January 21, 2021

Last Updated on January 12, 2024

If your business is part of the US defense industrial base (DIB), you’re probably already concerned about how much Controlled Unclassified Information (CUI) you have, where it’s stored and how it’s secured. But you may not be as familiar with International Traffic in Arms Regulations (ITAR) and how that relates to CUI and your overall compliance requirements. 

To find out more about ITAR and other nuances lurking in the language of DoD contracts, Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Association (NDIA), joined host John Verry, Pivot Point Security CISO and Managing Partner, for a recent episode of the Virtual CISO Podcast. 

John warns: “The danger with ITAR is you can conform with CMMC, and you may migrate to a different email solution, as an example, that conforms with CMMC requirements, spend a lot of time and money doing that—but it doesn’t conform to the ITAR requirement because of the data center access and who’s involved with it. So it’s really critical.” 

“As an example, I think the most recent guidance from Microsoft is you’d have to go to GCC High if you’ve got ITAR data,” continues John.  

Failing to achieve holistic compliance with DoD mandates could leave your firm in compliance with CMMC and/or NIST 800-171, but not with the ITAR guidelines. Where would that leave you if you’re in the midst of your CMMC assessment? 


John asks Corbin: “Do we know yet where their boundaries are? Do you think that’s something they’ll end up pointing out in an audit? I would think they should, because the reality is that we failed to live up to the contractual obligation.”

“So you’re exactly right that that should be something that would be a great part of that conversation,” replies Corbin. “But it’s an unknown, currently, as to whether those third-party assessment organizations are going to send the auditors out into your system, and they’re going to have a robust knowledge of all the contractual requirements.”

“I haven’t sat through the training, so I can’t tell you exactly what the CMMC-AB is educating these prospective auditors on, and whether ITAR and other protections required in contracts are part of that education process. But I certainly think that it’d be advantageous for them to, at minimum, point it out. Whether that means they receive some sort of deduction on their overall score or not, I think that’s probably a larger conversation. But I think to a certain extent these auditors, and really the community more broadly, can be sharing best practices from contractor to contractor. 

“I know there are a lot of different forums (NDIA has a couple and is involved in a couple as well) where contractors have the ability to share, what email system are you using? What multifactor authentication solution have you implemented? Is it both CMMC and NIST 800-171 compliant? Is it ITAR compliant? That really comes down to a conversation among the contractor community.  

“Whether the DIBCAC auditors, the DCMA folks who are going to come out and potentially audit your system to the DFARS 7012 requirements, are commenting on your ITAR compliance or not, is also an unknown. But again, an important piece to keep in mind when you’re having conversations or asking questions with these folks about best practices,” reiterates Corbin.


John drills deeper into the DIB’s ITAR concerns: “In regards to the updated ITAR earlier this year, some people differ on whether we need end-to-end encryption, and whether or not storage outside of the US is possible. Have you guys released any guidance on that?”

“We haven’t released any guidance, so I will proceed with a bit of caution here,” acknowledges Corbin. “In my reading of the updated regulations, which I believe were in March of 2020… they allow, as I understand it, a little bit more flexibility related to data storage; and created an option, essentially, where you could have US persons access data outside of the US. So an exception to that domestic requirement, if the data was encrypted via end-to-end encryption.”

“It’s a pretty narrow exception, and I would encourage folks who are seeking to take advantage of that exception to read that regulation very closely to ensure they are in compliance,” Corbin emphasizes. “Above all else, as we’ve mentioned, does that data remain secure?”

Reading your contracts in depth and getting questions answered to make sure you see your compliance picture before you start expending time and money is really the bottom line here. 

If you have responsibilities for cyber compliance on DoD contracts, this podcast episode with Corbin Evans is perfect for your information needs. And don’t neglect to check out all the other DIB-oriented episodes of The Virtual CISO Podcast here. 

If you don’t use Apple Podcasts, you can access all our podcasts here.