Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting Export-Controlled Information at Companies

Abstract

U.S. government export control agencies have less oversight on exports of controlled information than they do on exports of controlled goods. Commerce's and State's export control requirements and processes provide physical checkpoints on the means and methods companies use to export-controlled goods to help them ensure such exports are made under license terms, but the agencies cannot easily apply these same requirements and processes to exports of controlled information. For example, companies are generally required to report their shipments of export-controlled goods overseas to Customs and Border Protection for exports made under a license, but such reporting is not applicable to export-controlled information. Commerce and State expect individual companies to be responsible for implementing practices to protect exportcontrolled information. One third of the companies we interviewed told us they do not have internal control plans to protect their export-controlled information, which set requirements for access to such material by foreign employees and visitors. Also, almost half of the company officials we interviewed told us they encounter uncertainties when determining what measures should be included within their internal control plans to help protect export-controlled information. Commerce and State have not fully assessed the risks of companies using a variety of means to protect export-controlled information. The agencies have not used existing resources, such as license data, to help identify the minimal protections for such exports. As companies use a variety of measures for protecting export-controlled information, increased knowledge of the risks associated with such information could improve agency outreach and training efforts, which now offer limited assistance to companies to mitigate those risks. Our internal control standards highlight the identification and management of risk as a key element of an organization's management control program.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Dec 01, 2006
Accession Number
ADA458938

Entities

Organizations

  • United States Government Accountability Office

Tags

Communities of Interest

  • Cyber
  • Space

DTIC Thesaurus Topics

  • Best Practices
  • Commerce
  • Congress
  • Control Systems
  • Department Of Defense
  • Department Of State
  • Electronic Mail
  • Information Systems
  • Interagency Coordination
  • International Organizations
  • National Security
  • Risk
  • Risk Analysis
  • Test And Evaluation
  • United States
  • United States Government
  • Vulnerability

Readers

  • Government and Public Administration Law.