
Tutorial 4: Frequently Asked Questions about SBIR and ITAR


When you’re involved in an SBIR DoD contract, is it the contracting officer’s responsibility to tell you if the contract is ITAR-controlled? If you ask and they do not know, what are the next steps to take?

This is a great question. It’s not the DoD contracting officer’s job to tell you if it’s ITAR-controlled or not. Most of these regulations come out of the Department of State, not the Department of Defense. It’s the people at the State Department who tell you if it’s ITAR-controlled or not, not the people administering SBIR contracts. They may state in your SBIR documents that it’s ITAR-controlled if it’s particularly sensitive and they want to make certain this is protected, but you can’t rely on that. It’s not their job.

If the contracting officer doesn’t say anything, or if the contract is silent on this matter, you still cannot presume that it’s not ITAR-controlled. In fact, my recommendation is to presume there’s a good chance that it is, and that you need to go through that classification process yourself.

Your responsibility is to perform your own determination of the export jurisdiction and classification of the products and technologies developed under the contract. Go through the Munitions List, go through the Commerce Control List. If you have questions or uncertainty, you can file a Commodity Jurisdiction Request with the State Department. There’s also a way to file a request at the Commerce Department; it’s called a CCATS, a Commodity Classification Request. Again, it’s very valuable: they’ll tell you with certainty whether it’s on the list or not.

Are there any differences whether the foreign party you are dealing with is from a NATO versus non-NATO country?

A: If you have a technology that is ITAR-controlled, you are not permitted to disclose this to foreign nationals of any foreign country unless you obtain an export license or exemptions apply. When you apply for the license, however, that is when the country may become important. The State Department will often have a more liberal licensing policy for NATO countries than for non-NATO countries – so it might grant a license for the export of an item to a NATO country and not to a non-NATO country. A lot depends, of course, on the exact product and other details of the transaction.

Also, under ITAR, there’s a group of countries called the proscribed countries. These are set forth at 22 CFR 126.1. The State Department generally will not grant any ITAR licenses for these countries, except in extreme circumstances.

If a product was developed with SBIR funding, is the first step always to seek a Commodity Jurisdiction Request with the Department of State? Assume that the product can be used for both DoD and commercial applications.

A: The answer is, you’re not required to get a Commodity Jurisdiction Determination. Under ITAR, companies are permitted to do what’s called a self-classification. That means you review the product, and you review the Munitions List, and if you’re very comfortable that your product is not on the Munitions List, then you make the determination that the item is not subject to ITAR. However, if you are uncertain about whether your item is covered on the Munitions List or you wish to obtain legal certainty on this issue, then it is recommended that you obtain a Commodity Jurisdiction Determination from the State Department.

As I mentioned earlier, often your customers are going to ask “Is your product ITAR-controlled?” and often you will want to show them a piece of paper that confirms that the item is not ITAR-controlled, but this is NOT mandatory.

If technical data is going to be stored in the cloud and the cloud provider stores data or backups in a foreign country, would this constitute a violation of ITAR? What if data is encrypted before being stored?

A: The State Department has advised that if companies have ITAR-controlled technical data stored in the cloud, they should not use cloud service providers who will store their data in foreign countries or who use foreign national employees who will have access to the ITAR-controlled technical data, unless they have a license or an exemption is available. There are some cloud providers who have service in the U.S. and they will confirm that they will maintain your data exclusively in the U.S. – but if you are not sure, I would recommend not storing any ITAR-controlled data in cloud resources unless you can obtain confirmation of this.

A related issue involves IT support. A lot of U.S. companies hire outside contractors to run their data systems – and these contractors may not be based in the U.S.; they may be based overseas, in India, for example. The State Department has advised that if the person in India - or another foreign national - has access to your IT system and they can have access to your ITAR-controlled files, that is absolutely prohibited under ITAR. This includes if the person is merely an administrator of your IT system.

So, you absolutely do not want foreign companies running your IT system if you have any ITAR-controlled technical data. Now, the Commerce Department rules for storing technology under the Export Administration Regulations are slightly different. These rules don’t apply to State; this is just for the Commerce Department and the Export Administration Regulations. Under the EAR, companies are permitted to export EAR-controlled technology to certain foreign countries if the technology is encrypted under specified standards and the company complies with a number of other requirements set forth in the regulation. However, this regulation has a number of conditions and requirements, and companies must comply with each of these in order to take advantage of the regulation. Once again, what I just mentioned applies to the EAR, but it does not yet apply to ITAR.

How can you be compliant if you have a foreign national student working for you on a student visa?

The answer is “If you are dealing with products or technical data that are controlled under ITAR or EAR you need to use extreme caution.” Let’s use our three-step strategy. You have a student working in your company on a student visa.

Number one, is your product on the Munitions List, or is it on the Commerce Control List? You’ve got to figure that out right away. If it’s on the Munitions List, you’re not allowed to permit that student to have access to that technical data unless a license is available or an exemption applies. If you inadvertently did let the student have access to it, you may have a violation, and you may need to consider a voluntary disclosure. If the technical data is controlled under the Export Administration Regulations, you may need a license to disclose the product or the technology, depending on the nationality of the student involved.

If your product is controlled and you do want to disclose it to the student, you might be able to do so, but you’d need to obtain an export license to do that. So that’s the second step in the strategy: apply for and receive the export license.

The third step of the strategy is, of course, if your company is involved with ITAR-controlled or EAR-controlled items, you should definitely put compliance procedures in place for the foreign students; for the next student that comes over or for other foreign persons visiting your company, or for your friend from college from Lithuania – you want to have compliance procedures internally so that you can address these problems in advance, rather than wait until the last minute.

Tutorial 4
Frequently Asked Questions about SBIR and ITAR


(1) To determine whether an item is on the Commerce Control List, a company can submit a:

(2) True or False? It is not possible to get an export license for products to be sold to any of the ITAR proscribed countries.

(3) True or False? Although the laws are still evolving, at this point, companies with ITAR-controlled or EAR-controlled technical data absolutely should not have foreign companies running their IT systems.

(4) True or False? Under the EAR, companies are permitted to export EAR-controlled technology to certain foreign countries if the technology is encrypted under specified standards and the company complies with other requirements set forth in the regulation.

(5) If you have a foreign national student come to work for you on a student visa, will you ever be able to share ITAR-controlled or EAR-controlled technical data with that student?
