
Protecting National Security Through ITAR Compliance

  • Updated on November 19, 2024

By: Calli Schlientz, Director of Compliance

ITAR Compliance Checklist

If your organization engages in exporting or importing defense articles, or furnishing defense services to foreign entities, you must achieve ITAR compliance.

The U.S. International Traffic in Arms Regulations (ITAR) protect national security and foreign policy interests by preventing the unauthorized transfer of sensitive technology. ITAR specifically controls the exporting and importing of defense items (called munitions). These can include technology like encryption algorithms and computer software. They also include bombs, guns, ships, tanks, and airplanes.

ITAR violations can harm national security, so they may result in severe civil and criminal penalties. Violators may also damage their brand reputations and lose their licenses to export and import.

A Guide for Your ITAR Compliance Journey

To manage your IT environment so that it achieves and maintains ITAR compliance, the program you develop should focus on monitoring and controlling regulated import and export activities. To guide you on this mission, here’s a checklist covering the necessary high-level activities:

  • Establish an ITAR-specific compliance program—Understand how your business works to determine your risk areas. Many companies that don’t engage in manufacturing, exporting, or brokering must still maintain a compliance program to reduce the risk of violations.
  • Know your obligations—See the U.S. Munitions List to determine if your organization is subject to ITAR and what ITAR requires. This includes registration and obtaining approvals before engaging in export, import, and brokering activities.
  • Know your customers—This includes their intended use of the defense articles and services. Screen all parties involved in transactions. Also know which countries the U.S. government has denied approvals for receiving defense articles and services.
  • Document the licensing procedures—Keep detailed records of all defense-related exports and imports. This includes the registration of your corporate controller and the licensing of items and services.
  • Categorize your munitions items—The munitions list spans 21 categories classified into 16 sections. The classification determines restrictions, exemptions, and licensing requirements.
  • Control access—Identify the access privileges of your internal users based on their job roles. Implement robust authentication methods.
  • Manage risks—Conduct a thorough assessment to determine the risks of unauthorized transfer of sensitive technologies. Then implement a plan to close any security gaps.
  • Coordinate incident response—Establish a plan for mitigating, reporting, and investigating data breaches.
  • Audit regularly—Verify your exports and imports of ITAR-controlled items. Create a system for investigating discrepancies.
  • Train your employees—Invest in staff training for ITAR and your related infrastructure to foster a culture of compliance across your enterprise.
  • Encrypt sensitive data—Use encryption to ensure only authorized recipients can decrypt data.
  • Control data sharing—Use technology to prevent the sharing of ITAR data with unauthorized individuals.

After working through this checklist, review the ITAR provisions and complete your registration with the Directorate of Defense Trade Controls (DDTC). As part of this process, determine the legal authority over your product. A handy tool for working your way through the compliance process is the ITAR Risk Matrix. It outlines several elements to consider when building your program and how to assess your risk.

How DataBank Supports ITAR Customers

DataBank equips its colocation data center facilities to fully support ITAR compliance for our customers. We implement the required security protocols and demonstrate our capabilities through annual third-party audits.

Customers trust our compliance experts—including a dedicated CISO—to support their needs. Our customers also rely on our managed services security program that ensures compliance with ITAR. Our relevant certifications include a FedRAMP Authority to Operate (ATO) as well as SSAE 18 SOC 1 Type 2 and SOC 2 Type 2.

To learn more about how DataBank data centers can help your organization comply with ITAR and other regulations, contact DataBank today. In addition to achieving compliance, you can safeguard personal information and build confidence among your customers.


About the Author

Calli Schlientz, Director of Compliance

Calli Schlientz is the Director of Compliance at DataBank, where she leads a team of Compliance Engineers and oversees vulnerability assessments for both internal systems and customer infrastructures. Since joining DataBank in 2017, she has played a pivotal role in navigating complex regulatory frameworks, including FedRAMP, HIPAA, PCI-DSS, and GDPR.

Calli is also the Chief Compliance Officer at Common Sense Security, providing compliance consulting and conducting security assessments for various organizations. Her background includes positions at Lincoln Christian University as an Adjunct Instructor and Assistant Director of Enrollment and Student Achievement, where she gained valuable experience in academic compliance.

She holds a Master's degree in Organizational Leadership from Lincoln Christian University and a Bachelor's degree in Business Management from the University of Phoenix. Calli is a thought leader in the field, contributing to industry discussions on privacy regulations and data center compliance.
