., EAR Export License number or justification of No License Requirement such as exception or EAR99) (Optional) additional information for utilization of Export Authority (quantity, value, etc.) TSCP, Inc. Copyright 2013 Page 54

60 The data recorded in the previous list for every transaction is not sufficient to support an audit for export control. To support comprehensive audit and reporting requirements, additional supplemental information must be maintained in separate repositories, supporting retrieval of necessary information as required to support internal or external audit requests: A description of the software or technology exported or re-exported, including the ECCN, as identified on the Commerce Control List (CCL), or EAR99; A description of the equipment for which the software or technology is intended to be used, including the ECCN, as identified on the Commerce Control List, or EAR99; The intended end-use of the software or technology; The name and address of the end-user; The location of the equipment for which the software or technology is intended to be used, including the country of destination. U.S. ITAR Recordkeeping In addition to the record elements required by the regulations, capture of the following data element is recommended by enterprise best practices. Note that in the Methods of Access column, programmatic access alone may not guarantee sufficient protection (e.g., privacy); this should be described further, e.g., Limited Visibility. Figure 1 - Export Audit Record Data Elements TSCP, Inc. Copyright 2013 Page 55

61 Figure 2 Requester data audit record data elements Figure 3 Exporting Applications Audit Record Data Elements TSCP, Inc. Copyright 2013 Page 56

62 EU Dual Use Recordkeeping The table below provides an example of (combined) export reporting requirements. Reporting requirements EU - Dual use exports Original F D I NL UK No requirements specified Very stringent encryption requirements and information requirement on encryption 6 monthly reports on exports* *if no exports zero report must be submitted no details on reporting (is all done via online government tool) 6 monthly reports No reporting requirements No reporting requirements, must keep records Consolidated Need to be able to pull 6 monthly reports Details invoice Details invoice (ref. No) Details contract Details contract (ref. No) Amount/value Amount/value items sent items sent of the of the of the goods goods goods HTS codes HTS codes Country of destination Country of destination (this should already be part of name/address requirements of consignee/end user) Consignee / end Consignee / end user Consignee details (name/address) user details details (name/address) Export date Export date Export date Type of export (final, temporary, transit) Type of export (physical/electronic) Quantity Name/address exporter Very stringent encryption requirements and information requirement on encryption Type of export (final, temporary, transit, physical/electronic) Quantity Name/address exporter Additional requirements on encryption TSCP, Inc. Copyright 2013 Page 57

63 Annex III: Example of an intangible export log The table below provides an example of an export record. The example is built up from: EU Dual Use regulations (the EU 428/2009 requires recipient country ) national implementations of the EU regulation ( value is a good example ) and company specific demands Intangible export log Export License reference number: Export License holder: Data sent: [ref nr] [holder name] Dual use controlled data Date Recipient Name Recipient Company Recipient Country Dual Use classification Data reference number Value TSCP, Inc. Copyright 2013 Page 58

64 Annex IV: Reference tables Consolidated provides the numbers from the main process steps in the consolidated business scenarios. Original shows the process steps from which the consolidated requirements originated, including marking of the consolidated process steps that were amended with elements from the French Export Control review. Consolidated Original Process step ITAR EAR UK EC NL EC EU D U FR EC , x x , ,1.3,1.4, , , x , 1.10, , 1.7, 1.20, , , , 1.11, , 1.15, x 2.1 x 2.2, , , , , , , , , , , ,2.7 x x , , , , 3.4 x x x , TSCP, Inc. Copyright 2013 Page 59

65 Consolidated provides the functional roles in the consolidated business scenarios, including a short description with the intention of the role. Full definitions can be found in sections 1.3 Definition(s) and 3 Consolidated Export Control Business Scenarios. Original lists the roles as used in the individual reviews from which the consolidated roles originated. Consolidated Original Role Intention ITAR EAR UK EC NL EC EU D U FR EC End User Program Manager Receiving or handling an exported/ imported item. Responsible for a specific program with export / trade activity Foreign entity; signatory; non-us entity signatory (Company B) Exporter Program Manager (Company A) Non-US entity recipient (Company B) Exporter Program Manager (Company A) Non-UK entity Exporter Program Manager Authorized user (end user) Exporter Program Manager End-user Exporter Program Manager Recipient Export Authorization Manager Expert In trade controls, assists with compliance and audits Export Authorization Manager (Company A) Export Authorization Coordinator (Company A) Export Authorization Manager Export Authorizati on Manager Export Authorizati on Manager Policy Authority Governmental authority for the export control policy Policy Authority Policy Authority Export Control Policy Authority (incl. UK MOD) Export Control Policy Authority (National) Export Control Policy Authority Program Personnel Working within a program/ sharing or sending items Program personnel Program personnel Program personnel Program personnel Program personnel Company Management Supporting the export from company management IT function N/A N/A Company management N/A TSCP, Inc. Copyright 2013 Page 60