Are you ITAR compliant?

Keeping your data secure and compliant is getting more difficult as businesses become more software-driven. ITAR Guide was built to educate businesses on the data compliance requirements of ITAR and EAR, and to ensure they are taking the right steps in protecting themselves.

Get Your Risk Report Today

Average Violation Fine in 2018:

Avg Violation Fine in 2018:

What is ITAR or EAR?

ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) are sets of compliance requirements designed to keep specific items and services out of the hands of foreign nationals.

These compliance requirements commonly apply to organizations involved in:

  • Aerospace
  • Automotive
  • Electronics
  • Industrial & Machinery
  • Telecommunications
More FAQs
manufacturing

Key Tenets

Only U.S. citizens can access items on the United States Munitions List (USML).

Any technical specifications describing an export-controlled item or how its made are subject to ITAR and EAR.

Any company that handles, manufactures, designs, sells, or distributes items on the USML is subject to ITAR/EAR compliance, including software vendors.

Not sure if you require ITAR or EAR compliance?

Take our free assessment today.

Start Assessment

FAQ

ITAR specifically regulates the import and export of defense-related products, data and services that appear on the United States Munitions List. It typically applies to government contractors and subcontractors.

EAR is a parallel regulation focused on the commercial component of products, data and services. This applies to dual-use items appearing on the Commercial Control List, which are available for commercial sales and government use.

If the products, or the parts and components of the products you are working with appear on the United States Munitions List or the Commercial Control List, then they are regulated under ITAR or EAR.

The penalties for violating ITAR and EAR are severe, as violators can be fined up to $1,000,000 per violation and up to 20 years of imprisonment. In 2018, the average total penalty was $2,889,373.

Yes, any contractors that come into contact with your sensitive data must adhere to ITAR and EAR as well. Keep in mind that physically shipping product or sending sensitive data to third-party contractors overseas is a violation.

Yes, you can still remain compliant while hiring foreign nationals as long as those employees are not able to access any sensitive data or the physical products that are subject to ITAR and EAR compliance.

No, using common email and phone services to store, receive, or send sensitive information is not ITAR or EAR compliant.

You must take special precautions when receiving, sending and storing sensitive data. For example, storing data on Google Drive is not compliant because contractors that are foreign nationals may be managing your data. The same goes for other third-party software applications you may use for business management, unless they are taking specific precautions such as hosting their servers on AWS GovCloud.

Even if you are storing your data locally, it may not be safe. You must be careful who accesses data via a desktop or laptop within your facility, and these devices cannot physically leave the country.

No, most popular third-party software applications like the Google suite of products, Airtable, or Dropbox are not ITAR and EAR compliant.

Yes, you can store data on the cloud and remain compliant with ITAR and EAR, however you must be careful about how this data is stored and handled. Not only does ITAR and EAR restrictions apply to software providers, but it also extends to infrastructure providers, such as Amazon Web Services (AWS) that handle the data. Most cloud-based software applications are hosted on a public cloud, however there are ITAR-compliant clouds like AWS GovCloud that applications can be hosted on to. Make sure you confirm you are using an ITAR-compliant cloud when storing data.

Key Risk Areas

When evaluating your business for risk of non-compliance, look to these areas to assess how data is being handled.

Storing, Sending and Receiving Sensitive Data

Where you store sensitive data, as well as which methods or applications you use to send and receive this data are important considerations when assessing your risk of non-compliance. If you store data on the cloud, or use cloud-based applications to send and receive data, be aware that ITAR restrictions extend to the infrastructure providers as well. If a cloud-based application is hosted on a popular infrastructure like Amazon Web Services (AWS), it could be non-compliant if it is a public cloud.

Using Third-Party Software

Using consumer-grade, off-the-shelf software (COTS) to store and manage sensitive data can put you at risk of violation. Common services like Google Drive and Dropbox, or software applications like Airtable or Quick Base are not ITAR compliant because they host your data on public cloud which is accessible by foreign nationals.

Working with Third-Party Contractors

If you work with third-party contractors for design, finishing, or other service, be wary of how they handle your sensitive data, as they should be adhering to ITAR and EAR as well. Shipping product or sensitive data to third-party contractors overseas is a violation.

Employing Foreign Nationals

The objective of ITAR and EAR is to prevent sensitive information from being accessed by foreign nationals. That doesn’t necessarily mean that your business shouldn’t hire foreign nationals if you handle business that isn’t subject to these regulations. However, if employed foreign nationals have access to business software containing sensitive data or the physical goods or documents themselves, this can pose a major risk.

Since 2000, the government has been more aggressive on enforcing ITAR and EAR requirements, resulting in larger fines year over year for businesses.

$3.4B
ITAR/EAR Penalty Total Since 2000

Get our Free Compliance Risk Report Today

Take our brief quiz to determine your risk of non-compliance with ITAR or EAR.

The Compliance Risk Report will:

  • Assess your risk of non-compliance and provide you with a Risk Score.
  • Identify key areas of risk that need to be addressed.
  • Provide suggestions on how to address these areas of risk and avoid non-compliance.

Disclaimer: Data entered into this questionnaire and provided in the "Compliance Risk Report" is for illustrative purposes only and does not constitute or pertain to any real-life scenario.

Risk Report
Risk Report

Latest News

Data aggregated from trusted news sources.

Want to talk compliance?

We are committed to providing you with the latest compliance news and resources. Talk with an expert today.