ITAR Compliance: A New Exemption for End-to-End Encryption

The International Traffic in Arms Regulations (ITAR) control the export of defense- and military-related items to support the U.S. government’s national security and foreign policy goals. Administered by the U.S. Department of State, ITAR dictates that military- and defense-related items and associated data may only be shared with or accessed by U.S. persons, unless otherwise authorized or exempted. The United States Munitions List (USML) contains the articles, services, and related technology that ITAR regulates, including straightforward military items like firearms, ammunition, and aircraft, but also some less obvious items like personal protective equipment (e.g. hazmat suits).

The broad range of the USML means ITAR compliance isn’t just for arms dealers but for all organizations involved in the supply chain for any good or service that could be used for military and defense purposes. And, because ITAR noncompliance leads to some of the most significant consequences of all data regulations, it is not to be taken lightly: violations can result in civil fines up to $500K, criminal fines up to $1M, 10 years imprisonment, and/or being barred from conducting any export business in the future.

ITAR “Technical Data” and Cloud Challenges

Another primary concern with ITAR is “technical data”—any information, including blueprints, documentation, schematics, flow charts, etc. needed for the design, development, manufacture, operation, maintenance or modification of items on the USML. Practical examples of ITAR technical data might include hardware specifications for a satellite, a bill of materials for the manufacture of a drone, or blueprints and photographs of facilities intended to support the manufacture and assembly of a ground vehicle. 

When this technical data interacts with cloud-based services like email and file systems throughout digital supply chain workflows, organizations can quickly find themselves in the crosshairs of ITAR. A key nuance within ITAR is that technical data stored or shared in the cloud where non-U.S. persons can access it is considered an export, and therefore an ITAR violation, unless the organization has advanced access controls in place or an authorized export license.

In practice, that makes data residency and personnel permissions crucial considerations when evaluating cloud-based workflows. Historically, organizations with ITAR compliance concerns have had to validate that 1) the physical servers storing data within cloud platforms are located only in the United States, and 2) the personnel working at the cloud platform vendor who could potentially access the stored data are only U.S. persons. This meant that to support ITAR compliance, cloud vendors like Google and Microsoft would have to offer U.S.-based geolocation and validate proper personnel and permissions processes to ensure that their staff who could potentially access the data are only U.S. citizens.

Cloud Vendors’ ITAR Compliance Support and Limitations

For its part, Microsoft addressed ITAR technical data’s geolocation and permissions concerns with its Microsoft Azure Government offering. Colloquially referred to as “GovCloud,” it satisfies ITAR compliance concerns and much more. It’s also very expensive and complex. Built to serve the federal agencies that deal with dozens of regulations from an alphabet soup of subagencies, GovCloud provides much more than is realistically needed for most organizations with ITAR compliance concerns (and is priced accordingly).

On the other hand, Google’s cloud services were not originally designed to support ITAR compliance. Historically, organizations with ITAR compliance concerns looking at G Suite had to look elsewhere. Until now. Support for U.S.-based geolocation was recently added, and access controls provided by Virtru (more on that below) ensure that only intended recipients—in this case, U.S. persons—can access ITAR technical data stored by its cloud customers. 

A New “Encryption Carve-Out” for ITAR

ITAR compliance in the cloud recently changed in a very big way. This past July (2019), lawmakers issued a request for public comment on clarifications and amendments to ITAR, with a focus on consolidating and clarifying exemptions for scenarios where it’s currently unclear whether ITAR is relevant. 

As a result of this request, ITAR, effective March 25, 2020, will mirror an exemption within a similar regulation called the Export Administration Regulations (EAR). While EAR is focused more on commercial products that have implications for U.S. global economic competitiveness and is administered by the Department of Commerce, it is a parallel export control regime that prevents non-U.S. persons from freely accessing technical data related to commercial items. In 2016, EAR implemented a rule change that revised the definition of an export for cloud-based workflows: technical data stored and shared in the cloud is no longer considered an export if it is protected with end-to-end encryption. The logic is that technical data protected with end-to-end encryption is shielded from access by non-U.S. persons when stored in the cloud, because the cloud provider and anyone who obtains the ciphertext hold no key to read it. This rule change has since been referred to as the EAR “Encryption Carve-Out.”

ITAR is now following suit over four years later with an encryption carve-out of its own. That means organizations can store technical data in the cloud, so long as it’s protected with end-to-end encryption that prevents unauthorized access and limits visibility to the technical data owners and their intended, authorized recipients. 

Encryption and a New Paradigm for Cybersecurity

Implementation of the new encryption carve-out opens up the opportunity for organizations with ITAR compliance needs to use G Suite and Google Cloud Platform, ultimately benefiting the industry at large by giving organizations a choice of cloud platform, and raising general economic competitiveness by offering a lower-cost option than Microsoft’s GovCloud. This will unlock more innovation within the heavy manufacturing, aerospace and defense, defense contracting, and telecommunications industries via cloud-based collaboration and productivity benefits.

The ITAR encryption carve-out also sets a new precedent for embedding privacy into mission-critical workflows by raising awareness of end-to-end encryption’s protection and collaboration benefits. “It is our hope that ITAR’s encryption carve-out represents both an intersection of security and privacy and a digital transformation that will inspire other organizations, across all industries, to shake their legacy approach to cybersecurity, and begin to realize the benefits of a secure digital workplace. If this new rule is any indication, organizations can trust that both the security and privacy communities, as well as the U.S. government, are focused on empowering organizations and individuals to have complete control over their data by knowing where it is and who has access,” writes Virtru CEO & Co-Founder, John Ackerly, and former State Department official, Robert Monjay, for NextGov.

Virtru Supports Digital Supply Chain Workflows

As Google’s recommended encryption provider, Virtru helps support ITAR compliance by protecting ITAR technical data from access by non-U.S. entities wherever it’s shared, unlocking the cloud’s efficiency and cost-saving benefits. With end-to-end encryption, granular access controls, and customer-hosted keys, Virtru addresses native cloud security gaps to prevent foreign entities from accessing technical data.

To learn more, join us for an educational webinar on April 16th at 1 pm EDT, featuring pre-eminent ITAR thought leader Robert Monjay, to:

  • Learn how ITAR’s overarching goals reinforce U.S. national security and foreign policy.
  • Review the roles of agencies supporting ITAR and key terms and concepts (e.g. USML, technical data, export controls).
  • Discuss key compliance requirements and concerns surrounding the electronic storage and transmission of ITAR technical data.
  • Examine how the new “ITAR Encryption Carve Out” will transform digital supply chain workflows and unlock productivity.
  • Learn how to create and implement a robust ITAR compliance strategy with processes, policies, and technology solutions that leverage end-to-end encryption to keep technical data compliant throughout your supply chain.

Register for the webinar here.