.svg?rev=a492cc1069df46bdab38f8cb66573f1c&hash=2617C9FE8A7B0BD1C43269B5D5ED9AE2)
At a Glance
- The Department of Justice confirms its Department-wide corporate enforcement policy framework applies to national security-related violations and criminal offenses, including export controls and sanctions violations.
- The DOJ’s National Security Division stated that voluntary disclosures related to any national security violation should be made via a monitored email account: NSD.VSD@usdoj.gov.
- Companies should review their compliance programs and escalation protocols to ensure they are positioned for timely disclosure of potential employee misconduct in appropriate cases.
The Department of Justice (DOJ or Department) announced on March 20, 2026, that its existing corporate enforcement policy (CEP), released on March 10, will also apply to voluntary self-disclosures of national security violations, confirming that such matters will be evaluated under a consistent framework and directed to the National Security Division (NSD). Rather than creating a new standalone policy, the announcement clarifies how the DOJ’s current corporate enforcement principles extend into the national security arena.
Consistent with the CEP, companies may be eligible for declinations of prosecution in a national security matter where a company voluntarily self-discloses misconduct, fully cooperates, and timely remediates, absent aggravating factors. The policy applies to criminal violations implicating US national security, including export control and sanctions-related violations. As with the broader CEP framework, eligibility for favorable treatment depends on timely disclosure, in an effort to incentivize companies to voluntarily disclose discovered misconduct, cooperate with investigations, and timely and appropriately remediate the wrongdoing.
The DOJ also clarified that voluntary self-disclosures involving potential criminal violations of US national security laws should be directed to the NSD, consistent with the requirement that disclosures be made to the appropriate Department component, and has provided an email address — NSD.VSD@usdoj.gov — where companies can direct voluntary disclosure correspondence.
Analysis
While application of the CEP to the National Security Division was expected given the policy’s Department-wide approach, the national security context introduces potential tension with a policy that will apply to a wide range of different criminal investigations.
The CEP promises increasing predictability and some assurance that the company will not be prosecuted if the terms of the policy are met. But the policy also maintains the Department’s ability to decide that certain factors — such as “aggravating circumstances” related to the nature of the offense, severity of harm, or corporate recidivism — do not warrant a corporate declination.
National security matters are, by their nature, often considered more serious than many other categories of criminal investigations. Thus, companies should expect heightened scrutiny of aggravating factors and increased sensitivity to the nature of the underlying conduct. For example, a case that seems like a technical and minor export violation may be viewed by the Department’s national security prosecutors as a serious offense because it involved highly sensitive technology or a foreign adversary.
As a result, companies may face greater uncertainty in assessing whether a declination is realistically available, and must make a more difficult decision about whether a relatively early disclosure is worthwhile without knowing the full scope of potential liability given that they may not receive “full” credit under the CEP. Ultimately, companies should keep in mind that the Department almost always looks favorably on cooperation, and so disclosure prior to an affirmative DOJ investigation is often in the company’s interest, regardless of whether they obtain the full benefits of the CEP.
Practical Implications
The NSD announcement underscores the importance of early internal investigation and escalation protocols, particularly for companies with exposure to export controls, sanctions, or other national security regimes. This is particularly the case given the escalation of Iran-related sanctions and designations of a number of drug trafficking organizations (DTOs) as foreign terrorist organizations, which significantly expands the scope of risk to companies who do business in regions where DTOs operate. Companies should ensure that compliance programs are calibrated to identify and address these risks, including those arising from cross-border operations, third-party relationships, and supply chains.
Disclosure decisions will require coordinated analysis across legal and compliance functions, taking into account both DOJ incentives and the potential for collateral regulatory or business consequences. This includes the risk that disclosure will trigger potential parallel inquiries, violations, or resolutions with regulators with a similar portfolio (e.g., the US Department of Commerce, Bureau of Industry and Security (BIS) for export controls violations, and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) for economic sanctions violations, or the Committee on Foreign Investment in the United States (CFIUS) for criminal violations related to foreign investment) or regulators that have more general supervisory authority over certain businesses (e.g., the Securities and Exchange Commission). At the same time, securing a declination through the CEP, and the cooperation it reflects, may help these potential parallel matters resolve in a similarly favorable manner for the company.
Bottom Line
The DOJ’s national security voluntary self-disclosure announcement represents a natural extension of its broader corporate enforcement policy, but also introduces additional complexity in high-risk areas. Companies that promptly identify, disclose, and remediate potential violations stand to benefit from meaningful enforcement credit, but the national security context makes early, informed decision-making critical.
