What is ITAR Compliance? Definition and Regulations

Learn more about ITAR compliance, requirements, and penalties. Find the definition, detail of regulations, types of defense articles, and more from Varonis.
Michael Buckbee
4 min read
Last updated June 9, 2023

The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens can access that data on its network, and so remain ITAR compliant? Limiting access to physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?

Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies that can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations. Businesses that typically fall under ITAR include:

  • Wholesalers
  • Distributors
  • Computer software/hardware vendors
  • Third-party suppliers
  • Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple: only U.S. citizens can access items on the USML.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with locally hired employees unless it obtains State Department authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

The penalties for ITAR infractions are stiff:

  • Civil fines up to $500,000 per violation
  • Criminal fines of up to $1 million and/or 10 years imprisonment per violation

In April 2018, the State Department fined FLIR Systems, Inc. $30 million in civil penalties for transferring USML data to dual-national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee its agreement with the State Department.

In 2007, ITT took a $100 million fine to the face for exporting night-vision technology illegally. ITT thought it could work around the restrictions; the Government didn’t agree with its interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. federal regulation, the federal government’s own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR-regulated materials should use NIST SP 800-53 as a baseline for its own security standards. Follow these basic principles to secure your ITAR data:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate
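As an added example (not Varonis code and not from the original article), the Python script below combines two of the points above: it discovers files carrying the ITAR notice the article recommends tagging each page with, and flags any that are readable by every local user, the POSIX equivalent of a global access group. The marker text, the directory layout and the sample files are assumptions constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Assumed marker (not from the article): each ITAR page carries a notice like this.
ITAR_MARKER = re.compile(r"\bITAR[ -]CONTROLLED\b", re.IGNORECASE)


def is_itar_marked(text: str) -> bool:
    """Discover/classify step: does the document carry the ITAR notice?"""
    return ITAR_MARKER.search(text) is not None


def world_readable(mode: int) -> bool:
    """POSIX stand-in for a 'global access group': any local user can read it."""
    return bool(mode & stat.S_IROTH)


def scan_tree(root: str) -> list:
    """Walk root and report every ITAR-marked file plus whether it is exposed."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    marked = is_itar_marked(fh.read())
            except OSError:
                continue  # unreadable to us: skip, do not guess
            if marked:
                exposed = world_readable(os.stat(path).st_mode)
                findings.append({"path": path, "exposed": exposed})
    return findings


def demo() -> list:
    """Build a constructed sample tree (no real technical data) and scan it."""
    root = tempfile.mkdtemp(prefix="itar-demo-")
    samples = {  # name: (content, POSIX mode)
        "drawing-001.txt": ("ITAR CONTROLLED - US persons only\n<notes>\n", 0o644),
        "drawing-002.txt": ("ITAR-controlled: see DDTC authorization\n", 0o640),
        "lunch-menu.txt": ("Tuesday: tacos\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return sorted(scan_tree(root), key=lambda f: f["path"])
```

On Windows or SMB shares the mode bits carry no group semantics, so the `exposed` check would have to read the NTFS ACL (for example, membership of Everyone or Authenticated Users) instead.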

ITAR Compliance FAQs

  1. How can Varonis help me find all of my ITAR data?
    The Data Classification Engine identifies and classifies regulated data on your core data stores – both on-premises and in the cloud. You can configure rules to identify ITAR data and even apply custom tags, flags, and notes to regulated data.
  2. Who can access this ITAR data?
    Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
  3. How will I know if my ITAR data is accessed?
    Varonis DatAlert monitors your data and triggers alerts when it is accessed, including any folder holding your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
  4. How can I manage access to ITAR data?
    The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline data access governance, automatically enforce security policies, and demonstrate compliance to government auditors.
