The ITAR (International Traffic in Arms Regulations) legislation details what measures businesses and individuals must take to comply with ITAR requirements and specifies severe penalties, both civil and criminal, for non-compliance. The reach of the regulations is broad and suppliers of all kinds may be subject to requirements to keep sensitive information secure and restricted.
Even organizations far down the supply chain may have ITAR obligations and the government has had little tolerance for breaches. If you supply goods or information for products that may eventually end up in military supplies, it is a good idea to review your ITAR status and possibly investigate whether your data handling meets the requirements specified.
Areas of ITAR Application
The ITAR legislation doesn’t just apply to companies that sell arms. It is framed so that anyone who buys, sells or distributes products that are on the USML (United States Munitions List) is subject to its requirements. The USML includes technology from aviation, space flight, computers and electronics as well as listing software and technical data. It also includes an item that covers anything not specifically listed but which may have been developed for military use or have military applications. Your business may be manufacturing a product destined for the maritime industry, for example, but it could still be on the list.
Consequently, if you produce, sell or distribute anything that could remotely have a military application, it’s worth looking at whether you are subject to ITAR compliance requirements. It is often difficult to determine if a business or individual might be subject to ITAR because many technologies originally developed for military applications are now broadly used in commercial products. To address the risk of ITAR non-compliance you can get an expert to evaluate your situation and you can implement security that satisfies ITAR requirements.
What are ITAR Non-Compliance Penalties?
Violation of ITAR regulations can lead to fines totalling millions of dollars as well as civil penalties and criminal charges. Companies may also be forced to undergo audits, participate in compliance training and upgrade their security practices to better ensure compliance in the future. The names of companies that have violated ITAR and the penalties are entered on a public list kept by the State Department and, for severe cases, companies may be banned from exporting certain classes of materials.
In one of the largest cases in 2010, BAE Systems PLC was fined $400 million for violating ITAR and a number of other regulations applicable to their exports. More recently, in 2014, Esterline Corporation was fined $20 million despite the fact that the lack of compliance was based on reviews of voluntary disclosure documents. In addition to fines, criminal charges can lead to prison terms and the imposed seizure or forfeiture of the materials in question can ruin a company.
What Are ITAR Compliance Requirements?
The intent of the ITAR legislation is to keep technically advanced goods and information that have military potential out of the hands of unfriendly foreign governments and organizations. Encryption is the only way to ensure the security of data that falls under these regulations. This means that regulated data on your IT networks, in the cloud and in transit must be encrypted at all times.
In particular, ITAR requires that a secure system have the following features:
- Strong encryption at all times
- Control of encryption keys by the owner of the data
- Data access limited to authorized individuals
- Strong authentication of authorized individuals
- Regular review of authorizations to limit access to those who need it
- Logging of all data access requests and associated details
- Notifications for changes to data or to files
While you will have to take additional steps, such as registering and obtaining licences, for your business to legally export or send abroad products and technical data covered under ITAR, implementing such security gives you the basis for ensuring compliance. With end-to-end encryption you can also be sure you don’t inadvertently violate ITAR regulations if your products or services have potential military applications.
End-to-End Encryption With CloudMask
The CloudMask platform gives you the capability to encrypt data and email as you type, before it leaves your computer or mobile device. The data stays encrypted and no third party, not the cloud service provider personnel, not government agencies and not even your own systems administrator has access to the decryption keys. You retain full control of your data until you authorize a specific individual to view information that you want to share.
Since you control access to the data, you can insist on strong authentication of the identity of authorized individuals and you can remove such authorization at any time, should access to the data no longer be required. Using CloudMask consistently for all your data storage and communication needs reduces the risk of ITAR non-compliance for your business and for yourself.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, Not Cloud Providers, Not Government Agencies, and Not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask
