What is ITAR Compliance? ITAR Regulations, Fines, Certifications & More
Learn about ITAR compliance in Data Protection 101, our series on the fundamentals of information security.
A Definition of ITAR Compliance
International Traffic in Arms Regulations (ITAR) control the export and import of defense-related articles and services on the United States Munitions List (USML). According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles, defense services, or related technical data must be ITAR compliant. As a result, more companies are requiring their supply chain members to be ITAR compliant as well. In general:
For a company involved in the manufacture, sale, or distribution of goods or services covered under the USML, or a component supplier to goods covered under the USML, the stipulation or requirement of being “ITAR certified (compliant)” means two things: the company must be registered with the State Department’s Directorate of Defense Trade Controls (DDTC) if registration is required as spelled out on DDTC’s website, and the company must understand and abide by the ITAR as it applies to its USML-linked goods or services. By accepting a role as a supplier to the USML prime exporter, the company itself is certifying that it operates in accordance with the ITAR.
In other words, companies must register with the DDTC and know what is required of them to be ITAR compliant and then certify that they possess that knowledge.
What Does the ITAR Mean For My Company?
Overall, it is important to understand that registering with the DDTC to sell your products or services in the ITAR industry is not enough; you must also be sure not to violate ITAR compliance regulations. The expectation is that you are educated and trained in ITAR regulations. Keep in mind that ITAR violations may result in criminal or civil penalties, debarment from future exports, and/or imprisonment, including:
- Civil fines as high as $500,000 per violation
- Criminal fines of up to $1,000,000 and 10 years imprisonment per violation
ITAR Compliance and Technology Companies
As an important U.S. export control law, the ITAR affects the manufacture, sale, and distribution of technology. The goal of the legislation is to control access to specific types of technology and their associated data. Overall, the government is attempting to prevent the disclosure or transfer of sensitive information to a foreign national. As a result, ITAR can pose challenges for global corporations, since data related to specific technologies may need to be transferred over the internet or stored locally outside of the United States in order to make business processes flow smoothly. The responsibility lies with the manufacturer or exporter to take the necessary precautions and steps to certify that they are, in fact, meeting ITAR compliance requirements.
Specifically, ITAR [22 CFR 120-130]:
- Covers military items or defense articles
- Regulates goods and technology designed to kill or defend against death in a military setting
- Includes space-related technology because of application to missile technology
- Includes technical data related to defense articles and services
- Involves strict regulatory licensing and does not address commercial or research objectives
2020 ITAR Amendment
In December of 2019, the Department of State added an amendment to ITAR. According to the summary, the amendment aims to “describe more precisely the articles that provide a critical military or intelligence advantage or, in the case of weapons, perform an inherently military function and thus warrant export and temporary import control on the USML.”
The new rule took effect on March 9th, 2020 and potentially changes the way organizations store and share ITAR data in the cloud. Essentially, certain data may be stored in the cloud as long as it is safe from being accessed by foreign entities and meets certain criteria. With this new amendment, data won’t be considered an “export” as long as it’s:
- Kept safe with end-to-end encryption
- Cryptographically secured
ITAR Data Security Recommendations
Now that you know the significance of ITAR Compliance and the penalties of failing to comply, it is important to understand how to secure your ITAR-controlled data. While data security will have different requirements for every company, here are some best practices to follow in securing ITAR data:
- Maintain an information security policy
- Build and maintain a secure network by installing and maintaining a firewall configuration to protect data, and by avoiding the use of vendor-supplied passwords and other security defaults
- Assign a unique ID to each person with computer access
- Regularly test security systems and processes
- Protect sensitive data with encryption
- Regularly monitor and test networks
- Implement strong access control measures
- Track and monitor all access to network resources and sensitive data
- Maintain a vulnerability management program
- Implement measures to prevent the loss of ITAR-controlled data
This list is not exhaustive, but it is meant to provide a starting point for securing sensitive data and meeting ITAR compliance. By following these measures and adapting them to your company’s needs, you can ensure that ITAR data remains accessible where it needs to be while staying protected against loss or unauthorized access.
Experts Weigh in on ITAR Compliance
Here’s a look at what the experts have to say about ITAR compliance.
1. Certification is a myth. “Many have heard the term ‘certified’ in relation to ITAR. In reality, there is no such thing as being ITAR certified. There is only a regulatory requirement to be registered and a company’s obligation to be compliant. The confusion comes when you receive a letter from your customer asking you to ‘certify’ that your business is ITAR compliant. What they are really asking is, ‘Are you registered for ITAR and do you have an established compliance program with all required controls in place?’” — Mark Bleckley, What It Really Means to be ITAR Compliant: Why You Should Stop Saying You are ITAR Certified, Grand Valley State University
2. Registration doesn’t mean you’re out of the woods. “What is important to understand is that even though you may register your company with the DDTC to sell your products or services in the ITAR industry, you must also not violate ITAR compliance regulations. You are expected to be educated and trained in ITAR regulations. Violating the ITAR may result in criminal or civil penalties, debarred from future exports, as well as imprisonment.” — What does ITAR Compliant/ITAR Compliance mean?, Dunlap-Stone University
3. Use a checklist. “An ITAR compliance checklist is a tool used by arms suppliers to easily determine if they are ITAR compliant, establish an identification system for ITAR-controlled products, and implement an effective ITAR compliance program.” — Jona Tarlengco, Top 3 ITAR Compliance Checklists, Safety Culture
If your company is subject to ITAR compliance, following these tips and best practices will ensure you’re compliant with the most current regulations, including the latest amendment related to securing sensitive ITAR-controlled data in the cloud.