ITAR amendment builds on and advances FedRAMP principles
The U.S. government has taken an important step in extending the reach of its Federal Risk and Authorization Management Program (FedRAMP), making the same cryptographic baseline FedRAMP requires the cornerstone of a new encryption carve-out in one of the most sensitive policy areas anywhere: defense export controls.
The International Traffic in Arms Regulations (ITAR) are designed to keep the United States and its allies safe by setting out the criteria and authorities for exporting and importing defense articles, defense services, and the technical data behind them. Like the other domains where FedRAMP operates, it is a policy area where security is paramount and there is no margin for error: a single breach of controlled technical data can do damage that lasts for years.
That is why export-control specialists were celebrating December 26, 2019, when the State Department published an amendment to the ITAR that modernizes and unifies the role of end-to-end encryption in securing sensitive technical data and enabling cloud modernization. For companies in the Defense Industrial Base (DIB), the amendment gives a clear basis for using FedRAMP-authorized cloud solutions, from ERP to supply chain to manufacturing execution systems, to handle ITAR technical data, provided that data is protected end to end in the way the rule requires.
After more than four years of painstaking deliberation, the new rule “promises to dramatically improve data security while lowering costs and enhancing the productivity of our defense industrial base,” according to John Ackerly, a former White House technology policy advisor, and Robert Monjay, a former U.S. foreign policy officer.
“Unless you are familiar with the complexities of the ITAR and export policies in general, this news may not be on your radar,” they write for NextGov. But “know this: the impact of this new ruling extends far beyond manufacturers of defense-related items (including satellites, drones, Internet-of-things sensors, and much more).”
And for anyone who has been relying on FedRAMP as a touchstone for data security, the interesting twist is that the same baseline stands behind the protection of Controlled Unclassified Information (CUI) in the cloud: data must be secured using cryptographic modules compliant with FIPS 140-2, with key management and other security controls following current U.S. National Institute of Standards and Technology (NIST) publications. “When you use a cloud service provider with built-in compliance measures, you can rest assured that your company can meet compliance that is dependent on FedRAMP controls, such as ITAR and DFARS [the Defense Federal Acquisition Regulation Supplement],” FTP Today reported in June 2019.
Encrypted data is no longer an ‘export’
That makes FedRAMP the cornerstone for what Ackerly and Monjay herald as “a new data protection paradigm, one which we expect will both drive cloud adoption and enhance data security for organizations handling extremely sensitive data.”
Under the amendment, “technical data protected with end-to-end encryption, such that it cannot be accessed by foreign entities, is no longer considered to be ‘exported’ under ITAR,” they explain. “As a result, organizations no longer have to apply and wait for an export license to share data with authorized individuals, domestically or overseas.” The carve-out is conditional, though. The rule defines end-to-end encryption as protection under which the data is never in unencrypted form between the originator and the intended recipient, and the means of decryption are not provided to any third party; a cloud provider that holds the decryption keys, or an architecture that decrypts the data in transit, does not qualify. The data must also be unclassified, and it must not be intentionally sent to, or stored in, Russia or a country listed in ITAR §126.1.
The two authors call that “a significant step toward the U.S. recognizing the powerful roles that encryption and control play in data security and privacy.” In a single stroke, they write, the State Department “has freed ITAR-compliant organizations from an antiquated approach to security,” sparing them the thousands of hours and tens of millions of dollars previously spent meeting ITAR’s geolocation and access requirements.
The upshot, they add, is that “where the sharing of ITAR technical data was previously a roadblock, it is now an opportunity to unlock innovation within the heavy manufacturing, aerospace and defense, defense contracting, and telecommunications industries.”
A FedRAMP principle in practice
Even more important to Ackerly and Monjay is the recognition that “securing data at the network level is no longer sufficient or productive; a data-centric approach is required for optimal security, while empowering organizations to collaborate, innovate, and push their business forward.”
It is an evolution that FedRAMP helped make possible by providing the security baseline on which other programs and agencies can build. Fittingly, the new ITAR amendment adopts the philosophy FedRAMP is meant to entrench across the public sector: protection anchored in validated cryptography and NIST guidance around the data itself, rather than in the network perimeter.
“It is our hope that ITAR’s encryption carve-out represents both an intersection of security and privacy and a digital transformation that will inspire other organizations, across all industries, to shake their legacy approach to cybersecurity, and begin to realize the benefits of a secure digital workplace,” Ackerly and Monjay write. “If this new rule is any indication, organizations can trust that both the security and privacy communities, as well as the U.S. government, are focused on empowering organizations and individuals to have complete control over their data by knowing where it is and who has access.”