Many people in your industry or others impacted by ITAR (International Traffic in Arms Regulations) are probably asking themselves, “Do we really need to be ITAR compliant?” or “Do we need ITAR certification?”
Explore this article on how to be ITAR compliant and what ITAR certification means for your company.
Who Needs ITAR Certification?
First, we need to dispel a myth about ITAR certification – it doesn’t really exist. You don’t receive ITAR certification from any organization. Instead, you comply with ITAR regulations, and you register with the Directorate of Defense Trade Controls (DDTC) to get approval to import and export products, data, and services covered by those regulations. So, if you hear the term “ITAR certification,” it’s likely someone is just referring to ITAR compliance.
To put it simply, if you import or export items on the USML (United States Munitions List), you should get approval from the DDTC. The registration process acts as a means for the U.S. government to know which companies are involved in the import and export of ITAR-controlled data, products, and services.
It’s important to note that simply registering with the DDTC doesn’t mean that you’re ready to begin trading. This is the first step in a long process to ensuring you’re ITAR compliant. So, it’s imperative that you check (and double check) the USML to determine if your company is actually subject to ITAR.
What Should ITAR Compliance Look like for Your Organization?
ITAR regulatory compliance doesn’t need to be a major burden hanging over your head. When you have an understanding of the goal of ITAR – to keep sensitive defense information and tools out of the hands of foreign nations – you can take practical steps to meet that requirement.
It is essential that you align with ITAR requirements if you’re subject to them. This not only protects sensitive government information, it also protects your business from the huge risks that come with noncompliance. Businesses that are noncompliant can face civil fines as high as $500,000 and criminal fines as high as $1 million. Such high fines could bankrupt many companies. You could be blacklisted from getting government contracts, and in some extreme cases, you could face up to ten years of imprisonment per criminal violation. These are risks that you and your business can’t afford to take.
Although you are required to be compliant with all of the regulations, some of them may not apply to your business. So, it’s important that you know which specific regulations you need to align with to stay compliant.
What are the Guidelines for ITAR Compliance?
For ITAR compliance, there are three areas of your business operations that you need to pay attention to: access controls, systems management, and data transmission. To make sure each of these areas of your business is ITAR compliant, there are a few specific steps and safeguards you should implement under each category.
Access Controls
To promote ITAR compliance in your company, you need systems in place that restrict who has access to your controlled information. These restriction measures are threefold:
- Prevent transmission of data via public computers.
- Require user-specific login credentials (i.e., usernames/passwords and user certificates).
- Protect access to physical locations where data is stored.
System Management
In addition to controlling access to your systems, you also need to properly manage and maintain your systems in alignment with ITAR regulations.
- Regularly update malware protection software.
- Implement security patches and updates on computers storing controlled data.
- Use NIST 800-88 Guidelines for Media Sanitization to wipe data off of unused devices.
- Encrypt all controlled information stored on computer and mobile devices.
Transmission of Data
If you want to avoid the risks of noncompliance, it’s imperative that the way you share data, both with internal and external parties, is compliant. Because controlled information is a digital treasure trove for hackers, the following steps are crucial measures to take.
- Always use encryption methods when transferring or emailing controlled information.
- Encrypt wireless networks that are used to access controlled information.
- Monitor inbound and outbound network traffic, and block unauthorized traffic.
- Use firewalls, router policies, intrusion prevention/detection systems, or host-based security services to detect data extraction.
- Only transmit controlled data to subcontractors on a need-to-know basis, and ensure they’re aligning with ITAR standards, as well.
The guidelines could include mandates like:
- Never send sensitive data via email
- Never share your username or password with anyone
- Never access our systems using an unauthorized computer or device
Once you have the guidelines outlined, they should be communicated to your team, along with the expectation that they should follow these mandates to the letter. It also might be wise to share them with your subcontractors so they know what expectations they are held to, as well.
In addition to a Technology Transfer Control Plan, you should also consider adopting a secure file sharing solution to help you maintain your ITAR compliance. Top secure file sharing solutions, like Sharetru, have ITAR-compliant security measures and access controls built in.
Sharetru, for example, ensures that data is always housed on U.S. soil and that only U.S. citizens are employed by the company. That helps you avoid the noncompliance that would follow from inadvertently granting access to sensitive data to a foreign national who works for a subcontractor. Sharetru also enables IP address restrictions and country access restrictions, giving you maximum control over who can access your data and from what location.
An ITAR compliant file sharing solution has all of the measures needed to ensure compliant data transfers already built into the solution before you even adopt it. This means instead of implementing your own encryption methods, you can rely on theirs. Instead of trying to make all of your employees follow best practices like never using a public computer, you can just use Sharetru’s IP address restrictions to ensure access is only granted to pre-approved devices. The minute you adopt Sharetru, all the essential features you need to maintain ITAR compliance are at your fingertips.
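As an added illustration, not Sharetru’s code or any product’s API, the access checks described in this section (user-specific credentials, pre-approved IP ranges, U.S.-only country access, and a need-to-know restriction to U.S. persons) are reduced to one policy function in Python. The CIDR ranges, the country list, the geo-lookup result and the `us_person` flag are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: pre-approved device ranges and U.S.-only access.
# These are documentation-reserved ranges, not any organization's real addresses.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]
ALLOWED_COUNTRIES = {"US"}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    country: str          # assumed to come from an upstream geo-IP lookup
    has_user_cert: bool   # was a user-specific certificate presented?
    us_person: bool       # assumed HR-verified U.S. person flag (need-to-know gate)


def evaluate(req: AccessRequest) -> tuple:
    """Decide whether a request may reach controlled data; returns (allowed, reason)."""
    if not req.has_user_cert:
        return False, "missing user certificate"
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False, "unparseable source address"
    # Device restriction: only pre-approved ranges, so public computers are refused.
    if not any(ip in net for net in ALLOWED_CIDRS):
        return False, f"source {ip} not in pre-approved ranges"
    # Country restriction: controlled data is not served outside the allowed countries.
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"access from {req.country} not permitted"
    # Need-to-know: foreign nationals (e.g. at a subcontractor) are denied.
    if not req.us_person:
        return False, "requester is not a verified U.S. person"
    return True, "allowed"


def audit(requests) -> list:
    """Evaluate a batch of requests and return one log line per decision."""
    lines = []
    for r in requests:
        ok, why = evaluate(r)
        verdict = "ALLOW" if ok else "DENY"
        lines.append(f"{verdict} user={r.user} ip={r.source_ip} reason={why}")
    return lines
```

Every denial carries its reason, so the returned lines can be fed straight into the traffic monitoring the previous section calls for.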
As you think about your own ITAR guidelines and expectations for your company, consider your options for a file sharing solution carefully. While many solutions may claim to be secure, not all have the features needed to keep your business truly ITAR compliant.