ITAR Compliance Tips for 2021 and Beyond

The United States is likely to spend more than $700 billion on national defense in 2022. A big portion of that budget will be spent on contracts with third-party businesses — contractors who provide products, materials and services to the U.S. military. But, if you want to work with the U.S. military, you need to understand ITAR compliance and how it empowers you to secure a contract.

If your business would like to work with the U.S. military, or continue to work with the U.S. military, here’s a look at everything you need to know about ITAR — and ITAR compliance requirements.

What is ITAR?

What is ITAR? The acronym stands for International Traffic in Arms Regulations, and it represents a series of regulations designed to protect military- and defense-related technologies that are vital to the defense of the United States and its citizens.

There is no single ITAR law. Rather, ITAR rules and regulations were created as a series of laws put into place in the 1970s during the heart of the Cold War. At that time, ITAR and its regulations were meant to limit the export of arms in a way that mirrored regulations limiting the export of arms in the portions of Eastern Europe under Soviet influence. Specific ITAR regulations prevented U.S. individuals and businesses from engaging in the exchange of specific products, goods and materials with certain foreign nations.

You might imagine these products, goods and materials to be ammunition, weapons, military-grade vehicles, etc. And you would be correct. But there’s a much broader interpretation of products, goods and materials that can threaten national defense, including telecommunications equipment like satellites and materials used to build and launch satellites.

While the Cold War ended with the fall of the Berlin Wall and the breaking up of the Soviet Union, ITAR remained in place. In fact, the United States has greatly increased its enforcement of ITAR in the 21st century. The United States charged 12 parties with ITAR-related breaches between 1976 and 1998. Since 1999, the United States has charged 29 parties with ITAR-related breaches.

The Difference Between EAR and ITAR

It’s easy to conflate ITAR with Export Administration Regulations (or EAR). Some may say that ITAR limits the export of products, goods and materials related to national defense — and that EAR limits the export of non-defense-related products, goods and materials. But the differences are more nuanced than that.

What is the difference between ITAR and EAR? The differences fall into these 3 categories:

1. Items: Whereas ITAR addresses defense-related items like ammunition, EAR restricts the export of other sensitive items like computers, electronics, sensors, lasers, etc.
2. Enforcement: There’s always overlap between different U.S. government agencies and departments. For example, the U.S. government includes 17 different intelligence agencies. The Director of National Intelligence exists to manage the overlap. ITAR is regulated and enforced by the U.S. State Department, while EAR is regulated and enforced by the U.S. Commerce Department and Bureau of Industry and Security. While there may be overlap in export restrictions, almost all restricted items will fall under one party’s purview.
3. Lists: ITAR items can be found on the United States Munitions List (USML), while EAR items can be found on the Commercial Control List (CCL).

These lists are subject to adjustment as national defense and security needs evolve over time. But, as of now, the USML includes items in 21 categories:

1. Firearms and related articles
2. Guns and armaments
3. Ammunition and ordnance
4. Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, mines
5. Explosives and energetic materials, propellants, incendiary agents (and their constituents)
6. Surface vessels of war and special naval equipment
7. Aircraft and related articles
8. Materials and miscellaneous articles
9. Military training equipment
10. Protective personnel equipment
11. Military electronics
12. Fire control, range finder, optical guidance and control equipment
13. Auxiliary military equipment
14. Toxicological agents, including chemical agents, biological agents, and associated equipment
15. Spacecraft and related articles
16. Nuclear weapons, design and testing related items
17. Classified articles, technical data and defense services not otherwise enumerated
18. Directed energy weapons
19. Gas turbine engines
20. Submersible vessels, oceanographic and associated equipment
21. Articles, technical data, and defense services not otherwise enumerated

This list is constantly evolving, and ITAR categories (and specific materials within each category) are designed to evolve with the changing defense environment. For example, the suspected use of directed energy weapons against U.S. diplomats has been in the news recently, and the specific items within the directed energy weapon category have also recently changed.

The specific categories on the CCL are slightly different than the ITAR categories:

• Nuclear and miscellaneous
• Materials, chemicals, microorganisms and toxins
• Materials processing
• Electronics
• Computers
• Telecommunications
• Information security
• Sensors and lasers
• Navigation and avionics
• Marine
• Aerospace and propulsion

As you can imagine, there’s likely overlap in the “nuclear weapons, design and testing related items” category on the ITAR USML and the “nuclear and miscellaneous” category on the CCL.

How to Obtain ITAR Certification

What is ITAR certification? This is a bit of a trick question. There’s no such thing as ITAR certification. There’s no test to take or course to be passed. Instead of certification, ITAR relies on compliance. Any organization that is compliant and remains compliant with ITAR then earns approval to “import and export products, data and services” covered by ITAR.

Here in the 21st century, as ITAR compliance enforcement by the U.S. government increases, the focus of ITAR has shifted. As conceived in the 1970s, ITAR attempted to limit the trade of military-related products, goods and materials to specific countries. But, in the modern age, ITAR is more focused on how third parties transmit information related to military-related products, goods and services. Cyber warfare is a reality in 2021 and beyond in a way that it was not during the Cold War. The U.S. relies on ITAR to protect its land and citizens from breaches related to third parties transmitting militarily sensitive information in a non-secure manner. ITAR data is now just as important and relevant as ITAR products, goods and materials.

Getting to Know ITAR Compliance Requirements

What ITAR compliance requirements does your organization need to follow? The requirements fall into 3 broad categories:

1. Access

Who has access to information inside your organization? Given the sensitive nature of military-related information, it’s essential that your organization have in place a method for restricting access to specific team members and third parties. (Also, keep in mind that certain employees may struggle to meet ITAR requirements.)

Focus on protecting the physical locations where sensitive data and information may be stored. Also, you must require login credentials specific to individual users to gain access to stored data and information. Finally, you must prevent any and all transmission of data via public computers.

2. Managing Systems

The system you use for managing sensitive data and information must be installed and maintained in a way that meets ITAR requirements. Today, these system management requirements fall into 4 categories:

1. Use encryption to control all data and information on computers and mobile devices.
2. Delete data from unused devices using NIST 800-88 guidelines.
3. Implement security updates and patches on all computers used to store sensitive data and information.
4. Update malware software on a regular basis.

3. Transmitting Data

Eventually, you’ll need to share sensitive data or information with the U.S. military or other third parties. Data transmission is one of the most at-risk activities, which is why ITAR includes stringent regulations for how to transmit this sensitive data. Follow these 5 best practices to remain ITAR compliant with your data transmission:

1. Share information only with other ITAR-compliant parties, and only share information on a need-to-know basis.
2. Detect data extraction by using router policies, firewalls, intrusion prevention and detection systems, or host-based security systems.
3. Track all inbound and outbound network traffic, and use your tracking system to block any unauthorized users.
4. Encrypt the wireless networks used to transmit sensitive data and information.
5. Use encryption when emailing or otherwise transmitting controlled information.

When in doubt, follow ITAR compliance best practices to ensure that you don’t violate specific regulations.

How to Make an ITAR Compliant File Transfer

When you need to know how to make an ITAR compliant file transfer, it’s easy to get overwhelmed by all of the regulations. But rest assured you can use tools designed for ITAR compliance that make it fast and easy to securely transfer files — tools like The GOVFTP Cloud by FTP Today.

We designed The GOVFTP Cloud to solve compliance issues for organizations striving to follow ITAR. Our GOVFTP Cloud product provides compliant infrastructure and a compliant platform so that government contractors and other third parties can focus on their core business without worrying about ITAR violations. You can even use our Country Blocker feature to ensure that sensitive data can only be shared and accessed within the United States.

In addition to Defense Industrial Base contractors, companies in the aerospace industry and other sectors that often do business with the U.S. military trust our ITAR-compliant FTP solution. Communicate confidently with the U.S. military and government when you choose The GOVFTP Cloud by FTP Today. When you’re ready to make ITAR compliance easy, get in touch with us to learn more about The GOVFTP Cloud.