ITAR Compliance – Strategies to Identify and Protect Technical Data

The aerospace and defense industry continues to increase its global reach at a rapid rate. Aerospace agencies handle data that needs to be protected from competitors and foreign military and government organizations. Competitive sensitivities, disparate customer requirements and government regulations concerning the sharing of sensitive information are critical considerations in the aerospace and defense marketplace.

In an effort to protect national security and trade secrets, the U.S. government created the International Traffic in Arms Regulations (ITAR), governing the export and import of defense related material and technologies. U.S. companies can face multi-million dollar fines if they provide non-U.S. people with access to ITAR-protected products or information.

Managing and controlling ITAR-protected information is a critical step for organizations wishing to address ITAR compliance requirements. Fortra has created a family of solutions that facilitates secure information sharing in today’s global aerospace environment while helping organizations meet their compliance obligations.

Fortra ITAR compliance solutions enable organizations to manage and control sensitive information by labeling information and restricting access as part of an ITAR compliance program. Fortra solutions are used worldwide in aerospace and defense organizations, including UTC, Pratt and Whitney, Xilinx, Dow Corning, DRS, BAE Systems, Lockheed Martin, and Northrop Grumman.

This whitepaper focuses on strategies to meet ITAR requirements and best practices surrounding implementation of an ITAR compliance program. Information about Fortra portfolio of solutions and how they can be deployed as part of an ITAR compliance program is also provided.

ITAR legislation is a set of regulations that authorizes the government to control the export and import of defense related articles and services. ITAR affects those involved in the manufacturing, distribution and regulation of aircraft, amphibious vehicles, cartridge and shell casings, chemical agents, firearms, naval equipment, missile control, and other  military related equipment.

The U.S. Directorate of Defense Trade Controls (DDTC) strongly encourages organizations to create ITAR compliance programs for record keeping, including the identification, receipt and tracking of ITAR controlled items and technical data. Organizations that fail to control ITAR-related information are subject to fines and imprisonment. Fortra ITAR solutions are built on the Microsoft Office and Microsoft SharePoint platforms. Because end-users are already generally familiar with the Microsoft environments, the ITAR solutions are easy to deploy and have a high level of acceptance among users.

For companies using SharePoint as a document management platform, Fortra Data Classification offers a metadata-based security solution to protect ITAR information. Information labeled in SharePoint as ITAR restricted will be secured for specific ITAR-cleared audiences.

Fortra also offers desktop-based classification solutions for ITAR that allow organizations to identify, label and mark email and documents as part of an ITAR compliance program. ITAR-related information such as product plans, product specifications, financial information, manufacturing plans, instructions and product documentation can be protected with email and document classification labels.

Many organizations working on sensitive ITAR projects want to promote collaboration and information sharing among the
project staff, but also need to ensure that other employees who are not working on the project, or who hold citizenship in
certain proscribed countries, do not gain access to the ITAR information.

Microsoft SharePoint is a popular platform for collaboration and document management. It can be used to share project related documents and information. Because of SharePoint’s history of being used in decentralized environments, SharePoint’s native security is generally not regarded as robust enough to handle ITAR-restricted information.

Fortra Metadata Security for SharePoint solution adds an additional layer of security to the SharePoint platform which allows organizations to easily protect sensitive ITAR information. The administrator can easily create ITAR based security policy that will result in strong security for all project-related information.

For example, an organization may have a document library that contains a mix of documents, some of which are ITAR Restricted. The Fortra administrator can define a security rule that will restrict access to all information labeled in SharePoint as “ITAR RESTRICTED” to a specific group of cleared employees working on that project. A user with ITAR clearance would see all documents in the folder, while a user without ITAR clearance would see only a sub-set of documents, as shown below.

In this way organizations can be confident that they are meeting the ITAR compliance requirements for export controlled information.

Organizations can also protect sensitive ITAR information by using Fortra Data Classification solutions for ITAR. These solutions allow organizations to:

Fortra desktop solutions have several security features that can help organizations to apply and enforce security policy in an ITAR-controlled environment. Key features include:

• Safe Recipient Lists 
  Safe recipient checking ensures that only authorized or intended recipients receive ITAR related email, even in cases where different people with different privileges have the same name. Fortra data classification checks both internal and external recipients, and can prevent common export violations such as inadvertently sending ITAR information to an unauthorized user hidden in a distribution list.
• Automatic Content Scanning 
  Data classification solutions can scan content and warn users if an email or document appear to contain ITAR-restricted information. Fortra can also prevent users from discussing potential ITAR violations through email, and instead, direct them to report the potential violation through proper channels.
• Automatic Email and Document Protection 
  Data classification  solutions can automatically apply encryption or Microsoft AD Rights Management Services (RMS) based on the email or document label. This feature is transparent to the user; they simply select a label from the dropdown list, and the protection is applied automatically, with no encryption or RMS training required.
• Customized Email and Document Disclaimers 
  solutions can automatically insert a customized disclaimer based on a selected export control label. For example, if a user selects an ITAR Restricted label, Fortra can automatically add a disclaimer such as: “This technical data is regulated under ITAR. Export from the US or disclosure to foreign nationals in the U.S. without an export license authority is a violation of law.” By clearly identifying that the information is export controlled, the organization puts accountability and responsibility on the recipient.
• Auditing and Retention
  Through the use of audit files, Fortra solutions can help to identify users who are willfully breaking ITAR rules for email and documents, and prove that the organization took steps to prevent it. Fortra can also help with archiving and e-Discovery by automatically sending a copy of all ITAR-related email to an ITAR retention mailbox.

Fortra ITAR compliance solutions provide many key features and capabilities that an organization needs for a successful ITAR compliance program. Fortra products can be used as standalone solutions or together as a powerful integrated solution. This section highlights just some of the features included in the Fortra family of ITAR compliance solutions.

Fortra Security Suite for SharePoint

The Fortra Security Suite for SharePoint enhances SharePoint security and ensures that security policies are applied consistently and automatically across all your sensitive content in SharePoint. These solutions ensure the right people access the right information, and promote end user awareness and accountability for sensitive information.

With the Security Suite for SharePoint, organizations can:

• Implement consistent and strong Data Governance
• Enforce dynamic, fine-grained security
• Automate security using identity and metadata
• Comply with regulations such as ITAR

The suite is made up two products: Fortra Metadata Security automatically applies permissions and access control for sensitive content in SharePoint based on metadata properties combined with trusted user claims. Fortra Document Policy Manager automatically converts documents to PDF and applies visual labels to raise awareness of sensitive content, providing users with education on how to handle sensitive data.

Fortra Data Classification Solutions

Fortra Data Classification offers a complete family of information classification and marking solutions for email and documents. With a wide range of customizable functionality, the Fortra Classification solutions enable your organization to:

• Empower users to identify and protect export-controlled information
• Reduce risk and raise user awareness by applying consistent ITAR markings (including disclaimers) to documents and email
• Enforce export control policies to ensure the right people access the right information
• Prevent common export control violations such as accidentally sending email to unauthorized recipients in a distribution list

Fortra Classification solutions include:

• Message Classification™ for the classification, marking and protection of email in Microsoft Outlook®, Outlook
  Web App®, Lotus Notes®, and mobile devices
• Classification™ for Microsoft Office™ for the classification, marking and protection of Microsoft Office Word®,
  PowerPoint®, and Excel® documents
• Classification for Desktop™ for the classification and protection of any file type in a Windows® environment,
  including PDF, CAD, and multimedia files

Ease of Use

Fortra ITAR compliance solutions integrate seamlessly into current Microsoft Office and Microsoft SharePoint environments and are very easy to use. There are no new applications for users to learn.

Users familiar with SharePoint will interact in the same way as they interact with other SharePoint applications. The additional ITAR security is transparent to users.

Fortra ITAR solutions are also integrated into Microsoft Office, Outlook and Windows Explorer. The user simply selects the
appropriate ITAR label for the document or email from the list of available labels.

As a result of their design, training requirements for Fortra ITAR solutions are minimal, and can be deployed within organizations very quickly.

ITAR regulations have introduced considerable challenges to the aerospace and defense industry. Fortra classification offers cost effective interoperable solutions that ensure the security of sensitive ITAR information. By providing a wide selection of ITAR solutions, Fortra enables organizations to deploy the solution that most closely fits their requirements and their current infrastructure.

Fortra Data Classification solutions are applicable for all aerospace, defense agencies, contractors and suppliers dealing with ITAR protected information.

The solutions are low cost, easy to deploy, and enable efficient sharing of sensitive information. To find out how Fortra can help your organization comply with ITAR and other export control regulations, schedule a demo with one of our experts.