In Fidem: ITAR/EC-Controlled Data
Canada and the United Kingdom both enforce similar export regulations through the Controlled Goods Directorate (CGD) and the Export Control Organisation (ECO). Domestic laws restricting exports are known as “Export Control” (EC). A broad range of commercial goods, including certain off-the-shelf valves, gauges, electronics, computers, optics, sensors, software, and other items of a seemingly commercial nature are EC-regulated. Many of these items do not have to be solely of U.S. origin to be subject to ITAR/EC.
At times, the agencies share overlapping jurisdiction and a license may be required from more than one agency for the same export, service, or other activity. Also, each agency’s regulations set forth its own prohibitions, requirements, and processes. At times, this maze of regulatory red tape seems unfair to companies looking to conduct legitimate business abroad.
Using the Wassenaar Arrangement as a common denominator, EC authorities in 40 participating countries restrict exports of a wide range of commercial and military products, information, and services. The Wassenaar Arrangement was established in 1995 to contribute to regional and international security and stability by promoting transparency and greater accountability in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.
Who should be concerned?
While business management should be concerned with ITAR/EC, IT management – as the custodian of information and information technologies within the business – must sort through the intricacies of such regulations and understand the impact of ITAR/EC requirements. Take a moment to consider the following cases:
- Trade show presentations
- Travel overseas with a laptop, removable storage device, or documents
- Access to IT infrastructure from out-of-country locations
- Email to a foreign supplier or out-of-country co-worker
- Storage in out-of-country datacenters
- Reuse of source code or intellectual property in a non-defence product
- Allowing a foreign national to visit a lab or a factory
- Use of global technology services such as software as a service (SaaS) or cloud-based services
IT management should be aware that all of the above activities are possible exports or “deemed” exports, and IT management professionals must determine how ITAR/EC requirements apply to the organization.
Why focus on ITAR/EC?
Information and material related to ITAR/EC technology may be shared only with authorized persons unless a license or special exemption is obtained from the government. Heavy fines are imposed not only for tangible transfers of technology and information but also situations in which an export has been “deemed” to occur, such as sales presentations and proposals to unauthorized persons or entities or the accessing of controlled information by authorized personnel when traveling outside the country.
The range of information controlled under ITAR/EC regulations is broad and includes not only the products themselves, but also informational assets: designs, test information, processes, software, communications, and documents.
ITAR/EC compliance is all about risk management; there are choices to make. One may think that the authorities will use the big stick, but oftentimes it is the competition that will use the law against the unprepared. Since violations can result in criminal liability for the company, including imprisonment of the company’s owners and employees, it is imperative for firms to have a clear understanding of the ITAR/EC sanctions that individuals and companies face, such as: penalties, criminal fines, debarment, ban on exports, seizure of products and information, sanctions and announcements, or contract termination.
ITAR/EC is all well and good, but I’m not in the military business!
If your company is mainly a civil manufacturer, introducing ITAR/EC goods and technologies into its civil programs will adversely impact the merchantability of its civil programs. It is therefore essential that your company’s civil products remain free of EC content, particularly U.S. ITAR content. This leads to the concept of “ITAR-free” goods, information, or services. The ITAR-free label is often used by companies wishing to demonstrate their efforts to avoid contamination.
To address compliance today, most organizations still employ traditional security methods to control ITAR/EC-related informational assets. But IT touches everything in modern businesses, and these types of solutions are not broad enough in scale. They also present fundamental organizational challenges and a competitive disadvantage as the industry moves to IT globalization.
One of the most challenging aspects of ITAR/EC is that, unlike other regulations, these rules clearly identify prohibitions and punishments but offer no standards, guidelines, or checklists, and provide no amplifying language for IT management professionals.
ITAR/EC is all well and good, but I’m not exporting anything!
Many executives believe the purpose of ITAR/EC is simply to regulate exports. However, EC regulations are far broader, covering a wide variety of purely domestic commercial activities. Even if you are not exporting, you are still subject to certain ITAR/EC requirements. For example, you need to obtain authorization for the import of defence items; you need to avoid data transfers to foreign nationals in the U.S.; and you need to enforce record keeping even if your only customer is DOD, MOD, NATO, or DOD overseas.
Taking action and getting started today
Many companies are subject to ITAR/EC requirements, but few of them take pre-emptive action for lack of proper understanding of the nuts and bolts or uncertainty with respect to the many regulations. Becoming ITAR/EC compliant is a long journey that requires a thoughtful approach. Here are examples of measures your company should enforce:
- Register with the government
- Prohibit transferring software
- Do not export without a license
- Do not import without a temporary import license
- Enforce record keeping, logging
- Restrict payment of fees
- Restrict information transfer with debarred firms
The “wait and see” approach is clearly not an option, as ITAR/EC non-compliance can seriously endanger your business activities. You have a lot to do, so you’d better take action as soon as possible. Furthermore, preparing for ITAR/EC compliance sends a signal to competitors and prospects and can lead to new business opportunities, which is good news.
There is a history of criminal prosecution in the public domain against exporters for ITAR/EC violations. In a recent case, the defendant argued that he was not responsible for ITAR/EC compliance because the laws are too complex to understand. The court disagreed and upheld the conviction while acknowledging that “putting together the pieces of this regulatory puzzle is not easy.”
Given all this, where should IT begin? What problem should it tackle first?
Based on real world projects, there are five ITAR/EC challenges for business and IT management professionals:
- Delineate a protection perimeter, both logical and physical.
- Classify, label, and track ITAR/EC-related informational assets.
- Take into account transfers with external partners: outsourcing, SaaS, cloud computing.
- Dock ITAR/EC compliance to existing compliance frameworks.
- Implement efficient and dedicated security controls.
ITAR/EC compliance is all about geography: location of datacenters, tracking of assets, employees’ place of birth, email destination.
Because every company is different, we have developed a quick way to prioritize solution components. This first step is a 4- to 5-week assessment consisting mainly of a careful risk-mapping process. This approach allows the company to evaluate its maturity and establish internal compliance program objectives. The process is tailored to the company’s business model, perimeter, objectives, and processes. The end result is two deliverables: a risk map and an action plan.
After conducting this assessment, the next step is to design and implement an ITAR/EC internal compliance program. In Fidem’s ITAR/EC Information Security Management System (I3SMS) manual was created for this purpose. This document uses recognized reference frameworks such as the PCI DSS and ISO 27001 standards as a base. It identifies ten high-level compliance tasks:
- Delineate a perimeter (logical and physical).
- Classify and label informational assets.
- Manage human resources.
- Manage access to informational assets.
- Track informational asset movements.
- Maintain a secure IT infrastructure.
- Set up a training program.
- Monitor & periodically test security systems.
- Manage incidents and vulnerabilities.
- Integrate asset security into the existing security management framework.
The next step is to set up a tailored compliance program using a prioritized, risk-driven approach that enables you to select the tasks most appropriate to your business. Implementing this customized program can take between 3 and 12 months, depending on the target perimeter (i.e., a project team, a business unit, the whole company).
In addition to providing reliable progress metrics, this approach leads to immediate gains, makes it possible to do the work in steps, and facilitates financial planning.
In many respects, ITAR/EC is just another cost of doing business in today’s global marketplace. It cannot be ignored.
Management must dedicate the right level of resources and attention to ITAR/EC compliance, stay informed of changes to the regulations (such as the August updates to Section 126.18), follow other applicable laws, and adjust each compliance step as needed. While this may all seem very complex, the two simple steps described in this paper are a scalable and organized approach to ITAR/EC compliance that can reduce risk, lower control costs, and help keep your company’s markets open.
Jean Loup Le Roux has a professional background in the military defence, nuclear and aeronautic sectors with a focus on Export Control. He joined In Fidem as an Information Security Consultant.
This article contains general, condensed descriptions of actual legal matters and opinions, and is for information purposes only. It is not meant to be legal advice and is not contractual. Readers with particular needs regarding specific issues should contact In Fidem Inc.
© FrontLine Security 2011