Export Controls: Agencies Should Assess Vulnerabilities and
Improve Guidance for Protecting Export-Controlled Information at
Companies (05-DEC-06, GAO-07-69).
The U.S. government controls exports of defense-related goods and
services by companies and the export of information associated
with their design, production, and use, to ensure they meet U.S.
interests. Globalization and communication technologies
facilitate exports of controlled information providing benefits
to U.S. companies and increase interactions between U.S. and
foreign companies, making it challenging to protect such exports.
GAO assessed (1) how the government's export control processes
apply to the protection of export-controlled information, and (2)
steps the government has taken to identify and help mitigate the
risks in protecting export-controlled information. To do this,
GAO analyzed agency regulations and practices and interviewed
officials from 46 companies with a wide range of exporting
experiences.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-69
ACCNO: A63906
TITLE: Export Controls: Agencies Should Assess Vulnerabilities
and Improve Guidance for Protecting Export-Controlled Information
at Companies
DATE: 12/05/2006
SUBJECT: Data integrity
Data transmission
Dual-use technologies
Export regulation
Exporting
Federal regulations
Government information
Information security
Information technology
Internal controls
Licenses
Regulation
Risk assessment
Strategic planning
System vulnerabilities
Dept. of Commerce Export Control
Automated Support System
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-69
* [1]Results in Brief
* [2]Background
* [3]Agency Processes Provide Limited Oversight of Export-Control
* [4]Some Current Export Control Processes and Requirements Are N
* [5]Companies Use a Variety of Practices to Protect Export-Contr
* [6]Government Lacks Sufficient Knowledge of the Risks Associate
* [7]Agencies Have Not Systematically Assessed the Risks with Com
* [8]Improved Knowledge of the Risks Associated with the Protecti
* [9]Conclusion
* [10]Recommendations
* [11]Agency Comments and our Evaluation
* [12]GAO's Mission
* [13]Obtaining Copies of GAO Reports and Testimony
* [14]Order by Mail or Phone
* [15]To Report Fraud, Waste, and Abuse in Federal Programs
* [16]Congressional Relations
* [17]Public Affairs
Report to Congressional Requesters
United States Government Accountability Office
GAO
December 2006
EXPORT CONTROLS
Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting
Export- Controlled Information at Companies
GAO-07-69
Contents
Letter 1
Results in Brief 3
Background 4
Agency Processes Provide Limited Oversight of Export-Controlled
Information and Rely on Companies for Its Protection 9
Government Lacks Sufficient Knowledge of the Risks Associated with the
Protection of Export-Controlled Information to Identify the Minimal
Safeguards 15
Conclusion 23
Recommendations 23
Agency Comments and our Evaluation 24
Appendix I Scope and Methodology 27
Appendix II Comments from the Department of Commerce 31
Appendix III Comments from the Department of State 33
Table
Table 1: Key Agency Checkpoints on Exports of Controlled Goods and
Information 12
Figures
Figure 1: Illustration of Various Types of Exchanges of Export-Controlled
Information in Relation to the Export of Goods 5
Figure 2: Risk Assessment and Agency Decision-Making Model 17
Abbreviations
BIS Bureau of Industry and Security CBP Customs and Border Protection DDTC
Directorate of Defense Trade Controls DETRA Defense Trade Application
DFARS Defense Federal Acquisition Regulation Supplement DOD Department of
Defense DOL Department of Labor DTSA Defense Technology Security
Administration EAR Export Administration Regulations ECASS Export Control
Automated Support System FBI Federal Bureau of Investigations ITAR
International Traffic in Arms Regulations OMB Office of Management and
Budget RDT&E Research Development Test and Evaluation SED Shippers' Export
Declaration SIA Society for International Affairs TCP Technology Control
Plan USML U.S. Munitions List
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
December 5, 2006 December 5, 2006
The Honorable F. James Sensenbrenner, Jr. Chairman Committee on the
Judiciary House of Representatives The Honorable F. James Sensenbrenner,
Jr. Chairman Committee on the Judiciary House of Representatives
The Honorable Lamar Smith Chairman The Honorable Howard L. Berman Ranking
Minority Member Subcommittee on Courts, The Internet, and Intellectual
Property House of Representatives The Honorable Lamar Smith Chairman The
Honorable Howard L. Berman Ranking Minority Member Subcommittee on Courts,
The Internet, and Intellectual Property House of Representatives
The U.S. government controls the export of defense-related goods and
services by U.S. companies--as well as the export of information
associated with their design, production, and use--to help ensure they are
consistent with national security and foreign policy interests. However,
significant advancements in communications technology have changed the
face of global commerce and sped the communication of business information
to promote economic growth, increasing interactions between U.S. and
foreign companies and making it challenging to protect the cutting-edge
technologies that U.S. firms develop or acquire. For example, U.S.
businesses increasingly rely on daily exchanges of information with
foreign parties abroad and foreign nationals they employ domestically to
share services, technical data, and software more efficiently. These
information transfers between U.S. businesses and foreign nationals can
occur with ease in a wide variety of commonplace business practices, such
as using e-mails to send data files, site visits that involve visual
inspections of U.S. equipment and facilities, and oral exchanges of
information in the U.S. or abroad when foreign nationals work side-by-side
with U.S. citizens. U.S. companies have also used such means to
collaborate with international partners to design and develop fighter
aircraft currently being produced by the U.S. military. Such "intangible"
information exchanges, should they involve export-controlled technology,
can be subject to U.S. government's export control laws and regulations
just like the physical shipment of defense-related goods. For purposes of
this report such exports, regardless of whether they are transmitted The
U.S. government controls the export of defense-related goods and services
by U.S. companies--as well as the export of information associated with
their design, production, and use--to help ensure they are consistent with
national security and foreign policy interests. However, significant
advancements in communications technology have changed the face of global
commerce and sped the communication of business information to promote
economic growth, increasing interactions between U.S. and foreign
companies and making it challenging to protect the cutting-edge
technologies that U.S. firms develop or acquire. For example, U.S.
businesses increasingly rely on daily exchanges of information with
foreign parties abroad and foreign nationals they employ domestically to
share services, technical data, and software more efficiently. These
information transfers between U.S. businesses and foreign nationals can
occur with ease in a wide variety of commonplace business practices, such
as using e-mails to send data files, site visits that involve visual
inspections of U.S. equipment and facilities, and oral exchanges of
information in the U.S. or abroad when foreign nationals work side-by-side
with U.S. citizens. U.S. companies have also used such means to
collaborate with international partners to design and develop fighter
aircraft currently being produced by the U.S. military. Such "intangible"
information exchanges, should they involve export-controlled technology,
can be subject to U.S. government's export control laws and regulations
just like the physical shipment of defense-related goods. For purposes of
this report such exports, regardless of whether they are transmitted
electronically or conducted through other intangible means, are referred
to as export-controlled information.^1
The U.S. government's export control functions are largely carried out by
the departments of Commerce and State and are based on laws established
decades ago, before rapid advances in communications technologies and the
increasingly globalized economy. Based on your request that we review how
the government oversees the protection of export-controlled information at
companies and recognizing the ease with which such information can be
shared, this report assesses: (1) how the government's export control
processes apply to the protection of export-controlled information, and
(2) steps the government has taken to identify and help mitigate the risks
in protecting export-controlled information.
To determine how the government's existing export control processes apply
to the protection of export-controlled information, we analyzed Commerce's
and State's export control regulations and policies. We interviewed agency
officials from Commerce's Bureau of Industry and Security (BIS), State's
Directorate of Defense Trade Controls (DDTC), and reviewed and analyzed
both agencies' activities to mitigate the risks in protecting such
information, such as company visit and compliance planning documents,
training, and outreach programs. We also interviewed Department of Defense
(DOD) officials who review State and Commerce export licenses for national
security concerns and analyzed applicable policies. We interviewed
officials from 46 companies of various sizes representing defense and
commercial sectors with a range of exporting experiences to obtain
information on the companies' policies for export-controlled information
and the officials' perspectives on agency training and outreach efforts to
help them mitigate risks in protecting such information. The information
and insights provided from these companies may not be generalizable to the
broad universe of U.S. companies that export. Additional information on
our methodology is provided in appendix I. We performed our review from
January through November 2006 in accordance with generally accepted
government auditing standards.
^1Specifically, export-controlled information includes technical data,
which is required for the design, development, production, manufacture,
assembly, operation, repair, testing, maintenance or modification of
defense articles and software directly related to defense articles (22
C.F.R. Sec. 120.10). It also includes specific information necessary for
the development, production, or use of items on the Commerce Control List
(15 C.F.R. Sec. 772.1, defining technology), commonly referred to as
dual-use items, which can serve defense and commercial purposes.
Results in Brief
U.S. government export control agencies have less oversight on exports of
controlled information than they do on exports of controlled goods.
Commerce's and State's export control requirements and processes provide
physical checkpoints on the means and methods companies use to
export-controlled goods to help them ensure such exports are made under
license terms, but the agencies cannot easily apply these same
requirements and processes to exports of controlled information. For
example, companies are generally required to report their shipments of
export-controlled goods overseas to Customs and Border Protection for
exports made under a license, but such reporting is not applicable to
export-controlled information. Commerce and State expect individual
companies to be responsible for implementing practices to protect
export-controlled information. One third of the companies we interviewed
told us they do not have internal control plans to protect their
export-controlled information, which set requirements for access to such
material by foreign employees and visitors. Also, almost half of the
company officials we interviewed told us they encounter uncertainties when
determining what measures should be included within their internal control
plans to help protect export-controlled information.
Commerce and State have not fully assessed the risks of companies' using a
variety of means to protect export-controlled information. The agencies
have not used existing resources, such as license data, to help identify
the minimal protections for such exports. As companies use a variety of
measures for protecting export-controlled information, increased knowledge
of the risks associated with such information could improve agency
outreach and training efforts, which now offer limited assistance to
companies to mitigate those risks. Our internal control standards
highlight the identification and management of risk as a key element of an
organization's management control program. Further, Commerce's and State's
communications with companies do not focus on export-controlled
information. For example, Commerce's and State's Internet Web sites do not
provide specific guidance on how to protect electronic transfers of
export-controlled information, a point raised by about one fourth of the
company officials we interviewed.
We are making several recommendations aimed at improving the departments
of Commerce's and State's knowledge of the potential vulnerabilities in
the protection of export-controlled information at companies, the guidance
both agencies provide to companies to improve their understanding of how
to protect export-controlled information, and compliance activities on
company protection of export-controlled information. We provided a draft
of this report to the departments of Commerce, Defense, and State for
their review and comment. Commerce and State provided written comments,
which are reprinted in appendixes II and III, respectively. Defense did
not have any comments. Commerce generally agreed with our recommendations
to assess potential vulnerabilities related to export-controlled
information and to conduct more targeted outreach and compliance
activities. State agreed with our recommendation to improve guidance for
exports of controlled information and disagreed with our report's finding
that it does not assess the potential vulnerabilities associated with
export-controlled information. While the actions State cited in its
response may help inform it in making individual licensing decisions and
identifying specific companies for compliance visits, it is not using such
information to strategically assess the vulnerabilities specifically
associated with the transfer of export-controlled information. Such
assessments will help the department identify ways to improve its
oversight of export-controlled information and its guidance to companies.
Background
Under the U.S. export control system, agencies expect companies to be
responsible for determining if the items or information they intend to
export are controlled by the government's export control regulations and
for implementing procedures to safeguard their protection and transfer.
The corresponding regulations are designed to keep specific military and
dual-use items^2 and technologies from being diverted to improper end
users. These export control regulations, initially established more than
30-years ago, aim to balance national security, foreign policy, and
economic interests. In today's global economy, U.S. companies' exchanges
of technology and information occur with ease and include the transfer of
export-controlled technologies to foreign nationals through routine
business practices such as
o transmission of a data file via an e-mail sent from a laptop
computer, cell phone, or a personal digital assistant,
o using company electronic networks to make intra-company
transfers of information to overseas subsidiaries or affiliates,
o visual inspection of U.S. equipment and facilities during
company site visits,
o e-commerce transactions--sales of software over the Internet to
overseas customers, and
o oral exchanges of information when working side-by-side with
U.S. citizens.
^2Dual use items and technologies can serve both military and commercial
purposes.
See figure 1 for an illustration of various types of exchanges of
export-controlled information in relation to the export of goods.
Figure 1: Illustration of Various Types of Exchanges of Export-Controlled
Information in Relation to the Export of Goods
While an export often involves the actual shipment of goods or technology
out of the U.S., under Commerce's and State's export control regulations,
transfers of U.S. export-controlled information to foreign nationals
within the U.S. are also considered to be an export to the home country of
the foreign national and thus may require an export license.^3 For export
control purposes, the term "foreign national" includes any person who is
not a U.S. citizen or lawful permanent resident.^4
The U.S. government's controls on the export of defense-related items are
primarily divided between the departments of Commerce and State, with the
assistance of the Department of Defense (DOD).
Department of Commerce: Commerce, through its Bureau of Industry and
Security (BIS), controls the export of dual-use items and information
primarily through implementation of the Export Administration Act.^5
Commerce's Export Administration Regulations (EAR)^6 establish the
Commerce Control List, which generally contains detailed controls for
dual-use items. BIS has two branches: Export Administration and Export
Enforcement. Export Administration is responsible for processing export
license applications, outreach, and counseling efforts to help ensure
exporters' compliance with the EAR as well as monitoring certain license
conditions to determine exporters' compliance with their conditions.
Export Enforcement investigates alleged dual-use export control violations
and coordinates its enforcement activities with other federal agencies,
such as the Department of Justice's Federal Bureau of Investigations (FBI)
and the Department of Homeland Security's Customs and Border Protection
(CBP).
^3These transfers are commonly referred to as "deemed" exports. Commerce's
export control regulations (15 C.F.R. Sec. 734.2(b)(2)(ii) specifically
utilizes the term "deemed export" to describe these transfers. While the
ITAR does not use a precise corresponding term, State Department officials
told us the concept of a "deemed" export is covered under the ITAR's
general definition of an export--i.e., an export means "Disclosing
(including oral or visual disclosure) or transferring technical data to a
foreign person, whether in the United States or abroad." (see 22 C.F.R.
Sec. 120.17), and the ITAR requirements for the export of unclassified
technical data which state "...a license is required for the oral, visual,
or documentary disclosure of technical data by U.S. persons to foreign
persons...regardless of the manner in which the technical data is
transmitted (e.g., in person, by telephone, correspondence, electronic
means, etc.) (see 22 C.F.R. Sec. 125.2(a) and (c). State officials told us
they also refer to these transfers as "deemed exports."
^4"Foreign national" is the term used in the EAR 15 C.F.R. Sec. 734.2
(b)(2)(ii). "Foreign person" is the term used in the ITAR, 22 C.F.R. Sec.
120.16, and also includes a foreign corporation or business entity or
group incorporated to do business in the U.S. as well international
organizations and foreign governments.
^550 U.S.C. App. Secs. 2401 et seq. Although the Act has lapsed, export
control regulations have been extended through executive orders, of which
Executive Order 13222 (Aug. 17, 2001) is the most recent.
^615 C.F.R. Secs. 730-774.
Department of State: State, through its Directorate of Defense Trade
Controls (DDTC), regulates exports of defense items and information under
the authority of the Arms Export Control Act.^7 State's International
Traffic in Arms Regulations (ITAR)^8 provides controls over defense
articles and services, which are identified in broad categories on the
U.S. Munitions List (USML). DDTC works to implement and enforce these laws
and regulations using three key offices: Licensing, Compliance, and
Policy. The Office of Licensing is responsible for reviewing license
applications and addressing correspondence from exporters, such as
providing advice on questions to businesses, known as advisory opinions.
The Office of Compliance checks for company violations of the export
regulations and conducts end-use checks on exports and company visits to
achieve this goal. The Policy Office provides training through a third
party organization, and outreach to companies on the export regulations.
DOD: The Defense Technology Security Administration (DTSA) represents DOD
on export control issues and administers development and implementation of
technology security policies for the international transfers of
defense-related goods, services and technologies, which DOD oversees. DTSA
serves an advisory role in State's and Commerce's export license review
processes and offers technical reviews on licenses for national security
concerns. DTSA may also provide guidance regarding commodity jurisdiction
requests from State, and DTSA often issues advice regarding advisory
opinions submitted to both State and Commerce. The agency is responsible
for maintaining contact with industry regarding changes in technologies
and licensing initiatives. DTSA plays a significant role in coordinating
any proposed changes to the ITAR or EAR, with DTSA's opinion serving as
the final DOD position regarding such matters.
Recent congressional hearings and intelligence reports have highlighted
threats to U.S. companies' sensitive information--such as intellectual
property, trade secrets, and financial data--from foreign economic and
military surveillance and the associated challenges of balancing U.S.
security and economic interests. These threats may weaken U.S. military
capability and hinder U.S. industry's competitive position in the world
marketplace.^9 According to a recent counterintelligence estimate, factors
that have contributed to U.S. economic and technological success have also
facilitated foreign entities' technology acquisition efforts. For example,
the openness of the United States has provided foreign entities easy
access to sophisticated technologies; new electronic devices have vastly
simplified the potential for illegal retrieval, storage, and
transportation of massive amounts of information, including trade secrets
and proprietary data; and information systems that create, store, process,
and transmit sensitive information have become increasingly vulnerable to
hacking attempts.^10
722 U.S.C. Sec. 2778 authorizes the President to control the export of
defense articles and services. The statutory authority of the President to
promulgate regulations on these exports was delegated to the Secretary of
State by Executive Order 11958, as amended.
^822 C.F.R. Secs. 120-130.
The challenges to the government in protecting export-controlled
information at companies are interrelated to the challenges we previously
reported facing the departments of Commerce, State, and Defense in
overseeing the export of controlled technologies in today's rapidly
evolving international security and business environments. For example, in
June 2006, we reported Commerce has not systematically evaluated the
overall effectiveness and efficiency of its dual-use export control
processes to determine whether it is meeting its goal of protecting U.S.
national security and economic interests in the wake of the September 2001
terror attacks.^11 In 2005, we reported that State has not made
significant changes to its arms export control regulations in response to
the terror attacks.^12
9For example, Sources And Methods of Foreign Nationals Engaged In Economic
And Military Espionage, Hearing before the Subcommittee on Immigration,
Border Security, and Claims of the Committee on the Judiciary, House of
Representatives (Washington, D.C.: Sept. 15, 2005).
^10Office of the National Counterintelligence Executive, Annual Report to
Congress on Foreign Economic Collection and Industrial Espionage, 2004
(April 2005).
^11GAO, Export Controls: Improvements to Commerce's Dual-Use System Needed
to Ensure Protection of U.S. Interests in the Post-9/11 Environment,
[18]GAO-06-638 (Washington, D.C.: June 26, 2006).
^12GAO, Defense Trade: Arms Export Control System in the Post-9/11
Environment, [19]GAO-05-234 (Washington, D.C.: Feb. 16, 2005).
Agency Processes Provide Limited Oversight of Export-Controlled Information and
Rely on Companies for Its Protection
U.S. government export control agencies have less oversight on exports of
controlled information than they do on exports of controlled goods.
Commerce's and State's export control requirements and processes--such as
export documentation, reporting requirements, and monitoring--provide
physical checkpoints on the means and methods companies use to export
controlled goods to help them ensure such exports are made under their
license terms, but the agencies cannot easily apply these same
requirements and processes to exports of controlled information.
Consequently, U.S. export control agencies rely on individual companies to
develop practices for the protection of export-controlled information.
Officials from one third of the companies we interviewed told us they do
not have internal control plans to protect their export-controlled
information.
Some Current Export Control Processes and Requirements Are Not Easily Applied to
Export-Controlled Information
Government export control processes provide physical checkpoints for the
export of goods, but the same checkpoints are not easily applied to
electronic and other intangible transfers of export-controlled
information. Both Commerce and State oversee exports of goods and
information--regardless of their form or method of transfer--through their
licensing and compliance programs. Both agencies' programs require
companies to apply for export licenses under their respective regulations
and to keep records on such exports for possible agency monitoring and
inspection. However, certain export documentation, agency reporting
requirements, and agency monitoring processes for exports of controlled
goods are not easy or practical to apply to the oversight of exports of
information, which limits the agencies' ability to monitor exports of
licensed controlled information.
o Means of Transportation or Transfer Reported on Export
Documentation: When shipping a controlled good overseas, a company
is generally required to file a Census Bureau Shippers' Export
Declaration (SED) form with CBP, within the Department of Homeland
Security.^13 Companies generally are required to file the SED form
for every export made under a specific license, which requires
companies to specify the method of transportation for the exported
goods, such as vessel or air. However, exports of controlled
information transmitted electronically or in an otherwise
intangible form are specifically exempted from SED filing.^14
Commerce and State export license applications require exporting
companies to report the name of the freight forwarder or other
agents to be used for the shipment of goods, which provides the
agencies with some oversight on how companies intend to conduct
such exports. However, agency export license applications do not
require companies to report information on the means of
transmission they intend to use to transfer export-controlled
information.^15 In the absence of information on the means of
transmission used to export-controlled information, Commerce and
State lack information that could help provide some level of
oversight as they do for physical shipment of goods.
o Agency Reporting Requirements: Certain agency reporting
requirements for goods do not apply to export-controlled
information. Companies are generally required to present the SED
form before any export.^16 As previously described, the SED Form
is not required for electronically transmitted export-controlled
information.^17 Further, companies are not otherwise required to
notify Commerce when exports of licensed controlled information
take place. While in certain circumstances State requires
companies to notify it when they transmit licensed
export-controlled information, this requirement only applies to
the first instance of transfer.^18 Beyond these notifications,
Commerce and State cannot be sure that all exports of controlled
information under the license are made to the designated end-user
and are within the terms of the license approval.
o Agency Monitoring: Commerce and State monitor exports to help
ensure company compliance with license requirements and to assess
industry areas where export licenses may be required. However, the
two agencies' efforts focus on export-controlled goods, and not
information, due in part to the nature of transfers of
export-controlled information, which makes elements of agency
monitoring processes inapplicable. For goods, the SED can be used
to aid the government in tracking exported goods and determining
whether or not they reach the specified end-user. The SED also
provides a feedback mechanism, which the lead export-control
agencies may use to measure the effectiveness of their activities
and processes. A similar feedback mechanism does not exist for
export-controlled information transmitted electronically and by
other intangible methods. Since the agencies cannot completely
monitor these exports, their reliance on companies to implement
control mechanisms becomes increasingly important for protecting
export-controlled information.
For example, Commerce and State do not systematically monitor
whether companies abide by the conditions of their "deemed" export
licenses, which permit the transfer of export-controlled
information to specific foreign nationals. Consequently, agencies
have no way of knowing if all licensed export-controlled
information was exported according to the terms of the
license--for example, if it was sent within the permitted time
period, if the information exported was appropriate, and if the
export reached its intended end-user. In 2002, we recommended that
Commerce--in consultation with the Secretaries of Defense, State,
and Energy--establish a risk-based program to monitor compliance
with deemed export license conditions.^19 Commerce officials told
us they recently completed a limited pilot program to monitor
company compliance with deemed exports and did not find any
compliance issues in the sample of deemed export licenses they
reviewed. However, Commerce officials told us that this pilot did
not address the issue of export-controlled information transferred
by electronic means, such as e-mail, and that they have not
decided whether they will perform similar monitoring efforts on an
annual basis.
^13The SED form is an export document that requires companies to report a
detailed description of exported commodities including their export
control number, quantity and weight, method of transport, loading pier,
dollar value, and the forwarding agent. The Census Bureau uses this
information to compile the official export statistics for the U.S. 15
C.F.R. Part 30 and Sec. 758.1(f).
^1415 C.F.R. Secs. 30.1(d), 30.55, and 758.1(b).
^15In this regard, Commerce requires an additional letter of explanation
for license applications of controlled technology, which by definition
includes information. 15 C.F.R., Pt. 748, Supp. 2 (o) and Sec. 772.1
(defining technology). While the information is required for the letter,
the means of transfer or transmission is not specifically required.
^1615 C.F.R. Secs. 30.12, 758.1; 22 C.F.R. Sec. 123.22.
^1715 C.F.R. Sec. 758.1(b).
^1822 C.F.R. Sec. 123.22(b)(3).
Table 1 provides an overview of the key agency checkpoints generally
related to export-controlled goods and information.
^19GAO, Export Controls: Department of Commerce Controls over Transfers of
Technology to Foreign Nationals Need Improvement, [20]GAO-02-972
(Washington, D.C.: Sept. 6, 2002). In March 2004, the Commerce OIG also
released a report recommending that BIS implement a compliance program for
deemed exports, such as on-site company inspections to ensure compliance
with license conditions. See Commerce Department, Deemed Export Controls
May Not Stop the Transfer of Sensitive Technology to Foreign Nationals in
the U.S. (Washington, D.C.: March 2004).
Table 1: Key Agency Checkpoints on Exports of Controlled Goods and
Information
Source: GAO analysis.
a15 C.F.R. Secs. 30.1, 30.7, as exempted in 15 C.F.R. 30.50 through 30.58.
b For export-controlled information transmitted electronically or in
otherwise intangible form, 15 C.F.R. Sec. 758.1(b).
c15 C.F.R. Sec. 748.5 and Pt. 748, Supp. 1; 22 C.F.R. Sec. 126.13.
d15 C.F.R. Sec. 30.6 requires a separate SED form for each shipment,
unless otherwise exempted.
e15 C.F.R. Sec. 30.12.
Companies Use a Variety of Practices to Protect Export-Controlled Information
Under the U.S. export control system, companies are responsible for
implementing procedures to protect export-controlled information
regardless of how it is exported. We found a range of company practices
for protecting export-controlled information from our discussions with
officials from 46 companies, including the use of internal control plans,
limiting employee access, and computer security technologies. Almost two
thirds of the company officials we interviewed told us their companies use
internal control plans, which establish procedures to protect proprietary
and export-controlled information and also set requirements for access to
such material by foreign employees and visitors.^20 However, other
companies we interviewed exported controlled information or employed
foreign nationals, but had not yet developed internal control plans for
such transactions. While Commerce and State generally do not require
companies that export controlled information to use such plans, an
industry report on export control best practices includes internal control
plans as a best practice to safeguard export-controlled products and
technologies against improper access by foreign nationals--employees,
customers, and visitors.^21 For example, companies can use such internal
control plans to provide specific procedures and processes addressing
physical and computer access to export-controlled information; such as
employee badging, record-keeping procedures for all relevant
export-related documents; the use of internal audits on export
transactions; and the use of electronic surveillance, such as hidden
cameras, where appropriate, for physical security. Almost half of the
company officials we interviewed told us they encounter uncertainties when
determining what measures should be included within their internal control
plans to help ensure the proper protection of export-controlled
information. Officials from larger companies who expressed such concerns
added that these uncertainties may be magnified in smaller companies due
to their inexperience with export regulations, a point confirmed by
officials from five small companies we interviewed.
In addition to the companies' stated use of internal control plans, we
found companies also had practices related to employee access and foreign
national access to export-controlled information. Examples include the
following:
^20In some cases, DOD requires companies to use specific Technology
Control Plans (TCP), which provide specific measures to control access for
all export-controlled information and protect it from improper access by
foreign nationals assigned to or employed at security-cleared contractor
facilities. DOD 5220.22-M, National Industrial Security Program Operating
Manual, Sec. 10-509 (Feb. 2006). State and Commerce require companies to
use TCPs and Internal Control Plans, respectively for a limited set of
technologies, such as satellites (22 C.F.R Sec. 124.15) and items under
the Special Comprehensive License (15 C.F.R. Sec. 752.11). State provides
that export-license-application processing will be facilitated by
providing a TCP when foreign nationals are employed at or assigned to
security-cleared facilities. 22 C.F.R. Sec. 126.13. Also, Commerce's Web
site provides basic guidelines to companies submitting license
applications for foreign nationals pursuant to the "deemed export" rule
encouraging them to provide a description of any internal technology
control plan or measures they intend to use to prevent unauthorized access
by foreign nationals to controlled technologies or software.
^21Nunn-Wolfowitz Task Force Report: Industry "Best Practices" Regarding
Export Compliance Programs (July 25, 2000).
o Two thirds of the companies indicated that all
employees--including foreign nationals--wear identification badges
that contain information such as a picture, a color-code
indicating the employee's security clearance, and encoded data
that allows access to only those areas authorized for the
employee.
o About three fifths of the companies we interviewed indicated
that they protect export-controlled information by storing it
within restricted components of the company's computer server, and
requiring employees to gain permission through a network
administrator before obtaining access to such information.
Some companies also use information security protections for their
electronic transfers of export-controlled information. More than two
fifths of the companies we interviewed use encryption; an information
technology process used to obscure data files, making them inaccessible
without the appropriate code to decipher the meaning. Neither Commerce's
nor State's regulations require companies to use encryption when
transferring export-controlled information. According to the International
Standards Organization, a nongovernmental organization that provides
technical standards to the public and private sectors, organizations
should consider using some form of encryption when transferring sensitive
information.^22 Commerce and State export control officials told us they
do not specifically recommend that companies use encryption for various
reasons, such as agencies' inability to keep current on rapid developments
in this field and possible liability issues surrounding their
recommendation of a particular encryption product for e-mail security.
Our review of selected companies' export control internal control
practices highlights how uneven company practices can contribute to
vulnerabilities associated with the protection of export-controlled
information. For example, officials from three of the companies we
interviewed told us that they exported controlled information--through
electronic transmissions or interpersonal interactions with foreign
nationals--but that they did not have technology control plans that
provided company-wide policies and procedures to limit their foreign
national employees' access to export-controlled information. However, in
situations when companies manufacture or research sensitive technologies
that are export-controlled, they are required to register with the
government, even if they are not planning to export.^23 In situations
including these, the extent of company internal control practices could
affect its vulnerability. For example, a nanotechnology company official
intending to export technology in the immediate future told us a former
Chinese foreign national employee had full electronic access to the same
sensitive company information as its U.S. employees. The official also
told us this foreign employee was not physically segregated from any
portions of the company facilities or lab where more sensitive technology
functions were performed. Under these circumstances, we believe that the
company official could not have determined whether the employee improperly
accessed company information that potentially could be export-controlled.
^22See the following International Standards Organization guidelines:
International Standards Organization /IEC 17799:2005 Code of Practice for
Information Security Management and International Standards
Organization/IEC 18033, Encryption Algorithms.
Government Lacks Sufficient Knowledge of the Risks Associated with the
Protection of Export-Controlled Information to Identify the Minimal Safeguards
The lead government agencies have not fully assessed the risks of
protecting export-controlled information to help identify the minimal
level of protection for such exports. Commerce and State do not
strategically use existing resources, such as export license data, to
identify potential risks when such information is exported and are not
fully aware of the consequences of companies using a variety of measures
for protecting export-controlled information. Such analysis is critical
because government export-control processes provide less oversight for
export-controlled information than exports of goods. Improved knowledge of
the risks associated with such exports could improve agency outreach and
training efforts, which now offer limited assistance to companies to
mitigate risks when protecting such information.
^23Under the ITAR, all manufacturers, exporters, and brokers of defense
articles, defense services, or related technical data, as defined in the
United States Munitions List, are required to register with the State
Department and maintain records concerning their manufacture, acquisition,
and disposition of defense articles, services, and technical data. (22
C.F.R. Sec. 122.1) Manufacturers who do not export must nevertheless
register; such registration does not confer export rights or privileges,
but is a precondition for the issuance of any license or other approval
for export. Under the EAR, companies are required to obtain export
licenses from the Commerce Department when foreign nationals access
export-controlled information.
Agencies Have Not Systematically Assessed the Risks with Company Protection of
Export-Controlled Information
Commerce and State have not strategically used existing information
resources, such as export license data, to identify possible
vulnerabilities and risks related to company protection of
export-controlled information for use in oversight of such exports. GAO
has identified managing risk both as an emerging area of high risk for the
government and a part of governance challenges for the 21st century.^24
Commerce and State do collect a range of basic information on company
exports, some of which could prove valuable in understanding
export-controlled information, such as technologies exported and their
end-users. However, neither Commerce nor State has implemented systematic
risk-assessment practices for its oversight of export-controlled
information. Applying systematic risk-based strategies to
export-controlled information could enable Commerce and State officials to
focus their resources on information exports that may pose a higher risk
to national security. As shown in figure 2, risk management aims to
integrate systematic concern for risk into the usual cycle of agency
decision-making and implementation.
^24See GAO, High-Risk Series: An Update, [21]GAO-05-207 (Washington, D.C.:
January 2005), and GAO, 21st Century Challenges: Reexamining the Base of
the Federal Government, [22]GAO-05-325SP (Washington, D.C.: February
2005).
Figure 2: Risk Assessment and Agency Decision-Making Model
Threat, vulnerability, and criticality are frequently used aspects of risk
assessment.^25 Our internal control standards state that once risks have
been identified, they should be analyzed for their possible effects.^26
Our standards also state that because economic and industry conditions
continually change, entities should provide mechanisms to identify and
deal with any special risks prompted by such changes. Risk analysis
generally includes estimating the risk's significance, assessing the
likelihood of its occurrence, and deciding how to manage the risk and what
actions should be taken. The threats to the protection and transfer of
export-controlled information include the inadvertent exposure of such
information to unauthorized foreign parties as well as foreign economic
espionage. For example, several of the larger defense and commercial
companies we interviewed told us their computer networks are routinely
subject to hacking attempts by individuals attempting to steal or corrupt
information, which officials said can number in the hundreds daily.
Currently, Commerce and State rely on companies to identify and protect
export-controlled information whether it is transferred orally,
electronically, or visually--or through traditional physical shipment
methods used for goods, such as a courier transporting a compact disk
containing export-controlled information to a customer. The vulnerability
of export-controlled information may be increased by companies not using
computer or physical security mechanisms that help protect against
physical and electronic diversions during its transmission. The
consequences of such risks to export-controlled information may include
the loss of sensitive information to foreign entities with interests
contrary to our own as well as significant and costly civil and criminal
penalties for violations of the export control regulations.
^25Carl A. Roper, Risk Management for Security Professionals (Boston:
Butterworth Heinemann, 1999); J. Moteff, Risk Management and Critical
Infrastructure Protection: Assessing, Integrating, and Managing Threats,
Vulnerabilities, and Consequences, CRS, RL32561 (Washington, D.C.: Sept.
2, 2004); R. E. Chapman and C. J. Leng, Cost-Effective Responses to
Terrorist Risks in Constructed Facilities, (National Institute of
Standards and Technology, March 2004).
^26GAO, Standards for Internal Control in the Federal Government,
(Washington, D.C.: November 1999).
At present, both agencies' approaches to conducting company compliance
visits generally target specific industries and industry practices, but
are not based on thorough knowledge of possible weaknesses and
vulnerabilities in company protection of export-controlled information.
Commerce officials told us the agency primarily conducts company visits
based on company size and technology produced. Commerce officials also
told us they also target companies and industry associations based on a
variety of other factors, including their analysis of license data and
publicized company export control developments, such as announcements in
local business newsletters reviewed by Commerce export officials. Through
its company visit plan, State performs its company compliance visits based
on general knowledge of topic areas its staff believe may be vulnerable to
compliance problems and discrete compliance issues, such as companies that
employ foreign nationals. However, Commerce and State do not use available
licensing data to strategically target both established and emerging
business sectors to aid in their monitoring and oversight of exports of
controlled information. For example, agency license databases and company
records provide a pool of information, which Commerce and State could
analyze to help them discern trends in export-controlled information, such
as identifying which companies are involved in cutting-edge commercial and
military technology developments. Increased agency knowledge in these
technology fields that transmit export-controlled information and are
known to be subject to foreign espionage^27 would help increase agency
oversight and may reduce such vulnerabilities.^28
State and Commerce told us they perform company outreach and training
visits as part of their oversight of company export control activities,
but neither agency considers export-controlled information in determining
which companies they should visit. For example, State officials told us
they conduct these visits when requested by companies. Consequently,
companies without knowledge of the export regulations would not know to
request this additional assistance. Commerce officials told us the agency
conducts over 100 company training seminars nationwide annually on topics
ranging from an exporting primer, product classifications, and deemed
exports for both novice and experienced exporters. These seminars are held
in conjunction with local business cosponsors, and Commerce develops
specific training topics to reflect the interests of local industry.
Commerce officials told us they conduct a limited number of visits to
specific companies as part of their company outreach, which are usually
prompted by information and intelligence obtained through their compliance
efforts. Such training and outreach is particularly important because we
found during our company interviews that newly-formed smaller businesses
working in advanced technology areas were not as aware of the extent of
their responsibilities to protect export-controlled information, and their
company officials suggested that their protection measures did not follow
best practices to safeguard such information as used by experienced
exporters. Furthermore, in our prior work we recommended that Commerce and
State should better coordinate their efforts on analysis and export
oversight.^29
27Office of the National Counterintelligence Executive, Annual Report to
Congress on Foreign Economic Collection and Industrial Espionage, 2004,
(April 2005).
^28BIS recently established a Deemed Export Advisory Committee,
compromised of representatives from academia and business to address
issues surrounding transfers of dual-use technologies to foreign
nationals. BIS officials told us they believe the committee will help
improve its oversight of deemed exports.
^29See GAO, Export Controls: Improvements to Commerce's Dual-Use System
Needed to Ensure Protection of U.S. Interests in the Post-9/11
Environment, [23]GAO-06-638 (Washington, D.C.: June 26, 2006); GAO, Export
Controls: Department of Commerce Controls over Transfers of Technology to
Foreign Nationals Need Improvement, [24]GAO-02-972 (Washington, D.C.:
Sept. 6, 2002); and GAO, Export Controls: Processes for Determining Proper
Control of Defense-Related Items Need Improvement, [25]GAO-02-996
(Washington, D.C.: Sept. 20, 2002).
Improved Knowledge of the Risks Associated with the Protection of
Export-Controlled Information Could Improve Agency Outreach and Training
Government export control agencies use a variety of means--including
Internet Web sites, advisory opinions, and company training to communicate
information on export controls to industry. However, we found that because
these agency outreach and training efforts are not developed based on a
thorough knowledge of the risks associated with such exports, they do not
specifically address the protection of export-controlled information.
o Agency Internet Web sites: Commerce and State have Internet Web
sites that provide the public information about the agencies'
export control roles and responsibilities. However, these Web
sites do not communicate information such as industry best
practices or identify specific protection measures for companies
to use to securely transfer export-controlled information
electronically. For example, we found while Commerce's Web site
provides information to businesses on the Export Administration
Regulations, such as frequently asked questions and guidance for
deemed exports, it does not provide information on measures
companies could use to protect the transmission of
export-controlled information, such as encrypting e-mails used to
transmit export-controlled information to a company's foreign
subsidiary. State's Web site does not provide information or
guidance to exporters on accepted practices for protecting
export-controlled information and managing deemed exports, such as
suggested security measures to implement when foreign employees
work in close proximity to export-controlled information. Almost
one fourth of the company officials we interviewed told us they
would like additional guidance on export-controlled information
posted on Commerce's and State's Web sites, such as
agency-accepted employee training on export-controlled
information. Commerce and State export control officials told us
they have not provided such guidance on their Internet Web sites
for reasons such as their inability to keep current on
developments in these areas, such as recommended particular
encryption standards, and possible liability issues related to
recommending a particular protection measure.
In 2004, the Office of Management and Budget (OMB) endorsed
recommendations from the Interagency Committee on Government
Information on guidelines to help make federal agency Web sites
more user-friendly and to better enable companies to understand
agencies' regulatory requirements.^30 These standards for agency
Web sites include providing a list of frequently asked questions
to users and Web links to other federal agencies that can provide
additional information on a particular issue. State's Web site
does not provide users with answers to frequently asked questions,
such as common questions companies have on the export process. The
State Web site also does not link to the Commerce Web site or
provide information on best practices companies use to comply with
the regulations. By providing this type of information on its Web
site, State could help enhance its communication to companies and
alleviate company confusion surrounding the protection of
export-controlled information.
o Advisory Opinions: As part of their export control activities,
Commerce and State provide nonbinding advice to companies, called
advisory opinions, on specific questions they submit to the
agencies regarding the export regulations. Officials from about
two fifths of the companies we interviewed told us they submitted
questions to the agencies regarding export-controlled information.
However, under the Commerce and State advisory opinion programs,
the agencies do not publicly share all agency responses to these
requests for guidance and information due to concerns about
inadvertently releasing a company's proprietary information to the
public as well as agency officials' judgment that such opinions do
not have broad utility to the export community. From our review of
Commerce's and State's export control activities, we found while
Commerce provides a few public examples of advisory opinions on
its Web site that address deemed exports and the employment of
foreign nationals, none specifically address the electronic
transfer of export-controlled information. State officials told us
State does not provide any advisory opinions to the public. By
publicizing their advisory opinions, Commerce and State could
possibly leverage their limited outreach resources and help a
greater number of companies attain clarifying information on
agency policies on export-controlled information.
Other federal agencies, such as the Department of Labor (DOL),
share advisory opinions with the public on their Web sites but
redact company proprietary information to protect identifying
information. This allows other companies with similar questions to
benefit from the additional agency guidance. One company export
control official we interviewed suggested companies could submit
two letters simultaneously to either Commerce or State to request
advisory opinions on export control issues. In the first letter
the company would include all necessary information to distinguish
the export, so the agency could make an appropriate decision on
the specific export control matter. In the second letter the
company would redact all proprietary and company identifying
information, which the agency would be allowed to publicize to
other companies. DOL uses this approach to alleviate itself of the
burden from identifying and redacting proprietary information from
advisory opinions it shares publicly.
o Agency Training on Export-Controlled Information: While Commerce
and State provide export-control training to companies, we found
the agencies do not strategically target companies and industry
sectors where the greatest risk of violations of the export
regulations on export-controlled information may exist. While
Commerce and State have significantly different approaches towards
company training,^31 neither offers specific training
opportunities focusing exclusively on export-controlled
information. Furthermore, officials from approximately 20 percent
of the companies we interviewed told us agency training on export
controls does not provide specific guidance to companies on the
adequate protection of export-controlled information. For example,
these officials said agency training does not provide information
protection options to companies, such as using dedicated
communication lines for e-mail transmissions or limiting employee
access to servers that contain export-controlled information.
Company officials told us government-sponsored training does not
target smaller companies new to the exporting process, which may
not be familiar with necessary measures to securely transfer
export-controlled information. Furthermore, we found agency
training, in particular State's training, is limited to specific
geographic regions of the U.S., which company officials stated
hinders smaller companies with limited budgets from attending.
Although State and Commerce have separate export control
jurisdictions, the 2004 Interagency Offices of Inspector General
report stated that Commerce and State could improve their outreach
by providing joint training that explains the differences between
the two agencies' licensing requirements and procedures--a
recommendation that, according to the report, was shared by
company officials.^32
^30See Recommendations for the Effective Management of Government
Information on the Internet and Other Electronic Records, Interagency
Committee on Government Information (Washington, D.C.: Dec. 16, 2004).
OMB, as the lead agency overseeing the management of these initiatives,
developed a strategy to expand electronic government, which it published
in February 2002. The Interagency Committee on Government Information
(ICGI) was created in June 2003 to implement Section 207 of the
[26]E-Government Act of 2002 , Pub. L. No. 107-347 (2002).
^31Commerce conducts over 100 training events per year. State relies on a
third-party provider for all of its training events. Specifically, State
uses the Society for International Affairs (SIA), a non-profit
organization to run its company training events, which number four events
annually.
Conclusion
The globalization of the U.S. economy and economic interdependence with
the rest of the world has many dimensions. While the export of controlled
information from U.S. companies to foreign business partners is a key
component to maintaining a strong and developing economy, the improper
export of such technology can be detrimental to U.S. security and economic
interests. Developing effective oversight to help ensure the protection of
export-controlled information poses a challenge to the federal agencies
responsible for export control. These risks may increase as electronic
communications and information-transfer capabilities used by companies
that export-controlled information continue to grow. Moreover, the lack of
coordination between Commerce and State on outreach, analysis, and
oversight could hamper their ability to determine whether
export-controlled information may be at risk when foreign nationals are in
U.S. company settings. Without leveraging and properly utilizing available
export license data, these agencies will not be able to fully understand
and assess potential risks associated with the export of controlled
information and develop the proper protections and outreach to help
mitigate the risks associated with such information. Further, in the
absence of guidance from the government, some U.S. companies may not fully
understand these associated risks and the need for applying corresponding
measures of protection.
Recommendations
To improve the Department of Commerce's oversight of export-controlled
information at companies, we recommend that the Secretary of Commerce
direct the Administrator of the Bureau of Industry and Security to take
the following actions:
^32Offices of Inspectors General, Interagency Review of Foreign National
Access to Export-Controlled Technology in the United States, Report No.
D-2004-062 (Washington, D.C.: Apr. 16, 2004).
o Strategically assess potential vulnerabilities in the protection
of export-controlled information using available resources, such
as licensing data, and evaluate company practices for protecting
such information.
o Based on such a strategic assessment, improve its interagency
coordination with the Department of State in the following areas
(1) provide specific guidance, outreach, and training on how to
protect export-controlled information and (2) better target
compliance activities on company protection of export-controlled
information.
To improve the Department of State's oversight of export-controlled
information at companies, we recommend that the Secretary of State direct
the Director of the Directorate of Defense Trade Controls to take the
following actions:
o Strategically assess potential vulnerabilities in the protection
of export-controlled information using available resources, such
as licensing data, and evaluate company practices for protecting
such information.
o Based on such a strategic assessment, improve its interagency
coordination with the Department of Commerce in the following
areas (1) provide specific guidance, outreach, and training on how
to protect export-controlled information and (2) better target
compliance activities on company protection of export-controlled
information.
Agency Comments and our Evaluation
We provided a draft of this report to the departments of Commerce,
Defense, and State for their review and comment. Commerce and State
provided written comments, which are reprinted in appendixes II and III,
respectively.^33 Defense did not have any comments on our draft report.
Commerce generally agreed with our recommendations to assess potential
vulnerabilities related to export-controlled information and to conduct
more targeted outreach and compliance activities. Commerce, in its
response, described planned and recent activities related to its oversight
and outreach efforts on deemed exports, such as the Deemed Export Advisory
Committee and increased export outreach and compliance activities. While
these activities address some unique cases where companies are required to
have a Technology Control Plan (TCP) in place when employing foreign
nationals, they do not fully address how to protect export-controlled
information when transferred electronically and by other intangible means.
As noted in our report, almost half of the company officials we
interviewed told us they have difficulty determining the proper measures
to protect export-controlled information. Commerce also cited a September
2006 American Society for Industrial Security trade association meeting
where it addressed the protection of export-controlled information.
Actions such as this, if conducted on a regular basis, could improve
companies' understanding of how to protect export-controlled information
in today's commonplace business transactions, such as e-mail, e-commerce
exchanges, and intracompany transfers.
^33Commerce's response letter also included comments on our draft report
on export controls at universities, GAO, Export Controls: Agencies Should
Assess Vulnerabilities and Improve Guidance for Protecting
Export-Controlled Information at Universities, [27]GAO-07-70 (Washington,
D.C.: Dec. 5, 2006).
State agreed with our recommendation to improve guidance for exports of
controlled information and disagreed with our report's finding that it
does not assess the potential vulnerabilities associated with
export-controlled information. State responded that it recently tasked its
Defense Trade Advisory Group to develop a best practice guide for industry
on how to comply with the regulations. Such guidance, particularly if it
addresses export-controlled information and is shared on State's Web site,
can help to improve companies' understanding of accepted practices for
protecting such information. Regarding its assessment of potential
vulnerabilities associated with export-controlled information, State
responded that its individual licensing and compliance activities
strategically target its concerns related to exports of controlled
technical data. State added that its assessments of the vulnerabilities
and risks associated with export-controlled information form the basis for
topics addressed at training events and industry conferences, as well as
many regulatory changes. While State's activities may help inform its
individual licensing decisions and identification of specific companies
for possible compliance visits, we found that State is not proactively
using available information to strategically assess the vulnerabilities
associated with the transfer of export-controlled information. For
example, we found State does not use available data from its licensing
activities to strategically target established and emerging business
sectors to aid in its monitoring and oversight of exports of controlled
information. These license data and company records provide a pool of
information, which State could analyze to help discern trends in
export-controlled information. Furthermore, State told us its outreach
visits do not consider export-controlled information in determining
companies to visit and we found that State's training does not provide
specific guidance on export-controlled information. Broader assessments of
the risks and vulnerabilities associated with export-controlled
information will help the department identify ways to improve its
oversight of these exports and its guidance to companies.
We are sending copies of this report to appropriate congressional
committees and to the Secretary of Commerce, the Secretary of Defense, the
Secretary of State. Copies will be made available to others upon request.
In addition, this report will be available at no charge on the GAO Web
site at http://www.gao.gov .
If you or your staff have any questions about this report, please contact
me at (202) 512-4841 or John Neumann, Assistant Director. Other major
contributors to this report were Marie Ahearn, Patrick Baetjer, Jessica
Berkholtz, Amanda Seese, Karen Sloan, Najeema Washington, and Anthony
Wysocki.
John P. Hutton, Acting Director
Acquisition and Sourcing Management
Appendix I: Scope and Methodology
To assess how the government's export control processes apply to the
protection of export-controlled information by U.S. companies, we analyzed
the export control regulations, policies, and compliance practices of the
Department of State and the Department of Commerce. Our analyses of the
regulations included the review, comparison, and contrast of the
Department of State's International Traffic in Arms Regulations (ITAR) and
the Department of Commerce's Export Administration Regulations (EAR),
identifying information pertinent to the export of controlled information
via electronic means and other intangible transfers, or through foreign
national access. We also reviewed export-control policies and practices
within the Department of Defense, including proposed changes to the
Defense Federal Acquisition Regulation Supplement (DFARS) to identify
requirements related to export controls and foreign national access to
sensitive information. We interviewed officials from DTSA to gain more
information regarding the agency's activities as they relate to the export
control practices and policies of Commerce and State. We interviewed
agency officials from the Commerce Department's Bureau of Industry and
Security (BIS) who perform export control related functions, such as
enforcement and administration. Within the State Department's Directorate
of Defense Trade Controls (DDTC), we interviewed officials from the areas
of licensing, compliance, and policy to obtain information on agency
efforts to protect export-controlled information. We also analyzed
information on existing data the lead agencies have at their disposal
regarding the export of controlled information.
To assess steps the government has taken to identify and mitigate risks in
protecting export-controlled information, we analyzed Commerce's and
State's use of existing resources, such as licensing data, to identify
trends and vulnerable areas within company transfers of controlled
information and assessed each agency's export control training and
outreach programs. We examined the extent to which agency resources are
leveraged to mitigate risks associated with the export of controlled
information by reviewing other government-accepted forms of risk
assessment. We reviewed our prior work on risk assessment, which includes
items such as the Federal Information Systems Controls Audit Manual and
the Internal Control Management and Evaluation Tool.
To assess Commerce's and State's export control training and outreach
programs, we reviewed each agency's Web site and training materials issued
by the agencies. We assessed training seminars sponsored by the
Departments of State and Commerce. Specifically, we reviewed information
and practices used at Society for International Affairs (SIA) conferences,
which State sponsors, and BIS training seminars. We also reviewed the
agencies' methodologies for conducting company outreach visits. As part of
our work, we attended several agency-sponsored export control training
events aimed at increasing company knowledge of the export control
regulations.
To further assess our objectives, we interviewed officials from 46 U.S.
companies. We asked them how they protect export-controlled information
through the use of internal controls. We reviewed, and in some instances
obtained various company export control-related documents including,
internal control plans, technology control plans, training manuals related
to export controls, and policies regarding the transfer of electronic
controlled information, including when accessed by foreign national
employees. We also asked company officials to share their views and
experiences regarding government training and outreach pertinent to the
area of export-controlled information. Company officials responded to our
targeted questions regarding export-controlled information, including
views on the effectiveness of government training seminars, the extent of
content provided on agency Web sites, and the quality of advice provided
on agency customer service telephone lines.
We selected our sample of 46 companies from a universe of companies we
developed to represent a wide variety of companies, industry types, and
exporting experiences by analyzing the following sources and databases:
o Commerce Department's Export Control Automated Support System
(ECASS) export license database, looking specifically for
companies that held licenses in the D (Software) and E
(Technology) product groups, which are more prone to be
export-controlled information, for fiscal years 2000-2004.^1
o State Department's Defense Trade Application (DETRA) licensing
database, looking specifically for companies that held a permanent
license for the export of technical data, which are more prone to
be export-controlled information over fiscal years 2000-2004.
o DOD's Contracting Action Report database (DD 350), for Research
Development Test and Evaluation (RDT&E) contracts with small
businesses that are more prone to be export-controlled
information, for fiscal years 2000-2004.
o Commerce's and State's industry outreach, training, and advisory
committee membership lists.
o Industry-specific company directories and our work with agency
and industry experts.
^1At the time of our request, fiscal year 2004 was the most current
license data available from Commerce and State.
To select companies from the universe that represented a range of company
experiences, we applied selection criteria, specifically; companies had to
meet at least one of the following criteria:
o Held a Commerce Department ECASS export license in the D
(Software) and E (Technology) product groups.
o Held a State Department DETRA permanent license for technical
data.
o Held both Commerce and State export licenses. Specifically, the
company held both the aforementioned Commerce Department ECASS
export licenses as well as the State Department DETRA licenses.
o Exporter frequency. We classified a company as a high, medium,
or low frequency exporter based upon its number of export
applications submitted to Commerce, for the Commerce ECASS D&E
product group licenses; and State for DETRA permanent technical
data licenses, using the following categories:
o high--800 or more licenses,
o medium--100-799 licenses, and
o low--1-99 licenses.
o Had a foreign employee presence. The company held Commerce
and/or State export licenses for the export of controlled
information to its foreign national employees, or conducts
business with foreign subsidiaries or partners.
o Was a small business recipient of a DOD RDT&E contract, for
fiscal years 2000-2004.
o Were new exporters or potential exporters, in the process of
applying for an export license to either Commerce or State.
We did not generalize the information and findings we developed from our
work with these 46 companies to the broad universe of all U.S. companies
that export. We conducted this review from January through November 2006
in accordance with generally accepted government auditing standards.
Appendix II: Comments from the Department of Commerce
Appendix III: Comments from the Department of State
(120513)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
www.gao.gov/cgi-bin/getrpt?GAO-07-69 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact John Hutton at (202) 512-4841 or
[email protected].
Highlights of [36]GAO-07-69 , a report to congressional requesters
December 2006
EXPORT CONTROLS
Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting
Export-Controlled Information at Companies
The U.S. government controls exports of defense-related goods and services
by companies and the export of information associated with their design,
production, and use, to ensure they meet U.S. interests. Globalization and
communication technologies facilitate exports of controlled information
providing benefits to U.S. companies and increase interactions between
U.S. and foreign companies, making it challenging to protect such exports.
GAO assessed (1) how the government's export control processes apply to
the protection of export-controlled information, and (2) steps the
government has taken to identify and help mitigate the risks in protecting
export-controlled information. To do this, GAO analyzed agency regulations
and practices and interviewed officials from 46 companies with a wide
range of exporting experiences.
[37]What GAO Recommends
To improve oversight of export-controlled information at companies, GAO
recommends Commerce and State strategically assess vulnerabilities and
improve guidance for protecting such exports. Commerce agreed with GAO's
recommendations. State agreed to improve its guidance, but disagreed on
the need to improve risk assessments. Broader assessments would increase
its knowledge of risks and help improve its guidance to companies.
U.S. government export control agencies, primarily the departments of
Commerce and State, have less oversight on exports of controlled
information than they do on exports of controlled goods. Commerce's and
State's export control requirements and processes provide physical
checkpoints on the means and methods companies use to export controlled
goods to help the agencies ensure such exports are made under their
license terms, but the agencies cannot easily apply these same
requirements and processes to exports of controlled information. (These
checkpoints are summarized in table 1.) For example, companies are
generally required to report their shipments of export controlled goods
overseas with Customs and Border Protection for exports made under a
license, but such reporting is not applicable to the export of controlled
information. Commerce and State expect individual companies to be
responsible for implementing practices to protect export-controlled
information. One third of the companies GAO interviewed did not have
internal control plans to protect export-controlled information, which set
requirements for access to such material by foreign employees and
visitors.
Table 1: Key Agency Checkpoints on Exports of Controlled Goods and
Information
Source: GAO analysis.
Commerce and State have not fully assessed the risks of companies using a
variety of means to protect export-controlled information. The agencies
have not used existing resources, such as license data, to help identify
the minimal protections for such exports. As companies use a variety of
measures for protecting export-controlled information, increased knowledge
of the risks associated with protecting such information could improve
agency outreach and training efforts, which now offer limited assistance
to companies to mitigate those risks. GAO's internal control standards
highlight the identification and management of risk as a key element of an
organization's management control program. GAO also found that Commerce's
and State's communications with companies do not focus on
export-controlled information. For example, Commerce's and State's
Internet Web sites do not provide specific guidance on how to protect
electronic transfers of export-controlled information, a point raised by
almost one fourth of the company officials GAO interviewed.
References
Visible links
18. http://www.gao.gov/cgi-bin/getrpt?GAO-06-638
19. http://www.gao.gov/cgi-bin/getrpt?GAO-05-234
20. http://www.gao.gov/cgi-bin/getrpt?GAO-02-972
21. http://www.gao.gov/cgi-bin/getrpt?GAO-05-207
22. http://www.gao.gov/cgi-bin/getrpt?GAO-05-325SP
23. http://www.gao.gov/cgi-bin/getrpt?GAO-06-638
24. http://www.gao.gov/cgi-bin/getrpt?GAO-02-972
25. http://www.gao.gov/cgi-bin/getrpt?GAO-02-996
26. http://www.cio.gov/archive/e_gov_act_2002.pdf
27. http://www.gao.gov/cgi-bin/getrpt?GAO-07-70
28. http://www.gao.gov/
29. http://www.gao.gov/
30. http://www.gao.gov/
31. http://www.gao.gov/fraudnet/fraudnet.htm
32. file:///home/webmaster/infomgt/d0769.htm#mailto:[email protected]
33. file:///home/webmaster/infomgt/d0769.htm#mailto:[email protected]
34. file:///home/webmaster/infomgt/d0769.htm#mailto:[email protected]
35. http://www.gao.gov/cgi-bin/getrpt?GAO-07-69
36. http://www.gao.gov/cgi-bin/getrpt?GAO-07-69
*** End of document. ***