- Why Sharetru?
- Learning Center
Is your business subject to ITAR or EAR regulations? If you’re unsure, it’s essential that you find out – fast. Otherwise, you could face serious consequences for noncompliance. To find out which regulations your business is subject to, explore what ITAR and EAR cover and how a file sharing solution can make compliance easier.
ITAR regulates the export of defense articles and services with the objective to keep materials out of the hands of foreign nationals. These regulations apply for both government contractors and subcontractors, and the articles and services covered by these regulations are outlined in the United States Munitions List (USML).
Even if your company doesn’t make missiles or tanks, you could still be required to align with ITAR. The USML a wide range of products, services, and technical data, like vehicles, ammunition, aircraft, and more. But it also covers articles you may not expect, like military training materials, classified articles, and other data.
ITAR specifically controls the import, export, and temporary import and export of products, data, and services covered on the USML. Sending an ITAR-covered document via email is considered export of data, so companies must be particularly attentive to how their data is shared.
While it might sound straightforward to keep USML-subjected articles restricted to approved U.S. citizens only, this can be more complex than it seems. It could mean the access of a foreign national, even one employed by your own company, would need to be restricted to protect sensitive hardware and data.
EAR covers the commercial component of product and data import and export. It applies to dual-use items, which are available both for commercial sales and government use, like GPS systems or high-performance computers.
Items subject to EAR are enumerated on the Commercial Control List (CCL) in a few categories of products or services:
Nuclear and Miscellaneous
Materials, Chemicals, Microorganisms, and Toxins
Sensors and Lasers
Navigation and Avionics
Aerospace and Propulsion
As each of the categories are broad, your company would likely need to conduct a little research or connect with a U.S. Department of Commerce, Bureau of Industry and Security (BIS) official to determine if your products fall into one of these categories. The BIS is the government agency in control of regulating and enforcing EAR compliance.
It’s easy to say that ITAR covers the export of all defense-related materials and items, and EAR covers everything else. But, untangling these similar, yet different regulations can take some time. Now that you have a better idea of what ITAR covers and what EAR covers, look at the three main areas where these regulations diverge:
Regulating Body: ITAR is regulated by the U.S. Department of State, Directorate of Defense Trade Controls (DDTC), while EAR is regulated by the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
Regulated Items: ITAR covers all defense articles and services, while EAR covers commercial and dual-use items and technologies.
Where Regulated Items are Listed: You can find ITAR-covered items on the United States Munitions List (USML), while EAR items are listed on Commercial Control List (CCL).
This summary of the variances shows that while different, in many ways ITAR and EAR are parallel regulations. And in the end, they both have the same goal – to protect sensitive materials or items from falling into the wrong hands.
You probably already know about the serious consequences that could come with failure to comply with government regulations. With ITAR and EAR, failing to comply with either regulation could cost your company a substantial amount in fines and lost business. You could even face more serious consequences like criminal charges. So, it’s imperative that you have the controls in place to maintain compliance.
One of the first steps you should take to safeguard against noncompliance is to adopt a secure file sharing solution. Because both regulations deal with not only hardware but data as well, you need a way to share that data both internally and externally without compromising sensitive information.
While you might not be “exporting” in the traditional sense, you may be sharing and sending information to other parties. Exporting data is a daily occurrence in most businesses today. If you’re sending ITAR or EAR-related information both internally and to your clients, you need to set standards to keep your data safe, regardless of who is sharing it and who they are sharing it with.
When using a secure file sharing solution, you have the tools needed to keep your data safe. ITAR, in particular, outlines a number of ways you need to protect your data, broken into four categories:
Don’t access data via public computers. Secure file sharing solutions allow you to restrict access by IP address, so accounts and data are only accessed from approved, secure computers.
Account access can only be granted through authentication methods. This means accounts must be protected with usernames, passwords, SSH keys, etc.
ITAR-regulated data must be physically protected. Choose a FTP provider operating out of a secure location.
Regularly update malware prevention software. Top FTP hosts will manage and update all software security measures.
Hardware providing access to controlled data should be current on security patches and updates. Your file sharing host will maintain the secure solution for you.
Electronic media should be wiped in accordance with NIST 800–88. Top file sharing solutions comply with this mandate, as should your company.
Data must be encrypted when stored. This is one of the primary functions of a secure file sharing solution. In a top file sharing solution, data is encrypted automatically.
Transmission of Data
Don’t transmit unencrypted data. Using a secure file sharing solution, administrators can enforce data encryption as a file sharing requirement.
Wireless networks should be encrypted. This falls under the responsibility of the company, not the FTP host.
Monitor inbound and outbound traffic. Industry-leading file sharing solutions provide activity logs to show who is accessing data. You can also control access based on country and IP address.
Detect data breaches when they occur. Using a file sharing solution like FTP Today, you’ll be protected by intrusion detection and prevention measures to prevent unauthorized access.
Subcontractors must align with regulations. As a subcontractor, top file sharing solution hosts guarantee that your data will not be mishandled on their end.
Executable Software on Shared Systems
Directories containing software will have strict access permissions. If you choose a FTP solution like FTP Today, the host ensures that all software is contained in isolated directories.
Audit logs are enabled and backed up. Your FTP host provides logs that are preserved as long as you need them.
Systems should be managed only by U.S. citizens. FTP Today, for example, only employs U.S. citizens to ensure compliance with this regulation.
Only U.S. citizens should have physical access to systems. The best FTP hosts ensure security at the locations of their physical infrastructures.
Ultimately, the best way to cover your bases when it comes to all of these regulations is to choose a file sharing solution that can keep you compliant and your data secure. A file sharing host can focus on the complexities of compliance as it relates to file sharing, and you can turn your attention back to your business.
Do you want to learn more about how to stay compliant with ITAR regulations? Explore this guide on ITAR compliance and its impact on data sharing.
Founder of Sharetru (Formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.
Get industry-leading thought leadership content to stay informed, delivered to your inbox.