International Traffic in Arms Regulations (ITAR) compliance is mandatory for over 130,000 United States (US) organizations that engages in the manufacture, export, or import of defense articles, services, or technology covered in the United States Munitions List (USML). Controlling the transfer of ITAR-related technical data is crucial to national security and foreign policy interests due to the sensitivity of the data.
What is ITAR-related technical data?
ITAR-related technical data refers to information, documentation, or data that provides details about the design, development, production, or use of defense articles. This includes blueprints, specifications, software and source code, CAD files, and research data. It’s important to note that technical data need not always be in the form of writing or electronic; it can also be transferred through visual presentation or orally.
Organizations and individuals involved in the export or sharing of technical data covered by ITAR must adhere to regulatory requirements and obtain appropriate licenses or authorizations to prevent unauthorized disclosure or access by foreign parties.
Here are some scenarios that organizations need to be aware of when exporting or sharing technical data with customers and external partners to avoid non-compliance:
Scenario 1: A partner or customer has an employee who is a non-US citizen: the organization must apply for an export license for the foreign employee concerned, ensuring that the employee is not a citizen or resident of the proscribed countries. Without the license, when the non-US employee tries to access ITAR-related technical data, access should be denied.
Scenario 2: A partner of customer has US employees located both in the US and foreign countries: employees who are US citizens and are in the US can access any controlled information regardless of where the data resides (SAP, SharePoint, etc.). However, if the employee is in a foreign country, access to these technical data will be denied. Since the employee is located outside of the US, it is required for organizations to obtain authorizations or licenses to allow this employee to access the data from outside the US.
Scenario 3: A partner or customer whose company is based outside the US: In most cases, a company that is based outside the US would have non-US employees. In this case, technical data can only be shared or exported if there are appropriate licenses or agreements in place.
How can organizations control the transfer of ITAR-related technical data?
The traditional model of authorizing access based on users’ role is no longer scalable as organizations had to create and manage thousands or millions of roles to respond quickly to the ever-changing requirements. In addition, access to technical data is dependent on dynamic attributes such as location and user citizenship. To streamline global operations, a new fine-grained method of authorization is required – that is, Attribute-Based Access Control (ABAC).
Given that, how can organizations enable global sharing of technical data while maintaining compliance with various regulatory requirements?
The NextLabs Export Control for Technical Data solution enables organizations to:
- Control access to technical data based on user citizenship, certification training, computer system, and physical location.
- Track and apply policy-based controls on technical data to control duplication, storage, copy/paste, printing, removable media, e-mail, IM, Web uploads, FTP, and web conferencing.
- Prevent the leakage of technical data beyond certified systems and users.
- Automatically match technical data exports to the corresponding Export Licenses or Technical Assistance Agreements (TAA).
- Detect and track user activity that may qualify as a “Deemed Export,” as well as automate the process of export license determination and/or manager approval.
To understand more about NextLabs solution for technical data export compliance, visit this link.