ITAR Registration Puffery: XAND Raises the Bar

Posted by at 6:38 pm on June 4, 2014
Category: Part 122

XAND Date Center via http://www.xand.com/assets/MG_2226_Low-1024x668.jpg [Fair Use]An ongoing feature of this blog has been, for some time, to highlight ITAR registration press releases where companies breathlessly announce their registration under part 122 of the ITAR as if it were equivalent to having been awarded the Nobel Peace Price, an Oscar, and three Michelin stars on the same day when in fact the State Department routinely hands out Part 122 registration to anyone who can figure out how to fill out a short form, write a check for the registration fee and send both to Washington. Once the check clears, a registration is issued by DDTC without so much as even looking at the registrant’s elevator certificates and corporate cafeteria lunch menu.

So when a friend of the blog pointed out a press release headlined “Xand Earns International Traffic in Arms Regulations (ITAR) Compliance from U.S. Department of State,” it was clear that we had a moral obligation to bring to our readers the latest and greatest in marketing department hyperbole.

Xand, the Northeast’s premier provider of cloud, managed services, colocation and disaster recovery announced today the successful completion of all regulatory requirements required to attain International Traffic in Arms Regulations (ITAR) registration and compliance from the U.S. Department of State, a unique distinction among infrastructure service providers.

Okay, so maybe the “regulatory requirements” meant by Xand were filling out the form and sending the check. Well, you might think that until you see what the company’s Chief Security Officer had to say:

We selected data center facilities in Pennsylvania, New York, and Massachusetts to undergo thorough and exhaustive compliance testing to meet the critical standards of the U.S. Department of State. The end result allows Xand to provide clients with unmatched geographic diversity and redundancy options when it comes to housing, storing, and protecting the data and technology infrastructure needed to power the critically important work of the defense industry.

It seems to me that the State Department ought to tell people that it will revoke the registration of anyone who so fundamentally misunderstands the ITAR as to suggest in public that registration is the result of compliance testing and constitutes a certification that the registrant is compliant.

One other interesting point here is to try to figure out why Xand needed registration in the first place. Registration is required for parties that manufacture items on the USML and for those that export goods or technical data on the USML. Frankly, I’m baffled how a domestic cloud and colocation service provider does either of those things even if it has customers that manufacture or export USML items. Anyone have any thoughts on this?


Bookmark and Share

Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


If their customers were processing and storing technical data for controlled items, then they would have to ensure they don’t allow any foreign national employees to access the data. If that access occurred (even at those domestic locations), wouldn’t it be a “deemed export”?

Comment by jstults on June 4th, 2014 @ 8:25 pm

    Yes, but they would need a TAA or a DSP-5, not a registration under Part 122, to cover that. Of course, they would need the registration to get those, so maybe that’s what’s going on here.

    Comment by Clif Burns on June 4th, 2014 @ 11:42 pm

Well it looks to be more so that they are announcing completion of a certification program, proving complete compliance. I do not see mention of registration anywhere in the article. It could have been worded better as the program would definitely not have been administered or awarded by DOS. Knowing the actual certification issued could possibly lend the article some credibility.

Comment by Gwen W on June 5th, 2014 @ 6:14 am

Clif: As usual, I remain firm in my belief that a few unscrupulous ITAR consultants are behind this sort of registration ballyhoo. My guess is they’re able to inflate the value of their services by inflating the value of DDTC registration–a step that is literally the LEAST an entity subject to the ITAR can do.

Gwen: I’ve had the benefit of my morning cup(s) of coffee, so I see that the word “registration” appears in Clif’s first quote, which is the lead sentence of the press release. 😉 As for any sort of certification, you correctly note that DDTC offers no such thing. Yet Xand’s press release refers to “Federal certification” in the subheading, and more than once touts their “certification” in connection with the ITAR and the State Department. The press release also announces that Xand “earn[ed]” and “attain[ed]” ITAR “compliance” from State, a peculiar formulation that suggests maybe the authors don’t quite understand what they’re talking about.

Now, it’s entirely possible Xand obtained some sort of certification from a private entity, or even created its own ad hoc security certification. If either is the case, though, the press release is worse than just poorly worded. It’s downright misleading.

Comment by Pat on June 5th, 2014 @ 10:03 am