One of the manufacturers using Paperless Parts recently approached us for advice on how to ensure their shop is ITAR compliant. What follows are our pointers on what manufacturers can do to ensure the proper policies and programs are in place.
Note: this should not be taken as legal advice; rather, these are best practices we have seen or used to support ITAR compliance.
ITAR Compliance Programs
For companies not intending to export, the DDTC recommends a number of organizational steps to achieve ITAR compliance:
- Documented ITAR and IT security policies that emphasize your corporate commitment to ITAR compliance.
- Regular staff training on U.S. export control laws and regulations.
- Identification of ITAR items and data (i.e., “tagging”). This includes documenting the methodology used to tag ITAR data.
For details on what the government expects as part of a compliance program, read these Compliance Program Guidelines.
ITAR Compliance Considerations for Web-Based Tools
Unfortunately, most web-based tools like email, Dropbox, and Google Drive are not ITAR compliant. While they are convenient and accessible, these vendors tend to have administrators, support personnel, and data center staff who will have access to customer data but are not necessarily US Persons. Companies looking to be ITAR compliant cannot use these solutions.
We have taken precautions to ensure ITAR compliance with the Paperless Parts Platform. This means we:
- Ensure all of our employees with administrator-level access are US Persons and have a valid need for that level of access;
- Run our software on Amazon GovCloud, where only US Persons have physical access to the servers and networks containing customer data.
Learn more about ITAR Compliance and Data Security.
IT Security in your Shop
Securely receiving files from your customer is just the first step. To manufacture ITAR items, you will need to work with unencrypted technical data on your shop computers and network. Your shop’s IT security policies and best practices must restrict access to US Persons with need-to-know. These policies should protect against attackers attempting to gain access to data.
As a reference, UC Berkeley has a good list of IT security best practices you can find here.
I’ll summarize and add some commentary here:
Keep software up-to-date: For PCs, this means you are running Windows 10 with automatic updates. You should use an up-to-date version of Google Chrome, Firefox or Microsoft Edge to access your software platforms like Paperless Parts. Do not install unnecessary browser extensions.
Avoid phishing scams: Train your staff to be on guard for social engineering. Your team must understand that attackers might claim to be your customer and might try to collect data by asking for files via email or gleaning other sensitive information.
Password management: Use long, complex passwords on your PC, Paperless accounts, email, and any other service you use. These passwords should be updated periodically to avoid any risks associated with hacked accounts. Ensure that you also use different passwords for your different accounts to avoid a single point of failure in the event an account gets hacked.
Be careful what you click: Visiting sketchy websites invites malware, which puts your data at risk. Some companies even lock or restrict web access on company computers. They only allow non-work-related web browsing to happen on separate devices on a guest WiFi network. While extreme, this separation of internet usage decreases the risk of compromising sensitive data.
Never leave devices unattended: Put password protected screen savers on all of your PCs. Could someone walk in your front (or side) door, get to a PC with ITAR data, and start clicking without entering a password?
Protect sensitive data: Bottom line — only give access to ITAR data to the people who need it. When using software platforms like Paperless, use permissions to restrict access further. If you have a file server for customer data, it should be password protected, and only people who need that data should have access.
Install anti-virus: Windows Defender is a good start. Consider purchasing an endpoint security product to protect against malware.
Back up your data: Losing your shop’s data is very painful. Mitigate the risk by ensuring that your hard drives and other data stores are backed up on a regular basis.
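As an added example (not part of the original post, and not Paperless Parts software), the following PowerShell script audits a Windows 10 shop PC against four of the items above: a password-protected screen lock, software kept up to date, Microsoft Defender running, and the customer-data folder not being open to broad groups like Everyone or Authenticated Users. The data folder path, the patch-age threshold, the idle-timeout threshold and the signature-age threshold are assumptions; change them to match your shop. Run it in an elevated PowerShell session under the account that operators actually log in with, because the screen-lock settings are per user.

```powershell
# Added example: audit a Windows 10 shop PC against the IT security checklist.
# Run elevated, as the operator account. Paths and thresholds below are
# assumptions, not Paperless Parts guidance; adjust them for your shop.

$ItarDataPath      = 'D:\CustomerData'   # assumed folder holding customer/ITAR data
$MaxPatchAgeDays   = 30                  # assumed: a hotfix within 30 days counts as current
$MaxLockTimeoutSec = 900                 # assumed: lock after at most 15 minutes idle
$MaxSigAgeDays     = 7                   # assumed: Defender signatures no older than a week

function Test-ScreenLock {
    # Per-user screen saver settings: enabled, password required on resume,
    # and idle timeout within the threshold.
    $d = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    [pscustomobject]@{
        Check  = 'Password-protected screen lock'
        Pass   = ($d.ScreenSaveActive -eq '1') -and
                 ($d.ScreenSaverIsSecure -eq '1') -and
                 ([int]$d.ScreenSaveTimeOut -le $MaxLockTimeoutSec)
        Detail = "Active=$($d.ScreenSaveActive) Secure=$($d.ScreenSaverIsSecure) Timeout=$($d.ScreenSaveTimeOut)s"
    }
}

function Test-Patching {
    # OS is Windows 10, the Windows Update service is not disabled, and the
    # most recent hotfix is younger than the threshold.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age     = if ($lastFix.InstalledOn) { (Get-Date) - [datetime]$lastFix.InstalledOn } else { $null }
    $wu      = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Software up-to-date'
        Pass   = ($os.Caption -like '*Windows 10*') -and
                 ($wu -and $wu.StartType -ne 'Disabled') -and
                 ($age -and $age.TotalDays -le $MaxPatchAgeDays)
        Detail = "$($os.Caption); last hotfix $($lastFix.HotFixID) on $($lastFix.InstalledOn); WU service $($wu.StartType)"
    }
}

function Test-Defender {
    # Microsoft Defender on, real-time protection on, signatures fresh.
    $mp     = Get-MpComputerStatus
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Check  = 'Anti-virus'
        Pass   = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                 ($sigAge.TotalDays -le $MaxSigAgeDays)
        Detail = "Enabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SigAgeDays=$([int]$sigAge.TotalDays)"
    }
}

function Test-DataFolderAcl {
    # Flags Allow entries on the ITAR data folder granted to broad groups.
    # Access should be limited to named users or a dedicated need-to-know group.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Check = 'ITAR folder ACL'; Pass = $false; Detail = "$Path not found" }
    }
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $bad = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
    $detail = if ($bad) {
        'Broad grants: ' + (($bad | ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" }) -join '; ')
    } else {
        'Only specific principals have access'
    }
    [pscustomobject]@{ Check = 'ITAR folder ACL'; Pass = ($bad.Count -eq 0); Detail = $detail }
}

# Collect results as objects so they can be kept as evidence (e.g. Export-Csv).
$results = @(
    Test-ScreenLock
    Test-Patching
    Test-Defender
    Test-DataFolderAcl -Path $ItarDataPath
)
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring job notice a failed check.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Each check returns an object with a Pass flag and a Detail string, so the same script can feed a spreadsheet or ticket rather than just the console; a failed ACL check is the one to look at first, because a folder readable by Everyone undoes the need-to-know restriction regardless of how good the passwords are.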
These are just some of the ways that you can make sure your shop is prepared for ITAR compliance.
Does your shop do anything else to ensure ITAR compliance and IT security? We’d love to hear it.
– Scott Sawyer
Scott Sawyer is Co-Founder & Chief Technology Officer at Paperless Parts. He is focused on platform security and developing algorithms to quote parts more quickly and accurately, while scaling both the team and architecture. He worked on defense “big data” technology at MIT Lincoln Lab and Lockheed Martin, prior to leading the engineering team at a Boston IoT startup. Scott holds a BSEE (Villanova) and MSEE (UPenn).