Posture assessment, Internal Compliance Programme build, and end-user / end-use due diligence for US-headquartered defence and dual-use suppliers, and for non-US suppliers with US-touching transactions.
The boundary protects the client and keeps the work durable under regulator scrutiny. State it. Hold to it.
Whether the Internal Compliance Programme you have, or do not yet have, would withstand a regulator visit, a prime contractor audit or a licence renewal. Scored across the seven ICP elements.
Where findings are material, or where there is no programme at all, we build the ICP. Policies, procedures, screening protocols, training, recordkeeping, audit framework, handover to the designated officer.
For specific shipments, the management-system due diligence. Red Flag analysis per BIS Know Your Customer guidance, restricted-party screening, diversion risk, evidence pack for the file.
Programmes decay. Counterparty risk shifts. Lists update. Where the work continues past first build, a quarterly governance retainer keeps the programme current and the screening cadence live.
Each runs through the six-gate quality system from intake to handover. Final scope, sequencing and fee are set at engagement letter.
If DDTC, BIS or a prime walked in tomorrow, would the export controls hold up? A maturity read against the seven ICP elements.
Where findings are material, or where no programme exists. The ICP built end-to-end, handed over to the designated officer.
Per-transaction due diligence on consignee, end-user and ultimate consignee. The evidence pack for the file, the decision record for the client.
The US export-controls surface and the cyber-assurance regimes that travel alongside it. Drafted within. Not certified, not represented.
International Traffic in Arms Regulations. Defense articles, defense services and technical data on the US Munitions List. Registration, licensing, recordkeeping, the deemed-export rule, the brokering regime. Where ITAR applies, the ICP scope expands accordingly.
Export Administration Regulations. Dual-use items classified by Export Control Classification Number, plus end-user / end-use controls including the catch-all under EAR §744. ICP must show classification discipline, screening discipline and recordkeeping discipline.
Country, list-based and sectoral sanctions administered by the Office of Foreign Assets Control. SDN List, sectoral programmes, secondary sanctions exposure. Travels alongside ITAR and EAR in every transaction-level due diligence.
For DoD suppliers, the cyber regime that travels with the contract. Covered Defense Information handling, incident reporting, the maturity expectations under CMMC 2.0. Drafted within the ICP where the contract surface requires it.
The Foreign Corrupt Practices Act and the International Emergency Economic Powers Act. Anti-bribery controls and emergency sanctions authority both surface in counterparty diligence and in the programme's books-and-records obligations.
Most defence-sector transactions land in more than one regime. The ICP is built to recognise this, not to ignore it.
A UK-incorporated supplier wins a flow-down contract to a US prime contractor. The goods, services or technical data may be subject to ITAR or EAR on the US side, the UK Export Control Order on the UK side, and DFARS cyber expectations under the prime's flow-down clauses.
The ICP must hold both regimes simultaneously: a single management system, two regulator audiences, one consistent set of records.
A US-headquartered defence supplier operates a UK subsidiary. The subsidiary is subject to UK export controls; the parent remains accountable for ITAR re-export and re-transfer obligations on any US-origin content.
The ICP at subsidiary level must operate UK rules natively while remaining auditable from the US compliance function and consistent with parent-level ITAR registration.
Where exposure is genuinely dual, the diagnostic (C-07) is scoped to both regimes from the outset. The programme build (C-08) produces one set of artefacts that hold under either audience. The per-transaction work (I-07) screens against both list sets in a single pass. See also ECJU & OFSI → for the UK and EU framings.
Honest indicators that this work is the right step right now.
A prime contractor has issued a supplier questionnaire on export controls or cyber, and the answers cannot honestly be given today.
A DDTC registration is due for renewal, or an active licence is up for re-application, and the supporting programme needs to look the part.
A specific shipment, sale or technical-data transfer is on the table, and the end-user / end-use needs to be diligenced before it ships.
The regime, the trigger, the timeframe. We'll come back with a scoped C-07, C-08 or I-07 and the boundary written plain.