The aerospace industry is a big business — and it’s only going to get bigger in the coming years. In 2020, the global aerospace industry reached $298 billion. That figure is expected to grow to $430.9 billion by 2025 (an expected 45% increase in 5 years). The size of the industry and it’s expected growth is even more impressive when you consider the many aerospace industry regulations that companies must adhere to.
The challenge with operating in aerospace is that almost everything designed, built or created has defense-related implications. Indeed, trade organizations (like the Aerospace Industries Association) and the U.S. government have established stringent regulations and security frameworks to prevent the aerospace industry’s products and data from falling into the wrong hands.
These regulations can be burdensome for aerospace companies. But they can also represent an opportunity for aerospace companies to put into place the right tools and technologies for making compliance easier and more automated.
Here’s a look at the most relevant aerospace and defense industry regulations — the AIA’s NAS9933, NIST SP 800-171, ITAR and EAR — plus a rundown of how aerospace companies can benefit from compliance.
Cybersecurity is particularly important within the aerospace industry because of the many cybersecurity challenges that companies in this space experience.
First and foremost, the aviation industry relies heavily on new technologies for advancement and innovation. As aviation has become more and more digital, the risk of cybersecurity threats has become more and more prominent. The aerospace industry has also experienced an increase in its sheer volume of technology, which opens up new front doors for cyber-attacks.
Compounding matters is this: Hackers are better than ever at gaining access to restricted systems. Traditionally, there’s been a lack of cybersecurity standards used by companies in the aerospace industry. The regulations you see below help create standards that compliant organizations must follow to safeguard sensitive files and data.
The Aerospace Industries Association (AIA) has published an aerospace cybersecurity standard known as NAS9933. The AIA is made up of representatives from across the aerospace industry, including those who work specifically on aircraft, spacecraft and general defense.
NAS9933 was designed to provide “dynamic, risk-based assessments and solutions” to cybersecurity threats, and to act as a “supplement” to requirements outlined by the U.S. Department of Defense (more on federal regulations below). Specifically, NAS9933 was written so that it can be implemented by smaller organizations just as easily as large ones.
There’s no NAS9933 certification process. Rather, organizations operating in the aerospace industry choose to align with NAS9933 standards, which include 22 control families — each of which is organized into five capability levels. These capability levels recognize that AIA members “vary in size, in the sector, and the level of necessary security” — hence the dynamic framework.
While alignment with NAS9933 standards is voluntary, organizations in the aerospace industry may find that prospective clients and/or partners require NAS9933 alignment before entering into a business relationship.
While the AIA’s NAS9933 was created specifically for the aerospace industry, the National Institute of Standards and Technology (NIST) provides a cybersecurity standard for a much broader constituency. NIST’s SP 800-171 applies specifically to aerospace and defense companies, providing guidelines for identifying cybersecurity risks, protecting systems, detecting incidents, responding to breaches, and recovering any data lost during a cybersecurity breach.
SP 800-171, first published in 2015, includes 110 security controls that organizations must have in place to secure their files and data. SP 800-171 is more comprehensive than NAS9933, but NAS9933 is more specific to the aerospace industry. Both stands are accepted by the U.S. Department of Defense.
The International Traffic in Arms Regulations (better known as ITAR) were designed to keep defense-related items and technology away from anyone who should not have access to them: adversarial nations, terrorists, etc. ITAR works in tandem with the United States Munitions List (USML), which outlines the items and technologies that are governed by ITAR.
ITAR regulates not only physical access to and the physical trade of everything on the USML, but it also regulates technical data related to everything on the USML. The munitions listed on the USML fall into 21 different categories. For example, ITAR regulates physical access to “launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs and mines,” according to Category IV of the USML, and it also regulates technical data related to each. The USML covers a broad range of defense-related categories, including nuclear weapons, biological agents and more.
Naturally, ITAR creates a set of aerospace and defense industry regulations given that the USML includes so many aviation-related items. Specifically, the USML’s Category VIII relates to “aircraft and related articles,” and its Category XV relates to “spacecraft and related articles.”
To what types of individuals and companies is ITAR relevant? ITAR is important for third-party suppliers, contractors, wholesalers, distributors, hardware and software providers, and anyone else who is participating in the defense-related supply chain. Put another way, if you want to be a part of the manufacturing of anything that could be construed as a weapon based on the USML, you have to ensure that you are ITAR compliant.
How does ITAR affect your IT or IT Support? A lot of companies in the United States, including many in the aerospace industry, hire outside contractors to run their IT infrastructure, platform, or applications. In many cases, these contractors may not be U.S. based. The U.S. State Department has advised that foreign nationals with access to your IT systems, as well as ITAR-related controlled files, is strictly prohibited under ITAR. This includes if the person is merely an administrator of a system. The State Department has also advised that if your company stores data in the cloud, you should not use a cloud service provider who will store your data in foreign countries where foreign national employees will have access.
As you can see, ITAR compliance means taking precautionary measures to secure data and information. There are specific rules for access controls, systems management, transmission of data, and executable software on shared systems. To learn more, download our guide on how ITAR, EAR, and DFARS requirements impact your information systems.
The United States’ Export Administration Regulations (or EAR) are sometimes confused with ITAR, but there are slight differences that companies in the aerospace industry need to know. EAR, which is managed by the Commerce rather than State Department, specifically limits the export of “controlled” items. Under EAR, companies can export EAR-controlled technologies and products to foreign countries as long as the information related to, or the technology itself, meets certain encryption standards, and the company meets other requirements of the regulation.
Just as ITAR uses the USML as its guide for what is regulated and what is not, EAR uses the Commerce Control List (or CCL). The CCL includes items broken down into 10 categories:
Similar to the USML, the CCL includes categories that are directly relevant to anyone working in the aerospace industry. Items in Category 8 (Navigation and Avionics) and Category 10 (Propulsion Systems, Space Vehicles, and Related Equipment) limit any aerospace company’s ability to export their products as well as technical data related to their products. Technical data would specifically include diagrams, blueprints, designs, plans, etc.
There is significant overlap between the items on the USML and the items on the CCL, which means there’s significant overlap between EAR vs. ITAR and their regulations for aerospace companies. (This is similar to the AIA’s NAS9933 and NIST’s SP 800-171, which also include similar guidelines.) We recently wrote about ITAR and some of the nuances between what it covers vs. what EAR covers in general. Here are some of the broader takeaways for aerospace companies.
You already know that ITAR works off the USML and that EAR works off the CCL. These lists are created and managed in separate agencies of the U.S. federal government. ITAR and the USML sit within the Department of Defense, while EAR and the CCL sit within the Department of Commerce. ITAR and the USML are targeted at the control of defense-related items. EAR and the CCL are targeted at commercial items that could be used or repurposed for defense purposes. Again, there’s natural overlap in what each covers.
Aerospace companies are sometimes forced to keep up with sudden changes in how items are regulated by ITAR and EAR. For example, satellites have shifted in the past 40-plus years from the USML to the CCL, which means their regulation has shifted from ITAR to EAR. From 1976 to 1996, commercial satellites were listed on the USML. From 1996 to 1998, commercial satellites were moved to the CCL. Then, in 1998, commercial satellites moved back to the USML. In 2014, commercial satellites shifted back to the CCL — where they remain today.
This demonstrates that there’s a gray area between ITAR vs. EAR compliance. It’s often best to address the regulations within each at the same time to keep up with the shifting nature of what’s included on the USML vs. what’s included on the CCL.
Compliance with standards like NAS9933, SP 800-171, ITAR, EAR and others is undoubtedly relevant to aerospace companies. If your business is able to master compliance with these regulations, it can enjoy a series of benefits:
It’s exceedingly difficult (and expensive) for an aerospace company to build out and maintain its own systems for storing and sharing files and data governed by ITAR, EAR and other regulations. That’s why we launched our GOVFTP CLOUD as a service that makes it easy for aerospace companies and others to comply with aerospace industry regulations.
When you use GOVFTP Cloud by FTP Today, your files are secured both at-rest and in-transit. Your files are stored only in the United States in ITAR compliant data centers with only U.S. persons. Your users are forced to use compliant passwords and encryption. Your folders are fully secured so that only authorized users can gain access. And auditors can quickly and easily verify that your systems are compliant at any time. You can even limit access to certain files by country.
Get started with GOVFTP CLOUD today. Get in touch with us to ask questions or to get a brief demo of what this ITAR- and EAR-compliant solution can do for your business.
Arvind is Director of Compliance and Programs at FTP Today. He came to FTP Today with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such at Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.