What On Earth are ITAR Compliant File Transfers?
That's right, not GDPR or PCI DSS, like most other blogs and articles you might be reading online...but ITAR. The International Traffic in Arms Regulations, which govern the trade and export of defense materials and services in the US.
What does that have to do with you and your file transfers, you ask?
Well, ITAR requires that both physical items and technical data related to defense and military technology are handled only by US citizens.
Note, though, that the UK, Canada and Australia have ITAR agreements in place, allowing organisations there to handle defense materials and related technical data provided they adhere to the same requirements.
WARNING: That means if you transfer technical data, including photos or documentation which can be used to construct or operate physical arms, you will need to comply.
Simply put, ITAR affects both the physical and virtual worlds of the whole defense industry.
Who Needs to be ITAR Compliant?
In essence, any company in the US, or any UK, Canadian or Australian organisation covered by such an agreement, which handles, manufactures, designs, distributes or sells defense items or related technical data on the USML (United States Munitions List).
Such organisations include but are not limited to:
- Distributors.
- Wholesalers.
- Vendors for either or both software and hardware.
- Third-party suppliers.
- External contractors.
Every organisation in the supply chain which handles defense materials or related technical data must be ITAR compliant, with the US State Department's Directorate of Defense Trade Controls (DDTC) maintaining a list of those who are.
What do the ITAR Regulations Require?
At a basic level, ITAR requires that defense materials and related technical data are not handled by, or shared with, non-US citizens.
However, there are exemptions.
The US State Department can issue exemptions for specific purposes, particularly in the case of mutual defense interests. A number of organisations in the UK, Canada and Australia have been granted such exemptions, but only on the condition that they are also ITAR compliant.
At a high level, ITAR requires focus in the following areas:
- Tracking.
- Monitoring.
- Auditing.
In the case of technical data, ITAR expects that the data carries a classification marking, that the systems processing it are actively monitored for unauthorised access, and that audit logs are maintained for review.
How Can You Secure ITAR File Transfers?
In short, you should be using a managed file transfer solution which can guarantee data security on multiple levels.
For example:
- Strong authentication controls to prevent unauthorised access; consider multi-factor authentication.
- Permission controls to prevent the wrong materials being accessible to the wrong parties.
- Integrity checks on technical data at both the send and receive stages.
- Encrypted storage of technical data so that it is protected in the event of a breach.
- An audit log detailing all access attempts against each authenticated user account.
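As an added illustration of two of the controls above (integrity checks at send and receive, and a tamper-evident audit log of access attempts), here is a small Python example; it is not MOVEit code, and the sample file content and user names are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample standing in for a technical-data document (not real data).
SAMPLE_FILE = b"Maintenance procedure for assembly 47-B (constructed sample)\n"

def digest(data: bytes) -> str:
    """SHA-256 hex digest computed by the sender and recomputed by the receiver."""
    return hashlib.sha256(data).hexdigest()

def verify_transfer(received: bytes, expected_digest: str) -> bool:
    """Receive-side integrity check using a constant-time comparison."""
    return hmac.compare_digest(digest(received), expected_digest)

class AuditLog:
    """Hash-chained, append-only record of every access attempt.

    Each entry stores the hash of the previous entry, so editing or deleting
    an earlier entry breaks every later link and verify() returns False.
    """
    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries = []

    def record(self, user: str, filename: str, action: str, allowed: bool) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "file": filename, "action": action,
            "outcome": "allowed" if allowed else "denied", "prev_hash": prev,
        }
        body["entry_hash"] = self._hash(body)
        self.entries.append(body)
        return body

    @staticmethod
    def _hash(body: dict) -> str:
        # Hash every field except the entry's own hash, in a canonical order.
        fields = {k: v for k, v in body.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Walk the chain and confirm every entry links to and matches its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```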
Being found non-compliant with ITAR can result in a stiff penalty of up to $1 million and/or up to 10 years' imprisonment per violation.
Needless to say, the risks are high.
How Can Progress MOVEit Help?
MOVEit has a strong history of providing organisations with file transfer security controls which help them to meet a number of regulations and industry compliance standards, including ITAR.
In particular, MOVEit includes the following ITAR relevant features:
- Multi-factor authentication.
- Folder based permissions.
- Integrity checks on files.
- FIPS 140-2 validated file encryption.
- NIST compliant file shredding.
- Tamper-evident logging and auditing.
If you would like to learn more about MOVEit and how it might be able to help you with ITAR compliance, book a call with one of our product specialists today.