What is ITAR Compliance? (Regulations, Fines, & More)
Learn about ITAR compliance in Data Protection 101, our series on the fundamentals of information security.
What is ITAR Compliance?
ITAR compliance means operating in accordance with the International Traffic in Arms Regulations (ITAR), the rules that control the export and temporary import of the defense articles, defense services and related technical data listed on the United States Munitions List (USML). Under U.S. law, every manufacturer, exporter and broker of defense articles, defense services or related technical data must comply with the ITAR, and prime contractors increasingly pass that requirement down to their supply chains. In general:
For a company involved in the manufacture, sale or distribution of goods or services covered under the USML, or a component supplier to goods covered under the USML, a requirement to be “ITAR certified (compliant)” means two things: the company must be registered with the State Department’s Directorate of Defense Trade Controls (DDTC) where DDTC’s rules require it, and the company must understand and abide by the ITAR as it applies to its USML-linked goods or services. When the company accepts a supplier role for a USML prime exporter, it is itself attesting that it operates in accordance with the ITAR.
In other words, companies must register with the DDTC, know what the ITAR requires of them, and be able to attest that they have a compliance program that meets those requirements.
What Does the ITAR Mean For My Company?
Overall, it is important to understand that registering with the DDTC to sell your products or services in the ITAR industry is not enough; you must also avoid violating the ITAR itself. The expectation is that your staff are educated and trained in the regulations. Keep in mind that ITAR violations may result in civil or criminal penalties, debarment from future exports, and imprisonment, including:
- Civil penalties with a statutory maximum of $500,000 per violation, adjusted annually for inflation (the current adjusted figure is well over $1,000,000; check DDTC’s published penalty amounts)
- Criminal fines of up to $1,000,000 and up to 20 years imprisonment per violation
ITAR Compliance and Technology Companies
As one of the principal U.S. export control regimes, the ITAR affects the manufacture, sale and distribution of technology. Its goal is to control access to specific types of technology and their associated technical data; in practice, the government is trying to prevent the disclosure or transfer of that data to foreign persons. Note that a “foreign person” need not be abroad: releasing ITAR technical data to a foreign national inside the United States (for example, an employee or contractor without U.S. person status) is itself treated as an export. As a result, the ITAR can pose challenges for global corporations, since data related to controlled technologies may need to be transferred over the internet or stored outside the United States to keep business processes flowing. The responsibility lies with the manufacturer or exporter to take the precautions necessary to meet ITAR requirements and to be able to demonstrate that it has done so.
Specifically, ITAR [22 CFR 120-130]:
- Covers military items, known as defense articles
- Regulates goods and technology specially designed for military use, whether to attack or to defend against attack
- Includes space-related technology because of its overlap with missile technology
- Includes technical data related to defense articles and defense services
- Involves strict licensing requirements and, unlike the EAR, does not balance security against commercial or research objectives
2020 ITAR Amendments
The Department of State published two relevant changes in late 2019 and early 2020. The first revised USML Categories I, II and III; according to its summary, the revision aims to “describe more precisely the articles that provide a critical military or intelligence advantage or, in the case of weapons, perform an inherently military function and thus warrant export and temporary import control on the USML.” That rule took effect on March 9th, 2020.
The second, a separate rule published December 26, 2019 and effective March 25, 2020, added 22 CFR 120.54 and is the one that changes how organizations may store and share ITAR data in the cloud. Under it, sending, taking or storing technical data is not an “export” as long as all of the following hold:
- The data is unclassified
- It is secured with end-to-end encryption, meaning it is encrypted before it leaves the originator’s control and stays encrypted until it reaches the intended recipient, and the means of decryption are not provided to any third party, including the cloud provider
- The encryption is performed with cryptographic modules compliant with FIPS 140-2 (or its successors), supplemented by appropriate software implementation, key management and other procedures, or by other equally or more effective means
- The data is not intentionally sent to a person in, sent from, or stored in a country proscribed in 22 CFR 126.1 or the Russian Federation
Storage or transmission that fails any of these conditions remains an export and still needs an authorization. In practice, the second and third conditions are the hard ones: a provider-managed encryption key, or the provider holding a copy of your key, means the data is not end-to-end encrypted in the sense the rule requires.
ITAR Data Security Recommendations
Now that you know the significance of ITAR Compliance and the penalties of failing to comply, it is important to understand how to secure your ITAR-controlled data. While data security will have different requirements for every company, here are some best practices to follow in securing ITAR data:
- Maintain an information security policy
- Build and maintain a secure network: install and maintain firewall configurations that protect the data, and replace vendor-supplied passwords and other security defaults before systems go live
- Assign a unique ID to each person with computer access
- Regularly test security systems and processes
- Protect sensitive data with encryption
- Regularly monitor and test networks
- Implement strong access control measures
- Track and monitor all access to network resources and sensitive data
- Maintain a vulnerability management program
- Implement measures to prevent the loss of ITAR-controlled data
This list is not exhaustive, but it is a starting point for securing sensitive data and meeting ITAR requirements. By adapting these measures to your company’s needs, you can keep ITAR data accessible where it needs to be while protecting it against loss or unauthorized access.
Experts Weigh in on ITAR Compliance
Here’s a look at what the experts have to say about ITAR compliance.
1. Certification is a myth. “Many have heard the term ‘certified’ in relation to ITAR. In reality, there is no such thing as being ITAR certified. There is only a regulatory requirement to be registered and a company’s obligation to be compliant. The confusion comes when you receive a letter from your customer asking you to ‘certify’ that your business is ITAR compliant. What they are really asking is, ‘Are you registered for ITAR and do you have an established compliance program with all required controls in place?’” — Mark Bleckley, What It Really Means to be ITAR Compliant: Why You Should Stop Saying You are ITAR Certified, Grand Valley State University
2. Registration doesn’t mean you’re out of the woods. “What is important to understand is that even though you may register your company with the DDTC to sell your products or services in the ITAR industry, you must also not violate ITAR compliance regulations. You are expected to be educated and trained in ITAR regulations. Violating the ITAR may result in criminal or civil penalties, debarred from future exports, as well as imprisonment.” — What does ITAR Compliant/ITAR Compliance mean?, Dunlap-Stone University
3. Use a checklist. “An ITAR compliance checklist is a tool used by arms suppliers to easily determine if they are ITAR compliant, establish an identification system for ITAR-controlled products, and implement an effective ITAR compliance program.” — Jona Tarlengco, Top 3 ITAR Compliance Checklists, Safety Culture
If your company is subject to the ITAR, these tips and best practices will help you build a program that holds up against the current regulations, including the latest amendment on securing ITAR-controlled data in the cloud; they do not replace a review of the regulations themselves or of your own license obligations.
Frequently Asked Questions
What does it mean to be ITAR compliant?
The International Traffic in Arms Regulations (ITAR) establish controls on the export and temporary import of defense-related items, services and technical data that appear on the United States Munitions List (USML). The ITAR is meant to limit access to specific technologies and their associated data. ITAR compliance requires companies subject to the ITAR to share USML items and technical data only with U.S. persons unless otherwise authorized by the U.S. Department of State; releasing technical data to a foreign person, even on U.S. soil, counts as an export.
How do I know if I am ITAR compliant?
Companies need to understand the requirements for ITAR compliance related to the items on the USML that they handle. Organizations need to take the necessary steps to protect ITAR data, including:
1) End-to-end data encryption
2) Key management to retain control over decryption keys
3) Access control to prevent unauthorized foreign access to ITAR data
4) Data loss prevention (DLP) to identify ITAR data and enforce access controls and encryption
5) Persistent protection of ITAR data that prevents foreign access to regulated email attachments
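The end-to-end encryption condition in the 2020 amendment and items 1 and 2 above (encryption plus keys that stay under your control) come down to one property: the cloud provider only ever receives ciphertext, and the key never leaves your own systems. The following is an added illustration, not code from the original article or from any product it describes. It uses Go’s standard library AES-256-GCM to seal a constructed sample of technical data into a hypothetical storage object, then shows that a party without the key (the provider, or anyone who copies the stored object) cannot read it and cannot tamper with it or relabel it undetected. The `Envelope` format, the labels and the sample text are assumptions made for this example. Whether the cryptographic module you deploy is FIPS 140-2 validated, as the rule separately requires, is a property of your build and platform, not something this code can establish.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the hypothetical object handed to the cloud provider.
// It carries ciphertext, the nonce, and an authenticated (but unencrypted)
// label. The key is deliberately not part of it: the provider stores only
// what is here, so it never holds the means of decryption.
type Envelope struct {
	Label      string // e.g. a control marking; authenticated via GCM AAD
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey generates a fresh 256-bit key. In production this would be
// created in and held by an HSM or KMS that the data owner controls.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM. The label is bound as
// associated data, so changing it later makes decryption fail.
func Seal(key []byte, label string, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return Envelope{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an Envelope. Any change to the ciphertext, nonce or label,
// or use of the wrong key, is rejected by the GCM authentication tag.
func Open(key []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Label))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered object")
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for controlled technical data.
	data := []byte("Drawing 1234-A: gimbal assembly tolerances (constructed sample)")
	env, err := Seal(key, "ITAR-controlled technical data", data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored object: label=%q nonce=%x ct[:8]=%x\n", env.Label, env.Nonce, env.Ciphertext[:8])

	// The provider's view: it has the object but not the key.
	if _, err := Open(make([]byte, 32), env); err != nil {
		fmt.Println("provider without key:", err)
	}
	// A stored copy with one flipped byte, or a changed label, is rejected too.
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(key, tampered); err != nil {
		fmt.Println("tampered copy:", err)
	}
	// The data owner, holding the key, reads it back.
	pt, err := Open(key, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner with key: %s\n", pt)
}
```

The design point is that nothing the provider stores or processes is sufficient to recover the plaintext, which is what the rule’s “means of decryption are not provided to any third party” language requires. If instead you rely on provider-side encryption with provider-managed keys, the same ciphertext is produced but the provider can decrypt it, and the carve-out does not apply.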
Which countries are ITAR restricted?
The proscribed countries are listed in 22 CFR 126.1, and the list is considerably longer than the two examples below and changes over time; always consult the current text of § 126.1 rather than a summary. Two examples:
- China (PRC)
- North Korea
What are the most common ITAR violations?
The most common ITAR violations include:
1) Willful failure to comply with ITAR.
2) Misrepresentations or omissions when addressing items or data that fall under ITAR guidelines.
3) Oversight or accidental mistakes that put ITAR data at risk.
What is the difference between ITAR and EAR?
Here are some substantial differences between ITAR and Export Administration Regulations (EAR):
1) ITAR is administered by the U.S. Department of State and EAR is administered by the U.S. Department of Commerce.
2) The ITAR covers defense articles, defense services and related technical data on the USML. The EAR covers commercial and dual-use items that may have military applications, as well as some less sensitive military items that have been moved off the USML.
3) ITAR is intended solely to ensure U.S. security. EAR balances national security with commercial and research objectives.
Who needs to be ITAR registered?
Registration is required of any person in the United States who engages in the business of manufacturing, exporting or temporarily importing defense articles, or furnishing defense services. Note that a manufacturer of defense articles must register even if it never exports anything. Companies should review the USML to determine whether their products, services or technical data fall under it and therefore whether they need to register.
How much does ITAR registration cost?
DDTC registration fees follow a three-tier structure based on how many applications DDTC handled for the registrant during the previous registration period:
1) $2,250 per year if DDTC has not reviewed, adjudicated or issued a response to any application.
2) $2,750 per year if DDTC has reviewed, adjudicated or issued a response to between 1 and 10 applications.
3) $2,750 plus additional fees based on the number of applications if DDTC has reviewed, adjudicated or issued a response to more than 10.
These are the amounts in 22 CFR 122.3 at the time of writing; DDTC revises its fee schedule periodically, so confirm the current figures on DDTC’s website before budgeting.