January 21, 2021

Last Updated on January 12, 2024

If your business is part of the US defense industrial base (DIB), you're probably already concerned about how much Controlled Unclassified Information (CUI) you have, where it's stored and how it's secured. But you may not be as familiar with International Traffic in Arms Regulations (ITAR) and how it relates to CUI and your overall compliance requirements.

To find out more about ITAR and other nuances lurking in the language of DoD contracts, Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Association (NDIA), joined host John Verry, Pivot Point Security CISO and Managing Partner, for a recent episode of the Virtual CISO Podcast.

John warns: "The danger with ITAR is you can conform with CMMC, and you may migrate to a different email solution, as an example, that conforms with CMMC requirements, spend a lot of time and money doing that—but it doesn't conform to the ITAR requirement because of the data center access and who's involved with it. So it's really critical."

"As an example, I think the most recent guidance from Microsoft is you'd have to go to GCC High if you've got ITAR data," continues John.

Failing to achieve holistic compliance with DoD mandates could leave your firm compliant with CMMC and/or NIST 800-171, but not with ITAR. Where would that leave you if you're in the midst of your CMMC assessment?


John asks Corbin: "Do we know yet where their boundaries are? Do you think that's something they'll end up pointing out in an audit? I would think they should, because the reality is that we failed to live up to the contractual obligation."

"So you're exactly right that that should be something that would be a great part of that conversation," replies Corbin. "But it's an unknown, currently, as to whether those third-party assessment organizations are going to send the auditors out into your system, and they're going to have a robust knowledge of all the contractual requirements."

"I haven't sat through the training, so I can't tell you exactly what the CMMC-AB is educating these prospective auditors on, and whether ITAR and other protections required in contracts are part of that education process. But I certainly think that it'd be advantageous for them to, at minimum, point it out. Whether that means they receive some sort of deduction on their overall score or not, I think that's probably a larger conversation. But I think to a certain extent these auditors, and really the community more broadly, can be sharing best practices from contractor to contractor.

"I know there are a lot of different forums (NDIA has a couple and is involved in a couple as well) where contractors have the ability to share: what email system are you using? What multifactor authentication solution have you implemented? Is it both CMMC and NIST 800-171 compliant? Is it ITAR compliant? That really comes down to a conversation among the contractor community.

"Whether the DIBCAC auditors, the DCMA folks who are going to come out and potentially audit your system to the DFARS 7012 requirements, are commenting on your ITAR compliance or not, is also an unknown. But again, an important piece to keep in mind when you're having conversations or asking questions with these folks about best practices," reiterates Corbin.


John drills deeper into the DIB's ITAR concerns: "In regards to the updated ITAR earlier this year, some people differ on whether we need end-to-end encryption, and whether or not storage outside of the US is possible. Have you guys released any guidance on that?"

"We haven't released any guidance, so I will proceed with a bit of caution here," acknowledges Corbin. "In my reading of the updated regulations, which I believe were in March of 2020… they allow, as I understand it, a little bit more flexibility related to data storage; and created an option, essentially, where you could have US persons access data outside of the US. So an exception to that domestic requirement, if the data was encrypted via end-to-end encryption."

"It's a pretty narrow exception, and I would encourage folks who are seeking to take advantage of that exception to read that regulation very closely to ensure they are in compliance," Corbin emphasizes. "Above all else, as we've mentioned, does that data remain secure?"

The bottom line: read your contracts in depth and get your questions answered, so that you see your full compliance picture before you start spending time and money.

If you have responsibilities for cyber compliance on DoD contracts, this podcast episode with Corbin Evans is perfect for your information needs. And don't neglect to check out all the other DIB-oriented episodes of The Virtual CISO Podcast here.

If you don't use Apple Podcasts, you can access all our podcasts here.
