This article originally appeared in Defence Connect.
Selling to the Department of Defence or dealing with Export Controlled material? Discover how to manage the information security and compliance of ITAR and other regulated data
Congratulations, you have finally won a unique business opportunity in Defence that will enable you to showcase your hard work to like-minded individuals and or to deliver services to the United States (U.S.) Department of Defense. Will you be dealing with or working with Export Controlled material?
You may need to comply with Export Controls such as the International Traffic in Arms Regulations (ITAR). ITAR are the regulations that control the export and import of defence-related materials and services on the United States Munitions List (USML). This includes military hardware, guidance systems, submarines, armaments, military aircraft, IT and software. The U.S. Government requires all manufacturers, exporters, and brokers of defence articles, defence services or related technical data, to be ITAR compliant.
Managing ITAR Compliance
The administrative effort required to maintain Export Controlled material such as ITAR can be complicated. Not doing it correctly could jeopardise your contracts with Defence Departments and could expose you to large fines. There have been breaches leading to fines that have ranged from 10 to 100 million dollars, and in some cases prison sentences.
To be compliant you need to implement numerous processes and policies across the business. One of the more complex compliance tasks is the ongoing management of ITAR regulated information, including Controlled Unclassified Information (CUI).
Multiple factors must be considered to determine who can access regulated content including:
- User clearance levels and caveats
- User citizenship and nationality
- Document / item classification level
- Briefing levels
Trying to define access to this material using traditional role-based permissions would require the creation of thousands of security roles and/or groups. If you’re using permission inheritance, it would require thousands of sites or libraries and folders to match. The complexity and ongoing management of such security schemas greatly expand the likelihood of (multiple) single point failures in individual user or document permissions – any of which could constitute an ITAR violation.
The act of managing this restricted information, requires a multi-pronged approach to:
- Control the user interactions via training and policies, and
- Properly store and manage access to the information.
Selecting a technology to manage the access process, while keeping relevant and aligned to the processes that oversee the information is a difficult one. There are several key elements that should be factored into your search for an ITAR access management tool.
First, traditional permission models are complex and require lots of resources to manage, while leaving potential security gaps. Instead, consider taking a data-centric security approach, that dynamically enforces data rules, such as those related to ITAR, once they have been set up, automatically and transparently. Data centric security uses what is called Attribute Based Access Control (ABAC) to enable you to simplify the management of viewing and editing rights and the dynamic enforcement of strict controls over information. The ABAC model only grants access once a user’s attributes meet the policies required to release a particular file. These attributes could include a user’s organisation, nationality, and clearance levels, as well other access control identifiers such as project name, mode of access, time, etc. With ABAC-based controls a single repository could contain many different classification levels reducing duplication and expense.
Second, it is essential that the platform can maintain the correct security posture and auditability that is mandated for ITAR material. If you can source a platform that fully integrates secure document collaboration and a document editing suite you can improve your security and audit controls even further. Depending on your current IT infrastructure you may also need to find an independent platform that is fully accreditable to meet the classification criteria required for your project.
Third, users need ultimate control of the classification of the materials that they create, not the system administrator. By enabling creators to classify their materials, an ABAC-enabled system can enforce information barriers based on the attributes they set to restrict access accordingly.
Simplifying the management of and access to ITAR data
There is a content management platform that dynamically provides the right information access to the right people, based on their associated attributes to help to prevent data loss or misuse, and to assist in meeting ITAR requirements – Kojensi.
Kojensi is designed from the ground up to meet the specific needs of Government, Defence, and Defence Industry. It is available as a SaaS platform or on-premises to meet the need of SMEs and larger organisations.
Kojensi provides the ability to meet your compliance obligations by:
- Protecting information via attribute-based access controls
- Embedding a document creation and collaboration suite within the platform
- Being accredited to Protected and accreditable to higher classification on-premises
- Having inbuilt ITAR compliant dissemination controls to fit your business processes
Managing ITAR Regulated Data in Microsoft Applications
To control ITAR regulated information in Microsoft 365 or SharePoint on-premises, archTIS’ NC Protect provides the same ABAC-based controls to secure CUI and other ITAR data. To benefit from archTIS’ expertise delivering multi-level security, cross domain solutions within the highest security areas of government to manage ITAR, DISP and other regulatory requirements contact us today.
