Posted on January 22, 2021 - by Justin Gratto - in Building Your InfoSec Program
If you’re exporting certain technologies, materials, or data from the United States, you may be required to comply with ITAR. While ITAR is best known for applying to defense contractors exporting military-grade weaponry, in order to protect U.S. national security and foreign policy interests, other businesses can also run into this set of rules.
Here are the basics you need to know about ITAR, its scope, and what you need to do to achieve compliance with it. We’ve also included several resources to help you identify whether you need to comply with ITAR, even if you’re not connected to the defense industry.
Formally called the International Traffic in Arms Regulations, ITAR is a U.S. export control regulation that restricts the export of “defense articles” and military-related technologies. ITAR is intended to protect national security interests, ensuring that weapons and defense technology aren’t traded in a way that would compromise U.S. foreign policy objectives.
ITAR restricts the export or sale of items designated on a federal list to only other U.S. citizens. This can present a challenge to companies with locally hired overseas employees. To share things like ITAR technical data or scientific materials with such employees, each individual must gain authorization from the U.S. State Department. (Exceptions exist for countries with standing ITAR agreements: Australia, Canada, and the U.K.)
Another common misconception is that ITAR compliance is only for defense-industry organizations or governments. This is not necessarily true. Any organization that does business with the U.S. military or handles items that fall into any of the listed categories must be aware of and compliant with ITAR. This includes:
Businesses must also be aware of ITAR compliance requirements when sending employees abroad with company-issued devices. In 2019, an engineer was arrested while traveling abroad with a work laptop that contained technical data listed on the USML (United States Munitions List).
Many people mistakenly believe that the USML applies only to military-grade items such as tanks or missiles, but this is not true. The USML includes 21 categories of defense articles including systems, equipment, components, accessories, technical data, and services. They are:
The U.S. government takes ITAR noncompliance seriously, as violations may be harmful to U.S. foreign policy or national security. Organizations and individuals may face both civil and criminal penalties, including:
The U.S. Department of State provides a helpful guide on getting started with ITAR compliance. We highly recommend that you review it, or set up a time to speak with our team to discuss your business operations and potential compliance requirements. The department also publishes further guidance on “getting and staying in compliance” with ITAR.
You will need to register with the U.S. Department of State as part of becoming ITAR compliant. Do not refer to your business as “ITAR Certified” – no such certification exists.
You’ll also need to implement certain information security measures to safeguard any technical data or materials that are stored in your business infrastructure. Some basic best practices we recommend:
Start with a data classification system that highlights what data falls under ITAR compliance. Review the USML in its entirety or get assistance from an expert to make sure you don’t miss anything.
Due to the high-stakes nature of the items on the USML, ITAR calls for rigorous checks, known as Blue Lantern checks, to verify consignees, end-users, exported articles, and compliance requirements. For this reason, you need to develop security policies that include robust screening of potential export parties and cover your entire export process.
ITAR doesn’t lay out what security and compliance policies companies should include, just that it should be a “good” program that protects the company’s data and information security. Many universities and trade experts recommend that your security and compliance policies include:
You should use a cybersecurity framework, such as the NIST Cybersecurity Framework, ISO 27001, SOC 2, or the CIS Controls. The Directorate of Defense Trade Controls also provides resources for companies creating ITAR compliance programs.
Note: If you’re a defense contractor or involved with the Department of Defense, you should also pay attention to your required compliance level under the CMMC.
Finally, make sure that your staff is well-trained on ITAR and what it entails. Ignorance is never an excuse. Develop a robust security awareness training program that brings employees up to speed both on ITAR compliance and on the new information security controls that you’ve implemented as a result. Make sure your staff always knows the correct course of action in any situation.
Defense contractor or not, ITAR compliance is a big deal. An information security management platform is perfect to make sure you can monitor compliance and meet your legal obligations. By using a centralized management hub, you can easily build, improve, customize, and manage your security program.
From due diligence with your end-users to acquiring the correct licenses and implementing the right security controls, make sure you’re doing everything right. You can start by using the right tools.