The bygone era of securing export-controlled technical data by merely placing it in a locked storage cabinet at night are long gone. Some of us may still wish for those long lost days where accessing export-controlled information required one to physically use a key, or door knob, to open the storage unit and retrieve what the government considered “controlled.” Today, compliance officers, regulatory attorneys and day-to-day IT personnel are faced with a host of threats to not only the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) export-controlled information, but to company secrets, personnel information, health records, and more. How we go about addressing these threats is sometimes daunting and challenging, but the government, in the case of ITAR, has made it very clear that the “release” of “technical data” to a foreign person remains a controlled event.
It begs the question, what exactly does that mean, both from a practical business side, as it pertains to IT and physical controls of technical data, as well as from a specifically defined standpoint, and where do we begin? There are a host of proposed regulatory changes that aim to provide “clarity”, although it seems that the more clarity that is provided at times only creates more difficulty in interpretation. Adding to the scrutiny in interpretation are such terms as “release”, “technical data” and “disclose,” which are all critical terms when designing both your Technology Control Plans (TCP) and Cloud Computing requirements. If you haven’t yet reviewed the proposed changes for the foregoing, I highly recommend that you do, since it provides a wealth of information on where the DDTC and other agencies are heading now, and in the future. (see 31525-31538 Fed. Reg. Vol. 80, No. 106). This article is not meant to delve deeply into the meaning and impact of these proposed changes, but instead to provide the reader with some insight into where, what, and how they should proceed when addressing the title of this article.
From a Cloud Computing standpoint, the new proposed rules appear to state that providing someone with encrypted “technical data” would not be an “export” under certain circumstances. I’ve italicized the word “encrypted” since it is a key issue as to whether you can comply with the proposed changes. Thus, your starting point, from an operational and technology control standpoint, would be, “do you have the capability, within all departments, when handling ITAR and export controlled technical data, to encrypt”? This requires one to look at the entire process, from inception of an export-controlled project, which includes receiving customer information and data, to the final proposed solution, regarding the customer’s request. There are countless touch points throughout this process that one must work with within their IT/IS department to ensure controls are in place. The various USG agencies will look at the act of providing physical access (think of a 3rd party vendor upgrading your server containing export controlled information), to unsecured technical data. Again, I’ve emphasized “unsecured,” since the next logical step in the process would be to see what the USG considers “unsecured” (under the ITAR) and then address what controls need to be put into place to comply.
The starting point though, with any TCP and Cloud Computing solution, needs to be determining what information is, or is not, “technical data”. Beginning with your products and the United States Munitions List (USML) (a similar thought process can be given to products subject to the Commerce Control List or CCL), you should be able to decide what is controlled and what is not, and if in doubt, filing a commodity jurisdiction would be prudent.
Once you’ve determined what is controlled, then you can logically take the next steps in securing such information.
Where do you start from an organization and business standpoint? Some recommended areas for architecting your TCP should be:
- Drawings, 2D/3D models and mock-ups, engineering change orders, 1st article inspection reports, quality control reports, software and data results, CAD, artwork/graphics, etc.
- Multiple layers of protection in order to maintain control over security and confidentiality of data from both inadvertent export or cybersecurity threats. This can include both physical and IT controls, such as Foreign National visitor badges that clearly identify a FN; employee travel only laptops for engineers and others who have ITAR information on their home-based computers; and 2-factor authentication tools for all users within a business (this makes sense, whether or not it’s export controlled or not).
- File Access/Active Directory protocols that allow you the ability to report historical information as to “who, when and what”, may have accessed export controlled information (critical business files such as drawings, artwork, and CAD data). This also should include Active Role Server controls as to user access rights.
Above are just a few examples of areas that your TCP must address. In the end, the primary objective of your TCP must be to protect ITAR data at rest or “in-use” on systems inclusive of back-end systems, such as storage, data rooms and databases. Due diligence is necessary in monitoring capabilities in the transmission and receipt of sensitive export and proprietary information, on a real-time basis; encryption (key to meeting the Directorate of Defense Trade Controls (DDTC) rules), including network systems that transmit ITAR, and email classification controls. Establishing a well-designed enterprise information Security Program (InfoSec), that addresses, correlates and collects disparate IT data from numerous systems and devices on a real-time basis, is of utmost importance, especially given the cybersecurity issues facing both government agencies and companies today (we can’t forget the SONY case last summer).
Finally, how you go about incorporating Cloud Computing within your TCP, along with addressing cybersecurity controls, is very pertinent. Any TCP today, in my opinion, must address both, since they go hand-in-hand with who is accessing export controlled information and technical data. DDTC’s proposed rules have shed some light into this area, including that providing someone with encrypted “technical data” would not be an “export,” as mentioned above, as long as the necessary protocols, under these rules are met. As an example, the act of providing physical access to unsecured technical data (subject to the ITAR) will be a controlled event. Thus, the key operative word is “unsecured,” and if you can also meet the requirements of the definition of “secured,” for the most part, you have met this standard.
The government realizes that often a company is unaware of how information is being routed electronically, including through foreign servers. The new proposed rules mean to address this, especially in light of cloud computing. The rules specifically state examples of cloud storage and how, without the knowledge of the sender, the data may be physically stored on a server, or servers, outside the U.S. Today, access to such export-controlled data, even if unintended by the company and sender, constitutes an export under ITAR § 120.17. The proposed changes will help address this, in that as long as the information is encrypted prior to sending to a remote storage, and remains encrypted until received by the recipient or retrieved by the sender, a license is not required. Thus, storage in a foreign country would be permissible, other than those defined in the ITAR (§120.1 + Russia). The end result is that your TCP and Cloud Computing controls will need to ensure that you have the continuous encryption controls in place to ensure compliance.
In conclusion, both the proposed rules by DDTC and BIS, for ITAR and EAR-controlled items, appear to be heading in the right direction. Most importantly though, harmonization of certain key terms and definitions are being proposed between both agencies to ensure consistency and easier compliance by companies. Identifying which terms apply to your products and business, ensuring you have all the proper elements of a TCP in place that meet DDTC guidelines, and addressing Cloud Computing and Cybersecurity threats and controls, are key starting points.