Guidelines for ITAR Compliance and Sharing Your Technical Data
Help ensure your company's information is ITAR compliant!
Is My File Sharing ITAR Compliant?
A strong flow of information is the heartbeat of any business or organization. To keep your operation on pace, you need a file sharing and storage option that facilitates the process of data communication and transmission, making it efficient and effective. But if your business or government agency functions in any capacity related to the import/export of defense items as defined by ITAR, you also have a responsibility to ensure that your file sharing solution is legally compliant.
ITAR compliance should never be taken lightly. Repercussions for entities that have failed to meet these obligations have included tens of millions of dollars in financial penalties, as well as permanent government bans on import/export operations and up to 20 years’ imprisonment for involved parties. The grave nature of these consequences makes it essential for you to identify whether your file sharing process is compliant with the ITAR terms of handling technical data.
If you haven’t made the effort to examine your organization’s systems and actions in this area, it is critical for you to take this step immediately. Be sure to ask the following questions in order to determine whether you’re executing a file sharing process that protects you, your organization and your employees from the detrimental outcomes of non-compliance with ITAR.
Learn the Guidelines and Requirements for ITAR Compliance
Ensure Your Technical Data Doesn't Fall into Foreign HandsDownload the ITAR Compliance Guide
ASK: Who has access to your files?
For purposes of national security, the United States government requires all manufacturers, exporters and brokers of defense articles, services or related technical data to be ITAR compliant. These regulations are designed to prevent defense-related items from being accessed by foreign persons or parties. To maintain compliance, you must ensure that any technical data that falls under this jurisdiction is properly managed and protected from non-citizens and unauthorized individuals. Does your file sharing solution enable you to meet these requirements?
An ITAR-compliant file sharing process regulates who has access to your organization’s files by enforcing the following policies:
- Safeguard physical access to the file sharing system by restricting any persons who are not U.S. citizens or government-authorized individuals as defined by ITAR provisions.
- Deny access to ITAR-controlled data and information from shared and/or public computers.
- Designate individual user accounts that require user authentication for access, and set granular permissions based on role and clearance level.
If you’re utilizing a file sharing provider that you can’t trust to facilitate the security of your ITAR-controlled data, it’s imperative to find one that meets the highest levels of data protection and advanced functionality. Ensure that your solution features systems and controls to inhibit data from being accessed by unsanctioned individuals. Look for one that includes:
- User authentication by password or SSH key to foster password strength and expiration parameters, and to manage public keys on a per-user basis
- Capabilities for administrators to create user-level access rules that restrict individual user connections by remote IP address and/or protocol
- Granular access controls that govern your company’s file sharing processes with user-specific permissions and restrictions
- Intrusion detection and prevention measures to actively monitor connections, detect suspicious activity and thwart offending IP addresses
ASK: Are you utilizing best practices in system management?
An effective compliance effort must take a multi-faceted approach to file system management. What policies and practices does your organization have in place to protect its ITAR-controlled data? At a minimum, you need to be adhering to the following best practices in secure system management:
- Keep malware protections updated at all times. Given the sensitivity of the files and information you’re managing, it’s crucial to ensure that your protection software can effectively address the vulnerabilities posed by constantly evolving intrusion threats. As the technology of malware advances, so do the security features designed to obstruct them. But if you’re not ensuring that the protection software in place is continually updated to adopt new safeguards, you’re leaving your system open to emerging threats. Even just the potential for a breach (as opposed to an actual incident) can put your organization in danger of non-compliance with ITAR. Therefore, you must take precautions to ensure that your malware defense software is regularly updated with the most recent patches and improvements.
- Employ encryption techniques for all controlled data. In-transit encryption encodes data as it is being sent from a computer or device to your server, or as it is in the process of making its way from that server back to a physical location. Even if an unauthorized individual were to intercept those packets of information during transmission, the data contained inside would be unreadable without the associated encryption keys. At-rest encryption protects the information that has reached its destination (i.e., the server) so that if an intruder were to gain entry to the server, they wouldn’t have unfettered access to everything contained on it. These encryption capabilities provide a fundamental layer of security in protecting ITAR-controlled data and meeting compliance regulations.
- Implement a detailed Incident Response Plan. What happens if a breach does, in fact, occur? To help guide all relevant parties in this event, a best practice for data security is to develop an Incident Response Plan that will help address the issue immediately, minimize the reach of the attack and get your systems up and running again as quickly as possible. Some aspects that the plan should address include backup procedures, redundancies and a system-wide IP blacklist that automatically blocks out IP addresses of hackers and port-scanners.
ASK: How are you transmitting data?
As ITAR requires, in relevant part, that material covered on the USML only be shared with U.S. citizens absent special authorization or exemption, an integral component of your compliance efforts should concentrate on the transmission of data, both internally and externally. Identify whether your file sharing solution offers the following features for facilitating ITAR compliance as it pertains to data transmission.
- Protocol Controls: These should force end users to conform to your compliance requirements rather than letting them police themselves. You want to be able to enforce Explicit FTPS on port 21 while disallowing unencrypted FTP on the same port, block all access methods that are not SFTP and engage only encrypted protocols.
- Country Blocker: Utilize a professional geo-IP database that tracks all IP addresses in use worldwide. This industry-exclusive feature gives you control over front-line access by country to prevent data from being transmitted outside the United States.
- Analytical Tools and Proactive Network Scans: These protections help quickly identify suspicious activity and safeguard your organization from any malicious insider who may be working with a foreign state.
- Firewalls to Detect Exfiltration: Prevent any unauthorized foreign party from extracting data from your systems. Firewalls enable you to monitor incoming and outgoing traffic and identify whether data is being transmitted to the proper location over an authorized protocol.
- Auditing Functionality: This should include detailed activity logs and on-demand available to site administrators so they always know how files are being shared or transmitted.
Do your answers to these questions have you concerned that your organization’s current file sharing system isn’t fully ITAR compliant? Get more information by reading Guidelines for ITAR Compliance and Sharing Your Technical Data.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.