July 5, 2017

    ITAR Compliance Requirements You Need To Know

    The International Traffic in Arms Regulations, or ITAR, is a set of government rules that control the export and import of defense-related articles, services and technology on the U.S. Munitions List (USML). It is a collection of critical compliance requirements that help to ensure defense technology and related technical information does not fall into the hands of anyone who is not expressly intended to have it.

    Organizations in the defense industry must fully understand if and how ITAR compliance requirements apply to them. Many mistakenly assume that this set of regulations only relates to tanks, missiles and weaponry, but in fact, it affects much more than that. In order to avoid the severe penalties and negative consequences of noncompliance, take the time to determine which elements of ITAR, if any, need to be addressed in your compliance efforts. Read on for answers to some fundamental questions regarding this matter.

    Who Needs to Be ITAR Compliant?

    Any company that does business with the U.S. military, as well as any organization that deals with information related to items, services or related data on the USML, must be highly aware of and fully compliant with ITAR. Understand that affected parties are NOT limited to government and military organizations. Also included are any third-party contractors that work with them, and all companies in the supply chain, such as:

    • Wholesalers
    • Distributors
    • Technical companies

    What’s on the USML?

    The USML comprises 21 categories of defense articles and services, as well as related technical data, pursuant to the Arms Export Control Act. The import and export of these items are controlled and regulated by the U.S. Department of State. The categories include:

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

    What Do I Need to Know About Technical Data?

    A protected article under ITAR is any technical data stored in any form (e.g., a document or other digital file) that contains information related to items or services designated on the USML. ITAR compliance is focused on ensuring this technical data is not inadvertently distributed to foreign persons or foreign nations.

    One key piece of information to keep in mind is that by law, data management and FTP providers are NOT considered to be an “exporter of data” in the same way your own organization might be. This means that the responsibility of maintaining ITAR compliance does not lie with your provider, but rather with your company and the individuals within your company or outside parties with whom the data is legally shared via the FTP provider.

    How Does ITAR Affect Data Management?

    To meet compliance requirements, any organization that falls under the jurisdiction of ITAR should design and implement a dedicated security policy, one that is fluid and continually updated to reflect the latest ITAR developments and compliance needs. This policy should include provisions for both physical and network security, addressing how your data is stored and accessed. In addition, it should have a detailed Incident Response Plan to help guide all relevant parties in the event of a breach.

    Following are some important steps to take in your efforts to meet your company’s ITAR obligations as they pertain to data management:

    • Institute a data classification system to guide any data leakage prevention implementation your business happens to use. Not every kind of data your business handles will need to be ITAR compliant, so the key is knowing which techniques to use on which types of data. All of your information should be classified into various categories for easy identification, like “Public Use,” “Internal Use Only,” “Confidential” and more.
    • Familiarize yourself with the types of situations you are likely to face and how they could put you in violation of ITAR. For instance, mistakes can and will happen, and accidental leaks due to user error or other oversights are quite common. It’s important to put a set of strict policies in place to help prevent users from taking data home to work on it, accidentally sending data using insecure channels and more.
    • Rely on proper encryption methods to protect data at rest, in use and in transit. At-rest encryption secures data while it is stored on servers, laptop or desktop hard drives and mobile devices. In-use encryption can prevent data from being seen by unauthorized users even if accessed by people with the appropriate permissions. In-transit encryption helps secure data that’s being transferred via email, a file sharing solution or another means.

    What Are the Penalties for ITAR Noncompliance?

    Once your company is registered with the State Department’s Directorate of Defense Trade Controls (DDTC), it’s critical you understand what is required to be ITAR compliant. Serious repercussions can occur if you violate ITAR, including civil fines as high as $500,000 per violation, criminal fines of up to $1,000,000 per violation and 10 years of imprisonment per violation. Additionally, you can be barred from future imports and exports.

    In order to avoid these detrimental consequences, it is crucial to evaluate your file sharing and data handling processes. Are you utilizing a solution that aids you in ITAR compliance efforts?

    Most providers are not required to maintain a comprehensive export compliance program, but there are those that offer options to assist you with these requirements. For example, FTP Today provides multiple security layers that customers can control, and it features a country blocker to prevent data from being transmitted outside the United States. This facilitates each customer’s management of their own compliance obligations while processing and storing data on FTP Today servers.

    There’s no room for noncompliance when it comes to meeting ITAR requirements. Can you confidently say that your current file sharing process satisfies this need? Find out by getting your free guide: Guidelines for ITAR Compliance and Sharing Your Technical Data.

    itar compliance guidelines

    Tag(s): Government

    Martin Horan

    Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.

    Other posts you might be interested in

    View All Posts