Last Updated on January 12, 2024
If your business is part of the US defense industrial base (DIB), you’re probably already concerned about how much Controlled Unclassified Information (CUI) you have, where it’s stored and how it’s secured. But you may not be as familiar with International Traffic in Arms Regulations (ITAR) and how that relates to CUI and your overall compliance requirements.
To find out more about ITAR and other nuances lurking in the language of DoD contracts, Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Association (NDIA), joined host John Verry, Pivot Point Security CISO and Managing Partner, for a recent episode of the Virtual CISO Podcast.
John warns: “The danger with ITAR is you can conform with CMMC, and you may migrate to a different email solution, as an example, that conforms with CMMC requirements, spend a lot of time and money doing that—but it doesn’t conform to the ITAR requirement because of the data center access and who’s involved with it. So it’s really critical.”
“As an example, I think the most recent guidance from Microsoft is you’d have to go to GCC High if you’ve got ITAR data,” continues John.
Failing to achieve holistic compliance with DoD mandates could leave your firm in compliance with CMMC and/or NIST 800-171, but not with the ITAR guidelines. Where would that leave you if you’re in the midst of your CMMC assessment?
John asks Corbin: “Do we know yet where their boundaries are? Do you think that’s something they’ll end up pointing out in an audit? I would think they should, because the reality is that we failed to live up to the contractual obligation.”
“So you’re exactly right that that should be something that would be a great part of that conversation,” replies Corbin. “But it’s an unknown, currently, as to whether those third-party assessment organizations are going to send the auditors out into your system, and they’re going to have a robust knowledge of all the contractual requirements.”
“I haven’t sat through the training, so I can’t tell you exactly what the CMMC-AB is educating these prospective auditors on, and whether ITAR and other protections required in contracts are part of that education process. But I certainly think that it’d be advantageous for them to, at minimum, point it out. Whether that means they receive some sort of deduction on their overall score or not, I think that’s probably a larger conversation. But I think to a certain extent these auditors, and really the community more broadly, can be sharing best practices from contractor to contractor.
“I know there are a lot of different forums (NDIA has a couple and is involved in a couple as well) where contractors have the ability to share, what email system are you using? What multifactor authentication solution have you implemented? Is it both CMMC and NIST 800-171 compliant? Is it ITAR compliant? That really comes down to a conversation among the contractor community.
“Whether the DIBCAC auditors, the DCMA folks who are going to come out and potentially audit your system to the DFARS 7012 requirements, are commenting on your ITAR compliance or not, is also an unknown. But again, an important piece to keep in mind when you’re having conversations or asking questions with these folks about best practices,” reiterates Corbin.
John drills deeper into the DIB’s ITAR concerns: “In regards to the updated ITAR earlier this year, some people differ on whether we need end-to-end encryption, and whether or not storage outside of the US is possible. Have you guys released any guidance on that?”
“We haven’t released any guidance, so I will proceed with a bit of caution here,” acknowledges Corbin. “In my reading of the updated regulations, which I believe were in March of 2020… they allow, as I understand it, a little bit more flexibility related to data storage; and created an option, essentially, where you could have US persons access data outside of the US. So an exception to that domestic requirement, if the data was encrypted via end-to-end encryption.”
“It’s a pretty narrow exception, and I would encourage folks who are seeking to take advantage of that exception to read that regulation very closely to ensure they are in compliance,” Corbin emphasizes. “Above all else, as we’ve mentioned, does that data remain secure?”
Reading your contracts in depth and getting questions answered to make sure you see your compliance picture before you start expending time and money is really the bottom line here.
If you have responsibilities for cyber compliance on DoD contracts, this podcast episode with Corbin Evans is perfect for your information needs. And don’t neglect to check out all the other DIB-oriented episodes of The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our podcasts here.