ITAR and Encryption What You Need to Know

Protecting user data, especially sensitive data, is the primary objective of data regulations. In a world where cybersecurity incidents are rampant, losing sensitive data to threat actors can put a user in significant danger. However, imagine a set of sensitive data, which is linked to defense-related goods like long-range missiles or nuclear data, ends up falling into the wrong hands. Such a consequence could be catastrophic. Here, ITAR encryption comes into the picture.

The International Traffic in Arms Regulation (ITAR) is governed and enforced by the Directorate of Defense Trade Controls (DDTC) at the US Department of State. The regulation is enforced to safeguard defense-related items, services, and data against unlawful use by unauthorized persons and to uphold national security. In March 2020, the Department of State implemented the ITAR addendum to enable the transfer of unclassified technical data without the need for any licenses providing it is end-to-end encrypted.

ITAR encryption is now a critical component of the regulation that not only requires compliance but also demands businesses ensure robust data protection mechanisms for protecting defense-associated data. Read on to learn more about the provisions related to ITAR end-to-end encryption (EEE) and the best practices to enforce it.

What is ITAR Encryption?

ITAR encryption provision discusses the theme of using cryptography for protecting ITAR data. In layman's terms, encryption refers to the process of scrambling data until it makes no sense to any unauthorized person. In fact, even an authorized individual would require a key to unscramble it. The process of unscrambling is called decoding, while the process of scrambling or encrypting data is called encoding.

Encryption is one of the most highly effective and guaranteed mechanisms that offer data protection. And with end-to-end encryption (EEE), data teams can doubly make sure that the data’s integrity and confidentiality remain intact while in transit or at rest. ITAR encryption requires ITAR-covered entities to protect unclassified technical data with EEE to reduce the risk of unauthorized access or potential data breaches.

Understanding ITAR Regulations for Encryption

The DDTC enacted the ITAR addendum with revised definitions and related provisions in March 2020 under the newly added § 120.54. Regulation § 120.54 contains some part from the original text and supplements it with the revised definition for activities that are not considered as controlled events, i.e., “activities that are not exports, reexports, retransfers, or temporary imports,” and so it requires no approval or authorization from DDTC. § 120.54 further lists five additional provisions in paragraph (a), where each provision discusses how different “not controlled events” must be treated in various scenarios.

For instance, provision (a)(1) presents that launching items into space is not a controlled event. Similarly, (a)(2) states that the transfer of technical data between US persons in the US is not a controlled event and thus doesn’t require DDTC approval. Provision (a)(3) states that the transfer of technical data between US persons in the same foreign country is not a reexport or retransfer if it is not released to a foreign person. Provision (a)(4) talks about moving defense items between US territories as not controlled events.

The fifth provision, (a)(5), is the part where the DDTC discusses the requirement, type, and scenarios for encryption of technical data when it is transferred outside the United States.

Provision § 120.54 (a)(5) - ITAR Encryption

The fifth provision, (a)(5) of § 120.54, states that the transmission, transfer, or storage of effectively encrypted unclassified technical data is not a controlled event, i.e., it doesn’t require authorization as long as the data is end-to-end encrypted. However, encryption must occur from the sender’s facility and remain in encrypted form when it reaches the recipient’s facility and is decrypted by the authorized recipient or the sender himself in the case of remote storage. The provision further clarifies that a “controlled event” occurs only when the transferred technical data is released to an unauthorized foreign person or any US person while the data is not encrypted.

ITAR Encryption Standard as Governed by DDTC

The provision a(5) of § 120.54 in the ITAR addendum further highlights the encryption standards required for the transmission or storage of technical data outside the United States. Let’s take a closer look at the breakdown of those highlights:

• The encryption must be accomplished in a manner certified by the U.S. National Institute for Standards and Technology (NIST), as compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2).FIPS 140-2 is a security standard that lists the requirements for encryption modules as used by military or government agencies. These standards ensure that the encryption grade used by any entity meets the specific criteria.
• ITAR-covered entities are further permitted to use an alternative to the NIST FIPS 140-2 standard. However, it is imperative to make sure that the encryption grade must meet or exceed at least the 128-bits security strength.
• ITAR addendum also mentions “Table 2: Comparable strengths” of NIST Special Publication 800-57 Part 1, Revision 4.” The table provides a comparison chart between different encryption levels and their equivalent. The table can be considered an ideal reference when making sure that the encryption used for safeguarding technical data is equal in strength or more than 128 bits.

ITAR End-to-End Encryption Definition

The addendum emphasizes the utilization of end-to-end encryption (EEE) for compliance and protecting ITAR technical data when transmitted or transferred outside the US. The addendum defines EEE as a cryptographic mechanism that should be applied when it is in the facility of the ITAR-covered entity or sender. The encryption of the technical data should remain intact until it reaches the recipient's facility or is decrypted by an authorized person. The addendum further clarifies that EEE means that the decryption keys must not be provided to any third party, and encryption must not be decoded while the data is in transit.

Why is ITAR Encryption Important?

The importance of ITAR encryption cannot be exaggerated enough. The 2020 addendum strengthens data security controls around defense-related data to prevent unauthorized access and potential security risks. Let’s take a quick look at some of the key reasons why this provision holds such significant value:

• Defense-related data is highly sensitive since it is associated with the national security of a country. If it ends up in the hands of cybercriminals, it could pose serious threats to a nation. ITAR encryption helps both the government and the defense suppliers and manufacturers to safeguard the data to reduce risks and thwart potential breaches.
• State-sponsored espionage is also a common occurrence that could have severe consequences if a breach is successful. By complying with ITAR encryption provisions and setting up the right safeguards against such attacks, organizations can thwart the efforts of threat actors and prevent unauthorized individuals from accessing, decoding, or tempering sensitive data even if a breach occurs.
• Compliance with the ITAR encryption addendum is not only critical for ensuring national security but also for preventing reputational and financial losses which are the result of non-compliance. The addendum puts compliance responsibility on organizations to leverage optimal controls for safeguarding defense data and demonstrate their commitment to upholding trust and national security.

Best Practices for Implementing ITAR Encryption

• First, discover and classify all the ITAR data across the organization to understand the sensitivity level of the data so you may apply the right security controls.
• Identify the potential vulnerabilities and risks associated with your ITAR data to determine the encryption level you need to safeguard it.
• Map the discovered data against ITAR provisions, especially the cross-border rules, to ensure compliance with the law during cross-border transactions.
• Establishing access policies and controls around ITAR data to ensure only authorized individuals have access to data. Add a layer of added security by applying encryption on the data to safeguard it against access risks and compliance with the ITAR addendum.
• Apply dynamic data masking wherever applicable to ensure the secure sharing of data while keeping the sensitive data obfuscated.

Meet ITAR Compliance with Securiti

ITAR encryption is an integral part of ITAR compliance. By establishing encryption policies and controls, organizations can safeguard their data against various security risks, maintain compliance with the law, and contribute to the protection of national security.

Securiti, a named leader in privacy management solutions, helps organizations automate and meet compliance with global regulations and standards through a unified data controls framework. Leverage Securiti to gain deeper insights into your ITAR data across the organization, associated risks or vulnerabilities, and enable optimized controls around its security, governance, and compliance.

Request a demo today and see how Securiti can empower your business.