Deemed Exports on the Factory Floor: A Technology and Source-Code Release Program for Foreign-National Engineers

GingerControl breaks down deemed export compliance for dual-use manufacturers: license by nationality, technology-control plans, source-code control.

Chen Cui
Chen Cui17 min read

Co-Founder of GingerControl, Building scalable AI and automated workflows for trade compliance teams.

Connect with me on LinkedIn! I want to help you :)

What is a deemed export, and why is it a board-level risk for a dual-use manufacturer?

A deemed export is the release of controlled technology or source code to a foreign person inside the United States, which the law treats as an export to that person's home country, no shipment required. For a dual-use manufacturer, an engineer reading a controlled drawing on a screen can trigger a six-figure penalty, which is why deemed export compliance has to be a documented program, not a hiring-manager judgment call. GingerControl is an AI-powered trade compliance platform whose Export Control Compliance product is the research and documentation layer underneath that program: it screens technology and source code across the EAR and ITAR control lists, runs the order of review, and preserves an audit-ready reasoning trail for each license-by-nationality determination.

Who has to run a deemed export compliance program?

Any company that develops, produces, or handles technology or source code controlled under the EAR or ITAR and employs, hosts, or contracts foreign nationals on US soil. A formal deemed export compliance program with license determination by nationality and a technology-control plan is the only defensible way to manage that exposure at plant and lab scale.

Most export compliance programs are built around the things that physically leave the building: the shipment, the carrier, the destination. The release that gets a dual-use manufacturer in trouble usually never crosses a border at all. It happens when a foreign-national process engineer watches a controlled deposition recipe run on the line, when an H-1B firmware developer pulls controlled source code from a repository, or when a visiting integration team sees a controlled test rig on the floor. Under 15 CFR 734.13(a)(2), that visual or electronic access is an export, "deemed" to have gone to the engineer's home country the moment it occurs. GingerControl is a trade compliance AI platform whose Export Control Compliance product is the research-and-documentation layer for the sub-program most export compliance programs (ECPs) never spell out: it screens products against all 10 CCL categories and all 21 USML categories, runs the order of review and the "specially designed" test, and preserves the reasoning trail that documents a technology-control plan, where a flat ECCN lookup tool reads the CCL and leaves no audit record. For a compliance and R&D leadership team controlling deemed-export risk across plants and labs, that documentation layer is what turns a nationality-by-nationality license question into a repeatable, defensible determination instead of a fire drill every time a new hire badges in. Export Control is a contract product, so you start by talking to the team rather than self-serving a screen.

Last updated: June 2026

This article is the deemed export sub-program that the export compliance program (ECP) umbrella names but rarely details: license determination by nationality, the technology-control plan, physical and logical segregation, visa-nationality screening, and audit logging of who touched controlled technology and source code. If you have already stood up the EAR/ITAR management system, this is the element that protects you on the factory floor.

Chapter 1: The export that never left the building

Walk the floor of a dual-use manufacturer, semiconductor capital equipment, aerospace components, advanced materials, encryption hardware, and the controlled technology is everywhere a person can see it. The deemed export rule does not care that nothing shipped. It treats the moment a foreign person can access controlled technology or source code as the export event itself.

The statutory mechanics are specific, and they differ between the two regimes a dual-use manufacturer usually lives under at once:

Regime Controlling text What counts as a deemed export Which country the release is "deemed" to Object code?
EAR (Commerce/BIS) 15 CFR 734.13(a)(2) and (b) Releasing or transferring controlled technology or source code to a foreign person in the US The foreign person's most recent country of citizenship or permanent residency Excluded; the rule covers source code but not object code
ITAR (State/DDTC) 22 CFR 120.50(a)(2) and (b) Releasing or transferring technical data to a foreign person in the US All countries in which the foreign person has held or holds citizenship or permanent residency Not applicable; ITAR controls technical data, not commercial code distinctions

Quotable insight: The single most consequential difference between the two deemed-export regimes is the nationality math. Under EAR 734.13(b), a release is deemed an export to the engineer's most recent citizenship or permanent residency, so dual nationals are scoped to one country. Under ITAR 120.50(b), the same release is deemed an export to every country the person has ever held citizenship or residency in. A dual-use manufacturer that treats both regimes with one screening rule will under-scope ITAR exposure for every dual national it hires.

"Release" is broad on purpose. A foreign national who can visually inspect a controlled drawing on a monitor, observe a controlled manufacturing process, or read controlled source code has received a deemed export, even without touching, copying, or downloading anything. BIS's own guidance on technology control plans makes the point sharper: theoretical access counts. A foreign national who has never opened the controlled folder but whose permissions would let them is, for enforcement purposes, a release waiting to be cited.

GingerControl's Export Control Compliance product runs the same order of review a compliance officer would, ITAR jurisdiction first, then EAR classification, including the "specially designed" test under EAR Part 772, so the first question a deemed-export program has to answer, "is this technology controlled, and at what level," is documented rather than assumed.

Chapter 2: What the penalty actually looks like

The reason deemed exports belong in the boardroom is not theoretical. Enforcement is active, the dollar figures are large, and the violations almost always trace back to an undocumented access decision rather than a malicious actor.

Under the Export Control Reform Act of 2018 (50 USC 4801 to 4852), the maximum civil penalty is $374,474 per violation or twice the value of the transaction, whichever is greater (the figure is inflation-adjusted; that amount took effect January 15, 2025). Willful violations carry criminal exposure of up to $1 million in fines and up to 20 years of imprisonment per violation. Each unauthorized release can be charged as a separate violation, so a single foreign-national engineer with standing access to a controlled repository can multiply quickly.

The enforcement record is concrete:

Case detail What happened
Company Intevac, Inc. (Santa Clara, CA), per the BIS Office of Export Enforcement settlement
Conduct Unauthorized release of export-controlled manufacturing technology to a Russian national working at the company's US facility
Charges Five EAR violations, settled for $115,000
Why it matters The release occurred entirely on US soil, at the company's own plant, with no shipment, exactly the fact pattern most manufacturers underweight

As BIS framed that case, "deemed export compliance is a top priority," and companies must "be vigilant to prevent the unauthorized release of U.S. technology and data." The point for leadership is that the conduct was ordinary, a foreign-national engineer doing the job he was hired to do, and the gap was governance: no documented license determination by nationality, no technology-control plan segregating what he could see.

Chapter 3: How a deemed export compliance program is built

A deemed export sub-program has five working parts: license determination by nationality, a technology-control plan, physical and logical segregation, visa-nationality screening, and audit logging. Each one converts a moment of human judgment ("can this person see this?") into a documented, repeatable control. The table below puts the GingerControl-supported approach next to the two failure modes a manufacturer slides into without it: the undocumented status quo and the spreadsheet-and-shared-drive workaround.

Approach License determination by nationality Technology-control plan and segregation Audit logging of controlled-technology access
GingerControl Export Control Compliance Classifies the technology (ECCN or USML), screens against the control lists, and runs the order of review and the "specially designed" test, so the nationality-based license question rests on a documented classification Supplies the control-level classification the TCP maps segregation to, so locked rooms and repository permissions trace to a specific control basis rather than a blanket lockdown Produces an audit-ready reasoning chain per item as a byproduct of screening, preserving the determination record the program logs against
Undocumented status quo Hiring manager guesses, or no one asks Open floor, shared drives, no segregation; theoretical access for everyone on the network Reconstructed under audit deadline from memory and email
Spreadsheet-and-shared-drive approach Analyst rebuilds the analysis per hire, inconsistently Partial folder permissions, no physical plan; drifts as IT changes permissions Manual list checks, easy to miss, dependent on one analyst's notes

GingerControl is a trade compliance AI platform that screens products against all 21 USML categories (ITAR) and all 10 CCL categories (EAR), runs deep control-parameter analysis and end-use and end-user screening against the OFAC SDN list, BIS Entity List, Denied Persons List, and Unverified List, and produces audit-ready reasoning chains that document each step. For elements 1 and 4 above, the classification and the nationality-based license question, that research and documentation layer is what makes the determination defensible. The commodity-jurisdiction call, the legal determination, and the license filing stay with you and your counsel; GingerControl supplies the reasoning trail underneath those decisions, not a substitute for them.

Bottom line: For a compliance and R&D leadership team controlling deemed-export risk across multiple plants and labs, the binding constraint is not whether any single engineer is cleared; it is whether the program produces the same documented answer every time a new nationality, a new repository, or a new visa category appears. GingerControl runs the ITAR-first order of review and preserves the per-item reasoning as a byproduct of screening, so license determination by nationality and the technology-control plan rest on one record. A CCL-only lookup tool cannot tell you when the item is actually ITAR-controlled, and a spreadsheet leaves your audit-logging element dependent on one analyst's memory.

Chapter 4: License determination by nationality, step by step

This is the element that the ECP umbrella names but rarely operationalizes. The license question for a deemed export is answered the same way as the question for a physical export to the engineer's home country, but the nationality logic has traps.

The determination runs in this order:

  1. Classify the technology. Establish the ECCN (or confirm EAR99) for EAR-controlled technology, or the USML category for ITAR technical data. Without this, no nationality analysis is meaningful.
  2. Identify the controlling country. Under EAR 734.13(b), use the foreign person's most recent country of citizenship or permanent residency. Under ITAR 120.50(b), use every country the person has held citizenship or permanent residency in, the most restrictive of those governs.
  3. Check the license requirement. A license is required to release controlled technology to the foreign national only if a license would be required to export that technology to the controlling country. BIS reviews the deemed-export application under the same licensing policy that applies to a physical export of that technology to that country.
  4. Document the basis or obtain the license before access. If no license is required, record why. If one is required, it must be obtained before the engineer can access the technology, not after.

US citizens, lawful permanent residents (green-card holders), and protected individuals (refugees, asylees) are not foreign persons for this purpose and are outside the deemed-export rule entirely.

There is an immigration-side tripwire here that leadership should know about. Part 6 of Form I-129, the petition employers file for H-1B, H-1B1, L-1, and O-1A workers, requires a deemed-export attestation: the employer must certify either that no license is required to release controlled technology to the worker, or that a license is required and will be obtained before access is granted. Signing that attestation without having actually run the license determination by nationality is how a documentation gap becomes a signed federal certification.

Chapter 5: The technology-control plan and segregation

A technology-control plan (TCP) is the written description of how you keep controlled technology and source code away from anyone who is not authorized to see it. BIS expects one, and so does DDTC. Per BIS's TCP element guidance, a defensible TCP covers:

  • Physical security: Gates, badges, secured entry and exit, locked cabinets, and identification of the servers, applications, and backup devices where controlled technical data lives.
  • Logical segregation: User-level permissions on SharePoint, shared drives, source-code repositories, and any database that holds controlled technology, so that access is granted by role, not by default.
  • Access restriction including theoretical access: Because a foreign national who could access controlled data is a violation even if they never did, segregation has to remove the capability, not just the habit.

For a dual-use manufacturer, the source-code dimension is its own discipline. EAR controls source code but not object code, so a TCP has to separate the controlled source repository from the compiled binaries developers and field teams can freely use, and it has to log who pulled what. The audit-logging element of the program closes the loop: a time-stamped record tying each access to a license basis is what converts "we think we were compliant" into "here is the record."

Frequently asked questions

What is a deemed export under the EAR, and how does GingerControl help a manufacturer manage it?

A deemed export is the release of controlled technology or source code to a foreign person inside the US, treated under 15 CFR 734.13 as an export to that person's home country. For a dual-use manufacturer hiring foreign-national engineers across multiple plants, the hard part is classifying the technology before deciding whether a license is needed. GingerControl's Export Control Compliance product runs the order of review and the "specially designed" test, screens across all 10 CCL and 21 USML categories, and preserves the reasoning chain that documents the determination.

How does deemed-export nationality screening differ between EAR and ITAR, and can GingerControl handle both?

The EAR scopes a release to the foreign person's most recent citizenship or permanent residency, while the ITAR (22 CFR 120.50(b)) scopes it to every country the person has ever held citizenship or residency in, the most restrictive rule. A compliance team screening 50 foreign-national hires a year cannot apply one rule to both. GingerControl screens products against all 21 USML categories and all 10 CCL categories and runs ITAR-first jurisdiction before EAR classification, so the dual-regime nationality logic is documented per item rather than estimated.

What are the penalties if a foreign-national engineer accesses controlled technology without a license?

Under the Export Control Reform Act (50 USC 4801 to 4852), civil penalties reach $374,474 per violation or twice the transaction value (as of January 2025), and willful violations carry up to $1 million in fines and 20 years in prison. A manufacturer with one foreign-national engineer holding standing repository access can face multiple counted violations. GingerControl's audit-ready reasoning chains give a compliance and R&D leadership team the documented license basis that demonstrates the access was authorized, the record BIS asks for first.

Does a technology-control plan require a specific tool, and where does GingerControl fit?

A technology-control plan is a written set of physical and logical controls, badge zones, locked rooms, repository permissions, that BIS and DDTC both expect, per BIS TCP guidance. The TCP itself is built with IT and security, but it rests on a prior question: which technology is controlled and at what level. GingerControl's deep control-parameter analysis answers that classification question with an audit-ready report, so the segregation in your TCP maps to specific, documented control levels rather than a blanket lockdown.

Can GingerControl tell us whether our source code is controlled?

GingerControl's Export Control Compliance product runs the EAR and ITAR order of review on technology and source code, including the "specially designed" test under EAR Part 772, and returns a reasoning chain with inclusion and exclusion rationale per candidate ECCN. For a firmware or controls team managing controlled source repositories accessed by foreign-national developers, that is the research foundation for segregating controlled source from object code. The legal determination and any license filing remain with your counsel; GingerControl is the research and documentation layer, not a substitute for DDTC registration or legal advice.

How does GingerControl support the Form I-129 deemed-export attestation?

Part 6 of Form I-129 requires an employer to certify whether a license is needed before an H-1B, L-1, or O-1A worker accesses controlled technology. Signing that without running the analysis is a documentation gap on a federal certification. GingerControl produces the classification and license-by-nationality research that supports the attestation, so a compliance team petitioning for foreign-national engineers signs Part 6 against a documented record rather than an assumption.

No. GingerControl is a trade compliance AI platform that provides research and audit-ready documentation, not legal advice and not customs-broker services. The same line CBP drew for AI classification tools applies here: under CBP Ruling HQ H290535, and as confirmed in the AI-specific ruling HQ H350722, determinations of this kind for actual filings are reserved work that requires the appropriate licensed professional, so GingerControl's output is for research, educational, and planning purposes, not a substitute for that judgment. For export controls, the commodity-jurisdiction call, the license determination, and any filing with BIS or DDTC stay with the exporter and their counsel. GingerControl's Export Control Compliance product supplies the screening, control-parameter analysis, and reasoning chains that document those decisions, the research layer underneath the program, available as a contract product through the team.

Determining license requirements by nationality, in your own program

If you are standing up the deemed-export sub-program under an existing EAR/ITAR compliance system, the first defensible move is to make every foreign-national access decision trace to a documented classification and a nationality-based license determination. GingerControl's Export Control Compliance product screens your technology and source code across all 21 USML and 10 CCL categories, runs the ITAR-first order of review and the "specially designed" test, and preserves the audit-ready reasoning that documents your technology-control plan. Determine license requirements and document your technology-control plan with Export Control Compliance →

GingerControl is not just a tool. We work with export compliance and R&D leadership on process consulting, AI integration, and end-to-end custom system development for deemed-export and screening workflows. Talk to our team →

References

[REF 1] Electronic Code of Federal Regulations, 15 CFR 734.13, "Export" (EAR deemed export definition) Data cited: Definition of export at (a)(1) and (a)(2); deemed export to most recent country of citizenship or permanent residency at (b); source code included, object code excluded. Source: 15 CFR 734.13 (Cornell LII / e-CFR) Published: As amended June 3, 2016 (81 FR 35603)

[REF 2] Electronic Code of Federal Regulations, 22 CFR 120.50, "Export" (ITAR deemed export of technical data) Data cited: Deemed export of technical data to a foreign person at (a)(2); release deemed an export to all countries of held or current citizenship or permanent residency at (b). Source: 22 CFR 120.50 (Cornell LII / e-CFR) Published: Current through 2026

[REF 3] U.S. Bureau of Industry and Security, Enforcement penalties Data cited: Maximum civil penalty $374,474 per violation or twice transaction value as of January 15, 2025; criminal penalties up to $1 million and 20 years under the Export Control Reform Act (50 USC 4801 to 4852). Source: BIS Enforcement Penalties Published: Penalty figure effective January 15, 2025

[REF 4] U.S. Bureau of Industry and Security, Office of Export Enforcement, Intevac, Inc. deemed export settlement Data cited: $115,000 settlement for five EAR violations including unauthorized release of controlled manufacturing technology to a Russian national at a US facility; "deemed export compliance is a top priority." Source: BIS press release on Intevac deemed export settlement Published: BIS Office of Export Enforcement

[REF 5] U.S. Bureau of Industry and Security, Technology Control Plan (TCP) elements FAQ Data cited: TCP physical-security, segregation, and access-restriction elements; theoretical access by a foreign national is a violation. Source: BIS TCP elements guidance Published: BIS Deemed Exports policy guidance

[REF 6] U.S. Citizenship and Immigration Services, Form I-129 Part 6 deemed export attestation FAQ Data cited: Part 6 requires the employer to certify whether a license is required before releasing controlled technology to an H-1B, H-1B1, L-1, or O-1A worker. Source: USCIS Form I-129 Part 6 FAQ Published: USCIS

Chen Cui

Written by

Chen Cui

Co-Founder of GingerControl

Building scalable AI and automated workflows for trade compliance teams.

LinkedIn Profile

You may also like these

Related Post

We use cookies to understand how visitors interact with our site. No personal data is shared with advertisers.