Learn about ITAR compliance in Data Protection 101, our series on the fundamentals of information security.
A Definition of ITAR Compliance
International Traffic in Arms Regulations (ITAR) control the export and import of defense-related articles and services on the United States Munitions List (USML). According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles, defense services, or related technical data must be ITAR compliant. Therefore, more companies are requiring their supply chain members to be ITAR compliant as well. In General:
For a company involved in the manufacture, sale or distribution of goods or services covered under the USML, or a component supplier to goods covered under the United States Munitions List (USML), the stipulation or requirement of being “ITAR certified (compliant)” means that the company must be registered with the State Department’s Directorate of Defense Trade Controls (DDTC) if required as spelled out on DDTC’s web site and the company must understand and abide by the ITAR as it applies to their USML linked goods or services. The company themselves are certifying that they operate in accordance with the ITAR when they accept being a supplier for the USML prime exporter.
In other words, companies must register with the DDTC and know what is required of them to be ITAR compliant and then certify that they possess that knowledge.
What Does the ITAR Mean For My Company?
Overall, it is important to understand that registering with the DDTC to sell your products or services in the ITAR industry is not enough; you must be sure not to violate ITAR compliance regulations. The expectation is that you are educated and trained in ITAR regulations. Keep in mind that ITR violations may result in criminal or civil penalties, being barred from future exports, and/or imprisonment, including:
- civil fines as high as $500,000 per violation
- criminal fines of up to $1,000,000 and 10 years imprisonment per violation
ITAR Compliance and Technology Companies
As an important U.S. export control law, the ITAR affects the manufacture, sale, and distribution of technology. The goal of the legislation is to control access to specific types of technology and their associated data. Overall, the government is attempting to prevent the disclosure or transfer of sensitive information to a foreign national. As a result, ITAR can pose challenges for global corporations, since data related to specific technologies may need to be transferred over the internet or stored locally outside of the United States in order to make business processes flow smoothly. The responsibility lies with the manufacturer or exporter to take the necessary precautions and steps to certify that they are, in fact, meeting ITAR compliance requirements.
Specifically, ITAR [22 CFR 120-130]:
- Covers military items or defense articles
- Regulates goods and technology designed to kill or defend against death in a military setting
- Includes space-related technology because of application to missile technology
- Includes technical data related to defense articles and services
- Involves strict regulatory licensing and does not address commercial or research objectives
ITAR Data Security Recommendations
Now that you know the significance of ITAR Compliance and the penalties of failing to comply, it is important to understand how to secure your ITAR-controlled data. While data security will have different requirements for every company, here are some best practices to follow in securing ITAR data:
- Maintain an information security policy
- Build and maintain a secure network by installing and maintaining firewall configuration to protect data and avoiding the use of vendor-supplied passwords and other security defaults
- Assign a unique ID to each person with computer access
- Regularly test security systems and processes
- Protect sensitive data with encryption
- Regularly monitor and test networks
- Implement strong access control measures
- Track and monitor all access to network resources and sensitive data
- Maintain a vulnerability management program
- Implement measures to prevent the loss of ITAR-controlled data
This list is not exhaustive, but is meant to provide a starting point for securing sensitive data and meeting ITAR compliance. By following and adopting these measures to your company’s needs, you can ensure that ITAR data is still accessible where it needs to be while staying protected against loss or unauthorized access.