ITAR Compliance Regulations, Standards, and Penalties
International Traffic in Arms Regulations compliance is mandatory for over 13,000 businesses in the United States. Is your business one of them?
Who needs to be ITAR compliant? A company needs to be ITAR compliant if it handles any part of the supply chain for defense articles, whether manufacturing, exporting, providing other defense services, or even handling defense-related technical data.
What Is the International Traffic in Arms Regulation?
Private military information and equipment are a massive liability for the security interests of the United States. With expanded logistics and supply chains, as well as a growing number of digital service providers and other contractors, the potential for theft of weapons, technical schematics, and protected data is a real and present danger. In this context, “technical data” means information relating to items on the U.S. Munitions List (USML), which includes schematics, blueprints, and reports.
To protect these materials, ITAR was created. Passed in 1976 to address weapons security concerns during the Cold War, ITAR deals specifically with the USML, a directory of services, documents, and technologies related to “defense and space-related” government projects and activities. This list contains information about the storage, management, and sale of ITAR-governed materials, including schematics, munitions, and equipment within the Defense Industrial Base.
Currently, ITAR is governed by the U.S. State Department. Its jurisdiction covers two broader categories—physical equipment and technical data about the equipment. These are further split into more specific categories:
- Firearms, Close Assault Weapons, and Shotguns
- Materials, Chemicals, Microorganisms, and Toxins
- Ammunition and Ordnance
- Launch Vehicles, Guided and Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
- Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
- Vessels of War and Special Naval Equipment
- Tanks and Military Vehicles
- Aircraft and Associated Equipment
- Military Training Equipment
- Protective Personnel Equipment
- Military Electronics
- Fire Control, Range Finder, Optical, Guidance, and Control Equipment
- Auxiliary Military Equipment
- Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
- Spacecraft Systems and Associated Equipment
- Nuclear Weapons, Design, and Testing Related Items
- Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
- Directed Energy Weapons
- Gas Turbine Engines
- Submersible Vessels, Oceanographic, and Associated Equipment
- Articles, Technical Data, and Defense Services Not Otherwise Enumerated
Organizations managing or handling any of these items must register with the Directorate of Defense Trade Controls (DDTC).
What Does It Mean To Be ITAR Compliant?
ITAR compliance refers to how contractors manage and handle items in the USML. Many of these compliance requirements fall under registration and reporting obligations, so that items are accounted for and organizations demonstrate that they continue to maintain compliance across their software and hardware systems.
ITAR compliance includes a few foundational requirements:
- Register with the DDTC: According to the DDTC website, all “manufacturers, exporters, temporary importers, and brokers of defense articles (including technical data)” falling under the USML must register with the DDTC.
- Enact an ITAR compliance program: Organizations must implement documented ITAR compliance programs, with plans that outline the monitoring, tracking, and auditing of technical USML data that falls under ITAR’s jurisdiction.
- Implement ITAR security: Organizations must follow security requirements based on the clearance of data managed. Information in the Secret category will have its own private hardware network requirements. In contrast, Controlled Unclassified Information (CUI)—sensitive information related to weapons and defense that is not classified—can follow the National Institute of Standards and Technology Special Publication 800-171.
These requirements are continually reported and monitored, and noncompliance (essentially, the endangering of U.S. weapons or secrets) carries stiff penalties. Even so, some organizations can obtain exemptions under ITAR, granted by the State Department, for situations like temporary exports, technical data, or governmental exemptions.
How do I know if I am ITAR compliant?
The best way to determine if your organization is ITAR compliant is to have a qualified professional review your internal processes and procedures. This would include a review of your security protocols, employee training procedures, export control policies, and any other relevant items. Additionally, obtaining a third-party ITAR certification can provide additional assurance that you are a compliant organization.
What Are the Penalties for Noncompliance With ITAR?
Like any compliance framework, ITAR defines specific penalties for noncompliance, tied to the nature of the noncompliance and the organization’s cooperation.
According to ITAR documentation on the DDTC website, it is considered unlawful to do any of the following:
- Export, import, or conspire to import or export defense articles from the United States without approval from the State Department.
- Import, export, or broker the exchange of defense articles without proper licensing.
- Manufacture defense articles in partnership with the government without complying with licensing and security regulations.
- Commit fraud in an attempt to obtain ITAR compliance, licensing, or other approval for exporting, importing, or brokering defense articles.
Consent agreements are a unique part of ITAR regulations. If an organization breaches compliance, it will (under certain circumstances) enter into a consent agreement in which it agrees to monitoring and remediation alongside its financial obligations. This process, leading to potential readmission into the supply chain, can last three to four years.
Under ITAR, there are two tiers of penalties:
- Civil penalties: Civil penalties are governed by ITAR Article 128 and include penalties of at least $1 million per violation and possible debarment, at least during a period of remediation governed by a consent agreement. Civil violations are typically treated as unintentional or correctable, allowing for a consent agreement.
- Criminal penalties: Criminal penalties are governed by AECA 22 U.S.C. 2778(c) and generally apply to organizations knowingly and willfully violating ITAR. Penalties are a minimum of $1 million per violation or up to 20 years in prison and debarment.
What constitutes an ITAR manufacturing violation?
An ITAR manufacturing violation occurs when a person manufactures, exports, imports, or transfers a defense article or related technical data without the proper authorization from the U.S. government. This can be done knowingly or unknowingly, and the violation can include sending or receiving the data or document electronically.
Is It Possible to Maintain ITAR Compliance in the Cloud?
The short answer is yes.
In December 2019, the U.S. State Department ruled that organizations could store ITAR-related data in the cloud, assuming they use encrypted, ITAR-controlled software.
To help facilitate this ruling, it also creates an additional definition of activity for cloud providers: specifically, storing ITAR data in the cloud using FIPS 140-2 validated encryption or AES-128 equivalent cryptography. This definition officially enters the list of governed practices, which includes exporting, re-exporting, selling, transferring, or importing USML data.
Protect and Secure Critical Data With Kiteworks
Protecting information during transit and storage is critical for any government contractor. These organizations need to ensure that their business file sharing, analytics, and all storage media are encrypted and secured as part of the vendor risk management component within ITAR. All reporting, auditing, and documentation must meet the requirements of their industry.
The Kiteworks platform provides comprehensive governance and protection, supporting enterprise businesses and members of the defense supply chain with compliant security and enterprise-grade functionality. Some of the features that come with Kiteworks include:
- Secure email links: With Kiteworks, users do not send emails; they send links back to hardened servers. This means they maintain CMMC compliance while also providing email coverage for outside users as needed. This enables organizations and third-party partners to avoid being locked into a specific PGP encryption scheme.
- Encryption and hardened servers: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Its hardened virtual appliance, granular controls, secure firewall, authentication, and other security stack integrations provide a defense-in-depth approach to security. Coupled with comprehensive logging and audit, organizations can achieve compliance efficiently.
- Audit logging: With Kiteworks immutable audit logs, users can trust that an organization can detect attacks sooner and maintain the correct chain of evidence to perform forensics.
- Private cloud: Your file transfers, file storage, and access occur on a dedicated Kiteworks instance, deployed on your premises, on your Infrastructure-as-a-Service (IaaS) resources, or hosted in the cloud by Kiteworks. That means no shared runtime, databases, repositories, or resources, and no potential for cross-cloud breaches or attacks.
- SIEM integration: Kiteworks supports integration with major security information and event management (SIEM) solutions, including IBM QRadar, ArcSight, FireEye Helix, LogRhythm, and others. It also has the Splunk Forwarder and includes a Splunk App.
- Data visibility and management: Kiteworks’ CISO Dashboard provides critical insight into how your data moves through your system: who handles it, when they handle it, and how. Businesses can use this information to inform essential CMMC requirements when overseeing supply chain risk management and third-party risk management (TPRM) and developing security- and data-focused plans for auditors.
- Unlimited file size: Kiteworks secure email links allow organizations to share files of any size. Additionally, they can use our managed file transfer and storage capabilities to store and share unlimited-sized files.
To learn more about compliance and security with data management platforms, schedule a custom demo of Kiteworks today.