The International Traffic in Arms Regulations (ITAR) 101
You may have already heard about GDPR and CCPA compliance and what it means for consumers’ personal data in our data-dominated world. But how much do you know about the International Traffic in Arms Regulations (ITAR)?
“Being compliant” is a buzz-phrase these days, but ITAR is no passing phase. The US government wants to limit access to physical materials and technical data related to defense and military technologies. Considering how easily sensitive information can end up in the wrong hands, this is a necessary step for everyone’s safety.
Now, let’s explore what this regulation implies and which businesses need to comply with it.
What is ITAR all about?
The International Traffic in Arms Regulations (ITAR) is the US regulation that controls the manufacture, sale, and distribution of defense articles, services, and technology as defined in the United States Munitions List (USML).
ITAR is administered and enforced by the Directorate of Defense Trade Controls (DDTC) in the State Department.
There are 21 categories of defense articles and services, as well as related technical data in the USML. The categories include:
- Firearms, close assault weapons, and combat shotguns
- Guns and armament
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives and energetic materials, propellants, incendiary agents, and their constituents
- Surface vessels of war and special naval equipment
- Ground vehicles
- Aircraft and related articles
- Military training equipment and training
- Personal protective equipment
- Military electronics
- Fire control, laser, imaging, and guidance equipment
- Materials and miscellaneous articles
- Toxicological agents, including chemical agents, biological agents, and associated equipment
- Spacecraft and related articles
- Nuclear weapons-related articles
- Classified articles, technical data, and defense services not otherwise enumerated
- Directed energy weapons
- Gas turbine engines and associated equipment
- Submersible vessels and related articles
- Articles, technical data, and defense services not otherwise enumerated
Defense services involve the following:
- providing assistance, including training, to foreign persons on anything related to the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles
- providing foreign persons with controlled technical data
- military training of foreign units and forces
Technical data includes elements such as:
- information other than software for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles; this information can be in the form of blueprints, photographs, plans, and more
- classified information about the defense articles and defense services listed above
- software directly related to defense articles
Who needs to be ITAR compliant and what does that really mean?
These parties must be fully aware of, and fully compliant with, ITAR:
- Any company that does business with the U.S. military
- Any organization that handles information concerning defense articles, services, or related technical data listed in the USML
And what of third-party contractors?
This regulation also applies to the third-party contractors that work with them, and to all companies in the supply chain, including:
- Tech companies
- Third-party suppliers
The basic rule that all the parties mentioned above have to follow is this: only U.S. persons, as ITAR defines them below, may access items on the USML.
“U.S. person means a person who is a lawful permanent resident or who is a protected individual. It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. It also includes any governmental (federal, state or local) entity.” - ITAR, Section 120.15
Note: There are certain countries that currently have standing agreements with the U.S. that apply to ITAR such as Australia, Canada, and the U.K.
Let’s move on to the next step and delve into what you should keep in mind when getting yourself ITAR-ready.
How can your business comply with the ITAR requirements?
Once you've determined that ITAR applies to your business, the first step toward becoming compliant is to register with the DDTC mentioned above.
There is a non-refundable fee associated with registration, and two important points to remember:
- You are required to renew your ITAR registration every 12 months.
- You should submit your ITAR registration renewal documents at least 60 days prior to the expiration date of your registration.
This way you’ll have your documents processed and approved before the deadline.
Key tip: In order to keep your ITAR registration up to date, you should designate a person in your company who is responsible for managing the renewal each year.
Post-registration: next steps
It’s time to create and implement a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. When it comes to technical data, it’s essential to train your employees in understanding what type of controlled information has to be kept safe from unauthorized users.
The DDTC defines a good program as being “clearly documented in writing, tailored to the business, regularly reviewed/updated and fully supported by management”.
In short: as secure as possible. Companies that manage ITAR-regulated materials and data can also follow the data security controls provided in NIST SP 800-53.
There are a few basic principles you can follow in order to secure your ITAR-related data:
- Discover and classify sensitive data: locate and secure all sensitive data and classify it based on your business policy
- Map data and permissions: identify all the users, groups, folder and file permissions involved in your data handling process and clearly determine who has access to what data
- Manage access control on your data: identify and deactivate stale users and manage user and group memberships to improve the security of your file-sharing process
- Monitor data, file activity and user behavior: spot and prevent threats, malware, misconfigurations and security breaches before they cause harm
So what does ITAR mean for visitor management?
A key element in showing ITAR compliance is visitor scanning, tracking and record-keeping—core functions of a visitor management system.
A cloud-based visitor management system like Proxyclick can provide your business with the vital elements for a seamless and secure check-in process.
In addition to regulatory compliance with many other global laws, Proxyclick can help you manage your visitors following ITAR stipulations:
- Make pre-registration of all visitors and contractors mandatory
- Use facial recognition technology for identity verification at check-in with our ID Match feature
- Verify countries of origin or citizenship of your visitors
- Customize check-in questions for business purpose of visit and level of authorization needed
- Screen visitors against watchlists to ensure authorization
- Alert security if unauthorized access is attempted
- Capture digital signatures on legal documents and NDAs
- Customize and print visitor badges with photos, QR codes for access, etc.
- Implement access control to areas of your premises with access control integrations
- Track visitor history and their precise movements for reporting and audit purposes
- Export data for all insurance- and audit-related queries
- And more...
What are the penalties for ITAR compliance violations?
Non-compliance with the ITAR regulation can result in significant fines, brand and reputation damage, and even potential loss of business to a competitor who's on top of their corporate governance.
The penalties for ITAR violations include civil fines up to $500,000 per violation and criminal fines of up to $1 million and/or 10 years imprisonment per violation.
Not to mention, regulatory costs are expected to double over the next five years.
Keeping up to date is a must
As these regulations can change in time, you should revisit and revise your ITAR compliance measures regularly.
An annual edition of the ITAR regulations is published each April; however, you shouldn’t wait until then to familiarize yourself with the ITAR requirements.
Changes within your company—a new partnership with another organization or the introduction of a new data-sharing application—are a great opportunity to revisit ITAR regulations and make sure that all your processes and business partners are 100% compliant.
Becoming compliant and maintaining that status on a day-to-day basis can require significant effort, but consider us a trusted partner in helping you meet your compliance objectives.
And stay tuned for more fresh content!
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.