What is ITAR Compliance? (Definition and Examples for IT)
by Blake Cormier Content Manager, E-N Computers
The International Traffic in Arms Regulations (ITAR) are a set of regulations, administered by the State Department’s Directorate of Defense Trade Controls (DDTC), that control the export of items listed on the United States Munitions List (USML) and of information about those items. They apply to many government and defense contractors who handle “technical data” about defense articles, prohibiting any “export” of that data to a “foreign person” unless the State Department has authorized it through a license or an exemption.
At E-N Computers, we have a number of clients involved in the defense contracting space who handle data subject to ITAR, CMMC, and other U.S. Government regulations. It takes careful planning to ensure compliance with ITAR – and it can get especially complicated when outsourced IT services and cloud technologies are involved.
In this article, you’ll learn more about ITAR and how it affects IT operations for small and midsize contractors. You’ll also learn about some of the options you have to ensure you stay compliant with ITAR and other regulations.
Who and What Does ITAR Cover?
ITAR doesn’t necessarily cover specific organizations. Rather, it applies to specific products, services, and technologies that are listed on the USML. So any organization that handles “technical data” (as defined by ITAR) about things listed on the USML is subject to ITAR regulations.
Key ITAR Definitions
As with all regulations, the specific terms used in the regulation need to be understood as defined by the government. Common terms used in ITAR include:
Technical data: This is defined broadly in ITAR, including: “Information, […] which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.” It also includes classified information about defense articles, anything covered by an “invention secrecy order”, and software directly related to defense articles. The definition excludes general scientific, mathematical, or engineering principles taught in schools and information that is already in the public domain.
Person: Under ITAR, a person can be an actual person, or it can be a corporation, organization, or government entity.
U.S. Person: A U.S. citizen, a permanent resident, a political asylee, part of the U.S. government, or a business or organization that is incorporated within the U.S.
Foreign Person: Anyone who is not a U.S. citizen or lawful permanent resident, including visitors and foreign governments and corporations.
Export: Sending or taking an item on the USML out of the U.S., or releasing ITAR technical data to a foreign person by any means. Disclosing technical data to a foreign person who is physically inside the U.S. (for example, a foreign-national employee or visitor looking at a drawing) is an export too, often called a “deemed export”.
What Technologies Does ITAR Cover?
While the USML mostly lists things directly related to defense, including munitions, arms, military vehicles, and so on, it has also carried technologies that are more loosely connected to defense but that the government nevertheless treats as a matter of national security, and items move on and off the list over time. For many years strong cryptography was on the USML, so exporting it required a State Department license; jurisdiction over most encryption products was transferred to the Commerce Department at the end of 1996. Satellites are another example: commercial communications satellites were moved onto the USML in 1999 because of their potential military use, and many of them have since been moved back under Commerce jurisdiction.
This means that contractors and subcontractors need to watch the language of their contracts, and of any modifications to them, carefully to determine whether the technical information they receive is subject to ITAR. Do not assume that a marking (or the absence of one) on a document settles the question; the jurisdiction of the underlying item is what matters.
What are the Penalties for ITAR Violations?
The penalties for ITAR violations, whether willful or accidental, can be steep. Civil penalties run to more than a million dollars per violation, criminal violations carry fines and up to 20 years in prison, and aggregate settlements with large contractors have reached tens of millions of dollars, and in at least one case $100 million. Even large contractors like Lockheed Martin, Boeing, and Northrop Grumman have been fined in the past. Other sanctions can include being required to implement ITAR compliance measures under a government-appointed special compliance officer, the loss of export privileges (statutory debarment), or the suspension or cancellation of contracts.
What Does ITAR Compliance Mean for IT Service?
To understand ITAR’s impact on IT, it’s important to revisit the definitions of foreign person and export – and then think through what that means when data is stored in the cloud.
As mentioned, an export is any transfer of anything listed on the USML, including “technical data”, to any foreign person, no matter where or how that transfer occurs. The definition of “foreign person” includes anyone who is not a U.S. citizen, lawful permanent resident (“green card holder”), or protected individual, as well as any company or organization not incorporated or organized to do business in the U.S. Note that a U.S. citizen who works for a foreign company remains a U.S. person, but handing ITAR data to that person in their capacity as an employee puts the data in the foreign company’s possession, which is an export to the company.
With these broad definitions in mind, guaranteed compliance with ITAR means making sure that anyone who could possibly access your ITAR-covered data is a U.S. person, or is specifically covered by a license or exemption. While this is simple to say, let’s look at some scenarios that could result in an unintentional “export” and thus an ITAR violation.
ITAR and Cloud Services
One major source of ITAR compliance issues in IT is the use of cloud services. Many cloud providers use offshore support and engineering teams who can access your stored data under certain conditions. Because a release to a foreign person is an export, a foreign-national administrator who has the ability to read your data, even if they never actually do so, is a compliance problem you must be able to rule out. One caveat worth knowing: since March 2020, ITAR (22 CFR 120.54) treats technical data that is end-to-end encrypted with FIPS 140-2 compliant cryptography (AES-128 or stronger) as not exported when it is stored or transmitted, provided the decryption keys are never given to a third party such as the cloud provider and the data is not stored in a country listed in 22 CFR 126.1 or in Russia. Relying on this carve-out means you, not the provider, must control the keys end to end; it does not cover data the provider can decrypt.
However, this doesn’t mean that all cloud providers and services are off-limits for ITAR data. Major cloud providers offer government-focused products, such as Microsoft Azure Government and AWS GovCloud (US), that are built to support ITAR workloads for eligible customers. There is no formal government “ITAR certification” for a cloud service; instead, these providers commit that data stored or processed in these environments is kept within the U.S. and that only screened U.S. persons have administrative and support access. You remain responsible for verifying those commitments and for how your own staff and configuration handle the data.
ITAR can also introduce complications for organizations that want to use a managed IT service provider (MSP) or other outsourced IT resources. Many large MSPs and consulting firms use offshore labor for help desk, engineering, network monitoring, and other tasks. Giving such a company the level of access an MSP needs to a network that contains ITAR data would itself be an export to those foreign-person staff.
As an alternative, a local or regional MSP may be able to guarantee, in writing, that no foreign person will be given access to your network or data. This can give you the IT support you need without the risk of an ITAR violation, provided you verify the commitment rather than assume it.
ITAR and Mobile Computing
Another potential source of ITAR problems stems from laptops and mobile devices. Company-owned and managed devices are a good answer to the cybersecurity problems posed by bring-your-own-device (BYOD). But all users of such devices must understand that carrying a device out of the U.S. is an export of whatever ITAR data it holds. ITAR does provide a narrow exemption (22 CFR 125.4(b)(9)) for a U.S. person travelling or on temporary assignment abroad who keeps the data solely for their own use under sufficient security precautions, and the encryption carve-out discussed above can apply to encrypted data in transit, but these are deliberate decisions to be made and documented by your export compliance function, not something a traveller should rely on by default. The simplest policy is that ITAR data does not leave the U.S. on any device.
Getting Help with ITAR Compliance
Handling data in compliance with ITAR requires a combination of policy and technical controls. Technology can’t prevent every possible ITAR breach, but having the right controls in place can reduce the risk of both malicious activity and unintentional violations. Additionally, having a documented compliance program can mitigate fines and penalties if a breach does occur: DDTC treats an existing compliance program and a prompt voluntary disclosure as mitigating factors when it decides on penalties.
Most organizations that handle ITAR data are also covered by the requirements of DFARS 252.204-7012, NIST SP 800-171, and soon, CMMC. Many of the same technical controls that ensure compliance with these requirements, such as access control, encryption, and audit logging, can also be used to support ITAR compliance when implemented properly.
A managed IT service provider (MSP) like E-N Computers can help you with these regulatory burdens. By providing on-demand cybersecurity expertise, backed by high-quality tools and proven processes, an MSP can help you to plan out your roadmap to compliance, and then help you to stay compliant down the road.
In addition to ITAR compliance, you should also be prepared for the new Cybersecurity Maturity Model Certification (CMMC) requirements that will affect nearly all defense contractors. Our article The Ultimate Guide to CMMC will give you an overview of CMMC and the steps you need to take to become compliant. We also recently held a webinar about the latest changes to CMMC – watch it on demand here.
To help defense contractors prepare for these new regulations, we’re offering free strategy sessions to all organizations that need CMMC or ITAR assistance. In this 30-minute, no-obligation call, you’ll get advice specific to your situation about the next steps you need to take to get ready for certification. Just click the button below to pick a time that works for you: