About This Framework

This framework is built on the Nunn-Wolfowitz model — the U.S. Government's benchmark for evaluating the adequacy of corporate export compliance programs — and incorporates compliance program guidelines from the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR), the Directorate of Defense Trade Controls (DDTC) under the International Traffic in Arms Regulations (ITAR), and the Office of Foreign Assets Control (OFAC) under U.S. sanctions programs.

The framework is organized into five sections covering governance, risk assessment, operational controls, recordkeeping, and accountability. Each element is assigned an implementation tier reflecting its urgency and complexity. Downloadable templates, checklists, and process flows are available for completed deliverables. To assess your current program against this framework, use the Compliance Audit Report listed below.

This framework is provided for informational and educational purposes only and does not constitute legal advice. It is always recommended to have a qualified compliance professional to assess and review your needs before implementing the compliance program.

Compliance Audit Report & Gap Analysis
Self-assessment checklist aligned to the BIS ECP Audit Module (8 elements). Uses ✓ / + / Δ / N/A format. Includes transaction sample review, findings summary, and CAPA tracker. Based on this framework with ITAR items flagged.
Deliverables: Compliance Audit Report (.docx), CAPA Tracker (.xlsx)

Level 1 Compliance Awareness Training — all employees
21-slide deck covering enforcement consequences, export control fundamentals, restricted parties, red flags, and escalation procedures. Enforcement-first approach. Speaker notes included for facilitators. ~30 minutes.
Deliverable: L1 Training Deck (.pptx)
Implementation tiers:
Tier 1: Implement immediately. Foundation; cannot operate without these.
Tier 2: Within 60 days. Operational controls and documentation.
Tier 3: Within 180 days. Formalise and systematise procedures.
Tier 4: As the program matures. Strengthen governance and oversight.
ITAR tag marks steps that apply specifically to ITAR-controlled companies. EAR and OFAC apply by default to all exporters and are not separately tagged.
1 · Foundation & Governance (6 items)

Tier 1: Senior leadership commitment & policy statement
Foundation of any program — sets tone from the top, defines scope and accountability

Tier 1: Empowered Official designation (ITAR)
Required before any ITAR license application or exemption use — must be in place before any controlled export

Tier 2: Written procedures & manuals
Without written procedures, compliance is person-dependent, unauditable, and unenforceable

Tier 3: Compliance council & organizational structure
Scope depends on company size — from single designated officer to full council; build as program grows

Tier 3: Export compliance resource portal / intranet availability
A central, accessible hub for compliance policies, forms, contact list, reporting mechanism, regulatory links, and updates — ensures employees can find what they need without relying solely on the compliance team. Access controls required where controlled content is stored.

Tier 4: Board & senior management briefing
2 · Risk Assessment & Classification (6 items)

Tier 1: Jurisdiction & classification determination
You cannot build a compliance program without knowing what you control — this is step zero

Tier 1: Denied party screening — new business partnership onboarding
One of the most common enforcement violations — screen before you transact. False hits: same name/different address → document as different entity; same address/different name → document as shared commercial address; unresolved → escalate to legal, hold transaction. Document all override decisions with authorizer signature.

Tier 1: End-use / end-user review & red flag assessment

Tier 1: Deemed export / foreign national access review (ITAR; also recommended for EAR-controlled technical data)
If you have foreign national employees or visitors with access to controlled technology — must be assessed before access is granted

Tier 2: Sanctions & geographic risk assessment
Country groups, embargoes, sectoral restrictions — incorporate into DPS procedure initially, then formalise separately

Tier 3: High-risk area identification
Formally document which products, countries, customers, and transaction types represent elevated risk — informs training and audit focus
3 · Operations & Controls (11 items)

Tier 1: ITAR registration (ITAR)
Prerequisite for all ITAR licenses and exemptions — must be active before any controlled export

Tier 1: Technical data controls & foreign person access (ITAR; also recommended for EAR-controlled technical data)
If you have controlled technical data and foreign nationals — TCP must be in place before access is granted

Tier 1: License / authorization determination
EAR: Classification → CCC → NLR → Exception (LVS / GBS / STA / GOV / TMP / RPL / TSU) → §740.2 → BIS license application
ITAR: DSP form selection (DSP-5/73/61/85) → Exemption (Canada / USG / Tech Data / FMS / In-furtherance) → Agreement (TAA / MLA / WDA) → License application

Tier 1: EEI filing & export documentation
Legal requirement for most physical exports — FTR violations are common and easily avoided with a standard checklist

Tier 2: Transaction hold & blocking procedures
Standardised stop-order when a red flag or screening hit is identified, pending review

Tier 2: Third-party & supply chain due diligence
Extend screening and compliance obligations beyond the immediate customer — freight forwarders, logistics providers, suppliers, and subcontractors handling controlled items. Include export compliance representations and warranties in customer and supplier agreements. Flow down compliance obligations contractually where subcontractors have access to controlled items or data.

Tier 2: USML item tracking, tagging & traceability (ITAR)
Know what you have, where it is, who accessed it, and under what authorization at all times

Tier 3: License & agreement administration
Written plan per license/agreement covering provisos, validity timelines, and end-user acknowledgment

Tier 3: Technical data transfer tracking (ITAR; also recommended for EAR-controlled technical data)
Log all technical data transfers — emails, shared drives, presentations, demos — and the authorization under which each occurred

Tier 4: Brokering compliance (Part 129) (ITAR)
Registration, prior approval where required, and annual reporting covering all brokering activity, including activity conducted under an approval exemption
4 · Recordkeeping & Documentation (3 items)

Tier 1: Transaction recordkeeping (5-year minimum)
BIS: EAR Part 762 · DDTC: 22 CFR 122.5 · OFAC: 31 CFR Part 501 · Census/CBP: FTR 15 CFR 30.66(c)

Tier 3: Foreign national & visitor access records (ITAR)
Name & nationality, organization, date, persons visited, purpose, technology discussed, conditions applied

Tier 3: Government communications log
Document all conversations with BIS, DDTC, and OFAC on compliance interpretations — provides continuity and can assist in defending the company's actions
5 · Accountability & Continuous Improvement (7 items)

Tier 1: Training program — Level 1 (all employees)
Definitions, red flags, violations, who to contact — must be in place before employees handle any controlled items or data

Tier 1: Violation reporting procedure & VSD
Employees must know how and to whom to escalate. EAR: 180-day full narrative to OEE. ITAR: 60-day full disclosure to DDTC. Documented reporting path is a recognized mitigating factor in enforcement proceedings

Tier 1: Mandatory disclosure — proscribed countries (ITAR)
22 CFR 126.1(e)(2): immediate DDTC notification required — mandatory, not optional. Failure to disclose is itself a separate violation

Tier 2: Training program — Level 2 (compliance team)
Regulations, classification, screening, recordkeeping, function-specific topics, comprehension tests for those regularly involved in export compliance

Tier 4: Internal audit & self-assessment
Business unit self-assessments + internal corporate audits at risk-based intervals; audit scope covers management commitment, policies, training, licensing, recordkeeping, high-risk areas, and corrective action

Tier 4: Third-party / external compliance audit
Periodic independent review by qualified external auditors (e.g. BSI, external export control counsel) — provides objective assessment, identifies blind spots internal audits may miss, and demonstrates program credibility to regulators and trading partners. Consider directing external audits through legal counsel to preserve attorney-client privilege over results.

Tier 4: Periodic program review & regulatory update tracking
Monitor BIS, DDTC, OFAC updates; revise classification and procedures when regulations change