Mandatory audits for data protection and control under ITAR/EAR begin at varying levels from 2020, so it is now more important than ever to thoroughly understand the levels of compliance provided by various vendors. Misleading claims can cause confusion and put your government contracts at risk.
ITAR WARNING – “This item is subject to the Arms Export Control Act (22 U.S.C. 2778) and the International Traffic in Arms Regulations (22 C.F.R. Parts 120-130). A prior authorisation or license from the U.S. State Department Directorate of Defense Trade Controls is required to export, re-export, transfer or re-transfer this item abroad, either in its original form or after being incorporated into other end items.“
Whether you have never seen an ITAR Export Controlled Item warning before or you have written one to inform your customers of regulatory restrictions on your products, it is important to understand the regulations involved. The International Traffic in Arms Regulation (ITAR) regulation helps keep American weapons technology safe from bad actors that would use it against us and our allies.
Defense articles, subsystems, and components of such systems that are regulated under ITAR are defined in the United States Munitions List (USML). The USML covers everything from firearms, guns and optics in categories 1 and 2 to missiles and nuclear weapons in categories 4 and 16 respectively. A quick side note for the uninitiated, firearms and guns are defined differently: kinetic weapons propelled by chemically energetic materials with a bore equal to or less than .5 inches are firearms while larger diameter bores are classified as guns.
Who Does ITAR Impact?
ITAR affects any person or organization that has possession of, manufacturers, intends to manufacture, or an exporter/importer of items on the US Munitions List. Technical diagrams, drawings and schematics are also regulated. As mentioned previously it is a broad scope that is necessary to protect defense articles. You can find ITAR regulatory impacts from hunters with high end optics to aero-space manufacturers working on projects for the DoD.
Manufacturers of defense articles have a necessary burden on their shoulders to protect this technology. Prior to producing dUSMLefense articles a manufacturer must first register with the Directorate of Defense Trade Controls (DDTC) to ensure compliance. This registration helps the U.S. Government protect and control defense technology. Additionally, ITAR registration is often a precondition for additional Government requirements. Large DoD contractors often require their manufacturing partners and suppliers to be ITAR compliant as well.
As with many federal regulations there is some impact on individual persons. However, thankfully the impact can be summed up rather simply: Don’t transfer defense articles to or from foriegn nationals/entities.
A Necessary Burden For Small Business
Let’s be clear: small businesses bear the brunt of most of the regulation. Small budgets paired with regulations that require advanced technology and highly skilled security personnel don’t work well together. To make matters worse there are very few vendors that are able or willing to provide services for the small defense article manufacture community. Even fewer provide compliance services at a reasonable cost. Having worked in this industry for years, I have seen the toll this exacts.
Stiff penalties for compliance violations can be shrugged off by larger organizations, but are almost always a death nail for small-to-medium businesses. Compliance violations can result in fines of $500,000 per violation for civil penalties and criminal penalties of fines of $1,000,000 per violation and imprisonment of up to 20 years pursuit U.S.C 22.2778c.
In September of 2019 L3Harris (i.e. Harris Corporation) Technologies reached an agreement with the US Department of State to pay $13 million for 131 violations committed between 2013 and 2015. This is simply the latest violation amongst many. Luckily for the Harris Corporation their $7.4 billion annual revenue will keep them from going under. Doubtless smaller companies won’t even make the news as they shut their doors under the weight of ITAR violations and the consequences of non-compliance.
“Cocoon Data have US patents on tying together encryption keys, access control policies and identity verification. Most other vendors don’t get this. I say to you – ‘What’s the point of encrypting something if you don’t know WHO the person the system is issuing the key to – or under what policy?’ For example, do you really know it’s Mary Moorehouse and that she has the right clearance to decrypt a classified file? What if she leaves the company, or the classification is upgraded – how will you automatically prevent her obtaining access? What if she has moved or is traveling internationally? That’s a breach of ITAR. Understanding the requirements and repercussions is paramount, as it’s your companies government contract and old FTP protocols or permissionless storage (most) often does not cut it”
– Trent Telford, CEO – Cocoon Data
Innovative Compliance Tools
The good news is that it’s no longer difficult to store, share and collaborate on ITAR regulated material in a compliant way. American innovation once again provides solutions for small businesses to stay ITAR compliant without breaking the bank. Cocoon Data’s Cocoon Data for ITAR is a mature document sharing platform that allows users to store, share and collaborate on documents in the cloud. Cloud collaboration allows users to edit documents containing ITAR regulated material without downloading data to the device. With smart data management and state of the art security hosted on a FedRAMP certified system the compliance offering from Cocoon Data is rock solid. But arguably the best aspect of the solution is the user experience. Users and administrators benefit from well designed solutions that remove unnecessary complexity while maintaining granular security controls. No complex setup is required either: deployment and setup can be completed within minutes.