If you are using Microsoft 365 (M365) or SharePoint and need to comply with or learn more about ITAR and EAR, read our 6 W’s to help you ensure compliance with these strict U.S. regulations.
ITAR, or the International Traffic in Arms Regulations, are issued by the United States government to control the export and import of defense-related articles and services on the United States Munitions List (USML), e.g. military hardware, guidance systems, submarines, armaments, military aircraft, IT and software. In short, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant.
The Export Administration Regulations (EAR) are issued by the United States Department of Commerce to control the export of items designed for a commercial purpose that could also have military applications, such as the computer hardware and software on the Commerce Control List.
These regulations apply to almost everyone conducting business with U.S. Defense. The US-based legislation aims to control access to specific types of technology and their associated data, to prevent the disclosure or transfer of sensitive information to a foreign national. If your company falls under ITAR or EAR and you need to collaborate on product development plans, hardware specifications, source code, and other sensitive information, then you must implement security controls in the applications used to share and collaborate on regulated information to ensure compliance.
The rules apply to any organisation, including its internal and external users or groups, that has access to ITAR-regulated content in the US and in many other countries as defined in the requirements. ITAR compliance can pose challenges for companies, since data related to specific technologies may need to be transferred over the internet, via collaboration applications such as Microsoft 365 and SharePoint, or stored locally outside of the United States.
To be “ITAR certified (compliant)” your company needs to register with DDTC, know what is required of your organization to comply with ITAR, and self-certify that you possess this knowledge. It’s important that you understand and comply with these regulations, as ITAR and EAR violations can pose a huge risk for impacted companies.
With a civil penalty of US $1 million+ per violation, defense contractors have been fined tens of millions of dollars, and in the case of Airbus, billions, for failing to control access to EAR- and ITAR-regulated data. Violators can be ‘debarred’ or lose the ability to export goods.
Notably, violations can impact more than just the company’s bottom line – criminal penalties of up to 20 years in prison, depending on the regulation, are also possible.
If your company falls under the categories above, compliance is mandatory.
6. Why compliance can be difficult to achieve on your own
ITAR / EAR compliance is one of the most complex access management issues to solve. To be compliant, multiple factors must be considered before sharing regulated content in M365 or SharePoint, including:
- User clearance level and caveats
- User citizenship
- Document/item clearance level (e.g. top secret, confidential, etc.)
- Device (e.g. browser or operating system, such as iPad, Android or another tablet or mobile device)
- Geography and access locations
Trying to define access in M365 or SharePoint using item permissions would require the creation of thousands of security groups and, if using inheritance, thousands of sites, libraries and folders. You also run the risk of exceeding the limit of allowed security scopes on a list. The complexity of these security schemes greatly expands the likelihood of single-point defects in individual user or document permissions – any one of which constitutes an export breach.
ITAR and EAR Compliance Made Easy
The NC Protect approach to ITAR and EAR is simple.
NC Protect’s zero trust methodology uses attribute-based access control (ABAC) to determine access, usage and sharing permissions at the item level — without the need to create additional groups and independent of item permissions. Organizations define policies and dynamically define groups, permissions and access based on user and file attributes including classification.
With NC Protect, access controls and information protection are applied to individual files, chats and messages in real time, so sensitive content can be safely stored, shared and collaborated on in Microsoft 365 apps and SharePoint — regardless of user membership, unlike solutions that secure or encrypt at the app or location level. This approach also controls the proliferation of sites created to support individual collaboration scenarios.
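To make the attribute-based model concrete, here is an added, self-contained illustration of an ABAC decision over the factors listed earlier (clearance and caveats, citizenship, item classification, device and access location). It is example code written for this page, not NC Protect's implementation; the attribute names, the clearance ordering, the "US citizen only" simplification of the ITAR "US person" rule, and the sample users and documents are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

# Hypothetical attribute model for illustration; attribute names and the
# clearance ordering are assumptions, not a real product schema.
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class User:
    name: str
    citizenship: str             # ISO 3166 country code of the user
    clearance: str               # key into CLEARANCE
    caveats: frozenset = frozenset()
    location: str = "US"         # country the access request comes from
    managed_device: bool = True  # corporate-managed browser/OS vs. personal device

@dataclass(frozen=True)
class Item:
    name: str
    classification: str          # key into CLEARANCE
    export_control: str = ""     # "ITAR", "EAR" or "" for uncontrolled
    caveats: frozenset = frozenset()

def evaluate(user: User, item: Item) -> tuple[bool, str]:
    """Return (allowed, reason). The first failing rule denies access."""
    if CLEARANCE[user.clearance] < CLEARANCE[item.classification]:
        return False, f"clearance {user.clearance!r} below {item.classification!r}"
    missing = item.caveats - user.caveats
    if missing:
        return False, f"missing caveats {sorted(missing)}"
    if item.export_control and not user.managed_device:
        return False, f"{item.export_control} data not released to unmanaged devices"
    if item.export_control == "ITAR":
        # Simplification: treats only US citizens as "US persons" (ITAR also
        # covers lawful permanent residents); a real policy needs HR data.
        if user.citizenship != "US":
            return False, "ITAR: user is a foreign national"
        if user.location != "US":
            return False, "ITAR: access attempted from outside the US"
    return True, "all attribute checks passed"

# Constructed sample data (not real users or documents).
GUIDANCE_SPEC = Item("guidance-system-spec.docx", "secret", "ITAR", frozenset({"NOFORN"}))
ALICE = User("alice", "US", "secret", frozenset({"NOFORN"}))
BOB = User("bob", "GB", "top secret", frozenset({"NOFORN"}))
CAROL = User("carol", "US", "secret", frozenset({"NOFORN"}), location="DE")

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, evaluate(u, GUIDANCE_SPEC))
```

Note that Bob is denied despite holding a higher clearance than the document requires: for export-controlled content, citizenship and location are evaluated independently of clearance, which is exactly what a group-per-combination scheme struggles to express.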