
Episode 3

Export Compliance Overlap


About This Episode

Podcast Episode 3
June 4, 2024 - 38 mins

The number of compliance frameworks is seemingly endless. The lack of standards is problematic enough. Even more problematic, however, is how the compliance frameworks overlap with one another. When it comes to International Trade and Export Compliance, the problem of overlap is accentuated by the fact that there is not a definitive ‘framework’ for export compliance. Nearly everything is determined on a case-by-case basis.

Today’s guest is Sara Hougland, Director of Trade Compliance here at Kratos. During our conversation, we cover export compliance at a high level, discuss the concept of “due diligence”, distinguish ITAR from EAR (and vice versa), and talk about the specifics of export compliance. As mentioned above, ITAR compliance is not a one-size-fits-all approach. Sara brings her extensive knowledge and experience in the field to provide great information on what, exactly, “ITAR compliant” means and how it benefits an organization.


Episode Transcript

Cole French:

If you’re wrestling with questions like, “What is an export?”, “How do I mark export controlled information?” Or, “What is due diligence?” You’ll want to tune into today’s episode as we dig into these questions and so much more.

Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance helping you leverage compliance as a tool to drive your business’ ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisor and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services and healthcare. Now let’s get to today’s episode and help you move cybersecurity forward.

One of the biggest challenges in the compliance world is the concept of overlap. In some way or another, all compliance frameworks have some degree of overlap with each other. What an organization puts in place to meet one framework will also meet the requirements of other frameworks. The troublesome part of this for organizations is what is the best way to leverage all of the overlap? In other words, does it make sense to expend a little more effort to implement solutions that address requirements across multiple frameworks? Organizations that leverage overlap properly set themselves up for success. But what about overlap that doesn’t derive from other frameworks? Joining me on today’s episode is Sara Hougland, a trade expert here at Kratos who specializes in export compliance. Today we’re going to dig into export compliance, which often overlaps with other compliance frameworks. We’ll cover questions like, what is an export? How do I mark export-controlled information? And what are my responsibilities and due diligence? In addition, we’ll dig a bit deeper into how you can build export compliance into other compliance efforts to leverage implementations across requirements. We hope you enjoy this episode.

Sara, just want to say up front, thank you for taking some time to join us on the Cyber Compliance and Beyond podcast today. We look forward to what you can teach us about export compliance through your experience. Let’s jump right in. For those, our listeners out there, wondering what is export compliance, could you just start by defining exports? I guess, when defining it, just think of organizations that maybe even have no experience in this area and aren’t even sure if they have products or services that this may be applicable to.

Sara Hougland:

Sure, Cole. Well, thanks for having me. Trade compliance never gets invited to the fun party, so it’s fun to be here. To answer your question, I hear companies say all the time, we don’t ship anything so we don’t export, but physically, shipping something is the most obvious form of exporting, but it’s also defined in a few other ways that aren’t so obvious.

First, sharing any data with a non-US person, it’s an export. For example, sending an email to a non-US person or sharing a user’s manual or sending anything over an FTP site to a non-US person, these types of transactions and activities happen all the time. You think about just being so digitally inclined with emails and SharePoint and Teams.

The other way is providing a service to a non-US person, if you’re traveling overseas to provide assistance with installation, integration testing, providing a product demonstration, or even over-the-phone maintenance and warranty support. Not all exports require an authorization, but the first step is recognizing that you’re engaging in an export.

Cole French:

Do you find that distinguishing between products and services is challenging to organizations, because it sounds like a product is something very defined, something very tangible, whereas a service it sounds like, could be a lot of different things and even I guess, branching off into software and how does software factor into this? Because I guess software’s a product, but also at what point does it become an export versus if you could just dive into that a little bit.

Sara Hougland:

Sure. Obviously, all products have an export control. We can talk a little bit more about International Traffic in Arms Regulations or the ITAR, the Export Administration Regulations or the EAR. Both of those regulations define our export controls. A product is either ITAR or EAR. Software falls in those same two buckets and so do services, so determining how your product deliverable is controlled is key.

Also, when just thinking about exporting, this function is very unique in that it touches every part of the organization and not a lot of people think about it that way. If we even take HR as an example, if you hire a non-US person, the US regulations see that as an export to that person’s nationality. You can be sending them data all day long. You’ve been exporting to that non-US person all day long, even though they’re an employee in a US company.

If you think about procurement, you’re sourcing from abroad. Are you sending a technical spec? Is it marked for export control purposes? A little bit more obvious is sales. Obviously, if you’re marketing to non-U.S. territories, you’re engaging in a potential export. Business development, marketing, same thing, if you’re marketing to companies abroad. All of that touches export compliance. It’s a very holistic approach, I think, with export compliance and it having an effect on the entire business.

Cole French:

Just to make sure I got that, because I don’t think I’ve ever actually thought of it quite this way, but essentially, an export is really anything that’s coming from a U.S. entity or U.S. person and going to, or being provided to, or being demonstrated to, or in some way being communicated to a non-US person, am I understanding that right?

Sara Hougland:

Absolutely, yes. That’s step one. It’s absolutely an export. Then, our step two is always, okay, now is it controlled? Do you need an authorization?

Cole French:

That’s a pretty broad and vast, that’s literally everything I guess and in a lot of these multinational corporations, I would imagine, a very difficult and tedious thing to work through. You mentioned controls, so I guess, okay, we define what an export is, so how do I know if I need to control the export and why are export controls so important? What type of enforcement is expected from the government, things like that, if you could dive into that?

Sara Hougland:

Sure. I think what makes export compliance different and more complicated than any other regulation is that there are so many regulatory bodies that govern this area. When you talk about overlap and complications, I think this is the gold standard export compliance. You have Department of State, who oversees the ITAR. You have Department of Commerce that looks after the EAR. You have Treasury Department, specifically Office of Foreign Assets Control that oversees sanctions, which are blocking of assets of certain individuals or entities or imposing the larger trade restrictions.

The United Nations also has a play in this because they oversee economic embargoes, and then Customs and Border Protection navigate the physical exports leaving the country. Then, to make it even more complicated, you have to consider the political environment. Right now, there are acts of war. It changes the international landscape so quickly. Can we walk through a ridiculous example of an export?

Cole French:

Yeah.

Sara Hougland:

You go to Best Buy or I don’t know if anyone does that anymore, you go to Amazon and you purchase a standard COTS computer that you want to ship to Canada. Okay, so that’s a pretty safe standard COTS computer going to Canada, pretty benign, you would think no license required. If I ask you who the end-user is and you say the Taliban, well, then all of a sudden, this very simple transaction is now very problematic. The Taliban is listed on various bad guy lists. The regulations, they overlap. A very seemingly benign transaction can become very complicated with politics and restrictions and a very easy transaction can be a no-go very quickly.

With your question about enforcement, so if we keep using this example and you go ahead and ship the item and say you shipped 10 of them, well, the US government can see that as 10 separate violations and fines can be about a million dollars per violation. It’s more than that with inflation. I think it’s 1.2 million at this point.

Then, there’s also the non-monetary aspects. We’ve seen headlines that company XYZ was fined however many millions of dollars for export compliance infractions. State Department, Commerce, Treasury, even Customs, none of them are shy about blasting who got caught for what. The reputation of that company can go tank very instantly.

Cole French:

That’s something we talk a lot about within cybersecurity is the reputational impact. Leaning a little bit on your expertise, doing trade compliance on a day-to-day basis, you mentioned all these different government entities, these different sort of, there’s embargoes and there’s political environment, there’s all these different things that you have to take into account and you mentioned the ridiculous example that I think is very easy to understand, but leaning more towards what you do on a day-to-day basis within trade compliance, what does this look like?

Is this is the importance on an awareness and everyone bringing it to you within trade compliance and working on it from there? How do you work these instances that come up and make affirmative determinations on what exactly needs to be done, what controls need to be put in place? If you could just elaborate on that a little bit.

Sara Hougland:

Sure. Well, with every good compliance program comes solid policies and procedures and they should all point to involvement with trade compliance very early on, whether that be product development, engaging trade compliance, early to figure out how it might be controlled so we can navigate future sales. It could be hiring that non-US person, having that insight early on so we can get proper authorizations in place before they start.

Even with procurement, having them come to trade compliance for a review of a technical spec they might need to send out for bid approval process for a vendor abroad. Sales and marketing, engaging us early to figure out can we even market to this country? What about this end-user? Do they fit all the checks? I think with every function, having defined policies where trade compliance is integrated into those steps, is very helpful.

Cole French:

Is that the concept of, I hear the concept of due diligence a lot, is that essentially what you’re referring to there? That’s what it sounds like.

Sara Hougland:

Sure, absolutely. Then, contemplating sales and transactions. We’re always conducting due diligence on the company, the end-use, the end-user.

Cole French:

Early on, you had mentioned ITAR and EAR, so I want to kind of level set what is ITAR and what is EAR and then kind of jump off from there and discuss a little bit more how those factor into compliance. If you could just talk a little bit about what is first, what is ITAR?

Sara Hougland:

Sure. At a super macro level, the ITAR is designed to control the export of defense related articles, services and all the associated information data. Think inherently military items, for example, military aircraft, naval vessels, military electronics, firearms, missiles, rockets, training of military forces, and of course, all the data associated with these items like user’s manuals, technical specifications, and even photographs depending on the item.

The EAR oversees the export of commercial and dual-use items, and of course any service and technical data related to that. There are also some military items on the EAR that are deemed not needing ITAR control. Some examples include computers, electronics, communication equipment, some aerospace systems and certain sensors and lasers.

Cole French:

From an administrative perspective, is ITAR considered to be sort of, I don’t know if managed is the right word, but is it the responsibility of the military or who maintains responsibility for ITAR?

Sara Hougland:

It’s the Department of State administers the ITAR and Department of Commerce administers the EAR.

Cole French:

Got it. I know in the work that we do from a compliance sort of broadening the discussion for a second out to compliance frameworks in general, we work with FedRAMP, we work with CMMC and in particular, and each of those frameworks has, for FedRAMP, it’s the authorization to operate, so an ATO, and with CMMC it’s a certification.

If I’m a cloud service provider, in the case of FedRAMP, and I want to sell my cloud service to the federal government or to federal government customers, I can pursue a FedRAMP authorization to operate, that essentially gives me the stamp of approval that, “Hey, the risk has been satisfactorily mitigated. All the controls are met,” et cetera, et cetera. As a government customer, I can just leverage this particular service right out of the box as it is.

On the CMMC side, this is like I want to do business with, I’m a commercial organization, I want to do business with the Department of Defense, so I get a certification, or at least in the future. Once rulemaking and all that’s done, I’ll get a certification that says, “I’m certified to handle controlled unclassified information.”

A lot of what we’re hearing, we hear this, it kind of comes and goes, ebbs and flows, I would say, specific to CMMC, since we’re in the DOD space, which I know ITAR, EAR, there’s a lot of crossover there, like you mentioned with military and things like that, and we get a lot of this. I need some help making sure my organization is ITAR compliant.

I was just wondering if you could dive in a little bit, what does it mean to be ITAR compliant? Is it like other certification frameworks where you have a certification or an authorization or is ITAR compliant more of an art and not so much a science? If you could just kind of explain what ITAR compliance looks like.

Sara Hougland:

To be honest, I’m jealous of these other frameworks that have certification requirements. We have guidelines from regulatory bodies like the ITAR and the EAR, but there’s no such thing as a certification for export or trade compliance. From my perspective, it’d be amazing because a company would have a forcing mechanism to comply on another level.

Compliance programs are expensive. Trade compliance professionals, I think industry-wide really have to sell the need for tools and resources. Often, we have to pick and choose top priorities and manage the rest the best that we can. With a solid required framework, we could get to the end goal, which is a model program very quickly. Unfortunately, there isn’t a framework. There are only best practices and guidelines posted by Department of State and Department of Commerce.

Cole French:

If there was an ITAR certification, what would be the primary elements, in your opinion, that would drive a certification? If an organization is thinking of this from a compliance mindset, what would be the most important things that they would want to make sure they have in place?

Sara Hougland:

Sure. I think it would start with a risk assessment, identifying the right resources to lead your compliance team, what kind of activity that you have. Maybe you don’t engage in exports, so you don’t need a lot of resources. Maybe you are dealing with exports on a daily basis. What does that look like? What kind of team do you need to support your program?

You definitely need written policies and procedures and not just written but administered, train and communicate on an ongoing basis, the regulations, best practices, lessons learned from internal audits, as well as external newsworthy items. Of course, a program is only as good as the management support behind it, so promoting a culture of compliance is very important.

Cole French:

Yes, we talk a lot about the culture of compliance and frankly, it’s funny you mentioned a wish and desire for a certification or a compliance program for ITAR because we fight this battle all the time on the other side where we do have compliance frameworks in place and certifications and things like that, all the benefits you mentioned, I think, I hope those of you who are out there listening can see the difficulty that’s posed by not having a certification framework or a compliance framework that has a certification component.

But also, on the other side of it, I think, and we talk about this a lot in industry circles of how do we move away from compliance, check the box type security or due diligence even and move towards what you just talked about, Sara, which is process, management, buy-in, culture, these are very important things. I think they drive security and they drive how well we do things, how well we manage things more than technical compliance controls that ensure that we’re meeting this one specific thing at this point in time and things like that.

I think it’s kind of a both and I would agree, I wish there was a certification framework of some kind or at least something an organization can measure themselves against to attest to being compliant from an ITAR perspective, but also at the same time, I agree with everything you said. You got to build a good program.

To build a good program from your perspective, what should an organization do? Are there particular types of personnel they should seek out? Should they be looking to bring on an attorney or someone like yourself that manages trade compliance, works in trade compliance? What kind of advice do you have for organizations looking to get assistance on ITAR compliance?

Sara Hougland:

Right, so I just mentioned risk profile or having a risk assessment. You should definitely know what that looks like for your organization. What I mean by that is asking certain questions. Are you manufacturing export control products? Are you sourcing material or products from abroad? Do you have customers in foreign locations? Do you have foreign subsidiaries or affiliates in foreign locations? Do you hire non-US persons? Are you executing programs that have international activity?

As you build upon your risk profile, you can start to identify the type of resource that you need. Maybe it’s enough to have a consultant or a lawyer on standby so you can phone a friend when a question arises, but if it’s obvious, you’re engaging in export activities, you want to look into a professional with experience in the area, you definitely don’t want to identify a warm body in the office and say, “Hey, you’re a resident subject matter expert.” That’s unfair to the company, that’s unfair to the employee, but make sure you have the experience to protect the company while keeping the business moving.

Cole French:

I think that’s great advice. Using our general conversation around compliance frameworks, I’m curious, so ITAR, like we’ve talked about, product, services, things like that, I specifically work within CMMC here at Kratos and our CMMC capability, assessing organizations against the CMMC framework, also helping organizations get ready to go through those assessments, and we have some similar, I think there’s some crossover because CUI, controlled unclassified information, is one of those.

It can be a technical drawing that’s provided. It can even be the output from a technical drawing. It could be considered controlled unclassified information. We’ve even had instances in which people say it’s everything on a contract, which is a bit insane and feels a little bit like somebody just didn’t want to do the classification, but is within contractual obligations, that’s where CUI is supposed to be defined. Is that true for ITAR as well? Is there a contractual obligation or when an organization enters into a contract with the government, is there anything contractually that stipulates ITAR or is ITAR just something completely sort of standing on its own?

Sara Hougland:

We think a little of both. More often than not, we’re defining it on our own. Companies who sell products should understand the product’s export control before they’re selling it. If we’re in a contractual relationship where we’re selling our products, it’s our responsibility to know how that product is controlled for contracts pertaining to building a new offering. The classification of that product starts at that phase. You should be engaging your trade compliance team at that stage to determine, “Hey, we’re going to have this end product, this end goal, how is this going to be controlled for when we have to export it?”

Then, services are tricky, right? Mostly because they’re easily overlooked for having any type of control. I think you mentioned that earlier, but if you’re providing a service for a DOD or MOD in a foreign country, you’re automatically going to start thinking about ITAR. We always think product end-use, end-user, and all of those drive how our transaction is controlled.

The other important thing to keep in mind is a lot of DOD contractors or any companies out there usually are working in two separate areas. You have the DOD contracting and then you have the commercial side. For US government projects and contracts, it’s safe to assume that the work will be ITAR-controlled. It’s definitely a starting point.

For commercial contracts, it gets a little bit more complicated because a lot of times, that information is not flowed down, so that you’re starting over with the product end-use, end-user and start to develop your [inaudible 00:22:59] compliance strategy with those different sources.

Cole French:

We see stuff like that a lot with that sort of concept of my commercial business and my government business, for a long time, they were separate things that kind of ran side by side and everything was good, but over time, things kind of came together, started to overlap, and now I got a lot of my commercial stuff mixed with my government stuff, and now all of a sudden, it’s hard for me to determine what is commercial within my organization, commercial information and what is government information, and it becomes this tangled web that’s difficult to sort of unravel.

That gets me thinking about some other things we’ve worked with, some other organizations we’ve worked with where they’re making these products that in a lot of cases, are like what we’re talking about are export controlled or subject to export compliance regulations, and they have international sites or international locations where they do some of the manufacturing or product development.

One of the things we’ve talked about is licensing for those particular foreign locations. Can you just dive into what that looks like from an export compliance perspective? What is a license to allow me to produce a product in a foreign country or leverage non-US persons? What does the licensing process look like?

Sara Hougland:

Sure. I’m going to take one step back and just talk about the classification process first because you were just talking about DOD, commercial combining and you get this medley of a mess. Sometimes, we have to classify products that were maybe developed by DOD funding, then later, we want to use them in a commercial offering and trying to figure out how that product is then controlled. It becomes very complicated.

Department of State has a process called the commodity jurisdiction request where you essentially lay out the product’s history, why it was created, who funded it, what was the target market, obviously, the technical capability and an explanation as to why you think it falls under a certain category or not. There are thousands of these jurisdiction requests that have been filed, so that goes to show how much the regulations are very gray and oftentimes there’s almost too much room for interpretation.

There’s a fair amount of, I would say guesswork, right? We always take a conservative approach or trade compliance professionals take a conservative approach in trying to get the classification correct. Once you have that, then you can determine how you’re going to license the product. Both the ITAR and EAR have separate mechanisms.

I’ll start with the EAR because it’s cut and dry, it’s pretty easy. They have one license form that covers the export of data, hardware, services, software. You go into their online system and you input all the things, [inaudible 00:26:37] the product, technical capability, end-use, end-user and you the scope of work for that transaction. The ITAR is more complicated. They have various licenses to do various things. They have technical assistance agreements for ongoing exchange of information, having a lot more collaborative discussions. These licenses are good for 10 years.

Same thing, you do define that the scope of work, the end-users, any party actually that is part of the transaction. They also have a manufacturing license agreement. If you’re contemplating manufacturing abroad, you would use that mechanism to facilitate that export. Same information that goes into a technical assistance agreement will go into a manufacturing license agreement, of course different licensing templates with slightly different information, but it’s always product, end-use, end-user, scope of work.

Then, there are a few others. If you are just engaging in a quick marketing activity, this is not going to be a long prolonged back and forth with a potential customer. You’re going to show a demo or just have a preliminary discussion with a customer, you would use a marketing license. That same license can be used to ship hardware. If we get a purchase order for an ITAR-controlled hardware product, we would use what’s called a DSP-5 to export that out.

Then, they have again, additional licenses for temporary transactions. If we are temporarily importing something into the US that will go back to the foreign country, there’s a mechanism for that. Then, temporary exports, for example, if we source something from a foreign country and now it needs to be RMA’d and we need to return it for service or repair, there is a license mechanism to do that.

Cole French:

Wow. There’s a lot more licensing mechanisms than I thought. The way the conversations I’ve always had about this is, now I know, have been very high level and make it seem as though a license is sort of this universal concept, which I mean, I suppose it is, but it also sounds as though it’s very dependent on what type of activity you’re doing.

As far as these licenses are concerned and obtaining them, what’s that look like? Is it you essentially submit an application, I guess, for lack of a better term, for these applications and then you wait for them to be granted? What’s the process look like from the organization to the government to allow you to go ahead and actually participate in whatever activity it is you’re looking to participate in?

Sara Hougland:

That’s exactly what it’s called. It’s an application. Each governing body, ITAR, EAR, have their own online system where you upload your letter of explanation, which defines your scope of work. It includes any of the electronic information that they’re asking for, again, end-use, end-user, product information, information on the end-user in the country and what they’ll be using the product for.

You submit the application into each designated electronic format and sometimes, there’s questions that come back and they’ll come back through that electronic system. Other times, it’s just a waiting game. You can track your license and watch it progress through the system, and eventually, it will be granted with conditions. There’s always conditions on export licenses.

Cole French:

Interesting. Could you share what those conditions, just an example or two?

Sara Hougland:

Sure. Sometimes the condition will remind the applicant that you must maintain a library of released information. If your license was for an end-user in the UK, you would have to keep a library, essentially a log of every time you export to that entity or sometimes, it will say, “You can share this, but you can’t share these other things.” For a lot of ITAR-controlled products, it’ll tell you that you can share up to a certain point, but then, items that they find sensitive to the US government, they’ll restrict you from sending.

Cole French:

Do they do any sort of auditing or checking or validation with these particular licenses? If you get a license to ship something, or like the example you said, are you shared with sending something to someone in the UK and the condition is that you have to log every instance? Is anyone checking that or is it just expected that that’s kind of part of your due diligence that we talked about earlier?

Sara Hougland:

Both, they have the right to check. You are required to obviously keep all that information as a requirement. They can knock on your door and ask for that information at any time. There is also a program called the Blue Lantern check where they physically go to the end-user in the foreign country to make sure the product that was licensed is actually still there and it wasn’t diverted or trans-shipped to another location.

Cole French:

That’s kind of like the compliance sort of... That brings the compliance approach or what we’ve talked about and the importance of it, I guess. We’ve talked about ITAR compliance and that there’s not really a certification and all that kind of stuff, but it sounds like this is a little bit more on the, when you get that license, it does come with certain requirements and conditions. Those are the things you need to make sure you’re complying with because you could be audited or checked at any time.

Sara Hougland:

Absolutely, yes.

Cole French:

Using that as a jumping off point, I guess, are there any cloud services or technical tools out there that you would recommend or that we use here at Kratos or that you’ve seen other organizations use to help manage ITAR compliance and all the activities that go into it?

Sara Hougland:

Sure. There are many service providers that provide software-based solutions. For example, to run denied party screenings. There are many products that automate that process. Many times, they’re checking over 100 lists in a matter of seconds. We definitely use one of those here at Kratos. There are a lot of them on the market.

For product classifications, there are also service providers that offer decision trees and also both the ITAR and EAR have online formats where you can have an interactive workflow to get to an end point, but they can be very complicated. I would say, with any resource, the output is as good as the input provided. If you don’t have a technical background, you probably shouldn’t be the person to navigate whether something is controlled. The regulations, we’ve been talking that they’re very technical, they overlap, they’re complicated.

It’s always good to have an engineer or a technology enthusiast to sit with you and go through the regulations as you’re going through some of these software-based classification tools. I always have someone who knows the product and capability and the classification process with me. If we think about it, if you get the product classification wrong, everything that follows is wrong, you’ll mark it incorrectly, you’ll handle it incorrectly, you can ship it incorrectly, it goes south fast. I would say absolutely, absolutely make use of electronic tools, but use them wisely.

Cole French:

That’s great advice. I mean, in my experience working in cybersecurity more broadly, and I mean, I think we all know as practitioners, there’s a million tools that do a million different things, but the key is, if I don’t configure that tool, well, first of all, if I don’t understand the risk in my organization, if I don’t understand the assets in my organization, if I don’t understand essentially what you’re describing the product, if I don’t understand that or have a good grasp on that, then any tooling or technology that I use, isn’t really going to be that helpful because it’s not going to take into account all of that information.

I think that’s great advice. Tools are great, but we also need to make sure we’re understanding the risk that’s present in our organization, understanding the types of assets that we have, understanding what it is we need to comply with, and understanding the tools and technologies and how we can leverage them appropriately given that those background pieces of information and make sure, like you said, I think that’s a great point, sometimes it’s on a case-by-case basis.

I may need to talk to a certain set of folks who have a particular set of knowledge on a particular topic that’s relevant to my organization and that informs how I use tools or technology or even maybe how I build processes to deal with that particular thing that they work with.

I think, again, it’s kind of going back to what we were talking about compliance or checking the box versus sort of maturity, doing things well. I think the same thing is true here, understand when we leverage tools and technology, we also need to have the soft skills and make sure we’re leveraging the people within our organizations to get the full use out of tools and technologies that are available.

As we wrap up here, I wanted to give you an opportunity, I know trade compliance and international trade is something that does make the news on occasion and you mentioned sort of, as you called it, a ridiculous example at the beginning of heading to Best Buy or I guess, as we would probably be more likely to do now, Amazon and buying a bunch of computers and shipping them to the Taliban, but I was just curious, are there any sort of real world news headlines that are pertinent to what we’ve talked about today, trade compliance, that are kind of cautionary tales or just things to be aware of?

I know we talked about organizational reputation and how that’s a huge factor when it comes to export compliance. If you just wanted to just give you an opportunity here as we close up to share any newsworthy headlines or stories that you’ve come across in your experience.

Sara Hougland:

Sure. I think taking a very recent example from just a month ago, State Department fined Boeing $51 million after they violated a range of US export controls. You think about a large organization that has the resources to have a very robust export compliance team, is just a reminder to industry that it can happen to any DOD contractor.

The violations included illegal exports to foreign employees and contractors working in more than 15 different countries. They had a trade compliance specialist fabricating an export license to illegally ship an item abroad, and then they had some administrative violations around complying with export licenses. We just talked about how export licenses always come back with conditions, and in this case, when they went back and looked at compliance with the conditions, there were some failures in that area.

I think lessons learned for trade compliance function in every company, that this can happen to everyone and we should be putting appropriate resources and tools in place to help this function succeed and mitigate risk.

Cole French:

I think those are great, and I think stories that we hear and that we read in the news, definitely are things to pay attention to and like you kind of described, are cautionary tales. I think just lend themselves to, again, doing the due diligence, building these things into the maturity of our organizations, really focusing on process, focusing on people, and leveraging tools and technologies to support all of those.

Sara, I just want to thank you again for taking the time to join us today. We’re really grateful for your perspective and contribution on this important and challenging topic.

Sara Hougland:

Thanks for having me. I appreciate it.
