DOJ Clarifies How Companies Should Report National Security Law Breaches

  • Writer: OpusDatum
  • Mar 30

The US Department of Justice has moved to remove any ambiguity around where companies should report potential criminal breaches of national security laws, making clear that voluntary self-disclosures should be sent directly to the National Security Division. The update, published on 30 March 2026, links national security enforcement more tightly to the Department-wide Corporate Enforcement Policy introduced earlier this month and gives businesses a clearer route to seek cooperation credit.


The announcement matters because it translates a broad corporate enforcement framework into a practical reporting instruction for companies dealing with export controls, sanctions and other national security risks. Under the Department-wide Corporate Enforcement Policy, businesses that voluntarily disclose misconduct, cooperate with investigators and remediate properly may receive substantial credit and, in many cases, a declination. By specifying that disclosures involving national security laws should go to NSD, the Department is trying to increase predictability for companies assessing whether and how to come forward.


For compliance teams, the message is straightforward. If a company identifies potential criminal exposure connected to US national security laws, the Department expects that disclosure to be made to the component with primary authority over those offences. In this area, that means NSD. The guidance also reflects the Justice Manual’s allocation of responsibility to the Assistant Attorney General for NSD for criminal laws affecting or relating to national security, including related offences such as conspiracy, perjury and false statements.


The scope is broad and reaches far beyond traditional export controls. The Department specifically points to the Arms Export Control Act, the Export Control Reform Act and the International Emergency Economic Powers Act, all of which sit at the centre of US export control and sanctions enforcement. But it also signals that NSD expects disclosures covering other national security matters, including material support and terrorist financing offences, criminal breaches connected to CFIUS, and cases involving Team Telecom. That framing is notable because it presents NSD not simply as an export and sanctions enforcer, but as the central criminal enforcement hub for a wider set of corporate national security risks.


From a risk management perspective, the release is another sign that national security compliance is now firmly a board-level issue. Businesses operating across sensitive supply chains, dual-use technologies, cross-border payments, telecoms infrastructure and foreign investment review processes face increasing pressure to detect issues early, escalate them quickly and make defensible disclosure decisions. The Department is clearly signalling that companies which act promptly and in good faith will be treated differently from those that stay silent.


The practical takeaway is that any voluntary self-disclosure concerning potential criminal violations of US national security laws should be sent to NSD.VSD@usdoj.gov, with the company name in the subject line. For multinationals and high-risk sectors, that instruction should now be built into escalation protocols, investigations playbooks and incident response procedures. The policy incentive is important, but so is the operational clarity: the Department has now identified the front door.


Read the press release here.
