2024-2025 Global AI Trends Guide
On April 10, 2024, the U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”) published guidance for universities and research centers to comply with International Traffic in Arms Regulations (“ITAR”). DDTC visited several universities and research centers between 2020 and early 2024 and issued this guidance to highlight best practices and recommendations to identify and address ITAR compliance risks. This guidance follows DDTC’s publication of its Compliance Risk Matrix and Supplemental Matrix for Universities in September 2023. DDTC’s guidance is another indication of the U.S. Government’s increased focus on universities’ export control compliance. The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) has also increased its focus on universities through its Academic Outreach Initiative.
On April 10, 2024, DDTC issued guidance summarizing best practices and recommendations from DDTC’s visits to universities and research centers over the past few years (“the Guidance”). On September 8, 2023, DDTC published “Supplemental Compliance Risk Matrix for Universities” (“Universities Risk Matrix”), in addition to the “ITAR Compliance Risk Matrix”. The Universities Risk Matrix identifies points categories of ITAR risk and approaches to tailor a compliance program to address those risks. DDTC’s focus on universities and research centers is in conjunction with BIS’s Academic Outreach Initiative released on June 28, 2022. The Academic Outreach Initiative is a four pronged approach by BIS to: (1) strategically engage with universities that have higher risk profiles, (2) connect BIS Outreach Agents to universities, (3) provide background briefings to the universities to explain the national security risks, and (4) provide trainings to universities on compliance with the Export Administration Regulations ("EAR") to address these risks.
The Universities Risk Matrix outlines categories of ITAR exposure so that universities, research institutions, and laboratories can understand, review, and assess their ITAR compliance risks. It should be used with DDTC’s ITAR Compliance Risk Assessment Matrix (“ITAR Compliance Matrix”). The Universities Risk Matrix is organized by low, high, and medium risk in several categories, including type of research performed, foreign persons, international travel, international collaboration, information technology and security, publication restrictions, technology transfer/patents, classified work, media/public relations/filming requests, and access/release/operation of defense articles, technical data, and software controlled under the ITAR.
The ITAR Compliance Matrix provides organizations that engage in activities subject to the ITAR information organized by low, medium, and high risk to assess their level of ITAR compliance risk. The ITAR Compliance Matrix is organized into enterprise risks (risks applicable to the entire organization), organizational function risks (typically most applicable to function or group within identified responsibilities), and ITAR Compliance Program Risk Elements. The ITAR Compliance Program Risk Elements are organized in the same categories as DDTC’s Compliance Program Guidelines: Management Commitment; DDTC Registration, Jurisdiction & Classification, Authorizations, and other ITAR Activities; Recordkeeping; Detecting, Reporting, and Disclosing Violations; ITAR Training; Risk Assessment; Audits & Compliance Monitoring; and ITAR Compliance Manual.
The Guidance makes clear that DDTC expects universities and research centers to implement compliance programs that are tailored to the universities and research centers’ risk based on the type, scope, and volume of activities subject to the ITAR conducted by the universities and research centers. The Guidance is not only focused on screening, research and development, transfers of technology, and technology control plans. It also makes clear that universities and research centers need to understand and assess the involvement of foreign persons, including through foreign gifts, provision of defense services, and use of automated tools to improve compliance.
The Guidance is organized into several categories: export controls awareness/commitment; compliance approach; organizational structure; training; outreach/participation; fundamental/controlled research; foreign students/faculty; IT resources; travel; personnel resources; technology control plans; policies and procedures; physical security; technical data controls; and auditing/assessments.
Examples of best practices include:
DDTC also issued recommendations to universities and research centers to improve their ITAR compliance programs. These recommendations include pursuing research projects that require DDTC authorization instead of being ITAR-risk averse and regular meetings with the Defense Technology Security Administration ("DTSA") to provide an overview of research projects, discuss potential limitations, and communicate future licensing needs. Other recommendations include:
On June 28, 2022, BIS issued a memorandum, “Addressing the National Security Risk that Foreign Adversaries Pose to Academic Research Institutions.” This memorandum reiterated the concept that the majority of technology released in an academic setting is not subject to the EAR through the fundamental research exception. However, proprietary research is often subject to the EAR. The memorandum also outlined the BIS’s Academic Outreach Initiative’s four pronged approach to address the national security threat to universities:
On March 28, 2024, BIS’s Assistant Secretary for Export Enforcement, Matthew Axelrod, announced that the Academic Outreach Initiative has grown from 20 universities to 29 universities.
DDTC’s guidance highlights its increasing focus on universities and research institutions. Taken together with BIS’s Academic Outreach Initiative, the U.S. Government is prioritizing universities’ export control compliance and expects the universities and research centers to understand and respond to export control risks under the ITAR and EAR. DDTC’s Guidance and Universities Risk Matrix place universities on notice for known risks and best practices and recommendations to improve their compliance programs.
Authored by Beth Peters, Ashley Roberts, and Feven Yohannes.