International Traffic in Arms Regulations (ITAR) mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only.
According to the US government, anything on the U.S. Munitions List falls under ITAR. Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.
ITAR’s rules present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.
The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.
Noncompliance can result in heavy fines and significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.
Case in point: In 2014, a defense-related company was fined $10 million for unauthorized exports of defense articles, including technical data. The State Dept.’s review found that this company had poor controls for record keeping.
Varonis can be a strong part of your compliance efforts. We’ve worked with organizations to map and understand who can and has accessed ITAR relevant data in documents, spreadsheets, presentations, and other content stored across their IT infrastructure.
Below are three critical data protection questions that we help our customers subject to ITAR answer:
- Where is ITAR information being stored? With the Varonis Data Classification Framework and using an appropriate search pattern, we’ve been very successful in finding relevant technical data in Windows File Servers, NAS Devices, Unix/Linux servers, and SharePoint.
- Who has accessed it? Has an unauthorized person accessed ITAR-controlled data? Any sys admin will tell you that it’s not easy to find out within a Microsoft or Linux environment. Active Directory, for example, doesn’t provide granular access logs. But with DatAdvantage, you can see this information graphically in a clean, user friendly UI, or as an exportable report.
- How can you keep this from happening again? Prevention is the next question to take up. After we know where the ITAR data is located, we help them remove unauthorized access and set up real-time notifications using DatAlert to spot unauthorized attempts. Finally, we implement DataPrivilege to enforce ITAR’s controls for record keeping and file access administration.
Are you 100% sure only authorized users are accessing your ITAR data? If not, Varonis can tell you. Try it for free!