Satisfy both DFARS and ITAR Requirements with NIST 800-171
Data subject to ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations) export controls is, for purposes of the federal CUI program, Controlled Unclassified Information (CUI). NARA (National Archives and Records Administration) published 32 CFR Part 2002, Controlled Unclassified Information, as a final rule on September 14, 2016, and it became effective November 14, 2016. See https://www.federalregister.gov/d/2016-21665
Within this lengthy document, https://www.federalregister.gov/d/2016-21665/p-90 carries the ITAR/EAR-specific discussion. The short version is that NARA created no separate marking scheme for ITAR-controlled items in the final rule: export-controlled information is handled as a CUI category (listed as "Export Controlled" in NARA's CUI Registry) and is marked and safeguarded under the same program as other CUI.
Because ITAR-controlled technical data is CUI, NIST SP 800-171 applies to any nonfederal system that stores, processes or transmits it, assuming no classified information is involved. For DoD contractors the contractual trigger is DFARS 252.204-7012, which requires NIST SP 800-171 for systems handling covered defense information.
Our Approach to ITAR compliance – The “Secure Enclave” Model
A simplified and elegant solution for some organizations is to create a separate "secure enclave" into which all ITAR-controlled business systems and functions are moved. A secure enclave is a separately segmented network with its own boundary controls; it may be physically air-gapped, but more often it is isolated from the general-purpose LAN by a firewall that permits only explicitly approved traffic. Containing the controlled data in one place reduces the surface across which data can leak, shrinks the attack surface an adversary can exploit, limits the NIST 800-171 assessment scope to the enclave rather than the whole enterprise, and protects the systems subject to ITAR controls. Despite the cost of standing up a separate network, there is often a net saving, because advanced controls such as DLP and email security only need to be licensed for enclave users, and securing a new network from scratch is simpler and faster than retrofitting an existing one. The caveat is scope discipline: the moment an ITAR drawing is e-mailed from a corporate mailbox or copied to a shared drive outside the enclave, that system is in scope too, so the boundary has to be enforced technically (DLP, egress filtering, separate accounts) and not only by policy. In most use cases the benefits outweigh the added infrastructure.
Does this affect me?
At the core of the ITAR is a list of products called the U.S. Munitions List (“USML”). The USML contains a wide array of products as well as software, technical data, and services. If a company’s product, software, technical data or services are identified on the list, the company is subject to the ITAR requirements.
Becoming ITAR Compliant
Nowhere in the International Traffic in Arms Regulations (ITAR) is it spelled out what “ITAR certified” means. If you speak to different staff members of the Directorate of Defense Trade Controls (DDTC), you may get slightly different answers, but the generally safe definition is as follows:
For a company involved in the manufacture, sale or distribution of goods or services covered under the United States Munitions List (USML), or a component supplier for goods covered under the USML, the requirement of being "ITAR certified (compliant)" means two things: the company must be registered with the State Department's DDTC (Directorate of Defense Trade Controls) where registration is required, as spelled out on the DDTC's web site at http://pmddtc.state.gov/registration/index.html, and the company must understand and abide by the ITAR as it applies to its USML-linked goods or services. By accepting a supplier role for a USML prime exporter, the company is certifying that it operates in accordance with the ITAR.
In simpler words, to be ITAR compliant a company needs to register with the DDTC (if required), know what the ITAR requires of it, and self-certify that it meets those requirements. There is no government-issued ITAR certificate; DDTC registration is a notification, not an approval of the company's compliance program.
The USML contains twenty-one broad categories of products (Categories I through XXI), ranging from firearms and military vehicles to computers and communication equipment. The intent behind the regulations is to cover military products; over time, however, the USML has expanded to cover many items that have become commercial in nature.
ITAR compliance affects you and your supply chain
The U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to comply with the ITAR, which for most of them begins with DDTC registration. Increasingly, prime contractors also require members of their supply chain to be "ITAR certified" or "ITAR compliant"; language to that effect is often found in contracts, on purchase orders and in requests for proposals.
ITAR Data Security Recommendations
Now that you know why ITAR compliance matters, it is important to understand how to secure your ITAR-controlled data. Data security requirements differ for every company, but the following practices map onto the NIST 800-171 control families and are a sound baseline for ITAR data:
- Maintain an information security policy (met with our NIST 800-171 Policies document)
- Build and maintain a secure network. Install and maintain a next-generation firewall such as Forcepoint NGFW (formerly the Stonesoft series) and segment the secure enclave from less trusted LAN traffic with a default-deny policy (NIST 800-171 3.13.1, boundary protection). A firewall-separated enclave is segmented, not air-gapped; if a true air gap is required, no network path at all may exist between the enclave and the rest of the LAN.
- Implement DLP (Data Loss Prevention) controls to detect and block ITAR-controlled data leaving the enclave by e-mail, web upload or removable media (we recommend Forcepoint DLP, which includes ITAR-specific policies). DLP can only catch what it can recognize (markings, document fingerprints, patterns), so mark ITAR documents consistently at creation and treat DLP as a backstop to the enclave boundary, not a substitute for it.
- Every user accessing ITAR-controlled information must be uniquely identified and authenticated, and all access must be logged. Implement multi-factor authentication (for example Duo) for all network access and all privileged access; NIST 800-171 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. MFA greatly reduces the impact of a stolen password but does not by itself make an account uncompromisable, so pair it with session logging and review.
- Implement strong access control measures, including least privilege and separation of duties (met with our Access Control policies and Standard Operating Procedures). Because releasing ITAR technical data to a foreign person, even inside the United States, is an export, access to the enclave must be limited to U.S. persons unless a license or exemption covers the foreign national; this is a personnel control as much as a technical one.
- Maintain a vulnerability management program with tools that support the Security Content Automation Protocol (SCAP) (met with vulnerability scans using Tenable's Nessus or Tenable.io). Scan on a schedule and when new vulnerabilities affecting the enclave are identified, and remediate on a documented timeline based on risk (NIST 800-171 3.11.2 and 3.11.3).
- At a minimum, laptops and other portable devices must use full-disk encryption (met with ESET encryption; NIST 800-171 3.1.19). NIST 800-171 3.13.11 requires FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI, so confirm the product is running in a FIPS-validated mode rather than only checking that it uses AES-256.
- CUI and ITAR information stored in a cloud resource must reside with a provider that meets the FedRAMP Moderate baseline; DFARS 252.204-7012 requires FedRAMP Moderate equivalency for cloud services that store covered defense information. ITAR data must additionally be encrypted end to end so that only authorized U.S. persons can access the plaintext. Under DDTC's encryption rule effective March 25, 2020, technical data that is encrypted with FIPS 140-2 validated (or equivalent) cryptography, with the keys kept out of the cloud provider's control and the data not stored in Russia or a country listed in 22 CFR 126.1, is not treated as an export while in transit or at rest. The practical test is simple: if the provider, or any foreign-national administrator, could read the data, the control is not met.
- Track and monitor all access to network resources and sensitive data (met with continuous monitoring and logging solutions such as Nagios or LogRhythm; for a complete view of user threat status, implement Forcepoint SureView Insider Threat). Retain audit logs and monitoring data long enough to support the DFARS 252.204-7012 obligation to preserve images of affected systems and relevant monitoring data for at least 90 days after a cyber incident report is submitted.
- Regularly test security systems and processes and secure against data loss (implement our Risk Assessment plan and remediate and mitigate accordingly). NIST 800-171 3.12.1 requires periodic assessment of the security controls, 3.12.2 a plan of action for any deficiencies found, and 3.12.4 a system security plan that describes the enclave boundary.
- A mature program will also include an Incident Response plan, a Continuity of Operations (COOP) plan and a Disaster Recovery plan (use our templates to create them for your network). For DoD contractors the Incident Response plan must account for the DFARS 252.204-7012 requirement to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery.
Where do I go from here?
Talk to us! Techni-Core has real-world experience in securing sensitive networks. Our consulting services help guide you through the complexity of NIST compliance, compliance assessments and choosing the right technical controls for your organization. We have a mature set of NIST templates for NIST 800-171 and supportive documentation.
An initial meeting or telecon (with an NDA in place) will help us understand your organization, its infrastructure and the scope of what’s needed to get you on the right track to compliance. At Techni-Core, we have customers of all sizes, so whether you are a small company with one location and a few scattered employees or a multi-national enterprise with a global footprint, we’d like to engage with you.