
ITAR Compliance and Email Encryption

Written by Editorial Team | Dec 12, 2019 3:13:02 PM

For many organizations, compliance often means protecting business assets and professional reputation, but with the International Traffic in Arms Regulations (ITAR), national security may be at stake. ITAR is a set of government rules that controls the export of defense materials and technology to prevent access by foreign entities in the interest of US national security. 

ITAR holds manufacturers, exporters, and brokers of defense products and services partly responsible for their nation’s security. Companies that fail to secure ITAR technical data may be inadvertently sharing sensitive information with our country’s enemies—and find themselves on the hook for millions of dollars in fines.

Violating ITAR can lead to both civil and criminal penalties. In practice, fines are effectively unlimited: companies are often prosecuted for hundreds of violations at once, and penalties have run into the hundreds of millions of dollars.

Why is ITAR Compliance So Important?

ITAR compliance is meant to keep potentially dangerous products, techniques, and data out of the hands of foreign entities who could use them against the U.S. However, even technologies that aren’t directly regulated by ITAR could threaten American interests and foreign policy.

For this reason, organizations need to enforce a compliance program that goes beyond ITAR, regulating any assets that could have a military use. In particular, they need to adhere to the Export Administration Regulations (EAR) in addition to ITAR compliance rules. EAR regulates a large range of software, including data encryption software.

Who Needs to Be Compliant with ITAR?

ITAR compliance rules are complex, and it is important for organizations in the defense industry—and defense manufacturers’ supply chain partners—to understand if and how ITAR compliance requirements apply to them. 

In spite of its name, ITAR compliance isn’t just for arms dealers. Many mistakenly assume that ITAR applies only to firearms, tanks, missiles, and the like, but in reality anyone who buys, sells, or distributes anything on the United States Munitions List (USML), or who handles ITAR technical data, is subject to ITAR.

The USML is a list of military and defense items that require a license from the Department of State to be exported. Along with weapons, ground vehicles, and ammunition, it also includes aircraft, personal protective equipment, military electronics, and ITAR technical data, such as plans, blueprints, and documentation required for the design, development, production, manufacture, assembly, operation, repair, maintenance, or modification of items on the USML.

How does ITAR Impact Your Organization’s Data Management Practices?

As more organizations move to a digital workplace, managing technical data related to items on the USML in the cloud presents a dilemma. Storing and sharing technical data in the cloud risks exposing it to non-US persons, with steep non-compliance penalties and criminal charges to follow, yet blocking digital supply chain workflows inhibits collaboration and frustrates your supply chain partners.

In order to still realize the benefits of cloud workflows, organizations that fall under the jurisdiction of ITAR should develop and implement a dedicated data security policy that is fluid and continually updated to reflect the latest ITAR developments and compliance requirements.

Why Does Email Encryption Matter for ITAR Compliance?

In today’s cybersecurity landscape, it is no secret that data traveling over the Internet is especially vulnerable to attack. That vulnerability also extends to email protected only by SSL/TLS. TLS encrypts the tunnel between two mail servers, but the message is decrypted at each server that handles it and sits there in the clear, where it is unprotected from access by non-US persons. Only when encryption takes place on the client side, before the content reaches the network, does the protection follow the message throughout its lifecycle.

When it comes to sharing ITAR technical data, email is often the most convenient method even if it isn’t the most secure. Email providers’ native security features are a good first step towards secure email, but enhanced protection is needed to maintain ITAR compliance.

If a U.S. government official needs to share ITAR technical data with an authorized individual in the field overseas, the compliant method for securing and sending this data is to encrypt the email or the data itself and then send it via an encrypted tunnel to the foreign recipient. This level of email encryption protects both the data itself and the tunnel through which it travels. In other words, without strong, client-side email encryption, there is no practical way to send information subject to ITAR compliance rules overseas.

How and Why is Encryption Important to ITAR?

Client-side, end-to-end encryption is the only reliable way to secure data from hackers, cyber-spies, and internal threats. ITAR-compliant organizations must use strong encryption standards and carefully control encryption keys to ensure that unauthorized parties—including cloud vendors—can’t decrypt sensitive information such as ITAR technical data.

With over 90% of organizations storing data in the cloud, data sharing workflows—especially for ITAR-compliant organizations—must be secure. The ideal method for receiving, storing, processing, sending, and securing ITAR technical data is data-centric encryption, in which the data itself is wrapped in an encryption layer before it is shared via email. This type of encryption travels with the data and ensures that the data owner always remains in control of it.
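As an added illustration of the data-centric model described above (example code written for this page, not Virtru’s software or its TDF format), the following Go program wraps a document in AES-256-GCM and passes its access policy as additional authenticated data, so the policy travels with the ciphertext and any edit to it makes decryption fail. The Policy fields, the 32-byte key handling, and the requester identities are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Policy is a constructed, simplified stand-in for the access policy that travels with the data (not Virtru's actual TDF schema).
type Policy struct {
	Owner      string   `json:"owner"`
	Recipients []string `json:"recipients"`
}
// Wrapped is what gets stored in the cloud or emailed; nothing in it reveals the technical data.
type Wrapped struct{ Nonce, Ciphertext, Policy []byte }
func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm
}

// Wrap encrypts client-side and binds the JSON policy as AES-GCM additional authenticated data, so any later edit to the policy breaks the tag.
func Wrap(key [32]byte, plaintext []byte, p Policy) *Wrapped {
	gcm := newGCM(key)
	pol, _ := json.Marshal(p) // cannot fail for a struct of strings
	nonce := make([]byte, gcm.NonceSize())
	_, _ = rand.Read(nonce) // crypto/rand.Read is documented never to fail as of Go 1.24
	return &Wrapped{nonce, gcm.Seal(nil, nonce, plaintext, pol), pol}
}

// Unwrap authenticates ciphertext and policy together, then enforces the policy. The key stays
// with the data owner (or a key server they host), never with the cloud provider.
func Unwrap(key [32]byte, w *Wrapped, requester string) ([]byte, error) {
	plaintext, err := newGCM(key).Open(nil, w.Nonce, w.Ciphertext, w.Policy)
	if err != nil {
		return nil, errors.New("ciphertext or policy was tampered with")
	}
	var p Policy
	if err := json.Unmarshal(w.Policy, &p); err != nil {
		return nil, err
	}
	for _, who := range append([]string{p.Owner}, p.Recipients...) {
		if who == requester {
			return plaintext, nil
		}
	}
	return nil, errors.New("requester not authorized by policy")
}
```

Because the policy is authenticated before it is parsed, a storage provider that rewrites the recipient list cannot widen access, and without the owner’s key it cannot read the data at all.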

Fortunately, ITAR’s new “Encryption Carve-Out”—published December 24, 2019 and effective March 23, 2020—enables ITAR-compliant organizations to communicate and securely share end-to-end encrypted ITAR technical data with foreign offices, partners, or U.S. government employees without applying for an export license each time.

Under this update, technical data stored and shared in the cloud is no longer considered an export if it is protected with end-to-end encryption. The logic is that technical data protected with end-to-end encryption is shielded from access by non-U.S. persons when stored in the cloud. 

That means that even if the underlying cloud provider can’t provide geolocation and permissions assurances, organizations can store technical data in the cloud, so long as it’s protected with end-to-end encryption that prevents unauthorized access and limits visibility to the technical data owners and their intended, authorized recipients.

It is important to note, however, that email encryption alone won’t prevent a well-meaning employee from forgetting to encrypt a sensitive message, or from sending sensitive data by email by mistake. This is where other email security features such as data loss prevention (DLP), access controls, and audit logging become critical.

Virtru and ITAR Compliance

Virtru simplifies compliance for organizations managing ITAR technical data in the cloud in the following ways:

End-To-End Encryption for Email, Files, and SaaS Apps

Encrypt email and files containing ITAR technical data within the client to prevent access by foreign cloud servers or personnel, effectively resolving geolocation and personnel permissions concerns.

Attribute-Based Access Controls

Prevent unauthorized foreign access by setting expiration and disabling forwarding. Watermarking files containing ITAR technical data helps deter file-based leaks, but in the event of a data breach, users can revoke access to reduce the risk of foreign access. 

Persistent Protection for Greater Data Control

Maintain control of attachments to prevent foreign access wherever they’re shared, ensuring ITAR compliance beyond the initial email. 

Data Loss Prevention (DLP)

Detect ITAR technical data in email and files and automatically enforce encryption and access controls.

Detailed Audit

View when and where ITAR technical data has been accessed as it’s shared throughout the supply chain, and adapt controls for evolving collaboration and access requirements.

Host Your Own Encryption Keys

Host your own keys so that only authorized U.S. personnel can access the keys protecting ITAR technical data for ultimate control. 

Trusted Data Format (TDF)

Bind encrypted data to control policies and metadata to ensure only authorized US parties can access ITAR technical data.

ITAR Compliance is Complex, but Virtru Can Help

Using Virtru alone does not guarantee ITAR compliance. Virtru solutions must be deployed as part of a broader compliance program with additional safeguards, controls, and processes that prevent unauthorized foreign access to ITAR technical data.

To learn more about how Virtru enables ITAR compliance, please get in touch with one of our data security experts today.