A struggle of more than 4 years has now ended. The US government issued a final ruling for implementing end-to-end encryption to protect sensitive data and provide services to enable cloud modernization. The International Traffic in Arms Regulations (ITAR) is a new encryption rule applicable to all the export items.
The ITAR will provide improved data security, focusing more on lowering costs and enhancing productivity for the defense industry. The ITAR compliance is meant to keep the potentially dangerous products, techniques, and data out of reach from potentially dangerous governments/businesses, which could use the technology against the US. The ITAR is going beyond the defense companies, so any technology that threatens the country’s interests and policy needs to be regulated. Businesses all around the world need to adhere to the Export Administration Regulations (EAR) to regulate various software exports, including encryption algorithm.
The ITAR does not apply to the defense manufactures and its supply chain partners, so any organization that buys, sells, or distributes anything on the United States Munitions List (USML) or handles data on the ITAR will be subject to the new regulation. USML is the list of military and defense items that demand the license of the Department of State to be exported. USML includes equipment, plans, blueprints, and documentation required for design, development, and production.
Businesses dealing with USML data will be affected by ITAR. Defense organizations are rapidly shifting to cloud-based solutions; storing and sharing technical data in the cloud can risk exposure to non-US persons. Steep penalties and criminal charges can be levied on the non-compliant businesses; if a business falls under the ITAR, it should develop and implement a dedicated and fluid data security policy.
The ITAR’s new encryption carve-out was published on December 24, 2019, and will be effective from March 23, 2020. The regulation will enable ITAR-compliant organizations to communicate and share data securely across foreign offices, partners, and the US government without the need for an export license.