The International Traffic in Arms Regulation (ITAR) mandates that access to physical materials or technical data related to defense and military technologies is restricted to U.S. persons only. It does not, however, impose requirements concerning the recruitment, selection, employment, promotion, or retention of a foreign person. Instead, ITAR requires that employers obtain authorization/export licenses for non-U.S. persons if their positions require access to unencrypted export-controlled data or technology.
Certain departments within ITS have chosen to provide services that may interact with export-controlled data and technology. Principal Investigators have the option to use ITS services to analyze, store, transfer, or otherwise come into contact with export-controlled data as part of their research projects. A breach of export-controlled data to a non-U.S. person comes with potentially heavy financial, criminal, and reputational sanctions. It is therefore imperative that ITS units that choose to provide these compliant services determine who on their team (existing or future) may need government authorization or internal workarounds prior to allowing that person to perform regular job duties.
If a non-U.S. ITS employee (existing or future) will have access to unencrypted export-controlled data, please work with the IT Security Office to determine what internal workarounds can be implemented. These internal workarounds may include a change in job duties, internal documentation and policies, etc. If it is determined that there are no plausible internal workarounds, managers will need to work with the Export Control office to submit a request for government authorization for that employee. Remember, it may be an option for your unit to decide to no longer provide “ITAR compliant” services; however, please work with the IT Security Office prior to making that decision.
In short, ITS units that provide compliant services to researchers that work with export-controlled information are not restricted to only hiring U.S. persons, but will need to take additional steps prior to hiring non-U.S. persons for roles that work with unencrypted export-controlled data.