Meeting ITAR AND EAR Compliance in Microsoft 365 and SharePoint
International Traffic in Arms Regulations (ITAR), are issued by the United States government to control the export and import of defense-related articles and services on the United States Munitions List (USML). In short, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant. The Export Administration Regulations (EAR) are issued by the United States Department of Commerce to control the export of items that are designed for a commercial purpose which could have military applications, such as computer hardware and software (Commerce Control List). If your company handles, manufactures, designs, sells, or distributes items on the USML you must be ITAR compliant.
ITAR and EAR violations can pose a huge risk for impacted companies. Defense contractors have been fined tens of millions of dollars for failing to control access to EAR and ITAR regulated data. Furthermore, they can impact more than just the bottom line – criminal penalties of 10 to 20 years in prison, depending on the regulation, are also possible.
If your company falls under ITAR or EAR and you are using Microsoft 365 (M365), SharePoint Online or on-premises (SharePoint) to provide access to product development plans, hardware specifications, source code, and other sensitive information, then you must implement security controls in these applications to be ITAR compliant. The rules apply to any internal and external users or groups that have access to regulated content in the US and in many other countries as defined in the requirements.
It is one of the most complex access management issues to solve. To be ITAR compliant, multiple factors must be considered before sharing regulated content with M365 or SharePoint including:
- User clearance level and caveats
- User citizenship
- Document/item clearance level (i.e. top secret, confidential, etc.)
- Device (i.e. browser or OS such as iPad, Android, tablet or other mobile device)
- Geography and access locations
Trying to define access in M365 or SharePoint using item permissions would require the creation of thousands of security groups, and if using inheritance thousands of sites or libraries and folders. You also run the risk of exceeding the limit of allowed security scopes on a list. The complexity of these security schemes greatly expands the likelihood of multiple single point defects in individual user or document permissions – any of which constitute an export breach.
NC Protect provides a simple approach using real-time dynamic access and identity management.