You may have already heard about GDPR and CCPA compliance and what they involve when it comes to consumer data in our rapidly changing digital world. But how much do you know about the International Traffic in Arms Regulations (ITAR)?
The ITAR was passed into law by the US government to limit access to physical materials or technical data related to defense and military technologies. Considering how easily sensitive information can end up in the wrong hands, this was a necessary step for everyone’s safety.
In this article, we’ll break down what this regulatory compliance implies and which businesses need to comply with it. We’ve also put together a quick ITAR compliance checklist.
The International Traffic in Arms Regulations (ITAR) is the US regulation that controls the manufacture, sale, and distribution of defense articles, services, and technology as defined in the United States Munitions List (USML).
Generally, ITAR is enforced by the Directorate of Defense Trade Controls (DDTC) in the State Department.
There are 21 categories of defense articles mentioned in the USML as follows:
Defense services involve the following:
Technical data includes elements such as:
These parties must be fully aware of and fully compliant with ITAR.
Third-party contractors that work with them are also subject to ITAR regulations, as are all the other companies in the supply chain, including:
“U.S. person means a person who is a lawful permanent resident or who is a protected individual. It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. It also includes any governmental (federal, state or local) entity.” - ITAR, Section 120.15
Note: There are certain countries that currently have standing agreements with the U.S. that apply to ITAR, such as Australia, Canada, and the U.K.
Let’s move on to the next step and delve into what you should keep in mind when getting yourself ITAR-ready.
Once you've determined that ITAR applies to your business, the first step toward becoming compliant is to register with the DDTC.
There is a non-refundable fee associated with registration and also a few important points to remember:
This way, you’ll have your documents processed and approved before the deadline.
Key tip: To keep your ITAR registration up to date, you should designate a person in your company responsible for managing the renewal each year.
It’s time to create and implement a documented ITAR compliance program, which should include tracking, monitoring, and auditing of technical data. When it comes to technical data, it’s essential to train your employees to understand what type of controlled information has to be kept safe from unauthorized users.
The DDTC defines a good program as being “clearly documented in writing, tailored to the business, regularly reviewed/updated and fully supported by management”.
In short: As secure as possible. Also, companies that manage ITAR-regulated materials and data can follow the data security guidelines provided in NIST SP 800-53.
There are a few basic principles you can follow to secure your ITAR-related data:
Note: The new ITAR encryption rule that came into effect on March 25, 2020 releases the transmission of unclassified defense technical data using end-to-end encryption from ITAR control.
However, the foreign person who receives the technical data has to be authorized before they are provided with the access information that allows them to access that data in unencrypted form.
A key element in showing ITAR compliance is visitor scanning, tracking and record-keeping—core functions of a visitor management system. We could even call it an ITAR visitor logbook.
Is there such a thing as an ITAR-compliant visitor logbook? Sure there is.
A cloud-based visitor management system like Proxyclick can provide your business with the vital elements required and create a seamless and secure check-in experience for your visitors.
In addition to regulatory compliance with many other global laws, Proxyclick can help you manage your visitors around the following ITAR compliance requirements:
Non-compliance with the ITAR regulation can result in significant fines, brand and reputation damage, and even potential loss of business to a competitor who's on top of their corporate governance.
The penalties for ITAR violations include civil fines up to $500,000 per violation and criminal fines of up to $1 million and/or 10 years imprisonment per violation.
Bearing in mind that no two companies are exactly alike, here's a good starting point to use as your ITAR checklist:
Note: Considering all regulations can change over time, you should regularly revisit and revise your ITAR compliance measures.
An annual edition of ITAR regulations is published each April; however, you shouldn’t wait until then to familiarize yourself with the ITAR compliance requirements.
Changes within your company—a new partnership with another organization or the introduction of a new data-sharing application—are a great opportunity to revisit ITAR regulations and make sure that all your processes and business partners are 100% compliant.
Becoming compliant and maintaining that status on a day-to-day basis can require significant effort, but consider us a trusted partner in helping you meet your compliance objectives.
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.