Blog

ITAR Compliance with End-to-End Encryption

This past March, the U.S. State Department adopted the ITAR Carve-out for Encrypted Technical Data. The carve out establishes that defense companies can now share unclassified technical data outside the U.S. with authorized persons. This exchange can be done without requiring an export license so long as the data is properly secured with end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.
 

According to the Federal Register:

“[P]roperly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import.”

Definition: ITAR technical data

Any information, including blueprints, documentation, schematics, flow charts, etc. needed for the design, development, manufacture, operation, maintenance or modification of items on the USML. This might include hardware specifications for a satellite, a bill of materials for the manufacture of a drone, or blueprints and photographs of facilities intended to support the manufacture and assembly of a ground vehicle.

 
This move by the State Department is important because it modernized the approach companies can take to exchange ITAR data in foreign countries. With this new capability in their arsenal, DIB companies now have the ability to exchange data up and down their global supply chain in a manner that was not previously open to them.

End-to-end encryption carve out for ITAR

Previously, ITAR technical data had to exclusively sit in US-based data centers that could only employ US persons. The new carve out however makes technical data free from many of the restrictions these rules implemented.

 
The ruling makes clear that end-to-end encrypted technical data can be accessed by US or authorized persons outside the US. The stipulations on this exchange are that:

  • The data is unclassified
  • The data is secured with end-to-end encryption and FIPS 140-2 compliant algorithms
  • Cloud services provider can’t access the decryption keys
  • Data is not intentionally sent to a person in or stored in restricted countries
  • Data is not intentionally sent from a restricted country

This new guidance provides DIB companies with the ability to now take advantage of the cloud in a way they were unable to in the past. End-to-end encryption along with proper key management makes that possible. Following these prescriptions, DIB companies can also now send data to a US or authorized person overseas or even store data outside the U.S. so long as it is not stored in a restricted country.

 

An example: Sending ITAR technical data overseas

A US defense company sends end-to-end encrypted ITAR technical data to a U.S. entity working at the company’s office in Germany. The State Department does not need to authorize the data’s export – unless it were being reexported to a restricted country or the Russian Federation.

How PreVeil meets the ITAR standards

With PreVeil’s end-to-end encryption and device-based keys, the platform easily meets the new ITAR standards. PreVeil’s Gov Community offering also stores ITAR data in AWS GovCloud datacenters, enabling easy compliance with other data residency requirements.
 
PreVeil’s platform uses end-to-end encryption to secure user data. End-to-end encryption ensures that data is encrypted on the sender’s device and is never decrypted anywhere other than on the recipient’s device. This ensures that only the sender and the recipient can ever read the information being shared–and no one else. Data is never decrypted on the server, thus even if attackers successfully breach the server, all they will get is gibberish.
 
Additionally, in PreVeil no cloud services provider (including PreVeil) has access to keys, network access codes, or passwords that enable decryption. Private keys are stored on user devices only. Public keys stored on the server are encrypted, ensuring an attacker can never access them.
 
Defense suppliers that rely on PreVeil are able to safely and securely exchange ITAR related data with U.S. entities outside the U.S. as well as store ITAR data in servers overseas.
 

Learn more about how PreVeil can help you get on the path to ITAR compliance. Contact us.