On March 30, 2026, the U.S. Department of Justice’s (DOJ) National Security Division (NSD) issued a press release confirming that DOJ’s new department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) applies to matters within NSD’s purview and that voluntary self-disclosures (VSDs) involving potential criminal violations of U.S. national security laws should be submitted to NSD.

Key Takeaways

• Submit VSDs involving potential criminal national security violations to NSD.VSD@usdoj.gov, with the company name in the subject line.
• Update internal escalation and triage so potential export controls/sanctions or other national security issues are promptly assessed for criminal exposure and routed to the appropriate DOJ intake channel (including NSD where applicable).
• Disclosures only to civil regulators (e.g., BIS, OFAC, DDTC) do not substitute for a DOJ VSD in criminal matters.
• A good faith disclosure to a DOJ component will not, by itself, disqualify a company from CEP consideration if the matter later shifts to another DOJ component.

NSD’s Guidance on Reporting Violations

NSD’s press release emphasizes its responsibility for enforcing criminal laws affecting or relating to national security, as set forth in DOJ’s Justice Manual. The scope of matters for which companies should submit VSDs to NSD includes violations of the government’s primary export control and sanctions regimes—namely, the Arms Export Control Act (AECA), the Export Control Reform Act (ECRA) and the International Emergency Economic Powers Act (IEEPA).

NSD also notes that business conduct may implicate other national security laws handled by NSD, including laws prohibiting material support to and financing of foreign terrorist organizations, as well as criminal violations connected to CFIUS and Team Telecom matters.

Finally, NSD has confirmed an important operational principle under the CEP: a good faith disclosure to one DOJ component that is later investigated by another appropriate DOJ component will not, by itself, disqualify a company from CEP consideration (including declination eligibility).

NSD’s Prior Voluntary Self-Disclosure Policy and the Shift to a Department-Wide Framework

Under the prior NSD policy, companies that voluntarily self-disclosed, fully cooperated and timely remediated were generally eligible for significant mitigation, including the possibility of a non-prosecution agreement and, in appropriate cases, avoidance of a criminal fine and compliance monitor. NSD made clear that disclosures made only to civil or regulatory agencies (such as the Bureau of Industry and Security (BIS), Office of Foreign Assets Control (OFAC), or Directorate of Defense Trade Controls (DDTC)) did not qualify as VSDs to DOJ for criminal enforcement purposes. The policy also incorporated a mergers and acquisitions safe harbor, encouraging acquiring companies to disclose criminal misconduct discovered during due diligence or post-closing integration.

While the old NSD policy provided meaningful incentives, it applied only to matters handled by NSD and existed alongside multiple, sometimes overlapping VSD frameworks across DOJ components and U.S. attorney’s offices.

That changed on March 10, 2026, when DOJ replaced all component-specific corporate enforcement and VSD policies with the CEP. DOJ has said that the CEP is intended to promote uniformity, predictability and transparency, and that, absent certain limited aggravating circumstances, companies that voluntarily self-disclose, fully cooperate and timely remediate can expect a declination of prosecution.