Protecting user data, especially sensitive data, is the primary objective of data regulations. In a world where cybersecurity incidents are rampant, losing sensitive data to threat actors can put a user in significant danger. Now imagine that sensitive data linked to defense-related goods, such as long-range missiles or nuclear data, falls into the wrong hands. The consequences could be catastrophic. This is where ITAR encryption comes into the picture.
The International Traffic in Arms Regulations (ITAR) is governed and enforced by the Directorate of Defense Trade Controls (DDTC) at the US Department of State. The regulation is enforced to safeguard defense-related items, services, and data against unlawful use by unauthorized persons and to uphold national security. In March 2020, the Department of State implemented the ITAR addendum to enable the transfer of unclassified technical data without the need for any licenses, provided it is end-to-end encrypted.
ITAR encryption is now a critical component of the regulation that not only requires compliance but also demands businesses ensure robust data protection mechanisms for protecting defense-associated data. Read on to learn more about the provisions related to ITAR end-to-end encryption (EEE) and the best practices to enforce it.
The ITAR encryption provision covers the use of cryptography to protect ITAR data. In layman's terms, encryption refers to the process of scrambling data until it makes no sense to any unauthorized person. In fact, even an authorized individual would require a key to unscramble it. The process of scrambling data is called encryption, while the process of unscrambling it is called decryption.
Encryption is one of the most effective and dependable mechanisms for data protection. With end-to-end encryption (EEE), data teams can further ensure that the data’s integrity and confidentiality remain intact while in transit or at rest. ITAR encryption requires ITAR-covered entities to protect unclassified technical data with EEE to reduce the risk of unauthorized access or potential data breaches.
The DDTC enacted the ITAR addendum with revised definitions and related provisions in March 2020 under the newly added § 120.54. Regulation § 120.54 retains part of the original text and supplements it with a revised definition of activities that are not considered controlled events, i.e., “activities that are not exports, reexports, retransfers, or temporary imports,” and that therefore require no approval or authorization from the DDTC. § 120.54 further lists five additional provisions in paragraph (a), where each provision discusses how different “not controlled events” must be treated in various scenarios.
For instance, provision (a)(1) states that launching items into space is not a controlled event. Similarly, (a)(2) states that the transfer of technical data between US persons in the US is not a controlled event and thus doesn’t require DDTC approval. Provision (a)(3) states that the transfer of technical data between US persons in the same foreign country is not a reexport or retransfer if it is not released to a foreign person. Provision (a)(4) states that moving defense items between US territories is not a controlled event.
The fifth provision, (a)(5), is the part where the DDTC discusses the requirement, type, and scenarios for encryption of technical data when it is transferred outside the United States.
The fifth provision, (a)(5) of § 120.54, states that the transmission, transfer, or storage of effectively encrypted unclassified technical data is not a controlled event, i.e., it doesn’t require authorization as long as the data is end-to-end encrypted. However, the data must be encrypted at the sender’s facility and remain in encrypted form until it reaches the recipient’s facility and is decrypted by the authorized recipient, or by the sender in the case of remote storage. The provision further clarifies that a “controlled event” occurs only when the transferred technical data is released to an unauthorized foreign person or any US person while the data is not encrypted.
Provision (a)(5) of § 120.54 in the ITAR addendum further highlights the encryption standards required for the transmission or storage of technical data outside the United States. Let’s take a closer look at the breakdown of those highlights:
The addendum emphasizes the use of end-to-end encryption (EEE) for compliance and for protecting ITAR technical data when it is transmitted or transferred outside the US. The addendum defines EEE as a cryptographic mechanism that should be applied while the data is in the facility of the ITAR-covered entity or sender. The encryption of the technical data should remain intact until it reaches the recipient's facility or is decrypted by an authorized person. The addendum further clarifies that EEE means that the decryption keys must not be provided to any third party, and the data must not be decrypted while it is in transit.
The importance of ITAR encryption cannot be overstated. The 2020 addendum strengthens data security controls around defense-related data to prevent unauthorized access and potential security risks. Let’s take a quick look at some of the key reasons why this provision holds such significant value:
ITAR encryption is an integral part of ITAR compliance. By establishing encryption policies and controls, organizations can safeguard their data against various security risks, maintain compliance with the law, and contribute to the protection of national security.
Securiti, a named leader in privacy management solutions, helps organizations automate and meet compliance with global regulations and standards through a unified data controls framework. Leverage Securiti to gain deeper insights into your ITAR data across the organization, associated risks or vulnerabilities, and enable optimized controls around its security, governance, and compliance.
The ITAR rule for encryption involves controlling the export of encryption technology that is specially designed or modified for military or space applications covered by ITAR regulations.