What Does ITAR Compliance Have to Do with Your Technical Data?

When operating in the import and export of military or defense-related products, your company has much more to be concerned about than your everyday business needs. You must also be vigilant with government compliance and ensure that you’re following all International Trafficking in Arms Regulations (ITAR) managed by the U.S. Department of State.

Your first step should be to fully understand your obligations under these laws. That means staying informed on all aspects of ITAR compliance, which covers every item listed on the United States Munitions List (USML). One easily overlooked factor in this regulatory arena is technical data, but insufficient attention to this component could result in major criminal and civil penalties, imprisonment or a complete ban on future imports/exports.  

To help avoid these outcomes, find out how ITAR compliance specifically relates to your company’s technical data, and use the insight provided here to inform your compliance and data security efforts.

Why Technical Data Is Included on the USML

ITAR exerts control over how defense-related articles and services on the U.S. Munitions List (USML) are managed, ensuring that these items can only be shared with United States citizens, unless special authorization or exemptions have been previously created.

Technical data is included as a related item under each of the 23 main categories of the USML. This is an important means of controlling how information related to articles and services like firearms, missiles, naval equipment, military training and even spacecraft is protected from foreign entities. It’s a matter of national security.

Of course, this is a complex issue. Data is unlike a physical item in terms of how it is stored and transferred. Protecting technical data requires a more dynamic approach, including highly secure file transfer solutions, access controls and authorization safeguards. Without these types of security protocols, sensitive information related to a defense article could fall into the wrong hands.

What Technical Data Does and Doesn’t Cover

The U.S. Department of State defines technical data as:

• Information that is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
• Classified information relating to defense articles and defense services on the U.S. Munitions List and 600-series items controlled by the Commerce Control List
• Information covered by an invention secrecy order
• Software directly related to defense articles

What the department does not designate as technical data under ITAR is:

• Information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities
• Information in the public domain
• Telemetry data
• Basic marketing information on function or purpose
• General system descriptions of defense articles

Who’s Responsible for Complying with ITAR

If your organization does business with the United States military or deals with any information related to items and services on the U.S. Munitions List (even if you’re a third-party contractor), the burden of responsibility for ITAR compliance on matters of technical data falls on the shoulders of your company and the individuals within your company (or outside parties) with whom the data is legally shared.

If you are utilizing a data management and file transfer provider, accountability for ITAR compliance still lies with your company. FTP providers are not considered to be an "exporter of data" the same way your organization might be. That means it’s critical to be highly selective about the provider you choose and ensure they offer advanced features that allow you to maintain an ITAR-compliant file transfer process from end to end.

You want to be confident that the data stored on your organization’s FTP site is protected from accidental distribution to foreign persons or people from foreign nations. For instance, Sharetru’s solution provides the following security advantages:

• 100% of its FTP cloud services is maintained in a Louisville, KY, data center manned only by U.S. citizens at all times.
• Its Country Restrictions feature allows clients to technologically deny access to the site from any country in the world except the United States, based on geo-IP address mapping. You can further allow and deny access by IP address at the user level.
• It enforces multiple security layers and exclusive controls like granular access definitions and encryption capabilities.

Tips for ITAR-Compliant Data Security

With the knowledge that ITAR-compliant management of your technical data is in the hands of your organization alone -- and that the price to be paid for noncompliance is a major one, it’s vital to get in line with ITAR mandates and take the necessary steps to ensure the security of your technical data. You’ll want to:

• Work on identifying any data that may fall under the jurisdiction of the Department of State for ITAR purposes, and classify those files and information appropriately.
• Implement a strict data security policy with specific communication on ITAR compliance, as well as training for all end users.
• Utilize encryption methods to protect ITAR-relevant data that’s being stored, accessed or transferred.
• Ensure that your FTP site is hosted in the United States and that all employees of both the hosting provider and data center are U.S. citizens.
• Opt for an FTP provider that enables you to restrict access by geographical location and that can enforce the use of secure transmissions meeting National Institute of Standards and Technology (NIST) and Federal Information Processing Standard (FIPS) 140-2 requirements for encryption cipher strength.
• Create different types of users and user roles that govern access, designating specific permissions for site administrators, sub-site administrators and individual user accounts.
• Make sure you have auditing functionality, including detailed activity logs and on-demand reports available to site administrators so they always know how files are being accessed or shared and can glean valuable insight to make the most informed, actionable decisions.
• Prioritize intrusion detection and prevention with a solution that actively monitors connections, detects suspicious activity, instantly blacklists offending IP addresses and distributes the blacklist across the entire network of servers.
• Authenticate users by password or SSH key, leveraging a system that automatically executes password strength and expiration parameters, and that manages public keys on a per-user basis.