ITAR: Welcome to Public Cloud Collaboration

Transcription

1 Whitepaper ITAR: Welcome to Public Cloud Collaboration Updated Guidelines Create New Avenues for Aerospace and Defense Contractors to Share and Store Technical Data

2 ITAR Rules Undergo 21st Century Facelift Regulations and practices governing the storage and processing of ITAR technical data are evolving. Regulations and practices governing the storage and processing of International Traffic in Arms Regulations (ITAR) technical data are evolving. For example, in 2014, the U.S. State Department, the administrating agency for ITAR, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring ITAR in alignment with advancements in cloud computing over the last 15 years, for the first time allowed ITAR technical data to be shared and stored using cloud computing applications. This flexibility is conditioned on specific encryption guidelines designed to avoid the accidental or unintended export of specified data. Other handling and recipient protocols must also be satisfied. For many years, aerospace and defense industry organizations have been unable to collaborate in ITAR-controlled developments via common cloud computing practices that are widely recognized at the enterprise-level as best-in-class to foster high productivity and performance. Thus, the implementation of public cloud tools for document storage, management and collaboration have not been available for ITAR technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in 2010 he called the U.S. export control system a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government. Whitepaper - ITAR 2 6

3 ITAR Rules Undergo 21st Century ITAR dictates control over the export and import of defenserelated articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation. Under ITAR, unless an exemption exists, such information must be stored in a U.S.-located environment physically and logistically accessible only to U.S. citizens or permanent residents (U.S. persons). Additional security features are full encryption, tamperproof audit trails, two-factor authentication and operators, as well as provider shielding. For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrades must be supported exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons. Additional security features not mandated specifically by ITAR but certainly part of a comprehensive approach are full encryption, tamper-proof audit trails, two-factor authentication and operators, as well as provider shielding. ITAR-compliant solutions are not available to the general public. Those wishing to utilize ITAR-compliant solutions must guarantee that users are limited to U.S. persons and, ideally, such organizations would maintain a valid Directorate of Defense Trade Controls (DDTC; see gov/) exporter registration with full, unsanctioned U.S. export privileges, among other requirements. Encryption and Tokenization Complex requirements and lagging use of technology solutions have led many to move quicker than the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization to meet ITAR s high standards. While the provider apparently sought to market its token-based encryption technology as solving certain ITAR deemed export restrictions, according to a June 9, 2014 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating, Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of meeting ITAR standards]. Tokenization is almost irrelevant to the exemption. Whitepaper - ITAR 3 6

4 Risky Business: The Cost of Non- Compliance Aerospace and defense contractors have been sanctioned for failing to comply with ITAR. What is the importance of all this? Since 2010, there have been nine cases where aerospace and defense contractors have been sanctioned for failing to comply with ITAR. In 2014, there were two fines issued, totaling approximately $30 million. In 2013, there were three fines issued for ITAR violations, for a total of $41 million. Moreover the possibility of fines is not the totality of sanctions. Those possibilities extend to additional civil and administrative remedies, including debarment as an exporter or even a government contractor. Consequences could extend into criminal sanctions for egregious non-compliance. Many organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR technical data are, therefore, faced with a choice. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents. Newer offerings are entering the market and have sophisticated functionality that achieve important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, if it has been copied to an unsecure platform or if it has been exported. Whitepaper - ITAR 4 6

5 The second choice is a conscious effort to attempt to avoid ITAR rules through the deployment of existing enterprise tools that are at substantial risk of not meeting security guidelines. Not only do these tools fail to take safeguards to prevent non-u.s. persons from viewing information, potentially causing the unintended or accidental export of ITAR-defined technical data, they also lack definitive measures to prevent information from being copied or shared outside of the solution. This is especially problematic as there is no way to track who has accessed or viewed information. Priceless Peace of Mind Although the monetary penalties for ITAR violations are stiff - often times, up to tens of millions of dollars in fines levied upon a company - additional outcomes can be even more damaging. However, with the U.S. government opening the door for organizations that handle ITAR-related technical data to now leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks. These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available for relatively affordable costs, particularly when compared to the consequences of ITAR violations. Although the monetary penalties for ITAR violations are stiff additional outcomes can be even more damaging. In order to attain priceless peace of mind when handling ITAR technical data, companies must ensure that collaboration solutions being considered for deployment are covered by endto-end ITAR compliance. These solutions must assure the nonintended exports of ITAR technical data are possible. They must be implemented and supported exclusively by U.S. persons at U.S. companies. They must include tamper proof audit trails to demonstrate continual ITAR compliance based on a document s specific history. They must be, or match, the ITAR compliant Brainloop solution. To learn more about the rules and regulations pertaining to the storage and collaboration of ITAR-related documents in ITAR compliant public cloud solutions, visit Whitepaper - ITAR 5 6

6 About Brainloop Inc. Operating since 2007, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of highly intuitive SaaS (Software-as-a-Service) solution enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. Our enterprise customers, comprising of numerous industries, count on our software s regulatory and corporate compliance, collaboration and process capabilities as well as its complete portfolio of security features. Brainloop s secure solutions look at the entire information protection issue in a holistic and integrated way to better protect the way businesses operate today. We go beyond common security measures to provide full 256-bit encryption, audit trail, two-factor authentication and provider and administrator shielding, all through an easy to use interface. Brainloop. simply secure. info@brainloop.com Copyright 2015 Brainloop WP Whitepaper - ITAR 6 6