Accession Number:



Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting Export-Controlled Information at Companies

Descriptive Note:

Corporate Author:


Personal Author(s):

Report Date:


Pagination or Media Count:



U.S. government export control agencies have less oversight on exports of controlled information than they do on exports of controlled goods. Commerce's and State's export control requirements and processes provide physical checkpoints on the means and methods companies use to export controlled goods to help them ensure such exports are made under license terms, but the agencies cannot easily apply these same requirements and processes to exports of controlled information. For example, companies are generally required to report their shipments of export-controlled goods overseas to Customs and Border Protection for exports made under a license, but such reporting is not applicable to export-controlled information. Commerce and State expect individual companies to be responsible for implementing practices to protect export-controlled information. One third of the companies we interviewed told us they do not have internal control plans to protect their export-controlled information, which set requirements for access to such material by foreign employees and visitors. Also, almost half of the company officials we interviewed told us they encounter uncertainties when determining what measures should be included within their internal control plans to help protect export-controlled information. Commerce and State have not fully assessed the risks of companies using a variety of means to protect export-controlled information. The agencies have not used existing resources, such as license data, to help identify the minimal protections for such exports. As companies use a variety of measures for protecting export-controlled information, increased knowledge of the risks associated with such information could improve agency outreach and training efforts, which now offer limited assistance to companies to mitigate those risks. Our internal control standards highlight the identification and management of risk as a key element of an organization's management control program.

Subject Categories:

  • Administration and Management
  • Information Science

Distribution Statement: