Most organizations, especially those in the defense trade, are finding themselves on the spot when their prime contractors ask them whether they are ITAR Certified and ITAR Compliant. Some contractors even want to know the steps you're taking to meet this regulation.
As a chief information security officer, you've probably heard of CCPA and GDPR compliance and their role in protecting consumer data. But how well versed are you in the International Traffic in Arms Regulations (ITAR)?
We have compiled this ultimate guide to ITAR Compliance, including what you should do to get a certification, the penalties for violating ITAR, and an ITAR compliance checklist.
What Is ITAR?
ITAR refers to the International Traffic in Arms Regulations, a U.S. government law that controls the manufacture, sale, and distribution of items on the United States Munitions List (USML), which comprises space- and defense-related articles and services. The regulation is enforced by the DDTC (Directorate of Defense Trade Controls) in the U.S. Department of State. It is aimed at limiting access to technical data and physical materials related to military and defense technologies.
Currently, around 13,000 organizations, including universities, research labs, and defense companies, handle and work with the Department of Defense. Considering how sensitive their data is, ITAR controls are necessary to prevent this information from falling into the wrong hands. So, according to ITAR, these institutions can only share articles on the USML with a U.S. citizen or a permanent resident, unless they are authorized otherwise.
There are three aspects of ITAR: defense articles, defense services, and related technical data.
- Defense articles: There are 21 categories, which include the following controlled items:
- Firearms and Related Articles
- Guns and Armament
- Ammunition and Ordnance
- Launch Vehicles, Ballistic Missiles, Guided Missiles, Bombs, Rockets, Torpedoes, & Mines
- Incendiary Agents, Explosives and Energetic Materials, Propellants, and Their Constituents
- Special Naval Equipment
- Ground Vehicles and Surface Vessels of War
- Aircraft and Related Articles
- Military Training Equipment and Training
- Personal Protective Equipment
- Military Electronics
- Fire Control, Laser, Imaging, and Guidance Equipment
- Materials and Miscellaneous Articles
- Toxicological Agents, Such as Biological Agents, Chemical Agents, and Associated Equipment
- Spacecraft & Related Articles
- Nuclear Weapons & Related Articles
- Technical Data, Classified Articles, and Defense Services That Are Not Enumerated
- Directed Energy Weapons
- Gas Turbine Engines & Associated Equipment
- Submersible Vessels & Related Articles
- Technical Data, Articles, and Defense Services Not Otherwise Enumerated
- Defense services: This involves military training of foreign forces and units, offering controlled technical data to foreign persons, and providing assistance for the use, operation, modification, maintenance, testing, or repair of defense articles.
- Technical data: ITAR data includes classified information on the defense services and articles, software used with the defense articles, and any other information involving the defense articles.
Compared to the export controls set out in the Export Administration Regulations (EAR), ITAR regulations are stricter since they address matters of national security.
What Is Required for ITAR Compliance?
To become ITAR compliant, you need to first fulfill the regulatory requirements. Here's a quick compliance checklist.
- Determine your jurisdiction: You need to determine whether your products fall under ITAR or EAR jurisdiction. If they appear on the U.S. Munitions List, you should be registered with the State Department. If you're unsure which government agency has jurisdiction, submit a CJ (Commodity Jurisdiction) request to the Directorate of Defense Trade Controls.
- Review the ITAR requirements: Find out everything about ITAR and how it impacts your operations. For instance, the president can add more controlled items to the USML as authorized by the Arms Export Control Act (AECA). So, technically, ITAR only implements the rules of the AECA.
- Register with the DDTC: The registration process is pretty straightforward: you pay the required fees and complete the registration form. You should then collect the supporting documentation and upload it to the site. After that, it takes roughly 45 days for your application to be reviewed.
- Use the U.S. Munitions List to classify your products: There are 16 sections of the USML, divided as follows: one addresses the general list, seven are reserved for future use, and the rest add to and describe the USML further.
- Determine the end-user and end-use of your product: This checklist item has three elements. First, determine how you intend your products to be used and who will be using them. Then check the Export Administration Regulations to identify prohibited destinations. Finally, make sure to screen all partners that you trade with.
- Apply for an export license: You can do this through the State Department, or through the BIS (Bureau of Industry and Security) if your items are not on the USML and therefore fall under its jurisdiction.
- Comply with the reporting requirements: Make sure you record all ITAR activities and ensure these records are readily available for inspection by the DDTC. Your recordkeeping should be near-perfect; insufficient records could result in hefty penalties.
- Create an ITAR compliance program: The DDTC strongly recommends that all companies in the defense trade have an export compliance program (ECP) in place to protect sensitive data about defense technologies.
Who Needs to Be ITAR Compliant?
If your institution manufactures, designs, distributes, handles, or sells items on the USML, you need to be in compliance. Other organizations that should be in compliance include distributors, wholesalers, computer hardware/software vendors, contractors, and third-party suppliers. It's important to note that all companies within this supply chain should be in compliance. For instance, if you sell your goods to company B, which then re-exports or re-transfers them to foreign nationals, you'll also be considered in violation of ITAR.
According to ITAR regulations, only a U.S. person is allowed to access products on the USML. This means that even if you run a company with overseas operations staffed by foreign persons, they can't access ITAR data. There is, however, an exemption to this rule: you can share this data if you have authorization from the State Department.
Please note that even though the DDTC is in charge of managing which companies can deal in USML products, it's up to you to establish policies that will help you remain in compliance.
What Is the Penalty for Violating ITAR?
ITAR violations attract stiff penalties, as highlighted below:
- Criminal fines: up to 10 years imprisonment and/or $1 million per violation.
- Civil fines: up to $50,000 per violation.
Several companies have paid hefty fines for ITAR violations, but two of the most well-known cases involve ITT and FLIR Systems. ITT was fined $100 million in 2017 for illegally exporting night vision technology. FLIR Systems, on the other hand, took a $30 million fine for giving dual-national employees access to ITAR data.
What Is the Best Way to Secure ITAR Data?
Considering how severe the fines are for violating ITAR regulations, you should use multiple layers of security to protect sensitive data. Here are some of the principles that you should follow.
- Identify & secure all sensitive information and then classify it based on your business policies.
- Map the data to determine who has access to it, and then review the file permissions of those users.
- Manage access control by identifying users that are inactive and then deactivating them. You should also manage group and user memberships and remove global access groups.
- Monitor all data and create an audit report on all events and activities. Be on the lookout for security breaches, malware, misconfigurations, and insider threats.
- Create and maintain an information security policy.
- Create a vulnerability management program.
- Monitor and test your networks regularly.
- Ensure that everyone who can access sensitive information has a unique ID, including third-party vendors.
- Install and maintain firewall configurations.
You should also encrypt all sensitive data so that it remains protected even if it falls into the wrong hands.
Top ITAR Compliance FAQs
- How can I determine whether my ITAR data has been accessed?
Collaborate with a reputable security company to install alerts that are triggered every time your data is accessed or unusual activity is noticed. This way, you'll be able to detect and flag any suspicious behavior for investigation. Keep a detailed audit trail for the DDTC.
- How can I remain compliant with ITAR regulations?
Once you register with the DDTC, ensure you renew your registration every year. We recommend that you submit your renewal documents at least 60 days before the expiration of your registration. This way, the documents will be processed before the deadline lapses.
- What are the qualities of a good ECP?
Your export compliance program should be clearly written down and documented. It should also be supported by the management and tailored to suit your organization's needs. Finally, make sure you review and update it regularly, especially if there are significant changes in your organization, such as a new partner.
How UpGuard Can Help You Meet Compliance
If you're looking for a reliable solution to help you achieve compliance, UpGuard can help. UpGuard is setting the standard for third-party risk and attack surface management to ensure all your sensitive information is safe. Our platform has helped millions of companies monitor their vendors and prevent data breaches, which is why it's the go-to solution for data-conscious organizations.
Let us help you keep your data secure. Start a free trial with UpGuard today.