ITAR Compliance with End-to-End Encryption
Last March, the U.S. State Department approved an ITAR carve-out for encrypted technical data. This carve-out means that defense companies can now share unclassified technical data outside the United States with authorized persons. This exchange can take place without an export licence, provided that the data is properly secured by means of end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.
According to the Federal Register:
The relatively secure electronic transmission or storage [P] (end-to-end encryption) of unclassified technical information via a foreign communication infrastructure does not constitute an export, re-export, transfer or temporary entry.
Definition: ITAR technical data
All information, including drawings, documentation, diagrams, flow charts, etc., required to design, develop, manufacture, operate, maintain or modify items on the USML. This may include specifications for satellite equipment, a bill of materials for the production of an unmanned aerial vehicle, or drawings and photographs of objects supporting the production and assembly of a ground vehicle.
This move by the State Department is important because it modernises the approach that companies can use to exchange ITAR data abroad. With this new capability in their arsenal, DIB companies are now able to exchange data that they previously could not.
End-to-end encryption for ITAR
Previously, ITAR technical data had to be hosted exclusively in data centers in the United States, where only U.S. employees could work. The new carve-out frees technical data from many of the restrictions these rules introduced.
The rule stipulates that end-to-end encrypted technical data can be accessed both in the United States and by authorized persons outside the United States. The conditions for this exchange are as follows:
- The data is not classified.
- The data is protected by end-to-end encryption and algorithms that comply with FIPS 140-2.
- A cloud service provider does not have access to the decryption keys.
- The data is not intentionally sent to or stored in a restricted country.
- The data is not intentionally sent from a restricted country.
This new guidance allows DIB companies to take advantage of the benefits of the cloud in a way that was not possible in the past. This is made possible by end-to-end encryption and appropriate key management. Under these provisions, DIB companies may now send data to the United States or to an authorized person abroad, or even store data outside the United States, as long as it is not stored in a restricted country.
Example: Sending ITAR technical data abroad
A U.S. defense company permanently sends encrypted ITAR technical data to a U.S. company operating out of its office in Germany. State Department approval is not required for the export of the data unless it is re-exported to a restricted country or to the Russian Federation.
How PreVeil meets ITAR standards
With PreVeil end-to-end encryption and device-based keys, the platform easily meets the new ITAR standards. PreVeil’s Gov community offering also stores ITAR data in AWS GovCloud data centers so that other storage needs can be easily met.
The PreVeil platform uses end-to-end encryption to protect user data. End-to-end encryption ensures that data is encrypted on the sending device and never decrypted except on the receiving device. This ensures that only the sender and receiver can read the information, and no one else. The data is never decrypted on the server, so even if attackers manage to breach the server, they only get gibberish.
In addition, no cloud service provider (including PreVeil) has access to the keys, network access codes or passwords to decipher data in PreVeil. Private keys are only stored on user devices. The public keys stored on the server are encrypted so that the attacker can never access them.
Defense contractors who rely on PreVeil can securely and reliably exchange ITAR data with organizations in the U.S. and outside the U.S., and store ITAR data on servers abroad.
*** This is a Security Bloggers Network syndicated blog from Blog – PreVeil, written by Orlee Berlove. The original post can be found at: https://www.preveil.com/blog/itar-compliance-with-end-to-end-encryption/