If your company exports defense or space-related items, you must be ITAR compliant. Otherwise, you could be fined hundreds of thousands of dollars.
What does it mean to be ITAR compliant? Becoming compliant with the International Traffic in Arms Regulations means your company is registered with the U.S. State Department’s Directorate of Defense Trade Controls and has complied with all the necessary ITAR regulations for U.S. Munitions List exports.
What Is ITAR and Why Would an Organization Want To Be Compliant?
The International Traffic in Arms Regulations is a regulatory body and framework used to control arms and munitions imports and exports in the interest of protecting U.S. national security and foreign policy priorities.
ITAR refers explicitly to the U.S. Munitions List (USML), which is a list of services, technologies, and articles designated as “defense and space-related.” It is an inventory of weapons, military equipment, and defense-related data that are defined as “munitions.” Because the U.S. often trades in weaponry (either as a buyer or seller), the government must keep meticulous records about its equipment. Likewise, because the defense supply chain comprises a network of agencies and third-party contractors (known as the Defense Industrial Base), these organizations must meet the requirements instituted to manage U.S. munitions.
ITAR and the Arms Export Control Act were passed into law in 1976 during the Cold War to address fears of U.S. weapons falling into the hands of USSR agents or satellite governments. In 1999, management and enforcement of the rules and regulations under ITAR and the Arms Export Control Act (AECA) fell to the U.S. State Department.
Under ITAR, “defense articles” are divided into two broad categories: physical equipment and technical data about existing or future equipment. Within these two categories are more user-specific categories:
- Firearms, Close Assault Weapons, and Shotguns
- Materials, Chemicals, Microorganisms, and Toxins
- Ammunition and Ordnance
- Launch Vehicles, Guided and Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
- Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
- Vessels of War and Special Naval Equipment
- Tanks and Military Vehicles
- Aircraft and Associated Equipment
- Military Training Equipment
- Protective Personnel Equipment
- Military Electronics
- Fire Control, Range Finder, Optical, Guidance, and Control Equipment
- Auxiliary Military Equipment
- Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
- Spacecraft Systems and Associated Equipment
- Nuclear Weapons, Design, and Testing Related Items
- Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
- Directed Energy Weapons
- Gas Turbine Engines
- Submersible Vessels, Oceanographic, and Associated Equipment
- Articles, Technical Data, and Defense Services Not Otherwise Enumerated
All military weaponry and information about that weaponry fall under one of these categories. Any organization that performs manufacturing, research, or exports related to articles falling under these categories must register with the Directorate of Defense Trade Controls (DDTC) and follow ITAR regulations.
How Can an Organization Be ITAR Compliant?
There are a few key steps any organization must take to meet ITAR compliance:
- Register With the DDTC: This step comes before any other and is necessary to perform any work managing USML articles in any way. Per the DDTC website, all “manufacturers, exporters, temporary importers, and brokers of defense articles (including technical data)” falling under the USML must register with the DDTC.
- Enact an ITAR Compliance Program: ITAR requirements specify that organizations must have a documented ITAR compliance program that outlines the monitoring, tracking, and auditing of technical USML data that falls under ITAR’s jurisdiction. Furthermore, the DDTC recommends that you mark sensitive materials with an ITAR designation to support compliance among employees.
- Implement ITAR Security: Compliance will follow the security clearance of the data. If information managed as part of ITAR is classified, it will most likely carry its own security compliance demands (including using specific router networks like the Secret Internet Protocol Router Network). If, however, an organization manages Controlled Unclassified Information (CUI)—sensitive information related to weaponry and defense that is not classified—then security compliance can follow the National Institute of Standards and Technology Special Publication 800-171.
How Does ITAR Apply to Tech Companies?
The growing dependence of defense agencies on third-party contractors has created a parallel dependence on vendor-provided IT infrastructure for these agencies and their partner contractors. These types of infrastructure include Software-as-a-Service (SaaS) applications, cloud storage, government solutions, and crucial technologies for most organizations.
Because systems like cloud storage are so critical to the operations of defense contractors and agencies, it is also important that any system managing “articles, technical data, and defense services” (classified or not) meet the minimum compliance requirements.
This plays out in two different ways. In terms of CUI or classified data, an organization must follow the regulations to protect those specific forms of data. Additionally, per ITAR requirements, these organizations were, before 2020, required to ensure that data centers were managed only by U.S. citizens located in the United States.
In March 2020, the State Department decided organizations can share unclassified technical data with their supply chain outside the United States so long as the communication has been secured with end-to-end encryption.
What Are the Penalties for Noncompliance With ITAR?
According to ITAR documentation on the DDTC website, it is considered unlawful to do any of the following:
- Export, import, or conspire to import or export defense articles from the United States without approval from the State Department
- Import, export, or broker the exchange of defense articles without proper licensing
- Manufacture defense articles in partnership with the government without complying with licensing and security regulations
- Commit fraud in an attempt to obtain ITAR compliance, licensing, or other approval for exporting, importing, or brokering defense articles
Penalties are resolved through what is called a “consent agreement,” where an organization in violation of ITAR undergoes monitoring and remediation alongside financial penalties through a process that can last three to four years.
Per the DDTC website, there are two tiers of penalties:
- Civil Penalties: Civil penalties are governed by ITAR Article 128 and include penalties of at least $1M per violation and possible debarment, at least during a period of remediation governed by a consent agreement. Civil penalties are typically seen as unintended or correctable, allowing for a consent agreement.
- Criminal Penalties: Criminal penalties are governed by AECA 22 U.S.C. 2778(c) and generally apply to organizations knowingly and willfully violating ITAR. Penalties are a minimum of $1M per violation or up to 20 years in prison and debarment.
Maintaining Safe Systems and ITAR-secure Information
Organizations working in the Department of Defense supply chain already handle important, sensitive data. Those managing technical information as part of the management of the U.S. Munitions List have even more responsibilities to ensure that information doesn’t fall into the wrong hands. That’s why it is important to work with cloud and data management systems that can meet strict security requirements in and outside of the defense industry.