The United States and Australian Governments have established strict regulations to safeguard the technology that can be used for military applications. The most sensitive technology is regulated by the U.S. International Traffic in Arms Regulations (ITAR), and it is imperative for any company working with ITAR-controlled technologies and data to comply with these regulations. Failure to comply can lead to severe legal and financial repercussions, as well as reputational damage. To avoid these risks, organisations must establish robust ITAR compliance programs and provide training to employees on the requirements for managing ITAR in Australia and in the region.
What is ITAR?
The International Traffic in Arms Regulations or ‘ITAR’ are issued by the U.S. State Department to control the export and import of defence-related articles and services on the United States Munitions List (USML), such as military hardware, guidance systems, submarines, armaments, military aircraft, technical data related to such articles and software. The purpose of ITAR is to control access to technology that affords the U.S. and its allies military superiority and to prevent the disclosure or transfer of this sensitive information to rogue states and actors.
Who must comply with ITAR in Australia?
If your organisation does business with Australian or U.S. Defense, ITAR likely applies to you. Any organisation that handles, designs, sells, or distributes items on the USML, even if they are merely incorporating ITAR-controlled components into Australian-designed products, must be compliant.
Additionally, product development plans, hardware specifications, source code, and technical data we create here in Australia that incorporates hardware, software or technical data listed on the USML must be treated as ITAR-controlled.
What is Technical Data under ITAR?
ITAR § 120.33 defines technical data as any of the following:
- Information that is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles on the USML and some of the 600-series items on the Commerce Control List (CCL), including blueprints, drawings, photographs, plans, instructions or documentation. This includes information you produce in Australia, using ITAR-controlled information.
- Classified information relating to defence articles and defence services.
- Information covered by a U.S. Government invention secrecy order.
- Software directly related to defence articles and listed on the USML.
What are the Consequences of Non-compliance with ITAR?
The consequences of failing to comply with export regulations are severe, with the possibility of facing fines of over a million dollars for each civil violation of ITAR regulations. With such penalties and the associated reputational damage, non-adherence to export laws can easily bankrupt an organisation. The penalties for wilful misconduct also carry criminal consequences. Violators can face imprisonment of up to 20 years.
ITAR Compliance Checklist for Australian Companies
Unlike CMMC, there is no ITAR certification program, just a responsibility to comply with the regulations. Organisations must develop, implement, and maintain their own compliance programs to ensure compliance is maintained for the lifecycle of the ITAR-controlled products in their possession.
This checklist will assist Australian organisations with how to identify if ITAR is applicable to them and best practices for implementing an ITAR compliance program. If you’re unsure of what’s required, seek expert advice.
1. Determine if ITAR Applies to Your Organization
Start by determining which defence articles, services, or data within your organisation are subject to ITAR. The OEM or supplier will be able to provide you with information about whether the products they supplied to you are ITAR-controlled. If you are using ITAR-controlled technical data in your design or manufacture, your Australian-produced technical data will also be ITAR-controlled. This is known as “ITAR Taint”. Assess any associated threats or vulnerabilities and formulate risk-based compliance plans for physical and information security to assist with mitigation and compliance.
2. Ensure you have the necessary export/temporary import licenses and exemptions before granting access or re-exporting /retransferring ITAR
Before you grant your staff access to ITAR-controlled articles, re-export, retransfer or import ITAR-controlled articles, including technical data, you must first obtain approval from the U.S. State Department’s DDTC. Ensure that the approval covers the scope of work you intend to carry out. If not, request the appropriate approval that will allow you to satisfy your commercial agreements.
3. Train all employees in ITAR policies and procedures
Implement employee training programs to ensure all employees and contractors are educated on ITAR handling and sharing policies and any internal processes for identifying, safeguarding and storing ITAR-related materials on company networks and mobile devices.
4. Ensure Only Authorised Persons Can Access ITAR-controlled Data
Access to ITAR-controlled data is restricted to employees authorised to access ITAR-controlled data described in the DDTC approvals. Each approval will have a different scope of work and list of controlled technologies. For this reason, there is no such thing as an “ITAR Authorised Employee”. The ability to access ITAR will differ for staff from project to project, depending on a number of factors, including the nationalities of the staff member and employment status (e.g. full-time or contract work). Third parties involved in working with ITAR-controlled technologies at your site must also comply with the requirements of the DDTC Approvals.
To properly safeguard ITAR-controlled information, implementing technology such as attribute-based access control (ABAC) policies can restrict access and limit sharing based on various factors such as the user’s citizenship, clearance level, and other attributes. This helps ensure that only authorised individuals have access to ITAR-controlled technical data and that it is shared only with those who are allowed to see it.
5. Implement Record-keeping and Auditing Protocols
Ensure that all activities related to ITAR articles are documented, including but not limited to design, manufacturing, acquisition, divestiture, storage, re-export, retransfer and destruction. Organisations are also required to maintain records related to these types of ITAR transactions for a minimum of five years and furnish these records to DDTC upon request. As a best practice, you should keep the records for 25 years and create an audit team that regularly reviews ITAR policies and record-keeping practices to ensure you can evidence compliance with the ITAR to DDTC when required.
6. Verify that your supply chain partners are ITAR compliant
As an organisation dealing with ITAR-regulated data, ensuring that all third parties and subcontractors with whom you share ITAR-controlled technical data comply with the regulations and have implemented their own access controls is crucial.
7. Do not share ITAR data with individuals from prohibited countries
It is strictly prohibited to share any ITAR data with individuals without the proper approval. It is the policy of the U.S. State Department to deny access to ITAR-controlled technology to persons from a proscribed country, including those who have acquired Australian citizenship but were born in a proscribed country. Under no circumstances should you share ITAR data with anyone residing in a country on the proscribed countries list found in Part 126.1 of the ITAR. You should employ technology that can proactively prevent the sharing of ITAR data with unauthorised individuals to prevent human error, as staff may be unaware of the sensitivities around the country of birth or previous citizenships held by their coworkers.
8. Control data access on all systems and devices
Currently, there are no established regulations or certification programs for cybersecurity under ITAR. DDTC expects organisations to ensure that processes are in place for securing access to, handling and sharing of ITAR data to protect against cyberattacks and other threats. They do, however, make some security recommendations, including:
- Having clear policies, procedures, and training programs in place.
- Ensuring ITAR controlled data is clearly marked. This will also prevent inadvertent ITAR taint.
- Controlling access to ITAR-controlled data on file sharing, cloud storage, and collaboration applications to ensure only authorised personnel can access data.
- Ensuring unathorised employees do not have access to ITAR data.
- Using end-to-end encryption for data in transit or stored on mobile devices, such as phones and laptops, that is FIPS 140-2 compliant or by other cryptographic means is comparable to the Advanced Encryption Standard (AES–128).
- Employing intrusion detection systems.
- Logging and controlling access to networks and applications that contain ITAR-controlled technical data.
9. Implement FIPS 140-2 Compliant Encryption
While encryption is recommended as a best practice by ITAR, specific encryption requirements were added in ITAR § 120.54(a)(5). They apply to “activities that are not exports, reexports, retransfers, or temporary imports” regarding the sending, taking, or storing of unclassified technical data without an export/import license, including:
- Allowing the transfer of unclassified technical data without the need for licenses, provided it is secured with end-to-end encryption that is FIPS 140-2 compliant or an alternative that meets AES–128 criteria.
- Ensuring technical data is not backed up to servers that are not physically located in the U.S. or Australia unless it meets ITAR § 120.54(a)(5) criteria for end-to-end encryption.
10. Report ITAR violations immediately
Despite having all the proper precautions, mistakes and malicious activities can occur. In the event of an accidental or deliberate ITAR violation, you must report violations of the ITAR to the DDTC. Not doing so can result in fines, criminal penalties, and debarment.
Securing ITAR-controlled Data and Access
Regarding cyber security and encryption, the guidance from DDTC for ITAR is relatively standard. You must implement robust access control data protection mechanisms to protect ITAR-controlled data.
There are multiple factors you must evaluate when determining access and handling policies for ITAR-controlled data, including:
- User citizenship
- User clearance level and caveats
- Document categorisation (e.g., ITAR, EAR, etc.)
- Document classification (e.g., Controlled Unclassified, Public Trust Position, Confidential, Secret, Top Secret, Compartmented)
- Device, Browser or Operating System (e.g., iPad, Android, tablet or another mobile device)
- Geography/location of the user requesting access
- Other regulations may also apply, including EAR, DFARS, CMMC, etc.
To ensure compliance with the ITAR, it is important to use classificational tools that can accurately identify and tag ITAR data. These tags can then be utilised by your data security and access management tools to restrict access to authorised individuals and control the conditions under which the data can be accessed and shared with others (e.g., applying end-to-end encryption). This way, you can avoid potential violations by maintaining strict control over who has access to ITAR data and who it can be shared with.
archTIS has deep experience helping companies implement solutions for data-centric access control and protection of ITAR-controlled data. We offer a range of products, from secure document management platforms with built-in ITAR data controls to solutions for managing ITAR-controlled data in your Microsoft file sharing and collaboration applications. Our products use policy-enforced attribute-based access control (ABAC) and data protection to dynamically secure data in real time. With archTIS, it’s easy to manage ITAR access controls and data security with precision and efficiency.
Kojensi document management and collaboration platform
Kojensi is a document management and collaboration platform designed from the ground up to meet the specific needs of the Government, Defence, and Defence Industry, including ITAR. It is designed with ITAR controls to assist organisations with meeting their compliance obligations. ITAR compartments enforce ITAR dissemination controls and visually alert users that they are working on export-controlled materials to reduce human error. With Kojensi, you can securely share any number of files that may have different export controls internally, with partners, and with Defense.
NC Protect for M365, GCC, GCC High and SharePoint Server
NC Protect simplifies the management and protection of ITAR-controlled information in Microsoft 365, GCC, GCC High, SharePoint Server, and file shares. Attribute-based access control (ABAC) policies dynamically secure ITAR data access based on user nationality, location, device and file classification. Policies can also automatically apply encryption, visual markings, and other security trimmings to ensure ITAR data remains secure while auditing file access and actions.
Contact archTIS today to learn more about our information security solutions, specifically designed to meet the unique security and compliance needs of the Defense industry.
