
ITAR, EAR, AND DFARS REQUIREMENTS AND HOW THEY IMPACT YOUR INFORMATION SYSTEMS

1| ITAR, EAR, and DFARS Requirements and How They Impact Your Information Systems

If you’re a service provider to the U.S. federal government – whether to civilian agencies or the Department of Defense (DoD) – your information systems must meet requirements as specified in the Federal Acquisition Regulation (FAR) or, more specifically, the Defense Federal Acquisition Regulation Supplement (DFARS).

The DFARS cyber clause must be flowed down to all suppliers or subcontractors that will store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

CDI is an umbrella term that encompasses all Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI). These three markings (CDI, CUI and CTI) are given to unclassified content that must be protected in a very specific manner both within and outside a government information system.

You may also need to comply with the requirements of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). These regulations impact your organization if it meets any of the following criteria:

• You handle Controlled Unclassified Information (CUI).
• You produce, maintain and/or export items that are on the United States Munitions List (USML).
• You provide defense articles and services.
• You produce items or “know-how” on the Commerce Control List (CCL).

Everyone you share USML data with must be U.S. persons, which includes citizens and green card holders. This requirement includes the employees of any cloud service providers that you may be utilizing to store and transmit your data.

Furthermore, with the final stages of the implementation of Executive Order 13556, “Controlled Unclassified Information”, contractors to the DoD that handle controlled unclassified information (CUI) are required to safeguard CUI under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and the newly established National Archives and Records Administration CUI processes (32 CFR part 2002).

GovFTP.com | Share
The CUI requirements recommended for use in Executive Order 13556 are derived from FIPS Publication 200 and specify NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, as the security guideline.

In addition, DFARS 252.204-7012 states:

“the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”

An assessment against NIST SP 800-171 is needed for federal contractors to provide services for transmitting or storing these data types in non-federal information systems in a way that complies with applicable regulations.

Note these requirements also apply to all cloud service providers (CSPs) that are storing, processing and transmitting these data types on behalf of federal agencies, civilian contractors, or DoD contractors.

Steps you should take when choosing SFTP cloud service providers:

1. Make sure that both the data center infrastructure and cloud platform are FedRAMP JAB Authorized.

The Federal Risk and Authorization Management Program (FedRAMP) evaluates cloud services and issues a Provisional Authority to Operate (P-ATO) to those that pass review. JAB authorizations look at a standardized set of FISMA and NIST requirements and can be used by other agencies in their ATO process. When the Joint Authorization Board (JAB) is convened, it is to review a cloud service that is, and should be, used throughout the government. The members of the JAB are the CIOs of the General Services Administration, Department of Defense, and Department of Homeland Security. They issue a P-ATO for cloud services that pass their review, authorizing them to run systems holding any kind of government data at specific levels.

Once that P-ATO is granted, FedRAMP requires a cloud service provider to undergo audits and re-assessment every year and to maintain continuous monitoring. This gives federal agencies ongoing assurance that the cloud service is compliant.

If it is good enough for the federal agencies themselves to rely on, it is good enough for their contractors and subcontractors as well.

2. Make Sure Your SFTP Site is ITAR and DFARS Compliant

First, make sure that your SFTP site is hosted in the United States (see above) -AND- that everyone employed by the hosting provider is a U.S. citizen. An additional way to ensure your technical data does not accidentally fall into foreign hands is to use SFTP server software that allows you to restrict logical access by geographical location; for example, only allowing access from IP addresses within the United States.

Next, make sure that your SFTP site can enforce the use of secure storage and secure transmissions meeting NIST SP 800-171 and Federal Information Processing Standard (FIPS) 140-2 requirements for encryption cipher strength.

There’s more. The following table offers guidelines for ITAR compliance in the handling of electronic data. It also explains how FTP Today helps meet each of these requirements, along with who shoulders responsibility. After all, compliance itself is not something you can outsource; it is a shared responsibility.

ITAR Management Guidelines: ITAR Requirements, FTP Today’s Practice on GOVFTP, and Responsibility

Access Controls

Requirement: Do not access Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control.
Responsibility: Site Administrator

Requirement: Secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
FTP Today’s practice: FTP Today provides a robust management interface for configuring user authentication via passwords and/or SSH keys. FTP Today also provides controls to disable file sharing (sending files using public links), thereby allowing the administrator to require user authentication for all access.
Responsibility: Site Administrator

Requirement: Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
FTP Today’s practice: FTP Today operates within a high-security data center that requires biometric + card + pin for physical access. FTP Today servers live on a virtual infrastructure that is physically located within locked cabinetry on the data center floor.
Responsibility: FTP Today’s Data Center Partner

System Management

Requirement: Use regularly-updated malware protection software.
Responsibility: FTP Today

Requirement: Keep computers hosting Controlled Information up to date on security patches and updates.
FTP Today’s practice: All systems in use by FTP Today are regularly patched and updated.
Responsibility: FTP Today

Requirement: Wipe electronic media in accordance with NIST 800-88, Guidelines for Media Sanitization, when removed from service.
FTP Today’s practice: All electronic media utilized in providing storage systems to FTP Today are wiped.
Responsibility: FTP Today’s Data Center Partner

Requirement: All Controlled Information must be encrypted if stored on mobile computing devices such as laptops, PDAs and removable media such as thumb drives or CD/DVD.
FTP Today’s practice: N/A
Responsibility: End Users

Transmission of Data

Requirement: Do not transmit or email Controlled Information unencrypted. If encryption is not available, data must be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above.
Responsibility: Site Administrator

Requirement: Wireless network access to Controlled Information must be encrypted using, e.g., WPA2 Enterprise wireless network encryption.
FTP Today’s practice: N/A
Responsibility: End Users

Requirement: Provide monitoring and control over inbound and outbound network traffic. Include blocking unauthorized ingress and egress.
FTP Today’s practice: FTP Today provides activity logs that are available to site administrators at all times. FTP Today also provides site-level controls to restrict all access by Country of Origin (e.g. US only) and user-level controls to restrict each user to their individual IP address.
Responsibility: Site Administrator

Requirement: Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services.
Responsibility: FTP Today

Requirement: Transfer controlled information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements.
FTP Today’s practice: N/A
Responsibility: Site Admins & End Users

Executable Software on Shared Systems

Requirement: The directories containing the software shall be access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions.
FTP Today’s practice: All FTP Today software is contained in isolated directories.
Responsibility: FTP Today

Requirement: The shared system shall have audit logging enabled, and the audit logs shall be backed up.
FTP Today’s practice: FTP Today provides detailed historical logs of all events on the FTP site. Logs are backed up and are maintained for the life of your relationship with FTP Today.
Responsibility: FTP Today

Requirement: The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons.
Responsibility: FTP Today

Requirement: Only U.S. Persons shall have unescorted physical access to the shared system.
Responsibility: FTP Today’s Data Center Partner
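Step 2 above and the “Transmission of Data” rows of the table describe three logical controls an SFTP site can enforce: a site-wide country-of-origin restriction, a per-user source-IP restriction, and FIPS 140-2 approved cipher strength on every session, with each decision written to a backed-up audit log. The following Python is an added example of how such a policy check can be structured; it is not FTP Today’s or GOVFTP’s code. The GeoIP prefix table, the user names and the sessions are constructed sample data, the approved-algorithm sets are an assumed site policy (AES ciphers and SHA-2 HMACs, spelled as OpenSSH names), and the function names are hypothetical.

```python
"""Access-policy check for an SFTP service (added example, constructed data).

Controls modelled: site-level country allowlist, per-user source-IP binding,
and enforcement of a FIPS-approved cipher/MAC set on the negotiated SSH
session. Every decision is rendered as one JSON line for the audit log.
"""
from dataclasses import dataclass
import ipaddress
import json

# Constructed stand-in for a GeoIP database: CIDR prefix -> ISO country code.
# (Documentation prefixes only; not a real lookup table.)
GEOIP_TABLE = {
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "US",
    "203.0.113.0/24": "DE",
}

# Assumed site policy: FIPS 140-2 approved symmetric ciphers and SHA-2 MACs,
# using OpenSSH's algorithm names.
FIPS_APPROVED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                         "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
FIPS_APPROVED_MACS = {"hmac-sha2-256", "hmac-sha2-512",
                      "hmac-sha2-256-etm@openssh.com",
                      "hmac-sha2-512-etm@openssh.com"}
# AEAD ciphers carry their own integrity tag; the negotiated MAC is unused.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}


@dataclass
class SitePolicy:
    allowed_countries: set      # site-level country-of-origin restriction
    user_ip_allowlist: dict     # user -> list of CIDRs; missing/empty = no binding
    require_fips: bool = True


@dataclass
class Session:
    user: str
    source_ip: str
    cipher: str   # negotiated cipher, OpenSSH name
    mac: str      # negotiated MAC, OpenSSH name


def lookup_country(ip):
    """Longest-prefix style lookup over the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None  # unknown origin fails closed below


def evaluate(policy, session):
    """Return (allowed, reasons). All failing controls are collected so the
    administrator sees every reason in a single audit line."""
    reasons = []
    country = lookup_country(session.source_ip)
    if country not in policy.allowed_countries:
        reasons.append(f"country {country or 'unknown'} not in allowlist")
    cidrs = policy.user_ip_allowlist.get(session.user, [])
    if cidrs:
        addr = ipaddress.ip_address(session.source_ip)
        if not any(addr in ipaddress.ip_network(c) for c in cidrs):
            reasons.append(f"source {session.source_ip} not bound to user {session.user}")
    if policy.require_fips:
        if session.cipher not in FIPS_APPROVED_CIPHERS:
            reasons.append(f"cipher {session.cipher} not FIPS approved")
        if session.cipher not in AEAD_CIPHERS and session.mac not in FIPS_APPROVED_MACS:
            reasons.append(f"mac {session.mac} not FIPS approved")
    return (not reasons, reasons)


def audit_record(policy, session):
    """One JSON line per decision, suitable for a backed-up audit log."""
    allowed, reasons = evaluate(policy, session)
    return json.dumps({
        "user": session.user,
        "src": session.source_ip,
        "country": lookup_country(session.source_ip),
        "cipher": session.cipher,
        "mac": session.mac,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed policy: US only, and "alice" may only connect from one /28.
    policy = SitePolicy({"US"}, {"alice": ["198.51.100.0/28"]})
    for s in (Session("alice", "198.51.100.5", "aes256-ctr", "hmac-sha2-256"),
              Session("alice", "198.51.100.200", "aes256-ctr", "hmac-sha2-256"),
              Session("bob", "203.0.113.9", "aes256-ctr", "hmac-sha2-256"),
              Session("bob", "192.0.2.7", "3des-cbc", "hmac-sha1")):
        print(audit_record(policy, s))
```

The check fails closed on an unknown country, reports every violated control rather than stopping at the first, and skips the MAC test only for AEAD ciphers, where OpenSSH ignores the negotiated MAC. In a real deployment the country lookup would come from a maintained GeoIP source and the session parameters from the SFTP server’s connection hooks; the structure of the decision and the audit line is what the example is meant to show.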

Disclaimer: This guide is meant for educational purposes only. As a SaaS FTP provider, FTP Today is not an exporter of data as contemplated by ITAR and other export control laws. As a result, FTP Today is not required to maintain a comprehensive export compliance program, nor can it be held liable if any violations occur.

See a Secure FTP Site in Action!

Request a free, personalized demo of our web app to get a first-hand look at the reliability in sharing sensitive files.

Get Started Today

About FTP

FTP Today specializes in secure FTP file transfers utilizing a proprietary SaaS platform in two private cloud options – FTP Today and GOVFTP. GOVFTP is built for government agencies, their contractors and sub-contractors to share sensitive data with the most stringent U.S. Government security and compliance requirements, including ITAR, CJIS and DoD IL2 workloads.