Export Controls
Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting Export-Controlled Information at Companies
GAO ID: GAO-07-69 December 5, 2006
The U.S. government controls exports of defense-related goods and services by companies and the export of information associated with their design, production, and use, to ensure they meet U.S. interests. Globalization and communication technologies facilitate exports of controlled information, providing benefits to U.S. companies, and increase interactions between U.S. and foreign companies, making it challenging to protect such exports. GAO assessed (1) how the government's export control processes apply to the protection of export-controlled information, and (2) steps the government has taken to identify and help mitigate the risks in protecting export-controlled information. To do this, GAO analyzed agency regulations and practices and interviewed officials from 46 companies with a wide range of exporting experiences.
U.S. government export control agencies, primarily the departments of Commerce and State, have less oversight on exports of controlled information than they do on exports of controlled goods. Commerce's and State's export control requirements and processes provide physical checkpoints on the means and methods companies use to export controlled goods to help the agencies ensure such exports are made under their license terms, but the agencies cannot easily apply these same requirements and processes to exports of controlled information. For example, companies are generally required to report their shipments of export-controlled goods overseas with Customs and Border Protection for exports made under a license, but such reporting is not applicable to the export of controlled information. Commerce and State expect individual companies to be responsible for implementing practices to protect export-controlled information. One-third of the companies GAO interviewed did not have internal control plans to protect export-controlled information, which set requirements for access to such material by foreign employees and visitors.
Commerce and State have not fully assessed the risks of companies using a variety of means to protect export-controlled information. The agencies have not used existing resources, such as license data, to help identify the minimal protections for such exports. As companies use a variety of measures for protecting export-controlled information, increased knowledge of the risks associated with protecting such information could improve agency outreach and training efforts, which now offer limited assistance to companies to mitigate those risks. GAO's internal control standards highlight the identification and management of risk as a key element of an organization's management control program. GAO also found that Commerce's and State's communications with companies do not focus on export-controlled information. For example, Commerce's and State's Internet Web sites do not provide specific guidance on how to protect electronic transfers of export-controlled information, a point raised by almost one-fourth of the company officials GAO interviewed.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.