
Academic year: 2021

ITAR Rules Undergo 21st Century Facelift

Regulations and practices governing the storage and processing of International Traffic in Arms Regulations (ITAR) technical data are evolving. For example, in 2014, the U.S. State Department, the administrating agency for ITAR, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring ITAR in alignment with advancements in cloud computing over the last 15 years, for the first time allowed ITAR technical data to be shared and stored using cloud computing applications. This flexibility is conditioned on specific encryption guidelines designed to avoid the accidental or unintended export of specified data. Other handling and recipient protocols must also be satisfied.

For many years, aerospace and defense industry organizations have been unable to collaborate in ITAR-controlled developments via common cloud computing practices that are widely recognized at the enterprise level as best-in-class to foster high productivity and performance. Thus, the implementation of public cloud tools for document storage, management and collaboration has not been available for ITAR technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in 2010 he called the U.S. export control system "a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government."

Stringent Guidelines

ITAR dictates control over the export and import of defense-related articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation.

Under ITAR, unless an exemption exists, such information must be stored in a U.S.-located environment physically and logistically accessible only to U.S. citizens or permanent residents (U.S. persons).

For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrades must be supported exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons.

Additional security features not mandated specifically by ITAR but certainly part of a comprehensive approach are full encryption, tamper-proof audit trails, two-factor authentication, and operator as well as provider shielding.

ITAR-compliant solutions are not available to the general public. Those wishing to utilize ITAR-compliant solutions must guarantee that users are limited to U.S. persons and, ideally, such organizations would maintain a valid Directorate of Defense Trade Controls (DDTC; see https://www.pmddtc.state.gov/) exporter registration with full, unsanctioned U.S. export privileges, among other requirements.


Encryption and Tokenization

Complex requirements and lagging use of technology solutions have led many to move quicker than the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization to meet ITAR's high standards. While the provider apparently sought to market its token-based encryption technology as solving certain ITAR deemed export restrictions, according to a June 9, 2014 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating, "Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of meeting ITAR standards]."

Risky Business: The Cost of Non-Compliance

What is the importance of all this? Since 2010, there have been nine cases where aerospace and defense contractors have been sanctioned for failing to comply with ITAR. In 2014, there were two fines issued, totaling approximately $30 million. In 2013, there were three fines issued for ITAR violations, for a total of $41 million.

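| Year | Number of Fines Issued | Total Amount of Assessed and Contingent Fines |
|------|------------------------|-----------------------------------------------|
| 2014 | 2                      | $30 million                                   |
| 2013 | 3                      | $41 million                                   |
| 2012 | 3                      | $55 million                                   |
| 2011 | 1                      | $79 million                                   |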

Moreover, the possibility of fines is not the totality of sanctions. Those possibilities extend to additional civil and administrative remedies, including debarment as an exporter or even a government contractor. Consequences could extend into criminal sanctions for egregious non-compliance.

Many organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR technical data are, therefore, faced with a choice. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents. Newer offerings are entering the market and have sophisticated functionality that achieves important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, if it has been copied to an unsecure platform or if it has been exported.

The second choice is a conscious effort to attempt to avoid ITAR rules through the deployment of existing enterprise tools that are at substantial risk of not meeting security guidelines. Not only do these tools fail to take safeguards to prevent non-U.S. persons from viewing information, potentially causing the unintended or accidental export of ITAR-defined technical data, they also lack definitive measures to prevent information from being copied or shared outside of the solution. This is especially problematic as there is no way to track who has accessed or viewed information.

Priceless Peace of Mind

Although the monetary penalties for ITAR violations are stiff -- oftentimes, up to tens of millions of dollars in fines levied upon a company -- additional outcomes can be even more damaging.

However, with the U.S. government opening the door for organizations that handle ITAR-related technical data to now leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks. These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available for relatively affordable costs, particularly when compared to the consequences of ITAR violations.

In order to attain priceless peace of mind when handling ITAR technical data, companies must ensure that collaboration solutions being considered for deployment are covered by end-to-end ITAR compliance. These solutions must assure that unintended exports of ITAR technical data are impossible. They must be implemented and supported exclusively by U.S. persons at U.S. companies. They must include tamper-proof audit trails to demonstrate continual ITAR compliance based on a document's specific history. They must be, or match, the ITAR-compliant Brainloop solution.

To learn more about the rules and regulations pertaining to the storage and collaboration of ITAR-related documents in ITAR-compliant public cloud solutions, visit www.brainloopITAR.com.

About Brainloop Inc.:

Operating since 2007, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of highly intuitive SaaS (Software-as-a-Service) solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. Our enterprise customers, comprising numerous industries, count on our software's regulatory and corporate compliance, collaboration and process capabilities as well as its complete portfolio of security features.

Brainloop's secure solutions look at the entire information protection issue in a holistic and integrated way to better protect the way businesses operate today. We go beyond common security measures to provide full 256-bit encryption, audit trail, two-factor authentication and provider and administrator shielding, all through an easy-to-use interface.

www.brainloop.com info@brainloop.com

About the Author

William L. O'Brien is the chief operating officer of Brainloop and former speaker of the New Hampshire House of Representatives. He obtained his J.D. from Suffolk University Law School and later received a Master's in Intellectual Property Law from the University of New Hampshire School of Law. He has held various executive positions in technology companies over the last 20 years, including in both general counsel and operational roles.


Need to share confidential or export controlled documents outside your company? Do it simply and securely with Brainloop

The demand to exchange and collaborate on confidential documents internally and externally is growing. So is the risk of losing sensitive information by collaborating using non-secure cloud services, sending email attachments or using personal mobile devices.

Brainloop's enterprise approach to information security enables easy collaboration and information sharing with the highest level of security inside and outside the corporate environment.

• Easy to set up and manage via the web
• Secure collaboration, file sharing and emailing
• Reduced risk of exposure, loss or data compromise
• Dedicated server in certified, high-security datacenter within the U.S. operated by U.S. personnel only
• ITAR compliant
