Are you a DoD contractor or dealing with any Export Controlled material? Understand how you can manage compliance and information security of ITAR and other forms of regulated data.
Have you just won a contract to deliver services or do business with the U.S. Department of Defense? Or are you preparing for an award of one? You should first consider whether you will be dealing or working with Export Controlled material. If you do, you should ensure compliance with Export Control regulations like the International Traffic in Arms Regulations (ITAR).
What is ITAR Compliance?
ITAR controls the import and export of defense articles and defense services listed on the U.S. Munitions List (USML). All exporters, brokers, and manufacturers of defense services, defense articles, and related technical data must be ITAR compliant. ITAR requirements flow down to the supply chain members of Defense Industrial Base (DIB) contractors under DFARS 252.225-7048. Hence, you should insist that your suppliers also take measures to ensure compliance.
Does your company manufacture, distribute, or sell services or goods covered under the USML, or supply components for goods listed on the USML? The basic requirement for ITAR compliance is that the company must be registered with the DDTC (Directorate of Defense Trade Controls). The company should also understand and abide by ITAR as it applies to its underlying USML services or goods. Simply put, the company should first register with the DDTC, understand what is needed to remain ITAR compliant, and demonstrate that knowledge through an ITAR compliance program.
What Does ITAR Compliance Mean for Your Company?
The administrative efforts to ensure you are compliant with such regulations as ITAR can prove complicated. Unfortunately, using incorrect measures to meet ITAR compliance has serious ramifications. Any ITAR violation could result in a $500,000 civil fine or a $1,000,000 criminal fine per violation or even being barred from any future exports. You also could be subject to 10-year imprisonment for each violation. When it comes to your ITAR compliance, you should note the following:
Registering with DDTC isn’t Enough
Registering with the DDTC as a manufacturer, broker, or exporter of any service, item, or technical data covered under ITAR isn’t enough. Your organization must also implement several other measures to ensure it remains compliant. You’re expected to have adequate training and knowledge in ITAR. Any violation could result in one or more of the penalties described above.
Certification is a Myth
You might have heard some people talk of ITAR as “certified.” There is no such thing. In reality, there exists only a regulatory requirement for a company dealing with ITAR to be registered with the DDTC and its obligation to remain compliant. This confusion arises when a client asks a contractor to “certify” that they are ITAR compliant. Essentially, they are asking whether you have registered with the DDTC and have an ITAR compliance program in place.
Use A Compliance Checklist
A compliance checklist is a tool that arms suppliers use to determine their ITAR compliance status, set up a system for identifying ITAR-controlled products, services, or data, and implement an ITAR compliance program more easily.
2020 ITAR Amendment
As of March 9th, 2020, a December 2019 ITAR amendment came into effect. Its objective is to describe more precisely which articles provide a critical intelligence or military advantage or, for arms, perform an intrinsic military function, and therefore warrant import or export control on the USML. This rule potentially changes how companies share and store ITAR data in the cloud. Under this amendment, sending or storing information isn’t considered an “export” provided the information is unclassified, cryptographically secured, and stored and transmitted with end-to-end encryption.
Managing ITAR Compliance
If you’re dealing with Export Controlled materials, then you should implement various policies and processes throughout the company to remain compliant. Managing Controlled Unclassified Information (CUI) and ITAR-regulated information is among an organization’s most complex tasks. Hence, you should consider the factors below to determine who should have access to ITAR content:
- Briefing levels
- User nationality and citizenship
- Item or document classification level
- User clearance levels and caveats
Using traditional role-based permissions to define access to ITAR material would require the creation of many security groups and roles. Further, if you rely on permission inheritance, it would require thousands of libraries, folders, or sites to mirror those groups. Such security schemas, their ongoing management, and their complexity significantly increase the chance of a single point of failure, whether in a document’s permissions or in a single user’s permissions. Either of these could be an ITAR violation. Managing information subject to ITAR requires a multifaceted approach to:
- Properly manage access and store information, and
- Control user interactions through policies and training.
Selecting technology to manage ITAR access while ensuring it stays aligned with and relevant to the entire ITAR access process can prove difficult. However, there are several critical elements you must factor in when searching for a tool for ITAR access management, such as:
Taking a Data-Centric Security Approach
Besides leaving some potential security gaps, traditional permission models are resource intensive and complex to manage. Consider instead a data-centric approach to security that, once set up, dynamically enforces data rules such as those related to ITAR. Such an approach uses ABAC (Attribute Based Access Control) to let organizations simplify the management of viewing and editing rights and to dynamically enforce stricter controls over information.
The ABAC model grants access only when a user’s attributes satisfy the policy required to release a specific file. The attributes include clearance levels, nationality, the user’s organization, and other access control identifiers such as access mode, time, project name, and so on. With ABAC, a single repository may contain various classification levels, which minimizes expense and duplication.
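To make the ABAC idea concrete, here is a small policy evaluator in Python. It is an added example, not code from the original article or from Cleared Systems: the attribute names, the classification ladder, the rule that ITAR-controlled items are releasable only to U.S. persons, the working-hours window for edits, and all sample users and documents are constructed assumptions for illustration, not a statement of what ITAR itself requires. It checks the factors the article lists (clearance versus classification, citizenship, caveats, project briefing, access mode and time) against one request and returns every failed rule, so the same decision can be written to an audit trail.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not code from the original article. All attribute names,
policy rules and sample records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Ordered classification ladder; a higher index is more restrictive (assumed).
LEVELS = ["UNCLASSIFIED", "CUI", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class User:
    user_id: str
    citizenship: str                    # country code, e.g. "US"
    clearance: str                      # one of LEVELS
    caveats: frozenset = frozenset()    # caveats the user is read on to
    briefings: frozenset = frozenset()  # projects the user is briefed for
    organization: str = ""


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str                 # one of LEVELS
    itar_controlled: bool
    project: str
    caveats: frozenset = frozenset()    # caveats required to view


@dataclass(frozen=True)
class Request:
    user: User
    document: Document
    mode: str                           # "view" or "edit"
    when: datetime


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every rule must pass.

    All failures are collected rather than stopping at the first, so the
    audit record explains the whole decision.
    """
    u, d = req.user, req.document
    reasons: list[str] = []

    # Rule 1: the user's clearance must dominate the document classification.
    if LEVELS.index(u.clearance) < LEVELS.index(d.classification):
        reasons.append(f"clearance {u.clearance} below {d.classification}")

    # Rule 2 (assumed policy): ITAR-controlled items only to U.S. persons.
    if d.itar_controlled and u.citizenship != "US":
        reasons.append(f"ITAR item not releasable to citizenship {u.citizenship}")

    # Rule 3: every caveat on the document must be held by the user.
    missing = d.caveats - u.caveats
    if missing:
        reasons.append("missing caveats: " + ", ".join(sorted(missing)))

    # Rule 4: the user must be briefed into the document's project.
    if d.project not in u.briefings:
        reasons.append(f"not briefed for project {d.project}")

    # Rule 5 (assumed policy): edits to ITAR material only 06:00-20:00 UTC.
    if req.mode == "edit" and d.itar_controlled and not 6 <= req.when.hour < 20:
        reasons.append("edit of ITAR material outside working window")

    return (not reasons, reasons)


def audit_line(req: Request) -> str:
    """Render one audit record; log this for every decision, allowed or denied."""
    allowed, reasons = evaluate(req)
    verdict = "ALLOW" if allowed else "DENY"
    why = "; ".join(reasons) if reasons else "all rules satisfied"
    return (f"{req.when.isoformat()} {verdict} user={req.user.user_id} "
            f"doc={req.document.doc_id} mode={req.mode} reason={why}")


# Constructed sample records (not real people, projects or documents).
ALICE = User("alice", "US", "SECRET", frozenset({"CAVEAT-1"}), frozenset({"PROJ-X"}), "Widgets Inc")
BOB = User("bob", "GB", "SECRET", frozenset(), frozenset({"PROJ-X"}), "Widgets Ltd")
DRAWING = Document("drawing-17", "CUI", True, "PROJ-X", frozenset({"CAVEAT-1"}))
MEMO = Document("memo-3", "SECRET", False, "PROJ-Y")
NOON = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
NIGHT = datetime(2024, 1, 15, 23, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in (Request(ALICE, DRAWING, "view", NOON),
              Request(BOB, DRAWING, "view", NOON),
              Request(ALICE, MEMO, "view", NOON),
              Request(ALICE, DRAWING, "edit", NIGHT)):
        print(audit_line(r))
```

Note that the document carries its own attributes (classification, ITAR flag, project, caveats) and the policy is evaluated at request time, so adding a new project or a new nationality rule changes one function rather than a tree of groups and inherited folder permissions. The denial reasons are what an auditor will ask for, which is why the evaluator returns them instead of a bare boolean.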
Choose an Auditable and Secure Platform
You should select a platform that maintains the right auditability and security posture mandated for any ITAR material. You can further improve your audit and security controls if you can source a platform that integrates secure document editing and collaboration. The classification criteria required for your project may also require you to find an independent platform that meets the classification requirements for your current IT infrastructure.
Control Over Material Classification
The users who create material (not the system administrator) should retain ultimate control over its classification. Allowing creators to classify their own material means that the ABAC-enabled system can enforce information barriers based on the attributes they set, which keeps access restricted.
Securing ITAR Data
Securing ITAR data is also a critical part of compliance. Although data security practices differ from one organization to another, below are some best practices that you can use to secure ITAR data:
- Implementing strong access control policies.
- Maintaining a robust information policy.
- Using encryption to protect any sensitive data.
- Creating and maintaining vulnerability management programs.
- Regularly monitoring and testing the networks.
- Testing processes and security systems regularly.
- Monitoring and tracking the access to sensitive data and network resources.
- Putting ITAR data loss prevention measures into place.
- Installing and maintaining a firewall configuration and implementing zero trust to protect the ITAR data. Avoiding security defaults and vendor-supplied passwords.
- Assigning unique IDs to all users having computer access.
This list isn’t exhaustive, but it provides a starting point for organizations to meet ITAR compliance and secure sensitive data. Adopting and following these measures ensures that ITAR data is accessible only to those who are both authenticated and authorized.
Have you just won a contract with DoD? ITAR compliance should be the first thing you consider. Companies such as FLIR Systems and ITT have been fined for ITAR violations, and you don’t want to be the next statistic on that list. You are expected to be trained in and/or understand ITAR regulations. If you aren’t, you can partner with us at Cleared Systems to help you with your compliance efforts. Contact us today for help with CMMC, ITAR, and DFARS 7012 compliance.