ITAR & EAR: Think You Are Compliant? Think Again...

Anyone doing business with the US government and / or producing technology or physical goods that the US considers controlled needs to spend 5 minutes here and get a refresher on ITAR and EAR. The biggest thing that scares me when I think about how folks are handling their sensitive communications and regulated data files is that any solution relying on SSL / TLS for data encryption is NOT compliant and exposing you to serious fines, penalties, and more. You'll see ITAR briefs on the big "box" cloud file sharing & collaboration platform websites but you won't actually see them say they are compliant - gotta love marketing.

But... before I digress too much, what is ITAR and EAR?

International Traffic Arms Regulation (ITAR) and  Export Administration Regulations (EAR) are US government export controls that govern technical data at rest, in motion, and use. EAR and ITAR are separate regulations that are compatible and consistent in their approach to controlling sensitive data. This is good news as it means firms working on projects  subject to either regulation can implement the same process / controls and satisfy both requirements (better safe than sorry!).

Companies that work with controlled information must comply with ITAR and EAR, however there are no certifications for ITAR or EAR compliance making things even harder. Top that with the fact that violations of these regulations may result in both criminal and civil prosecution along with serious financial penalties...

Quick call out - if you know you have ITAR / EAR compliance needs you can likely stop reading now...

HighSide’s SecureDrive meets and exceeds the encryption requirements for ITAR and EAR. HighSide facilitates ITAR and EAR compliance regarding how sensitive data is stored, shared, and used. HighSide is available in a FedRAMP cloud and DoD IL-4 environment (IL-5 with sponsorship).

Click Here to Schedule a HighSide Demo

OK, back to more details...

ITAR and Data:

ITAR was created by the Directorate of Defense Trade Control (DDTC) to regulate two things,  defense articles and defense services. A complete list of defense articles may be found on the US Munitions List (USML), but  defense services are simply defined as any of the following.

  • Assisting a foreign person with a defense article
  • Providing technical data to a foreign person
  • Providing military training to a foreign unit or force

ITAR restrictions are very tight, for example, showing technical data to a foreigner is considered an export even if the foreigner is in the USA. Releases of controlled technology to foreign persons in the USA is also deemed to be an export to the person's country or countries of nationality. ITAR regulations state that no non-US person may have physical or logical access to information stored in an ITAR environment.

ITAR sets criteria that allows for the use of cloud technology provided that the content is unclassified, secured using end-to-end encryption, secured using FIPS 140-2 encryption, and not intentionally sent to or from a person in or stored in a prohibited country. ITAR cloud compliance focuses on ensuring controlled technical data is not inadvertently exported. In 2016, DDCT provisioned that export controlled data must be end-to-end encrypted before it is transmitted. The method for decrypting the data may not be shared with a third party before it reaches the recipient.

The standard encryption of data at rest by most cloud providers is not end-to-end encryption and fails to comply with ITAR. Providers who have access to your data and its encryption key are a violation of ITAR compliance (this means all the big names....).

HighSide's end-to-end encryption exceeds FIPS 140-2 standards and simplifies ITAR compliance with patented geolocation access controls and intuitive admin controls.

EAR and Data

Bureau of Industry and Security (BIS) administers Export Administration Regulations (EAR). EAR regulates items and their related technology that are designed for commercial use, but could have military applications. Similar to ITAR’s USML, BIS maintains a Commerce Control List (CCL). BIS set rules that allow for the use of cloud technology under certain provisions:

  • Content is unclassified
  • Content is secured using end-to-end encryption
  • Encryption is at least as effective as FIPS 140-2 standards
  • Data is not stored in Russia or a military embargoed country (Country Group D:5)
  • Means of decryption are not provided to any 3rd party

Well, now that you know a bit more about ITAR and EAR requirements... you might be thinking, how can you be compliant and still collaborate and share regulated data with teams that need access to do their job.

ITAR and EAR compliance... what you can do

ITAR and EAR compliance in the cloud is not an end result, but a continual journey protecting data. There is no certificate of compliance or stamp of approval, as such organizations must implement the right technology, access control and user programs.

HighSide provides

  • End-to-End encryption that meets and exceeds FIPS 140-2 standards
  • FedRAMP hosting and support for isolated computing environments
  • Access controls for data based on physical device location using RF signal triangulation and not IP address lookup

HighSide provides organizations the tools to govern how sensitive information is stored, where the information is accessed, and with whom it is shared. HighSide’s end-to-end encryption meets and exceeds FIPS 140-2 standards, delivers the ability to store, share and co-edit regulated data through SecureDrive and provides organizations with secure & compliant chat & communications tools to collaborate while remaining compliant.

Schedule a HighSide Demo today and join government contractors, manufacturers and systems integrators in choosing HighSide for your secure & compliant collaboration.