Defense contracts for the vast array of services PSC members proudly provide to the federal government routinely include Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses that explicitly or implicitly reference U.S. export controls and sanctions requirements. But what do enforcement actions look like? How much does it cost? And how do contractors handle potential instances of non-compliance and navigate the voluntary disclosure process? Let’s take a deeper look at recent enforcement trends as we give you the required information on export controls and sanctions compliance for defense services contractors.

Enforcement, Errors, and Export Control
Enforcement actions for alleged violations of these requirements often involve companies that were either unaware of the requirements altogether, mistakenly believed their “domestic” operations did not constitute “export” activity, and/or or engaged the services of noncompliant subcontractors that acted without the contractor’s knowledge. Another common contractor error is to conflate the security requirements of confidential or classified information with those of export controls and sanctions programs. U.S. export controls and sanctions requirements arise under a strict liability regime, in which intentional conduct is not required for a finding of violation. Inadvertent non-compliance may still result in steep civil and criminal penalties, commercial liability, contractor debarment, loss of export privileges and significant reputational damage.

Regulatory Landscape: Defining Key Terms
U.S. export controls requirements arise under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). The ITAR governs
the export of defense articles, defense services and controlled technical data to any foreign destination, or to any foreign person, whether domestic or abroad. Under the ITAR, “defense serviceentails providing or furnishing assistance (including training) to foreign persons, whether in the U.S. or abroad, in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, or use of defense articles. If a contractor’s services are performed in connection with U.S. or foreign militaries and the use of articles, software or data described in the U.S. Munitions List (USML), the service provider should implement protocols to track and satisfy ITAR applicable requirements. A contractor may be required to obtain one or more ITAR authorizations from DDTC before they can perform under the contract. 

The EAR governs the export of commercial and dualuse goods, software and technology, including hardware and software containing certain encryption algorithms. If services are performed in connection with commodities, technology, or software described in the Commerce Control List (CCL), contractors should implement procedures to verify fulfillment of EAR requirements. A contractor may be required to obtain one or more EAR authorizations before they can perform under their contract.

For purposes of the ITAR and EAR, the term “export” covers a broad range of activities that includes the transfer of products, services or information. Typically, one may think of an export as the physical movement of hardware across borders. While this is certainly the case, the term also broadly covers any transfer to any non-U.S. person, either within or outside of the U.S., of controlled items, technology, software, or information, by physical, electronic, oral, or visual means.

As such, sending an e-mail with controlled information to an overseas colleague may constitute an export requiring prior authorization. An export may have occurred if a non-U.S. person providing facilities maintenance services in a U.S. facility had physical or visual access to controlled information. Such personnel may need to be identified on one or more authorizations prior to starting work. Certain contracts may prohibit the employment of non-U.S. citizens in any capacity. Research collaborations where non-U.S. persons or U.S. persons located overseas have shared access to electronic files and folders may also give rise to export activity requiring prior authorization. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers country-specific economic and trade sanctions that restrict or prohibit transactions with and exports to targeted countries and persons in furtherance of U.S. foreign policy, national security and economic objectives. U.S.  government contractors may be required to obtain authorizations from the U.S. government before they can perform under a contract if targeted parties are directly or indirectly involved. Any
time a third-party vendor or supplier is expected to provide goods or services in support of a defense services contract, the contractor is responsible for performing due diligence on the third party and carrying forward any/all flow-down clauses that may apply.

Counting the Cost and Tracking Trends
So, what’s the penalty for non-compliance and what could it cost? If a defense services provider learns of unauthorized export activity or activity involving a restricted party, the company must
investigate the issue. Failure to identify and correct compliance problems can be costly. Under the ITAR, civil penalties may be levied up to $1,000,000 per violation with criminal penalties up to $1,000,000 and/or 20 years of imprisonment. Under the EAR, civil penalties could be $300,000—or twice the transaction value per violation—with criminal penalties up to $1,000,000 and/or 20 years imprisonment. Under the OFAC  regs, civil penalties vary by program. Generally, these penalties may be levied up to $250,000 per violation, with criminal penalties up to $10,000,000 and/or 30 years of imprisonment.

Under all three frameworks, government contractors may receive significant penalty mitigation (50% or more) if they voluntarily disclose instances of potential non-compliance to the authorities and implement effective corrective actions. Over the past few years, regulatory authorities have continued to aggressively enforce the requirements of ITAR, EAR and OFAC programs. Some common themes stand out: in nearly all cases, defense services providers subject to enforcement did not realize that their activities required an authorization, lacked adequate training on export and sanctions requirements, and/or failed to appoint compliance personnel with adequate knowledge or institutional decision-making authority to implement effective controls. Defense services providers often did not have compliance policies in place nor periodically stress test their compliance programs. Providers interfacing with third parties occasionally failed to have consistent compliance measures to govern interparty liability. Failure to properly classify products and data under the USML or CCL and poor management of specific provisos in issued licenses are a recurring liability source for contractors. In some cases, the excessive delay in submitting voluntary disclosures from the date of discovery also served as a penalizing factor.

Lessons Learned
The key lesson for defense services providers: be proactive and not reactive. Having a U.S. government entity as the primary customer is by no means a shield from the requirements. Many defense service providers’ activities will not be subject to licensing requirements. However, there should be a well-documented and standardized approach to deciding whether and to what extent the requirements apply to a defense service providers’ business activities. Remember the following to stay on top of export controls and sanctions compliance: periodically examine business process; have measures in place to respond to identified compliance issues; communicate process enhancements to all personnel and train employees accordingly; disclose potential non-compliance in close coordination with the company’s legal team; and be forthright in those disclosures. So when it comes to export controls and sanctions compliance, be sure to have all the right information to make the most informed decisions. 

This article was published Oct. 30, 2019 in the Fall 2019 edition of PSC's Service Contractor magazine. Click here to view the PDF of this article.

For example, common export and sanctions related clauses include FAR 52.225-13, DFARS 252.204-7008, DFARS 252.204-7009, DFARS 252.204-7012, DFARS 252.209-7004, DFARS 252.225-7002, and DFARS 252.225-7048.
22 C.F.R. § 120 et seq.
15 C.F.R. § 730 et seq.
22 CFR § 120.9.
22 C.F.R. § 121.1.
Supplement No. 1 to Part 774 of the EAR.
31 C.F.R. § 501 et seq.
See Appendix A to OFAC’s Economic Sanctions Enforcement Guidelines at 31 C.F.R Part 501.
See BIS Administrative Enforcement Guidelines, 83 FR 706 (January 8, 2018).
See DDTC Penalties & Oversight Agreements (; BIS Annual Report of Enforcement (; and OFAC Civil Penalties and Enforcement Information (