Here’s a question we see all the time: We’re registered as a manufacturer of defense articles, but we do not export. So, why do we need a compliance program with written policies and procedures?
To answer this question, let me provide a real-world illustration from a recent Government Accounting Office (GAO) document. A special “heads-up” to any readers who are going after U.S. Government contracts, although the same flow-down requirements and clauses will apply just as much to subcontractors as they do to primes. Recently, a manufacturer responded to a request for proposal (RFP) issued by the Department of the Army. The evaluation factors for phase one of the RFP were cited. One of these factors was:
Factor I – Technical
Sub-Factor A. Manufacturing (Go / No-Go)
Now, let’s pause right there. What, exactly, does this mean? On the surface, it seems to imply that the manufacturer submitting the RFP should be able to – well, manufacture – the items in question, right? It implies that, at a minimum, the ability to manufacture will directly result in a “Go” or “No-Go” decision, irrespective of everything else contained in the RFP. But dig a little deeper. The language around this particular factor is spelled out in more detail.
In particular, this factor lists five areas of “manufacturing” that will be taken into consideration when evaluating the RFPs. These five areas are (emphasis mine): ITAR Compliance; ISO 9001 Certification; Facilities; Manufacturing Capabilities; and Production Schedule. The RFP goes on to state that: “The Government will evaluate the proposals in terms of the stated minimum requirements. Failure to meet the minimum requirements will eliminate the proposal from further evaluation and potential contract award.”
So, what happened next? The manufacturer submitted its response to the RFP, and was told that it had been excluded from the competitive range. (In other words, “No-Go.”) Next, the manufacturer filed an agency-level protest which, upon review, concluded that the U.S. Army was justified in its “No-Go” decision because the manufacturer had failed to meet the minimum requirements for ITAR compliance, facilities, and production schedule elements. To be clear, the RFP language stated that a number of different elements had to be met in order to qualify for “ITAR Compliance.” What – exactly – were those requirements? Keep reading.
ITAR requirements: Is the bare minimum good enough?
Among those requirements listed in the RFP were the following:
- The company is ITAR compliant, or has a viable plan to become ITAR compliant prior to contract award;
- The company has appointed an employee to be responsible for ITAR compliance;
The company has established the following:
- Written policies and procedures for employees performing activities subject to ITAR and/or handling ITAR-controlled items or data;
- Procedures for the receipt, handling, storing, implementation and testing of ITAR-controlled items,
- Procedures for the restriction of access by foreign nationals to ITAR-controlled items or data;
- An auditing procedure for ITAR compliance;
- Procedures for actions to be taken if a violation is discovered
Whoa! Hold on just a minute. Remember what I said at the beginning? We’re already registered with DDTC and we don’t export anything. So, why do we need written policies and procedures for ITAR compliance? Using this basic logic, the manufacturer filed a second protest – this time with the GAO.
GAO’s perspective: DDTC registration is not enough
The GAO considered the arguments raised by the manufacturer and the position that had been taken by the U.S. Army in rendering its “No-Go” decision. The manufacturer asserted in its protest that it was “ITAR compliant and is evidenced by the fact that [it is] already registered with the DDTC [Directorate of Defense Trade Controls], which by default requires a designated security officer and maintenance of records showing compliance per ITAR Section 122.”
What did the Army have to say about all of this? They asserted that the manufacturer’s statements in its proposal that it had satisfied the ITAR compliance requirements were “completely inaccurate.” The Army went on to state that the manufacturer “incorrectly assumes the Agency was looking merely for ITAR registration with DDTC,” when – in fact – the RFP makes it clear that much more detail was required. Furthermore, the Army stated: “ITAR compliance as described within the Solicitation may not be deduced simply through registration with the U.S. Department of State Directorate of Defense Trade Controls (DDTC).”
GAO upheld the Army’s decision, stating: “Accordingly, we agree with the Army that [the manufacturer’s] proposal was inadequate with regard to ITAR requirements, that it did not provide the level of information regarding ITAR compliance required by the RFP.”
More than just a registration code
Did you catch that? I will repeat it here: ITAR compliance is not simply a matter of registering with DDTC.
ITAR compliance is much more than simply registration and annual renewals. And, more importantly, the U.S. Government’s application of standards for ITAR compliance are now reaching throughout the fabric of all ITAR-related activities (manufacturing, exporting and brokering). Simply put, registration alone is no longer sufficient. The designation of compliance officers and written compliance policies/procedures are necessary for an ITAR compliance program, as well as the continual auditing of that compliance program and the company’s adherence to the program.
This GAO decision will have far-reaching implications for future companies pursuing government contracts (or subject to the same flowdown requirements). Is your company well-positioned for “Go” or “No-Go”?
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.