“Our biggest priority when it comes to compliance is ITAR, especially because we are international. That means that everything we do in the United States has to stay in the United States... We are not allowed to have any piece of information leaving the country — even electronically.”
– Laurent Muller, IT Systems Manager, Exxelia
Exxelia is a global manufacturer of complex electronic components and subsystems that are designed to withstand high-pressure scenarios. Exxelia’s customers work in highly regulated fields such as aerospace, energy, military, and healthcare. Exxelia needed a way to securely communicate confidential project and product details — as well as intellectual property — to clients while maintaining compliance with ITAR and alignment with CMMC 2.0.
With Virtru’s data protection solutions, Exxelia is able to:
“Our group is a French-headquartered, multinational organization that manufactures electronic components,” said Laurent Muller, Exxelia’s IT Systems Manager. Muller is based in the U.S., where the organization’s design and engineering teams are also located. “We produce components mostly for the aerospace, medical, and energy sectors.”
“We actually have a few of our devices currently on Mars, in one of the rovers,” Muller noted.
Exxelia’s products are highly specialized, which is why it’s so important for the company to maintain ownership and control of design details. But sometimes, those details need to be shared as part of a project or contract.
“Our components are designed to withstand extreme conditions, and they have very stringent reliability demands,” Muller said. “For some of our customers, because of the nature of their work, we have a relatively high level of confidentiality to maintain, as we’re dealing with restricted information. Some of our components are ultimately used in the military and are technically considered as ammunition. Therefore, we have a specific set of rules to obey regarding confidentiality.”
With Virtru, Exxelia can ensure that sensitive contract details and customer information remain secure, and that its intellectual property — product designs, specifications, and research — doesn’t fall into the wrong hands.
“In-house, we of course have to keep everything securely stored, both physically and electronically,” Muller said. “Regarding communications with the outside world, we also have to keep that confidential, and this is where Virtru comes into play. Virtru helps us make sure that we keep emails containing confidential information properly encrypted and properly safe.”
For Exxelia, meeting ITAR rules, as well as CMMC guidelines, is critical to ensuring compliance and fulfilling agreements with customers. “Our biggest priority when it comes to compliance is ITAR, especially because we are international,” Muller said. “That means that everything we do in the United States has to stay in the United States. That also means we are not allowed to talk about it with foreigners. We are not allowed to have any piece of information leaving the country — even electronically.”
“At the network level, we had to think hard about the filtering rules on our respective firewalls, the configuration of our VPNs, and all our network architecture. But that also means that, for email exchanges, we have to be careful with what we share. We have to be absolutely certain that none of the U.S. data will be able to leave our network and end up on the French side,” Muller emphasized. When engineers or designers are discussing sensitive product information via email — whether internally or externally — they’re required to use Virtru to make sure the information is encrypted.
Thankfully, Exxelia is set up to handle this delineation between U.S. and international departments. “The design of our components and parts is done in the United States, and the manufacturing is done in the United States,” Muller said. “We have absolutely no reason to even talk about that with France. But, because we’re in the process of upgrading our enterprise resource planning (ERP) software and trying to streamline our processes throughout the group worldwide, this means we had to be extra careful when we put all the technical details in the new system.”
“That was quite a fun challenge,” Muller laughed.
For CMMC, Muller and his team are confident that they have the processes and reporting in place to meet those evolving standards, especially with the latest version, CMMC 2.0. “We have to be pretty thorough, especially with lots of new regulations and cybersecurity standards that are coming for the defense industrial base in the United States,” Muller said. “Generally speaking, I try to look at the bright side of that kind of regulation, because it pushes us to be more careful and more deliberate in our approach. It’s essentially best practices and common sense, and reasonable standards to follow.”
“The real challenge is that it requires more formalism, and more thorough documentation. But that’s the cost of doing business,” Muller said optimistically. “We will continue to adapt.”
CMMC continues to evolve, and the latest version, CMMC 2.0, was designed to streamline requirements in a way that helps businesses of all sizes achieve alignment with the standard. “With the first version of CMMC, I viewed it in the same spirit as ISO or other certifications,” Muller said. “You have to put a process in place, akin to quality management systems. Version 2.0, practically speaking, aligns better with existing standards that we are already compliant with anyway, so it looks like it will be slightly less cumbersome to implement.”
For Exxelia, evolving compliance standards don’t necessarily change the way the company does business — instead, they change the required documentation and demonstration of their existing processes. “Basically, it states that you should have a lock on your door — which we already have — but you also have to demonstrate that you checked the lock was working, you have to show documentation,” Muller said. “We have to prove that protections are indeed in place, and are indeed working as expected.”
While shifting compliance regulations can present some challenges, Muller views them as a good thing: “It’s a strong motivation to improve ourselves and to work better. It’s been positive.”
The way Virtru is designed helps remind Exxelia’s employees to encrypt sensitive information being shared via email. “When you send a Virtru-encrypted email, you see it: you have the visual cue that it’s special,” Muller said. “It acts as a kind of reminder that you’re sending or receiving special information.”
Exxelia has deployed Virtru to users who have a business need to share and protect sensitive or regulated information — particularly those on the commercial and engineering side of the business.
“It’s mostly instant communication, between our sites and external communication with vendors and providers. Because, depending on the product, some of the parts and subassemblies are being made outside,” Muller said.
With Virtru, communications about these products and their designs can be shared with external parties via email, fitting naturally into employees’ workflows and keeping regulated information within Exxelia’s control at all times.
Exxelia is a leading designer and manufacturer of high-reliability passive components and precision subsystems focusing on highly demanding markets, applications and functions. Exxelia’s products are commonly used for power electronics, power generation, energy storage, and signal filtering functions in numerous leading industrial areas such as aviation, defense, space, medical, railway, oil and gas, and telecommunications.