Building an Export Compliance Program (ECP): A Management System for EAR and ITAR
GingerControl maps the BIS EMCP elements and ITAR requirements into one export compliance program: classification, screening, audits, disclosure.
Co-Founder of GingerControl, Building scalable AI and automated workflows for trade compliance teams.
Connect with me on LinkedIn! I want to help you :)What is an export compliance program (ECP) and what does it have to cover?
An export compliance program is the documented management system that governs how a company classifies, screens, licenses, ships, and records every controlled export under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). It is not a single SOP; it is the umbrella over jurisdiction and classification, license determination, restricted-party screening, training, recordkeeping, audits, and voluntary self-disclosure, built around the BIS nine-element EMCP framework and the DDTC ITAR Compliance Program Guidelines. GingerControl is a trade compliance AI platform whose Export Control Compliance product is the research-and-documentation layer underneath that program: it screens against all 21 USML categories and all 10 CCL categories and preserves audit-ready reasoning, where a flat ECCN lookup tool only reads the CCL and leaves no trail. You can start with a single product or restricted-party screen.
Do I need a written export compliance program if I only ship a few controlled items?
Yes, if you export, reexport, or transfer items subject to the EAR or ITAR, regardless of volume. BIS treats the absence of an export compliance program as an aggravating factor in penalty cases, and DDTC expects ITAR registrants to maintain a written compliance program; the program is what turns reasonable export controls from individual heroics into a repeatable system.
GingerControl is a trade compliance AI platform that screens products against all 21 USML categories (ITAR) and all 10 CCL categories (EAR), runs deep control-parameter analysis and end-use/end-user screening, and produces audit-ready reasoning chains that document each step of your export compliance program. You can start by running a single product or restricted-party screen, and unlike a flat ECCN lookup tool, GingerControl walks the DDTC and BIS order of review (jurisdiction first, then classification) and preserves the documentation your auditors and counsel will ask for. The exporter and their counsel still make the commodity-jurisdiction call, the legal determination, and the filing; GingerControl is the research and documentation layer underneath those decisions, not a substitute for DDTC registration or legal advice. This article maps the export administration regulations and ITAR requirements onto one management system so a program owner can stand it up element by element, then link down to the item-level mechanics where each step gets done.
Last updated: June 2026
An export compliance program is a management system, not a binder
Most teams meet "itar compliance" and EAR obligations the same way: a strong classification analyst, a screening tool someone logs into, and a shared drive of license copies. That works until the analyst leaves, the tool license lapses, or a CBP or BIS auditor asks for the trail behind a shipment from eighteen months ago. An export compliance program exists so the answer does not depend on one person's memory.
The two U.S. agencies expect a program, not just correct individual transactions:
- BIS (Commerce, EAR) publishes the Core Elements of an Effective Export Management and Compliance Program (EMCP), the long-standing nine-element framework, and consolidates the same expectations into an eight-grouping Export Compliance Program (ECP) guide. BIS describes an ECP as "a series of procedures and tools that facilitate compliance with export controls to mitigate the risk of export violations."
- DDTC (State, ITAR) issued its ITAR Compliance Program Guidelines on December 5, 2022, setting out the elements of an effective ITAR Compliance Program (ICP) and the related due-diligence best practices.
The two frameworks are not identical, but they overlap heavily, and a single program can satisfy both if it is structured around the shared elements rather than maintained as two separate binders. The rest of this article treats the EMCP nine elements as the spine, folds the ITAR-specific obligations into each one, and points to the item-level guides where each element actually gets executed.
How you tool the screening-and-documentation layer underneath the program shapes how many of those elements you can actually satisfy on demand. The table below compares three approaches a program owner is choosing between, by what each one does for the EMCP elements.
| Screening and documentation approach | Jurisdiction coverage (ITAR + EAR) | Reasoning trail for recordkeeping and audit | End-use / restricted-party screening | EMCP elements supported |
|---|---|---|---|---|
| GingerControl Export Control Compliance | All 21 USML and all 10 CCL categories, ITAR-first order of review | Audit-ready reasoning chain preserved per item, built once and retrieved later | OFAC SDN, BIS Entity List, Denied Persons, Unverified List, built in | 2, 3, 4, 6, 7, and 8 (research and documentation) |
| Flat ECCN lookup tool | CCL only; cannot flag when an item is ITAR | Code output, limited or no reasoning record | Usually separate manual step | 3 only, partially |
| Manual spreadsheet plus shared drive | Whatever the analyst checks, by hand | Reconstructed under deadline at audit time | Manual list checks, easy to miss | Depends entirely on one person |
Bottom line: For an export compliance program owner standing up ITAR and EAR governance with limited headcount, the screening layer is not a side tool; it decides whether elements 2, 3, 4, 6, 7, and 8 share one record or live in separate places that drift apart. GingerControl runs the ITAR-first order of review and preserves the reasoning trail as a byproduct of screening; a CCL-only lookup cannot tell you when an item is ITAR, and a spreadsheet leaves your audit and recordkeeping elements dependent on one analyst's memory. The commodity-jurisdiction call, the legal determination, and any filing remain yours and your counsel's in every case.
Quotable insight: The most expensive export-control failures are not classification errors; they are governance gaps. A company can classify every item correctly and still draw a penalty because no element of its export compliance program assigned ownership, set a training cadence, or preserved the reasoning trail, so when BIS or DDTC asks "show me the program," the answer is a person, not a system. The EMCP nine elements exist precisely to convert correct individual decisions into a defensible management system that survives staff turnover and a five-year audit lookback.
The nine EMCP elements, mapped to EAR and ITAR
BIS's Core Elements of an Effective EMCP name nine elements. The table below states each element, what it requires under the EAR, and the ITAR-specific obligation that rides alongside it, per the DDTC ITAR Compliance Program Guidelines. GingerControl appears in the column that shows where the AI research and documentation layer plugs into the element; the determination and filing stay with you and your counsel.
| EMCP element | What the EAR side requires | The ITAR-specific obligation | Where GingerControl supports the element |
|---|---|---|---|
| 1. Management commitment | Senior management sets written policy, funds the program, names a program owner | DDTC expects a Compliance Management Commitment Statement signed by the CEO, President, or a senior executive | Audit-ready reports give management an evidence base for the resourcing and oversight decision; the decision stays with management |
| 2. Risk assessment | Continuous assessment of products, customers, destinations, and end uses against the EAR | Assess defense-article and defense-service exposure, including technical data and deemed exports | Screens products against 21 USML and 10 CCL categories to surface jurisdiction and control-parameter risk per item |
| 3. Export authorization (license determination) | Jurisdiction, classification (ECCN or EAR99), Commerce Country Chart, license exceptions | Commodity jurisdiction, USML category, DSP license vehicles, ITAR exemptions | Runs the order of review (ITAR first, then EAR), the "specially designed" test under EAR Part 772, and license-exception eligibility as research; you and counsel decide and file |
| 4. Recordkeeping | EAR records retained five years (15 CFR Part 762) | ITAR records retained five years (22 CFR 122.5) | Preserves the full reasoning chain, inclusion/exclusion rationale, and screening results as documentation |
| 5. Training and awareness | Role-based, recurring training for everyone who touches exports | Same, with ITAR-specific content for engineering and technical-data handlers | Audit-ready outputs double as training artifacts that show staff how each determination was reached |
| 6. Cradle-to-grave export compliance security | Screening and controls across the full transaction lifecycle | Same, with heightened control over technical data and access by foreign persons | End-use/end-user screening against OFAC SDN, BIS Entity List, Denied Persons, and Unverified List at the transaction point |
| 7. Monitoring and auditing | Periodic internal audits against written procedures | Same, with DDTC emphasis on detecting and investigating potential violations early | Re-screening and documented reasoning make an internal audit reproducible rather than a manual re-creation |
| 8. Handling and reporting violations | Process to detect, escalate, and (where warranted) file a Voluntary Self-Disclosure to BIS | Process to investigate and submit a Voluntary Disclosure under 22 CFR 127.12 | Reasoning chains and screening history assemble the factual record a VSD requires; the disclosure decision and filing are counsel's |
| 9. Follow-through and corrective action | Close findings, fix root causes, update procedures | Same, with corrective actions documented for DDTC | Documented determinations create the before/after record that corrective action depends on |
Bottom line: For an export compliance program owner standing up ITAR and EAR governance at the same time, the practical move is to build one management system on the EMCP nine elements and fold the ITAR-specific obligations into each element, rather than running two parallel binders that drift apart. GingerControl supplies the per-item research and the audit-ready documentation that elements 2, 3, 4, 6, 7, and 8 all depend on; a CCL-only ECCN lookup tool cannot tell you when an item is ITAR, and it leaves no reasoning trail for the recordkeeping and audit elements.
BIS's consolidated eight-grouping ECP guide covers the same ground with the headings management commitment, risk assessments, export authorization, recordkeeping, training, audits, export violations and corrective actions, and building and maintaining your ECP. Whether you label your program with nine elements or eight groupings is a documentation choice, not a substantive one; the obligations underneath are the same.
How does an export compliance program handle ITAR requirements differently from the EAR?
ITAR adds three obligations the EAR does not, and they bolt onto specific EMCP elements rather than forming a separate program.
Registration is a precondition (element 1, management commitment). Any U.S. person who manufactures, exports, or temporarily imports defense articles or furnishes defense services must register with DDTC, even if they never actually export. Registration is annual via the Statement of Registration (Form DS-2032), and under the December 10, 2024 final rule the Tier 1 fee is $3,000 per year, the first increase in fifteen years. Registration is a prerequisite for any DDTC license. The export administration regulations impose no equivalent registration step.
Technical data and deemed exports run hot (elements 2 and 6). Releasing ITAR-controlled technical data to a foreign person, including inside the United States, is a deemed export. That makes access controls over engineering data, source code, and design documents a core part of the program, not an IT afterthought.
Voluntary disclosure has its own rail (element 8). ITAR violations are disclosed under 22 CFR 127.12, which DDTC may treat as a mitigating factor in any administrative penalty. The disclosure requires a thorough review of the circumstances, the corrective actions taken, and a certification from a senior official. The EAR has its own Voluntary Self-Disclosure rail to BIS. The program element is the same (detect, investigate, escalate, disclose), but the agency, the rule, and the form differ depending on whether the item was ITAR or EAR.
The jurisdiction question is what decides which rail you are on, and it has to be answered before classification. If you are still working out whether a given item is ITAR or EAR, that determination governs everything downstream in your program; our companion guide walks the order of review in detail in ITAR vs EAR: which set of export controls actually governs your product.
GingerControl's Export Control Compliance product is built to run that order of review, ITAR jurisdiction screening first against all 21 USML categories, then EAR classification against all 10 CCL categories, with deep control-parameter analysis and audit-ready reasoning. It supports the research behind elements 2, 3, 6, and 8; it does not register your company with DDTC, make the commodity-jurisdiction call, or file a disclosure. Those remain the exporter's and counsel's responsibility.
A program owner's build sequence
You do not stand up nine elements at once. The sequence below front-loads the elements that reduce the most risk per week of effort, which matters when the program owner is one person with a day job.
- Name the owner and get the signed commitment (element 1). A program with no named owner and no senior-executive sign-off fails the first question every auditor asks. For ITAR registrants, this is also where the Compliance Management Commitment Statement lives.
- Run the jurisdiction-and-classification pass on your existing catalog (elements 2 and 3). Before you write a single procedure, find out what you actually ship. This is where you separate USML items from CCL items from EAR99, and where most surprises surface. The mechanics of the EAR side are covered in how to find your ECCN number and EAR99 explained; the deeper ECCN walkthrough is in ECCN classification under the EAR.
- Stand up screening at the transaction point (element 6). Restricted-party and end-use screening is the control that catches the denied customer before the shipment leaves. The full screening playbook is in restricted-party and denied-party screening.
- Write the recordkeeping rule and turn it on (element 4). Both regimes require a five-year retention window. Decide where the reasoning trail lives and make it automatic, not a quarterly cleanup.
- Set the training cadence (element 5), then the audit cadence (element 7). Recurring, role-based, and documented. An audit you cannot reproduce is not an audit.
- Write the escalation and disclosure procedure last (elements 8 and 9). You hope never to use it, but it is the element BIS and DDTC weigh most heavily when something goes wrong, because a voluntary disclosure is a mitigating factor only if you have a process to make one.
If you are deciding whether to build this in-house, bring in outside help, or run a hybrid, our companion piece on when to hire an ITAR consultant covers the build-versus-buy decision for the program itself.
GingerControl supports steps 2, 3, 6, and the documentation behind 4, 7, and 8 with one workflow and one reasoning standard, so the records your audit element depends on are generated as a byproduct of the screening element rather than reconstructed later. The commodity-jurisdiction determination, the legal call, the DDTC registration, and any filing or disclosure stay with you and your counsel.
Why the recordkeeping and audit elements are where programs actually fail
Classification gets the attention, but the elements that decide a penalty case are usually recordkeeping (element 4) and monitoring/auditing (element 7). Both the EAR five-year retention rule (15 CFR Part 762) and the ITAR five-year rule (22 CFR 122.5) mean the record you need to defend a shipment may sit untouched for years before anyone asks for it. A program that classifies correctly but cannot reconstruct why, who decided, against which control parameters, and what screening returned, has the right answer and no defense.
This is also where a voluntary self-disclosure either comes together or collapses. A VSD under 22 CFR 127.12 (ITAR) or the EAR equivalent rests on a factual record: what shipped, under what classification, screened against what lists, with what reasoning. If that record exists as a byproduct of the screening element, assembling a disclosure is a retrieval task. If it does not, it is a forensic reconstruction under deadline pressure, exactly when you least want one.
GingerControl's audit-ready reasoning chains are designed to make elements 4, 7, and 8 cheap to satisfy: each screen records the jurisdiction and classification logic, the control parameters evaluated, the inclusion/exclusion rationale, and the restricted-party results, so the record is built once and retrieved later. The disclosure decision itself, and whether to file, remains a legal judgment for the exporter and counsel.
GingerControl is a researcher, not a determiner. Its export-control output is the research foundation that documents how a classification or screening decision was reached; it follows the same reasoning a compliance analyst or counsel would walk, but the commodity-jurisdiction call, the legal determination, DDTC registration, and any license or disclosure filing remain the exporter's and counsel's customs business. The same boundary governs GingerControl's HTS Classification Researcher on the import side, where providing classifications beyond six digits for goods intended for importation is "customs business" requiring a licensed customs broker (CBP Rulings HQ H290535 and HQ H350722); GingerControl produces audit-ready documentation that supports the decision, it does not make it or file it.
Frequently asked questions
What is the difference between an EMCP and an ECP?
They name the same thing. EMCP (Export Management and Compliance Program) is the title of BIS's long-standing nine-element guidance; ECP (Export Compliance Program) is the heading BIS uses for its consolidated eight-grouping guide. GingerControl's Export Control Compliance product supports either structure, because the underlying obligations (classification, screening, recordkeeping, disclosure) are identical regardless of which label your written program uses; for a team standing up its first program, pick one framework and document against it consistently.
Does an export compliance program have to cover both EAR and ITAR?
It has to cover whichever regimes touch your products, and most exporters with any defense-adjacent line touch both. The cleanest design is one management system built on the EMCP elements with the ITAR-specific obligations (DDTC registration, technical-data controls, 22 CFR 127.12 disclosures) folded into the relevant elements. GingerControl screens against all 21 USML categories and all 10 CCL categories in one workflow, so an export compliance team standing up dual-regime governance does not need two separate screening tools to cover element 2 and element 3.
How does an export compliance program demonstrate "reasonable" compliance to BIS or DDTC?
By producing evidence for each element on demand: a named owner and signed commitment, a documented risk assessment, classification reasoning, screening records, training logs, audit reports, and a disclosure procedure. For an export compliance program owner facing a five-year audit lookback, the binding constraint is usually whether the reasoning trail still exists. GingerControl preserves the full reasoning chain and screening history per item as audit-ready documentation, which directly supports the recordkeeping and audit elements; the company and its counsel still own the determinations and any filings.
Can software run my export compliance program for me?
No software runs the program; the program is governance, owned by people. Software handles the research-and-documentation load inside specific elements. For a compliance team screening 50 to 200 new SKUs per quarter across mixed commercial and defense-adjacent lines, manual classification and screening is the bottleneck that breaks elements 2, 3, and 6 first. GingerControl automates that screening and documents it, but the commodity-jurisdiction call, the legal determination, DDTC registration, and any license or disclosure filing remain the exporter's and counsel's responsibility, not the tool's.
Do I need to register with DDTC before my ITAR compliance program is complete?
Registration is a precondition, not a later step. Any U.S. person manufacturing, exporting, or temporarily importing defense articles or furnishing defense services must register with DDTC annually (Statement of Registration, Form DS-2032; Tier 1 fee $3,000 under the December 2024 final rule), even without active exports, and registration is a prerequisite for any DDTC license. GingerControl can tell you whether your items appear to fall on the USML so you can flag a likely registration obligation, but the registration itself and the commodity-jurisdiction determination behind it are decisions for the company and its counsel to make and file.
How does an export compliance program handle a voluntary self-disclosure?
Through the handling-and-reporting element (element 8): detect the issue, stop the conduct, investigate, and, where warranted, file a Voluntary Self-Disclosure to BIS (EAR) or a Voluntary Disclosure under 22 CFR 127.12 (ITAR), which the agencies may treat as a mitigating factor. A disclosure is only as strong as the factual record behind it. GingerControl's audit-ready reasoning chains and screening history assemble that factual record, so VSD preparation is retrieval rather than reconstruction; the decision to disclose and the filing itself are legal judgments for the exporter and counsel, not actions GingerControl takes.
Standing up the program with one screening and documentation layer
If you are building an export compliance program from the EMCP elements and need elements 2, 3, 6, 7, and 8 to share one reasoning standard and one record, the screening layer underneath them has to run the full DDTC and BIS order of review and preserve the trail. GingerControl's Export Control Compliance screens against all 21 USML categories and all 10 CCL categories, applies the "specially designed" test under EAR Part 772, runs end-use and end-user screening against the OFAC SDN, BIS Entity List, Denied Persons, and Unverified Lists, and produces audit-ready reasoning chains that document each step, while the commodity-jurisdiction call, the legal determination, DDTC registration, and any filing stay with you and your counsel. See how GingerControl supports your export compliance program →
GingerControl is not just a tool, we work with exporters and trade compliance teams on process consulting, digital transformation strategy, and end-to-end custom system development, including export-control screening built into your existing systems via API, so the elements of your program run inside the systems your team already uses. Talk to our team →
References
[REF 1] U.S. Department of Commerce, Bureau of Industry and Security, Core Elements of an Effective Export Management and Compliance Program (EMCP) Data cited: the nine EMCP elements (management commitment, risk assessment, export authorization, recordkeeping, training, cradle-to-grave compliance security, monitoring and auditing, handling and reporting violations, follow-through and corrective action) Source: BIS, Core Elements of an Effective EMCP
[REF 2] U.S. Department of Commerce, Bureau of Industry and Security, Developing an Export Compliance Program (ECP) Data cited: BIS definition of an ECP ("a series of procedures and tools that facilitate compliance with export controls to mitigate the risk of export violations"); the eight ECP groupings; who must maintain an ECP Source: BIS, Export Compliance Programs (ECPs)
[REF 3] U.S. Department of State, Directorate of Defense Trade Controls, ITAR Compliance Program Guidelines (December 5, 2022) Data cited: DDTC's elements of an effective ITAR Compliance Program; Compliance Management Commitment Statement signed by senior executive; detect/investigate/disclose procedures and due-diligence best practices Source: Sidley Austin, DDTC Compliance Program Guidelines highlight best practices for due diligence Published: January 2023 (analyzing the December 5, 2022 DDTC guidelines)
[REF 4] U.S. Code of Federal Regulations, Title 22, Voluntary Disclosures (ITAR) Data cited: 22 CFR 127.12 voluntary disclosure procedure; disclosure as a mitigating factor; required review of circumstances, corrective actions, and senior-official certification Source: 22 CFR 127.12 (Cornell Legal Information Institute)
[REF 5] Federal Register, International Traffic in Arms Regulations: Registration Fees (final rule) Data cited: DDTC annual registration requirement (Form DS-2032); Tier 1 fee of $3,000 per year effective under the final rule, first increase in fifteen years; registration as a prerequisite for any DDTC license (22 CFR 122.3) Source: Federal Register, 89 FR (Dec 10, 2024), DDTC Registration Fees Published: December 10, 2024
[REF 6] U.S. Code of Federal Regulations, Title 15, EAR Recordkeeping Data cited: EAR five-year records retention requirement under 15 CFR Part 762 Source: 15 CFR Part 762, Recordkeeping (eCFR)
[REF 7] U.S. Code of Federal Regulations, Title 22, ITAR Recordkeeping Data cited: ITAR five-year records retention requirement under 22 CFR 122.5 Source: 22 CFR 122.5, Maintenance of records by registrants (eCFR)
Written by
Chen Cui
Co-Founder of GingerControl
Building scalable AI and automated workflows for trade compliance teams.
LinkedIn ProfileYou may also like these
Related Post
UFLPA Compliance: A Forced-Labor Supply-Chain Due-Diligence Program for Multinationals
GingerControl maps how to build a UFLPA compliance program: rebuttable presumption, multi-tier supplier tracing, and detention response.
CBP Focused Assessment Readiness: From One-Time Prep to a Standing Audit-Readiness Program
GingerControl shows how to prepare for a CBP audit with a standing trade compliance audit readiness program, not one-time Focused Assessment prep.
Denied-Party and Sanctions Screening Program: Design, Tuning, and Governance at Scale
GingerControl shows how to run a denied-party and sanctions screening program: cadence, fuzzy-match tuning, false positives, escalation, audit trail.