What is ITAR Compliance?

The Department of State is responsible for ITAR.

ITAR Defined

International Traffic in Arms Regulations (ITAR) control the export and import of defense-related articles and services on the United States Munitions List (USML). According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles, defense services, or related technical data must be ITAR compliant. Therefore, more companies are requiring their supply chain members to be ITAR compliant as well.

In general:

For a company involved in the manufacture, sale or distribution of goods or services covered under the United States Munitions List (USML), or a component supplier to goods covered under the USML, the stipulation or requirement of being “ITAR certified (compliant)” means two things. First, the company must be registered with the State Department’s Directorate of Defense Trade Controls (DDTC), if required as spelled out on DDTC’s web site. Second, the company must understand and abide by the ITAR as it applies to its USML-linked goods or services. The company itself certifies that it operates in accordance with the ITAR when it accepts being a supplier for the USML prime exporter.

In other words, companies must register with the DDTC and know what is required of them to be ITAR compliant and then certify that they possess that knowledge.

What Does the ITAR Mean For My Company?

Overall, it is important to understand that registering with the DDTC to sell your products or services in the ITAR industry is not enough; you must be sure not to violate ITAR compliance regulations. The expectation is that you are educated and trained in ITAR regulations. Keep in mind that ITAR violations may result in criminal or civil penalties, being barred from future exports, and/or imprisonment, including:

  •  Civil fines as high as $500,000 per violation
  •  Criminal fines of up to $1,000,000 and 10 years imprisonment per violation

ITAR Compliance and Manufacturing Companies

As an important U.S. export control law, the ITAR affects the manufacture, sale, and distribution of technology. The goal of the legislation is to control access to specific types of technology and their associated data. Overall, the government is attempting to prevent the disclosure or transfer of sensitive information to a foreign national. As a result, ITAR can be challenging for global corporations, since data related to specific technologies may need to be transferred over the internet or stored locally outside of the United States in order to make business processes flow smoothly. The obligation lies with the manufacturer or exporter to take the necessary measures and steps to certify that they are, in fact, meeting ITAR compliance requirements.

Specifically, ITAR [22 CFR 120-130]:

  •  Covers military items or defense articles
  •  Regulates goods and technology designed to kill or defend against death in a military setting
  •  Includes space-related technology because of application to missile technology
  •  Includes technical data related to defense articles and services
  •  Involves strict regulatory licensing and does not address commercial or research objectives

ITAR Data Security Recommendations

Now that you know the significance of ITAR Compliance and the penalties of failing to comply, it is important to understand how to secure your ITAR-controlled data. While data security will have different requirements for every company, here are some best practices to follow in securing ITAR data:

  •  Maintain a formal information security policy
  •  Build and maintain a secure network by installing and maintaining firewall configuration to protect data and avoiding the use of vendor-supplied passwords and other security defaults
  •  If your company is owned by, or has investors from, outside of the United States, you must ensure that their access is strictly limited
  •  Assign a unique ID to each person with computer access
  •  Regularly test security systems and processes
  •  Protect sensitive data with encryption
  •  Regularly monitor and test networks
  •  Implement strong access control measures
  •  Track and monitor all access to network resources and sensitive data
  •  Maintain a vulnerability management program
  •  Implement measures to prevent the loss of ITAR-controlled data

This list is not exhaustive, but is meant to provide a starting point for securing sensitive data and meeting ITAR compliance. By following these measures and adapting them to your company’s needs, you can ensure that ITAR data is still accessible where it needs to be while staying protected against loss or unauthorized access.

Diverse Tech Services has significant experience in assisting companies with ITAR compliance. We work with manufacturers to ensure their company meets the stringent documentation and security requirements.

Call 317-524-5700 or e-mail Sales@DiverseTechServices.com to learn more.

 

What to Watch For – Ransomware Attacks

TeslaCrypt is one of the most prevalent ransomware attacks in the US

Ransomware – What You Need to Know

Diverse Tech Services has noticed a sharp increase in attempted ransomware attacks over Q1 and Q2 2016. These attacks are primarily initiated through e-mail attachments, but also through social media websites linking to infected websites. Websites like Facebook, Twitter, and Pinterest are susceptible to these attacks by linking users to outside web addresses.

What does ransomware do?

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

It can target any PC user, whether on a home computer, an endpoint in an enterprise network, or a server used by a government agency or healthcare provider.

Ransomware can:

  • Prevent you from accessing Windows.
  • Encrypt files so you can’t use them.
  • Stop certain apps from running (web browser, anti-virus).

Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.

There is no guarantee that paying the fine or doing what the ransomware tells you will give you access to your PC or files again.

How to protect yourself?

  1. Be cautious about unsolicited attachments
    The crooks are relying on the dilemma that you should not open a document until you are sure it is the one you want, but you cannot tell if it is the one you want until you open it. If in doubt, leave it out.
  2. Do not enable macros in any document attachment received via email
    Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so do not do it!
  3. Regularly back up your important files
    There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. If your company has a share drive or file server, make sure to save your important files there. Often saving them to “My Documents” or to the “Desktop” does not ensure that they are backed up.

 

How does ransomware work?

Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptographic attack that adversely affects it, and demands a ransom payment to restore it.

Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer’s Master File Table (MFT) or the entire hard drive.

Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.

 

How does Diverse Tech Services stop the threat?

Diverse Tech Services utilizes the latest in security tools. We work to block all threat vectors to ensure total protection. When it comes to stopping these advanced threats in their tracks, we rely on our Email Security Service, or ESS.

ESS is a comprehensive and affordable cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing, and denial of service attacks.

Whether you manage your own mail server such as Microsoft Exchange or use a hosted service like Microsoft Office 365, spam and viruses are blocked in the cloud prior to delivery to your network, saving network bandwidth and providing additional denial-of-service protection.