Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
An Export Control Policy is a formal internal document that defines how a company classifies, screens, licenses, and documents the export of controlled goods, software, technology, and technical data in compliance with applicable trade laws. In the United States, the primary frameworks are the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security, the International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls, and economic sanctions programs administered by the Office of Foreign Assets Control. A written policy translates these regulatory requirements into concrete internal procedures β covering who is responsible, what must be checked before each transaction, what records must be kept, and how violations are reported and remediated.
Operating without a written export control policy creates exposure on every international transaction your company executes. Regulators treat the absence of a documented compliance program as an aggravating factor in penalty calculations β meaning the same underlying violation draws a higher fine if the company cannot demonstrate it had functioning procedures in place. Civil penalties under the EAR can exceed $360,000 per transaction, and OFAC violations carry strict liability regardless of intent. Beyond regulatory risk, customers in defense, aerospace, and government contracting routinely require suppliers to produce a written export compliance program before awarding a contract. A documented policy also protects the company when an employee makes a mistake: it establishes that the violation was a process failure rather than a systemic one, which is a meaningful distinction in enforcement negotiations. This template gives you the framework to build that program without starting from a blank page.
| If your situation is⦠| Use this template |
|---|---|
| Company exports dual-use commercial goods and software subject to EAR | Export Control Policy (EAR-focused) |
| Defense contractor or manufacturer subject to ITAR | ITAR Compliance Policy |
| Company needs a standalone sanctions screening procedure | Sanctions Compliance Procedure |
| Company requires a broader trade compliance manual covering import and export | Trade Compliance Policy |
| Company needs to document how it handles technology transfers to foreign nationals | Deemed Export Policy |
| Company is seeking ISO or government certification requiring written compliance procedures | Export Control Compliance Program Manual |
| Company needs a shorter policy summary for employee distribution | Export Control Policy Summary (One-Page) |
Why it matters: EAR and ITAR controls apply to software downloads, API access, and technical data disclosures β not just physical shipments. A policy that covers only hardware misses the majority of modern export transactions.
Fix: Explicitly list software, source code, cloud-hosted technology, and technical data in the policy's scope section, and map each to the relevant ECCN or USML category.
Why it matters: Parties are added to the SDN List and Entity List continuously. A customer screened clean at contract signing may be sanctioned before the next shipment, and OFAC violations carry strict liability regardless of intent.
Fix: Require transaction-level screening for every shipment or technology transfer, not just a one-time check at onboarding, and document each screening result.
Why it matters: EAR99 is a classification conclusion, not a safe assumption. Exporting an unclassified item that is later determined to be controlled carries the same civil and criminal penalty exposure as a knowing violation.
Fix: Complete and retain a written classification analysis for every product and software version, referencing the specific CCL entry reviewed and the date of analysis.
Why it matters: Granting a foreign national employee access to controlled source code or technical data inside the US is legally an export to their home country. Companies that fail to address this are frequently cited in BIS enforcement actions.
Fix: Add a deemed export review step to the HR onboarding workflow and require the compliance function β not HR alone β to complete the license determination before access is granted.
Why it matters: BIS requires exporters to produce records within a short window during an audit. Records stored in individual inboxes become inaccessible when the employee departs and cannot be searched systematically.
Fix: Designate a centralized, access-controlled repository for all export documentation and migrate existing records to it when the policy is implemented.
Why it matters: BIS and OFAC treat voluntary self-disclosure as a major mitigating factor that can reduce penalties by 50% or more. Companies without a defined process often miss the disclosure window because internal escalation is too slow.
Fix: Define a specific escalation timeline in the policy β for example, report suspected violations to the compliance manager within 5 business days of discovery β and empower the compliance function to engage outside counsel promptly.
Determine which regulations apply to your company based on what you export β EAR for dual-use commercial goods and software, ITAR for defense articles and services, and OFAC sanctions for all international transactions. If your products fall under both, ITAR takes precedence.
π‘ Review BIS's Commerce Control List (CCL) and the US Munitions List (USML) simultaneously β some items migrate between the two lists following Export Control Reform, and misidentifying jurisdiction is one of the most common compliance errors.
Assign an ECCN or EAR99 designation to every product, software package, and category of technical data the company exports. Document the classification rationale in writing and record the date.
π‘ If you are unsure of a classification, submit a Classification Request (SNAP-R) to BIS β the response is binding and gives you a documented good-faith basis for your compliance decisions.
Select a denied-party screening tool or database (BIS Consolidated Screening List, Visual Compliance, Descartes MK Denied Party Screening) and document the process for screening every transaction party before each shipment or transfer.
π‘ Set the screening tool's fuzzy-match threshold to at least 85% β a 100% exact-match setting misses common name transliteration variants and intentional misspellings.
Create a documented checklist that walks through ECCN, destination country group, end user, end use, and available license exceptions for every controlled export. Attach completed checklists to the transaction record.
π‘ BIS publishes country group tables in Supplement No. 1 to Part 740 β bookmark this page and verify the destination country's group assignment for each new market you enter.
Designate a centralized repository β a compliance module in your ERP, a shared drive with access controls, or a dedicated trade compliance platform β and confirm it meets the 5-year minimum retention requirement. Map each document type to its required retention period.
π‘ Configure automatic retention holds in your system so records tied to open licenses or pending transactions cannot be deleted until the retention clock starts.
Identify every employee role that touches controlled items or foreign parties β sales, engineering, IT, HR, shipping β and assign each to an appropriate training track. Set a completion deadline and document it in your HR system.
π‘ Include a scenario-based red flag exercise in the training, not just regulatory definitions. Employees recognize violations in context far more reliably than from a list of rules.
Insert the name and title of the policy owner in the administration section, set a specific annual review date on the compliance calendar, and draft a brief summary of how updates will be communicated and acknowledged.
π‘ Tie the annual review date to a fixed calendar event β such as the first week of the fiscal year β so it is never deferred when the compliance team is busy.
Distribute the final policy to all covered employees and collect signed (or electronically confirmed) acknowledgments. Store acknowledgments in your HR system alongside training completion records.
π‘ Include a one-paragraph plain-language summary with the acknowledgment form β employees are more likely to retain the policy's key obligations when the acknowledgment is paired with a readable summary rather than the full legal document.
An export control policy is an internal company document that defines how the organization identifies controlled goods, software, and technical data and manages their transfer across international borders in compliance with applicable trade laws. In the United States, the primary frameworks are the EAR (administered by BIS), the ITAR (administered by DDTC), and OFAC sanctions programs. A written policy is evidence of a functioning compliance program and is reviewed by regulators during audits and enforcement investigations.
Any company that exports physical goods, transfers software internationally, shares technical data with foreign parties, or employs foreign nationals with access to controlled technology needs a written export control policy. This includes manufacturers, technology companies, defense contractors, distributors, and software vendors. Companies that believe their products are EAR99 and require no license still need a policy to document the classification analysis and screening procedures that support that conclusion.
The EAR covers dual-use items β commercial goods, software, and technology that have both civilian and potential military applications β and is administered by BIS within the US Department of Commerce. The ITAR covers defense articles and services specifically listed on the US Munitions List and is administered by DDTC within the US Department of State. ITAR requirements are generally stricter: registration with DDTC is mandatory for manufacturers and exporters of USML items, and licenses are required for virtually all exports. When an item could fall under either framework, ITAR takes precedence.
A deemed export is the transfer of controlled technology or source code to a foreign national inside the United States β legally treated as an export to that person's home country. It matters because companies that hire foreign national engineers, grant foreign visitors access to controlled labs, or allow foreign national contractors access to restricted source code repositories may be making unlicensed exports without realizing it. BIS has brought numerous enforcement actions on deemed export grounds, and penalties can be substantial even when the transfer was entirely internal.
Civil penalties under the EAR can reach $364,992 per violation or twice the value of the transaction, whichever is greater (amounts are adjusted periodically for inflation). Criminal penalties can include fines up to $1 million per violation and up to 20 years imprisonment for knowing violations. OFAC civil penalties can reach over $300,000 per transaction or twice the transaction value under certain programs. Penalties apply even where violations were unintentional, making a documented compliance program the primary defense.
Whether a license is required depends on the item's ECCN classification, the destination country, the end user, and the intended end use. Items classified as EAR99 generally do not require a license for most destinations, but may still be prohibited to sanctioned countries or parties on restricted lists. Controlled items with an ECCN designation require a license or a qualifying license exception for exports to certain country groups. A documented license determination analysis is required for every controlled export regardless of whether a license is ultimately needed.
At minimum, annually. The BIS Commerce Control List, USML, and OFAC sanctions programs are updated regularly β sometimes multiple times per year. Product lines, customer bases, and supply chains also change in ways that can create new export control obligations. A policy that was accurate at adoption may be materially incomplete 18 months later. Assign a named policy owner and set a fixed annual review date on the compliance calendar to ensure the review actually happens.
Yes. A well-structured template covers the core framework β scope, classification, screening, licensing, recordkeeping, training, and violation reporting β that regulators expect to see in any compliance program. Small businesses with straightforward product lines and limited international sales can typically complete the template with internal resources. Companies with ITAR-controlled products, complex supply chains, or operations in multiple countries should supplement the template with a review by a trade compliance attorney or licensed customs broker.
BIS requires exporters to retain all records related to export transactions for 5 years from the date of export or from the expiration of an applicable license, whichever is later. Required records typically include export declarations (Electronic Export Information filings), shipping documents, license determinations and exception analyses, screening results and documentation, end-use certificates, and correspondence related to controlled transactions. DDTC requires ITAR records to be retained for 5 years as well. Records must be produced for government inspection within a defined window during audits.
A trade compliance policy covers both import and export compliance β including customs valuation, tariff classification, and import controls β in a single document. An export control policy focuses exclusively on the outbound side: EAR, ITAR, and sanctions screening. Companies with significant import activity need a trade compliance policy; those focused on international sales or technology transfers can start with the narrower export control document.
An ITAR compliance policy is scoped specifically to defense articles and services listed on the US Munitions List and addresses DDTC registration, Technical Assistance Agreements, and Directorate-specific requirements. An export control policy addresses both EAR and ITAR within a unified framework, making it the better starting point for companies whose product portfolio spans both regimes.
A sanctions compliance policy focuses on OFAC-administered programs β identifying sanctioned countries, entities, and individuals and establishing screening and transaction-blocking procedures. An export control policy incorporates sanctions screening as one component within a broader framework that also covers product classification, licensing, and recordkeeping. Companies with exposure only to financial sanctions (not controlled goods) may only need the narrower sanctions document.
A code of business conduct sets general ethical standards across all company activities β including anti-bribery, conflicts of interest, and fair dealing β at a high level of abstraction. An export control policy is a specific operational procedure document with concrete checklists, roles, and recordkeeping requirements. The code of conduct typically references the export control policy rather than replacing it.
ITAR registration is mandatory for manufacturers and exporters of USML items; export control policies must address Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs) alongside standard shipment procedures.
Software downloads, API access, and cloud-hosted technology are subject to EAR controls; deemed export risk is elevated given the prevalence of foreign national engineers, and encryption items require specific classification review under ECCN 5D002.
Dual-use machinery, components, and materials frequently carry ECCN designations that require license determinations for exports to Country Group D nations, and supply chain re-export obligations must be addressed with distributors.
Certain biological agents, chemical precursors, and medical devices appear on the CCL; exports to sanctioned countries may be prohibited even for humanitarian items unless an OFAC license exception applies.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Companies with EAR-only exposure, straightforward product lines, and limited ECCN-controlled items seeking a documented compliance framework | Free | 3β5 hours to complete and distribute |
| Template + professional review | Companies with ITAR-controlled products, foreign national employees with access to controlled technology, or first-time export compliance programs | $500β$2,500 for a trade compliance attorney or licensed customs broker review | 1β2 weeks |
| Custom drafted | Defense contractors subject to DDTC registration requirements, companies under BIS or OFAC investigation, or multinationals with complex re-export obligations across multiple jurisdictions | $3,000β$15,000+ depending on complexity and attorney time | 4β8 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
