Organizations that make defense-related equipment and services can leverage the power of the cloud, big data analytics, and artificial intelligence to help the United States (US) military stay ahead in modern warfare. But ensuring the safety of sensitive data as it’s stored, transformed, and transmitted across the organization’s digital infrastructure is a tricky challenge.
Understanding how to adopt the cloud safely is essential for all organizations in the US defense sector. The US government has established International Traffic in Arms Regulations (ITAR) to protect national security and foreign policy interests by ensuring that sensitive military data does not get into the wrong hands.
This article discusses six key data security measures to help achieve ITAR compliance in the cloud.
- Build an ITAR compliance program
- Discover sensitive ITAR data across clouds
- Limit data access and map data flows
- Strengthen cloud data security posture
- Ensure compliance across the supply chain
- Prove ITAR compliance and assist with investigations
Before discussing these, let’s briefly review what is ITAR.
What is ITAR? Who Should Care?
ITAR is a set of regulatory rules defined by the United States Department of State to control the manufacturing, sale, and distribution of defense and space-related articles included in the United Stated States Munitions List (USML). In a world where every transaction has a digital footprint, a key goal of ITAR is to limit access to sensitive data connected with USML to United States personnel only.
Any company that handles, manufactures, designs, sells, or distributes items on the USML must register with The State Department’s Directorate of Defense Trade Controls (DDTC) and abide by ITAR rules. Penalties can be severe and include fines of up to $1,000,000 and imprisonment of up to 10 years per violation. For these reasons, no organization should take ITAR lightly.
Additionally, in March 2020, the State Department issued a ruling to guide organizations on handling unclassified ITAR-related data and storing it in the cloud. We will discuss this ruling further alongside relevant data security measures.
To learn more about ITAR, visit Securiti’s knowledge center.
ITAR Data Security Measures
In the modern cloud context, organizations must meet several data security, governance, and compliance requirements to protect sensitive ITAR data. Let’s look at these requirements and understand how Securiti can help.
1. Build an ITAR Compliance Program
ITAR has no formal certification process, and the onus of compliance falls on organizations through self-assessment. Therefore, organizations must establish internal ITAR programs to help protect sensitive data and implement security controls.
The legal or compliance department within the organization plays a crucial role in managing this ITAR program. Their responsibilities include staying informed on current laws and regulations, providing training to employees, collaborating with internal IT, security, import/export, and vendor management teams to implement technical controls, and developing processes to enforce and monitor compliance.
In case of non-compliance, this department must report ITAR violations to the US government and collaborate with investigating bodies. The following measures focus on data security guidance to help protect ITAR-specific data.
2. Discover sensitive ITAR data across clouds
The first technical step towards ITAR compliance is to discover, identify, and label ITAR-restricted data across the organization’s entire digital infrastructure. This process can be complex, as data is often dispersed across various silos, including on-premises and public clouds. Organizations must ensure that sensitive ITAR-specific data does not spill into cloud infrastructure that is not ITAR compliant.
Securiti’s Sensitive Data Intelligence uses automation to discover sensitive data across multi-cloud and SaaS platforms. This enables organizations to pinpoint the location of their data, automatically detect shadow or cloud-native assets, and scan structured or unstructured data at a petabyte scale. Securiti applies advanced machine learning techniques to help organizations accurately identify ITAR-specific data with a low false positive rate.
3. Limit Data Access and Map Data Flows
ITAR compliance requires that only US citizens can access sensitive ITAR data. This requirement applies to employees and subcontractors in US or foreign office locations. There are exceptions to this rule, such as the relaxation of ITAR export requirements to certain countries. ITAR requires that organizations extensively document every instance when they claim an exception for business operations.
To comply with ITAR, organizations must track user access and understand how data flows through different data systems. Securiti’s Data Access Governance and Data Mapping Automation modules help quickly identify direct or indirect user access to sensitive data, enforce least privilege controls, visualize how data flows through systems, and detect cross-border transfers.
4. Strengthen Cloud Data Security Posture
Leading cloud and SaaS providers enable organizations to comply with ITAR by storing sensitive data in sovereign data centers located in the United States. These providers ensure that only authorized personnel, who are US citizens, can manage infrastructure in these environments.
Organizations can now use these cloud environments to transmit, process, and store sensitive data in line with key ITAR regulations. However, it is important to remember that cloud security is a shared responsibility between the cloud provider and the customer. While the cloud provider ensures the security and compliance of the underlying infrastructure layer, the customer is responsible for the security of the applications and data in the cloud. Therefore the onus of managing the cloud data security posture falls on the customer, who must enforce security controls to restrict network access and enable encryption for data at rest and in motion.
Additionally, in March 2020, the state department issued a ruling that makes it easier for organizations to share unclassified ITAR data with individuals outside the United States. However, ITAR still requires end-to-end encryption for sharing unclassified data.
Securiti’s Data Security Posture module continuously monitors configuration settings of data assets across clouds to prevent accidental data exposure. The solution supports over 700 configuration security best practices defined by standards such as NIST, which is a crucial starting point for compliance with ITAR.
5. Ensure Compliance Across the Supply Chain
ITAR requires that every organization handling sensitive data across the supply chain comply with its data security regulations. An infraction of ITAR compliance by even one organization in the supply chain can create a non-compliance risk for everyone. Therefore, organizations must track the compliance status of all relevant suppliers and distributors. Securiti’s Vendor Assessment module enables organizations to onboard, assess, and track third-party vendor compliance risk in one central location.
6. Prove ITAR Compliance and Assist with Investigations
Finally, ITAR requires that organizations track all data processing activities and report on them when audited by the US government. Securiti’s Data Command Center delivers a comprehensive solution, providing real-time reports and an audit trail of compliance with data security controls, and any changes to data mapping flows. This enables organizations to demonstrate commitment to ITAR compliance and provide evidence of the measures taken to protect sensitive data.
In the event of a suspected ITAR violation, Securiti’s Data Breach Management module enables organizations to securely validate the incident and avoid a false notification. If the violation is confirmed, the solution helps assess the scope of the infraction and share accurate information when the investigation is in process.
Leveraging Securiti’s Data Control Cloud For ITAR Compliance
Compliance with ITAR regulations is essential for all organizations that help the US military develop critical military services and equipment. Major enterprises rely on Securiti’s Data Command Center™ to unify data intelligence and controls across multiple public clouds, data clouds, SaaS, and private clouds. By delivering a centralized data command center, the solution enables organizations to fulfill essential data security, privacy, governance, and compliance obligations while eliminating the cost and complexities of managing disparate tools.
Learn how Securiti’s Data Command Center can help implement key ITAR security measures by booking a demo today.