ITAR and EAR Compliance in Microsoft 365 and SharePoint

 

ITAR & EAR COMPLIANCE

If you are using Microsoft 365 (M365) or SharePoint and need to comply with or learn more about US export control requirements, read our 6 W’s of ITAR and EAR Compliance to help you comply with these strict U.S. regulations.

1. What are ITAR & EAR?

ITAR, or the International Traffic in Arms Regulations, are issued by the United States government to control the export and import of defense-related articles and services on the United States Munitions List (USML). e.g., military hardware, guidance systems, submarines, armaments, military aircraft, IT and software. In short, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant.

The Export Administration Regulations (EAR) are issued by the United States Department of Commerce, Bureau of Industry and Security (BIS) to control the export of dual-use items that are designed for a commercial purpose which could have military applications, such as computer hardware and software (Commerce Control List). EAR also controls certain types of munitions and “military hardware”, including some types of firearms, aircraft, military vehicles, materials, chemicals and more. This also covers items controlled by the Wassenaar Munitions List (WAML).

2. Who do ITAR & EAR apply to?

These regulations apply to almost everyone conducting business with US Defence.

ITAR: If your company handles, manufactures, designs, sells, or distributes items on the USML you must be ITAR compliant. The legislation aims to control access to specific types of technology and their associated data to prevent the disclosure or transfer of sensitive information to a foreign national.

EAR: Any company that manufactures products and technology in the US with either dual-use (commercial and military applications) or solely commercial applications are subject to EAR regulations.

If your company falls under ITAR or EAR and you need to collaborate on product development plans, hardware specifications, source code, and other sensitive information, then you must implement security controls in the applications being used to share and collaborate on regulated information to ensure compliance.

3. Where is ITAR & EAR Compliance Mandated?

The rules apply to any organization, including internal and external users or groups, that have access to ITAR or EAR regulated content in the US and in many other countries as defined in the requirements. Compliance can pose challenges for companies, since data related to specific technologies may need to be transferred over the internet, via collaboration applications such as Microsoft 365 and SharePoint, or stored locally outside of the United States.

4. Why do I need to be ITAR OR EAR COMPLIANT?

With a civil penalty of US $1 million+ per violation, Defense contractors have been fined from tens to hundreds of millions of dollars for failing to control access to EAR and ITAR-regulated data. Violators can be ‘debarred’ or lose the ability to export goods. Notable violations include Seagate, which was fined $300 million for EAR violations and placed under a 3-year ITAR debarment, and Airbus SE’s $3.9 billion in fines for ITAR violations and misconduct, and foreign bribery.

It is important to understand that violations can impact more than just the company’s bottom line – criminal penalties of up to 20 years in prison, depending on the regulation, are also possible.

To be ITAR compliant, your company needs to register with the Directorate of Defense Trade Controls (DDTC), know what is required of your organization to comply with ITAR and self-certify that you possess this knowledge. It’s important that you understand and comply with these regulations as ITAR and EAR violations can pose a huge risk for impacted companies.

5. When do I need to be ITAR or EAR Compliant?

Any U.S. company, university or research lab that manufactures, exports or temporarily imports “defense articles” or furnishes “defense services”, must register with the DDTC and comply with ITAR regulations. Parties that engage in defense “brokering” and freight forwarders that perform services under the Foreign Military Sales program are also required to register under ITAR. Organizations should assess if they are required to register and do so as quickly as possible.

EAR requires a license for the exportation of a wide range of items with “dual-use” commercial and military applications, or otherwise of strategic value to the United States. Importantly, items listed on the Commerce Control List (“CCL”) require a license prior to exportation. US exporters should consult the EAR to assess if export license requirements apply to the sale of their items.

6. Why is compliance difficult to achieve in Digital Collaboration Applications?

ITAR and EAR compliance are one of the most complex governance and access management issues to solve in collaboration applications. To be compliant, multiple factors must be considered before sharing regulated content using Microsoft 365 applications (SharePoint Online, OneDrive, and Exchange) or SharePoint on-premises, including:

• User clearance level and caveats
• User citizenship
• Document categorization (e.g., ITAR, EAR, etc.)
• Clearance level (e.g., Controlled Unclassified, Public Trust Position, Confidential, Secret, Top Secret, Compartmented)
• Device (i.e. browser or OS such as iPad, Android, tablet or other mobile device)
• Geography and access location

Trying to define access in Microsoft 365 or SharePoint using item permissions would require the creation of thousands of security groups, and, if using inheritance, thousands of sites or libraries and folders. You also run the risk of exceeding the limit of allowed security scopes on a list. The complexity of these security schemes greatly expands the likelihood of multiple single-point defects in individual user or document permissions – any of which constitute an export breach.

ITAR & EAR Compliance in Microsoft 365 Applications Made Easy

archTIS’ approach to ITAR and EAR compliance in Microsoft applications makes the complex easy to achieve using dynamic policy-based enforcement.

NC Protect’s data-centric zero trust methodology uses attribute-based access control (ABAC) to determine access, usage and sharing permissions at the item level — without the need to create additional groups and independent of item permissions. Access and data protection policies are based on user and file attributes including categorization/classification, nationality, country, etc.

With NC Protect access controls and information protection are applied to individual files, chats and email messages in real-time, so sensitive content can be safely stored, shared and collaborated in Microsoft 365 apps and SharePoint — regardless of user membership, unlike solutions that secure or encrypt at the app or location level. This approach also controls the proliferation of sites to support individual collaboration scenarios.

NC Protect also provides unique functionality to enhance information security, including a secure read-only viewer, dynamic security watermarks, CAD file protection, visual markings, data obfuscation, redaction, and more, not available natively in Microsoft applications.

Microsoft 365 & SharePoint ITAR & EAR Compliance FAQs

1. How can NC Protect help me find all of my ITAR data?
   NC Protect scans your data repositories to identify and classify regulated data – on-premises, in the cloud and in hybrid environments. You can configure rules to identify ITAR or CUI data and automatically apply custom classifications/tags to identified regulated data.
2. What if I am using classification/tagging from another vendor?
   NC Protect’s Bring Your Own Classification model allows customers to use NC Protect’s classification engine or leverage existing classifications as one of the attributes used by the product’s dynamic ABAC policies to control access and apply file-level protection. Integrations with Microsoft Purview Information Protection (MPIP) labels and Janusseal Documents classifications make this a seamless process.
3. How can I manage access to ITAR data?
   NC Protect’s ABAC policies evaluate and validate each file’s attributes including security classification and permissions, as well as user and environmental attributes such as security clearance, time of day, citizenship, country and device to determine who can access, edit, download, and/or share a particular file. Policies are applied each and every time a file is accessed applying zero trust at the file level. NC Protect helps control data access, automatically enforces security policies, and demonstrates compliance with government auditors.
4. How can I apply encryption when needed?
   NC Protect can dynamically encrypt ITAR files at rest or in motion, as well as SharePoint lists, using secure AES-256 bit encryption that is FIPS 140-2 compatible.
5. How do I apply markings to ITAR and EAR Documents?
   NC Protect’s advanced watermarking capability can dynamically apply multiple visual markings and CUI markings based on document categorization as required.  
6. How will I know if my ITAR or EAR data is accessed?
   NC Protect logs all access to documents as well as actions users have taken with them (print, save, email, etc.) and maintains a complete audit trail to help meet ITAR regulations. Automatically feed logs into Microsoft Sentinel or Splunk to trigger alerts and upstream actions on suspicious behavior or unusual activity.

Learn More about how NC Protect helps address ITAR and EAR compliance.