Penalties get hefty fast when ITAR (International Traffic in Arms Regulations) technical data is mismanaged. In February 2023, the US State Department concluded a $20M settlement of alleged export violations by 3D Systems Corporation. Before that, Honeywell International was fined $13M by the State Department for unauthorized exports of dozens of technical drawings.
Today, ITAR compliance poses a significant challenge. To avoid steep fines and other penalties, and to help advance US national security goals, organizations that handle ITAR-controlled defense items need to understand the regulations and how to comply with them. We’ve written this blog to help. It explains your compliance obligations and how best to meet them, covering:
- What is ITAR?
- What is ITAR compliance?
- Who needs to be ITAR compliant?
- How can you be ITAR compliant?
- What are the ITAR penalties?
- ITAR carveout: Sharing ITAR data using end-to-end encryption
- ITAR and CUI overlap
- The ITAR compliance checklist: Key considerations
What is ITAR?
International Traffic in Arms Regulations (aka ITAR) govern the export of US defense and military products. ITAR controls implement the Arms Export Control Act (AECA) and are administered by the US State Department. The AECA and ITAR were adopted during the Cold War, when the need for broad export controls to keep US defense items and technology out of the hands of the USSR and the Soviet Bloc countries became evident.
ITAR controls apply to military-related items, which covers a far wider realm of products and services than the “Arms” in “ITAR” implies. Many items on the USML are clearly arms, such as guns, rockets and bombs, and the list wraps up with a catch-all category, “Articles, Technical Data, and Defense Services Not Otherwise Enumerated”. Just as important, every USML category also controls the technical data (drawings, specifications, software and similar information) and the defense services (installation, repair, training, consulting) related to the listed items, not only the hardware itself.
The Department of Defense (DoD), of course, has a strong interest in regulating military products as well, and so DoD works closely with the State Department on ITAR-related matters. Organizations that do work for the DoD need to know about ITAR.
What is ITAR compliance?
To be ITAR compliant, organizations that handle ITAR-controlled defense articles and services, including technical data, must receive prior authorization for any transactions related to those items (or meet exceptions to the rules).
Items subject to ITAR controls are listed on the United States Munitions List (USML). The USML is organized into 21 major categories of military products, running the gamut from Guns and Armament and Personal Protective Equipment, for example, to Spacecraft and Nuclear Weapons.
Any organization engaged in the United States in the business of the manufacturing, exporting or brokering of US defense articles or services on the USML is required to register with the State Department’s Directorate of Defense Trade Controls (DDTC). Today, there are approximately 13,000 defense companies, universities and research labs registered with DDTC.
After registration with DDTC, the next step is to identify all the ITAR-controlled items that your organization handles. Once you’ve identified those, you’ll need to obtain prior authorization for any related transactions you wish to engage in. Prior authorization is your only possible course of action; there is no after-the-fact approval.
Who needs to be ITAR compliant?
Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services on the USML is required to register with the Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations.
In order to avoid the severe penalties and negative consequences of noncompliance, take the time to determine which elements of ITAR, if any, need to be addressed in your compliance efforts.
The starting point for deciding whether you are responsible for ITAR compliance is to check whether your company’s products or services appear on the USML, remembering that technical data and defense services related to a listed item are controlled along with the item itself.
How can you be ITAR compliant?
There is no formal certification process to become ITAR compliant. Instead, there are certain standards that companies are expected to comply with.
Step 1: Register with the DDTC. Again, any organization engaged in the United States in the business of the manufacturing, exporting or brokering of US defense articles or services on the USML is required to register with DDTC. Registration must be renewed every 12 months. Submit your ITAR registration renewal documents at least 60 days before the expiration date of your registration, to ensure your compliance doesn’t lapse.
Step 2: Adopt an ITAR compliance program. A compliance program demonstrates that your company has a formal process for ITAR compliance and projects a sophisticated approach to managing these issues. DDTC strongly advises organizations engaged in the defense trade to establish and maintain an ITAR/export compliance program, and has issued guidelines to help them do so.
Step 3: Obtain prior authorization for all ITAR-controlled transactions. Identify all the ITAR-controlled defense articles, defense services and related technical data that your organization handles, and obtain prior authorization from DDTC for any related transactions you wish to engage in.
Step 4: Track ITAR-controlled items at all times. Know where those items are located and who has access to them. When items are transferred, keep records of where and to whom they are transferred, as well as details of any retransfers from there.
Step 5: Ensure your cloud storage is ITAR compliant. In 2020, the State Department issued a rule, known as the end-to-end encryption carveout, that allows organizations to send and store unclassified technical data with their supply chain or with persons outside the US, as long as the data is secured with end-to-end encryption. If the data is end-to-end encrypted (and meets the other criteria described below), the transmission or storage is not considered an export.
Check that your cloud service provider uses end-to-end encryption to support ITAR compliance. Done properly, this keeps technical data unreadable to the provider and to anyone other than the intended recipients, so a server breach or a misconfigured share does not expose the plaintext to foreign persons or foreign nations.
What are the ITAR penalties?
There are serious penalties for ITAR violations. The Arms Export Control Act sets civil penalties of up to $500,000 per violation (a statutory figure that is adjusted upward for inflation each year, so the current maximum is considerably higher), and criminal penalties of up to $1,000,000 in fines and up to 20 years imprisonment per violation. Violators may also be debarred from import/export activities, as individuals or as companies.
As recently as August 2022, the State Department banned 10 people from participating directly or indirectly in future ITAR related activities because they conspired to violate ITAR regulations.
Small contractors have also felt the brunt of ITAR fines. In 2017, Bright Lights USA, Inc., a manufacturer of basic spare parts for the DoD (e.g., rubber stoppers and grommets) with approximately 100 employees, was penalized with a civil fine of $400,000 for ITAR violations. Bright Lights had shared drawings of export-controlled components with foreign suppliers to get quotes without first obtaining the necessary ITAR export licenses. Bright Lights also failed to keep proper documentation of its ITAR-related transactions.
Sharing ITAR technical data using end-to-end encryption
Prior to March 2020, organizations effectively had to keep ITAR technical data on servers located within the US and managed by US persons, which in practice meant on-premises storage, because placing the data on a cloud server outside the US, or where foreign persons could access it, risked being treated as an export. In a global economy, these constraints became burdensome.
In March 2020 the State Department recognized that advances in cybersecurity could be leveraged without compromising national security goals and issued 22 CFR 120.54, aka the ITAR carveout for encrypted technical data. The carveout permits defense companies to send, store and share unclassified ITAR technical data without an export license, provided the exchange meets the rule’s criteria: the data is unclassified; it is secured with end-to-end encryption, meaning it is encrypted before leaving the sender and decrypted only by the intended recipient, with the means of decryption (the keys) never provided to any third party, the cloud provider included; the encryption is FIPS 140-2 compliant or of equivalent strength (AES-128 or better); and the data is not intentionally sent to or stored in a country proscribed under ITAR section 126.1 or in Russia. Handing a decryption key to a foreign person is itself an export.
This end-to-end encryption carveout allows organizations to leverage the cloud and streamline their ITAR data handling practices. End-to-end encryption, along with proper key management, provides a less expensive, more user-friendly alternative to traditional on-premises solutions without weakening the protection of the data.
ITAR and CUI overlap
Not all ITAR technical data is CUI (Controlled Unclassified Information), and not all CUI is ITAR. CUI is information that the government creates or that a contractor creates or handles for or on behalf of the government, whereas ITAR technical data can be created by a company without any government contract (export controlled information is, however, one of the categories in the CUI Registry, so ITAR data produced under a federal contract is typically CUI as well). Many organizations that handle ITAR data therefore also handle CUI. And organizations that handle CUI could find themselves subject to ITAR due to contract changes or modifications in the USML.
In addition to ITAR regulations, organizations handling ITAR data and CUI should be familiar with two DFARS clauses:
For CUI, there’s DFARS 252.204-7012. It focuses on the safeguarding of covered defense information and cyber incident reporting.
For ITAR data, there’s DFARS 252.225-7048 (Export-Controlled Items). It focuses on the safeguarding of export-controlled information in international collaborations and refers defense contractors to both the ITAR and the AECA.
Neither clause is optional. Given that organizations are often subject to regulation by both clauses, the best technical solution will satisfy the conditions of each clause simultaneously. PreVeil’s secure file sharing and email platform does exactly that.
ITAR compliance checklist: Key considerations
Some of the key considerations organizations should take into account when developing ITAR compliance programs include:
- Check if the defense products, technical data and/or services that you are exchanging are on the US Munitions List (USML) and are subject to ITAR.
- If any items are subject to ITAR, reduce the licensing burden of transmitting and storing unclassified technical data by using an end-to-end encrypted file sharing and email platform that meets the conditions of the ITAR carveout. Keep in mind that the data remains ITAR-controlled: recipients must still be authorized to receive it, and giving a foreign person the means to decrypt it is an export.
- Confirm that your encryption provider uses key management practices that ensure only the user has access to their private key and no one else, not even the provider. Manage data access through expirations that rescind access after a limited, pre-designated period of time.
- Exert granular control over access to ITAR-controlled data via read-only and view-only capabilities.
- Ensure that you have robust log management capabilities so you can readily discover who has accessed ITAR-controlled data.
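The last two checklist items, time-limited access grants and logs that reliably show who accessed ITAR-controlled data, can be demonstrated together. The following Python is an added example written for this post, not PreVeil’s code or any vendor’s: it keeps an append-only access log in which every entry commits to the SHA-256 hash of the entry before it, so that editing or deleting a past entry is detectable, and it evaluates a user’s access to an item from the grant, revoke and expiry events recorded in that same log. The event schema, field names, file names and e-mail addresses are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # the first entry chains to this fixed anchor


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization: the same entry always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AccessLog:
    """Append-only, hash-chained log of grants, revocations and accesses.

    Entry schema (an assumption for this example): seq, ts (ISO 8601),
    actor, action, item, prev (hash of previous entry), hash, plus optional
    fields such as grantee and expires for grant/revoke events.
    """

    def __init__(self):
        self.entries = []

    def append(self, ts: str, actor: str, action: str, item: str, **extra) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "item": item, "prev": prev, **extra}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) if intact, else (False, seq)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, None

    def accessors(self, item: str):
        """Everyone who actually viewed or downloaded the item."""
        return sorted({e["actor"] for e in self.entries
                       if e["item"] == item and e["action"] in ("view", "download")})

    def has_valid_access(self, user: str, item: str, now: datetime) -> bool:
        """Replay grant/revoke events up to `now`; the latest one wins,
        and a grant only counts while its expiry is still in the future."""
        expires = None
        for e in self.entries:
            if datetime.fromisoformat(e["ts"]) > now:
                break
            if e["item"] != item or e.get("grantee") != user:
                continue
            if e["action"] == "grant":
                expires = datetime.fromisoformat(e["expires"])
            elif e["action"] == "revoke":
                expires = None
        return expires is not None and now < expires


def build_sample_log() -> AccessLog:
    """Constructed sample events for one export-controlled drawing."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    item = "drawing-0412.pdf"
    officer = "export.officer@example.com"
    log = AccessLog()
    log.append(t0.isoformat(), officer, "grant", item,
               grantee="eng1@example.com",
               expires=(t0 + timedelta(days=7)).isoformat())
    log.append((t0 + timedelta(hours=1)).isoformat(), "eng1@example.com", "view", item)
    log.append((t0 + timedelta(hours=2)).isoformat(), officer, "grant", item,
               grantee="eng3@example.com",
               expires=(t0 + timedelta(days=30)).isoformat())
    log.append((t0 + timedelta(hours=2, minutes=30)).isoformat(),
               "eng3@example.com", "download", item)
    log.append((t0 + timedelta(hours=3)).isoformat(), officer, "revoke", item,
               grantee="eng3@example.com")
    # eng2 never received a grant; the attempt is logged as denied, not as access.
    log.append((t0 + timedelta(hours=4)).isoformat(), "eng2@example.com", "denied", item)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("accessed drawing-0412.pdf:", log.accessors("drawing-0412.pdf"))
    log.entries[1]["actor"] = "someone.else@example.com"  # simulate tampering
    print("after tampering:", log.verify())
```

In a real deployment the chain head (the latest hash) would be anchored somewhere the log’s own operators cannot rewrite, for example by periodically signing it or copying it to a separate system, since a hash chain alone only lets you detect that history was altered, not who altered it.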
PreVeil Supports ITAR Compliance
PreVeil understands the challenges that small to mid-size contractors must overcome to comply with ITAR. Its solution simplifies ITAR compliance because it meets each of the technical components of the ITAR carveout:
- PreVeil Drive and Email are grounded in world-class end-to-end encryption that meets FIPS 140-2 standards.
- With PreVeil, files, emails and data are only ever encrypted and decrypted on a user’s device. Information is never decrypted on any server anywhere. If attackers breach a server, all they will get is ciphertext they cannot decrypt. PreVeil also captures every file sharing and email transaction that contains ITAR data in immutable logs, which support ITAR compliance per DDTC guidelines.
- PreVeil has no access to keys, network access codes or passwords that enable decryption. Private keys are stored only on user devices, assuring that no one other than the sender and intended recipients can ever access your sensitive data, not even PreVeil.
Moreover, PreVeil is easy to use and cost effective for organizations with limited cybersecurity expertise and compliance resources.
Want to learn more about how to manage your ITAR data and meet compliance? Talk to our compliance experts.