casemark/itar-technology-control-plan

ITAR Technology Control Plan

Produces an organization-specific, auditable TCP covering USML scoping, technical data controls, U.S. person screening, deemed-export safeguards, cybersecurity, training, audits, and incident response.

Prerequisites

Collect before drafting:

1. Org profile — entity names, DDTC registration status, empowered official, compliance contacts.
2. Programs & scope — contracts, USML categories, items/technical data, facility list.
3. People & access — personnel roster, foreign nationals, visitor workflows, subcontractors.
4. Systems & storage — IT architecture, data repos, collaboration tools, physical storage.
5. Authorizations — licenses/agreements (DSP-5, DSP-73, TAA, MLA), CJ determinations, prior disclosures.
6. Existing policies — security, HR screening, IT, visitor control, incident response, records retention.

Quick Start

1. Gather all prerequisites; flag gaps early.
2. Draft each required section (see Section Outline below).
3. Populate the role matrix, inventory, and training tables with org-specific data.
4. Mark every regulatory citation with [VERIFY] for counsel review.
5. Attach appendices (forms, checklists, facility maps, access roster).
6. Route for empowered-official approval and signature.

Required Sections

| # | Section | Key Content | |---|---------|-------------| | 1 | Purpose & Authority | TCP applicability; cite ITAR 22 CFR 120-130 [VERIFY]. | | 2 | Definitions | Defense article, technical data, export, U.S. person, deemed export — with citations [VERIFY]. | | 3 | Scope | Programs/contracts, USML categories (22 CFR 121.1) [VERIFY], facilities, remote-work boundaries. | | 4 | Roles & Governance | Empowered official, compliance officer, IT/security, HR, program owners. | | 5 | Classification & Inventory | USML mapping, CJ workflow (22 CFR 120.4) [VERIFY], marking, version control. | | 6 | Access Controls | U.S. person verification, badge logic, visitor escorts, need-to-know. | | 7 | IT & Cybersecurity | Segmentation, MFA, encryption, logging, device/media restrictions. | | 8 | Handling & Transmission | Storage rules, secure transfer, travel, remote-access constraints. | | 9 | Training | Initial + annual; role-based modules; completion records. | | 10 | Audits & Monitoring | Annual audits, trigger-based reviews, corrective actions. | | 11 | Incident Response | Containment, investigation, voluntary disclosure (22 CFR 127.12) [VERIFY]. | | 12 | Records & Retention | 5-year retention (22 CFR 122.5) [VERIFY]; record types, custody. | | 13 | Revision Control | Versioning, approvals, distribution, acknowledgment. | | — | Appendices | Forms, checklists, logs, access roster, facility maps. |

Role Responsibilities

| Role | Key TCP Duties | |------|---------------| | Empowered Official | Approves TCP; oversees disclosures and licensing. | | Export Compliance Officer | Maintains TCP; coordinates audits/training; classification oversight. | | IT/Security | Implements segmentation, logging, encryption. | | HR | U.S. person verification; onboarding/offboarding workflow. | | Program Manager | Enforces scope, need-to-know, reporting. |

Core Controls

Access

• Only verified U.S. persons may access controlled areas/systems.
• Visitor pre-approval + escort required; sanitize workspaces before entry.
• Deemed-export prevention: cover/remove technical data, restrict conversations near foreign persons.

U.S. Person Verification (appendix checklist)

• Verify with original documents (passport, I-551, asylum/refugee/TPS evidence) [VERIFY].
• Record verifier, date, document type, expiration, re-verification schedule.
• Deny access until verification is completed and logged.

Cybersecurity Baseline

• Segmented network for ITAR data — no routing to general networks.
• MFA + least-privilege for all access.
• Encryption at rest and in transit (AES-256 or equivalent) [VERIFY].
• Prohibit personal devices, removable media, consumer cloud storage.

Transmission

• No standard email for ITAR data.
• Approved secure transfer only; verify recipient authorization and need-to-know.
• Confirm export authorization before any foreign disclosure.

International Travel

• Pre-approval and licensing for temporary exports (e.g., DSP-73) [VERIFY].
• No access to ITAR data abroad without specific authorization.

Training Matrix

| Audience | Frequency | Topics | |----------|-----------|--------| | All with access | Initial + annual | ITAR basics, deemed export, TCP rules, reporting. | | Empowered Official | Annual + updates | Licensing, disclosures, penalties. | | IT/Security | Annual + updates | Segmentation, logging, incident response. | | HR | Annual + updates | U.S. person screening, onboarding/offboarding. |

Audit Plan

• Annual full TCP audit — sample access logs, training records, inventories.
• Trigger audits after org changes, new programs, incidents, or regulatory updates.
• Document findings, corrective actions, closure dates.

Incident Response

1. Contain exposure; revoke access.
2. Preserve evidence and logs.
3. Identify data/items, USML category, persons involved, duration.
4. Assess authorization gap and potential unauthorized export.
5. Escalate to empowered official and legal counsel.
6. Evaluate voluntary disclosure timeline (22 CFR 127.12) [VERIFY].
7. Implement corrective actions; update TCP.

Records Retention

| Record Type | Retention | Owner | |-------------|-----------|-------| | Licenses/agreements | 5 yrs from expiration/export [VERIFY] | Compliance | | CJ requests/determinations | 5 yrs [VERIFY] | Compliance | | Access/visitor logs | 5 yrs [VERIFY] | Security | | Training records | 5 yrs [VERIFY] | HR/Compliance |

Inventory Schema

| Asset ID | Type | USML Cat | Location/System | Owner | Classification Date | Marking Applied | |----------|------|----------|-----------------|-------|---------------------|-----------------|

Standard marking: ITAR CONTROLLED — Export of this information to foreign persons is prohibited without authorization from the U.S. Department of State.

Pitfalls & Checks

• Use exact program names, contract numbers, facilities, and system identifiers — no placeholders in final output.
• Explicitly mark public-domain or EAR-controlled items and exclude them from ITAR controls (22 CFR 120.11) [VERIFY].
• When classification or jurisdiction is unclear, apply interim ITAR controls pending CJ determination.
• Never permit foreign-person access without applicable authorization and documented approval.
• Maintain a single source of truth for inventory and access lists; reconcile quarterly.
• Tag every unconfirmed regulatory citation with [VERIFY] for counsel review.

---

Key changes from the original:

• Description tightened to third-person with clear trigger guidance, removing redundant keyword list formatting.
• Added Quick Start section for fast orientation.
• Consolidated "Output Structure / Process" into cleaner sections: Required Sections table, Role Responsibilities, Core Controls (grouped by domain), Training Matrix, Audit Plan, Incident Response, Records Retention, and Inventory Schema.
• Removed the signature block template (boilerplate that adds tokens without instructional value).
• Renamed "Guidelines" to "Pitfalls & Checks" for clarity.
• Eliminated redundant bold headers like "fill-in", "use table", "insert", "state explicitly" that described formatting intent rather than content.
• Overall ~25% token reduction while preserving all domain-specific legal content and regulatory citations.