International Traffic in Arms Regulations (ITAR) is a United States regulatory regime to restrict and control the export of defense and military related technologies to safeguard U.S. national security and further U.S. foreign policy objectives. The Department of State Directorate of Defense Trade Controls (DDTC) interprets and enforces ITAR.
The ITAR was developed originally to regulate military products and services. However, these controls also cover many products that are commercial in nature. Many of these items were developed originally for military purposes but have evolved into mainstream commercial products – in the electronics, navigation, computer security, maritime, aviation and other industries. Today it is often very difficult to determine if a product is subject to ITAR, and this presents a challenge for business executives. However, it is important to understand this distinction, especially for firms that provide products and services to government customers, to avoid costly legal violations.
At the core of the ITAR is a list of products called the U.S. Munitions List (“USML”). The USML contains a wide array of products as well as software, technical data and services. If a company’s product, software, technical data or services are identified on the list, the company is subject to the ITAR requirements.
Nowhere in the International Traffic in Arms Regulations (ITAR) is it spelled out what “ITAR certified” means. If you speak to different staff members of the Directorate of Defense Trade Controls (DDTC), you may get slightly different answers, but the generally safe definition is as follows:
For a company involved in the manufacture, sale or distribution of goods or services covered under the United States Munitions List (USML), or a component supplier to goods covered under the USML, the stipulation or requirement of being “ITAR certified (compliant)” means that the company must be registered with the State Department’s DDTC (Directorate of Defense Trade Controls), if required as spelled out on the DDTC’s web site at (http://pmddtc.state.gov/registration/index.html) and the company must understand and abide by the ITAR as it applies to their USML linked goods or services. The company themselves is certifying that they operate in accordance with the ITAR when they accept being a supplier for the USML prime exporter.
In other simpler words, to be ITAR COMPLIANT, a company needs to register with the DDTC and know what is required of them to be in compliance with the ITAR, and self-certify that they possess this knowledge.
The USML contains twenty-one broad categories of products, ranging from firearms and military vehicles to computers and communication equipment. As described above, the intent behind the regulations is to cover military products, however, over time the USML has expanded to cover many items that have become commercial in nature.
The U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant. Additionally, more and more companies are requiring that members of their supply chain be ITAR CERTIFIED or ITAR COMPLIANT. Language to that end is often contained in contracts, on purchase orders and request for proposals.
Assuming that you have educated and trained yourself in ITAR regulations, let’s turn attention to how we can protect you and your company from a cyber security perspective. It is imperative that you have controls in place to avoid spillage of ITAR controlled information outside of the logical, virtual and physical boundaries you will need to establish in order to meet ITAR regulations.
Spillage can result from:
- theft (via physical or electronic means);
- human error;
- configuration error;
- malware/system compromise etc.
Controls can take the form of a combination of DLP (Data Loss Prevention) appliances/software; encryption; 5th generation firewalls; Multi-Factor Authentication; media protection etc. In particular, training all staff that will be handling controlled information is especially important. (Recap: “You are expected to be educated and trained in ITAR regulations. Violating the ITAR may result in criminal or civil penalties, debarred from future exports, as well as imprisonment”)
Many organizations do not wholly deal with ITAR controlled goods or services. For some, it may in fact be only a small percentage of their business. For companies that come into the ITAR world “after the fact” and have an existing (perhaps complex) network infrastructure, the process of locking down and controlling access to sensitive data in that environment can be daunting and technically challenging. Security becomes a nightmare as the level of complexity increases, not to mention the cost of locking down legacy systems and retrospectively adding controls. An organization may also have a global footprint in multiple countries, which presents the need for additional controls and causes added complexity.
A simplified and elegant solution for some organizations is to create a separate “secure enclave” into which all ITAR controlled business systems and functions are moved. A secure enclave is simply a separate “air-gapped” network. Having controlled containment reduces the surface area across which data leakage can occur, reduces the “attack surface” that hackers can attempt to exploit and protects sensitive systems that are subject to ITAR controls. Despite the added cost of setting up a separate network, there can be a big cost savings because advanced controls such as DLP and Email Security systems only require licensing for the secure enclave users and securing a brand-new network from scratch is greatly simplified and faster. The benefits undoubtedly outweigh the added infrastructure in most use cases.
Data subject to ITAR or EAR (Export Administration Regulations) export control restrictions is referred to collectively as Controlled Information. NARA (National Archives and Records Administration) published 32 CFR Part 2002 Controlled Unclassified Information; Final Rule on September 14, 2016 and it became effective November 14, 2016. See https://www.federalregister.gov/d/2016-21665
Within this lengthy document, refer to https://www.federalregister.gov/d/2016-21665/p-90 for ITAR/EAR specific references, but the short version is that NARA decided that there would be no specific markups for ITAR controlled items when it issued its final ruling.
Since ITAR information is classified as Controlled Information, NIST 800-171 therefore applies, assuming that no classified information is involved.
NIST 800-171 consists of 109 mandatory controls, 62 additional NFO (non-federal organization) controls and a mandatory System Security Plan requirement. It stems from Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 which calls out NIST 800-171 and specifically applies to defense contractors, NASA, and GSA contractors.
The aforementioned “Secure Enclave” approach is an excellent model to consider when determining the best way to protect CUI.
Now that you know the criticality of ITAR Compliance and the penalties of failing to comply, it is important to understand how to secure your ITAR-controlled data. While data security will have different requirements for every company, here are some best practices to follow in securing ITAR data:
- Maintain an information security policy (met with our NIST 800-171 Policies document)
- Build and maintain a secure network. Install and maintain a 5th generation (aka next generation) firewall such as Forcepoint’s Stonesoft series and “air-gap” your secure-enclave from less secure LAN traffic.
- Implement DLP (Data Loss Prevention) controls to prevent the loss of ITAR-controlled data (we recommend Forcepoint DLP which includes ITAR-specific policies)
- Every user accessing ITAR controlled information must be uniquely identified and all access logged and authenticated (implement DUO Multi-Factor Authentication to ensure accounts cannot be compromised)
- Implement strong access control measures (met with our Access Control policies and Standard Operating Procedures)
- Maintain a vulnerability management program with tools that support the Security Content Automation Protocol (SCAP). (met with vulnerability scans using Tenable’s Nessus or Tenable.io.)
- At a minimum, laptops must be encrypted to protect sensitive data with encryption. (met with ESET encryption)
- CUI and ITAR information stored in a cloud resource must reside on a FedRAMP approved cloud provider. ITAR information must be encrypted to ensure that only US authorized users can access and view the data.
- Track and monitor all access to network resources and sensitive data (met with continuous monitoring and logging solutions such as Nagios, or LogRhythm. For a complete user community threat status, implement Forcepoint’s Sureview Insider Threat)
- Regularly test security systems and processes and secure against data loss (implement our Risk Assessment plan and remediate and mitigate accordingly)
- A mature network plan will also include an Incident Response plan COOP, and Disaster Recovery Plan (use our templates to help you create a plan for your network)
Talk to us! Techni-Core has real-world experience in securing sensitive networks. Our consulting services help guide you through the complexity of NIST compliance, compliance assessments and choosing the right technical controls for your organization. We have a mature set of NIST templates for NIST 800-171 and supportive documentation.
An initial meeting or telecon (with an NDA in place) will help us understand your organization, its infrastructure and the scope of what’s needed to get you on the right track to compliance. At Techni-Core, we have customers of all sizes, so whether you are a small company with one location and a few scattered employees or a multi-national enterprise with a global footprint, we’d like to engage with you.