ITAR Compliance Checklist

The United States government has established strict regulations to safeguard intellectual property and military superiority. Compliance with the International Traffic in Arms Regulations (ITAR) is imperative for companies involved with U.S. defense technologies and data. Failure to comply can lead to severe legal and financial repercussions, as well as reputational damage. To avoid these risks, organizations must establish robust ITAR compliance programs and provide training to employees on the requirements.

What is ITAR?

The International Traffic in Arms Regulations or ‘ITAR’ are issued by the U.S. State Department to control the export and import of defense-related articles and services on the United States Munitions List (USML), such as military hardware, guidance systems, submarines, armaments, military aircraft, IT and software. The purpose of ITAR is to control access to specific types of technology and their associated data to prevent the disclosure or transfer of sensitive information to a foreign national.

Who must comply with ITAR?

If your organization is doing business with U.S. Defense, ITAR likely applies to you. Any organization that handles, designs, sells, or distributes items on the USML must be ITAR compliant.

All U.S. companies, research labs, and universities involved in the manufacturing, exporting, and brokering of defense articles, services, or technical data must register with the Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations. Additionally, product development plans, hardware specifications, source code, and other sensitive technical data must be adequately secured in accordance with ITAR guidelines.

What is Technical Data under ITAR?

ITAR § 120.33 defines technical data as any of the following:

1. Information that is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles on the USML and the 600-series items on the Commerce Control List (CCL), including blueprints, drawings, photographs, plans, instructions or documentation.
2. Classified information relating to defense articles and defense services.
3. Information covered by an invention secrecy order.
4. Software directly related to defense articles.

What are the Consequences of Non-compliance with ITAR?

The consequences of failing to comply with export regulations are severe, with the possibility of facing fines of hundreds of thousands of dollars for each civil violation of ITAR regulations. With penalties of $1 million+ per violation, non-adherence to export laws can easily cost an organization millions. Organizations can also be ‘debarred’ or lose the ability to export defense articles. The penalties for willful misconduct are even more severe, with criminal consequences. In such instances, apart from significant multi-million dollar fines, the violators can face imprisonment of up to 20 years.

ITAR Compliance Checklist

Unlike CMMC, there is no ITAR certification program, just a responsibility to register with DDTC and comply with the terms of the regulation. Organizations must develop, implement, and maintain their own compliance programs.

Use this checklist to assist with best practices for implementing an ITAR compliance program. If you’re unsure of what’s required, seek expert advice.

1. Determine if ITAR Applies to Your Organization

Review the USML list to understand which defense articles, services, or data apply to your organization and are subject to ITAR. Assess any associated threats or vulnerabilities and formulate risk-based compliance plans for physical and information security to assist with mitigation and compliance. If you’re a subcontractor, contact the supplier or OEM you are working with to check if the materials or data are ITAR-controlled.

2. Register your company with the Directorate of Defense Trade Controls (DDTC)

U.S. companies need to register with DDTC as quickly as possible if any ITAR-controlled activities or defense articles apply to their organization. Typically, registration is a precondition to the DDTC issuing any import/export license or other approval unless the DDTC grants you an exception. Registration must be renewed annually, so be aware of expiration and renewal dates and processes.

3. Obtain necessary export/temporary import licenses and exemptions

Before U.S. companies export or temporarily import defense-related articles, including technical data, they must first obtain proper approval and licensing from the DDTC unless the temporary import qualifies for an exemption. If an exemption applies, you must follow the documented procedures and file any required documents. Permanent import of defense articles is regulated by the Department of the Justice’s Bureau of Alcohol, Tobacco, Firearms and Explosives.

4. Train all employees in ITAR policies

Implement employee training programs to ensure all employees and contractors are educated on:

• ITAR handling policies for physical items and technical data, and;
• Internal processes for identifying and safeguarding ITAR-related materials on company networks and mobile devices.

5. Ensure Only U.S. Citizens in the U.S. Can Access ITAR-controlled Data

Access to ITAR-controlled data is restricted to employees who are U.S. citizens located in the U.S. Any U.S. companies operating abroad must obtain State Department authorization before sharing ITAR data with local staff. Third parties involved in ITAR work must also comply with this requirement. However, there are specific exemptions for allied countries.

To properly safeguard ITAR-controlled information, implementing technology such as attribute-based access control (ABAC) policies can restrict access and limit sharing based on various factors such as the user’s citizenship, clearance level, exemptions, and other attributes. This helps ensure that only authorized individuals have access to ITAR information and that it is shared only with those who are allowed to see it.

6. Implement Record-keeping and Auditing Protocols

Ensure that all activities related to ITAR are documented, including but not limited to registration, manufacturing, acquisition, and disposition, as well as any minutes, notes, drawings, etc. Organizations are also required to maintain ITAR-related transaction records for five years and furnish them to DDTC upon request. As a best practice, you should create an audit team that regularly reviews ITAR policies and record-keeping procedures.

7. Verify that your supply chain partners are ITAR-compliant

As an organization dealing with ITAR-regulated data, ensuring that all third parties and subcontractors with whom you share such data comply with the regulations and have implemented their own access controls is crucial. To help ensure compliance, notify them when materials are ITAR-controlled and secure end-user statements to attest that they understand what is required of them under ITAR.

8. Do not share data with individuals outside the U.S. or from prohibited countries

It is strictly prohibited to share any ITAR data with individuals outside the U.S. without the proper licensure. Under no circumstances should you share ITAR data with anyone residing in a country on the prohibited countries list. You should employ technology that can proactively prevent the sharing of ITAR data with unauthorized individuals to prevent human error.

9.  Control data access on all systems and devices

Currently, there are no established regulations or certification programs for cybersecurity under ITAR.  DDTC expects organizations to ensure that processes are in place for securing access to, handling and sharing of ITAR data to protect against cyberattacks and other threats. They do, however, make some security recommendations, including:

• Having clear policies, procedures, and training programs in place.
• Controlling access to ITAR-controlled data on file sharing, cloud storage, and collaboration applications to ensure only authorized personnel can access data.
• Ensuring foreign employees do not have access to ITAR data.
• Using end-to-end encryption for data in transit or stored on mobile devices, such as phones and laptops, that is FIPS 140-2 compliant or by other cryptographic means is comparable to the Advanced Encryption Standard (AES–128).
• Employing intrusion detection systems.
• Logging and controlling access to networks and applications that contain ITAR-controlled technical data.

10. Implement FIPS 140-2 Compliant Encryption

While encryption is recommended as a best practice by ITAR, specific encryption requirements were added in ITAR § 120.54(a)(5). They apply to “activities that are not exports, reexports, retransfers, or temporary imports” regarding the sending, taking, or storing of unclassified technical data without an export/import license, including:

• Allowing the transfer of unclassified technical data without the need for licenses, provided it is secured with end-to-end encryption that is FIPS 140-2 compliant or an alternative that meets AES–128 criteria.
• Ensuring technical data is not backed up to servers in foreign locations unless it meets ITAR § 120.54(a)(5) criteria for end-to-end encryption.

11. Report ITAR violations immediately

Despite having all the proper precautions, mistakes and malicious activities can occur. In the event of an accidental or deliberate ITAR violation, you must immediately report it to the DDTC. Not doing so can result in fines, criminal penalties, and debarment.

Securing ITAR-controlled Data and Access

Regarding cyber security and encryption, the guidance from DDTC for ITAR is relatively standard. You must implement robust access control data protection mechanisms to protect ITAR-controlled data.

There are multiple factors you must evaluate when determining access and handling policies for ITAR-controlled data, including:

• User citizenship
• User clearance level and caveats
• Document categorization (e.g., ITAR, EAR, etc.)
• Document classification (e.g., Controlled Unclassified, Public Trust Position, Confidential, Secret, Top Secret, Compartmented)
• Device, Browser or Operating System (e.g., iPad, Android, tablet or another mobile device)
• Geography/location of the user requesting access
• Other applicable regulations, including EAR, DFARS, CMMC, etc.

To ensure compliance with the ITAR, it is important to use classificational tools that can accurately identify and tag ITAR data. These tags can then be utilized by your data security and access management tools to restrict access to authorized individuals and control the conditions under which the data can be accessed and shared with others (e.g., applying end-to-end encryption). This way, you can avoid potential violations by maintaining strict control over who has access to ITAR data and who it can be shared with.

archTIS has deep experience helping companies implement solutions for data-centric access control and protection of ITAR-controlled data. We offer a range of products, from secure document management platforms with built-in ITAR data controls to solutions for managing ITAR-controlled data in your Microsoft file sharing and collaboration applications. Our products use policy-enforced attribute-based access control (ABAC) and data protection to dynamically secure data in real time. With archTIS, it’s easy to manage ITAR access controls and data security with precision and efficiency.

Kojensi document management and collaboration platform

Kojensi is a document management and collaboration platform designed from the ground up to meet the specific needs of the Government, Defence, and Defence Industry, including ITAR. Kojensi is designed with ITAR controls to assist organizations with meeting their compliance obligations. Kojensi’s ITAR compartments enforce ITAR dissemination controls and visually alert users that they are working on export-controlled materials to reduce human error. With Kojensi, securely share any number of files that may have different export controls internally, with partners and with Defense.

NC Protect for M365, GCC, GCC High and SharePoint Server

NC Protect simplifies the management of ITAR-controlled information in Microsoft 365, GCC, GCC High, SharePoint Server, and file shares. Attribute-based access control (ABAC) policies dynamically secure ITAR data access based on user nationality, location, device and file classification.  Policies can also automatically apply encryption, visual markings and other security trimmings to ensure ITAR data remains secure while auditing file access and actions.

Contact archTIS today to learn more about our information security solutions, specifically designed to meet the unique security and compliance needs of the Defense industry.