With over 90% of organizations storing data in the cloud, data sharing workflows must be secure. When national security is at risk—as it is in the case of organizations who handle defense- and military-related items—this is especially true. The challenge for these organizations has long been how to remain in compliance with the International Traffic in Arms Regulations (ITAR) while still being able to share data and collaborate efficiently and securely.
Fortunately, ITAR compliance is changing in a big way in 2020. This past December (2019), lawmakers published a new “encryption carve-out,” effective March 23, 2020. Under this update to the ITAR, compliant organizations can communicate and securely share end-to-end encrypted ITAR technical data with foreign offices, partners, or U.S. government employees without applying for an export license each time.
ITAR Compliance Basics
The ITAR controls the export of defense- and military-related items to support the U.S. government’s national security and foreign policy goals. Specifically, the ITAR regulates items—articles, services, and related technology—on the United States Munitions List (USML), including straightforward military items like firearms, ammunition, and aircraft, but some less obvious items like personal protective equipment (e.g. hazmat suits) and IoT sensors.
Also protected is ITAR “technical data”—any information, including blueprints, documentation, schematics, flow charts, etc. needed for the design, development, manufacture, operation, maintenance or modification of items on the USML. The broad range of the USML means ITAR compliance isn’t just for arms dealers but all organizations involved in the supply chain for any good or service that could be used for military and defense purposes.
When this technical data interacts with cloud-based services like email and file systems throughout digital supply chain workflows, organizations can quickly find themselves in the crosshairs of the ITAR. A key nuance within the ITAR specifies that technical data that is accessible by non-U.S. persons when stored and shared in the cloud represents an ITAR violation since it is considered an export under ITAR unless the organization has advanced controls or an authorized export license. In practice, that makes data residency and personnel permissions crucial considerations when evaluating cloud-based workflows.
The Risk of Noncompliance
Because ITAR noncompliance leads to some of the most significant consequences of all data regulations, it is not to be taken lightly and boils down to one thing: preventing non-U.S. persons from accessing ITAR technical data in the cloud. If an organization is found to be in violation of this, noncompliance penalties can result in civil fines up to $500,000, criminal fines up to $1M, 10 years imprisonment, and/or being barred from conducting any export business in the future.
ITAR Compliance Checklist: Technical Data Protection
After nearly four years of deliberation, the U.S. Department of State issued a final ruling modernizing and unifying the role of end-to-end encryption in securing sensitive data and enabling digital supply chain workflows. Now, organizations can store and share ITAR technical data in cloud environments if it is protected from access by foreign entities with end-to-end encryption. As a result, firms in manufacturing, aerospace and defense, telecommunications, defense contracting, or any other industry that handles ITAR technical data should incorporate the following data protection capabilities into their compliance programs:
- End-to-End Encryption: Encrypt email and files containing ITAR technical data within the client to prevent access by foreign cloud servers or personnel, effectively resolving geolocation and personnel permissions concerns.
- Access Controls: Set expiration and disable forwarding for additional controls that prevent unauthorized foreign access. Revoke access to reduce the risk of foreign access in event of a data breach and watermark files containing ITAR technical data to deter file-based leaks.
- Persistent Protection: Maintain control of attachments to prevent foreign access wherever they’re shared, ensuring ITAR compliance beyond the initial email.
- Data Loss Prevention: Detect ITAR technical data in email and files and automatically enforce encryption and access controls.
- Granular Audit: View when and where ITAR data has been accessed as it’s shared throughout the supply chain, and adapt controls for evolving collaboration and access requirements.
- Key Management Capabilities: Host your own keys so that only your authorized US personnel can access the keys protecting ITAR technical data for ultimate control.
Virtru Unlocks ITAR-Compliant Digital Supply Chain Workflows
Virtru helps support ITAR compliance by providing end-to-end encryption that protects ITAR technical data from foreign access wherever it’s shared, unlocking cloud cost-savings benefits and enabling collaboration workflows that power innovation and growth.
Learn how Virtru can support your ITAR compliance programs today with our ITAR Compliance Checklist for Data Protection.