The International Traffic in Arms Regulations, popularly known as ITAR, are a set of regulations governing the export and import of defense goods and services. As simple as that definition may sound, ITAR is among the hardest government regulations to understand and even harder to comply with. Because national interest is at stake, most manufacturers, exporters, defense contractors, and brokers of defense articles struggle to comprehend what constitutes ITAR data in their respective organizations and what exactly comes under the scanner. Violations can be very expensive: organizations face fines, debarment, and imprisonment, and of course the loss of brand value and reputation.
We’ve had numerous conversations with companies that need to comply with ITAR, and the first question they usually start with is, “How do we find what ITAR data is in our environment?”
This one is a heavy-hitter! Finding ITAR-specific data when the content base is large, vaguely defined, and widely spread out is no small task. It takes a combination of human skill and technology to win this battle!
To start off, we need to define what constitutes a good ITAR Compliance program. This can be broken down into an easy, 5-step process.
- Classification – Tag data at its creation as sensitive and high-risk
- Identification – Catch this information as it relates to your organization
- Methodology – Use technology to help you scan for this data
- Analysis – Determine the access rights and permissions on this data
- Remediation – Take action on this data by locking down access rights or moving it to a secure location
No program can be foolproof, but a good process will take you that much closer to a breach-free and compliant environment. To put it simply, it’s all about that first step.