5 W’s of ITAR and EAR Compliance

If you are thinking about or are actively exporting and importing defence-related articles to or from the United States, remember the 5 W’s of ITAR and EAR Compliance to familiarise yourself with the requirements and assist in avoiding the steep penalties that violations will incur.

1. What are ITAR and EAR?

ITAR, or the International Traffic in Arms Regulations, are issued by the United States government to control the export and import of defence-related articles and services on the United States Munitions List (USML), and cover items such as military hardware, guidance systems, submarines, armaments, military aircraft, IT, and defence specific software. In short, the U.S. Government requires all manufacturers, exporters, and brokers of defence articles, defence services or related technical data to be ITAR compliant. 

Export Administration Regulations (EAR) are issued and managed by the United States Department of Commerce to control the export of items which are designed for a commercial purpose which could have military applications (‘dual use items’), such as computer hardware and software (Commerce Control List).

Applying these regulations to your business and to those within the greater supply chain introduces additional costs, rigor, and complexity into your processes.

2. Who does it apply to?

These regulations apply to almost everyone conducting business with US Defence and Defence suppliers.   The US based legislation aims to control access to specific types of technology and their associated data, to prevent the disclosure or transfer of sensitive information to an unauthorised or prohibited foreign national.  If your company falls under ITAR or EAR and you need to collaborate on product development plans, hardware specifications, source code, or other sensitive information, then you need to implement security controls in the applications being used to share and collaborate on regulated information to ensure compliance. 

3. Where does it apply?

These rules apply to any organisation, including internal and external users or groups, that have access to ITAR regulated content in the US and in countries as defined in the regulations. ITAR compliance can pose challenges for companies, since data related to specific technologies may need to be transferred over the internet, via collaboration applications such as Microsoft 365 and SharePoint, or stored locally outside of the United States. 

4. Why is compliance important?

To become “ITAR certified” your company needs to register with DDTC, know what is required of your organisation to comply with ITAR (or EAR) and self-certify that you possess this knowledge. It is extremely important that you understand and comply with these regulations as ITAR and EAR violations can pose a huge risk for impacted companies. 

What is at stake? Defence contractors can be and have been, fined tens of millions of dollars for breaches, (in the case of Airbus billions), for failing to control access to EAR and ITAR regulated data. Violators can also be ‘debarred’ or lose the ability to export goods. Notably, violations can impact more than just the company’s bottom line – criminal penalties of up to 20 years in prison, depending on the breach are also possible.

5. Warning signs of ITAR and EAR non-compliance

To properly protect data and meet ITAR compliance you must be able to quickly determine the following factors when sharing any regulated content:

• User clearance level and caveats
• User citizenship
• Document/item clearance level (i.e. top secret, protected, classified, sensitive, etc.)
• Device (i.e. browser or OS such as iPad, Android, tablet or other mobile device)
• Geography and access locations

If you are not able to address the points above easily when users access and share information, then you are potentially in violation of the ITAR regulations. 

How can I ensure my data collaboration is secure and compliant?

It is important to understand how to secure your ITAR-controlled data in your collaboration and information sharing applications: including but not limited to Microsoft 365 applications, SharePoint, other file share providers, Teams/Slack, and even email. 

Here are some best practices to guide you on how to properly secure ITAR / EAR controlled data:

• Establish and maintain an information security policy.
• Implement zero trust network access methodologies.
• Regularly test networks, security systems and processes.
• Implement attribute-based access control (ABAC).
• Protect sensitive data with encryption and usage restrictions (e.g. restrict printing, copy /paste functions, downloads, etc.).
• Watermark documents to track chain of custody and remind users of a document’s sensitivity.
• Track and monitor all access to network resources and sensitive data.
• Implement measures to prevent the loss of ITAR and EAR controlled data through data misuse, accidental sharing, or theft.

Requirements will vary from company to company; however, this list provides a strong starting point for securing sensitive data to meet ITAR and EAR compliance. You should consult an expert if you are unsure of what is required.

ITAR and EAR compliance made easy

ITAR and EAR compliance is one of the most complex access management issues to solve. 

Trying to define access applications that utilise item or role-based permissions generally requires the creation of thousands of security groups, and if using inheritance thousands of sites or libraries and folders. You also run the risk of exceeding the limit of allowed security scopes on a list. The complexity and ongoing management of these security schemes greatly expand the likelihood of multiple single point defects in individual user or document permissions – any of which constitute an export breach.

Fortunately, archTIS provides organizations with multiple solutions to help tackle ITAR and EAR compliance and controlled information sharing needs. archTIS solutions are built on a zero trust methodology that use attribute-based access control (ABAC) to determine access, usage and sharing permissions at the item level. 

For companies that need to secure content in existing collaboration tools, the company’s NC Protect product enhances information protection by adding granular ABAC-based controls to file access and sharing, messaging, and emailing of sensitive and classified content across Microsoft 365 apps, including SharePoint, Teams, Exchange as well as Dropbox, Nutanix Files and Windows file shares to meet ITAR and EAR compliance. 

For companies that require a secure application that can provide multi-level security out of the box, Kojensi offers a cost-effective sovereign accredited PROTECTED SaaS-based solution that enables secure collaboration and sharing of sensitive/classified information.  Kojensi allows you to quickly separate your internal infrastructure and processes from those that are required for ITAR and EAR certification — especially when sharing information across multiple organisations or countries.  Kojensi provides government accredited, secure compartmentalised access, sharing and collaboration on sensitive and classified information that enables you to focus on your core business deliverables and not the infrastructure tools required.