What You Need to Know About ITAR Compliance

Posted on January 22, 2021 - by Justin Gratto - in Building Your InfoSec Program

If you’re exporting certain technologies, materials, or data from the United States, you may be required to comply with ITAR. ITAR regulations are best known for applying to defense contractors exporting military-grade weaponry, where they exist to protect U.S. national security and foreign policy interests, but other businesses can also run into this set of rules.

Here are the basics you need to know about ITAR, its scope, and what you need to do to achieve compliance with it. We have also included several resources to help you identify whether you need to comply with ITAR, even if you’re not connected to the defense industry.

What is ITAR Compliance?

Formally called the International Traffic in Arms Regulations, ITAR is a set of U.S. export control regulations, administered by the State Department, that restricts the export of “defense articles,” defense services, and related technical data. ITAR is intended to protect national security interests, ensuring that weapons and defense technology aren’t traded in a way that would compromise U.S. foreign policy objectives.

ITAR restricts the export or sale of items designated on a federal list to U.S. persons only, unless an export authorization is obtained. This can present a challenge to companies with locally hired overseas employees, and even to companies whose foreign-national employees work in the United States: giving a foreign person access to ITAR technical data, scientific materials, or source code counts as an export. Each such disclosure requires authorization from the State Department’s Directorate of Defense Trade Controls (DDTC) unless a specific exemption applies. (Exemptions do exist, for example for Canada and under the defense trade cooperation treaties with Australia and the U.K., but each comes with its own conditions and recordkeeping requirements.)

Who Must Be ITAR Compliant?

A common misconception is that ITAR compliance is only for defense-industry organizations or governments. This is not necessarily true. Any organization that manufactures, exports, brokers, or otherwise handles items, technical data, or services that fall into any of the listed categories must be aware of and compliant with ITAR, whether or not it does business directly with the U.S. military. This includes:

  • Computer hardware and software vendors
  • Wholesalers
  • Distributors
  • Private companies
  • Import and export companies
  • Universities
  • Private research facilities
  • Defense industry contractors and subcontractors

Businesses must also be aware of ITAR compliance requirements when sending employees abroad with company-issued devices. Carrying USML technical data out of the country on a laptop, or syncing it to a phone that crosses a border, is itself an export, whether or not anyone ever opens the files. In 2019, an engineer was arrested while traveling abroad with a work laptop that contained technical data listed on the USML.

What’s on the United States Munitions List (USML)?

Many people mistakenly believe that the USML applies only to military-grade items such as tanks or missiles, but this is not true. The USML is organized into 21 categories of defense articles covering systems, equipment, components, accessories, technical data, and defense services. Among the things it covers are:

  • Information security and intelligence materials
  • Technical data relating to any listed article, including blueprints, drawings, source code, instructions, and other sensitive information
  • Personal protective equipment
  • Toxicological, chemical, or biological agents and their equipment
  • Military electronics
  • Spacecraft
  • Classified articles
  • Explosives and energetic materials, propellants, incendiary agents, and their constituents
  • Firearms, ammunition, rockets, torpedoes, and other armaments
  • Military training equipment and training materials
  • Armored ground vehicles, military aircraft, submersible vessels, etc.
  • Fire control, laser, imaging, and guidance equipment
  • Nuclear weapons and directed energy weapons
  • Other items “as appropriate”

What are the Penalties for Noncompliance?

The U.S. government takes ITAR noncompliance seriously, as violations may be harmful to U.S. foreign policy or national security. Organizations and individuals may face both civil and criminal penalties, including:

  • Civil fines exceeding one million dollars per violation (the statutory amount is adjusted for inflation)
  • Criminal fines of up to one million dollars per violation
  • Up to 20 years’ imprisonment per violation
  • Debarment, meaning a ban on exporting defense articles

Tips to Implement ITAR Compliance Requirements

The U.S. Department of State provides a helpful guide on getting started with ITAR compliance. We highly recommend that you review it, or set up a time to speak with our team to discuss your business operations and potential compliance requirements. DDTC also publishes guidance on “getting and staying in compliance” with ITAR on its website.

Manufacturers, exporters, and brokers of defense articles must register with DDTC as part of becoming ITAR compliant, and registration is required even if you never actually export anything. Do not refer to your business as “ITAR Certified” – there is no such certification, only registration and an ongoing obligation to comply.

You’ll also need to implement information security measures to safeguard any technical data or materials stored in your business infrastructure, since an unauthorized foreign person gaining access to that data is an export violation regardless of how it happened. Some basic best practices we recommend:

1. Classify Your Data and Know What Is ITAR Regulated

Start with a data classification system that identifies which data falls under ITAR. Remember that technical data rarely lives only in a document repository: it turns up in email, support tickets, CAD files, source code repositories, and backups, and each of those locations needs to be covered by the same access restrictions. Review the USML in its entirety or get assistance from an expert to make sure you don’t miss anything.

2. Implement Controls to Screen Export Parties

Due to the high-stakes nature of the items on the USML, DDTC runs its own end-use monitoring program, known as Blue Lantern, to verify consignees, end-users, the exported articles, and the stated end-use. Your own process should apply the same rigor before anything ships: screen every party to a transaction (customer, consignee, freight forwarder, end-user) against the U.S. government’s restricted and denied party lists, such as the Consolidated Screening List, confirm the end-use, and keep a record of the result. Build this screening into your security and compliance policies so that it happens for every export, not just the ones someone remembers to check.

3. Develop Strong Security and Compliance Policies

ITAR doesn’t prescribe the exact security and compliance policies a company must have, only that there be an effective program that protects the company’s data and information security. Many universities and trade experts recommend that your security and compliance policies include:

  • Written procedures and policies
  • Defined roles and responsibilities
  • Established recordkeeping
  • Ongoing training
  • Ongoing risk assessment and management
  • Internal monitoring
  • Periodic reviews and audits

You should build your controls on an established cybersecurity framework, such as the NIST Cybersecurity Framework, ISO 27001, or the CIS Controls, and a SOC 2 audit can then provide independent evidence that those controls operate. For the technical data itself, NIST SP 800-171 is the control baseline that Department of Defense contracts require for controlled unclassified information, which includes export-controlled data. The Directorate of Defense Trade Controls also provides resources for companies creating ITAR compliance programs.

One caveat that affects cloud, email, and backup choices: since 2020, ITAR treats the end-to-end encrypted transfer or storage of unclassified technical data as not an export, but only if the encryption meets FIPS 140-2 (or an equivalent standard), the cloud provider and its staff cannot decrypt the data, and the data is not intentionally stored in certain proscribed countries. A provider that holds the decryption keys, or that replicates data to overseas regions, does not satisfy that condition.

Note: If you’re a defense contractor or involved with the Department of Defense, you should also pay attention to your required compliance level with the CMMC.

4. Introduce Employee Training

Finally, make sure that your staff is well-trained on ITAR and what it entails. Ignorance is never an excuse. Develop a robust security awareness training program that brings employees up to speed both on ITAR compliance and on the information security controls you’ve implemented as a result, including practical situations such as a foreign colleague asking for a drawing, a customer requesting technical data over email, or a business trip with a company laptop. Make sure your staff always knows the correct course of action in these situations.

Achieve ITAR Compliance with Securicy

Defense contractor or not, ITAR compliance is a big deal. An information security management platform helps you monitor compliance and meet your legal obligations. By using a centralized management hub, you can build, improve, customize, and manage your security program in one place.

From due diligence with your end-users to acquiring the correct licenses and implementing the right security controls, make sure you’re doing everything right. You can start by using the right tools.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.

Try Securicy Free

About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is responsible for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He is also involved in advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.