International Traffic in Arms Regulations (ITAR)
The International Traffic in Arms Regulations (ITAR) is a U.S. government export regulation that covers the manufacture, sales, and distribution of defense and
space-related articles and services on the United States Munitions List (USML). Administered by the U.S. State Department Directorate of Defense Trade Controls,
the legislation is designed to control access to specific types of technology and associated data.
The law primarily applies to defense contractors that manufacture and/or export products on the USML, but all companies in the supply chain for such products must
register to obtain the appropriate import or export license and meet the ITAR requirements. The USML includes items that are specifically designed, developed, configured,
adapted or modified for a military application. However, the law also covers applicable data and information about the items on the list.
ITAR stipulates that regulated technical data – regardless of its form – may be used solely by U.S. persons employed by the U.S. government or a U.S. company.
A U.S. person is defined as a U.S. citizen, permanent resident, political asylee, government agency, or corporation. Furthermore, all U.S. companies that manufacture,
export, or handle data for items on the USML are required to register with the government and obtain prior authorization to export USML items to a foreign person or government.
They must also obtain a specific license exemption to export the data to a U.S. person located outside the U.S., such as to share it with a U.S. employee stationed in another country.
There are several types of export authorizations:
- Foreign military sales (FMS) – in which the U.S. government sells items on the USML to a foreign government
- Export license (e.g. DSP-5) – a temporary or permanent export of technology or technology data to a foreign person, but not technical services
- Warehouse and Distribution Agreement – allows a company to establish a warehouse to export USML items to approved foreign entities
- Technical Assistance Agreement (TAA) – authorization to provide defense-related services to foreign entities
- Manufacturing License Agreement (MLA) – authorization to export manufacturing knowledge to a foreign entity
Technical data pertaining to items on the USML is considered to be regulated. Data that is covered under ITAR generally pertains to the design, development, production,
manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. The law also regulates software that includes system functional
design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnostics, and repair.
- Ensure that controlled data is encrypted at all times with strong encryption, such as that provided by cryptographic modules validated to FIPS 140-2. Data should be persistently encrypted during transmission to the cloud and at rest on cloud storage servers.
- The data owner must maintain complete control over the encryption keys at all times, and no personnel from the cloud service provider should have access to the keys.
- Only authorized individuals can access controlled data.
- Individuals are uniquely identified and access to data is protected by strong authentication of the individual.
- Individual access rights are routinely reviewed for ongoing need.
- An individual’s access to data is promptly de-provisioned when it is no longer needed.
- All events pertaining to data access are captured and logged for monitoring and reporting purposes. This includes who, what, when, and where.
- Notifications or alerts are sent to individuals or work group members when a change to data records or files occurs.