In February of 2023, the US State Department concluded a $20M settlement of alleged export violations by 3D Systems Corporation. Before that, Honeywell International was fined $13M by the State Department for unauthorized export of dozens of technical drawings. Both were the result of mismanagement of ITAR (International Traffic in Arms Regulations) data.
Today, ITAR compliance poses a significant challenge to many global corporations. It’s important for these organizations to understand how to correctly control ITAR data in order to avoid steep fines and other penalties that can result from mismanagement. To help, we’ve put together this blog as a guide.
Download our free whitepaper on how to facilitate ITAR compliance
The U.S. Department of State has recently taken action that recognizes that technological advances in cybersecurity can simplify ITAR compliance without compromising national security goals. Check out our ITAR white paper to learn more.
In this blog we’ll break down what the regulation means and look into what companies can do to best manage their compliance responsibilities. We’ll look at:
- What is ITAR Compliance?
- Who needs to follow ITAR compliance mandates?
- How do I achieve ITAR Compliance?
- What are the penalties for not complying with ITAR?
- Sharing ITAR data using end-to-end encryption
- ITAR and CUI overlap
- The ITAR compliance checklist
What is ITAR Compliance?
International Traffic in Arms Regulations (ITAR) is a set of regulations administered by the State Department to control the export and import of defense and military-related technologies on the United States Munitions List (USML). The goal of the legislation is to control access to these specific types of technology and their associated data.
In order to be ITAR compliant, companies must be able to track ITAR data at all times: they must know what data is protected under ITAR, where that data is located, and who has access to it. When data is transferred, organizations must also be able to record who the data is transferred to, as well as the details of any further transfers from there.
Today, approximately 13,000 defense companies, universities and research labs handle defense and military technologies. ITAR compliance says that these institutions may only share items on the USML with US persons unless otherwise authorized. If a product is on this list (see below), it is subject to these controls.
Categories on the United States Munitions List
- Firearms, Close Assault Weapons and Combat Shotguns
- Guns and Armament
- Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
- Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
- Surface Vessels of War and Special Naval Equipment
- Ground Vehicles
- Aircraft and Related Articles
- Military Training Equipment and Training
- Personal Protective Equipment
- Military Electronics
- Fire Control, Range Finder, Optical and Guidance and Control Equipment, Night Vision Goggles
- Materials and Miscellaneous Articles
- Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
- Spacecraft and Related Articles
- Nuclear Weapons Related Articles
- Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
- Directed Energy Weapons
- Gas Turbine Engines and Associated Equipment
- Submersible Vessels and Related Articles
- Articles, Technical Data, and Defense Services Not Otherwise Enumerated
Who needs to follow ITAR compliance?
Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services is required to register with the Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations.
Many mistakenly assume that this set of regulations only relates to tanks, missiles and weaponry, but it affects a much broader set of technical data related to defense. In order to avoid the severe penalties and negative consequences of noncompliance with the State Department’s directorate, take the time to determine which elements of ITAR, if any, need to be addressed in your compliance efforts.
The easiest way to know if you are responsible for ITAR compliance is to see if your company’s product is on the Munitions List or not.
How do I achieve ITAR Compliance?
There is no formal certification process to become ITAR compliant. However, there are certain standards companies are expected to follow and comply with.
The first step a company should take is to register with the State Department. Specifically, the company must register with the Directorate of Defense Trade Controls (DDTC).
The second step a company should take is to adopt an ITAR Compliance Program. A Compliance Program demonstrates that your company has a formal process for ITAR compliance and projects a sophisticated approach to managing these issues.
The third step is ensuring your cloud storage is ITAR compliant. You need to ensure that technical data is not accidentally distributed to foreign persons or foreign nations. Traditionally, this standard is met by ensuring all data centers are managed solely by US Persons in US locations and data is not shared outside of the US.
That’s not the only way anymore. In March 2020 the State Department issued a ruling that companies can share unclassified technical data with their supply chain or with persons outside the US, as long as the data is secured with end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.
What is unclassified technical data?
Information, other than software as defined in 22 CFR 120.10(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or altering of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
What is a US person?
A U.S. person is someone who is a lawful permanent resident of the US. The term also covers any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States, as well as any governmental (federal, state or local) entity.
What is an export?
An export is the actual shipment or transmission out of the United States of ITAR data, including the sending or taking of a defense article out of the United States in any manner. Any release in the United States of technical data to a foreign person is also deemed to be an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.
Penalties for ITAR noncompliance
There are serious penalties imposed for any ITAR violations, including civil fines up to $500,000, criminal fines up to $1,000,000, and up to 10 years imprisonment per violation. Restrictions may also apply to your import/export activities as an individual or as a company. As recently as August 2022, the State Department banned 10 people from participating directly or indirectly in future ITAR related activities because they conspired to violate ITAR regulations.
In January 2020, Airbus entered into an agreement with the US Government. The government charged that Airbus had attempted to violate bribery provisions of the Foreign Corrupt Practices Act (“FCPA”) and ITAR regulations. The charge stems from Airbus’s failure to disclose political contributions, commissions or fees to the U.S. government as required under ITAR.
Large primes have also felt the brunt of ITAR fines. In 2017, the State Department charged Bright Lights USA, Inc. with an ITAR violation. Bright Lights often looked to foreign suppliers for the parts needed to manufacture its products. However, Bright Lights often sent drawings of export-controlled components to foreign suppliers to get quotes without first obtaining the necessary ITAR export licenses.
The State Department concluded that Bright Lights had major compliance deficiencies and charged them with a number of violations. While the government could have pursued criminal, civil and administrative enforcement for ITAR violations, the company was only required to pay a $400,000 civil penalty.
Secure sharing of ITAR data with end-to-end encryption
Until March of 2020, companies had to store all ITAR data on servers located within the US. The servers were staffed by US persons, who protected the data through the use of on-premises storage. However, in a global economy these regulations have become burdensome.
In March 2020 the State Department issued Regulation 120.54, the ITAR Carve-out for Encrypted Technical Data. The carve-out establishes that defense companies can now send, store, and share unclassified ITAR technical data without requiring an export license. In order for the carve-out to apply, organizations must ensure that the data is properly secured with end-to-end encryption using FIPS 140-2 (or its successor) validated algorithms. Additionally, the decryption keys must “not [be] provided to any third party”.
According to the Federal Register:
“[P]roperly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import.”
The ruling makes clear that end-to-end encrypted technical data can be stored on any cloud service, as long as the service is not located in a country hostile to the U.S. and the data can be accessed by US persons. The only stipulations on this exchange are that:
- The data is unclassified
- The data is secured with end-to-end encryption and FIPS 140-2 compliant algorithms
- Cloud services providers or any third parties cannot have access to the decryption keys
- Data is not purposely sent to a person in or stored in restricted countries
- Data is not purposely sent from a restricted country
This new guidance provides defense companies with the ability to now take advantage of the cloud in a way they were unable to in the past. End-to-end encryption, along with proper key management, provides a less expensive, more user-friendly alternative to traditional on-premise solutions, while maintaining a gold standard of security.
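The property the carve-out rests on is that a storage or transport provider only ever holds ciphertext while the decryption key stays on the users' devices. The following added example (not PreVeil's code or any code from the original post) models that with two devices exchanging AES-256-GCM-encrypted data over a key derived from X25519; the names `Device`, `Seal` and `Open` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device is an endpoint; its X25519 private key never leaves it, only the public half is shared.
type Device struct{ priv *ecdh.PrivateKey }
func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv}, nil
}
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }
// aead derives an AES-256-GCM key from the X25519 shared secret with peer
// (SHA-256 stands in for a full KDF such as HKDF to keep the example short).
func (d *Device) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail here
	return cipher.NewGCM(block)
}
// Seal encrypts for peer; the blob (nonce||ciphertext||tag) is all a storage provider holds.
func (d *Device) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := d.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand is treated as infallible (documented for Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open decrypts a blob from peer; a wrong key or a tampered blob fails the tag check.
func (d *Device) Open(peer *ecdh.PublicKey, blob []byte) ([]byte, error) {
	gcm, err := d.aead(peer)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("cannot open blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

AES-GCM and SHA-256 are FIPS-approved algorithms, but the carve-out asks for FIPS 140-2 validated implementations, which is a property of the cryptographic module in use, not of the algorithm names alone.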
ITAR and CUI overlap
Many organizations handling ITAR data also handle controlled unclassified information (CUI). Like those handling ITAR data, those handling CUI are responsible for compliant data identification, location, access, transfer, tracking, and remediation.
There are two clauses organizations handling ITAR data and CUI must be familiar with. For CUI, there’s DFARS 252.204-7012. It focuses on the safeguarding of defense information and cyber incident reporting. For ITAR data, there’s DFARS 252.225-7048. It focuses on the safeguarding of information in international collaborations.
Neither clause is optional. Given that organizations are often subject to regulation by both, the best technical solution will satisfy the conditions of each clause simultaneously. PreVeil’s secure file sharing and email platform does exactly that.
ITAR compliance checklist for protecting your data
The following checklist represents some of the key issues companies should look at when developing their ITAR compliance programs.
- Determine whether the information or products you are sharing are on the US Munitions List (USML) and therefore subject to ITAR
- If the information is subject to ITAR, avoid challenging and burdensome export controls by using end-to-end encrypted email and file sharing to protect USML data.
- Make sure your encryption provider uses key management practices that ensure only the user has access to their private key.
- Manage data access through expirations
- Make sure you have granular access to files through Read only and View only capabilities
- Ensure that you have log management so you can see who has accessed files.
PreVeil Enables ITAR Compliance
With PreVeil’s end-to-end encryption and device-based keys, the platform easily meets the ITAR carve-out standards. PreVeil’s Gov Community offering also stores ITAR data in AWS GovCloud data centers, enabling easy compliance with other data residency requirements.
Additionally, in PreVeil no one has access to keys, network access codes, or passwords to enable decryption. Private keys are stored on user devices only. Public keys stored on the server are encrypted, ensuring an attacker can never access them.
Defense suppliers that rely on PreVeil are able to safely and securely exchange ITAR related data with U.S. entities outside the U.S. as well as store ITAR data in servers overseas.
Want to learn more about how to manage your ITAR data and meet compliance? Talk to our compliance experts.