What is really needed for ITAR cybersecurity compliance?
Straight guidance on ITAR cybersecurity compliance requirements that DTCC forgot to mention.

The Directorate of Defense Trade Controls (DDTC), through its Office of Defense Trade Controls Compliance (DTCC), just released the "International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines," and its cybersecurity section gives badly misleading advice. You can read it here: https://www.pmddtc.state.gov/sys_attachment.do?sysparm_referring_url=tear_off&view=true&sys_id=1216c09a1b671d14d1f1ea02f54bcb25#page=23. Personally, I am not willing to accept this kind of lazy writing, which is why this article addresses what ITAR compliance actually requires and how that regulation intersects with the minimum cybersecurity control requirements set by another US agency.

The core issue with the ITAR Compliance Program Guidelines is that one US Federal agency (DTCC) did not bother to acknowledge or reference that the National Archives and Records Administration (NARA) has already established baseline cybersecurity criteria for protecting ITAR/EAR data. For those not familiar with NARA, it runs the CUI Program for the US Government, so it is the authority on the matter.

Minimum Cybersecurity Requirements for ITAR / EAR

While it is possible that some ITAR/EAR information falls outside of NARA's "export-controlled" CUI category, the reality is that the NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR because of NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). NIST SP 800-171 is considered a "minimum" because its controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.

ITAR vs EAR vs CUI - Competing Agencies Add Confusion

When you get into ITAR vs EAR vs CUI, it can get tricky, and it is important to get it right because of the significant penalties for non-compliance. ITAR covers "defense-related items, information and technology," and the information component of ITAR (technical data) is CUI. The graphic below shows the relationship between the regulations, the agencies that own them and what each covers:

[Image: ITAR - EAR - CUI - DFARS - FAR organization]

Since a picture can be worth more than a thousand words, this one traces the requirement to protect data from the owning agency down to the applicable cybersecurity standard. ITAR / EAR fall under CUI//SP-EXPT, and CUI Notice 2020-04 dictates NIST SP 800-171 (security requirements) and NIST SP 800-171A (assessment procedures) as the underlying cybersecurity controls required to protect CUI.

[Image: ITAR vs EAR vs DFARS - Minimum Cybersecurity Requirements]

If you take the time to read through the ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that must be used to protect ITAR/EAR data. This is where NARA comes into play through its authority to operate the US Government's CUI Program, in which "export controlled" information has its own CUI category: https://www.archives.gov/cui/registry/category-detail/export-control.html

ITAR/EAR CUI Category: Export Controlled (CUI//SP-EXPT)

NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.

Bad Guidance From DTCC = Non-Compliance From NARA

In the ITAR Compliance Program Guidelines, DTCC states: "Although the ITAR does not explicitly require organizations to implement specific cyber security or encryption measures for the storage or transmission of technical data, cyber intrusion events, and the theft of technical data may result in unauthorized exports. Other U.S. Government agencies and programs, however, have specific cyber security requirements. DDTC expects organizations to take steps to protect their technical data from cyber intrusions and theft and consider carefully what cyber security solutions work most effectively for them." What does "work most effectively for them" mean? DTCC acknowledges that other agencies and programs have requirements, but then shrugs its shoulders and declines to say what those requirements are. It is astounding for one US Federal agency to so openly ignore another agency's requirements. One of the "other U.S. Government agencies" referenced is NARA, which runs the entire CUI Program; that means DTCC is subordinate to NARA's requirements and is not in a position to offer alternative requirements for protecting CUI.

If you follow only DTCC's "Cybersecurity and Encryption Suggestions" (shown below), you will not meet the minimum requirements NARA established for protecting CUI. DTCC's conflicting guidance can therefore lead an organization down the wrong path and into non-compliance with NARA's authoritative guidance.

To reduce the risk of ITAR violations and improve cyber security measures, DDTC recommends that organizations take the following actions:

  • Establish policies and procedures for recurring training on travel with mobile devices for new and existing employees.
  • Ensure foreign person employees do not receive unauthorized access to technical data.
  • Ensure technical data is not backed up to servers in foreign locations.
  • Coordinate with IT to implement intrusion detection systems.
  • Educate employees about phishing, malware, and other cyber threats.
  • Review electronic storage options, such as cloud storage services, and understand how service providers protect ITAR-controlled technical data.
  • Establish security policies for file sharing and collaboration tools.
  • Establish measures for encryption of data on mobile devices, such as laptops and cell phones.
  • Establish policies and procedures for the review and approval of employee travel with mobile devices.
  • Ensure that IT logs and controls access to company networks that contain ITAR-controlled technical data by authorized personnel.

About The Author

If you have any questions about this, please feel free to reach out.

Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Glenn Johnson

CEO and Principal Engineer at Vizius - Pragmatic Cybersecurity Experts

1 year ago

Thanks Tom - this is very helpful. Especially the family tree of minimum cybersecurity requirements!

Regan Edens

Patriot | CMMC Evangelist & Capacity Builder | Coup d'Oeil | DoD | IC | SOF | Veteran | Board Member | Digital Transformation | CUI | Cybersecurity | Technology | Compliance | Innovation

2 years ago

Solid article Tom!

Gregory Saxton

Enthusiastic Business Value Obsessed Nerd

2 years ago

Thank you for the excellent insights Tom. Seems like a gross oversight, based upon your analysis. What makes me curious about this is what nefarious actions may follow? And are these actions serendipitous coincidence or a well orchestrated plan?

Amanda Adams

Cybersecurity Analyst | FSO | Certified CMMC Professional (CCP)

2 years ago

Thanks for sharing! Excellent info.

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

2 years ago

Does this allow for ITAR/EAR information that is not Federal information and therefore not CUI? I think there is a significant underlap there. I can have ITAR/EAR stuff where the information around that stuff is not the government's. They had nothing to do with development. They have just made laws that I cannot export it.
