Within the government’s Controlled Unclassified Information program, International Traffic in Arms Regulations (ITAR) data is what is known as a CUI Specified data type. Unless you are an export control specialist, you may not realize that ITAR data is governed by the Department of State’s Directorate of Defense Trade Controls (DDTC). The mission of the DDTC is to “Ensure commercial exports of defense articles and defense services are consistent with US national security and foreign policy objectives”. To that end, DDTC is responsible for oversight and management of ITAR across all organizations in the business of manufacturing, exporting, temporarily importing defense articles, or furnishing defense services.
Recently Mr. Arthur Shulman, who was the Acting Director of the DDTC at the time, spoke at the “Trends and Directions in the Aerospace and Defense Market” in Washington, DC. During his presentation, Mr. Shulman solidified a number of points that bear repeating and expanding upon as they impact the Aerospace and Defense market and how these organizations manage their CUI / ITAR data in accordance with DFARS 7012 and NIST 800-171.
I have discussed at length the DFARS 7012 requirement to report security incidents and breaches to the Dibnet (https://dibnet.dod.mil) as part of a comprehensive security plan that is required by the regulation. As everyone knows by now, you have 72 hours to make your initial report / submission when you have an incident. What you may not know is that you may have an additional requirement as part of the ITAR program.
Mr. Shulman specified during the conference that DDTC wants to be notified any time that a security incident resulted in unauthorized access to ITAR technical data. When you notify Dibnet and your contracting officer of the incident, there is a high likelihood that the notification will find its way to DDTC at some point during the investigation process. Mr. Shulman stressed that DDTC will look much more favorably on the situation if they hear from you before they find out about the incident from other avenues. Given that information, it is highly recommended that if a security incident involves ITAR data you should notify both Dibnet and the DDTC of the incident within 72 hours.
A second point made during the conference focused on protecting ITAR controlled data. There are a number of capabilities referenced:
- Know what you have by ensuring you have the proper United States Munitions List (USML) classification on the content. The USML is located at 22 CFR 121.1 https://www.ecfr.gov/cgi-bin/text-idx?SID=86008bdffd1fb2e79cc5df41a180750a&node=22:188.8.131.52.58&rgn=div5
- Know where you have it – Is it a physical item or is it electronic documentation? If it is electronic, what kind of system is it located in, where is the system physically located, and is that system properly protected? Since this data falls under the CUI AND ITAR controls, it must be protected to NIST 800-171 standards. If the data is in a cloud service, the service must be certified to FedRAMP moderate. To satisfy ITAR requirements, the data must physically reside in the US or in a country authorized by export license.
- Know who has access to it – This is critical as the information must be controlled so that only US Persons have access to it, to include users and administrators - unless you have the proper export license(s) in place. There are many software packages that you can leverage to ensure that you maintain positive control over your CUI and ITAR data. One solution that I have written quite a bit about is Office 365 and its capability for encrypting, classifying and marking content through the Azure Information Protection feature set.
This feature set alone isn’t enough as you need policies and a program around the capability. You may also need a more comprehensive marking capability depending on the amount of CUI and ITAR content you manage. However, it will certainly provide a toolset to help you maintain control over information.
- Use Best Practices to prevent ITAR Technical data violations – The three best practices mentioned by the Acting Director speak directly to the point I made above about Azure Information Protection in Office 365.
- Use Automatic Electronic Tagging
- Leverage Automatic electronic monitoring of access
- Provide Controls over unauthorized access and transfer
It is important to note that even if your organization follows every requirement within DFARS 7012 and NIST 800-171, it isn’t enough. If you are dealing with ITAR data you must integrate a robust IT Security program with a solid export control program. If you have one without the other you will leave your organization vulnerable from either a Security or Compliance standpoint, and potentially both. If you are interested in understanding the management of ITAR at a deeper level, I would recommend that you take a look at Matt Henson’s articles on LinkedIn: https://www.linkedin.com/in/matt-henson-tce/detail/recent-activity/posts/. He has an article entitled “Protecting Export Controlled Data: Shulman’s outgoing comments, DFARS, and what it means for your Trade Compliance program” where he outlines comments made by former Acting Directory Schulman and details how a Jurisdiction, Classification and Marking program along with other processes are key to ensuring a solid export control program.