A prestigious university regularly collaborates with a DoD prime on advanced research. This time, the prime contracted the university to help with research on electro-optical distributed aperture systems for our F-35s. However, it had recently hired foreign laboratory technologists and professors as part of its efforts to enhance learning through diversification. The research, designs, and other technical data regarding the electro-optical distributed aperture system fell squarely under ITAR. One of the core tenets of ITAR compliance is to ensure that technical data on defense articles and services CANNOT be viewed by or exported to foreign nationals. If a foreign national or entity in the U.S. viewed the data, it was considered an export and would thus violate ITAR. This required the university to implement proper safeguards to protect the research and technical data, as their disclosure would pose risks to U.S. national security and the effectiveness of our military forces. The university needed an effective method to label and classify ITAR data while implementing access control measures and encryption to ensure secure collaboration and safeguard sensitive information. They opted for Microsoft AIP and enlisted the assistance of Cleared Systems, an MSP, to deploy this solution.
Objectives
- To guarantee that the university adhered to ITAR regulations through meticulously labeling and classifying technical data related to the electro-optical distributed aperture system.
- To implement proper access controls and encryption for securing sensitive information on the electro-optical distributed aperture system, thereby preventing unauthorized access.
- To foster a secure collaboration environment that prioritizes protecting sensitive data while promoting effective communication among different employees.
Challenges
- Integrating Microsoft AIP into the university’s existing systems without disrupting ongoing research activities was a significant challenge. The university had a large and diverse data environment with multiple sources and formats of ITAR data, which added to the complexity of the task.
- The deployment of Microsoft AIP into the university systems introduced confusion among the university’s staff and research collaborators regarding the ITAR compliance changes. The staff and partners had to be trained to use Microsoft AIP to label and classify ITAR documents and records.
- The university faced a significant challenge as its cryptography modules weren’t FIPS 140-2 compliant, a requirement in line with ITAR. This meant the encryption methods used to protect sensitive data did not meet the security standards. The university had to upgrade or replace these modules, which required careful planning and execution to avoid compromising data security during the transition. This challenge was further compounded by the need to train staff on using new tools and protocols.
- Managing the flow of sensitive technical data while maintaining efficient collaboration within the university and with external partners was a delicate balancing act. The university had to balance the need for security and the need for collaboration among its staff and partners. This thin line could result in ITAR violations.
- To ensure all research collaborators marked the ITAR technical data relating to the defense item properly, the university needed a proper monitoring system that wasn’t in place. The system needed to be deployed to identify any potential breaches promptly.
Solutions
- Microsoft AIP Deployment: Our team deployed Microsoft AIP onto the university’s systems, facilitating meticulous labeling and classification of ITAR data. This strategic move streamlined the management of sensitive information, enhancing compliance with ITAR regulations. The deployment was carried out in a phased manner to minimize disruption to ongoing research activities.
- Access Control Measures: Cleared Systems implemented robust access control measures to ensure secure collaboration and seamless ITAR data transmission between research collaborators. This effectively curtailed unauthorized access to ITAR-controlled technical data on the electro-optical distributed aperture systems. The measures were tailored to the university’s unique needs, considering the diverse roles and responsibilities of staff and collaborators.
- Data Encryption: We deployed FIPS 140-2 compliant cryptographic modules to encrypt ITAR-controlled technical data in line with ITAR. This advanced encryption safeguarded sensitive research data on an electro-optical distributed aperture system during transmission between research collaborators and at rest, adding an extra layer of security. We regularly updated the encryption standards to keep pace with evolving cybersecurity threats.
- Staff Training: Our team offered comprehensive training on using Microsoft AIP, understanding of ITAR regulations, and best practices for handling sensitive data for the university staff. We also conducted post-training assessments to ensure the staff fully understood and could apply the training content.
- Continuous Monitoring: Cleared Systems put a continuous monitoring system in place for real-time detection of potential breaches or non-compliant activities, enabling swift corrective actions. The system generated detailed logs that could be reviewed for audit purposes and to identify areas for further improvement.
Results
- ITAR Compliance: Through the meticulous labeling and classification of technical data facilitated by the deployment of Microsoft AIP, the university successfully achieved ITAR compliance. This not only streamlined the management of sensitive information but also ensured that all data handling processes were in strict accordance with ITAR regulations.
- Secure Collaboration: Implementing robust access control measures and advanced encryption protocols was pivotal in ensuring secure collaboration. By leveraging FIPS 140-2 compliant cryptographic modules for data encryption, the university got an added layer of security, safeguarding sensitive data during transmission between the research collaborators and at rest. This comprehensive approach to data security ensured that sensitive information remained protected while facilitating effective collaboration.
- Data Safeguarding: The university successfully safeguarded its research and technical data, a critical aspect of national security. By implementing stringent data security measures and adhering to ITAR compliance, the university played a crucial role in protecting U.S. national security, foreign policy, and military effectiveness. The secure handling of sensitive information about the electro-optical distributed aperture systems for F-35s ensured that critical defense technology remained secure, thereby contributing to the overall effectiveness of our military forces. Contact Cleared Systems for more information about Microsoft AIP compliance.