What is ITAR Compliance?
International Traffic in Arms Regulations (ITAR) is a set of United States regulations (22 CFR Parts 120-130), administered by the State Department's Directorate of Defense Trade Controls (DDTC), that control the manufacture, export, and transfer of defense and space-related articles, defense services, and the associated technical data, as defined in the United States Munitions List (USML).
The main aim of these regulations is to ensure that foreign persons (ITAR's term for anyone who is not a US citizen, permanent resident, or protected individual) cannot access defense articles or controlled technical data unless they have been specifically authorized to do so.
Who needs ITAR Compliance?
Any company involved in the design, development, manufacturing, export, or distribution of items listed on the USML must be ITAR compliant. This includes:
- Wholesalers
- Distributors
- Computer software/hardware vendors
- Third-party suppliers
- Contractors
All manufacturers, exporters, and brokers of defense articles, defense services, and related technical data must be ITAR compliant, which starts with registering with DDTC.
In this blog, we will discuss what measures a hardware or software contract service and system provider needs to take for ITAR compliance.
Technical data handled by a service provider broadly falls into two categories: 1) project information, technical datasheets, and development code, and 2) product/solution and end-user related data. Let's look at how ITAR compliance applies to each.
Project information, technical datasheet, and development code
ITAR sets out what must be controlled, but it is the contract service provider's responsibility to put in place the measures and processes that prevent a violation. Data security is the most critical consideration when drafting these policies. The service provider needs to create a dedicated, ITAR-specific security policy, ensure it is actually implemented, and update it whenever ITAR changes.
When we talk about 'controlled data access' under ITAR, it covers both network access and physical access to the data. ITAR compliance also requires the service provider to protect against a malicious insider who may be working on behalf of a foreign state. Note that disclosing controlled technical data to a foreign person, even inside the US and even by accident (for example, a foreign-national employee viewing controlled drawings on a shared screen), is itself an export under ITAR, so access control must be enforced at the level of individual people, not just of sites and networks.
How does this work in practice? At eInfochips, we have created a three-layered security framework:
- Physical security: The work area is physically isolated, monitored by CCTV, and entered only through biometric access control
- Network security: The work area has its own network, isolated from all other networks at the ISP, firewall, and server levels, with traffic between sites and to end systems protected by IPsec and TLS
- Logical security: The project is executed at a location where there is no conflict of interest with other business
Systems are in place for physical security, data security, redundancy, and performance/scalability. The set-up is physically and logically isolated, with biometric access control and CCTV surveillance, is completely separated from the rest of the eInfochips network, and has its own layers of security from the perimeter to the end user, including data leakage prevention (DLP) and advanced threat management from the gateway to the endpoint.
In addition to data security, a service provider should also formulate data classification guidelines that drive its data leakage prevention rules. Individuals are often unsure whether the data they hold falls within the scope of ITAR. A classification scheme (for example, marking ITAR-controlled documents, drawings, and source trees as such when they are created) tells each individual which handling and protection measures apply to which type of data, and gives the DLP tooling something concrete to match on.
Product/Solution and end-user related data
As connected devices and IoT become a reality for avionics, the cloud has become part of most avionics solutions. When the 'cloud' is used for data storage, the technical data may be replicated to a number of locations around the world and serviced by administrators who are foreign persons.
The State Department's long-standing position has been that ITAR-controlled technical data stored overseas is considered exported even if it is encrypted: once the information is stored outside the US it has left US borders, regardless of who can actually read it. Since March 2020 ITAR has carved out a narrow exception (22 CFR 120.54): unclassified technical data that is end-to-end encrypted with FIPS 140-2 compliant cryptography of at least AES-128 strength, where the decryption key is never made available to the cloud provider or any other third party, and that is not stored in or sent through a country proscribed in 22 CFR 126.1 or Russia, is not treated as an export. The burden of proving that no foreign person could access the plaintext or the key still falls on the provider, which is hard to demonstrate for a general-purpose cloud region. Service and solution providers therefore turn to AWS GovCloud (US), an isolated AWS partition whose regions are located in the US and operated by US-person staff, to manage the regulatory issues of storing such data in the cloud.
The aim of all this is to ensure that information about military and defense technologies is shared only with US persons and authorized US entities, and with foreign parties only under an export license or other DDTC authorization.
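As an added illustration (not part of the original post, and not eInfochips' own configuration), this is the kind of S3 bucket policy a provider would attach to an ITAR technical-data bucket in AWS GovCloud (US). The bucket name `example-itar-techdata`, the account ID `123456789012`, and the KMS key ARN are placeholders. The policy refuses any request that does not use TLS, any upload that is not encrypted with the designated customer-managed KMS key, and any access from a principal outside the account; the `aws-us-gov` partition in the ARNs is what ties the bucket and key to the GovCloud regions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-us-gov:s3:::example-itar-techdata",
        "arn:aws-us-gov:s3:::example-itar-techdata/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::example-itar-techdata/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::example-itar-techdata/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
        }
      }
    },
    {
      "Sid": "DenyPrincipalsOutsideAccount",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-us-gov:s3:::example-itar-techdata",
        "arn:aws-us-gov:s3:::example-itar-techdata/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:PrincipalAccount": "123456789012" }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind. First, the policy controls where the data sits and how it is encrypted, but ITAR is ultimately about who can read it: the IAM identities that are granted access to this bucket, and the people behind the KMS key policy, still have to be screened as US persons, and the key policy should be just as restrictive as the bucket policy. Second, the last statement is deliberately strict and will also block AWS service principals (for example, server access logging delivery), so any such integration needs an explicit exception rather than a broader loosening of the rule.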
With expertise in DO-254, DO-178B, DO-178C, DO-160, and ARP4754 compliant avionics systems, eInfochips is a one-stop solutions provider of critical avionics for commercial, business, military, and UAV programs. A majority of the work relates to supporting DAL-A systems in compliance with FAA and EASA requirements, addressing the business needs of global aerospace companies across hardware, software, and system engineering. We also provide mechanical engineering services for avionics systems.