



ITAR Rules Undergo 21st Century Facelift

Regulations and practices governing the storage and processing of International Traffic in Arms Regulations (ITAR) technical data are evolving. For example, in 2014, the U.S. State Department, the administrating agency for ITAR, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring ITAR in alignment with advancements in cloud computing over the last 15 years, for the first time allowed ITAR technical data to be shared and stored using cloud computing applications. This flexibility is conditioned on specific encryption guidelines designed to avoid the accidental or unintended export of specified data. Other handling and recipient protocols must also be satisfied.

For many years, aerospace and defense industry organizations have been unable to collaborate in ITAR-controlled developments via common cloud computing practices that are widely recognized at the enterprise level as best-in-class to foster high productivity and performance. Thus, the implementation of public cloud tools for document storage, management and collaboration has not been available for ITAR technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in 2010 he called the U.S. export control system “a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government.”

Stringent Guidelines

ITAR dictates control over the export and import of defense-related articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation.

Under ITAR, unless an exemption exists, such information must be stored in a U.S.-located environment physically and logistically accessible only to U.S. citizens or permanent residents (U.S. persons). For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrades must be supported exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons. Additional security features not mandated specifically by ITAR but certainly part of a comprehensive approach are full encryption, tamper-proof audit trails, two-factor authentication and operators, as well as provider shielding.

ITAR-compliant solutions are not available to the general public. Those wishing to utilize ITAR-compliant solutions must guarantee that users are limited to U.S. persons and, ideally, such organizations would maintain a valid Directorate of Defense Trade Controls (DDTC; see https://www.pmddtc.state.gov/) exporter registration with full, unsanctioned U.S. export privileges, among other requirements.

“Complex requirements and lagging use of technology solutions have led many to move quicker than the DDTC would wish”








CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3