Understanding the ITAR End-to-End Encryption Rule
The U.S. Department of State's March 2020 ITAR amendment simplified compliance requirements and modernized business processes. Most notably, it reduces compliance overhead and lets organizations that handle ITAR-controlled technical data streamline their internal data storage and supply chain workflows. It does this by defining and clarifying which activities count as exports and by spelling out the role end-to-end encryption plays in securing sensitive data.
What is ITAR and who must comply?
The International Traffic in Arms Regulations (ITAR) are U.S. government regulations that restrict and control the export and import of defense-related articles, services and technical data listed on the U.S. Munitions List (USML). Issued in 1976 under the Arms Export Control Act, at the height of the Cold War, ITAR restricts access to defense articles and related technical data to U.S. persons (U.S. citizens, lawful permanent residents and certain protected individuals) unless the Department of State authorizes otherwise, in order to safeguard U.S. national security and further U.S. foreign policy objectives.
While one might expect the USML to cover obvious items such as firearms, munitions and military aircraft, ITAR also regulates “technical data”. Under ITAR, technical data is the information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a defense article, including blueprints, drawings, photographs, plans, instructions and documentation, as well as software directly related to defense articles. The breadth of the USML means ITAR compliance is not solely a concern for arms manufacturers; it applies to every organization in the supply chain for any good or service in the military and defense space.
In short, nearly every company that manufactures, exports or brokers USML items, or that sits in the supply chain of one that does, must comply with ITAR.
What is the March 2020 ITAR Rule?
In March 2020, the Department of State amended ITAR to add a definition of “activities that are not exports, reexports, retransfers, or temporary imports” (ITAR §120.54). In creating this definition, the DoS carried over text already in the regulations and supplemented it with new text focused on secured unclassified technical data.
The Directorate of Defense Trade Controls (DDTC) at the Department of State administers ITAR and regulates the defense articles and services that companies export or temporarily import. Before the March 2020 update, companies needed a DDTC license or other authorization to export technical data, whether classified or unclassified.
Under the amendment, sending, taking or storing ITAR-controlled unclassified technical data outside the United States is not an “export” provided the data is secured using end-to-end encryption. The rule attaches further conditions that a practitioner must not skip: the encryption must use cryptographic modules compliant with FIPS 140-2 (or its successors), with implementation and key management following current NIST guidance, or other cryptographic means of at least AES-128 strength; the data must not be intentionally sent to a person in, or stored in, a country proscribed in ITAR §126.1 or the Russian Federation; and it must not be sent from such a country.
The term "end-to-end encryption" is defined in the amendment as: (i) the provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) the means of decryption are not provided to any third party.
In effect, the definition substitutes defined cryptographic controls for a DDTC authorization or license for this category of unclassified technical data.
What changes does the ITAR Rule make that impact data?
ITAR exists to keep defense-related technical data out of the hands of foreign governments and unauthorized foreign persons. As organizations moved sensitive data to the cloud, however, ITAR became increasingly burdensome: storing or transmitting data outside the United States was treated as an export requiring a license, and because a cloud provider may replicate data to servers in other countries, organizations could not be certain their cloud storage kept them compliant.
Addressing this concern, the March 2020 amendment allows organizations subject to ITAR's export rules to streamline their internal data storage and transfer processes by migrating unclassified technical data to the cloud, provided it is end-to-end encrypted as the amendment defines the term (and the rule's other conditions on encryption strength and destination countries are met).
What are the ramifications of non-compliance?
Not all information shared in fulfilling defense contracts is dangerous to national security on its own. However, even seemingly innocuous communications, if intercepted by a hostile actor, can have unintended negative consequences.
To hold organizations accountable, ITAR Part 127 (Violations and Penalties) sets out the consequences of violating the regulations:
Seizure and Forfeiture: government confiscation of any defense articles or technical data involved in the violation
Administrative or Statutory Debarment: prohibition from participating, directly or indirectly, in ITAR-regulated export activity, which in practice means losing eligibility for defense contracts
Civil Fines: a statutory maximum of $500,000 per violation, adjusted annually for inflation (over $1 million per violation by 2020)
Criminal Penalties: fines of up to $1 million and/or up to 20 years imprisonment per violation
Debarment and fines of this size make ITAR compliance a financial imperative for any organization whose revenue depends on defense work. Individuals within a company can also be held personally liable and face civil and criminal penalties, so non-compliance carries a steep price.
What are the challenges of meeting ITAR compliance?
Encryption that gets in the way of daily work is often resisted or worked around, which makes the new ITAR requirement challenging in practice. On top of that general problem, the rule introduces a new requirement for controlling access to data.
The new rule includes section 120.55 Access Information which states:
Access information is information that allows access to encrypted technical data subject to this subchapter in an unencrypted form. Examples include decryption keys, network access codes, and passwords.
Organizations that encrypt data must still give their workforce a way to view sensitive information in unencrypted form; employees and contractors have to access and interact with the data to do their jobs. But using access information (a decryption key, a password, a network access code) to enable a foreign person to access unencrypted technical data is itself treated as a release of that data, so if an employee or contractor who needs the data is a foreign person, the company must obtain DDTC authorization before granting that access.
In the commentary accompanying the rule, the DoS also acknowledged the burden this requirement imposes. The Export Administration Regulations (EAR), by contrast, give companies more flexibility: transferring access information requires prior authorization only when it is done with “knowledge” that the transfer will result in a release of the underlying technology or software. Under the EAR, a company that did not know a foreign person had obtained credentials to access decrypted information is not liable for that release.
For example, a company might employ non-U.S. persons and knowingly give them access, which plainly requires authorization. But if a foreign person obtained credentials illicitly, the company would lack “knowledge” and would remain compliant with the EAR. Under ITAR, no such protection exists. This makes strong access controls, continuous monitoring and audit logging essential to avoiding a violation.
3 steps to getting ITAR compliance-ready
As organizations work to meet these stringent requirements, planning ahead is fundamental to a sustainable compliance strategy.
1. Identify and Classify ITAR Data
Every location holding ITAR-controlled technical data must be known, and the data must be labelled accordingly so that access and encryption policies can be applied to it.
2. Establish and Enforce Access Controls
After identifying and classifying the internal information that qualifies as technical data, companies need to locate every on-premises and cloud-based system that stores, transmits or processes it.
Each of those locations must be protected by policies that limit access according to the principle of least privilege. Organizations should combine role-based access control (RBAC) with attribute-based access control (ABAC): access decisions should go beyond a user's job function and take into account attributes such as U.S. person or authorization status, geolocation, source IP address and time of day. Those policies then need to be enforced continuously, not checked once.
Establishing those policies also means encrypting data as it travels from the place it is stored to the user, and tying the ability to decrypt to the same ABAC policies. For example, a foreign person without DDTC authorization should neither be granted access to cloud-based resources holding technical data nor be able to decrypt technical data delivered by email.
3. Monitor Activity and Audit Access Logs
Compliance preparation also requires continuously monitoring access and documenting it by auditing the access logs. Any anomalous access attempt (for example repeated denials, or access from an unexpected country or at an unusual hour) should be investigated to ensure continued compliance.
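The three steps above can be wired together as one enforcement point: a policy decision that checks role first and then the attributes the text lists (U.S. person or DDTC authorization, geolocation, source network, time of day), an audit record written for every decision, and a scan over those records for the anomalies worth investigating. The following is an added example written for this article, not code from the original page or from any vendor's product; every user, network range, file label and request in it is constructed sample input, and the attribute names (us_person, ddtc_authorized, geo_country) are assumptions chosen for illustration.

```python
"""Added example (not part of the original article or of any vendor's product):
a minimal ABAC decision point for decrypting classified files, an audit log of
every decision, and a simple anomaly scan over that log. Every user, network
range, file label and request below is constructed sample input; the attribute
names (us_person, ddtc_authorized, geo_country) are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    name: str
    role: str
    us_person: bool                # U.S. citizen, lawful permanent resident or protected individual
    ddtc_authorized: bool = False  # foreign person covered by a DDTC authorization for this data


@dataclass
class Request:
    user: User
    file_path: str
    classification: str  # label applied in step 1, e.g. "ITAR" or "PUBLIC"
    geo_country: str     # ISO country code of the client, from device posture or geo-IP
    ip: str
    when: datetime


# Constructed corporate ranges, working hours and roles; real values come from the organization.
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
TECHNICAL_ROLES = {"engineer", "program_manager"}


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one access request; return (allow, reason). RBAC first, then ABAC."""
    if req.user.role not in TECHNICAL_ROLES:
        return False, "role not permitted"
    if req.classification != "ITAR":
        return True, "non-ITAR file"
    # The decryption key is "access information" (ITAR 120.55): using it to give a
    # foreign person unencrypted technical data is a release that needs authorization.
    if not (req.user.us_person or req.user.ddtc_authorized):
        return False, "foreign person without DDTC authorization"
    if req.geo_country != "US":
        return False, "client outside the United States (%s)" % req.geo_country
    if not any(ip_address(req.ip) in net for net in CORP_NETWORKS):
        return False, "client not on a corporate network"
    if not BUSINESS_HOURS[0] <= req.when.time() <= BUSINESS_HOURS[1]:
        return False, "outside business hours"
    return True, "policy satisfied"


def request_decrypt(req: Request, audit_log: List[Dict]) -> bool:
    """Enforce the policy and record the decision, allowed or denied, in the audit log."""
    allow, reason = decide(req)
    audit_log.append({
        "ts": req.when.isoformat(), "user": req.user.name, "file": req.file_path,
        "classification": req.classification, "country": req.geo_country, "ip": req.ip,
        "decision": "ALLOW" if allow else "DENY", "reason": reason,
    })
    return allow


def find_anomalies(audit_log: List[Dict], denial_threshold: int = 3) -> List[str]:
    """Step 3: flag users with repeated denials and users seen from more than one country."""
    denials: Dict[str, int] = {}
    countries: Dict[str, Set[str]] = {}
    for rec in audit_log:
        countries.setdefault(rec["user"], set()).add(rec["country"])
        if rec["decision"] == "DENY":
            denials[rec["user"]] = denials.get(rec["user"], 0) + 1
    findings = ["%s: %d denied access attempts" % (u, n)
                for u, n in denials.items() if n >= denial_threshold]
    findings += ["%s: requests from multiple countries %s" % (u, sorted(seen))
                 for u, seen in countries.items() if len(seen) > 1]
    return findings


def demo() -> Tuple[List[Dict], List[str]]:
    """Constructed scenario: one U.S. engineer and one foreign contractor without authorization."""
    log: List[Dict] = []
    alice = User("alice", "engineer", us_person=True)
    bo = User("bo", "engineer", us_person=False)
    at = datetime(2021, 3, 2, 10, 0)
    request_decrypt(Request(alice, "/itar/assembly-drawing.pdf", "ITAR", "US", "10.1.2.3", at), log)
    request_decrypt(Request(alice, "/itar/assembly-drawing.pdf", "ITAR", "DE", "10.1.2.3", at), log)
    for _ in range(3):
        request_decrypt(Request(bo, "/itar/assembly-drawing.pdf", "ITAR", "US", "10.1.2.9", at), log)
    return log, find_anomalies(log)


if __name__ == "__main__":
    audit, flagged = demo()
    for rec in audit:
        print(rec["ts"], rec["user"], rec["decision"], rec["reason"])
    print("anomalies:", flagged)
```

Two design points matter more than the specific thresholds. Denials are logged with the same fields as allowed accesses, because under ITAR the attempt itself, not only the success, is what an investigator needs to see. And the decision function is pure (no I/O), so the same code can be unit-tested against every attribute combination and then run unchanged inside whatever service holds the keys.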
Atakama’s encryption reduces ITAR compliance burdens
As companies strengthen their compliance strategies to keep the ITAR compliance necessary for continued contract eligibility, Atakama offers a solution that reduces the burden on ITAR-regulated companies. Among other things, Atakama:
- Natively integrates with leading data classification tools to identify critical technical data systematically and automatically, and to encrypt it immediately;
- Generates real-time syslog records of user file access and forwards them to a central log aggregator for auditability and compliance reporting;
- Provides policy-driven group privileges, user options and tracking configurability.
Because Atakama encrypts at the file level, each file receives its own AES-256 encryption key. Atakama then splits each key into shards that are distributed across devices controlled by the authorized users, such as their smartphones and computers. Because of this distributed key management, Atakama operates independently of identity and access management controls, so even when a user's credentials are compromised, files encrypted by Atakama remain secure. As a distributed system, it has no central point of failure. For data in transit, Atakama users can send files end-to-end encrypted to non-Atakama users.
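The idea of splitting a per-file key into shards held only on authorized users' devices is what lets a design satisfy the second half of the rule's end-to-end encryption definition quoted earlier: no third party, the storage provider included, ever holds the means of decryption. The following is an added example written for this article, not Atakama's code and not a description of its protocol; the article does not say which sharing scheme Atakama uses, so the example uses Shamir's (k, n) threshold secret sharing over GF(2^8), the textbook construction. The device names and the 2-of-3 policy are constructed for illustration, and the implementation uses only the Python standard library.

```python
"""Added example, not Atakama's code or a description of its protocol: a per-file
256-bit key split into shards with Shamir's (k, n) threshold secret sharing over
GF(2^8). Any k shards reconstruct the key; fewer reveal nothing about it, so a
storage provider or a single stolen device holds no means of decryption.
Device names and the 2-of-3 policy below are constructed for illustration."""
import secrets
from typing import List, Tuple


# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse by exhaustive search; the field has only 255 non-zero elements."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner's rule; coeffs[0] is the constant term, i.e. the secret byte."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_key(key: bytes, k: int, n: int) -> List[Tuple[int, bytes]]:
    """Split key into n shards, any k of which reconstruct it. Shard i is (i, f(i)) per byte."""
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    shards = [bytearray() for _ in range(n)]
    for secret_byte in key:
        # One random polynomial of degree k-1 per byte. The top coefficient is kept
        # non-zero so the degree really is k-1 and k-1 shards never suffice for that byte.
        coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(k - 2)]
        coeffs.append(secrets.randbelow(255) + 1)
        for i in range(n):
            shards[i].append(_eval_poly(coeffs, i + 1))  # x = 0 is the secret, so start at 1
    return [(i + 1, bytes(s)) for i, s in enumerate(shards)]


def combine_shards(shards: List[Tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, one byte position at a time.
    Shamir carries no integrity check: fewer than k shards, or a corrupted shard, yield a
    wrong key silently, so the caller must verify the result (e.g. via the AEAD tag on the
    encrypted file) before trusting it."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    out = bytearray()
    for pos in range(len(shards[0][1])):
        acc = 0
        for xj, yj in shards:
            num = den = 1
            for xm, _ in shards:
                if xm != xj:
                    num = gf_mul(num, xm)       # (0 - x_m) equals x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(yj[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> dict:
    """2-of-3 split of a fresh 256-bit file key across a laptop, a phone and an approver's phone."""
    file_key = secrets.token_bytes(32)
    laptop, phone, approver = split_key(file_key, k=2, n=3)
    return {
        "key": file_key,
        "laptop+phone": combine_shards([laptop, phone]),
        "phone+approver": combine_shards([phone, approver]),
        "laptop_alone": combine_shards([laptop]),  # one shard: no information about the key
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-15s %s" % (name, value.hex()))
```

The property to notice is the last line of demo(): a single shard interpolates to itself, not to the key, and the same is true of any k-1 shards, so a provider that stores ciphertext plus one shard still has no access information in the sense of §120.55. In a real deployment the reconstructed key would only ever be assembled inside the authorized user's device and used to open an authenticated (AEAD) file encryption, whose tag is what detects a wrong or tampered reconstruction.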
For more information about how Atakama can address your organization’s ITAR compliance needs, contact us for a demo today.