Is ITAR compliance on your radar?
Any manufacturing, sale, or distribution of defense and space-related articles on the United States Munitions List (USML) is subject to ITAR. While defense contractors are clearly affected by ITAR, any company that participates in the supply chain for USML products must still meet ITAR requirements. Even products primarily having civil use can fall under ITAR.
ITAR was put in place to meet US national security and foreign policy objectives, which means the government can impose criminal and civil penalties for noncompliance. Civil ITAR violations can result in penalties of up to $1.09 million per violation, and enforcement is robust and growing; dedicated FBI agents and other domestic agencies work with the State Department to closely monitor exporting and ITAR compliance.
ITAR stipulations revolve around technical data pertaining to USML. This regulated technical data may only be used by US persons employed by the US government or a US company. The Commerce and State Departments consider even the ability to access controlled technical data to be a violation. All companies that handle manufacturing, exports, or data for items on the USML must register with the government and obtain prior authorization for exporting abroad. Items on the USML can change over time, and companies must keep abreast of these changes.
“If a company is a player in this industry, it likely deals with items on the munitions list,” said Richard Katz, an attorney very familiar with ITAR. “If so, they have to register with the office of the State Department overseeing ITAR regulations.”
Suggestions for meeting ITAR requirements also encompass IT best practice and include:
- Ensuring regulated data is strongly encrypted at all times, using encryption that meets a standard such as FIPS 140-2
- Only allowing authorized individuals access to regulated data
- Uniquely identifying individuals and requiring strong authentication when they need access to controlled data
- Reviewing individual access rights regularly and terminating access to data when it is no longer necessary
- Capturing and logging all incidents related to data access for monitoring and reporting purposes
- Classifying controlled data and ensuring it does not become mixed with normal corporate data
- Monitoring and looking into all red flags
Because ITAR’s requirements are so complex and the consequences of noncompliance are high, a company that has any chance of being subject to ITAR should seek legal clarification to know for sure. ITAR compliance is a moving target: a compliance effort must stay current with new regulation and enforcement trends and adapt to company growth.
To learn more about robust support for ITAR compliance, get in touch with CyberStreams at (425) 2 or firstname.lastname@example.org.