ITAR Compliance with End-to-End Encryption

This past March, the U.S. State Department adopted the ITAR carve-out for encrypted technical data. The carve-out, codified at CFR § 120.54, establishes that defense companies can now share unclassified ITAR technical data without an export license, so long as the data is properly secured with end-to-end encryption and the decryption keys “are not provided to any third party”.

According to the Federal Register:

“[P]roperly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import.”

Definition: ITAR technical data

Any information, including blueprints, documentation, schematics, flow charts, etc., needed for the design, development, manufacture, operation, maintenance or modification of items on the United States Munitions List (USML). This might include hardware specifications for a satellite, a bill of materials for the manufacture of a drone, or blueprints and photographs of facilities intended to support the manufacture and assembly of a ground vehicle.

 
This move by the State Department is important because it modernizes the approach companies can take to exchanging ITAR data. With this new capability in their arsenal, defense industrial base (DIB) companies can now exchange ITAR data up and down their supply chain in a manner that was not previously open to them.

End-to-end encryption carve out for ITAR

Previously, ITAR technical data had to be housed on cloud platforms that were difficult to use and expensive to manage. Additionally, these servers had to sit exclusively in US-based data centers staffed only by US persons. The new carve-out, however, frees technical data from many of these restrictions.

 
The ruling makes clear that end-to-end encrypted technical data can be stored on any cloud service that does not store data in a country hostile to the U.S. Additionally, the data can be accessed by US or authorized persons outside the US. The stipulations on this exchange are that:

  • The data is unclassified
  • The data is secured with end-to-end encryption and FIPS 140-2 validated algorithms
  • The cloud service provider cannot access the decryption keys
  • Data is not intentionally sent to a person in or stored in restricted countries
  • Data is not intentionally sent from a restricted country

This new guidance allows DIB companies to take advantage of the cloud in a way they were unable to in the past; end-to-end encryption along with proper key management makes that possible. Following these prescriptions, DIB companies can store their data in the cloud, send data to a US or authorized person overseas, and even store data outside the U.S., so long as it is not stored in a restricted country.

 

An example: Sending ITAR technical data overseas

A US defense company sends end-to-end encrypted ITAR technical data to a U.S. entity working at the company’s office in Germany. The State Department does not need to authorize the data’s export – unless it were being reexported to a restricted country or the Russian Federation.

How PreVeil meets the ITAR standards

With PreVeil’s end-to-end encryption and device-based keys, the platform easily meets the new ITAR standards. PreVeil’s Gov Community offering also stores ITAR data in AWS GovCloud datacenters, enabling easy compliance with other data residency requirements.
 
PreVeil’s platform uses end-to-end encryption to secure user data. End-to-end encryption ensures that data is encrypted on the sender’s device and is never decrypted anywhere other than on the recipient’s device. This ensures that only the sender and the recipient can ever read the information being shared, and no one else. Data is never decrypted on the server, so even if attackers successfully breach the server, all they obtain is unreadable ciphertext.
 
Additionally, in PreVeil no provider (including PreVeil) has access to keys, network access codes, or passwords that enable decryption. Private keys are stored on user devices only. Public keys stored on the server are encrypted, ensuring an attacker can never access them.
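The following Go program is an added illustration of the model the two paragraphs above describe (encrypt on the sender's device, store only ciphertext on the provider, decrypt only on the recipient's device). It is not PreVeil's code, and the page does not disclose PreVeil's actual protocol; the algorithm choices here (P-256 ECDH, HKDF-SHA256, AES-256-GCM), the `Envelope` format and the `kdfInfo` string are this example's own assumptions. The `main` function plays three roles in turn: the recipient's device, the sender's device, and a cloud relay that holds its own key but no one else's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is everything the cloud relay ever sees. It carries no key
// material that could decrypt the payload. (Constructed format, not PreVeil's.)
type Envelope struct {
	EphemeralPub []byte // sender's one-time P-256 public key
	Nonce        []byte // 96-bit AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM output with the 16-byte tag appended
}

// Hypothetical context string that binds derived keys to this protocol version.
var kdfInfo = []byte("itar-e2ee-example/v1")

// deriveKey is a single-block HKDF-SHA256 (RFC 5869) over the ECDH shared
// secret; the ephemeral public key serves as the salt.
func deriveKey(shared, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(shared)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(kdfInfo)
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes, used as the AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the sender's device. It needs only the recipient's public
// key, so the sender never handles a secret belonging to anyone else.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The ephemeral key is authenticated as associated data, so a relay that
	// swaps it for its own key breaks the GCM tag instead of gaining access.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt runs on the recipient's device, the only place the private key
// exists. Any other key (the relay's, an attacker's) fails authentication.
func Decrypt(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.EphemeralPub))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

func main() {
	// Recipient's device generates a key pair; only the public half leaves it.
	recipient, _ := ecdh.P256().GenerateKey(rand.Reader)
	msg := []byte("constructed sample: drone bill of materials, rev 3")

	env, _ := Encrypt(recipient.PublicKey(), msg) // sender's device
	fmt.Printf("relay stores %d ciphertext bytes and no keys\n", len(env.Ciphertext))

	relay, _ := ecdh.P256().GenerateKey(rand.Reader) // the provider's own key
	if _, err := Decrypt(relay, env); err != nil {
		fmt.Println("relay cannot decrypt:", err)
	}
	pt, _ := Decrypt(recipient, env) // recipient's device
	fmt.Printf("recipient reads: %s\n", pt)
}
```

Two design points matter for the carve-out's "no third party holds the keys" condition. First, the relay never receives any private key, so it cannot derive the AES key; the only way to read the envelope is to hold the recipient's private key, which stays on the device. Second, the algorithm families used here are FIPS-approved, but FIPS 140-2 validation attaches to a cryptographic module, not to an algorithm choice, so a real deployment must run these primitives inside a validated module to satisfy the bullet list above.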
 
Defense suppliers that rely on PreVeil are able to safely and securely exchange ITAR-related data with U.S. entities outside the U.S., as well as store ITAR data on servers overseas.
 

Learn more about how PreVeil can help you get on the path to ITAR compliance. Contact us.