The United States is likely to spend more than $700 billion on national defense in 2022. A big portion of that budget will be spent on contracts with third-party businesses — contractors who provide products, materials and services to the U.S. military. But, if you want to work with the U.S. military, you need to understand ITAR compliance and how it empowers you to secure a contract.
If your business would like to work with the U.S. military, or continue to work with the U.S. military, here’s a look at everything you need to know about ITAR — and ITAR compliance requirements.
What is ITAR? The acronym stands for International Traffic in Arms Regulations, and it represents a series of regulations designed to protect military- and defense-related technologies that are vital to the defense of the United States and its citizens.
There is no single ITAR law. Rather, ITAR rules and regulations were created as a series of laws put into place in the 1970s during the heart of the Cold War. At that time, ITAR and its regulations were meant to limit the export of arms in a way that mirrored regulations limiting the export of arms in the portions of Eastern Europe under Soviet influence. Specific ITAR regulations prevented U.S. individuals and businesses from engaging in the exchange of specific products, goods and materials with certain foreign nations.
You might imagine these products, goods and materials to be ammunition, weapons, military-grade vehicles, etc. And you would be correct. But there’s a much broader interpretation of products, goods and materials that can threaten national defense, including telecommunications equipment like satellites and materials used to build and launch satellites.
While the Cold War ended with the fall of the Berlin Wall and the breaking up of the Soviet Union, ITAR remained in place. In fact, the United States has greatly increased its enforcement of ITAR in the 21st century. The United States charged 12 parties with ITAR-related breaches between 1976 and 1998. Since 1999, the United States has charged 29 parties with ITAR-related breaches.
It’s easy to conflate ITAR with Export Administration Regulations (or EAR). Some may say that ITAR limits the export of products, goods and materials related to national defense — and that EAR limits the export of non-defense-related products, goods and materials. But the differences are more nuanced than that.
What is the difference between ITAR and EAR? The differences fall into these 3 categories:
These lists are subject to adjustment as national defense and security needs evolve over time. But, as of now, the USML includes items in 21 categories:
This list is constantly evolving, and ITAR categories (and specific materials within each category) are designed to evolve with the changing defense environment. For example, the suspected use of directed energy weapons against U.S. diplomats has been in the news recently, and the specific items within the directed energy weapon category have also recently changed.
The specific categories on the CCL are slightly different than the ITAR categories:
As you can imagine, there’s likely overlap in the “nuclear weapons, design and testing related items” category on the ITAR USML and the “nuclear and miscellaneous” category on the CCL.
What is ITAR certification? This is a bit of a trick question. There’s no such thing as ITAR certification. There’s no test to take or course to be passed. Instead of certification, ITAR relies on compliance. Any organization that is compliant and remains compliant with ITAR then earns approval to “import and export products, data and services” covered by ITAR.
Here in the 21st century, as ITAR compliance enforcement by the U.S. government increases, the focus of ITAR has shifted. As conceived in the 1970s, ITAR attempted to limit the trade of military-related products, goods and materials to specific countries. But, in the modern age, ITAR is more focused on how third parties transmit information related to military-related products, goods and services. Cyber warfare is a reality in 2021 and beyond in a way that it was not during the Cold War. The U.S. relies on ITAR to protect its land and citizens from breaches related to third parties transmitting militarily sensitive information in a non-secure manner. ITAR data is now just as important and relevant as ITAR products, goods and materials.
What ITAR compliance requirements does your organization need to follow? The requirements fall into 3 broad categories:
Who has access to information inside your organization? Given the sensitive nature of military-related information, it’s essential that your organization have in place a method for restricting access to specific team members and third parties. (Also, keep in mind that certain employees may struggle to meet ITAR requirements.)
Focus on protecting the physical locations where sensitive data and information may be stored. Also, you must require login credentials specific to individual users to gain access to stored data and information. Finally, you must prevent any and all transmission of data via public computers.
The system you use for managing sensitive data and information must be installed and maintained in a way that meets ITAR requirements. Today, these system management requirements fall into 4 categories:
Eventually, you’ll need to share sensitive data or information with the U.S. military or other third parties. Data transmission is one of the most at-risk activities, which is why ITAR includes stringent regulations for how to transmit this sensitive data. Follow these 5 best practices to remain ITAR compliant with your data transmission:
When in doubt, follow ITAR compliance best practices to ensure that you don’t violate specific regulations.
When you need to know how to make an ITAR compliant file transfer, it’s easy to get overwhelmed by all of the regulations. But rest assured you can use tools designed for ITAR compliance that make it fast and easy to securely transfer files — tools like The GOVFTP Cloud by FTP Today.
We designed The GOVFTP Cloud to solve compliance issues for organizations striving to follow ITAR. Our GOVFTP Cloud product provides compliant infrastructure and a compliant platform so that government contractors and other third parties can focus on their core business without worrying about ITAR violations. You can even use our Country Blocker feature to ensure that sensitive data can only be shared and accessed within the United States.
In addition to Defense Industrial Base contractors, companies in the aerospace industry and other sectors that often do business with the U.S. military trust our ITAR-compliant FTP solution. Communicate confidently with the U.S. military and government when you choose The GOVFTP Cloud by FTP Today. When you’re ready to make ITAR compliance easy, get in touch with us to learn more about The GOVFTP Cloud.
Arvind is Director of Compliance and Programs at FTP Today. He came to FTP Today with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such at Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.