As an important US export control law, the International Traffic in Arms Regulations (ITAR) affects the manufacture, sale and distribution of technology in the defense sector. The goal of the legislation is to control access to specific types of technology and their associated data. Overall, the US Government is attempting to prevent the disclosure or transfer of sensitive information to unauthorized foreign nationals.
ITAR can pose challenges for global corporations, since data related to specific technologies may need to be transferred over the internet or stored locally outside of the United States in order to make business processes flow smoothly. The responsibility lies with the manufacturer or exporter to take the necessary precautions and steps to certify that they are, in fact, meeting ITAR compliance requirements.
Failure to comply can result in heavy fines and in spending on remediation and compliance measures, and may also require the party to submit to external audit. As a result, effective management of sensitive ITAR information becomes key in order to remain competitive and a trusted supplier.
Supporting ITAR compliance with Clearswift
Data security will have different requirements for a commercial company, but there is a myriad of best practices that defense organizations must follow in order to appropriately secure ITAR data:
- Define and maintain an information security policy
- Build and maintain a secure network by installing and maintaining network defenses to protect sensitive data
- Protect sensitive data with encryption
- Regularly monitor networks
- Implement strong access control measures
- Track and monitor access to network resources and sensitive data.
While this list is not exhaustive, it does highlight the need for an advanced solution that can 1) detect ITAR information, and 2) ensure it is adequately protected as it flows between teams within the organization, and across the external boundary.
Clearswift provides a holistic cyber security platform that enables sensitive ITAR information to be identified and tracked as it flows through email. The platform, including a set of optionally deployed components, integrates seamlessly with existing information security systems to enable improved ways of working, enhanced sensitive information security and visibility of information flow.
With email still being the primary business collaboration tool, defense organizations need to ensure that the ITAR content and information they send and receive is permitted to enter or leave the organization.
ITAR protection with the Clearswift Secure Email Gateway
The Clearswift Secure Email Gateway (SEG) helps to secure against ITAR data breaches, protecting the organization and ensuring compliance with the current regulation. The SEG will:
- Scan emails for sensitive ITAR content – both inbound and outbound (as a compliance breach relates to both scenarios)
- Offer granular organizational policy to provide the necessary flexibility to permit multiple behaviours, depending on the senders and recipients of the message
- Provide logical segmentation of communication of sensitive information inside the organization, without the need for segregated email solutions (using the Clearswift Secure Exchange Gateway option)
- With the Adaptive Redaction functionality, allow for content to be dynamically modified (redacted or sanitized), allowing the rest of the communication to be delivered. This ensures secure but continuous collaboration, rather than having to ‘stop and block’ emails and force a remediation against a potential ITAR breach
- Through Policy, apply encryption where required.
Clearswift Solution for Improving Control of Regulated ITAR Information
Designed to meet small, medium and enterprise scale deployments, the Clearswift SEG provides:
- Business operation level information asset protection – focused on the asset value, risk profile and the associated impact of the data associated with it
- Secure handling of ITAR information that is shared through email systems
- Deployment on-premise, or in the cloud, with hybrid deployments possible
- Granular control based on content and context as required to meet the policy requirements
- Recognition of classification tags and/or enforcement of tags before information can be shared
- Multiple encryption options to support different communication policies including TLS, PGP, S/MIME and portal-based encryption
- Advanced options for dealing with scanned documents and image files (Optical Character Recognition and image-based text redaction)
- Advanced Anti-steganography functionality to prevent infiltration of malicious code, or exfiltration of sensitive information in images
- Coherent and consistent sharing of information within and across the teams that hold or create the data, both inside and outside the organization, in support of the need for collaboration across multiple organizational and security domains
- Full compatibility with Microsoft Office 365
- Necessary controls and visibility of inbound/outbound data flow to support both audit and compliance under the specific collaboration policy requirements for ITAR
- Support for operational requirements for cyber security monitoring and incident response
- Support for multiple implementations of encryption that are common to international defense communities.
Designed to scale for organizations of all sizes, the Clearswift SEG solution offers:
- Low friction: seamless deployment using an established, proven and assured security technology platform to minimize cost and shorten time to value
- Deep content validation: proven capability to meet the specific demands of detecting ITAR-related content, especially in the ability to implement controls requiring deep content inspection checks, validation of information sensitivity and the adaptive requirements for content modification for an effective ITAR policy
- User experience: innovation-led improvement to end user experience for secure sharing of information that reduces risk and the associated impact of an ITAR compliance breach
- Reduced operational cost: specific features to deal with policy violations to minimize operational costs
- Support: underpinned by a defense-aware organizational culture that is creative, passionate and built around a customer-focused ‘one-team’ approach, aligned with the essence of the Team Defence community, to ensure the low-risk delivery of enhanced protection.