WHAT IS ITAR DATA AND WHY MUST BUSINESSES PROTECT IT?
By Ken Michael
Businesses and subcontractors involved with the defense industrial base (DIB) that manufacture defense products or services are bound by a number of federal regulations to protect national security. Such businesses often import and export products and services. Because many of these contractors also conduct business with the United States military and other organizations such as the National Aeronautics and Space Administration (NASA), it behooves the United States government to require a certain level of security surrounding the manufacture of such products and services. One of the most important of these regulations is the International Traffic in Arms Regulations, also known as ITAR.
The ITAR regulation differs in that it covers not only the products and services manufacturers and their subcontractors may produce or provide, but it also covers valuable data that could lead to disaster for the U.S. if it were to fall into the wrong hands. Here’s a look at the ITAR, ITAR data, and why businesses are required to protect it.
What is ITAR?
The ITAR is a United States federal regulation that controls the manufacture, sale, and distribution of defense and space-related products and services. The products and services covered by ITAR are defined by the United States Munitions List (USML).
This particular regulation requires that physical materials and technical data (ITAR data) related to defense and military technology be restricted to citizens of the United States only. Thus, businesses must limit access to both the physical materials and the digital data to Americans only. Businesses that must adhere to ITAR include:
Computer Software/Hardware Vendors
Any Business Involved with the Supply Chain
In addition to the products you may expect defense manufacturers to produce from torpedoes to rocket launchers, the USML also restricts the sharing of plans, diagrams, photos, and other documentation of such products and their components. Such plans, diagrams, photos and the like are known as “technical data” under the ITAR regulation. Often, businesses involved in the DIB use such information in the manufacture of military gear and weaponry.
The final product isn’t the only thing covered by ITAR requirements. ITAR data also includes every subcomponent that goes into defense products including circuit boards and wiring. Even something as innocent as travel to a foreign nation with a laptop loaded with ITAR data that is never opened can create an ITAR violation.
While the ITAR requirements can be very simply stated as only allowing U.S. citizens access to items on the USML, meeting the requirements can create challenges for businesses required to achieve them. For example, if a company is based in the U.S. but has operations overseas, the company cannot share ITAR products or data with employees unless they are American citizens or have gained special authorization from the State Department. The same requirements apply when a U.S. business works with subcontractors outside of the United States.
Another part of ITAR requires businesses to implement and maintain an ITAR compliance program that includes tracking, monitoring, auditing, and documentation of technical data. It is advised that each page of ITAR data be stamped with an ITAR notification. This serves as a reminder to employees not to share ITAR data with unauthorized persons.
Failure to comply with ITAR could result in stiff fines up to $500,000 per violation in civil fines and $1 million in criminal fines. Additionally, noncompliance can lead to the loss of contracts, damage to an organization’s reputation, and 10 years of imprisonment per violation.
One company, ITT, was fined $100 million by the U.S. government for failure to comply with ITAR in 2007. The organization had exported night-vision technology despite ITAR rules. In April 2018, FLIR Systems, Inc., faced civil penalties totaling $30 million. That company had transferred USML data to dual-national employees.
Another business hit with ITAR violations and civil penalties is China’s giant telecommunications company, ZTE Corporation. In March 2017, several U.S. government agencies including the Department of Justice and the Department of Commerce’s Bureau of Industry and Security (BIS) charged ZTE with violating laws sanctioning the export of defense products. The company ultimately pled guilty and agreed to pay fines and penalties to the tune of nearly $900,000,000 U.S. dollars with an additional $300,000,000 in suspended fines if it were to further violate its agreement with the BIS.
Even helping a business overseas with integrating software or components into a defense product while Skyping from the United States is an ITAR covered service. A short video by the Small Business Administration (SBA) can help explain why this is the case. To perform a service for a foreign party overseas relating to any USML item, a business will need an export license and all of those services are covered by ITAR requirements. More information is available from the SBA.
Adhering to ITAR
With such serious penalties, businesses must proceed with caution in adhering to ITAR requirements. A good place to start is by implementing the following ITAR requirements:
Identify and Classify Sensitive Data: Know where your sensitive data is located in both digital and hard format. Classify each piece of data based on your business policy and the requirements of ITAR.
Employ the Principle of Least Privilege: Determine which employees require which data to perform their work duties. Allow only the minimum access to digital and hard-copy data that is necessary for each user. Also, ensure that only U.S. citizens have access to ITAR data.
Update Users Regularly: As new employees are on-boarded, existing employees change positions, and employees leave, keep access to all data updated. This should be done on an ongoing basis.
Use Data Monitoring Software: By using data monitoring software, you can track and audit every employee's access to data. This helps identify potential insider threats, viruses, malware, security breaches, and more. Such software can also help identify security vulnerabilities and respond to any threats found.
Secure Hard Data: Don’t neglect hard copies of data. Keep ITAR data locked in a secure, monitored location where only those with the appropriate clearance have access. Physical security may include doors with keycard or biometric locks and video surveillance, for starters.
What’s New with ITAR?
Most recently, on March 18, 2021, the Secretary of State made effective a policy determination to amend the ITAR to include Russia in the list of enumerated countries with respect to which it is the policy of the US to deny licenses and other approvals for exports and/or imports of defense products and services.
“On March 1, 2021, the Secretary of State determined pursuant to Section 306(a) of the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991, that the Government of Russia used chemical weapons in violation of international law or lethal chemical weapons against its own nationals.”
Thus, Russia is now on the list of countries subject to denial for exports of defense articles and services with an exception being allowed for a case-by-case review of exports to Russia that support government space cooperation.
To learn more about ITAR requirements for your business or to successfully implement ITAR requirements within your organization, contact Dox Electronics at (585) 473-7766.