ITAR & EAR Compliance

Meeting ITAR AND EAR Compliance in Microsoft 365 and SharePoint

Meeting ITAR AND EAR Compliance in Microsoft 365 and SharePoint

International Traffic in Arms Regulations (ITAR), are issued by the United States government to control the export and import of defense-related articles and services on the United States Munitions List (USML). In short, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant. The Export Administration Regulations (EAR) are issued by the United States Department of Commerce to control the export of items which are designed for a commercial purpose which could have military applications, such as computer hardware and software (Commerce Control List).

ITAR and EAR violations can pose a huge risk for impacted companies. Defense contractors have been fined tens of millions of dollars for failing to control access to EAR and ITAR regulated data. Furthermore, they can impact more than just the bottom line – criminal penalties of 10 to 20 years in prison, depending on the regulation, are also possible.

If your company falls under ITAR or EAR and you are using Microsoft 365 (M365), SharePoint Online or on-premises (SharePoint) to provide access to product development plans, hardware specifications, source code, and other sensitive information, then you must implement security controls in these applications to be compliant. The rules apply to any internal and external users or groups that have access to regulated content in the US and in many other countries as defined in the requirements.

It is one of the most complex access management issues to solve. To be compliant, multiple factors must be considered before sharing regulated content with M365 or SharePoint including:

  • User clearance level and caveats
  • User citizenship
  • Document/item clearance level (i.e. top secret, confidential, etc.)
  • Device (i.e. browser or OS such as iPad, Android, tablet or other mobile device)
  • Geography and access locations

Trying to define access in M365 or SharePoint using item permissions would require the creation of thousands of security groups, and if using inheritance thousands of sites or libraries and folders. You also run the risk of exceeding the limit of allowed security scopes on a list. The complexity of these security schemes greatly expands the likelihood of multiple single point defects in individual user or document permissions – any of which constitute an export breach.

NC Protect provides a simple approach using dynamic access and identity management.

NC Protect for ITAR and EAR Compliance
The NC Protect approach to ITAR and EAR is simple

NC Protect’s zero trust methodology uses attribute-based access control (ABAC) to determine access, usage and sharing permissions at the item level — without the need to create additional groups and independent of item permissions. Organizations define policies and dynamically define groups, permissions and access based on user and file attributes including classification.

With NC Protect access controls and information protection are applied to individual files, chats and messages in real-time, so sensitive content can be safely stored, shared and collaborated in Microsoft 365 apps and SharePoint—regardless of user membership, unlike solutions that secure or encrypt at the app or location level. This approach also controls the proliferation of sites to support individual collaboration scenarios.

Key Benefits of NC Protect

  • Supports Microsoft 365 apps, SharePoint Online and on-premises
  • Uses attribute-based access control (ABAC) to determine access, usage and sharing rights
  • Automatically identifies if a document falls under ITAR or EAR and classifies it based on its contents/sensitivity
  • Embeds a CUI Designator Label including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC into documents as a watermark
  • Prevents the deletion of an ITAR document based on the published date or a shipment date for retention requirements.
  • Tracks chain of custody
  • Enforces zero trust at the data level

Case Study

Learn how this Defense Manufacturer uses NC Protect to identify and restrict access to content containing CUI.

Get Advanced Information Protection that’s Simple, Fast & Scalable with NC Protect

Discover how NC Protect’s advanced information protection capabilities prevent data breaches, unauthorized file access and accidental sharing in M365 apps, Windows File Shares and more — for a solution that’s simple, fast and scaleable.

archTIS Named 2022 Australian Defence Industry Awards Cyber Business of the Year
CyberSecurity Breakthrough Awards NC Protect 2022 Policy Management Solution of the Year
Cybersecurity Excellence Award 2022 Gold

​Let’s Get the Conversation Started

Learn how to leverage NC Protect for ITAR and EAR data compliance to enforce dynamic access and security to proactively protect ITAR controlled information.