On April 23, 2025, the Justice Department declined to prosecute Universities Space Research Association (USRA) after the nonprofit promptly self-reported illicit software exports by an employee, Soong. The decision is only the second corporate declination granted under the Justice Department’s 2024 revision of the National Security Division’s Voluntary Self-Disclosure (VSD) policy, following a case involving a Massachusetts biotech that uncovered and disclosed falsified export paperwork used to ship discounted products to China.
USRA’s experience now serves as a concise playbook for any organization facing an employee’s willful export-control or broader national-security violation. It demonstrates that prompt, substantive self-disclosure, extraordinary cooperation, and thorough remediation can shield a company from criminal exposure—an insight compliance professionals should embed in their incident-response plans.
Setting the Stage
In 2016, NASA’s Academic Mission Services (NAMS) contract authorized USRA to distribute two U.S. Army flight-control programs, CIFER and CONDUIT, under a Software Transfer Agreement with the Army’s Aviation & Missile Center (AvMC). CIFER lets users build a dynamic aircraft model from their own flight-test data using system-identification techniques; its source code is publicly available, making the tool openly accessible for research and design.
Both programs were later classified EAR99 (CIFER on July 7, 2021; CONDUIT on August 11, 2021). While EAR99 removes most licensing requirements, exports to embargoed destinations, Entity-List parties, or prohibited end uses still require Commerce Department authorization.
Soong’s Conduct
Program administrator Soong handled export screening, license issuance, invoicing, and delivery. On April 18, 2017, Beihang University—on the Entity List since 2001—asked to purchase CIFER. Soong acknowledged the “export-control issues,” inquired whether the requester was affiliated with another institution, and suggested using an intermediary.
On August 4, 2017, Soong issued an invoice listing Beijing Rainbow Technical Development Ltd. as both “Ship-To” and “Bill-To” to mask Beihang’s involvement. USRA received a $2,182 wire from Beijing Rainbow on January 2, 2018; additional payments eventually totaled about $161,000, all diverted to Soong’s personal accounts. Throughout 2017–2020, he forwarded CIFER passcodes directly to Beihang while payments flowed through Beijing Rainbow. When NASA sought clarification, he allegedly supplied inaccurate diligence records.
Internal Investigation and Voluntary Disclosure
USRA retained outside counsel, interviewed Soong three times, and terminated his employment before a third session, during which he admitted exporting to Beihang and using Beijing Rainbow to avoid Entity-List screening. Within days of that admission—and less than three months after counsel’s engagement—USRA submitted a VSD to DOJ’s National Security Division before completing its internal investigation.
Government Response and Resolution
Soong pleaded guilty in January 2023 to export-control and wire-fraud charges. On April 23, 2025, DOJ declined to prosecute USRA, citing the organization’s prompt disclosure, extensive cooperation, and remediation measures: dismissal of Soong, disciplinary action for his supervisor, significant enhancements to the compliance program, and repayment of US $94,000 to NASA plus US $161,000 to the U.S. Treasury.
Why DOJ Declined to Prosecute
The National Security Division’s VSD policy grants significant credit to companies that voluntarily report potential crimes, cooperate fully, and remediate quickly and credibly. Satisfying all three conditions presumptively earns a non-prosecution agreement—or, where the Justice Manual permits, a full declination. Even when aggravating factors (for example, exporting nonproliferation-controlled items) make a deferred-prosecution agreement or guilty plea unavoidable, a qualifying VSD can still cut the criminal fine by as much as 50 percent. For USRA, DOJ identified the following elements as most relevant to its decision to decline prosecution:
1. Timely, Voluntary Self-Disclosure
Outside counsel confronted Soong in 2020, and he admitted the unlicensed exports. Within days—and less than three months after counsel’s retention—USRA submitted a VSD to NSD, well before finishing its internal investigation. Gauging the moment when disclosure is prudent involves judgment and risk, but this declination signals an incentive for swift action.
2. Exceptional and Proactive Cooperation
USRA supplied all known facts, preserved and collected evidence internationally (including certified translations), and made relevant employees available for interviews.
3. Nature and Seriousness of the Offense
The matter involved only four exports of software classified EAR99 (a catch-all category for low-tech items). USRA gained no direct financial benefit; NASA—not USRA—was the contracting customer.
4. Timely and Appropriate Remediation
USRA terminated Soong, disciplined his supervisor, and overhauled its compliance program, adding resources, independence, and routine testing. The nonprofit also made prompt restitution, repaying $94,000 in NASA-funded salary and remitting $161,000 in diverted license fees to the U.S. Treasury.
Practical Insights for Compliance Leaders
USRA’s declination reinforces five themes every compliance program should internalize:
1. Cultivate a culture of immediate escalation.
USRA disclosed the misconduct within days—long before its internal investigation wrapped—showing that swift, good-faith reporting can tip prosecutorial discretion in the company’s favor. Although deciding exactly when to notify DOJ always involves judgment and risk, this case shows that the incentive squarely favors early action.
2. Speed wins.
The VSD framework rewards whoever reaches DOJ first. Because USRA filed ahead of its employee, it controlled the narrative and secured leniency; the reverse sequence might have ended very differently.
3. EAR99 is no shield.
An EAR99 designation merely means the item is not listed on the Commerce Control List. It does not remove licensing obligations for shipments to embargoed destinations, prohibited end uses, or—as here—Entity-List end users. End-user screening remains non-negotiable, even for low-tech, publicly available software.
4. Avoid single points of failure.
Concentrating export screening, invoicing, fulfillment, and payment authority in one employee created the vulnerability that Soong exploited. Effective risk management calls for segregated duties and regular audits.
5. Remediation must be concrete and timely.
DOJ emphasized USRA’s restitution of $94,000 in salary to NASA, repayment of $161,000 in misdirected license fees to the Treasury, supervisor discipline, and compliance program upgrades. Hard numbers and documented fixes carry real weight when prosecutors decide whether a company has earned a declination.
Where It All Leads
The USRA declination shows that—despite shifting enforcement priorities—VSD can still pay real dividends. Detecting misconduct early, self-reporting immediately, cooperating fully, and delivering measurable remediation can spare a company prosecution—even when the violation involves exporting to Entity-List companies and embezzlement.
That said, both declinations to date involve employees acting without corporate knowledge or gain; how DOJ will treat cases with broader systemic failures or clear corporate benefit remains uncertain. Publicizing the VSD incentive may also push employees to bypass internal channels or prompt companies to over-report marginal issues. Yet these uncertainties do not override the central takeaway: understand the facts, respond decisively, and you greatly improve the odds that DOJ will keep the company’s name out of the indictment headline.
Disclaimer: The views expressed here are solely my own and do not represent the positions of my employer. They do not constitute legal advice nor create an attorney–client relationship.
Ishan, great stuff as always!