The International Traffic in Arms Regulations (ITAR) are United States regulations that control the export (and temporary import) of defense articles, defense services, and the related technical data listed on the United States Munitions List (USML). ITAR restricts access to USML items and technical data to "U.S. persons" (U.S. citizens, lawful permanent residents, and certain protected individuals) unless an export authorization is in place; releasing controlled technical data to a foreign person, even one on your own payroll, counts as an export. Controlling who can handle a physical part is comparatively simple; controlling who can reach a file, an e-mail attachment, or a cloud share holding the same technical data is much harder, and that is where most ITAR data-security work sits.
Who Needs to Comply with ITAR?
Any company that manufactures, exports, brokers, or otherwise handles items or technical data on the USML must comply with ITAR. This includes wholesalers, distributors, software and hardware vendors, third-party suppliers, and contractors. Manufacturers and exporters of USML items must register with the Directorate of Defense Trade Controls (DDTC), and it is each firm's responsibility to establish and enforce its own ITAR compliance program. Compliance is required of every participant in the supply chain: if company A sells a controlled part to company B, and company B passes it to a foreign party without authorization, company B has committed an unauthorized export, and company A can be drawn into the enforcement action as well, which is why compliance programs include screening of customers and end use rather than stopping at the first sale.
Because access is limited to U.S. persons, many U.S. companies face a practical problem: they may not share ITAR technical data with foreign-national employees, or with foreign subcontractors, unless DDTC has issued an export license or an exemption applies. Some nations, such as Australia, Canada, and the U.K., have standing arrangements with the U.S. (exemptions or defense trade cooperation treaties) that cover certain ITAR transfers, but each carries its own conditions and record-keeping duties. In every case, companies must closely track the technical data entrusted to them, including how it is accessed, used, and shared. Non-compliance can lead to steep fines, criminal prosecution, loss of export privileges, and serious brand and reputational damage.
Penalties for ITAR Compliance Violations
Failing to comply with ITAR can result in civil penalties of up to $500,000 per violation (the statutory maximum is adjusted for inflation, so check the current figure), and criminal penalties of up to $1 million in fines and up to 20 years in prison for each violation. In April 2018 the State Department imposed a $30 million penalty on FLIR Systems for violations that included giving dual-national employees access to USML technical data without authorization. In addition to the penalty, FLIR was required to improve its compliance procedures and to appoint an external compliance officer to oversee its consent agreement with the State Department. Likewise, in 2007, ITT received a $100 million penalty for illegally exporting night-vision technology to China.
How to Secure Your ITAR Data
NIST SP 800-53 is the catalog of security controls federal agencies use to protect their own systems, and NIST SP 800-171, which is derived from it, is the baseline contractors are expected to meet for Controlled Unclassified Information (CUI) in non-federal systems; export-controlled technical data is a CUI category, so these two documents are a good place to start. At a minimum, you will need to:
Discover and classify sensitive data
Use an automated scanner that covers on-premises file servers and cloud repositories alike, and classify ITAR technical data as it is found, for example by detecting USML category markings, export-control legends, or drawing and part numbers tied to controlled programs. Many modern data classification tools ship with built-in taxonomies aligned with a range of regulations, including ITAR. Treat their matches as a starting point and validate them against your own list of controlled programs, because a file the scanner misses is a file nothing downstream will protect or monitor.
Enforce least-privilege access to ITAR data
Ensure that access to ITAR data is granted strictly on a need-to-know basis: users get access only to the data their role requires, and access is revoked when it is no longer needed or when the person's status changes. Review the existing permissions on every classified location, confirm that each remaining principal is a U.S. person or is covered by an export authorization, remove stale user accounts, and remove groups that grant access to everyone (such as Everyone, Authenticated Users, or Domain Users), since a single such entry on an ITAR share defeats every other control.
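The two steps above, discovery by content marking followed by a need-to-know review of the resulting ACLs, can be scripted. The following is an added example written for this article; it is not code from the original page or from any vendor's product. The marking patterns, the file contents, the ACLs, the account inventory, and the review date are all constructed assumptions so that it runs offline; in practice the same logic would run over a file-server crawl and an export from your directory.

```python
"""Classify files that carry ITAR markings, then review who can reach them.

Added example for this article, not code from the original page or from any
vendor's product. File contents, ACLs and the account inventory below are
constructed (assumed) data so the script runs offline.
"""
import re
from datetime import date, timedelta

# Content markings that indicate ITAR technical data. Assumed for the example;
# align the patterns with your organisation's marking and labelling scheme.
ITAR_MARKINGS = re.compile(
    r"\bITAR\b|\bUSML\s+Category\s+[IVX]+\b|\bEXPORT[- ]CONTROLLED\b", re.I
)

# Groups that grant access to everyone and therefore defeat need-to-know.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Accounts that have not logged on for this long are treated as stale.
STALE_AFTER = timedelta(days=90)


def classify(content: str) -> bool:
    """Return True when the content carries an ITAR marking."""
    return ITAR_MARKINGS.search(content) is not None


def review_access(files, acls, accounts, today):
    """Return sorted (finding, path, principal) tuples for every ITAR file
    whose ACL grants access that need-to-know does not justify.

    files:    path -> file content (scanned for markings)
    acls:     path -> list of principals (users or groups) with read access
    accounts: user -> {"us_person": bool, "last_logon": date}
    """
    findings = []
    for path, content in files.items():
        if not classify(content):
            continue  # not ITAR data: outside the scope of this review
        for principal in acls.get(path, []):
            if principal in GLOBAL_GROUPS:
                findings.append(("global-group", path, principal))
            elif principal not in accounts:
                findings.append(("unknown-principal", path, principal))
            elif not accounts[principal]["us_person"]:
                # A foreign person needs an export authorization; flag for review.
                findings.append(("non-us-person", path, principal))
            elif today - accounts[principal]["last_logon"] > STALE_AFTER:
                findings.append(("stale-account", path, principal))
    return sorted(findings)


# Constructed sample data (assumptions for the example, not real systems).
FILES = {
    "//fs01/eng/drawings/actuator-rev3.pdf":
        "Actuator assembly drawing. USML Category VIII, export controlled under ITAR.",
    "//fs01/eng/drawings/legacy-bracket.dwg":
        "EXPORT-CONTROLLED technical data. Do not release to foreign persons.",
    "//fs01/shared/cafeteria-menu.docx":
        "Tuesday: tacos. Wednesday: soup.",
}
ACLS = {
    "//fs01/eng/drawings/actuator-rev3.pdf": ["Authenticated Users", "jdoe", "ksmith"],
    "//fs01/eng/drawings/legacy-bracket.dwg": ["jdoe", "contractor_ext"],
    "//fs01/shared/cafeteria-menu.docx": ["Everyone"],
}
ACCOUNTS = {
    "jdoe": {"us_person": True, "last_logon": date(2024, 5, 30)},
    "ksmith": {"us_person": True, "last_logon": date(2024, 1, 2)},  # idle ~150 days
    "contractor_ext": {"us_person": False, "last_logon": date(2024, 5, 29)},
}
REVIEW_DATE = date(2024, 6, 1)  # assumed "today" for a repeatable run


def run_review():
    """Run the review over the constructed data."""
    return review_access(FILES, ACLS, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

The cafeteria menu is world-readable but never reaches the reviewer, because classification gates the review; the actuator drawing, by contrast, produces both a global-group finding and a stale-account finding, and the legacy drawing surfaces a foreign-person contractor who needs either an authorization on file or removal from the ACL.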
Monitor access to ITAR data
Use real-time change auditing and reporting software to continuously monitor access to your ITAR data, so that suspicious activity is detected and responded to promptly rather than discovered months later in a log review. A real-time auditing solution such as Lepide Auditor uses machine learning models to establish a baseline of normal access behaviour (who touches which data, how much, and when) and tests new activity against it to identify anomalies; when one is detected, an alert is sent to the administrator's inbox or mobile device. Whatever tool you use, the minimum is a tamper-resistant record of every read, copy, permission change, and share involving ITAR data, retained long enough to support an investigation or a disclosure to DDTC.
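To make the baseline-and-anomaly idea concrete, here is an added example written for this article; it is not code from the original page or from Lepide or any other vendor, and it does not use machine learning. It builds a per-user baseline of daily ITAR file accesses from a window of audit records and flags two deviations: a user whose volume on the evaluated day jumps well beyond their own history (a bulk read ahead of an exfiltration), and an account that never touched the data before (a newly created or compromised account). The audit-record format, the log lines, and the thresholds are constructed assumptions; a real pipeline would read the file-server or cloud audit trail instead.

```python
"""Baseline-and-anomaly detection over file-access audit records.

Added example for this article; not code from the original page or any
vendor's product. The record format and the log lines are constructed
assumptions so the script runs offline.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed audit-record format: one access event per line.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse(lines):
    """Turn raw lines into (timestamp, user, action, path) events; skip junk."""
    events = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue  # malformed line: count and report these in a real pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["action"], m["path"]))
    return events


def daily_counts(events):
    """user -> {day -> number of ITAR file accesses that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, _path in events:
        counts[user][ts.date()] += 1
    return counts


def detect(events, baseline_days, eval_day, sigma=3.0, min_delta=5):
    """Compare each user's activity on eval_day with their own baseline.

    volume-spike: today's count exceeds mean + sigma*stdev of the baseline
                  and by at least min_delta (so a baseline of 1/day does not
                  alert on 2/day).
    no-baseline:  an account with no activity in the baseline window is now
                  touching the data.
    Returns sorted (user, alert, count_today) tuples.
    """
    counts = daily_counts(events)
    alerts = []
    for user, per_day in counts.items():
        today = per_day.get(eval_day, 0)
        history = [per_day.get(d, 0) for d in baseline_days]
        if not any(history):
            if today:
                alerts.append((user, "no-baseline", today))
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history)
        if today > mean + sigma * sd and today - mean >= min_delta:
            alerts.append((user, "volume-spike", today))
    return sorted(alerts)


# Constructed log: ten quiet baseline days, then a day with a bulk read by
# jdoe and the first appearance of an account that never touched this data.
BASELINE_START = date(2024, 6, 3)
BASELINE_DAYS = [BASELINE_START + timedelta(days=d) for d in range(10)]
EVAL_DAY = BASELINE_START + timedelta(days=10)


def constructed_log():
    lines = []

    def emit(day, user, n, hour=9):
        midnight = datetime.combine(BASELINE_START + timedelta(days=day),
                                    datetime.min.time())
        for i in range(n):
            ts = midnight + timedelta(hours=hour, minutes=i)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} action=read "
                         f"path=//fs01/eng/drawings/part-{i:03d}.pdf")

    for day in range(10):
        emit(day, "jdoe", 4)        # typical engineer: a few drawings a day
        emit(day, "ksmith", 2)
    emit(10, "jdoe", 40)            # 40 drawings in 40 minutes: bulk read
    emit(10, "ksmith", 2)           # unchanged behaviour, no alert expected
    emit(10, "tmp_svc", 3, hour=2)  # never seen before, active at 02:00
    lines.append("garbage line that does not parse")
    return lines


def run_detection():
    """Run detection over the constructed log."""
    return detect(parse(constructed_log()), BASELINE_DAYS, EVAL_DAY)


if __name__ == "__main__":
    for user, alert, n in run_detection():
        print(f"ALERT {alert}: {user} accessed {n} ITAR files on {EVAL_DAY}")
```

The per-user baseline matters: a fleet-wide threshold would either miss jdoe's spike (because some roles legitimately read dozens of drawings a day) or drown the analyst in alerts about those roles. The min_delta guard is the kind of detail a vendor's model hides from you; without it, a user with a perfectly regular baseline (standard deviation zero) would alert on a single extra file.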