Guidelines for ITAR Compliance and Sharing Your Technical Data
Help ensure your company's information is ITAR compliant!
ITAR Requirements for Your Employees: Who's at Risk?
ITAR (International Traffic in Arms Regulations) compliance isn’t just an initiative that’s only a concern for those at the top. Every employee plays a role in protecting your data. And, it’s imperative that you know which employees are approved to handle ITAR-related materials. To ensure you’re meeting ITAR requirements for your employees, learn more about how ITAR applies to the people in your company.
Why Do Companies Struggle to Meet ITAR Requirements for Employees?
Understanding ITAR as it relates to your own employees can be a challenge. Imagine you hire someone for your IT department that was born outside the United States. They have an excellent resume and would be an asset to your team. But because they work in the IT department, they could easily access sensitive materials. This is a violation of ITAR regulations, even though the employee is on U.S. soil, working for a U.S. company, and isn’t working directly with classified data.
In a situation like this one, your company could be subject to non-compliance consequences, like paying steep fines, having your status as a government contractor revoked, and in the most extreme cases, you could face jail time.
To avoid these risks and ensure you’re aligning with ITAR requirements for your employees, you need to pay close attention to who in your company can have access to sensitive data and who can’t have access. It’s important to note that ITAR was not put in place to discourage companies from hiring foreign employees, and below we’ll look at how you can employ non-U.S. citizens while still remaining compliant.
Types of Employees
As you’re looking at ITAR requirements for employees, you first need to know the two categories of employees as it pertains to ITAR. These categories are U.S. citizens and foreign persons. Depending on the classification of your employees, they may or may not be permitted to handle ITAR materials.
U.S. Person (per EAR Part 772 AND ITAR 120.15)
Any individual who is granted U.S. citizenship
Any individual who is granted U.S. permanent residence (i.e., a "Green Card" holder)
Any individual who is granted status as a "protected person"
Any corporation, business, organization, or group incorporated in the U.S. under U.S. law
Any employee of U.S. government
Foreign Person (or anyone who is not a U.S. person)
Any individual who is not a U.S. citizen
Any individual who is not a U.S. permanent resident alien (i.e. "Green Card" holder)
Any individual who is not a protected individual (i.e., refugees or those that have political asylum)
Any foreign corporation, business, organization, or group not incorporated or organized under U.S. law
Foreign government employees and any agency or subdivision of foreign governments (i.e., those on diplomatic missions)
What Should Employers in the U.S. Do?
So, does ITAR compliance mean that you can only hire employees that are U.S. citizens? Not necessarily. The easiest way for non-citizens to handle ITAR materials without violating compliance regulations is for the individual to become a U.S. citizen or permanent resident. However, if you want to or have already hired non-U.S. citizens, you can take action to get them approved to handle ITAR-covered materials.
If the employee does not want to become a citizen or is unable to be a permanent resident, you have an option other than the path to citizenship. For a non-U.S. citizen to handle ITAR-covered materials, your company can go through the process of obtaining an export license for the individual.
You must apply for an export license for employee, and if approved, they can work with or have access to ITAR data. It’s important to know that there are a few drawbacks when it comes to pursuing an ITAR export license. There will be a lot of paperwork on your company’s part. It will also take time for the government to approve the applicant. Thus, you should expect a lot of time and work that you have to invest in the process of gaining a license. And, you still face the chance of the license being denied.
Denial of a license is a probable outcome if the employee is a citizen of a country on ITAR’s “prohibited countries” list. This is a list of more than 20 countries that the U.S. has deemed as being particular threats. The current list includes China, Iran, and other countries. The list is updated every now and then, so be sure to check it regularly. If the employee you’re seeking a license for is from a country on that list, they aren’t likely to be granted an export license.
How to Meet ITAR Requirements for Employees
If you employ foreign persons and you’re waiting for their export license to be approved, there are ways they can still work for your company while you maintain ITAR compliance. Finding a top file sharing solution that gives your administrators access restriction control will help you limit who can and can’t have access to sensitive technical data.
Look for a file sharing solution that allows you to control who can do the following:
List Directory Permissions
By controlling these aspects of your file sharing solution, you can ensure that only approved employees are able to work with sensitive data. Everyone else will be prevented from gaining access, even if they have a user account with your solution.
It’s also important to educate your employees on how to securely share files to avoid noncompliance. For example, if an employee regularly emails sensitive files to recipients that haven’t been approved to handle ITAR-related data, your company is noncompliant. A file sharing solution like FTP Today offers a secure way to share files and provides a log of who sent files to which recipients.
Establish protocols on how your company can meet ITAR requirements for employees, and communicate that every employee should follow these protocols. Employees have a major role to play in ensuring your company is ITAR compliant, whether they know it or not. And unfortunately, being unaware of compliance standards doesn’t help you avoid the fines.
Ultimately, with a thorough knowledge of who in your company can handle sensitive data, export licenses for employees that require them, and a file sharing solution to support your efforts, you can easily maintain ITAR compliance. Meeting ITAR requirements for employees may take an investment of time and effort, but it will pay off when you avoid the risks of noncompliance.
Learn about ITAR requirements for employees and how to ensure you’re compliant. Download Guidelines for ITAR Compliance and Sharing Your Technical Data for more information.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.