By Jenny Hahn

President, FD Associates, Inc.

Keysight Technologies, Inc., Enters Into a 3 Year Consent Agreement With DDTC

The U.S. Department of State's Directorate of Defense Trade Controls (DDTC), Office of Defense Trade Controls Compliance (DTCC) has announced that Keysight Technologies, Inc., of Santa Rosa, California ("Keysight"), has entered into a 3-year Consent Agreement to settle allegations that it violated the International Traffic in Arms Regulations (ITAR) in connection with unauthorized exports of technical data, to include software, to various countries, including a proscribed destination. According to the Proposed Charging Letter:

• On November 9, 2017, the Office of Defense Trade Controls Policy ("DTCP") raised concern over Keysight's potential misclassification of its Signal Studio for Multi-Emitter Scenario Generation software ("MESG software"). It recommended Keysight submit a CJ to determine the jurisdiction of the software. The MESG software can be used with certain hardware equipment to model and simulate multi-emitter electronic warfare threat scenarios for testing radar equipment on fixed or mobile platforms.
• Between December 5, 2015, and April 18, 2018, Keysight exported the MESG software as both trial and full versions of the software. Keysight exported full versions of the software installed on hardware or electronically. Further, Keysight exported trial versions of the software via downloads from their website.
• In response to DTCP's recommendation, Keysight submitted CJ-0005-18 on January 4, 2018. On April 27, 2018, DDTC provided Keysight with a determination that the MESG software was controlled under USML Category XI(d) based on the software's direct relation to electronic warfare test sets described by USML Category XI(a)(11).
• Between January 9, 2018, and April 18, 2018, while CJ-0005-18 was under review, Keysight exported without authorization the MESG software on eight separate occasions to the PRC, Russia, Japan, Israel, and Canada. Keysight claimed that these exports were based on good faith but misguided belief that the MESG software was not subject to ITAR controls, and once Keysight learned of DDTC's formal CJ determination, it stopped any further unlicensed exports of MESG software and treated MESG software as ITAR controlled.
• On May 21, 2018, Keysight submitted an initial disclosure assigned DTCC case number 18-0000493. Subsequently, on July 24, 2018, Keysight submitted its full disclosure in which it disclosed unauthorized exports to multiple countries of its MESG software, as described above. Keysight's disclosure stated the exports of the MESG software were conducted pursuant to the Export Administration Regulations (EAR), under Export Control Classification Number (ECCN)EAR99.
• Keysight believed the ITAR jurisdiction was in error, and on August 30, 2018, Keysight appealed CJ-0005-18 by submitting a reconsideration request in accordance with ITAR § 120.4(g), which was assigned CJ-0391-18. On February 13, 2019, DDTC provided Keysight with the determination of CJ-0391-18, reaffirming the determination of CJ-0005-18. DDTC maintained that the MESG software was controlled under USML Category XI(d) based on the software's direct relation to electronic warfare test sets described by USML Category XI(a)(11).

In accordance with the Consent Agreement and Order issued in this matter, Keysight has agreed to the following enforcement measures:

• A civil penalty of $6,600,000, with $1,100,000 payable within ten days of signing the Order and $1 million payable each year on the anniversary of the Order for the next three years, the remaining $2.5 million suspended on the condition that Keysight applies the amount to Consent Agreement-authorized remedial compliance costs.
• Appointment of an outside Special Compliance Officer in consultation with the Director, DTCC to serve for a minimum of two years, and thereafter Keysight may request that DTCC allow it to substitute an Internal Special Compliance Officer.
• Conduct a review within 90 days of the appointment of the Special Compliance Officer to ensure adequate/sufficient resources are dedicated to ITAR Compliance throughout Keysight's ITAR regulated operating divisions, subsidiaries, and business units.
• Strengthen compliance policies and procedures within 9 months of the implementation of the consent agreement, including  training for persons responsible for supervising Keysight employees and senior managers to ensure they are knowledgeable about the underlying principles of the AECA and ITAR.
• Within 12 months, complete a classification review of all hardware and software pertaining to Keysight's ITAR-regulated business activities and any technical data or defense services directly related to such hardware and/or software.
• Complete at least one third-party audit conducted within 12 months of the Order. DTCC has the option of requesting additional audits.
• Permit on-site reviews by DTCC during the 36 month period.

What is the lesson learned?

Heed the call and follow the GOLDEN RULE.

What is the GOLDEN RULE?

When filing a Commodity Jurisdiction (CJ) request for a product, software, or technology, treat the product, software, or technology as ITAR controlled until the CJ is adjudicated.

When the Office of Defense Trade Controls Policy (DTCP) came knocking raising concerns over the potential misclassification of the Keysight  MESG software and recommending the filing of a Commodity Jurisdiction to validate the export jurisdiction and classification of the MESG software, Keysight missed a clear compliance signal regarding how they were and should be treating the export jurisdiction of the MESG software.

The product and software description, available on the Keysight website, describes a software used for signal generation for Electronic Warfare systems, which are sophisticated systems crucial to the U.S. natural security, with clear elaboration in the U.S.M.L. category XI(a)(4) and designated as Significant Military Equipment. Test sets for testing electronic warfare systems and radars are enumerated in USML XI(a)(11). The software which is treated as technical data under the ITAR is classified as USML XI(d).

When Keysight was instructed to file a Commodity Jurisdiction request to receive a formal USG ruling from the Department of State regarding the export jurisdiction and classification of the MESG software, Keysight acted promptly and filed the Commodity Jurisdiction request within 2 months of the DTCP request. But instead of following the GOLDEN RULE of compliance and treating the MESG software as ITAR until formally advised otherwise, they continued to make exports of the MESG software as EAR99.

In doing so, they made exports of an ITAR software to an ITAR 126.1 sanctioned country (China); exports to Russia, when Russia required export licenses and was deemed a very sensitive destination; and made exports to 3 other countries. The DTCC determined that the exports to China and Russia caused harm to the national security of the U.S.

In total, Keysight made unauthorized exports to 17 countries during the 2015 - 2018 period.

DTCC considered the exports as aggravating factors in weighing the 24 violations alleged in the proposed charging letter. Mitigating factors included Keysight's cooperation with DTCC, filing the voluntary disclosure that acknowledged the conduct, implementation of remedial measures, and agreement to toll the statutory time limitations of the review period. Accordingly, DTCC determined it was not appropriate to debar Keysight in addition to the financial and compliance measures required by the consent agreement.

This case highlights the critical and fundamental first step for all exports. Conducting the export jurisdiction and classification analysis. Both at the time of design but on a continued basis, as the export regulations are evolving. While the ITAR and DTCP do not require filing Commodity Jurisdiction requests for each item to be exported, self-classification must follow the Order of Review set out in the ITAR and EAR. If conducted with export control and technical input, the export classification determination should clearly detail the analysis performed and stand the test of a government inquiry.

Keysight is a publicly traded company and a spin-off from Agilent Technologies, which has many ITAR regulated and EAR regulated products. Therefore, it is expected that Keysight had conducted its due diligence in classification and reached a very different conclusion for export control.

Here are the key takeaways:

1) DTCP regularly reviews exporters' websites for products that might be ITAR regulated but not promoted by the exporter as such.

2) If contacted by DTCP and requested to file a CJ, immediately start treating the item as ITAR. Not all CJs result in an ITAR outcome. In fact, at least 60% provide an EAR determination. Voluntary Disclosures can be filed based on the outcome of the CJ if needed.

2) When performing self-classification, exporters should research the Department of State Commodity Jurisdiction (CJ) database (DDTC CJ database) to see if there have been any prior CJs for similar products that would give insight into how the government adjudicated a similar product.

3) When filing a CJ because you are unsure if your product is ITAR or EAR, ALWAYS treat the product as ITAR until the CJ is adjudicated.

4) Self Classification of company products should be periodically reevaluated by compliance personnel, as the ITAR USML and the EAR CCL have undergone an overhaul, thus changing export jurisdiction and export classification of many items.

5) Regular and periodic internal and external audits should review export jurisdiction and classification of products

6) Exporters should never presume that a product, software, or technology, if not ITAR controlled it is EAR99. If a product is truly not ITAR, there may be an applicable ECCN classification on the CCL before reaching EAR99 status.

The Proposed Charging Letter, Consent Agreement, and Order can be found here.

Proposed Charging Letter

Consent Agreement 

Order