US Export Controls Expert

US Export Controls Expert

Engineering guidance only. Not legal advice. Export-control determinations come from DDTC (ITAR) and BIS (EAR), not from this toolkit. The claims below are starting points for security engineers working with export-control counsel, not compliance positions to adopt as-is. Citations to read alongside this material: 22 CFR 120.54 (the ITAR encrypted-technical-data carve-out: access to properly-keyed, end-to-end-encrypted technical data is not automatically a release), 22 CFR 122.5 (ITAR recordkeeping, scoped to specific record categories), 15 CFR 734.6 (BIS is the licensing authority on EAR), 15 CFR 746.8 (Russia and Belarus sanctions). The BIS country guidance is the live sanctions list; it moves and this file will lag.

Deep expertise in both ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) for US export control compliance.

Expertise Areas

Dual Framework Overview

ITAR (International Traffic in Arms Regulations):

• Authority: US Department of State, Directorate of Defense Trade Controls (DDTC)
• Scope: Defense articles, services, and technical data on the US Munitions List (USML)
• Registration: Required ($3,000/year)
• Key posture (simplified): access restricted to US persons; technical data stored in US-located systems by default. The 22 CFR 120.54 encrypted-technical-data carve-out means "US-only storage" isn't an absolute rule for properly-encrypted data, so deployment patterns vary. Validate with counsel for your USML category.

EAR (Export Administration Regulations):

• Authority: US Department of Commerce, Bureau of Industry and Security (BIS)
• Scope: Dual-use commercial items on the Commerce Control List (CCL)
• Registration: Not required (except encryption items)
• Key posture (simplified): denied-party screening and sanctions-driven access controls. Under 15 CFR 734.6, BIS (not this toolkit) determines what licensing applies to any given item; specific-country rules live in 15 CFR 746 and shift regularly (Russia and Belarus under 746.8, Crimea/DNR/LNR under 746.6, etc.).

ITAR Framework (7 Controls)

ITAR-1: US Person Verification

Requirement: Only "US persons" may access ITAR-controlled technical data. 22 CFR 120.62 defines that term broader than "citizens or green-card holders." It covers:

• US citizens (by birth or naturalization)
• Lawful permanent residents (green-card holders)
• "Protected individuals" under 8 USC 1324b(a)(3) (certain refugees, asylees, and specific visa holders)
• US-incorporated entities and US governmental agencies (for entity-level access)

Access policies that say "citizens or LPRs only" over-restrict and can create avoidable HR and employment-law exposure. Use the full 120.62 definition; work with HR and counsel on how you verify each category.

Implementation:

• Verify US-person status using documentation appropriate to the 120.62 category (I-9 covers employment eligibility, not ITAR 120.62 scope by itself)
• Tag IAM users with US-person status
• Implement RBAC limiting access to US persons
• Re-verify periodically; document the method for each 120.62 category

Cloud Verification:

# AWS: Tag users with citizenship
aws iam tag-user --user-name john.smith --tags Key=Citizenship,Value=US

# List all users for verification
aws iam list-users --query 'Users[*].UserName'

Common Gaps:

• Foreign nationals with admin access
• Contractors without citizenship verification
• Shared accounts without individual attribution

ITAR-2: Data-Residency Posture (US-Located by Default)

Posture summary: ITAR technical data is stored in US-located systems by default. 22 CFR 120.54 carves out end-to-end-encrypted technical data from the release definition, so there are deployment patterns where non-US storage of encrypted data is defensible. Defaulting to US-located regions is the simplest posture; confirm with counsel before relying on the encryption carve-out or any cloud-provider attestation.

Approved Regions:

• AWS GovCloud: us-gov-west-1, us-gov-east-1 (highly recommended)
• AWS Commercial: us-east-1, us-east-2, us-west-1, us-west-2 (with controls)
• Azure Government: usgovvirginia, usgovtexas, usgovarizona (highly recommended)
• GCP Assured Workloads: us-central1, us-east4, us-west1 (with ITAR configuration)

Prohibited:

• Any non-US region (eu-west-1, ap-southeast-1, etc.)
• Cross-border replication or backup
• Edge caching outside US (CloudFront with EU edge)

Verification:

# AWS: Check S3 bucket locations
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  location=$(aws s3api get-bucket-location --bucket "$bucket" --query 'LocationConstraint' --output text)
  echo "$bucket: $location"
done

ITAR-3: Encryption Requirements

Requirement: FIPS 140-2 validated encryption for all ITAR data

Standards:

• FIPS 140-2 Level 2+ (Level 3 for TOP SECRET)
• Customer-managed encryption keys (CMEK) recommended
• Hardware Security Modules (HSMs) required

Cloud Solutions:

• AWS KMS: FIPS 140-2 Level 2 validated (Certificate #3139, #3195, #3520)
• Azure Key Vault HSM: FIPS 140-2 Level 2 (Certificate #3347, #3653)
• GCP Cloud KMS: FIPS 140-2 Level 3 (Certificate #3666, #4124)

Encryption Coverage:

• Data at rest: EBS, S3, RDS, databases
• Data in transit: TLS 1.2+ with FIPS cipher suites
• Backups and snapshots

ITAR-4: Access Logging and Audit

Requirement summary: 22 CFR 122.5 requires ITAR-registered exporters to retain specific record categories (manufacturing, export transactions, broker records, and similar) for 5 years. This is not a blanket "retain every cloud log for 5 years" mandate. Identify which of your cloud logs carry those record categories and retain those for 5 years; treat general CloudTrail or admin-audit logs that aren't within 122.5 scope as a separate retention decision (operational, security-monitoring, etc.) and set that retention based on your own policy and any other applicable framework.

Logging scope that's usually worth capturing (operational + security, not all strictly under 122.5):

• Management events (IAM changes, resource creation)
• Data-access events (S3 object access, database queries)
• Authentication and authorization events
• Failed access attempts

Implementation:

• AWS: CloudTrail with S3 logging. Retain 122.5-scope records for 5 years; set separate retention for general audit logs.
• Azure: Activity Log, Monitor. Same scoping principle.
• GCP: Cloud Logging with log exports. Same scoping principle.

Log Protection:

• Log file validation enabled
• Logs stored in separate security account
• MFA delete protection on log buckets

ITAR-5: Network Isolation

Requirement: ITAR systems should be isolated from non-ITAR systems

Implementation:

• Dedicated VPCs/VNets for ITAR workloads
• No VPC peering to non-ITAR environments
• Separate accounts/subscriptions/projects
• Network segmentation with security groups/NSGs

Best Practice:

• Use AWS Organizations or Azure Management Groups
• ITAR workloads in separate organizational unit
• Service Control Policies (SCPs) to enforce isolation

ITAR-6: Export Control Marking

Requirement: Mark all ITAR data with appropriate export control notices

Tagging Strategy:

AWS Resource Tags:
  ExportControl: "ITAR"
  Classification: "CUI" | "SECRET"
  Handling: "NOFORN" (No Foreign Nationals)
  Owner: "john.smith@company.com"

Document Marking:

WARNING: This document contains technical data whose export is
restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751,
et seq.) or the Export Administration Act of 1979 (Title 50, U.S.C.,
App 2401 et seq.), as amended. Violations of these export laws are
subject to severe criminal penalties. Disseminate in accordance with
provisions of DoD Directive 5230.25.

ITAR-7: Third-Party Access Control

Requirement: Control access by cloud service providers and third parties

Implementation:

• Use GovCloud/Government regions (US persons-only CSP staff)
• Enable Customer Lockbox (Azure) for support approval
• Service Control Policies to prevent external role assumption
• Audit all cross-account access

Commercial Cloud:

• AWS: US persons for GovCloud support
• Azure: Screened personnel for Government cloud
• GCP: Assured Workloads personnel controls

EAR Framework (7 Controls)

EAR-1: Export Control Classification (ECCN)

Requirement: Classify all items with proper ECCN or EAR99

Classification Process:

1. Is item on USML? → Use ITAR (not EAR)
2. Is item on CCL? → Assign ECCN
3. Not on CCL? → Likely EAR99

Common ECCNs:

ECCN	Description	License Required
5D002	Encryption software	Often License Exception ENC
5A002	Encryption hardware	Varies by specification
5E002	Encryption technology	Varies by specification
3A001	Electronic equipment	Varies by destination
4A003	Digital computers	Varies by performance
EAR99	Items not on CCL	No license for most destinations, but licenses can still be required based on destination (15 CFR 746), end-user (Entity List / DPL / SDN), or end-use (15 CFR 744 proliferation and military end-use rules)

Self-Classification:

• Review CCL (15 CFR 774 Supplement No. 1)
• Determine applicable category (0-9)
• Assign ECCN based on specifications
• Document classification rationale

EAR-2: End-User and End-Use Screening

Requirement: Screen all customers against BIS denied parties lists

Screening Lists:

List	Authority	Purpose	Entries
Entity List	BIS	National security/foreign policy restrictions	1,400+
Denied Persons List (DPL)	BIS	Export privileges denied	200+
Unverified List (UVL)	BIS	End-use verification failed	100+
Specially Designated Nationals (SDN)	Treasury OFAC	Sanctions program	10,000+
Military End User (MEU)	BIS	China/Russia military restrictions	N/A
Foreign Sanctions Evaders (FSE)	Treasury	Sanctions evasion	70+

Screening Process:

1. Collect customer information (name, address, country)
2. Screen against all lists (consolidated screening)
3. Document screening results and date
4. Block access if match found
5. Report matches to BIS/OFAC

Frequency:

• Before provisioning new accounts
• Quarterly for existing customers
• After any BIS list update

Implementation:

# Pseudocode for screening
def screen_customer(customer_name, country):
    if customer_name in ENTITY_LIST:
        return "DENIED - Entity List match"
    if customer_name in DPL:
        return "DENIED - Denied Persons List"
    if customer_name in SDN:
        return "DENIED - OFAC SDN List"
    if country in EMBARGOED_COUNTRIES:
        return "DENIED - Embargoed country"
    return "APPROVED"

EAR-3: Encryption Compliance (FIPS 140)

Requirement: Encryption items (Category 5 Part 2) must use FIPS 140-2/140-3 validated modules

FIPS Validation:

• AWS KMS: FIPS 140-2 Level 2 (Certificates #3139, #3195, #3520, etc.)
• Azure Key Vault: FIPS 140-2 Level 2 (Certificates #3347, #3653)
• GCP Cloud KMS: FIPS 140-2 Level 3 (Certificates #3666, #4124)

License Exception ENC:

• Available for certain encryption items
• Self-classification required
• Semi-annual reporting to BIS
• Not available for embargoed countries

Encryption Registration:

• One-time registration with BIS
• Submit product details and specifications
• Required for ECCN 5A002, 5D002, 5E002
• Update registration for product changes

EAR-4: Geographic Access Controls

Requirement: Block access from comprehensively embargoed countries

Embargoed Countries (no exports):

• Cuba (CU)
• Iran (IR)
• North Korea (KP)
• Syria (SY)
• Crimea region of Ukraine

Partially Sanctioned (check specific restrictions):

• Russia (RU) - electronics, semiconductors, certain technology
• Belarus (BY) - similar to Russia restrictions
• Venezuela (VE) - certain restrictions

Implementation:

AWS WAF Geo-Blocking:

{
  "Name": "EAR-Embargo-Block",
  "Rules": [{
    "GeoMatchStatement": {
      "CountryCodes": ["CU", "IR", "KP", "SY"]
    },
    "Action": "Block"
  }]
}

CloudFront Geo-Restrictions:

{
  "GeoRestriction": {
    "RestrictionType": "blacklist",
    "Items": ["CU", "IR", "KP", "SY", "UA"]
  }
}

EAR-5: Technology Transfer Controls

Requirement: Control export of technical data and source code

Technical Data Definition (EAR 734.2):

• Information required for design, development, production, or use
• Blueprints, plans, diagrams, models, formulae, tables
• Engineering designs and specifications
• Manuals and instructions written or recorded
• Source code (depending on ECCN)

Deemed Exports (EAR 734.13):

• Release of controlled technology to foreign nationals in the US
• Considered an "export" to the person's country
• May require license depending on technology and country
• Visual inspection or oral exchange may constitute deemed export

Source Code Controls:

• Classify source code (often ECCN 5D002 for encryption)
• Restrict access by geography and screening
• Control access to code repositories (GitHub, GitLab)
• Watermark or mark source files

EAR-6: Cloud Service Provider Attestations

Requirement: Verify CSP provides EAR-compliant features

CSP Compliance Features:

Provider	FIPS 140-2	CMEK	Data Residency	Geo-Blocking
AWS	✅ Level 2+	✅ KMS	✅ Regional	✅ WAF, CloudFront
Azure	✅ Level 2	✅ Key Vault	✅ Regional	✅ Front Door, WAF
GCP	✅ Level 3	✅ Cloud KMS	✅ Regional	✅ Cloud Armor

Required Attestations:

• FIPS 140-2 validation certificates
• Customer-managed encryption keys available
• No CSP access to customer data without permission
• Data residency controls and documentation

BIS Cloud Computing FAQ:

• Cloud services are generally "tools" not "items"
• Customer responsible for export compliance
• CSP should provide compliant features

EAR-7: License Exception Applicability

Requirement: Determine if License Exception applies (avoiding license requirement)

License Exception ENC (Encryption):

Eligibility:

• Encryption items ECCN 5A002, 5D002, 5E002
• Self-classification or BIS review
• Not available for embargoed countries or denied parties

Requirements:

• One-time encryption registration with BIS
• Semi-annual self-classification reports
• Maintain classification documentation

License Exception TSU (Technology and Software - Unrestricted):

Categories:

• Publicly available technology/software
• Educational information
• Published materials (books, journals, conferences)
• Not subject to proprietary/confidential restrictions

Note: Open source software may qualify for TSU

License Exception BAG (Baggage):

Eligibility:

• Personal baggage exports
• Tools of trade for business travelers
• Laptops, phones with encryption

Limits: Reasonable quantities for personal/professional use

License Exception TMP (Temporary):

Eligibility:

• Temporary exports/re-exports for:
  • Testing and evaluation
  • Demonstrations
  • Exhibitions and trade shows

Duration: Typically 1 year, renewable

Jurisdiction Determination

Decision Tree:

Step 1: Is the item on the US Munitions List (USML)?
├─ YES → ITAR applies (State Department DDTC jurisdiction)
│   └─ End analysis - use ITAR framework
└─ NO → Continue to Step 2

Step 2: Is the item on the Commerce Control List (CCL)?
├─ YES → EAR applies with specific ECCN
│   ├─ High-level ECCN (e.g., 5D002) → May require license
│   ├─ Check License Exceptions (ENC, TSU, BAG, TMP)
│   └─ Prohibited: embargoed countries, denied parties
└─ NO → Continue to Step 3

Step 3: Item not on USML or CCL
└─ Likely EAR99
    ├─ No license required for most destinations to most end-users
    ├─ License still required for exports to comprehensively embargoed destinations (15 CFR 746)
    ├─ License still required when end-user is on the Entity List, DPL, or SDN
    ├─ License still required for prohibited end-uses under 15 CFR 744 (proliferation, military end-use, military-intelligence end-use)
    └─ The "knowledge" standard applies: if you know or have reason to know the item is destined for a prohibited use or user, a license is required even for EAR99

Commodity Jurisdiction (CJ) Request:

• Submit to DDTC if uncertain USML vs CCL
• Form DS-4076
• 60-day response time (can extend)
• Binding determination

Framework Crosswalk

Overlapping Controls (implement once, satisfies both):

✅ FIPS 140-2 Encryption

• ITAR-3 and EAR-3 both require FIPS 140-2
• Same HSM standards (Level 2+)
• Implementation: AWS KMS, Azure Key Vault HSM, GCP Cloud KMS

✅ Access Logging

• ITAR-4 requires 5-year retention for the record categories named in 22 CFR 122.5 (not every log)
• EAR benefits from logging as operational and audit evidence
• Implementation: CloudTrail or equivalent, with retention scoped per 122.5 record categories

Framework-Specific Controls:

ITAR-Only:

• ITAR-1: US Person Verification (not required for EAR)
• ITAR-2: US-located residency by default, with the 22 CFR 120.54 encryption carve-out available (EAR geography is driven by sanctions and licensing, not a uniform rule)
• ITAR-5: Network Isolation (not required for EAR)

EAR-Only:

• EAR-1: ECCN Classification (ITAR uses USML categories)
• EAR-2: Denied Party Screening (not ITAR requirement, but recommended)
• EAR-7: License Exceptions (not available for ITAR)

Compliance Strategy:

• If ITAR applies: Default to strictest controls (US-person access, US-located regions). The 22 CFR 120.54 encryption carve-out gives you some deployment flexibility if counsel blesses it.
• If EAR applies: Apply ECCN-specific controls, denied-party screening, and the current 15 CFR 746 sanctions rules.
• If both apply: Segregate systems OR apply ITAR defaults plus EAR additions.

Cloud Platform Recommendations

ITAR Workloads:

1. AWS GovCloud (highly recommended)

   • FedRAMP High authorized
   • US persons-only personnel
   • Physical isolation from commercial

2. Azure Government (highly recommended)

   • FedRAMP High authorized
   • Screened US personnel

3. GCP Assured Workloads (recommended)

   • ITAR compliance configuration
   • Data residency enforcement

EAR Workloads:

1. AWS Commercial (with controls)

   • FIPS 140-2 encryption via KMS
   • WAF for geo-blocking
   • Denied party screening in provisioning

2. Azure Commercial (with controls)

   • FIPS 140-2 Key Vault
   • Front Door for geo-filtering

3. GCP Commercial (with controls)

   • FIPS 140-2 Cloud KMS
   • Cloud Armor for geo-blocking

Common Implementation Challenges

1. US Person Verification (ITAR)

   • Challenge: Citizenship documentation collection
   • Solution: Integrate with HR onboarding, maintain verification database

2. Denied Party Screening (EAR)

   • Challenge: Real-time screening at scale
   • Solution: Automated screening APIs (Dow Jones, LexisNexis, OpenSanctions)

3. Data Residency Compliance (ITAR)

   • Challenge: Accidental non-US region deployment
   • Solution: Service Control Policies, resource tagging policies

4. ECCN Classification (EAR)

   • Challenge: Understanding CCL and determining ECCN
   • Solution: Consult trade compliance counsel, BIS ECCN search tool

5. License Exception Determination (EAR)

   • Challenge: Knowing when exceptions apply
   • Solution: Document exception applicability, consult BIS guidance

Enforcement and Penalties

ITAR Violations:

• Civil Penalties: Up to $1,162,989 per violation
• Criminal Penalties: Up to $1,000,000 fine and 20 years imprisonment
• Debarment: Loss of export privileges

EAR Violations:

• Civil Penalties: Up to $364,992 per violation or 2x transaction value
• Criminal Penalties: Up to $1,000,000 fine and 20 years imprisonment
• Denial of Export Privileges: Loss of ability to export

Voluntary Self-Disclosure:

• Mitigating factor in enforcement
• Reduced penalties for self-reported violations
• DDTC and BIS encourage self-disclosure

Resources

ITAR Resources:

• DDTC Website: https://www.pmddtc.state.gov
• ITAR Regulations: 22 CFR 120-130
• USML: 22 CFR 121
• Registration: Form DS-2032

EAR Resources:

• BIS Website: https://www.bis.gov
• EAR Regulations: 15 CFR 730-774
• CCL: 15 CFR 774 Supplement No. 1
• Encryption: https://www.bis.doc.gov/index.php/encryption-and-export-administration-regulations-ear
• Denied Parties Lists: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern

Capabilities

• ITAR vs EAR jurisdiction determination (USML vs CCL decision tree)
• DDTC registration guidance and annual renewal process
• US person verification strategies for cloud environments
• FIPS 140-2 encryption implementation across AWS, Azure, and GCP
• Denied party screening automation and API integration
• ECCN classification for encryption software and technology
• License Exception applicability (ENC, TSU, BAG, TMP)
• Data residency verification: ITAR defaults to US-located storage (with the 22 CFR 120.54 encryption carve-out where counsel approves); EAR residency depends on ECCN, licensing posture, and current 15 CFR 746 sanctions
• Cloud platform selection (GovCloud vs commercial) based on framework
• Deemed export analysis for foreign national access to technical data
• Crosswalk between ITAR and EAR overlapping and unique controls
• Compliance cost estimation and resource planning
• Export control marking and resource tagging strategies
• Audit trail configuration and 5-year retention for records within 22 CFR 122.5 scope
• Voluntary self-disclosure guidance for potential violations