If you’re exporting certain technologies, materials, or data from the United States, you may be required to be in compliance with ITAR. While ITAR regulations are best known for applying to defense contractors exporting military-grade weaponry, to protect U.S. protect national security and foreign interests, other businesses can also run into this set of rules.
Here’s the basics you need to know about ITAR, its scope, and what you need to do to achieve compliance with it. We also included several resources for you to identify whether you need to comply with ITAR, even if you’re not connected to the defense industry.
What is ITAR Compliance?
Formally called the International Traffic in Arms Regulation, ITAR is a U.S.-based regulatory export compliance law that restricts the export of “defense articles” and military-related technologies. ITAR is intended to protect national security interests, ensuring that weapons and defense technology aren’t traded in a way that would compromise U.S. foreign policy objectives.
ITAR restricts the export or sale of items designated on a federal list to only other U.S. citizens. This can present a challenge to companies with locally hired overseas employees. To share things like ITAR technical data or scientific matierals, each individual must gain authorization from the U.S. State Department. (Exceptions exist for countries with standing ITAR agreements: Australia, Canada, and the U.K.)
Who Must Be ITAR Compliant?
Another common misconception is that ITAR compliance is only for defense-industry organizations or governments. This is not necessarily true. Any organization that does business with the U.S. military or handles items that fall into any of the listed categories must be aware of and compliant with ITAR. This includes:
Computer hardware and software vendors
Wholesalers
Distributors
Private companies
Import and export companies
Universities
Private research facilities
Defense industry contractors and subcontractors
Businesses must also be aware of ITAR compliance requirements when sending employees abroad with company-issued devices. In 2019, an engineer was arrested while traveling abroad with his work laptop that contained technical data listed on the USML.
What’s on the United States Munitions List (USML)?
Many people mistakenly believe that the USML applies only to military-grade items such as tanks or missiles, but this is not true. The USML includes 21 categories of defense articles including systems, equipment, components, accessories, technical data, and services. They are:
Information security and intelligence materials
Technical data, instructions, or other sensitive information
Personal protective equipment
Toxicological, chemical, or biological agents and their equipment
Military electronics
Spacecraft
Classified articles
Explosives and energetic materials, propellants, incendiary agents, and their constituents
Firearms, ammunition, rockets, torpedoes, and other armaments
Military training equipment and training materials
Armored ground vehicles, military aircraft, submersible vessels, etc.
Fire control, laser, imaging, and guidance equipment
Nuclear weapons and directed energy weapons
Other items “as appropriate”
What are the Penalties for Noncompliance?
The U.S. government takes penalties for ITAR noncompliance seriously, as violations may be harmful to U.S. foreign policy or national security. Organizations and individuals may face both civil and criminal penalties, including:
Civil fines exceeding one million dollars per violation
Criminal fines ranging up to one million dollars
Up to 20 years’ imprisonment
Banned from exporting defense articles
Tips to Implement ITAR Compliance Requirements
The U.S. Department of State provides a helpful guide on getting started with ITAR compliance. We highly recommend that you review it, or set up a time to speak with our team to discuss your business operations and potential compliance requirements. For further helpful guidance on “getting and staying in compliance” with ITAR, you can find it here.
You will need to register with the U.S. Department of State as part of becoming ITAR compliant. Do notrefer to your business as “ITAR Certified” – that doesn’t exist.
You’ll also need to implement certain information security measures to safeguard any technical data or materials that are stored in your business infrastructure. Some basic best practices we recommend:
1. Classify Your Data and Know What Is ITAR Regulated
Start with a data classification system that highlights what data falls under ITAR compliance. Review the USML in its entirety or get assistance from an expert to make sure you don’t miss anything.
2. Implement Controls to Screen Export Parties
Due to the high-stakes nature of the items on the USML, ITAR calls for rigorous checks known as Blue Lantern checks to determine the veracity of consignees, end-users, exported articles, and compliance requirements. For this reason, you need to develop security policies that involve robust screening of potential export parties and your entire process.
3. Develop Strong Security and Compliance Policies
ITAR doesn’t lay out what security and compliance policies companies should include, just that it should be a “good” program that protects the company’s data and information security. Many universities and trade experts recommend that your security and compliance policies include:
Note: If you’re a defense contractor or involved with the Department of Defense, you should also pay attention your required compliance level with the CMMC.
4. Introduce Employee Training
Finally, make sure that your staff is well-trained on the ITAR and what it entails. Ignorance is never an excuse. Develop a robust security awareness training program that brings employees up to speed both on ITAR compliance and the new information security controls that you’ve implemented as a result of compliance. Make sure your staff is always empowered with the knowledge of the correct course of action in any situation.
Achieve ITAR Compliance with Securicy
Defense contractor or not, ITAR compliance is a big deal. An information security management platform is perfect to make sure you can monitor compliance and meet your legal obligations. By using a centralized management hub, you can easily build, improve, customize, and manage your security program.
From due diligence with your end-users to acquiring the correct licenses and implementing the right security controls, make sure you’re doing everything right. You can start by using the right tools.
Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.
Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is responsible for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He is also involved in advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.
