Guidelines for ITAR Compliance
ITAR, EAR, and DFARS Requirements and How They Impact Your Information Systems
If you’re a service provider to the U.S. federal government – whether to civilian agencies or the Department of
Defense (DoD) – your information systems must meet requirements as specified in the Federal Acquisition
Regulation (FAR) or, more specifically, the Defense Federal Acquisition Regulation Supplement (DFARS).

The DFARS cyber clause must be flowed down to all suppliers or subcontractors that will store, process and/or
generate Covered Defense Information (“CDI”) as

CDI is an umbrella term that encompasses all Controlled Unclassified Information (CUI) and Controlled Technical
Information (CTI). These three markings (CDI, CUI and CTI) are given to unclassified content that must be protected
in a very specific manner both within and outside a government information system.
You may also need to comply with the requirements of the International Traffic in Arms Regulations (ITAR) or
the Export Administration Regulations (EAR). These regulations impact your organization if it meets any of the
following criteria:
• You handle Controlled Unclassified Information (CUI).
• You provide defense articles and services.
• You produce, maintain and/or export items that are
• You produce items or “know-how” on the Commerce
Everyone you share USML data with must be U.S. persons, which includes citizens and green card holders. This
requirement includes the employees of any cloud service providers that you may be utilizing to store and transmit
your data.
Furthermore, with the final stages of the implementation of Executive Order 13556 -- “Controlled Unclassified
Information” -- contractors to the DoD that handle controlled unclassified information (CUI) are required to safeguard
CUI under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and the newly
established National Archives and Records Administration CUI processes (32 CFR part 2002).
GovFTP.com | Share
The CUI requirements recommended for use in Executive Order 13556 are derived from FIPS Publication 200 and
specify NIST SP 800-171 -- “Protecting Controlled Unclassified Information in Nonfederal Information Systems and

“the Contractor shall require and ensure that the cloud service provider meets […] baseline and that the cloud
service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident
reporting, malicious software, media preservation and protection, access to additional information and equipment
necessary for forensic analysis, and cyber incident damage assessment.”
An assessment against NIST SP 800-171 is needed for federal contractors to provide services for transmitting
or storing these data types in non-federal information systems in a way that complies with applicable
regulations.
Note that these requirements also apply to all cloud service providers (CSPs).
1. Make sure that both the data center infrastructure and cloud platform are FedRAMP JAB
Authorized.
The Federal Risk and Authorization Management Program (FedRAMP) evaluates cloud services and issues a
Provisional Authority to Operate (P-ATO) to those that pass review. JAB authorizations assess a standardized set
of FISMA and NIST requirements, and other agencies can reuse them in their own ATO process. The Joint
Authorization Board (JAB) is convened to review cloud services that are, and should be, used throughout the
government. The members of the JAB are the CIOs of the General Services Administration, Department of
Defense, and Department of Homeland Security. They issue a P-ATO for cloud services that pass their review,
authorizing them to run systems holding any kind of government data at specific levels.
Once that P-ATO is granted, FedRAMP requires a cloud service provider to undergo audits and re-assessment every
year and to maintain continuous monitoring. This gives federal agencies ongoing assurance that the cloud service
remains compliant.
If it is good enough for the federal agencies themselves to rely on, it is good enough for their contractors and
subcontractors as well.
First, make sure that your SFTP site is hosted in the United States (see above) -AND- that everyone employed by
the hosting provider is a U.S. citizen. An additional way to ensure that your technical data does not accidentally fall
into foreign hands is to use SFTP server software that lets you restrict logical access by geographic location; for
example, allowing access only from IP addresses within the United States.
Next, make sure that your SFTP site can enforce secure storage and secure transmission that meet NIST
SP 800-171 and Federal Information Processing Standard (FIPS) 140-2 requirements for encryption cipher strength.
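The two checks below are an added example, not FTP Today or GOVFTP code, showing how a site administrator could verify the two controls just described: that the SFTP server only negotiates FIPS 140-2 approved algorithms, and that accepted logins come only from each user's approved source addresses. It assumes an OpenSSH-style sshd_config and auth log format; the per-user allowlist, the config excerpt, the log lines and the "approved algorithm" sets are constructed for illustration (a real FIPS claim rests on a validated cryptographic module running in FIPS mode, not on a cipher list alone).

```python
"""Added example: audit an SFTP (OpenSSH-style) deployment for the two controls
described above. All sample data is constructed; the allowlist, config and logs
are not from any real site."""
import ipaddress
import re

# Constructed per-user source allowlist. The page's "US only" site-level control and
# "each user to their individual IP address" user-level control are both modelled as
# CIDR ranges per user; unknown users are denied by default. Ranges are RFC 5737
# documentation prefixes, not real U.S. address blocks.
USER_ALLOWLIST = {
    "alice": ["203.0.113.0/24"],   # site-level range
    "bob": ["198.51.100.7/32"],    # pinned to a single address
}

# Algorithms built only on FIPS 140-2 approved primitives (AES, SHA-2, NIST P-curves,
# DH group 14/16). Illustrative set; chacha20, curve25519 and umac are excluded.
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
FIPS_MACS = {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}
FIPS_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"}
APPROVED = {"ciphers": FIPS_CIPHERS, "macs": FIPS_MACS, "kexalgorithms": FIPS_KEX}


def audit_sshd_config(text):
    """Return {keyword: [non-approved algorithms]} for Ciphers/MACs/KexAlgorithms lines.
    An empty dict means every configured algorithm is in the approved set."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in APPROVED:
            bad = [a.strip() for a in value.split(",") if a.strip() not in APPROVED[key]]
            if bad:
                findings[key] = bad
    return findings


LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def source_allowed(user, ip):
    """True only if ip falls inside one of the user's allowlisted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                            # malformed address: treat as denied
        return False
    return any(addr in ipaddress.ip_network(net) for net in USER_ALLOWLIST.get(user, []))


def flag_out_of_policy_logins(log_lines):
    """Scan sshd auth log lines; return (user, ip, method) for every *accepted* login
    whose source address is outside that user's allowlist. Failed logins are ignored
    here because they never granted access."""
    flagged = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and not source_allowed(m["user"], m["ip"]):
            flagged.append((m["user"], m["ip"], m["method"]))
    return flagged


# Constructed sshd_config excerpt: each algorithm list mixes approved and non-approved entries.
SAMPLE_SSHD_CONFIG = """
# constructed excerpt
Subsystem sftp internal-sftp
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,umac-64@openssh.com
KexAlgorithms ecdh-sha2-nistp256,curve25519-sha256
"""

# Constructed auth log lines (hostname, PIDs and fingerprints are made up).
SAMPLE_AUTH_LOG = [
    "Mar 10 09:12:01 sftp01 sshd[2211]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:constructed",
    "Mar 10 09:15:44 sftp01 sshd[2230]: Accepted password for bob from 198.51.100.7 port 40022 ssh2",
    "Mar 10 09:20:09 sftp01 sshd[2251]: Accepted publickey for bob from 192.0.2.44 port 40100 ssh2: RSA SHA256:constructed",
    "Mar 10 09:21:30 sftp01 sshd[2260]: Failed password for invalid user root from 192.0.2.99 port 41000 ssh2",
    "Mar 10 09:25:00 sftp01 sshd[2270]: Accepted publickey for carol from 203.0.113.9 port 42000 ssh2",
]

if __name__ == "__main__":
    for key, algs in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"non-approved {key}: {', '.join(algs)}")
    for user, ip, method in flag_out_of_policy_logins(SAMPLE_AUTH_LOG):
        print(f"out-of-policy login: user={user} from={ip} via={method}")
```

Running the block reports chacha20-poly1305, umac-64 and curve25519 as non-approved, and flags bob's login from 192.0.2.44 (outside his pinned address) and carol's login (no allowlist entry, so denied by default). In production the log scan would read the live auth log and the config audit would run as part of change control, but the logic is the same.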
There’s more. The following table offers guidelines for ITAR compliance in the handling of electronic data. It also
explains how FTP Today helps meet each of these requirements, along with who shoulders responsibility. After all,
ITAR Management Guidelines / ITAR Requirements / FTP Today’s Practice on GOVFTP / Responsibility

Access Controls
  Requirement: Secure access using individually-assigned accounts requiring username/password, user certificates,
  or other user-specific authentication methods.
  FTP Today’s practice: FTP Today provides a robust management interface for configuring user authentication via
  passwords and/or SSH keys.
  Responsibility: Site Administrator

  FTP Today’s practice: FTP Today provides controls to disable file sharing (sending files using public links),
  thereby allowing the administrator to require user authentication for all access.
  Responsibility: Site Administrator

System Management
  Requirement: Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container
  or room, password) when not under direct individual control.
  FTP Today’s practice: FTP Today operates within a high-security data center that requires biometric + card +
  login and PIN for physical access. FTP Today servers live on a virtual infrastructure that is physically located
  within locked cabinetry on the data center floor.
  Responsibility: FTP Today’s Data Center Partner

  Requirement: Keep computers hosting Controlled Information up to date on security patches and updates.
  FTP Today’s practice: All systems in use by FTP Today are regularly patched and updated.
  Responsibility: FTP Today

  Requirement: Wipe electronic media in accordance with NIST 800-88, Guidelines for Media Sanitization, when
  removed from service.
  FTP Today’s practice: All electronic media utilized in providing storage systems to FTP Today are wiped.
  Responsibility: FTP Today’s Data Center Partner

Transmission of Data
  Requirement: Provide monitoring and control over inbound and outbound network traffic. Include blocking
  unauthorized ingress and egress.
  FTP Today’s practice: FTP Today provides activity logs that are available to site administrators at all times.
  Responsibility: Site Administrator

  FTP Today’s practice: FTP Today provides site-level controls to restrict all access by Country of Origin (e.g. US
  only) and user-level controls to restrict each user to their individual IP address.
  Responsibility: Site Administrator

Executable Software on Shared Systems
  Requirement: The directories containing the software shall be access controlled so that only its designated
  user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access
  permissions.
  FTP Today’s practice: All FTP Today software is contained in isolated directories.
  Responsibility: FTP Today

  Requirement: The shared system shall have audit logging enabled, and the audit logs shall be backed up.
  FTP Today’s practice: FTP Today provides detailed historical logs of all events on the FTP site. Logs are backed
  up and are maintained for the life of your relationship with FTP Today.
  Responsibility: FTP Today

  Requirement: The shared system shall be managed solely by U.S. Persons, as defined in the export regulations.
  All users with root or sudo privileges must be U.S. Persons.
  Responsibility: FTP Today
Disclaimer: This guide is meant for educational purposes only. As a SaaS FTP provider, FTP Today is not an exporter
of data as contemplated by ITAR and other export control laws. As a result, FTP Today is not required to maintain a
comprehensive export compliance program, nor can it be held liable if any violations occur.
About FTP
FTP Today specializes in secure FTP file transfers utilizing a proprietary SaaS platform in two private cloud options
-- FTP Today and GOVFTP. GOVFTP is built for government agencies, their contractors and sub-contractors to share
sensitive data with the most stringent U.S. Government security and compliance requirements, including ITAR, CJIS