Stringent Guidelines. ITAR dictates control over the export and import of. defense-related articles and services on the United States

Transcription

1

2

3

4 ITAR Rules Undergo 2l't Century Facelift Regulations and practices governing the storage and processing of International Traffic in Arms Regulations (ITAR) technical data are evolving. For example,in2or4, the U.S. State Department, the administrating agency for ITAR, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring ITARin alignmentwith advancements in cloud computing over the last 15 years' for the first time allowed ITAR technical data to be shared and stored using cloud computing applications. This flexibility is conditioned on specific encryption guidelines designed to avoid the accidental or unintended export of specified data. Other handling and recipient protocols must also be satisfied. Stringent Guidelines ITAR dictates control over the export and import of defense-related articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation. Under ITAR, unless an exemption exists, such information must be stored in a U.S.-located environment physically and logistically accessible only to U.S. citizens or pe,rmanent residents (U.S. persons). For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrades must be supported exclusively by U. S. Persons, employed by U. S. employers and supervised by other U.S. Persons. Additional security features not mandated specifically by ITAR but certainly part of a comprehensive approach are full encryption, tamper-proof audit trails, two-factor authentication and operators, as well as provider shielding. For many years, aerospace and defense industry organizations have been unable to collaborate in ITARcontrolled developments via common cloud computing practices that are widely recognized at the enterprise-level as best-in-class to foster high productmty and performance. Thus, the implementation of public cloud tools for document storage, management and collaboration have not been available for ITAR technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in zoto he called the U.S. export control system "a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government." ITAR-compliant solutions are not available to the general public. Those wishing to utilize ITAR-compliant solutions must guarantee that users are limited to U.S. persons and, ideally, such organizations would maintain a valid Directorate of Defense Trade Controls (DDTC; see exporter registration with full, unsanctioned U.S. export privileges, among other requirements. " Complex requirements and lagging use of technology solutions ltave led many to move quicker than the DDTC would wish"

5 Encryption and Tokeni zation Complex requirements and lagging use of technology solutions have led many to move quicker than the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization to meet ITAR's high standards. While the provider apparently sought to market its token-based encryption technology as solving certain ITAR deemed export restrictions, according to a une 9,2or4 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating, "Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of me eting IT AR standar dsl. " $30 million.in2oi3, there were three fines issued for ITAR violations, for a total of $4t million. Year Number of Fines Issued Total Amount of Assessed and Contingent Fines 2oI4 2 $30 million 2or3 3 $41 million 2oL2 3 $55 million 20rr $79 million Moreover the possibility of fines is not the totality of sanctions. Those possibilities extend to additional civil and administrative remedies, including debarment as an exporter or even a government contractor. Consequences could extend into criminal sanctions for egregious noncompliance. Many organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR technical data are, therefore, faced with a choice. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents. Newer offerings are entering the market and have sophisticated functionality that achieve important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, if it has been copied to an unsecure platform or if it has been exported. The second choice is a conscious effort to attempt to avoid ITAR rules through the deployment of existing enterprise tools that are at substantial risk of not meeting security Risky Business: The Cost of Non-Compliance guidelines. What is the importance of all this? Since 2010, there have been nine cases where aerospace and defense contractors have been sanctioned for failing to comply with ITAR. In 2014, there were two fines issued, totaling approximately Not only do these tools fail to take safeguards to prevent non-u.s. persons from viewing information, potentially causing the unintended or accidental export of ITARdefined technical data, they also lack definitive measures to prevent information from being copied or shared outside

6 of the solution. This is especially problematic as there is no way to track who has accessed or viewed information. history. They must be, or match, the ITAR compliant Brainloop solution. To learn more about the rules and regulations pertaining to the storage and collaboration of ITAR-related documents in ITAR compliant public cloud solutions, visit com. Priceless Peace of Mind Although the monetary penalties for ITAR violations are stiff -- often times, up to tens of millions of dollars in fines levied upon a company -- additional outcomes can be even more damaging. However, with the U.S. government opening the door for organizations that handle ITAR-related technical data to now leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks. These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available for relatively affordable costs, particularly when compared to the consequences of ITAR violations. In order to attain priceless peace of mind when handling ITAR technical data, companies must ensure that collaboration solutions being considered for deployment are covered by end-to-end ITAR compliance. These solutions must assure the non-intended exports of ITAR technical data are possible. They must be implemented and supported exclusively by U.S. persons at U.S. Companies. They must include tamper proof audit trails to demonstrate continual ITAR compliance based on a document's specific About Brainloop Inc.: Operating since 2oo7, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of highly intuitive SaaS (Software-as-a-Service) solution enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. Our enterprise customers, comprising of numerous industries, count on our software's regulatory and corporate compliance, collaboration and process capabilities as well as its complete portfolio of security features. Brainloop's secure solutions look at the entire information protection issue in a holistic and integrated way to better protect the way businesses operate today. We go beyond common security measures to provide full 256-bit encrlption, audit trail, two-factor authentication and provider and administrator shielding, all through an easy to use interface. infordbrainloop.com About the Author William L. O'Brien is the chief operating officer of Brainloop and former speaker of the New Hampshire House of Representatives. He obtained his.d. from Suffolk University Law School and later received a Master's in Intellectual Property Law from the University of New Hampshire School of Law. He has held various executive positions in technology companies over the last 20 years, including in both general counsel and operational roles.

7 -t0 -it\ 1e0 cc1 I I r r L 0101" t i010 n1n rl ( L( 0: 1( 01 1r Need to share confidential or export controlled documents outside your comp anf Do it simpl nd securely with Brainloop The demand to exchange and collaborate on confidential documents internally and externally is growing. So is the risk of losing sensitive information by collaborating using non-secure cloud services, sending attachments or using personal mobile devices. Brainloop's enterprise approach to information security enables easy collaboration and information sharing with the highest level of security inside and outside the corporate environment., Easy to set up and manage via the web, Secure collaboration, file sharing and ing, Reduced risk of exposure, loss or data compromise, Dedicated server in certified, high-security datacenter within the U.S. operated by U.S. personnel only,itar compliant info@brainloopl R.com