ITAR: Welcome to Public Cloud Collaboration




Whitepaper

ITAR: Welcome to Public Cloud Collaboration

Updated Guidelines Create New Avenues for Aerospace and Defense Contractors to Share and Store Technical Data

www.brainloop.com

ITAR Rules Undergo 21st Century Facelift

Regulations and practices governing the storage and processing of International Traffic in Arms Regulations (ITAR) technical data are evolving. For example, in 2014 the U.S. State Department, the administering agency for ITAR, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring ITAR into alignment with the advances in cloud computing of the last 15 years, for the first time allowed ITAR technical data to be shared and stored using cloud computing applications. This flexibility is conditioned on specific encryption requirements designed to prevent the accidental or unintended export of the data. Other handling and recipient protocols must also be satisfied.

For many years, aerospace and defense organizations have been unable to collaborate on ITAR-controlled developments via the common cloud computing practices that are widely recognized at the enterprise level as best-in-class for productivity and performance. Public cloud tools for document storage, management and collaboration have therefore not been available for ITAR technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these restrictions when, in 2010, he called the U.S. export control system "a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government."

Whitepaper - ITAR 2 6

ITAR dictates control over the export and import of defense-related articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation. Under ITAR, unless an exemption exists, such information must be stored in a U.S.-located environment physically and logically accessible only to U.S. persons: U.S. citizens, lawful permanent residents and certain protected individuals. For a public cloud solution to meet these demands, all installation, support, ongoing maintenance and system upgrades must be performed exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons. Additional security features not mandated specifically by ITAR, but certainly part of a comprehensive approach, are full encryption, tamper-proof audit trails, two-factor authentication, and operator and provider shielding.

ITAR-compliant solutions are not available to the general public. Organizations wishing to use them must guarantee that users are limited to U.S. persons and, ideally, should maintain a valid Directorate of Defense Trade Controls (DDTC; see https://www.pmddtc.state.gov/) exporter registration with full export privileges, not subject to any sanction or debarment, among other requirements.

Encryption and Tokenization

Complex requirements and lagging adoption of technology solutions have led some vendors to move faster than the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization in meeting ITAR's standards. While the provider apparently sought to market its token-based encryption technology as solving certain ITAR deemed-export restrictions, a June 9, 2014 Wall Street Journal article on the issue quoted a State Department official as stating: "Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as [a] means [of meeting ITAR standards]."

Risky Business: The Cost of Non-Compliance

What is the importance of all this? Since 2010, there have been nine cases in which aerospace and defense contractors were sanctioned for failing to comply with ITAR. In 2014, two fines were issued, totaling approximately $30 million. In 2013, three fines were issued for ITAR violations, totaling $41 million. Moreover, fines are not the only sanction available: the possibilities extend to additional civil and administrative remedies, including debarment as an exporter or even as a government contractor, and to criminal sanctions for egregious non-compliance.

Many organizations wishing, or needing, to use the collaborative and efficient cloud solutions that are coming to define best practice for ITAR technical data are therefore faced with a choice. One alternative is to build an expensive private "dark" cloud to provide secure storage and sharing of sensitive documents. Newer offerings entering the market have sophisticated functionality that achieves important efficiencies and cost savings, including systemic monitoring tools that track who has viewed information and whether it has been copied to an insecure platform or exported.

The second choice is a conscious effort to attempt to avoid ITAR rules by deploying existing enterprise tools that are at substantial risk of not meeting the security guidelines. Not only do these tools lack safeguards to prevent non-U.S. persons from viewing information, potentially causing the unintended or accidental export of ITAR-defined technical data; they also lack definitive measures to prevent information from being copied or shared outside the solution. This is especially problematic because there is then no way to track who has accessed or viewed the information.

Priceless Peace of Mind

Although the monetary penalties for ITAR violations are stiff, often running to tens of millions of dollars in fines levied on a single company, the additional outcomes can be even more damaging. However, with the U.S. government opening the door for organizations that handle ITAR-related technical data to leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks. These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available at relatively affordable cost, particularly when compared with the consequences of ITAR violations.

To attain peace of mind when handling ITAR technical data, companies must ensure that the collaboration solutions being considered for deployment are covered by end-to-end ITAR compliance. These solutions must ensure that unintended exports of ITAR technical data are not possible. They must be implemented and supported exclusively by U.S. persons at U.S. companies. They must include tamper-proof audit trails that demonstrate continual ITAR compliance based on a document's specific history. They must be, or match, the ITAR-compliant Brainloop solution. To learn more about the rules and regulations pertaining to the storage of, and collaboration on, ITAR-related documents in ITAR-compliant public cloud solutions, visit www.brainloopitar.com.
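Two of the requirements listed above, that access be limited to authenticated U.S. persons and that the audit trail be tamper-proof and tied to a document's history, can be made concrete in code. The following Python is an added example written for this page; it is not Brainloop's implementation and not a design ITAR prescribes. The `User`, `Document` and `AuditTrail` names, the HMAC key, and the sample access attempts are all constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Key for the audit-trail HMAC. In a real data room it would be held in an
# HSM/KMS reachable only by U.S.-person operators; a constant is used here
# only so the example runs stand-alone (constructed, not a real key).
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_TAG = "0" * 64


@dataclass
class User:
    name: str
    us_person: bool      # U.S. citizen, lawful permanent resident or protected individual
    mfa_verified: bool   # second factor presented for this session


@dataclass
class Document:
    doc_id: str
    itar_controlled: bool  # USML-listed technical data


@dataclass
class AuditTrail:
    """Hash-chained audit log: every entry's tag covers the entry and the
    tag of the entry before it, so editing, deleting or reordering any
    stored record makes verify() fail."""
    entries: list = field(default_factory=list)

    def _tag(self, prev_tag: str, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        tag = self._tag(prev_tag, record)
        self.entries.append({"record": record, "tag": tag})
        return tag

    def verify(self) -> bool:
        prev_tag = GENESIS_TAG
        for entry in self.entries:
            expected = self._tag(prev_tag, entry["record"])
            if not hmac.compare_digest(expected, entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True


def authorize_access(user: User, doc: Document, trail: AuditTrail, seq: int) -> bool:
    """Deny-by-default gate for ITAR-controlled documents. Every decision,
    allowed or denied, is appended to the chained audit trail."""
    allowed = (not doc.itar_controlled) or (user.us_person and user.mfa_verified)
    trail.append({"seq": seq, "user": user.name, "doc": doc.doc_id,
                  "decision": "allow" if allowed else "deny"})
    return allowed


def demo() -> dict:
    """Run three access attempts against one controlled drawing, then tamper
    with a stored record and show that verification catches it."""
    trail = AuditTrail()
    drawing = Document("drawing-0042", itar_controlled=True)   # constructed sample
    attempts = [
        User("alice", us_person=True, mfa_verified=True),    # allowed
        User("bob", us_person=False, mfa_verified=True),     # foreign national: denied
        User("carol", us_person=True, mfa_verified=False),   # no second factor: denied
    ]
    decisions = [authorize_access(u, drawing, trail, seq=i + 1)
                 for i, u in enumerate(attempts)]
    intact_before = trail.verify()
    # An insider rewrites the denied attempt as an "allow" after the fact.
    trail.entries[1]["record"]["decision"] = "allow"
    intact_after = trail.verify()
    return {"decisions": decisions,
            "intact_before": intact_before,
            "intact_after": intact_after}


if __name__ == "__main__":
    print(demo())
```

The chain detects modification, deletion and reordering of stored records, but not silent truncation of the newest entries: an attacker who drops the tail leaves a chain that still verifies. A real deployment would periodically anchor the latest tag outside the system (a write-once store, a signed timestamp or a separate log), and whoever holds `AUDIT_KEY` can forge the whole chain, which is why key custody by U.S.-person operators matters as much as the algorithm.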

About Brainloop Inc.

Operating since 2007, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of highly intuitive SaaS (Software-as-a-Service) solutions that enable customers to securely manage and collaborate on confidential documents and information, whether inside or outside their IT environments. Our enterprise customers, spanning numerous industries, count on our software's regulatory and corporate compliance, collaboration and process capabilities, as well as its complete portfolio of security features. Brainloop's secure solutions address the entire information protection problem in a holistic and integrated way to better protect the way businesses operate today. We go beyond common security measures to provide full 256-bit encryption, audit trails, two-factor authentication, and provider and administrator shielding, all through an easy-to-use interface.

Brainloop. simply secure. www.brainloop.com info@brainloop.com Copyright 2015 Brainloop WP-037-0215