This is the accessible text file for GAO report number GAO-14-315 entitled 'Export Controls: NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies' which was released on May 15, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: April 2014: Export Controls: NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies: GAO-14-315: GAO Highlights: Highlights of GAO14-315, a report to congressional requesters. Why GAO Did This Study: NASA develops sophisticated technologies and shares them with its international partners and others. U.S. export control regulations require NASA to identify and protect its sensitive technology; NASA delegates implementation of export controls to its 10 research and space centers. Recent allegations of export control violations at two NASA centers have raised questions about NASA's ability to protect its sensitive technologies. GAO was asked to review NASA's export control program. This report assessed (1) NASA's export control policies and how centers implement them, and (2) the extent to which NASA Headquarters and CEAs apply oversight of center compliance with its export control policies. To do this, GAO reviewed export control laws and regulations, NASA export control policies, and State and Commerce export control compliance guidance. GAO also reviewed NASA information on foreign national visits and technical papers and interviewed officials from NASA and its 10 centers as well as from other agencies. What GAO Found: Weaknesses in the National Aeronautics and Space Administration (NASA) export control policy and implementation of foreign national access procedures at some centers increase the risk of unauthorized access to export-controlled technologies. NASA policies provide Center Directors wide latitude in implementing export controls at their centers. Federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting. However, NASA procedures do not clearly define the level of Center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director. GAO found that 7 of the 10 CEAs are at least three levels removed from the Center Director. Three of these 7 stated that their placement detracted from their ability to implement export control policies by making it difficult to maintain visibility to staff, communicate concerns to the Center Director, and obtain resources; the other four did not express concerns about their placement. However, in a 2013 meeting of export control officials, the CEAs recommended placing the CEA function at the same organizational level at each center for uniformity, visibility, and authority. GAO identified and the NASA Inspector General also reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies. For example, during a 4-month period in 2013, one center allowed foreign nationals on a major program to fulfill the role of sponsors for other foreign nationals, including determining access rights for themselves and others. Each instance risks damage to national security. Due to access concerns, the NASA Administrator restricted foreign national visits in March 2013, and directed each center to assess compliance with foreign national access and develop corrective plans. By June 2013, six centers identified corrective actions, but only two set time frames for completion and only one planned to assess the effectiveness of actions taken. Without plans and time frames to monitor corrective actions, it will be difficult for NASA to ensure that actions are effective. NASA headquarters export control officials and CEAs lack a comprehensive inventory of the types and location of export-controlled technologies and NASA headquarters officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance. Export compliance guidance from the regulatory agencies of State and Commerce states the importance of identifying controlled items and continuously assessing risks. NASA headquarters officials acknowledge the benefits of identifying controlled technologies, but stated that current practices, such as foreign national screening, are sufficient to manage risk and that they lack resources to do more. Recently identified deficiencies in foreign national visitor access discussed above suggest otherwise. Three CEAs have early efforts under way to better identify technologies which could help focus compliance on areas of greatest risk. For example, one CEA is working with NASA's Office of Protective Services Counterintelligence Division to identify the most sensitive technologies at the center to help tailor oversight efforts. Such approaches, implemented NASAwide, could enable the agency to better target existing resources to protect sensitive technologies. What GAO Recommends: GAO recommends that the NASA Administrator establish guidance to better define the CEA function, establish time frames to implement foreign national access corrective actions and assess results, and establish a more risk-based approach to oversight, among other actions. NASA concurred with all of our recommendations and provided information on actions taken or planned to address them. View [hyperlink, http://www.gao.gov/products/GAO-14-315]. For more information, contact Belva Martin at (202) 512-4841 or martinb@gao.gov. [End of section] Contents: Letter: Background: Weaknesses in Implementation of NASA Export Control, Foreign National Access, and Scientific and Technical Information Procedures at Some Centers Create Export Control Vulnerabilities: NASA Lacks a Comprehensive Inventory of Export-Controlled Technologies and NASA Headquarters Is Not Fully Utilizing Oversight Tools: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Department of Commerce Elements of an Effective Compliance Program: Appendix III: Comments from National Aeronautics and Space Administration: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: NASA Key Offices for Export Controls and Their Responsibilities: Table 2: Selected Export Control Program Concerns Raised by NASA Center Export Administrators (CEA): Figures: Figure 1: Organizational Relationship of NASA Headquarters and Centers for Export Controls: Figure 2: Notional Reporting Structure: Figure 3: NASA Center Export Control Staff Resources (as of Fiscal Year 2013): Figure 4: CEA Export Control Workload Activities in Fiscal Year 2013: Figure 5: Foreign National Visits at NASA Centers and Headquarters, Fiscal Year 2013: Abbreviations: CEA: Center Export Administrator: EAR: Export Administration Regulations: ECR: Export Control Representative: HEA: Headquarters Export Administrator: ITAR: International Traffic in Arms Regulations: JPL: Jet Propulsion Laboratory: NAPA: National Academy for Public Administration: NASA: National Aeronautics and Space Administration: NPD: NASA Policy Directive: NPR: NASA Procedural Requirement: STI: Scientific and Technical Information: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: April 15, 2014: The Honorable Lamar Smith: Chairman: Committee on Science, Space, and Technology: House of Representatives: The Honorable Paul Broun: Chairman: Subcommittee on Oversight: Committee on Science, Space, and Technology: House of Representatives: The National Aeronautics and Space Administration (NASA) develops new and sophisticated technologies to accomplish its missions in areas such as robotic probes to explore the surface of Mars, and spacecraft to transport humans and cargo beyond low-earth orbit. The National Aeronautics and Space Act directs NASA to provide the widest practical and appropriate dissemination of information concerning its activities and results. The U.S. export control system, regulated primarily by two agencies--the Departments of State and Commerce--seeks to limit the risk of sensitive information and items falling into the wrong hands while allowing legitimate sharing of information and trade to occur. U.S. export control regulations require any exporter, including NASA, to protect its sensitive information and technology. NASA delegates primary responsibility for export control implementation to its 10 research and space centers.[Footnote 1] Recent allegations of export control violations at the Ames and Langley Research centers, involving foreign national visits, among other things, as well as export-controlled technical data published on the NASA website without prior review have raised questions about NASA's ability to protect its sensitive technologies from unauthorized access. You asked us to review issues related to NASA's export control program. In this report we assess (1) NASA's export control policy and procedure and how centers implement them, and (2) the extent to which NASA headquarters and Center Export Administrators apply oversight of center compliance with its export control policy and procedure. To do our work, we identified export control laws and regulations, assessed NASA export control policy and procedure against the export control regulatory agencies' elements of an effective compliance program, as well as Standards for Internal Control in the Federal Government.[Footnote 2] We evaluated NASA implementation and oversight of export controls through reviews of export control documents, such as NASA export control audits and NASA-reported data on the number of foreign national visits as well as number of reviews of scientific and technical information. We assessed the reliability of these data by reviewing existing information about the data and the system that produced them, and interviewing agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report. We interviewed export control and other relevant officials at NASA Headquarters and its nine centers and the Jet Propulsion Laboratory (JPL). We also reviewed documents and interviewed officials involved in export controls at the Departments of Commerce, Justice, and State. Appendix I provides a more detailed description of our scope and methodology. We performed our review from May 2013 through April 2014, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: The United States controls the export of certain goods and technologies for national security, foreign policy, or nonproliferation reasons, and the export control system seeks to limit sensitive items from falling into the wrong hands while, at the same time, allow legitimate trade to occur. The U.S. government's control over the export of defense and dual-use items is intended to ensure that U.S. interests are protected in accordance with the Arms Export Control Act and the Export Administration Act.[Footnote 3],[Footnote 4] The Departments of State and Commerce are the regulatory agencies for export controls. Generally, exporters may submit a license application for approval to export items to State if their items are controlled on the International Traffic in Arms Regulations (ITAR) U.S. Munitions List or to Commerce if their items are controlled on the Export Administration Regulations (EAR) Commerce Control List. Both the ITAR and EAR provide for exemptions and exceptions to licensing requirements, respectively. NASA's exports involve the transfer of commodities, software, or technologies to foreign individuals or organizations, mainly through international agreements.[Footnote 5] NASA is to ensure that exports and transfers of commodities, technical data, or software to foreign persons are carried out in accordance with U.S. export control laws and regulations.[Footnote 6] NASA's export control program is governed by a NASA Policy Directive (NPD) and NASA Procedural Requirement (export control NPR).[Footnote 7] NASA export control policy outlines the goals of the export control program and NASA export control procedures contain detailed requirements and responsibilities for implementing the policy. NASA policy is to maximize the benefits of its international efforts while ensuring that it complies with U.S. export control laws and regulations, and states that this compliance is each employee's personal responsibility. NASA's International Agreements are to contain a clause on transfers of controlled goods and data for export control purposes. Per NASA's export control NPR, programs with international involvement are recommended to prepare a Technology Transfer Control Plan, which is a document intended to identify the technologies subject to export controls; identify foreign persons and nations involved in the project; and determine which export-controlled technologies can be transferred or disclosed to foreign persons and how export-controlled technologies will be protected from unauthorized transfer. Much of NASA's work is published in papers, called Scientific and Technical Information (STI). STI consists of the collected set of facts, analyses, and conclusions resulting from scientific, technical, and related engineering research and development efforts, both basic and applied; and is generally available to the public through NASA's Technical Reports Server database and other publication services.[Footnote 8] As shown in figure 1, NASA has 10 centers, including the JPL. NASA performs its missions through numerous programs and projects; working with contractors and grantees, as well as with foreign nationals. Figure 1: Organizational Relationship of NASA Headquarters and Centers for Export Controls: [Refer to PDF for image: organizational chart] Top level: NASA administrator. Second level: Associate administrator; Deputy administrator. Third level, reporting to Associate administrator: Mission directorates: * Human exploration; * Aeronautics; * Science; * Space technology; NASA Centers: * Ames Research Center; * Dryden Flight Research Center; * Glenn Research Center; * Goddard Space Flight Center; * Johnson Space Center; * Kennedy Space Center; * Langley Research Center; * Marshall Space Flight Center; * Jet Propulsion Laboratory; * Stennis Space Center. Third level, reporting to Deputy administrator: Office of International and Interagency Relations; Office of the Chief Information Officer; Mission support: * Office of Protective Services: Counterintelligence/Counterterrorism; * NASA Management Office. Additional relationships: NASA centers with Office of International and Interagency Relations; Both with Office of Protective Services; Jet Propulsion Laboratory with NASA Management Office. Source: GAO analysis of documents. Note: Dryden Flight Research Center is undergoing a name change to Armstrong Flight Research Center. [End of figure] NASA Headquarters Export Administrator (HEA), the Center Directors, and their appointed Center Export Administrators (CEA), as well as Center Project Managers are some of the key personnel responsible for implementing NASA's export control program, as shown in table 1. Table 1: NASA Key Offices for Export Controls and Their Responsibilities: NASA key offices for export controls: NASA's Office of International and Interagency Relations; Export control responsibilities: Formulates NASA's export control program and includes the HEA, who is responsible for ensuring compliance of all NASA program activities and exports with U.S. export control laws and regulations. NASA key offices for export controls: Center Directors; Export control responsibilities: Ensure all international projects under their purview comply with U.S. export control laws and regulations, and NASA policy and procedure; appoint a senior-level CEA; and ensure that the CEA's other responsibilities do not conflict with their export control duties. NASA key offices for export controls: Center Export Administrators (CEA); Export control responsibilities: Ensure center compliance of all center program activities with U.S. export control laws and regulations; participate in the review process for approving foreign person visitors and hires; confirm the appropriate export controls for publishing and disseminating scientific and technical information; and provide export control training. CEAs may also establish a network of Export Control Representatives (ECR) to assist with export determinations and reviews and coordinate export control issues with the CEA. The ECR is to maintain a working knowledge of the export control laws and regulations. NASA key offices for export controls: Center Program and Project Managers; Export control responsibilities: In consultation with the CEA, ensure that international activities under their direction provide appropriate safeguards for exported or transferred technical data or commodities; oversee NASA-directed contractor export activities; provide export control training; and ensure programs and projects include a technology transfer control plan, as appropriate. NASA key offices for export controls: Office of Protective Services; Export control responsibilities: Provide policy direction and procedural requirements for the physical security of NASA assets; Located at each center, the International Visit Coordinator is to vet foreign national visitors to NASA; NASA's Counterintelligence/Counterterrorism Division is to detect, deter, neutralize, and exploit Counterintelligence and Counterterrorism threats to NASA employees, information, technologies, and property by foreign intelligence services, other foreign adversarial entities, and domestic/international terrorism; conducts threat assessments of NASA facilities. NASA key offices for export controls: Office of the Chief Information Officer; Export control responsibilities: Develop and maintain an agency-wide information security program and implement identity credential and access management, which includes overall responsibility for implementation of requirements related to verifying identities of persons who require access to NASA's physical and information technology assets and issuing agency credentials that are used for access to both physical and information technology assets. Source: NASA procedural requirements for export controls, physical security, and virtual security. [End of table] Weaknesses in Implementation of NASA Export Control, Foreign National Access, and Scientific and Technical Information Procedures at Some Centers Create Export Control Vulnerabilities: Weaknesses in NASA's export control policy concerning the CEA function, and implementation of foreign national access and STI review procedures at some centers increase the risk of unauthorized access to export-controlled technology. NASA's export control policy is silent in terms of CEA organizational placement and resources and gives Center Directors wide latitude in how the CEA function and export controls are implemented at their centers. Center management decisions regarding the export control function caused CEA concerns such as a lack of visibility, authority, and resources to carry out export control responsibilities. Further, we identified and the NASA Inspector General also reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies. We also found that some centers did not adhere to NASA procedures for export reviews of scientific and technical papers prior to public release. Every instance of unapproved access or unapproved release of information is important as inadvertent disclosure of export-controlled information or technology can damage national security and U.S. foreign policy interests. NASA centers have corrective actions underway to improve management of foreign national access to export-controlled technology, as well as the release of STI. Management Decisions on Center Export Administrator Authority, Organizational Placement, and Resources Affect Export Control Implementation at Centers: Limited Authority and Low Organizational Placement: NASA's export control NPD gives the CEA the responsibility to ensure center compliance with export control laws and regulations and the NPD provides that the position is to be "senior-level," but does not define this level. NASA headquarters export control officials define senior-level as a person in the senior executive service or at the GS- 15 level. However, we found that no CEAs were at the senior executive service level and only three CEAs were GS-15s.[Footnote 9] By contrast, CEAs at the remaining seven centers were at the GS-14 and GS- 13 levels. In addition, NASA's export control NPR does not contain a provision on the placement of the export control function and CEA within the center's organizational structure, and, according to NASA Headquarters' export control officials, each Center Director has the discretion of where to place the export control function. At seven of the centers, CEAs reported being at least three organizational levels from the Center Director, as shown in figure 2. Figure 2: Notional Reporting Structure: [Refer to PDF for image: illustration] Center Export Administrator: reports to: Security/Logistics; reports to: Operations Directorate; reports to: Center Director. Source: GAO analysis of NASA documents. [End of figure] CEAs at three of the seven centers stated this placement in the organization makes it difficult to maintain authority, visibility to staff, communicate concerns to the Center Director, and obtain the resources necessary to carry out export control responsibilities to their fullest extent; the remaining four did not cite specific concerns about their placement. For example, two CEAs told us of instances where program officials went directly to the Center Director or other directorate level management officials to dispute an export control decision of the CEA that conflicted with the program's priorities. Specifically, a branch chief at one center told us that he will go to the CEA's directorate head when he does not like the CEA's decision. In some cases, the CEAs felt pressure from center management and subsequently overturned their decision. Further, one of the three centers has two appointed CEAs, who share authority and have differed on their responses to project inquiries. For example, one of these CEAs stated that the other CEA made errors and/or a different decision during the month he/she assumed CEA responsibilities. These officials noted that this practice resulted in a lack of consistent export control guidance from this center's export control office. According to NASA headquarters export control officials, differing guidance within a center's export control office is not desirable, but they did not intervene, citing that NASA policy empowers Center Directors to appoint the CEA. In the remaining four centers, including JPL, that did not express concerns with organizational placement, the export control function and CEAs were organizationally at a level close to the Center Director. One of these CEAs stated that his placement as Special Assistant to the Center Director creates a supportive environment to incorporate export controls into the project management processes and to require and provide export control training for the majority of center staff. State and Commerce guidance suggest that authority of key empowered officials is a core element of an effective compliance program;[Footnote 10] federal internal control standards require an organizational structure that clearly defines key areas of authority and establishment of appropriate lines of reporting.[Footnote 11] In a 2013 annual meeting with NASA Headquarters' export control officials, a document produced by the CEAs recommended that CEAs should be located at the same organizational level at each center for uniformity, visibility, and authority. Variation in Center Export Control Resources: NASA headquarters' export control officials, as well as several CEAs, noted that limitations in staff resources and time spent on export control functions makes it difficult to carry out the full range of export control duties, such as improving center export control procedures or providing a more robust export control training program. State and Commerce guidance also suggest that an effective compliance program include provision of sufficient resources. However, NASA's export control NPR does not discuss the allocation of resources for the export control function or for the CEA within the center, and, according to NASA headquarters' export control officials, each Center Director has the discretion of how to allocate resources to the export control function. We found variation among the centers in the staff resources assigned to the export control function, as shown in figure 3. Specifically, we found that centers dedicated from as little as one civil servant staff to three staff, with additional staff that could be available to support the export control function, as needed. Further, CEAs at five of the centers told us they are routinely assigned duties other than export control that sometimes result in competing priorities with export control duties. For example, the CEA at one center also serves as the Branch Head for logistics and transportation management branch, while another CEA is the Division Chief for the center's facility planning and utilization division. In addition to CEA staff, six of the centers also had established networks of Export Control Representatives (ECR). The NPR allows CEAs to establish a network of ECR--in the Center Directorate or program organization--to assist with export control determinations and reviews, and coordinate export control issues with the CEA. ECRs assist with export control determinations and reviews, and coordinate export control issues with the CEA. The ECR is to maintain a working knowledge of the export control laws and regulations and can assist the Center Directorate or program with compliance and development of Technology Transfer Control Plans. Figure 3: NASA Center Export Control Staff Resources (as of Fiscal Year 2013): [Refer to PDF for image: illustration] Ames Research Center: Center Export Administrator's percentage of time spent on export control function: Less than full-time Civil servant: 2 Contractor personnel: 0; Number of export control representatives: 18 (approximately). Dryden Flight Research Center: Center Export Administrator's percentage of time spent on export control function: Full-time; Civil servant: 1; Contractor personnel: 0; Number of export control representatives: 0. Glenn Research Center: Center Export Administrator's percentage of time spent on export control function: Less than full-time; Civil servant: 1; Contractor personnel: 1; Number of export control representatives: 38. Goddard Space Flight Center: Center Export Administrator's percentage of time spent on export control function: Less than full-time; Civil servant: 2; Contractor personnel: 2.5; Number of export control representatives: 0. Jet Propulsion Laboratory: Center Export Administrator's percentage of time spent on export control function: Less than full-time; Civil servant: 1; Contractor personnel: 9; Number of export control representatives: 600. Johnson Space Center: Center Export Administrator's percentage of time spent on export control function: Full-time; Civil servant: 3; Contractor personnel: 6; Number of export control representatives: 80. Kennedy Space Center: Center Export Administrator's percentage of time spent on export control function: Full-time; Civil servant: 3; Contractor personnel: 0; Number of export control representatives: 0. Langley Research Center: Center Export Administrator's percentage of time spent on export control function: Full-time; Civil servant: 2; Contractor personnel: 2; Number of export control representatives: 0. Marshall Space Flight Center: Center Export Administrator's percentage of time spent on export control function: Full-time; Civil servant: 2; Contractor personnel: 1; Number of export control representatives: 70 (approximately). Stennis Space Center: Center Export Administrator's percentage of time spent on export control function: Less than full-time; Civil servant: 1; Contractor personnel: 0; Number of export control representatives: 1. Source: GAO analysis of NASA data. [End of figure] We also found indications that the resources assigned to export controls at centers did not always appear to be commensurate with the export control workload. Specifically, 8 of the 10 centers had two or fewer civil servant staff and 6 with some contractor support to carry out export control activities for hundreds to thousands of foreign national visits, STI reviews, international agreements, and technical assistance agreements. For example, at one center in 2013, two civilian export control officials working less than full time on export control activities were responsible for reviewing and providing any needed export control restrictions for over 3,000 foreign national visitors and conducting STI reviews for over 2,000 publications. See figure 4 for export control workload by center for fiscal year 2013. Figure 4: CEA Export Control Workload Activities in Fiscal Year 2013: [Refer to PDF for image: illustrated U.S. map] Ames Research Center, Mountain View, CA: Foreign national visits: 1,986; Number of scientific and technical information reviews: 811; International agreements: 42; Technical assistance agreements: 5. Dryden Flight Research Center, Edwards Air Force Base, CA: Foreign national visits: 258; Number of scientific and technical information reviews: 223; International agreements: 5; Technical assistance agreements: 2. Glenn Research Center, Cleveland, OH: Foreign national visits: 383; Number of scientific and technical information reviews: 1,056; International agreements: 15; Technical assistance agreements: 3. Goddard Space Flight Center, Greenbelt, MD: Foreign national visits: 3,003; Number of scientific and technical information reviews: 2,442; International agreements: 116; Technical assistance agreements: 81. Jet Propulsion Laboratory, Pasadena, CA: Foreign national visits: 1,713; Number of scientific and technical information reviews: 9,258; International agreements: 34; Technical assistance agreements: 28. Johnson Space Center, Houston, TX: Foreign national visits: 1,761; Number of scientific and technical information reviews: 1,408; International agreements: 76; Technical assistance agreements: 51. Kennedy Space Center, Merritt Island, FL: Foreign national visits: 373; Number of scientific and technical information reviews: 390; International agreements: 3; Technical assistance agreements: 7. Langley Research Center, Hampton, VA: Foreign national visits: 319; Number of scientific and technical information reviews: 2,158; International agreements: 31; Technical assistance agreements: 4. Marshall Space Flight Center, Huntsville, AL: Foreign national visits: 570; Number of scientific and technical information reviews: 875; International agreements: 14; Technical assistance agreements: 10. NASA Headquarters, Washington, DC: Foreign national visits: 558; Number of scientific and technical information reviews: 262; International agreements: 31; Technical assistance agreements: 207. Stennis Space Center, Hancock County, MS: Foreign national visits: 522; Number of scientific and technical information reviews: 21; International agreements: 2; Technical assistance agreements: 0. Source: GAO analysis of NASA data. [End of figure] The CEA at one of the eight centers expressed concerns that limited resources affect her ability to fully conduct export control duties. Specifically, she stated that the time to complete required activities, including reviews of STI, foreign national visits, and license requests leaves little time to improve procedures or provide more robust training. Additionally, in 2013, another center was provided two additional export control staff after an internal study found that having one civil servant and one contractor employee dedicated to export control functions created review backlogs and was not sufficient to carry out the workload. As stated above, NASA's NPR is silent on the provision of resources, including consideration of such factors as workload. NASA has Efforts Under Way to Address Weaknesses in Foreign National Access and Release of Scientific and Technical Information: Foreign National Access to NASA Technologies: Throughout fiscal year 2013, and as shown in figure 5, NASA centers and Headquarters approved over 11,000 foreign national visits for periods ranging from less than 30 days to greater than 6 months. Figure 5: Foreign National Visits at NASA Centers and Headquarters, Fiscal Year 2013: [Refer to PDF for image: vertical bar graph] Number of days: Less than 30; Number of visit approvals: 5,129. Number of days: 30-179; Number of visit approvals: 2,415. Number of days: More than 180; Number of visit approvals: 3,902. Total: Number of visit approvals: 11,446. Source: GAO analysis of NASA data. [End of figure] NASA's security procedure requires screening of all foreign national visitors, prior to gaining approval for access to any NASA facility; and this procedure applies to foreign national visits and other foreign national access, including by civil servants, contractors, researchers, and news media. NASA Offices of Security and Chief Information have responsibilities for developing and implementing agency-wide physical and information technology security policies and programs, including ensuring safeguards for physical and information technology access. NASA security procedures provide that the sponsors for foreign nationals will be NASA civil servants or JPL employees who are U.S. citizens. We identified instances where NASA security procedures for foreign national access were not followed, which were significant given the potential impact on national security or foreign policy from unauthorized access to NASA technologies. Specifically, at one center, export control officials' statements and our review of documentation showed that, in seven instances between March and July of 2013, foreign nationals fulfilled the role of sponsors--typically NASA project managers or other NASA officials who establish and endorse the need for a relationship between the foreign national and NASA and request their access to: NASA facilities and information technology systems--by identifying the access rights to NASA technology for themselves and other foreign nationals for one NASA program. This is not in compliance with NASA's security procedures which provide that only NASA civil servants or JPL employees who are U.S. citizens can act as sponsors for foreign nationals, which is a step in NASA's process of determining the level of foreign national access to program controlled technologies or information. Ultimately, the NASA center International Visit Coordinator conducts the final approval and activation of a foreign national's access to NASA systems. This center is taking action to address this issue and, as of December 2013, it developed a new approval process and criteria for foreign nationals requesting access to center automated databases and made revisions to center policies for information systems and foreign national access. Most centers use an access control plan outlining individual access rights for foreign nationals. This plan sets the general parameter of a foreign national's access to a NASA facility and to NASA technology resources and information. As required in NASA security procedures, the International Visit Coordinator is to report to the foreign national's sponsor the terms and conditions of the visit which include, but are not limited to, the security and export control provisos; and the sponsor shall ensure adherence to the foreign national's access requirements. According to a NASA October 2013 Inspector General report, NASA sponsors are to brief foreign nationals on their access restrictions and to ensure that co-workers in the area in which the foreign national will work are aware of these restrictions, such as access to export-controlled information. [Footnote 12] CEAs and Security officials from three centers cited instances where sponsors, escorts and personnel working at the facility being visited by foreign nationals were not aware of their roles and responsibilities or the provisos that detailed the level of physical and virtual access for the foreign national visitor. Similarly, the NASA Inspector General reported in October 2013, that the sponsors for a foreign national employee at Langley Research Center did not provide copies of the foreign nationals access restrictions to other NASA employees who may have had contact with the foreign national nor briefed them on the Plan's provisos, including that the foreign national be escorted at all times. In March 2013, due to congressional concerns about NASA's ability to control sensitive information, appropriately screen and supervise foreign nationals working at NASA programs or with access to NASA information, and respond to possible security violations in a timely manner, the NASA Administrator placed a moratorium on foreign national visitors from certain designated countries, including China and Iran, at all of the NASA centers. The Administrator also ordered each center to complete a review of NASA's compliance with foreign national access procedures, including compliance with NASA's export control NPR. In response, each center conducted an assessment of its foreign national access procedures and reported deficiencies and corrective action plans to NASA headquarters. We reviewed each center's assessment, which identified a range of corrective actions including strengthening escort and sponsor responsibilities, augmenting required training, and updating security procedures. For example, six centers and NASA Headquarters identified actions to strengthen their foreign national escort procedures or training in response to the moratorium. Specifically, one CEA told us that prior to the moratorium, her center did not require escorts for foreign visitors to be briefed on export controls and that the center now requires the escort to sign an agreement which details their obligations. The center's response to the moratorium showed that it is updating its center-level escort policy. We found that NASA lifted the moratorium on foreign national visitors by June 2013, and six centers identified corrective actions, but are still in the process of implementing these actions. Federal internal control standards highlight the importance of managers developing plans with specific timeframes and comparing actual performance to expected results;[Footnote 13] however, only two centers developed timeframes for completing actions and only one had developed plans for assessing the effectiveness of actions taken. For example, the international visitor and counterintelligence offices at one center are updating foreign national escort training and plan to verify that escorts have received the appropriate training, but the center did not provide a timeframe for completion of this task. NASA Headquarters export control officials acknowledged the lack of specific timeframes for completing the corrective actions, but stated that it is each center's responsibility to ensure corrective actions are fully implemented. Without plans and timeframes to monitor corrective actions identified, it will be difficult for NASA to ensure that actions are implemented and effectively address foreign national access related issues. Use of Technology Transfer Control Plans: NASA's export control NPR provides that CEAs are to provide assistance in the development of appropriate Technology Transfer Control Plans (control plan), and that NASA program and project managers should consult with CEAs in the development of appropriate control plans for their programs/projects that involve foreign participation and exports. NASA's NPR recommends a control plan for all programs with international partners, but plans are only required when working with countries that are not members of NATO or are not major non-NATO allies. Control plans assist in the identification of technologies subject to export controls; identification of foreign persons and nations involved in the project; and the determination of which technologies can be shared and how other technologies are to be protected from unauthorized transfer. However, according to one CEA, control plans are not written unless the export control office pushes programs to write them. Another CEA explained that programs do not review control plans often enough to keep up with changing access needs for foreign nationals. Further, in March 2013, CEAs requested that NASA headquarters clarify the control plan requirements and update the export control NPR to make control plans mandatory for all programs and projects with foreign national participation, regardless of country of origin. Additionally, in October 2013, a NASA Inspector General report recommended that NASA further improve NASA's foreign visitor approval process by examining the roles of the different offices that have input into the foreign visitor approval process and ensure that all appropriate offices are represented and that responsibilities are appropriately assigned.[Footnote 14] In its response to this report, NASA stated that, in July 2013, it had requested that the National Academy of Public Administration (NAPA) conduct an independent review of NASA's foreign national access management; and that NASA had formed a working group to revise the format and content of control plans. According to NASA headquarters export control officials, this working group is considering standardizing the format for control plans and determining when a control plan should be required, but is still in the formative stages.[Footnote 15] Review and Release of NASA Scientific and Technical Information: NASA's procedural requirement for STI requires that all STI intended for release outside of NASA or presented at internal meetings where foreign persons may be present undergo technical, legal, and export control reviews, among others, to ensure that information is not unintentionally released through publication.[Footnote 16] The CEA or a designated representative is required to sign a form showing confirmation of their export control review electronically or on a hard copy document STI form. NASA's Office of the Chief Information Officer is responsible for implementing the STI requirements and does so through its program office at Langley Research Center. This office is required to collect and maintain STI data to measure performance trends to determine the value of the STI Program. The STI program also conducts compliance audits annually at all centers (excluding JPL) to determine how well centers are complying with the STI process and whether all STI released went through the process. NASA established the annual STI audits in response to a 2008 NASA Inspector General report that found that over 8 percent of STI papers from four centers were released without an export control review in fiscal years 2005 and 2006.[Footnote 17] Based on our review of NASA's most recent STI compliance audits, most centers continue to release STI that has not been reviewed for export control purposes. Specifically, NASA's most recent compliance audits at each center, in 2011, found that about 20 percent of sampled documents from seven centers did not follow the STI process. In addition, we identified at least 50 STI products at one center that were publicly released from August 2012 through February 2013--prior to an export control review. According to NASA officials, this center reviewed approximately 2,100 STI products per year in fiscal years 2012 and 2013. Further, a 2013 NASA review at this center found that approximately 10 percent of total STI products were released without export control review, due to a lack of resources, as well as deliberate action by authors to avoid export control review of papers prior to release. In addition, five CEAs told us they were concerned that information posted by NASA's Office of Public Affairs or posted on NASA websites, including social media, may not go through an export control review. The NPR for export controls requires the HEA or CEAs to conduct an export control review of STI prior to publication--including website postings--and determine if the data subject to export control are suitably protected. According to NASA Headquarters export control officials, not all the information NASA releases qualifies as STI. However, we found that the Office of Public Affairs at two centers is not providing this information to CEAs for export control review in advance of publication. Three CEAs expressed further concerns to NASA headquarters about videos posted on a NASA website that provided what they believed were sensitive details on a major NASA program. According to one of these CEAs, there was no coordination with export control at any of the centers associated with the program prior to posting the videos. NASA headquarters has not provided guidance to the CEAs regarding these videos, and a headquarters official told us they are still determining whether the videos contained export-controlled information. We did not assess STI documents that were not reviewed or information that was posted on NASA websites without export control review to determine if their release violated export controls, but without the completion of these required reviews, NASA is at increased risk of inadvertently releasing controlled technologies. According to NASA headquarters export control officials, the STI program office is working with STI managers at each center to emphasize the existing requirement for export control review of STI before it is released outside of NASA. NASA Lacks a Comprehensive Inventory of Export-Controlled Technologies and NASA Headquarters Is Not Fully Utilizing Oversight Tools: NASA headquarters export control officials and CEAs lack a comprehensive inventory of export-controlled technologies, and NASA headquarters officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance. NASA headquarters officials acknowledge the benefits of identifying controlled technologies, but stated that current practices such as foreign national screening are sufficient to manage risk and that they lack resources to do more. We found that three centers have begun efforts to identify technologies and focus export compliance activities. Among oversight tools, NASA headquarters export control officials have annual audits, export control conferences with CEA, and voluntary disclosures, but have taken limited steps to address deficiencies identified through these tools. NASA Lacks a Comprehensive Inventory of Types and Locations of Export- Controlled Technologies at Its Centers, Limiting Ability to Identify Risk: NASA's export control NPR provides that NASA program managers are to identify, in consultation with the CEA, export-controlled technical data and technologies. However, NASA headquarters export control officials and CEAs lack a comprehensive inventory of the types and location of export-controlled technologies at the centers, limiting their ability to identify internal and external risks to export control compliance. In addition, State and Commerce elements of an effective compliance program state the importance of identification of controlled items, as well as continuous risk assessment of the program. For example, Commerce's Compliance Guidelines suggest nine elements of an effective compliance program, as shown in appendix II, and that a key step in addressing risk is to assess areas of vulnerability, including a technical assessment of export-controlled items.[Footnote 18] Five CEAs told us that they do not know the types and locations of export-controlled technologies, but rather rely on NASA program and project managers to have knowledge of this information. Per the export control NPR, NASA program and project managers are required to ensure export-controlled items and technical data are marked or identified, to help ensure that exports and transfers to foreign parties are consistent with export control regulations. The CEA and security chief at one center told us that they requested a plan identifying where export-controlled and sensitive technologies are located within a research branch in order to facilitate foreign national visit requests. According to the branch manager, he was unable to provide this information, stating it would be too cumbersome to map out all of that information and try to restrict access to the areas with sensitive technologies. According to Commerce's Compliance Guidelines, to ensure that consistent procedures are practiced; it is recommended that the export-controlled items are listed on an item classification sheet, which is shared with the export control team. NASA's lack of a comprehensive inventory of its export-controlled technologies is a longstanding issue that the NASA Inspector General identified as early as 1999.[Footnote 19] Specifically, the Inspector General noted that NASA had not identified all export-controlled technologies related to its major programs and did not maintain a catalog of classifications for transfers of export-controlled technologies and that NASA personnel lack training in controlling and documenting export-controlled technologies. The NASA Inspector General recommended that NASA develop a cataloging process for export- controlled technologies and closed the recommendation in 2002 after NASA developed a catalog of commodities controlled under the Export Administration Regulations. According to NASA headquarters export control officials, activities to obtain a comprehensive knowledge of export-controlled technologies would be beneficial but is resource-intensive. NASA headquarters' Director of the Export Control and Interagency Liaison Division in the Office of International Affairs and Interagency Relations also stated that NASA's foreign national screening, as well as NASA's counterintelligence annual threat assessments help mitigate risks. However, as noted in this report, NASA has not resolved all of its deficiencies related to foreign national access to its technologies. In addition, over the past 5 years, NASA's Office of Protective Services Counterintelligence Division Director has conducted a number of threat assessments and executive briefs which include identification of foreign intelligence threats to NASA programs, projects, technologies, and information. [Footnote 20] However, according to NASA's Office of Protective Services Counterintelligence Division Director, he lacks analytic staff to assess systemic and cross-cutting vulnerabilities for export-controlled technologies. We found that three centers began recent efforts to identify export- controlled technologies at their centers--one of which involves coordination with the center counterintelligence officer. Specifically, at this center, the counterintelligence office collaborated with the CEA to conduct a sensitive technology survey-- designed to identify the most sensitive technologies at the center--to better manage risks by developing protective measures for these technologies in the areas of counterintelligence, information technology security, and export controls. As part of this effort, they are asking each center ECR to identify the three most sensitive NASA technologies within their area of responsibility and are collecting a range of details on each technology, including program or project affiliation, export control or sensitivity classification, physical or network location, and foreign countries interested in the technology. Such approaches, implemented NASA-wide, could enable the agency to take a more risk-based approach to oversight by targeting existing resources to identify the most sensitive technologies and then ensure the location of such technologies are known and protected. At the other two centers, the CEAs are working with program and project staff to identify export-controlled technology; however the effort at one of these centers is limited to one facility. NASA Headquarters Has Taken Limited Steps to Address Deficiencies Identified in Oversight Reviews of the Centers' Implementation of Export Controls: Some Annual Export Control Audit Findings Not Addressed: NASA's export control NPR provides that adherence to export control policies is measured in part by annual audits on the operation of the export control program at each center. The purpose of the annual audit is to ensure the adequacy of the overall NASA export control program and verify that centers follow procedures and maintain documents to comply with export control regulations. The audit reports are provided to the Center Director, CEA, and HEA. According to NASA's export control NPR, CEAs are required to review the reports and provide written responses including concurrence, partial concurrence, or non- concurrence with findings and recommendations. CEA's are also required to review and ensure follow-up and closeout on recommendations from the annual NASA export control program audit. We found that seven centers have unresolved findings, recommendations, or observations spanning a period from 2005 to 2012, in areas including export control awareness, management commitment, resources, training, STI Review, foreign national visitor processes, and disposal of property. For five centers, responding to audit findings and implementing recommendations required that the CEA coordinate with other offices and programs across the center beyond the CEA's control. For example, one CEA audit finding in 2010 related to disposal of hard drives possibly containing export-controlled material. Although the audit recommendations were provided to the CEA for corrective action, the CEA stated that the actions necessary to close out the recommendations were dependent on a different NASA organization at the center,[Footnote 21] which did not take action to close the recommendation until 2013. The remaining two centers cited resource constraints, organizational priorities, and insufficient coordination with center management as barriers to implementing corrective actions and resolving recommendations. NASA's current procedures do not address coordination among offices at a center to address findings from annual audits. In addition to the annual export control audits, according to NASA headquarters export control officials, in April 2013, it collaborated with NASA's Office of Protective Services to add export control topics in a required functional review of each center's implementation of security operations. The Office of Protective Services conducts functional reviews to ensure NASA centers implement their protective services programs in compliance with all applicable federal statutes and federal and agency regulations, policies, and procedural requirements. The outcome of this integrated review is a combined export control and security report, provided to the Center Director who must respond to the findings and provide an action plan for each of the recommendations. NASA completed its first combined reviews at Dryden and Langley in 2013. At one of these centers, they found that foreign national escorts were not following the provisos issued by the Office of Security, particularly when the proviso required the foreign national to be escorted at all times while on Center. The same review found that personnel across the center whose duties involved export controls lacked understanding of their export control responsibilities. The review at the other center identified a gap in resources at the CEA level. In addition, that review found that the center did not provide export control reviews for videos and photos prior to releasing them into the public domain and recommended additional training to all responsible for releasing information to the public. Similar reviews will be conducted at each center once every 3 years. According to NASA headquarters' export control officials, these reviews receive more management attention than the annual export control audits because the Center directors are responsible for meeting with NASA's Administrator to discuss the results. NASA Headquarters Has Not Fully Addressed Export Control Concerns Expressed by Center Export Administrators: NASA headquarters export control officials also hold annual export control program reviews with the CEAs to discuss export control changes and CEA concerns and recommendations for the program. At NASA's 2013 annual review, the CEAs presented NASA headquarters export control officials with a list of comments regarding the export control program, many of which echo the issues raised earlier in this report. Table 2 provides selected issues raised by the CEAs including suggestions for improvements. Table 2: Selected Export Control Program Concerns Raised by NASA Center Export Administrators (CEA): NASA export control topic: CEA position and resources; Issue of concern: The placement of the CEA and level of authority varies across Centers; Suggestions for improvement: The CEA position should allow access to the Center Director and provide authority to enforce export controls. NASA export control topic: CEA position and resources; Issue of concern: CEAs lack resources to conduct their work in a timely manner and, in some cases, creating a backlog of work; Suggestions for improvement: Export Control Offices should be appropriately staffed. NASA export control topic: NASA's security culture; Issue of concern: NASA's security culture is in competition with its mission to provide for wide dissemination of information; Suggestions for improvement: NASA should develop a written, integrated security strategy, in order for NASA leadership to bring appropriate balance to competing interests of protecting key information with the desire to share with the public. NASA export control topic: Annual export control audits; Issue of concern: Export control audits do not encompass center programs, where export control problems can originate; Suggestions for improvement: Audits should incorporate center programs. NASA export control topic: Annual export control audits; Issue of concern: Auditors need proper training; Suggestions for improvement: Form an export control team with representatives from Headquarters and Centers that would conduct rolling annual reviews of each Center's export control program. NASA export control topic: Foreign national access; Issue of concern: Foreign national escorts did not have export control training; Suggestions for improvement: Foreign national escorts need to have export control training and understand access restrictions before they perform escort duties. NASA export control topic: Awareness of export-controlled technologies; Issue of concern: Export classification of all hardware and technical information is not a requirement in the NASA Procedural Requirement (NPR); Suggestions for improvement: Classification should be required when hardware/software is transferred to or created by NASA. NASA export control topic: Awareness of export-controlled technologies; Issue of concern: The NPRs for export controls and project managers lack clarity on Technology Transfer Control Plans; Suggestions for improvement: Update NASA procedures to make Control Plans mandatory for all projects with foreign national participation. Source: GAO review of comments from the Annual NASA Export Control Program Review 2013. [End of table] Federal internal control standards require managers to develop plans with specific time frames to address audit and other findings. However, NASA headquarters' export control officials acknowledged that they have not fully addressed the CEA concerns from the most recent program review in March 2013 and have not developed specific plans to do so. According to NASA headquarters export control officials, they agree with issues raised by the CEAs but have not developed an approach to address them. For example, in terms of CEA resources and placement, NASA headquarters officials acknowledged that some CEAs have limited staff resources and are not at a senior level as called for in NASA policy. However, NASA headquarters export control officials have not taken action to address this issue. In fact, we found that over the last 3 years, NASA headquarters export control officials provided only one policy update or other direction to address export control concerns raised by the CEAs. Specifically, CEAs requested that NASA provide additional guidance on fundamental research and in response NASA updated its export control NPR with an appendix with detailed guidance on this subject. These discussions between the HEA and CEAs began in 2008, and NASA did not update its export control NPR until 2011. As a result, NASA headquarters may have missed opportunities to take action through policy updates or other guidance to address problems Centers face in ensuring compliance with export control policies. NASA May Be Missing an Opportunity to Use Voluntary Disclosures to Help Improve Export Control Compliance: NASA's export control NPR provides that it is every NASA employee's personal responsibility to comply with U.S. export control laws and regulations; and further provides the regulatory requirements of State's ITAR and Commerce's EAR for voluntary self disclosure of noncompliance in export activities, even if the errors were inadvertent. Noncompliance with U.S. export control laws and regulations could result in criminal, civil, or administrative penalties against both government officials and private contractors and harm to the national security or foreign policy of the United States, and result in schedule or cost overruns in NASA programs. NASA's export control NPR further explains the process for reporting potential export noncompliance, stating that any NASA employee or contractor concerned about questions of export compliance or impropriety in the area of export control should report those concerns to the CEA or to the HEA. According to the NPR, the CEA and HEA are to gather information and determine if a voluntary disclosure to the regulatory agency is warranted. According to the NPR and NASA headquarters export control officials, all NASA voluntary disclosures, regardless of where they occur, are to be submitted to the appropriate U.S. regulatory and enforcement agencies through the HEA at NASA Headquarters' Office of International and Interagency Relations. NASA headquarters' export control program officials told us that few or no voluntary disclosures might indicate a weakness in a center's export control program, because one reason for a lack of disclosures could be that oversight activities are not robust. We found little usage of the voluntary disclosure process at the NASA centers. Since 2011, NASA reported a total of 13 voluntary disclosures to the Departments of State and Commerce--12 were reported to State on potential violations of the ITAR; and 1 was reported to Commerce for potential violation of the EAR. These 13 voluntary disclosures were divided among four of the NASA centers; and potential noncompliance ranged from failure to file a record of shipment to Germany to potential foreign national exposure to a program's technical data. The remaining six NASA centers have not submitted voluntary disclosures since 2011. We found that CEA approaches toward voluntary disclosures at some centers and within some projects may affect NASA's ability to identify and report potential violations of export control regulations. NASA's export control NPR states that errors affecting exports or making transfers should not be concealed for any reason and that it is better to uncover errors or mistakes, investigate, and understand the causes, and then make process changes to preclude future reoccurrence. In line with this approach, CEAs at two different centers stated that voluntary disclosures are a good tool for monitoring compliance and targeting export control training. One of these CEA's stated that his approach to voluntary disclosures is to identify and report as much as possible, even minor cases, so this information can be used to strengthen compliance; he reinforces that employees will not get in trouble for making a mistake and encourages them make a disclosure when mistakes occur. This CEA uses these disclosures to inform others during his annual export control training session. According to the Director of State's Office of Defense Trade Controls Compliance Division, the voluntary disclosure process provides a great opportunity to reflect on how and why violations occurred in order to strengthen an export control compliance program. We also found that a similar event may lead to a voluntary disclosure at one center but not another. For example, NASA headquarters submitted a voluntary disclosure in April 2013 for potential export control violations on its NASA Technical Reports Server database after a Center raised concerns about foreign access and disclosure of export- controlled information on the website. Conversely, two centers told us of instances in which export-controlled information was posted to a publicly available website, but they did not submit voluntary disclosures. In one of these cases, the CEA received notice from a project that ITAR export-controlled information was inadvertently posted for a short period of time to the center's website. According to this CEA, the Center Chief Information Office reviewed the Internet address that accessed the data and could not prove that any were foreign, so the CEA decided not to elevate this concern to NASA headquarters. NASA headquarters export control officials were not familiar with this incident and indicated that in this case they might file a voluntary disclosure once the full details were available and they made an assessment. Conclusions: To effectively achieve its mission, NASA is to strike a balance between protecting the sensitive export-controlled technologies and information it creates and uses and supporting international partners and disseminating important scientific information as broadly as possible. To do so, it is important to have clear export control policies that have strong management support and effective oversight to ensure consistent adherence across NASA Centers. NASA's program is lacking in both areas. For example, in the absence of clear policy direction or other guidance about the authority, placement, and resources needed for the CEA function, implementation of NASA's export control procedures across Centers has been inconsistent. Specifically, Center directors in some cases have appointed CEAs that are not senior level, have low visibility to staff and management, and are provided limited resources to carry out export control responsibilities. Further, centers have not consistently adhered to restrictions on foreign national access to NASA information and released scientific information without export control reviews. When dealing with export- controlled information, every instance of unapproved foreign national access or unapproved release of scientific information increases the risk of harm to national security. A more effective export control compliance program could help minimize such risks. As emphasized in State and Commerce guidance, a risk-based approach is essential to ensuring compliance with export controls laws and regulations. In the absence of a NASA wide approach, some centers have initiated their own early efforts to take a more risk-based approach. However, it is incumbent upon NASA leadership to address export control risks at an agency-wide level in order to ensure the Centers apply consistent approaches. NASA has an opportunity to better leverage existing resources to create a more risk-based approach, such as using NASA counterintelligence staff to identify technologies most at risk and then ensuring CEAs and program managers take appropriate measures to protect them. Effectively utilizing existing oversight tools by taking prompt action to address identified weaknesses and vulnerabilities from the annual export control audits and concerns raised by the CEAs, as well as implementing corrective actions identified during the foreign national moratorium are critical to ensuring an effective export control program. NASA has some actions under way to improve export control and foreign national access issues, but until these issues are fully addressed, NASA will remain at risk of unauthorized access to its export-controlled technologies. Recommendations for Executive Action: To ensure consistent implementation of NASA's export control program, we are recommending that the NASA Administrator take the following two actions: * Establish guidance defining the appropriate level and organizational placement of the CEA function, and: * Assess CEA workload and other factors to determine appropriate resources needed to support the CEA function at each center. To improve NASA's oversight and address identified deficiencies in the export control program, we recommend that the NASA Administrator take the following five actions: * Implement a risk-based approach to the export control program by using existing information sources, such as counterintelligence assessments, to identify targeted technologies and then direct that the types and location of those export-controlled technologies are identified and managed by CEAs within each center. * Direct Center Directors to oversee implementation of export-related audit findings which could involve collaboration among several center offices. * Develop a plan, including timeframes for addressing CEA issues and suggestions for improvement provided during the annual export control conference, and share the plan with CEAs. * Re-emphasize to CEAs the requirements on how and when to notify the HEA about potential voluntary disclosures to ensure more consistent reporting of potential export control violations at NASA centers. * Develop plans with specific time frames to monitor corrective actions related to management of foreign national access to NASA facilities and assess their effectiveness. Agency Comments and Our Evaluation: We provided a draft copy of this product to NASA, Commerce, Justice, and State for comment. Commerce export control compliance officials, in e-mailed comments, stated that they agreed with the importance of an effective export control compliance program and the usefulness of its Compliance Handbook to guide this program. State and Justice did not provide comments. In their written comments, NASA concurred with all of our recommendations, provided information on actions taken or planned to address them, and included associated timeframes for implementation. Recognizing that many of the recommendations do not require additional resources, NASA indicated that it plans to revise its guidance to ensure consistent implementation, improve oversight, and address identified deficiencies in the export control program. NASA indicated that GAO's findings and recommendations complement results from the recent reviews by the NASA's Inspector General and the National Academy of Public Administration. NASA indicated that all three reviews evaluated the effectiveness of select aspects of its foreign national access management program and its stated approach is to improve this program including export controls. In response to the findings of each review, NASA plans over the next 2 years to adopt a more comprehensive, risk-based approach to enhance its export control program in the context of the overall foreign national access management program, which should help NASA further secure sensitive, export-controlled information at its centers and enhance overall security. As improvements are being implemented, it is important that NASA consider interim steps to help mitigate risks. It is also important that NASA continue to evaluate actions taken to improve export control and foreign national access management to ensure effective implementation. NASA provided technical comments which were incorporated as appropriate. NASA's written comments are reprinted in appendix III. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Administrator of NASA, the Secretaries of Commerce and State, the Attorney General, interested congressional committees, and other interested parties. This report will also be available at no charge on GAO's website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-4841 or martinb@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Belva M. Martin: Director: Acquisition and Sourcing Management: [End of section] Appendix I: Objectives, Scope, and Methodology: This report focuses on the National Aeronautics and Space Administration's (NASA) implementation and oversight of its export control program. Specifically, we assessed (1) NASA's export control policy and procedure and how centers implement them, and (2) the extent to which NASA headquarters and Center Export Administrators apply oversight of center compliance with its export control policy and procedure. To assess NASA export control policy and procedure, we examined export control laws and regulations, NASA's Policy Directive and Procedural Requirements for NASA's Export Control Program (NPD 2190.1B and NPR 2190.1B), and compared these with the Departments of State and Commerce's elements of an effective export control compliance program. To identify these elements, we met with and reviewed documents provided by officials from the Departments of State and Commerce, Office of Defense Trade Controls and Bureau of Industry and Security, respectively. We also compared NASA's export control policy and procedure against Standards for Internal Control in the Federal Government, primarily in the areas of authority and audit reports. To determine how NASA Centers implement NASA's export control policy and procedure, we conducted site visits or telephone interviews with each of NASA's 10 centers, including the Jet Propulsion Laboratory (JPL). Specifically, we conducted site visits at four NASA Centers: * Dryden Flight Research Center, * Goddard Space Flight Center, * Jet Propulsion Laboratory, and: * Langley Research Center. At each of these site visits, we met with the Center Director, Center Export Administrator (CEA) and export control staff, and representatives from the Office of Protective Services, including the Counterintelligence Division, the Chief Information Officer; as well as selected program and project officials. These program and projects were selected by the center, based on factors such as presence of international partners and foreign nationals working at the Center. In addition, at the Jet Propulsion Laboratory, we met with officials from the NASA Management Office. We conducted telephone interviews with the remaining six NASA centers: * Ames Research Center, * Glenn Research Center, * Johnson Space Center, * Kennedy Space Center, * Marshall Space Flight Center, and: * Stennis Space Center. At these centers, we held telephone discussions with the CEAs and export control staff, officials from the Office of Protective Services and the Office of the Chief Information Officer. In addition, we met with officials from the counterintelligence office at Glenn Research Center; as well as officials from the International Space Station program at Johnson Space Center. We collected data and documentation when available to confirm CEA statements and to provide additional detail, such as e-mails, policy documents, and internal reviews. We further evaluated NASA centers' implementation of NASA export control policy and procedure by examining foreign national access control plans and procedures, such as those contained in NASA's procedural requirements for Security Program Procedures (1600.1A); Identity and Credential Management (1600.4); and Scientific and Technical Information (STI) procedural documents and data, including NASA's procedural requirement for the Documentation, Approval, and Dissemination of NASA STI (2200.2C). To assess the export control workload at each Center, we collected data from NASA's Headquarters Export Administrator on the number of STI reviews for fiscal year 2013. We also collected data on the number of foreign national visitors at each center for fiscal year 2013 from the NASA headquarters' Office of Protective Services. We assessed the reliability of the STI and foreign national visitor data by reviewing existing information about the data and the system that produced them, and interviewing agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report. We also met with Department of Justice officials from the Federal Bureau of Investigation to discuss their role in assessing threats at NASA centers; and with the National Academy of Public Administration to discuss its review of NASA's performance of foreign national access management. To assess NASA headquarters' oversight role, we met with officials from NASA's Office of International and Interagency Relations, Export Control; Office of Protective Services, including the Counterintelligence Division; and NASA's Scientific and Technical Information Program Office. We reviewed various documents, including the two most recently completed annual export control audits from the Centers (excluding JPL) for calendar year 2011 and 2012; documentation from each of the 10 centers provided to NASA headquarters to lift the moratorium on foreign visits in 2013; the two most recently completed STI compliance audits for calendar years 2010 and 2011; voluntary disclosures filed by NASA centers in fiscal years 2012 and 2013[Footnote 22]; and completed security functional reviews in 2013 for Dryden Flight Research Center and Langley Research Center. In addition, we reviewed documentation of discussions at the 2013 annual export control program review, agendas from quarterly export control meetings, and communication between headquarters and center officials. To assess NASA's awareness of export controlled technologies, we interviewed CEAs at each center and Headquarters export control officials. For centers that had efforts to increase awareness of technologies, we met with these officials involved to discuss the initiatives and reviewed related documents, such as data collection instruments. Further, we interviewed and met with State's Office of Defense Trade Controls, Chief of the Enforcement Division; and Commerce's Bureau of Industry and Security, Director of Compliance. With these officials, we discussed elements of an effective compliance program, including voluntary disclosures. We conducted this performance audit from May 2013 to April 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Department of Commerce Elements of an Effective Compliance Program: The U.S. Department of Commerce, Bureau of Industry and Security, Office of Exporter Services, Export Management and Compliance Division issued Compliance Guidelines in June 2011, titled "How to Develop an Effective Export Management and Compliance Program and Manual." These guidelines contain nine key elements for any effective compliance program for an exporter of U.S.-origin dual-use items; which provide a foundation for the basic structure of an export management compliance program, as follows: 1. Management Commitment: Senior management must establish written export compliance standards for the organization, commit sufficient resources for the export compliance program, and ensure appropriate senior organizational officials are designated with overall responsibility for the export compliance program, in order to ensure adherence to export control laws and regulations, and develop and nurture a pervasive corporate culture of compliance. 2. Continuous Risk Assessment of the Export Program. 3. Formal Written Export Management Compliance Program: A manual of policies and procedures with a sufficient level of operational detail to ensure effective implementation and day-to-day compliance. 4. Ongoing Compliance Training and Awareness. 5. Cradle-to-Grave Export Compliance Security and Screening: Screening of employees, contractors, customers, products, and transactions, and implementation of compliance safeguards throughout the export life- cycle, including product development, jurisdiction, classification, sales, license decisions, supply-chain management, servicing channels, and post-shipment activity. 6. Adherence to Recordkeeping Regulatory Requirements. 7. Compliance Monitoring and Periodic Audits/Assessments. 8. Internal Program for Handling Compliance Problems, including Reporting and Escalating Export Violations. 9. Completing Appropriate Corrective Actions in Response to Export Violations. According to these guidelines, a major benefit of implementing an Export Management Compliance Program is that it can minimize the risk of noncompliance with export regulations. [End of section] Appendix III: Comments from National Aeronautics and Space Administration: National Aeronautics and Space Administration: Headquarters: Washington, DC 20546-0001: Reply to Attn of: Office of International and Interagency Relations: Ms. Belva Martin: Director: Acquisition and Sourcing Management: United States Government Accountability Office: Washington, DC 20548: Dear Ms. Martin: The National Aeronautics and Space Administration (NASA) appreciates the opportunity to review and comment on the Government Accountability Office (GAO) draft report entitled, "Export Controls: NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies" (GAO-14-315) dated March 7, 2014. In the draft report, GAO makes seven recommendations to the NASA Administrator intended to ensure consistent implementation and improve oversight of NASA's export control program. NASA takes the responsibility of securing sensitive, export-controlled information at our facilities very seriously. Recognizing the growing threat of espionage aimed at Government agencies by hostile nation-states and foreign adversaries, the NASA Administrator has already directed a number of actions to further secure sensitive, export-controlled information at NASA facilities and to enhance overall security. The draft GAO report complements recent reviews conducted by the NASA Office of the Inspector General in October 2013 and the National Academy of Public Administration (NAPA), which provided its findings to the NASA Administrator in January 2014. Each of these recent reviews evaluated the effectiveness of select aspects of NASA programs relevant to Foreign National Access Management. At the request of the NASA Administrator, the NAPA review focused on five areas: Information Technology, Security, Counterintelligence, Export Control, and Organizational and Functional Relationships. Your recommendations, together with those previously provided to NASA, are assisting in our continuing efforts to enhance all aspects of our Foreign National Access Management, including NASA's export control compliance program. With regard to the specific recommendations contained in the GAO's draft report, NASA provides the following responses, including planned corrective actions: Recommendation 1: Establish guidance defining the appropriate level and organizational placement of the CEA function. Management's Response: NASA concurs. We will revise the NASA Procedural Requirements (NPR 2190.1B) governing the NASA Export Control Program (ECP) to specify the level of senior-level officials, at OS-15 or above, for the Center Export Administrator (CEA) function. We will also require that CEAs report directly to Center Directors or designees in the performance of their functions. Coupled with this, NASA will address a related recommendation from the January 2014 NAPA report that a Headquarters (HQ) endorsement be sought before any CEA position is filled by working with the human resources and Center management to ensure that NASA HQ endorsement is obtained for CEA appointments. Estimated Completion Date: April 30, 2015. Recommendation 2: Assess CEA workload and other factors to determine appropriate resources needed to support the CEA function at each Center. Management's Response: NASA concurs. We have already begun to assess the need for additional resources to support the CEA function, with the understanding that, like all agencies, we are in a very constrained budget environment. We will explore strategies to enhance support of export control functions through both civil service and contractor efforts, and will work to expand the model of Center Export Control Representatives (ECRs) that has been successfully employed at more than half of NASA's Centers, and which was noted in the draft report. Estimated Completion Date: April 30, 2016. Recommendation 3: Implement a risk-based approach to the export control program by using existing information sources, such as counterintelligence assessments, to identify targeted technologies and then direct that the types and location of those export-controlled technologies are identified and managed by CEAs within each Center. Management's Response: NASA concurs. Consistent with the recommendation, we will implement a risk-based approach for targeted technologies of particular concern, working with CEAs, program managers, and counterintelligence professionals to identify key technologies and catalog those key technologies at each Center. This balanced, focused approach follows the discussion on page 20 of the draft report and should not require significant additional resources to implement. This recommendation is also consistent with the NAPA report's recommendation that NASA provide a detailed export control manual to serve as a standardized guide to CEAs, ECRs, and Center project managers, and to mandate the use of certain practices that have proven effective at various Centers. Subject to additional funding availability, NASA plans to develop an export control manual in order to ensure greater consistency in implementation of the NASA ECP across the Agency. We will include provisions for a dynamic, risk-based assessment of key technologies in the manual. Estimated Completion Date: First-draft of a manual to be prepared by April 30, 2015. Recommendation 4: Direct Center Directors to oversee implementation of export-related audit findings which could involve collaboration among several Center offices. Management's Response: NASA concurs. We will revise NPR 2190.lB to specify that Center Directors shall oversee the completion of annual ECP audits, and report their implementation or progress to the Associate Administrator for International and Interagency Relations (OIIR) and to the NASA Headquarters Export Control Administrator (HEA). Estimated Completion Date: April 30,2015. Recommendation 5: Develop a plan, including timeframes for addressing CEA issues and suggestions for improvement provided during the annual export control conference, and share the plan with CEAs. Management's Response: NASA concurs. This is a subject that will be addressed at the forthcoming Annual NASA ECP Review at Langley Research Center in May 2014. Following the engagement and agreement with CEAs on the subject, the HEA will formulate the recommended plan for inclusion in revisions to NPR 2190.IB. Estimated Completion Date: April 30, 2015. Recommendation 6: Re-emphasize to CEAs the requirements on how and when to notify the HEA about potential voluntary disclosures to ensure more consistent reporting of potential export control violations at NASA Centers. Management's Response: NASA concurs. We will revise NPR 2190.lB to clarify the thresholds and standards for reporting voluntary disclosures to the HEA. Because of the linkage to both effective NASA ECP operations and to the NAPA report's recommendation to develop an export control manual in order to ensure greater consistency of proven best practices, we will also include provisions regarding voluntary disclosure standards in an export control handbook which we expect to produce. The timeline for the development of this handbook will be driven by the availability of additional resources. Estimated Completion Date: April 30, 2015. Recommendation 7: Develop plans with specific time frames to monitor corrective actions related to management of foreign national access to NASA facilities and assess their effectiveness. Management's Response: NASA concurs. Under NASA Policy Directive (NPD) 2190.1, the Export Control Manual contains specific operational procedures related to the management of foreign national access to NASA facilities. Additionally, as part of NASA's response to the January 2014 Focused Independent Security Review performed by NAPA, the Associate Administrator directed the Assistant Administrator for Protective Services on March 10, 2014, to establish a Foreign National Access Management (FNAM) Program, managed by the Office of Protective Services (OPS). The FNAM will seek to increase the effectiveness of NASA's existing procedures and implement improved procedures as required. Although OPS has the lead for the FNAM Program, OIIR will be engaged in the development and execution of the FNAM Program and will be the lead office in monitoring corrective actions as they relate to Export Control. Estimated Completion Date: July 30, 2016. Thank you for the opportunity to comment on the draft audit report. If you have any questions or require additional information, please contact David Flynn, NASA Headquarters Export Control Administrator, at 202-358-1792. Signed by: Michael F. O'Brien: Associate Administrator for International and Interagency Relations: cc: A/Administrator Bolden; A/Mr. Lightfoot; OPS/Mr. Mahaley; OIIR/Mr. Condes. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Belva Martin, (202) 512-4841 or martinb@gao.gov. Staff Acknowledgments: In addition to the contact named above, William Russell (Assistant Director), Marie Ahearn, Lisa Gardner, Laura Greifner, Caryn Kuebler, Jean McSween, Amanda Parker, Jeff Phillips, and Roxanna Sun made key contributions to this report. [End of section] Footnotes: [1] The Jet Propulsion Laboratory (JPL) is a NASA federally funded research and development center managed by the California Institute of Technology under contract with NASA. For purposes of this report, we refer to JPL as a NASA center. [2] GAO: Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], Washington, D.C.; Nov. 1999. [3] For the purposes of this report, the term defense items refers to defense articles, defense services, and related technical data, as specified in 22 U.S.C. § 2778, and the term dual-use refers to items that have both commercial and military applications, such as high- performance computers and radars. [4] 22 U.S.C. §2751-2799aa-2 and 50 U.S.C. app. § 2401-2420. The Export Administration Act is not permanent legislation. 50 U.S.C. app. § 2419. Authority granted under the act lapsed in August 2001. However, Executive Order No. 13222, Continuation of Export Control Regulations, which was issued in August 2001 under the authority provided by the International Emergency Economic Powers Act (50 U.S.C. §§ 1701-1707), continues the controls established under the act, and the implementing Export Administration Regulations. Executive Order No. 13222 requires an annual extension and was recently renewed by Presidential Notice on August 8, 2013. 78 Fed. Reg. 49.107 (Aug. 12, 2013). [5] An export can be any shipment, mail, transfer, or transmission of commodities, technology, or software, regardless whether it occurs in the United States, overseas, or in space and can range from an export of hardware for the spacecraft to videos and photos of systems, components, or parts. [6] Release of controlled technology to a foreign national in the United States is "deemed" to be an export to the person's home country or countries.15 C.F.R. § 734.2(b). While the EAR uses the term foreign national, NASA uses the term foreign person for purposes of export control as any person who is not a U.S. citizen, permanent resident alien, or protected individual of the U.S. under 22 C.F.R § 120.16. NASA NPR 2190.1B. App. A (definition of "Foreign Person"). [7] NASA Policy Directive (NPD) 2190.1B--NASA Export Control Program (June 20, 2012) and NASA Procedural Requirements (NPR) 2190.1B--NASA Export Control Program (Dec. 27, 2011). [8] The National Aeronautics and Space Act provides that the administration shall provide for the widest practicable and appropriate dissemination of information concerning its activities and the results thereof. 51 U.S.C. § 20112(a). [9] The General Schedule has 15 grades--GS-1 (lowest) to GS-15 (highest). Agencies establish (classify) the grade of each job based on the level of difficulty, responsibility, and qualifications required. [10] While this guidance is aimed primarily at corporate export control compliance programs, export control compliance officials from Commerce and State told us this guidance can also be applied to federal agencies, such as NASA. [11] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [12] NASA Inspector General Investigative Summary, Bo Jiang's Access to NASA's Langley Research Center (October 22, 2013). [13] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [14] See NASA Inspector General Investigative Summary, October 22, 2013. [15] A Report By a Panel of the National Academy of Public Administration for the National Aeronautics and Space Administration, An Independent Review of Foreign National Access Management (January 2014). [16] NPR 2200.2C, "Documentation, Approval, and Dissemination of NASA Scientific and Technical Information," STI NPR. [17] NASA IG-08-017. Actions Needed to Ensure Scientific and Technical Information is Adequately Reviewed at Goddard Space Flight Center, Johnson Space Center, Langley Research Center, and Marshall Space Flight Center. [18] U.S. Department of Commerce, Bureau of Industry and Security, Office of Exporter Services, Export Management and Compliance Division, Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual (June 2011). [19] NASA Inspector General Report, NASA Control of Export-Controlled Technologies (Mar. 31, 1999). [20] These assessments do not have a specific focus on export controls, but over the past 6 years, counterintelligence has presented threat briefings to Headquarters and Center management, including presentations to the CEAs at NASA's Annual Export Control Program Review. [21] According to the audit, that Center's policy states that the Systems Administrator is responsible for cleaning of hard drives prior to disposal and Information Technology Security Operations is to conduct a review of excessed Information Technology equipment to ensure systems are clear of NASA-related information. [22] We requested voluntary disclosures for fiscal years 2011 through 2013, but there were none in 2011. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]