Six things you have to know about ITAR compliance

International Traffic in Arms Regulations (ITAR) is a set of regulations administered by the State Department to control the export of defense and military related technologies. The goal of the legislation is to control access to specific types of technology and their associated data by our country’s enemies.
Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services is required to register with DDTC and comply with ITAR regulations.

Download our free whitepaper on how to facilitate ITAR compliance
The U.S. Department of State has recently taken action that recognizes that technological advances in cybersecurity can simplify ITAR compliance without compromising national security goals. Check out our ITAR white paper to learn more.


Today, ITAR compliance poses a significant challenge to many global corporations. ITAR data may need to be transferred over the internet or stored outside of the United States in order to make business processes flow smoothly. However, ITAR regulations restrict how and where such data may be transferred and stored.
In this blog we’ll break down what the regulation means and look into what companies can do to best manage their compliance responsibilities. We’ll look at:


What is ITAR Compliance?

ITAR compliance is a set of controls managed by the State Department. The controls are designed to ensure that the defense and military technologies handled by the 13,000 or so defense companies, universities and research labs do not get into the wrong hands. Specifically, ITAR regulations say that items listed on the US Munitions List (USML) may only be shared with US persons unless otherwise authorized. If your product is on this list (see below), it is subject to these controls.

Categories on the United States Munitions List

  1. Firearms, Close Assault Weapons and Combat Shotguns
  2. Guns and Armament
  3. Ammunition/Ordnance
  4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
  5. Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
  6. Surface Vessels of War and Special Naval Equipment
  7. Ground Vehicles
  8. Aircraft and Related Articles
  9. Military Training Equipment and Training
  10. Personal Protective Equipment
  11. Military Electronics
  12. Fire Control, Range Finder, Optical and Guidance and Control Equipment, Night Vision Goggles
  13. Materials and Miscellaneous Articles
  14. Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
  15. Spacecraft and Related Articles
  16. Nuclear Weapons Related Articles
  17. Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
  18. Directed Energy Weapons
  19. Gas Turbine Engines and Associated Equipment
  20. Submersible Vessels and Related Articles
  21. Articles, Technical Data, and Defense Services Not Otherwise Enumerated

How do I achieve ITAR Compliance?

There is no formal certification process to become ITAR compliant. However, there are certain standards companies are expected to follow and comply with.
The first step a company should take is to register with the State Department. Specifically, the company must register with the Directorate of Defense Trade Controls (DDTC).
The second step a company should take is to adopt an ITAR Compliance Program. A Compliance Program demonstrates that your company has a formal process for ITAR compliance and projects a sophisticated approach to managing these issues.
The third step is ensuring your cloud storage is ITAR compliant. You need to ensure that technical data is not accidentally distributed to foreign persons or foreign nations. Typically, this standard is met by ensuring all data centers are managed solely by US persons in US locations and data is not shared outside of the US.
In March 2020, however, the State Department issued a ruling that companies can share unclassified technical data with their supply chain or outside the US. The data just has to be secured with end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.

What is unclassified technical data?
Information, other than software as defined in 22 CFR 120.10(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or altering of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
What is a US person?
A U.S. person is someone who is a lawful permanent resident of the US. The term also covers any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States, and any governmental (federal, state or local) entity.

Who needs to follow ITAR compliance?

Many mistakenly assume that this set of regulations only relates to tanks, missiles and weaponry, but in fact, it affects much more than that. In order to avoid the severe penalties and negative consequences of noncompliance, take the time to determine which elements of ITAR, if any, need to be addressed in your compliance efforts.
The easiest way to know if you are responsible for ITAR compliance is to see if your company’s product is on the Munitions List or not.

Companies most likely to fall under Munitions List requirements:

  • Manufacturers, exporters and distributors of defense products and services.
  • Companies that act directly in the defense industry.
  • Third-party suppliers.
  • Contractors.
  • Vendors who produce defense software and hardware.

Penalties for ITAR noncompliance

There are potentially serious penalties imposed for any ITAR violations, including civil fines up to $500,000, criminal fines up to $1,000,000, and jail time of up to 10 years per instance. Even worse, the U.S. government has the power to ban your company from any related future import and export activity.
In addition, restrictions may be placed on your business practices, and your import/export activities could be banned outright. It is therefore of vital importance to understand how to secure your ITAR-controlled data.

Airbus Agrees to Pay Over $3.9 Billion in Global Penalties to Resolve Foreign Bribery and ITAR Case
In January 2020, Airbus entered into an agreement with the US Government. The government charged that Airbus had attempted to violate bribery provisions of the Foreign Corrupt Practices Act (“FCPA”) and ITAR regulations. The charge stems from Airbus’s failure to disclose political contributions, commissions or fees to the U.S. government as required under ITAR.

But it’s not just large primes that are subject to fines for failing to comply with ITAR. In 2017, the State Department charged Bright Lights USA, Inc. with an ITAR violation. Bright Lights often looked to foreign suppliers for the parts needed to manufacture its products. However, Bright Lights often sent drawings of export-controlled components to foreign suppliers to get quotes without first obtaining the necessary ITAR export licenses.
The State Department concluded that Bright Lights had major compliance deficiencies and charged the company with a number of violations. While the government could have pursued criminal, civil and administrative enforcement for ITAR violations, the company was only required to pay a $400,000 civil penalty.

Sharing ITAR data using end-to-end encryption

End-to-end encryption is the gold standard for securing data. With end-to-end encryption, data is encrypted on the sender’s device and is only ever decrypted on the recipient’s device. This ensures that only the sender and the recipient can ever read the information being shared, and no one else. Data is never decrypted on the server, so even if attackers successfully breach the server, all they will get is ciphertext they cannot read.
Until March of 2020, companies had to store all ITAR data on servers located within the US. The servers also had to be manned by US persons. However, in a global economy, these regulations were burdensome.
In March 2020 the State Department created the ITAR carve-out for encrypted technical data. The carve-out establishes that defense companies can now share unclassified ITAR technical data without requiring an export license. They have to ensure, though, that the data is properly secured with end-to-end encryption and that the decryption keys “are not provided to any third party”.

According to the Federal Register:
“[P]roperly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import.”

The ruling makes clear that end-to-end encrypted technical data can be stored on any cloud service, as long as the service is not located in a country hostile to the U.S. and the data is accessed only by US persons. The only stipulations on this exchange are that:

  • The data is unclassified
  • The data is secured with end-to-end encryption and FIPS 140-2 compliant algorithms
  • Cloud services provider can’t access the decryption keys
  • Data is not purposely sent to a person in or stored in restricted countries
  • Data is not purposely sent from a restricted country

This new guidance gives defense companies the ability to take advantage of the cloud in a way they could not in the past. End-to-end encryption along with proper key management makes that possible. Following these prescriptions, defense contractors can store their data in the cloud, send data to a US or authorized person overseas, or even store data outside the U.S., so long as it is not stored in a restricted country.
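As an added example (not code from PreVeil or the original post), here is how the five stipulations above could be encoded as a pre-transfer gate that a compliance team might put in front of a file-sharing or cloud-upload workflow. The restricted-country and FIPS-algorithm sets are constructed placeholders, since the post names neither list; the `TechnicalDataTransfer` fields are assumed metadata the gate would have about each proposed transfer.

```python
from dataclasses import dataclass

# Constructed placeholders for this example only. The post refers to
# "restricted countries" and "FIPS 140-2 compliant algorithms" but lists
# neither, so these sets are illustrative stand-ins, not regulatory lists.
RESTRICTED_COUNTRIES = {"EXAMPLE-RESTRICTED-1", "EXAMPLE-RESTRICTED-2"}
FIPS_APPROVED_ALGORITHMS = {"AES-256-GCM", "AES-128-GCM"}  # illustrative subset


@dataclass
class TechnicalDataTransfer:
    """Metadata a gateway would know about one proposed upload or share."""
    classified: bool               # is the technical data classified?
    end_to_end_encrypted: bool     # encrypted on sender device, decrypted on recipient device
    algorithm: str                 # cipher used for the end-to-end layer
    key_holders: set               # parties that can obtain the decryption key
    cloud_provider: str            # provider storing or relaying the ciphertext
    source_country: str            # country the data is purposely sent from
    destination_country: str       # chosen endpoint (not transit hops) where data lands or is stored


def carve_out_violations(t: TechnicalDataTransfer) -> list:
    """Return the carve-out conditions this transfer fails.

    An empty list means the transfer satisfies all five stipulations as the
    post describes them and so falls inside the encrypted-data carve-out.
    Any non-empty result means the transfer must stop and be routed to the
    export-control process (license review) instead.
    """
    problems = []
    if t.classified:
        problems.append("data is classified")
    if not t.end_to_end_encrypted:
        problems.append("data is not end-to-end encrypted")
    if t.algorithm not in FIPS_APPROVED_ALGORITHMS:
        problems.append(f"algorithm {t.algorithm} is not FIPS 140-2 approved")
    if t.cloud_provider in t.key_holders:
        problems.append("cloud provider can access the decryption key")
    if t.destination_country in RESTRICTED_COUNTRIES:
        problems.append(f"destination {t.destination_country} is a restricted country")
    if t.source_country in RESTRICTED_COUNTRIES:
        problems.append(f"source {t.source_country} is a restricted country")
    return problems


def transfer_allowed(t: TechnicalDataTransfer) -> bool:
    """Convenience wrapper: True only when no stipulation is violated."""
    return not carve_out_violations(t)
```

Note that the gate only checks the carve-out conditions; it does not decide whether the recipient is an authorized person, which remains a separate access-control question.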

ITAR compliance checklist for protecting your data

  • Encryption: Protecting your ITAR data starts with using end-to-end encryption to protect USML data.
  • Key management: Ensure that only the user has access to their private key, never the server.
  • Storage location: Know where your data is stored and whether the service is FedRAMP authorized.
  • Expirations: Data access can be managed through expirations.
  • Granular access: Support read-only and view-only sharing.
  • Logs: Ensure that you have log management so you can see who has accessed files.

Want to learn more about how to manage your ITAR data and meet compliance? Talk to our compliance experts.

The post Six things you have to know about ITAR compliance appeared first on PreVeil.

This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: