ITAR Compliance: Data Management and What You Need to Know

ITAR is a set of rules that regulates your data management when your company deals with US military organizations. In this article, we are going to cover what ITAR compliance means, why you need ITAR-compliant cloud storage, and when it may be necessary for your company’s operations.

ITAR Compliance Overview

Every company that manufactures, sells to or buys something from an organization on the United States Munitions List (USML) must meet a set of rules that impose requirements on how the related information is stored and processed. These rules are referred to as International Traffic in Arms Regulations (ITAR).

The main purpose of these rules is to prevent data leaks when multiple commercial organizations participate in the production or the delivery of military-related goods or information. The USML contains more than 20 categories of defense-related goods and technologies, including firearms, ammunition, guns, military training, and so on. Therefore, if you store or transfer any documents related to such goods or services, your company must implement ITAR regulations.

As for other security-related standards, your company must meet complex requirements, such as:

  • Registration in the State Department’s Directorate of Defense Trade Controls (DDTC)—a kind of registry of companies trading with the US military.
  • Understand and implement the set of practices described in ITAR for any data, goods, or services that are associated with the USML.
  • Pass the certification to ensure ITAR practices are implemented and used.

Not following these requirements can lead to a heavy fine and administrative or even criminal prosecution for a company or its associates. (For example, civil fines can amount to $500,000; criminal incidents can even lead to 10-20 years imprisonment—per violation.)

Now, let’s take a closer look at the key points of ITAR compliance.

Regulation Areas

First, it is important to keep in mind that “data exporter” in terms of US law may mean something different than your company’s understanding. If, for example, the use of non-ITAR-compliant cloud storage can lead to sending sensitive data to one of the provider’s data centers around the world (thus breaking the ITAR), your company will be recognized as a data exporter (with all the possible consequences).

Another important issue is that if your company is a global player, with offices around the world, it may be difficult to integrate ITAR rules into existing business processes. You will have to change these processes to pass the data using strictly dedicated ITAR-based security policies. (This covers physical and network security areas and includes a response plan with detailed steps to be completed by personnel in case of a security accident.)

Since the particular areas you should cover depend on your business, we will highlight only the general recommendations here.

Implement the Right Information Security Policy

These recommendations help to avoid business risks by establishing a set of rules for expected behavior. Typical security policy contains these elements:

  • High-level definitions of IT concepts, general authority, and consequences.
  • A set of technologies with rules and guidelines for all employees, including contractors and interns.
  • Directives for IT staff, including applicable standards and sets of technologies, must be implemented.

Without an IT security policy, you can miss something crucial in your data protection routine.

Enforce Network Perimeter Protection

Protect your local network from intrusions by installing perimeter firewalls, changing default passwords, restricting network access, and implementing protected networks to prevent data access from outside the office. These are the basic building blocks of any serious IT infrastructure, so they should hopefully already be in place. If so, you only need to ensure everything was implemented correctly.

Assign a Personal ID to Any Employee that Uses IT Services

The ability to track actions in your network is critical—and this is especially true when implementing ITAR compliance rules that mean individual liability. Therefore, you should create a personal account for each user and implement practices that can help avoid the use of one account by a few people (even with your permission). One of the best practices here is implementing two-factor authentication based on ID cards and personal PIN codes.

Implement Monitoring and Penetration Testing

Monitoring (along with security policy and network protection) is one of the cornerstones of IT infrastructure. It helps to detect technical failures, thus allowing you to react much more quickly. When implementing ITAR regulations, it is important to also monitor unauthorized data access of transmissions (for example, you need to be sure that certain information will not be transferred to another cloud availability zone outside the US).

You need also to conduct network penetration tests to check whether your protection is secure enough. There are a lot of IT security organizations with “good hackers” (IT security testing experts) which can help with this.

Use ITAR-Compliant Cloud Storage

Several cloud storage providers offer specialized cloud segments, allowing you to store data and meet government requirements, especially ITAR. For example, Amazon has the AWS GovCloud (US) region that you can use to store sensitive data. Using this type of cloud storage helps you meet most other IT-related requirements under ITAR: network protection, access audit, authentication, etc.

Encrypt Sensitive Data and Audit File Access

Always encrypt ITAR-related data using the strongest possible algorithms to guarantee that it will not be compromised (even in the case of a data leak). For example, you need to encrypt backup files from end to end: before transferring over the Internet and when storing in cloud storage, so no one can access the data, even from the cloud provider’s side.

Files (or emails, databases, etc.) access audit is another instrument that could help you find the source of a possible data leak if and when it occurs. Do not rely solely on built-in OS capabilities. There are several special products on the market that allow you to manage access events centrally.

Create a Detailed Plan for Any Potential Accident

If faced with an accident which can lead to heavy consequences, there is a significant probability that you will miss something in the process of reacting. A detailed emergency response plan can make all the difference in the face of accidents. A thorough emergency response plan includes actions that every involved employee must complete to minimize risks and avoid any fallout from accidents. The plan can include breaking outgoing network connections, restricting sensitive data access, or deleting encryption keys so that the stolen data is unreadable.

Summary

ITAR keeps sensitive military data safe with a broad range of critical requirements. You can find out more on the ECFR.gov website.