ITAR: Defending the defense industry

ITAR: Defending the defense industry

We help you become ITAR compliant

There are few more security-critical industries than defense. Ensuring information pertaining to national security is kept secure and out of unauthorized hands are vital considerations that every company connected to defense articles must consider. End-to-end encryption, coupled with granular access controls and data residence options, are must-have features of any cloud storage service used by the industry.

The term  "end-to-end encryption" (E2EE) is defined by ITAR as "(i) The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary); and (ii) The means of decryption are not provided to any third party."

The Tresorit applications enable you to satisfy both (i) and (ii) which is good news for organizations sharing unclassified technical data over the internet because there is no worry about the fact that the data may accidentally be routed through foreign networks. ITAR § 120.54 provision provides that the properly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import.

Tresorit’s end-to-end encryption architecture enables organizations to share Controlled Unclassified Information (CUI) with partners and vendors in a secure manner. Thanks to the ease of use of the Tresorit file sharing solution organizations’ security is greatly improved when collaborating on CUI documents, because the risk of user error decreases dramatically.

ITAR – The what, where, and why

The International Traffic in Arms Regulation, commonly known as ITAR, is a ruleset that regulates the export and import of defense and military-related technologies listed on the United States Munitions List (USML). It requires that any company connect to items listed on the USML in any way (research & development, manufacturing, import, and export, etc.) or technical data related to listed items (blueprints, documentation, repair, maintenance, assembly, operation, etc.) be ITAR compliant.

What are the implications of not complying with ITAR guidelines?

The mandate at the core of ITAR is ensuring that any data connected to the manufacture, sale, distribution, or operation of military or defense technology is restricted to US citizens. These guidelines can cause significant headaches for international companies. Their operations may require that sensitive information be accessed by US nationals stationed worldwide or force them to limit access to specific files to selected employee groups.

Violations of the regulations can result in both civil and criminal liability. Sanctions can include fines, being barred from future operations in the defense industry, and imprisonment. In April 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Under ITAR, disclosing information to any foreign nationals in the US is considered an export.

How does Tresorit support compliance with ITAR?

Zero-knowledge end-to-end encryption (E2EE) is the most reliable way of protecting ITAR-regulated data. An ITAR amendment, effective from March 2020 and known as “Encryption Carve-Out,” recommends using client-side end-to-end encryption to protect sensitive information. The rules also state that if controlled technical data is encrypted using end-to-end encryption, the transfer of such data outside the US does not require an export license. Tresorit offers a wide variety of security features to ensure ITAR-compliance:

  • Securing ITAR data: Tresorit provides military-grade security for storing and organizing sensitive technical data.
  • Managing access rights and permissions: Role-based user rights for managing subscription policies and various access permissions allow companies to control who has access to ITAR-regulated data efficiently.
  • Sharing ITAR attachments via secure links: Emails are often the most effective method of sharing information. However, attachments are a major security risk. Using Tresorit, attachments can be replaced with E2EE sharing links to maintain ITAR compliance. By setting passwords, expiration dates, and disabling downloads, employees retain full control over shared files.
  • ITAR-compliant collaboration with third-party suppliers, contractors, etc.: E2EE file requests allow companies to request information from partners while remaining ITAR compliant and avoiding email attachments.
  • Manage users and monitor file activity: The admin dashboard provides easy access to detailed activity reports, user management, authorized devices, team-based policies, and essential user statistics.

These rules empower defense companies to benefit from cloud services so long as they meet the requirements set out in ITAR. Tresorit goes further and allows them to overcome the headaches of compliance without hassle while ensuring all data remains secure. Take your first steps to a new form of security with Tresorit.