In the United States, some regulations control the manufacture, sale, and distribution of defense and space-related articles and services. The regulations are controlled under the International Traffic in Arms Regulation (ITAR). The definition of these products and services are detailed in the United States Munitions List (USML).
Besides rocket launchers, torpedoes, and other military hardware, the USML lists other military hardware and restrictions on the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. ITAR refers to this as “technical data”.
ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to U.S. citizens only. How can a company ensure that only U.S. citizens have and then access that data on a network and are ITAR compliant? Limiting access to physical materials is straightforward; restricting access to digital data is more complicated.
Who Needs To Follow ITAR Compliance?
Any company that handles manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies that can deal in USML goods and services, it is up to each company to establish policies to comply with ITAR regulations.
Some of the types of companies/industries that are involved in ITAR are:
- Computer Software/ Hardware vendors
- Third-party suppliers
- Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A also violates ITAR.
ITAR regulations apply to U.S. citizens who can access items on the USML list. This can present a challenge for uninformed U.S. companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired unless they gain State Dept. authorization. The same principle applies when U.S. companies work with non-US subcontractors.
There are exemptions that the State Department can issue exemptions for specific purposes. Certain countries currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.
The U.S. government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring, and auditing of technical data.
ITAR exists to track military and defense-sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines and significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.
Penalties for ITAR Compliance Violations
The penalties for ITAR violations can be significant:
- For civil infractions, fines up to $500,000
- For criminal offenses up to $ 1 million and 10 years in prison
Types of Defense Articles
For specific definitions of categories please consult the Defense Articles in the USML. There are 21 distinct categories
How to Secure Your ITAR Data
Given the penalties associated with ITAR, it makes sense to protect digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, their guidance for data security is a great place to start. NIST SP 800-171 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR-regulated materials should use NIST SP 800-53 as a baseline for their security standards. Follow these basic principles to secure your ITAR data:
- Discover and Classify Sensitive Data
- Locate and secure all sensitive data
- Classify data based on business policy
- Map Data and Permissions
- Identify users, groups, folders and file permissions
- Determine who has access to what data
- Manage Access Control
- Identify and deactivate stale users
- Manage user and group memberships
- Remove Global Access Groups
- Implement a least privilege model
- Monitor Data, File Activity, and User Behavior
- Audit and report on file and event activity
- Monitor for insider threats, malware, misconfigurations,` and security breaches
- Detect security vulnerabilities and remediate
Intrex Aerospace is very experienced in producing parts requiring ITAR compliance. Our systems and staff are very familiar with ITAR regulations. It has been instrumental in growing our business in the aerospace, space, and defense sectors. If you would like more information about our capabilities, please contact us. Thank you again for spending time on our website. We hope you have found it informative and worthwhile.