What is Cyber Compliance?
In the context of this article, “Cyber Compliance” means ensuring that the location, access and transfer of export-regulated data in IT networks and systems complies with export regulations. Cyber Compliance requires companies to integrate export control requirements into IT architecture, administration and use.
Cyber Compliance differs from Cyber Security in that an environment may be secure, but not compliant. For example, if secure IT infrastructure is located in another country, housing export-regulated data within could result in an export violation. IT administrators and/or users could have the security credentials required to access data, but due to their employer, nationality or location, they do not have the export authorization to gain access, or potential access, to the data. A transfer of export-regulated data could occur through an encrypted channel, but the recipient of the data is an unauthorized Foreign Person. Cyber Compliance ensures unauthorized exports are prevented in IT (“export prevention”), while enabling authorized exports to occur in IT (“export enablement”).
Export Regulations and Cyber Compliance
Export compliance requirements have always applied to “Technical Data,” whether the data exists in hard-copy or electronic format. However, US export enforcement and compliance efforts (of the government and the governed) have traditionally focused on controlling exports resulting from physical access (e.g. foreign person employees, foreign person visitors, etc.) and physical transfers (e.g. shipments, hand-carries, etc.).
As business operations evolved to become globally-networked and information-driven, organizations’ export compliance programs remained focused on the physical domain. Thus, many organizations have yet to implement adequate cyber compliance programs. As a result, these organizations are regularly discovering and voluntarily reporting cyber compliance incidents to the US Department of State Directorate of Defense Trade Controls (DDTC), the U.S. regulator responsible for the International Traffic in Arms Regulations (ITAR).
In response to the increasing number of cyber compliance incidents, DDTC has included cyber compliance requirements in punitive actions known as Consent Agreements. In summary, the Consent Agreement cyber compliance mandates require companies to implement capabilities for identifying, controlling and tracking regulated information in IT networks and systems. Although not codified in regulation, these requirements represent DDTC’s cyber compliance expectations.
Achieving Cyber Compliance
To achieve cyber compliance, companies must have capabilities to identify what data is subject to what regulations and implement controls governing the location, access and transfer of regulated data. Answers to the following questions indicate a company’s cyber compliance capabilities and gaps:
Infrastructure – can your company readily identify:
- The companies that own, operate and service your IT infrastructure, to include the cloud and Disaster Recovery, and
- The geographic location, to include country, where the IT infrastructure is located?
Networks – can your company readily identify:
- The networks on which infrastructure resources reside, and
- The processes by which new infrastructure, applications and users are being provisioned/de-provisioned in the network(s)?
Applications – can your company readily identify:
- The applications containing regulated data and the infrastructure on which they reside, to include network file drives, email, collaboration suites (e.g. SharePoint), Customer Relationship Management (CRM), Product Lifecycle Management (PLM), Software Development Lifecycle (SDLC), Enterprise Resource Planning (ERP), Supplier Relationship Management (SRM), Manufacturing Execution Systems (MES), Quality Assurance Systems (QAS), etc.?
Administration – can your company readily identify:
- The personnel who administer infrastructure, networks and applications, to include identity attributes such as employer, geographic location, citizenship, etc.?
Users – can your company readily identify:
- Employees who have access to infrastructure, networks, and applications,
- Contractors who have access to infrastructure, networks and applications, and
- External Business Partner personnel who have access to infrastructure, networks and applications?
Data – can your company readily identify:
- What data is subject to regulatory control,
- When data is subject to regulatory control, the specific jurisdiction, classification and marking controls to which the data is subject, and
- The regulated data and its related regulatory controls across both structured and unstructured data?
Authorizations – can your company readily identify:
- Applicable authorizations (e.g. internal policies, DSP-5s, TAAs, etc.) that define compliant location, access and transfer criteria?
Integrated Controls – can your company readily identify:
- Authorized regulated data creation and storage locations (infrastructure, networks and applications),
- Compliant user access control mechanisms (infrastructure, network, application and data-level),
- Compliant administrator access control mechanisms (infrastructure, network, application and data-level), and
- Compliant regulated data transfer mechanisms (e.g. encrypted email, authenticated portal, etc.)?
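The three integrated controls above (authorized storage locations, compliant access control and compliant transfer mechanisms) can be expressed as a single attribute-based access-control decision, so that having security credentials is necessary but not sufficient. The following is an added example written for this article, not code from the original post or any vendor product. The attribute names (employer, citizenship, location), the simplified "authorization" model that stands in for a DSP-5, TAA or internal policy, the conservative rule that a person must be covered on all three attributes, and the sample people, companies and data records are all assumptions made for illustration; real criteria come from the company's actual authorizations.

```python
"""Attribute-based access-control (ABAC) check for export-regulated data.

Added example, not code from the original article. The attributes, the
simplified "authorization" model and the sample records are assumptions for
illustration; real location, access and transfer criteria come from the
company's actual authorizations (DSP-5s, TAAs, internal policies).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    """Identity attributes the article says an export decision depends on."""
    name: str
    employer: str
    citizenship: str  # country code (assumed attribute)
    location: str     # country the person is physically in (assumed attribute)


@dataclass(frozen=True)
class Authorization:
    """Simplified stand-in for an export authorization or internal policy.

    Assumed conservative rule: a person is in scope only if employer,
    citizenship AND current location are all covered by the authorization.
    """
    auth_id: str
    employers: frozenset
    countries: frozenset
    storage_countries: frozenset
    transfer_channels: frozenset


@dataclass(frozen=True)
class DataItem:
    """A marked record: jurisdiction, governing authorization and where it lives."""
    item_id: str
    jurisdiction: str  # e.g. "ITAR"; carried as a marking, not interpreted here
    auth_id: str
    stored_in: str     # country of the hosting infrastructure


def check_location(item, auths):
    """Control 1: regulated data may only sit on infrastructure in authorized countries."""
    auth = auths[item.auth_id]
    if item.stored_in not in auth.storage_countries:
        return False, f"{item.item_id} stored in {item.stored_in}, not allowed under {auth.auth_id}"
    return True, f"{item.item_id} storage location OK under {auth.auth_id}"


def check_access(person, item, auths, has_credentials=True):
    """Control 2: security credentials are necessary but not sufficient for access."""
    if not has_credentials:
        return False, f"{person.name} lacks security credentials"
    ok, reason = check_location(item, auths)
    if not ok:
        return False, reason
    auth = auths[item.auth_id]
    if person.employer not in auth.employers:
        return False, f"{person.name}: employer {person.employer} is not a party to {auth.auth_id}"
    if person.citizenship not in auth.countries:
        return False, f"{person.name}: citizenship {person.citizenship} not covered by {auth.auth_id}"
    if person.location not in auth.countries:
        return False, f"{person.name}: location {person.location} not covered by {auth.auth_id}"
    return True, f"{person.name} may access {item.item_id} under {auth.auth_id}"


def check_transfer(recipient, item, channel, auths):
    """Control 3: the recipient must be authorized AND the channel approved (prevention and enablement)."""
    ok, reason = check_access(recipient, item, auths)
    if not ok:
        return False, "transfer blocked, " + reason
    auth = auths[item.auth_id]
    if channel not in auth.transfer_channels:
        return False, f"transfer blocked, channel {channel} not approved under {auth.auth_id}"
    return True, f"transfer of {item.item_id} to {recipient.name} via {channel} allowed under {auth.auth_id}"


# Constructed sample records: fictitious companies, people, authorizations and data.
AUTHS = {
    "POLICY-US-ONLY": Authorization("POLICY-US-ONLY", frozenset({"Acme Aero"}), frozenset({"US"}),
                                    frozenset({"US"}), frozenset({"encrypted_email", "authenticated_portal"})),
    "TAA-EXAMPLE": Authorization("TAA-EXAMPLE", frozenset({"Acme Aero", "Example Partner GmbH"}),
                                 frozenset({"US", "DE"}), frozenset({"US"}), frozenset({"authenticated_portal"})),
}
ALICE = Person("alice", "Acme Aero", "US", "US")
BOB = Person("bob", "Acme Aero", "US", "DE")               # employee travelling: location matters
CARLA = Person("carla", "Example Partner GmbH", "DE", "DE")  # partner personnel covered by the TAA
DAVE = Person("dave", "Hosting Co", "CA", "CA")             # infrastructure admin with full credentials
DRAWING = DataItem("drawing-001", "ITAR", "POLICY-US-ONLY", "US")
OFFSHORE = DataItem("drawing-002", "ITAR", "POLICY-US-ONLY", "CA")  # secure host, wrong country
TAA_DATA = DataItem("spec-007", "ITAR", "TAA-EXAMPLE", "US")


def run_scenarios():
    """The situations from the article, as (allowed, reason) decisions."""
    return {
        "secure_but_offshore": check_location(OFFSHORE, AUTHS),
        "admin_with_credentials": check_access(DAVE, DRAWING, AUTHS),
        "encrypted_to_unauthorized": check_transfer(CARLA, DRAWING, "encrypted_email", AUTHS),
        "authorized_export": check_transfer(CARLA, TAA_DATA, "authenticated_portal", AUTHS),
        "travelling_employee": check_access(BOB, DRAWING, AUTHS),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the structure is that every decision is derived from the data's marking (its governing authorization) plus identity attributes, never from the security credential alone: the offshore host is denied even though it is secure, the hosting administrator is denied even though he has credentials, and the encrypted email to an unauthorized foreign person is denied even though the channel is encrypted, while the partner transfer under the TAA through the approved portal is allowed. In a real deployment these attributes would be sourced from the systems of record the checklist above asks about (CMDB or cloud inventory for location, HR and IdP for employer and citizenship, the data classification system for markings).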
Export compliance risk in IT is real. In today’s globally-networked, information-driven economy, cyber compliance is important. If your company hasn’t made a deliberate effort to address “cyber compliance” in your IT networks and systems, you likely have significant export compliance risks.
To learn more, read our What are Export Controls or Technical Data Export Control blog posts.
By Matt Henson