Is your business subject to the commercial Export Administration Regulations (EAR) or their defense counterpart, the International Traffic in Arms Regulations (ITAR)? If so, there are some important security measures you should implement to align with these compliance standards. Before you can know how to comply with ITAR and EAR, you need to know more about the goals of these regulations and what they mean for your organization.
Export Administration Regulations (EAR)
To have a better grasp of what EAR compliance entails, you first need to learn more about EAR. Here are some common questions about EAR and the answers that will give you a deeper understanding of these standards:
What are the Export Administration Regulations (EAR)?
These are a series of regulations developed by the United States Department of Commerce that dictate how non-defense articles, services, and related technical data should be exported for companies in the aerospace and defense industry.
What is the definition of an export?
In the traditional sense, an export is the shipment of items out of an origin country. In terms of EAR, an export is considered to be any transmission of items – physical or digital – out of the United States. Under EAR, this can mean items, services, data, or technology. Specifically, regarding EAR, it’s the transfer of any of the listed items to a non-U.S. citizen.
What is the definition of technical data?
Essentially, EAR mandates cover technical data that is used for commercial purposes but is also related to controlled articles. Technical data is any information – digital or physical – needed in relation to controlled articles. This is information that can be used for design, development, production, operation, maintenance, or any other activity related to controlled articles. While technical data can be digital data, it can also include physical documentation like diagrams, instructions, blueprints and more.
ITAR
ITAR outlines how defense articles and services should be handled – primarily limiting use to U.S. citizens only. Here are a few questions about ITAR in relation to EAR. The answers to these questions should clarify what these two sets of compliance regulations have in common and how they differ.
EAR vs. ITAR: What are the major differences?
ITAR is strictly focused on the export of defense articles and services, with the primary objective being to keep these sensitive materials out of the hands of foreign nationals. ITAR applies to both government agencies and government contractors and subcontractors. To find the items covered by ITAR, look to the USML (United States Munitions List). EAR, in contrast, places a focus on commercial items or dual-use items.
What are “Dual-Use” items?
EAR focuses on the commercial aspect of data import and export. It applies to dual-use items, ones that can be used both for commercial and defense purposes. This can mean commodities like GPS systems, computers, and more. In addition to being used for defense purposes, they can also be used for nefarious means like terrorism.
Commerce Control List (CCL)
What is the Commerce Control List (CCL)?
The CCL is the U.S. Department of Commerce’s list of items restricted for export. These items are organized into ten different categories based on their type and function. Items on this list are subject to EAR export guidelines. If an item does not fall into one of these ten categories, it is then classified as EAR99, a category with minimal export restrictions.
What are the 10 categories of CCL-Controlled items?
The CCL encompasses a wide range of items. To help companies better identify which items are covered in their technology or data, EAR has organized these items into ten different categories:
- Nuclear Materials, Facilities, and Equipment, and Miscellaneous
- Materials, Chemicals, Microorganisms, and Toxins
- Materials Processing
- Electronics
- Computers
- Telecommunications and Information Security
- Lasers and Sensors
- Navigation and Avionics
- Marine
- Propulsion Systems, Space Vehicles, and Related Equipment
EAR and Information Security
Because data falls under both ITAR and EAR regulations, you need the appropriate security measures in place for data protection. In order to keep data secure, while also aligning with EAR and ITAR regulations (if applicable), you need to ensure you have the following measures in place:
Access Controls
Having the appropriate security strategy for the way you access data and grant access to your data is crucial. If there are vulnerabilities in the channels you have for data access, your information can easily be compromised. So, to protect data, take the following measures:
- Only use secure file sharing solutions to access data. Sensitive data should never be accessed via public computers, which can be easily compromised.
- You should use multiple authentication methods to verify a user’s identity before granting them access to data.
- Physical access should be restricted, in addition to digital access.
System Management
Information systems you use to store and share sensitive data should be regularly maintained. This means:
- Keeping anti-malware software up to date
- Maintaining physical hardware with updates and security patches
- Securely wiping electronic media
- Encrypting data stored on your systems
Transmission of Data
When transferring data, you should be vigilant in your efforts to keep your data secure. Using the following methods, you can mitigate the risk of an in-transit data compromise:
- Only transfer encrypted data
- Encrypt your wireless networks used to transfer data
- Monitor incoming and outgoing traffic for suspicious activity
- Detect and address data breaches as they occur
- Verify that all subcontractors are using appropriate data transfer security measures
Executable Software on Shared Systems
The way your systems are implemented and used can help you maintain data security. Using these actions, you can align with the appropriate security standards:
- Directories should have strict access permissions.
- Audit logs should be accessible for all activity dating back to initial system implementation.
- Systems should only be managed by U.S. citizens.
- Systems should be physically accessible to U.S. citizens only.
Aligning with EAR or ITAR regulations is an important objective for your organization. With the appropriate strategies and security measures in place, you can protect your data from compromise and your company from the consequences of noncompliance.
One measure that allows you to align with these compliance regulations is adopting a secure file sharing solution. Finding the right solution can help you keep your data protected, especially a solution with compliant security features built-in. You can’t afford to take chances when it comes to your sensitive data, and with the right solution, you’ll feel confident it is protected.