In 2007, ITT was fined $100 million for illegally exporting night vision technology. ITT thought that it could work around the imposed restrictions, but the government didn’t agree with its interpretation of the rules. In April 2018, FLIR Systems was fined $30 million by the State Department for transferring USML data to employees holding dual nationalities. As part of the penalty, FLIR was also instructed to implement a better compliance strategy and hire a third party to oversee its agreement with the Department. For illegally exporting technical drawings of missile, tank, and aircraft components to countries including China, the State Department fined Honeywell International $13 million.
But why were these corporations this heavily fined? They all flouted the International Traffic in Arms Regulations (ITAR). This underscores the importance of understanding ITAR, properly managing ITAR data, and effectively managing ITAR compliance. Many organizations still find it challenging to manage ITAR compliance. In this article, we’ll address what the regulations mean and what contractors can do to manage their compliance in the best possible ways.
What is ITAR Compliance?
ITAR refers to a set of regulations and guidelines administered by the State Department to control the importation and exportation of the defense articles, services, or technologies listed under the US Munitions List (USML). The USML is a list of things with a military purpose and can be found within section 121.1 of the ITAR. It has 21 categories, including defense articles, defense services, and technical data.
ITAR regulations aim to control access to these technologies and associated data. To engage in ITAR-related activities, be it exporting, brokering, or even importation, you must first register with and obtain permission from DDTC (Directorate of Defense Trade Controls) and be ITAR compliant. Many universities, research labs, and defense companies handle military and defense technologies. To remain ITAR compliant, these institutions should share items listed on the USML only with US citizens unless otherwise authorized.
Who Should Follow ITAR Compliance?
Some organizations mistakenly assume that ITAR relates only to weapons such as missiles, jet fighters, and firearms. However, it covers much more than that. For instance, Category I, paragraph (e) of the ITAR also identifies sound suppressors and mufflers as controlled. Therefore, to avoid negative consequences and severe penalties, take the time to determine which ITAR elements you should address in your compliance efforts. This means checking whether what your company produces is on the USML. Remember, ITAR also covers technical data and defense services.
Do you work with or produce any of these items?
- Aircraft and related articles
- Biological agents and associated equipment
- Chemical agents and associated equipment
- Classified articles, technical data and defense services
- Directed energy weapons
- Electronics, military
- Explosives and energetic materials and their constituents
- Fire control equipment
- Firearms and related articles
- Gas turbine engines and associated equipment
- Ground vehicles
- Incendiary agents and their constituents
- Launch vehicles
- Materials and miscellaneous articles
- Missiles, guided and ballistic
- Naval equipment (special)
- Nuclear weapons related articles
- Optical, guidance, and control equipment
- Personal protective equipment
- Propellants and their constituents
- Range finder equipment
- Spacecraft systems and related articles
- Submersible vessels and related articles
- Surface vessels of war
- Toxicological agents and associated equipment
- Training equipment, military
How Can An Organization Achieve ITAR Compliance?
To become ITAR compliant, there’s no formal certification. However, organizations are expected to follow and comply with certain standards. So, how do you become ITAR compliant? Below are some steps to follow:
Determining What Is Controlled
First, you should determine what is controlled and whether whatever is produced is covered under the USML. As mentioned above, the list covers defense articles, defense services, and technical data related to manufacturing any defense article designated as an SME (Significant Military Equipment). The defense services include but are not limited to:
- Servicing or furnishing a defense article.
- Providing military training to a foreign force or unit.
- Assisting a foreign citizen with a defense article (for instance, helping integrate a spacecraft or satellite into a launch vehicle).
- Providing a foreigner with technical data.
So, confirm if the company produces any data or item listed on the USML and take the appropriate measures to ensure compliance.
Registering with DDTC
After determining that you deal with an ITAR-controlled product or data, the next process is registering with DDTC. Before you can manufacture, export, or temporarily import defense articles, furnish or even broker defense services or articles, you should be registered with DDTC. Although manufacturing isn’t defined under ITAR, it means making something. For instance, if you turn steel into a rifle, you are a manufacturer. It also can mean improving an already existing thing. For instance, certain gunsmithing activities may be considered manufacturing, especially when they enhance the performance of a defense article.
For a physical defense article, exporting means moving it outside the US border. However, the term export has a broader meaning regarding technical data. If you show technical data to a person outside the US while you are within the country, you are deemed to have exported it although you haven’t physically moved it. These are called deemed exports.
Brokering means helping any other person or entity do any of the things mentioned previously, such as exporting a defense article. Brokering is defined broadly: DDTC regulates the brokering of foreign defense articles and defense services as well as those of US origin. To continue with any of the activities above, you must renew your registration with DDTC annually. You also must keep ITAR-related records and documents and make them available for inspection by DDTC.
Adopt an ITAR Compliance Program
Next, you should familiarize yourself with the general requirements under ITAR and adopt internal written procedures and policies that comply with the said requirements. This is referred to as an ITAR compliance program. Comprehensive operational compliance programs comprise manuals that spell out the processes to be followed in implementing a company’s program. Below are the important elements of the program or manual:
- Corporate Policies and Statements: In the program/manual, the company should include a written directive by senior management to comply with ITAR and the Arms Export Control Act (AECA). It should also demonstrate understanding and knowledge of how and when ITAR and AECA affect the company’s ITAR-controlled items and technical data. The manual should also show the internal controls established and implemented to achieve ITAR and AECA compliance.
- Organizational Structure: This should detail the company’s defense trade function, organizational charts, and a description of the control and management structures for tracking and implementing compliance with US export controls.
- Identification Methodologies: Methodologies tailored specifically to the corporate organization, functions, and structure to properly identify and account for ITAR-controlled items or technical data handled by the organization.
- Retransfers and Re-exports: The manual should detail the procedure used to obtain written approval from the State Department before a re-transfer to a party that isn’t included in the State Department’s authorization of an artifact or technical data exported or transferred to the company originally. It should also show how the company tracks the re-transfers and re-exports.
- Training: The compliance manuals and programs should also explain the company’s training on export control laws and regulations such as ITAR. It also should detail the process of ensuring training, guidance, and education to employees working on exports.
- Violations and Penalties: The programs and manuals should also include the procedures through which the company intends to report any violations of its internal control program or ITAR. It also should have a description of ITAR penalties and written procedures to foster employee discipline.
- Prohibited/ Restricted Transfers and Exports: The manual should show how the company intends to screen carriers, countries, and customers. It should also show how the company will be screening for high-risk transactions to prevent illegal transfers and exports. A good compliance program manual should also detail the procedure used to investigate evidence of unauthorized use or diversion of an ITAR artifact or US-origin product.
- Recordkeeping: The manual should show how the company will maintain records about US-origin products for the next five years from license expiration. It should detail how the company plans to review the documents and files internally.
- Internal Monitoring: The manual should include procedures for periodic performance audits, emphasizing full export compliance validation and measuring the effectiveness of daily operations.
The State Department recommends that all companies dealing with ITAR-controlled activities adopt ITAR Compliance Programs. It may reduce penalties and fines, or assess none, for companies that have adopted a compliance program. Such programs demonstrate to government agencies and prime contractors that a company has a formal ITAR compliance process and a sophisticated approach to managing ITAR-controlled activities.
Ensuring that Your Cloud Infrastructure is ITAR Compliant
The next step is ensuring that your cloud infrastructure, such as storage and networks, is ITAR compliant. Microsoft GCC High is the only cloud environment where Microsoft contractually guarantees DFARS 7012 and is one of the two sovereign clouds that can effectively handle ITAR data. Companies must ensure they don’t accidentally distribute technical data to foreign nations or persons.
Normally, you can meet this standard by ensuring all data centers reside within the US and are solely managed by US citizens. Hence, data residency and sovereignty play a critical role when it comes to ITAR data. However, the State Department has issued an exemption ruling under which companies may share unclassified technical data outside the US or with their supply chain, provided it is secured with end-to-end encryption. Such an exchange isn’t considered an export of the end-to-end-encrypted technical data.
What Does DDTC Registration Mean?
DDTC registration means that your company is complying with section 122 of the ITAR. It means that your company has obtained a registrant code that enables you to apply for ITAR export agreements and licenses, or to claim ITAR exemptions from DDTC, and that DDTC is aware your company engages in licensed ITAR-controlled activities. However, this doesn’t mean that the US government has authorized you to perform any ITAR work, or that you are ITAR compliant or ITAR “certified.”
Why Are You Required to Protect ITAR Data?
As mentioned above, the US Government requires all exporters, brokers, and manufacturers of defense articles or services and any related technical data to be ITAR compliant. DFARS, CMMC, and NIST 800-171 are related compliance frameworks that such contractors commonly face. Non-compliance carries serious penalties and fines, so it isn’t an option. Being compliant also keeps client information secure, and the same applies to ITAR: it prevents sensitive information from reaching foreign actors and controls access to specific technologies and associated data, giving the government an edge in defense matters.
What Are the Penalties and Fines for ITAR Non-Compliance
ITAR non-compliance has potentially serious penalties, including hefty fines and jail time of up to 10 years. The civil fine is as high as $500,000, while criminal fines are up to $1,000,000. These penalties and fines are imposed per instance. At worst, the US Government can ban your organization from any future related export and import activities. Additionally, the State Department might impose restrictions on your business practices, meaning that your export/import activities may be banned. Hence, companies must understand how to secure ITAR-controlled data.
What Contractors Can Be Subjected to Non-Compliance Penalties
Any company dealing with defense artifacts listed in USML or handling ITAR-controlled data is subject to these penalties. Contrary to some beliefs that only prime contractors are subject to these penalties, even subcontractors should achieve compliance. Remember, the ITAR requirements flow down through DFARS and apply throughout the supply chain in compliance with DFARS 252.225-7048. For instance, the State Department charged Bright Lights USA Inc with an ITAR violation. The company often imported parts needed to manufacture its products from foreign suppliers.
However, it sent the drawings of export-controlled components to these foreign suppliers to obtain quotes, all without the necessary permissions and licenses. The State Department concluded that Bright Lights Inc had significant compliance deficiencies and charged it with several violations. Although the State Department could have pursued civil, administrative, and criminal enforcement, Bright Lights Inc was assessed only a $400,000 civil penalty. Hence, whether you are a prime contractor or a subcontractor, as long as you deal with ITAR-controlled data, services, or artifacts, ensure that you are ITAR compliant.
How Can You Secure ITAR Data?
Given the penalties associated with ITAR non-compliance, it only makes sense to protect digital data with layered security controls. ITAR is a United States federal regulation, so companies should start from the federal standards for data security. NIST SP 800-53 defines the guidelines and standards federal agencies should follow, and any organization handling and managing ITAR-regulated items should use it as a baseline. Below are some basic principles that companies can use to secure ITAR data:
Discover & Classify Sensitive Data
The company should locate or identify sensitive data and secure it. This data should then be classified based on the corporate policies defined in its ITAR Compliance Program.
Map Data & Permissions
The next thing a company can do to secure its ITAR data is to map groups, users, and file and folder permissions. Determining who has access to which data is critical to securing it.
Manage Access Control
Then identify any stale users and deactivate them. The company should manage group and user memberships and remove any global access groups. Implementing zero trust, especially a least-privilege access model, goes a long way toward securing the data.
Monitor User Behavior, File Activity, and Data
Companies dealing with ITAR data should audit and report on event and file activity as spelt out in the internal monitoring section of their ITAR Compliance Program. This includes monitoring for malware, misconfigurations, security breaches, and insider threats. Any security vulnerabilities found should be remediated. Any data breach should be disclosed to DDTC.
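The four steps above (discover and classify, map permissions, manage access, monitor) come together in a periodic access review. The Go program below is an added example written for this article, not code from Cleared Systems or from any identity or file-server product. It assumes two constructed exports: a flattened list of folder permissions carrying each folder's classification label, and the last sign-in date per user account. On ITAR-classified folders only, it flags global access groups and accounts idle longer than a threshold; the group names and the 90-day threshold are assumptions to adjust to your own directory and policy.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample input (not from the article): a flattened export of
// folder permissions, with each folder's classification label, and a second
// export of the last interactive sign-in per user account.
const permissionsCSV = `path,classification,principal,kind,access
/engineering/ITAR/drawings,ITAR,itar-engineers,group,modify
/engineering/ITAR/drawings,ITAR,Everyone,group,read
/engineering/ITAR/drawings,ITAR,jdoe,user,read
/engineering/public/brochures,Public,Everyone,group,read
/engineering/ITAR/test-reports,ITAR,Authenticated Users,group,read
/engineering/ITAR/test-reports,ITAR,msmith,user,modify`

const usersCSV = `user,last_signin
jdoe,2023-01-04
msmith,2023-07-21`

// Finding is one review result: which principal, on which path, and why.
type Finding struct {
	Path, Principal, Reason string
}

// globalAccessGroups are principals that effectively grant access to every
// account. The set is an assumption for this example; match it to your directory.
var globalAccessGroups = map[string]bool{
	"Everyone": true, "Authenticated Users": true, "Domain Users": true,
}

// parseCSV reads a small header-first CSV export into row maps. It assumes
// no field contains a comma, which holds for the constructed data above.
func parseCSV(text string) []map[string]string {
	lines := strings.Split(strings.TrimSpace(text), "\n")
	header := strings.Split(lines[0], ",")
	var rows []map[string]string
	for _, line := range lines[1:] {
		fields := strings.Split(line, ",")
		row := make(map[string]string, len(header))
		for i, h := range header {
			row[h] = strings.TrimSpace(fields[i])
		}
		rows = append(rows, row)
	}
	return rows
}

// reviewAccess joins permissions to classification and account activity and
// flags, on ITAR-classified paths only, (a) global access groups and (b) user
// accounts idle longer than staleAfter as of the reference time now.
func reviewAccess(permsCSV, usersCSV string, now time.Time, staleAfter time.Duration) []Finding {
	lastSignin := map[string]time.Time{}
	for _, u := range parseCSV(usersCSV) {
		if t, err := time.Parse("2006-01-02", u["last_signin"]); err == nil {
			lastSignin[u["user"]] = t
		}
	}
	var findings []Finding
	for _, p := range parseCSV(permsCSV) {
		if p["classification"] != "ITAR" {
			continue // Public data may legitimately be broadly readable.
		}
		switch {
		case p["kind"] == "group" && globalAccessGroups[p["principal"]]:
			findings = append(findings, Finding{p["path"], p["principal"], "global access group on ITAR data"})
		case p["kind"] == "user":
			seen, ok := lastSignin[p["principal"]]
			if !ok {
				findings = append(findings, Finding{p["path"], p["principal"], "account has no recorded sign-in"})
			} else if idle := now.Sub(seen); idle > staleAfter {
				reason := fmt.Sprintf("stale account, idle %d days", int(idle.Hours()/24))
				findings = append(findings, Finding{p["path"], p["principal"], reason})
			}
		}
	}
	// Deterministic ordering makes the report diffable between audit runs.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Path != findings[j].Path {
			return findings[i].Path < findings[j].Path
		}
		return findings[i].Principal < findings[j].Principal
	})
	return findings
}

func main() {
	now := time.Date(2023, 10, 1, 0, 0, 0, 0, time.UTC) // fixed reference date for reproducible output
	for _, f := range reviewAccess(permissionsCSV, usersCSV, now, 90*24*time.Hour) {
		fmt.Printf("%-32s %-20s %s\n", f.Path, f.Principal, f.Reason)
	}
}
```

Run as-is it reports the Everyone and Authenticated Users grants on the two ITAR folders and the jdoe account idle for 270 days, while the Everyone grant on the Public folder is left alone. The output is what the internal-monitoring section of a compliance program needs as evidence: a dated, repeatable list of what was found and what was remediated.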
How Can You Share ITAR Data?
To securely share any ITAR data, it must be end-to-end encrypted. End-to-end encryption is essential for securing ITAR data. The data is encrypted on the sender’s device and can only be decrypted by and on the receiver’s device. Hence, only the sender and receiver can read the encrypted data. Nobody else.
Since the data isn’t decrypted even while on the server, an attacker who breaches the server obtains only ciphertext. Previously, companies were required to store all ITAR data on servers inside the US, and the servers had to be guarded or manned by US citizens. These regulations were burdensome, especially in a global economy.
The regulation was revised by the State Department in March 2020, allowing the transfer or sharing of unclassified ITAR technical data without needing an export license. However, the data has to be secured using end-to-end encryption. The decryption keys shouldn’t be shared with or provided to ANY third party.
With this new guidance, defense contractors can leverage the cloud in ways they couldn’t in the past, made possible by end-to-end encryption and proper key management. Following these guidelines, Defense Industrial Base (DIB) contractors can use cloud data storage and send the data to a US citizen or any other authorized person or entity overseas. They can store the data outside the US provided it isn’t stored in a restricted or hostile country.
ITAR Compliance Checklist for Data Protection
Below are some key issues that defense companies should look at whenever developing ITAR compliance programs.
- Determine whether the products or information they share are on the USML and therefore subject to ITAR.
- If the information is ITAR-controlled, avoid the burdensome and challenging export controls by using end-to-end encryption to protect it when sharing files or sending emails.
- Ensure that the encryption provider’s key management practices guarantee that only the user can access their own private key.
- Use expirations to manage data access.
- Enforce granular access to files through view-only and read-only capabilities.
- Have log management that allows the company to see the people that access a file.
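The sharing model from the previous section (encrypt on the sender’s device, decrypt only on the recipient’s device, decryption keys never handed to any third party) and the checklist items on key custody and expirations can be shown in one small program. The Go code below is an added example written for this article, not code from Cleared Systems, Microsoft, or any encryption provider. It uses X25519 key agreement and AES-256-GCM from Go’s standard library, binds the expiry time into the authenticated data so that a storage service cannot quietly extend access, and models the cloud service as a party that holds the envelope but no recipient key. The simplified key derivation and the "itar-e2e-example-v1" label are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Envelope is everything the storage service or mail relay ever sees; none of it yields plaintext.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte
	Ciphertext   []byte
	ExpiresAt    int64 // Unix seconds, bound into the AEAD's additional data
}

// Device models one endpoint; its private key is generated locally and never leaves the struct.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() *ecdh.PublicKey { return d.priv.PublicKey() }

// sessionKey runs X25519 and turns the shared secret into AES-256-GCM. Hashing the secret with
// both public keys is a simplified KDF for this example; deployed systems would use HKDF.
func sessionKey(local *ecdh.PrivateKey, remote *ecdh.PublicKey, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	shared, err := local.ECDH(remote)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte("itar-e2e-example-v1"), shared, ephPub, recipientPub} {
		h.Write(part)
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// expiryAAD encodes the expiry as additional authenticated data, so any change to it breaks authentication.
func expiryAAD(expiresAt int64) []byte { return binary.BigEndian.AppendUint64(nil, uint64(expiresAt)) }

// Seal encrypts on the sender's device for exactly one recipient public key.
func (d *Device) Seal(recipient *ecdh.PublicKey, plaintext []byte, expiresAt time.Time) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionKey(eph, recipient, eph.PublicKey().Bytes(), recipient.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, ExpiresAt: expiresAt.Unix()}
	env.Ciphertext = gcm.Seal(nil, nonce, plaintext, expiryAAD(env.ExpiresAt))
	return env, nil
}

// Open decrypts on the recipient's device: expired envelopes are refused, and any other device fails authentication.
func (d *Device) Open(env *Envelope, now time.Time) ([]byte, error) {
	if now.Unix() > env.ExpiresAt {
		return nil, fmt.Errorf("access to this envelope expired at %s", time.Unix(env.ExpiresAt, 0).UTC())
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionKey(d.priv, ephPub, env.EphemeralPub, d.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, expiryAAD(env.ExpiresAt))
}

func main() {
	sender, _ := NewDevice()
	recipient, _ := NewDevice()
	now := time.Now()
	env, _ := sender.Seal(recipient.PublicKey(), []byte("constructed sample: drawing 42 rev C"), now.Add(24*time.Hour))
	pt, err := recipient.Open(env, now)
	fmt.Println(string(pt), err)
}
```

The property worth checking is what a storage service can do with the envelope: with its own key pair it fails authentication on Open, and if it edits ExpiresAt the recipient’s Open fails too, because the expiry is covered by the GCM tag. The expiry check itself runs on the recipient’s device, so an expiration policy still depends on trusted endpoint software, and the access logging the checklist calls for (who opened which envelope, and when) has to be recorded by those endpoints around this code. The program on its own does not establish the encryption carve-out; the exemption also places conditions on the cryptographic modules used, which a deployed product must meet.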
Does your company deal with any item listed on the USML? If it does, then you should take measures to ensure ITAR compliance. Non-compliance results in civil and criminal penalties and possibly even jail time, as explained above. Whether you are a prime contractor or subcontractor, you are subject to the penalties mentioned above since ITAR requirements flow down via DFARS.
Hence, ensure that you undertake regular audits to determine your compliance posture. Do you have questions about DDTC registration or need any help? Our team of ITAR professionals can help. They will guide you on every step to ensure ITAR compliance. After all, registration is easy, but remaining compliant is where most companies get into trouble. Contact us at Cleared Systems today for a consultation and assistance with your ITAR compliance.
Ways We Can Help You
Contact us to receive assistance in navigating cybersecurity risks and information compliance for your company. Here are some additional ways we can help:
- Schedule a free discovery session with us during which we can learn about your company, answer your questions, and assist you in determining if Cleared Systems is the right fit for you.
- Register for our upcoming cybersecurity and information compliance training.
- Purchase our books on CMMC 2.0, CUI, Data Breaches, and ITAR.
- Join our weekly free webinar sessions to ask questions and learn about the latest developments in cybersecurity and information compliance.
Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
Carl B. Johnson: https://clearedsystems.com/author/cs-man/