End-to-End Data Protection for ITAR Compliance

End-to-End Data Protection for ITAR Compliance: A new approach eradicating time-consuming compliance and quickly ensuring the security

The International Traffic in Arms Regulations (ITAR) governs the manufacture, sale, and distribution of defence and space-related articles and services as defined in the United States Munitions List (USML).

ITAR compliance is designed to control access to the various types of technology and information associated with ITAR-controlled organisations. It is in place to prevent the disclosure of sensitive data and so safeguard US national security.

Organisations controlled by ITAR are encouraged to create ITAR compliance programmes for record-keeping, including identifying, receiving and tracking ITAR-controlled items and technical data.

Who needs to be ITAR compliant? 

Put simply, any company that handles, manufactures, designs, sells and/or distributes items on the USML needs to be ITAR compliant. That list includes:

  • Wholesalers
  • Distributors
  • Computer Software
  • Hardware Vendors
  • Third-party Suppliers
  • Contractors

Any company that supplies the US State Department or sits in its supply chain must comply with ITAR. This applies from manufacturing through to the end user: for example, if a part is sold to a foreign power, every company involved with that unique product, or adaptation of a COTS product, violates ITAR.

The Directorate of Defence Trade Controls required companies to have an export license to export technical/classified and unclassified data within the ITAR definition.

The penalties for ITAR non-compliance

Any person/organization that violates any provision of the ITAR can face:

Civil Fines

  • Up to $500K per breach

Criminal Fines

  • Up to $1 million per breach
  • or 10 years imprisonment per breach

Securing critical data along its entire journey

In March 2020, the Department of State amended the rule to modernise business processes and simplify compliance. The act was amended to state that an export license is no longer required as long as data is protected using ‘end-to-end encryption and FIPS 140-2 validated algorithms’ with no access to the keys by a third party, including the service provider.

This new approach could eradicate time-consuming, program-by-program compliance and give companies the ability to quickly and effectively achieve security throughout the entire defence program supply chain.

With a single, end-to-end encryption solution, the entire supply chain can be secured. Indeed, by dropping an enforcement point on each supplier’s network, every piece of data is secured and every part of the supply chain will meet ITAR demands.

Understanding the ITAR end-to-end encryption rule

When you evaluate your current security stance against the rigorous requirements of ITAR, relying on Virtual Private Networks (VPN), Software Defined Wide Area Networks (SDWAN), encrypted MPLS and encrypted cloud onramps would not be adequate. While these technologies do protect a portion of the data journey, they may not be FIPS 140-2 certified and do not separate the key ownership from the key management.

True Zero Trust, as defined by the National Institute of Standards and Technology (NIST), necessitates that rules definition and rules application be undertaken by separate individuals/organisations to minimise any opportunity for security compromise.

In practical terms, organisations requiring ITAR compliance must have control over and manage network encryption keys, while the administration of network encryption should be handled by a separate team or organisation, such as a third-party supplier. It’s critical to note that the administration team should not have access to key production or distribution, and vice versa. 

Additionally, it’s important to recognise that a third-party IT provider cannot obtain an ITAR certificate on behalf of any businesses that supply to the US Department of Defence. The business must take full responsibility for the cryptographic key management.

The Certes Networks ITAR Compliance solution

Securing the complex supply chain for any defence contract is a priority – whether it is a sub-contractor sharing technical drawings, software or photographs or highly confidential information relating to the program delivery between the prime contractor and the US DoD.

High Assurance Data Protection from Certes Networks is a patented, ITAR-compliant solution that delivers end-to-end FIPS 140-2 encryption with a clear separation of duties, using a network-agnostic transparent overlay to ensure the security of the entire supply chain.

It removes the administrative pain and overhead of achieving program-by-program ITAR certification while also ensuring prime contractors can always access and utilise the best products and solutions available.

To find out more about how Certes can help you become ITAR compliant, contact us here.