Q&A With an Expert: ITAR for Job Shops

The response to our recent webinar on ITAR-Compliant Cloud Solution for Aerospace and Defense Job Shops was phenomenal. Attendees were eager to learn about the intricacies of ITAR and how it impacts their operations, and they posed thought-provoking questions throughout the session. Our Senior Product Manager, Dave Lechleitner, was the perfect person to lead the webinar, given his extensive experience and knowledge on the subject.

If you missed it, don't worry - we've put together a list of the most important questions that were raised during the session.

What is the purpose of ITAR?

The International Traffic in Arms Regulations (ITAR) is a set of government regulations administered by the US Department of State’s Directorate of Defense Trade Controls (DDTC). In order to maintain the confidentiality of US defense technology and intellectual property, ITAR controls the production, sale, and distribution of defense and space-related items and services in the United States.

Does ITAR affect all job shops?

No. Only those organizations that manufacture, design, sell, or distribute items on the United States Ammunition List (USML) must adhere to ITAR regulations, which necessitate rigorous safeguards.

What are the consequences of being non-ITAR compliant?

Failure to comply with ITAR may result in serious consequences such as significant fines, loss of export privileges, and criminal charges. To ensure compliance, companies must identify their USML status, comprehend ITAR components, register with the DDTC, classify their products, and guarantee end-use compliance.

Do I need to get ITAR certified?

No. This is a common misconception, but there is no such thing as an ITAR Certification. Instead, companies are expected to understand the regulations and comply with the requirements on their own. It is also not uncommon for places to refer to themselves as being “ITAR Certified”, but what they really mean is that they are “ITAR Compliant”.

Is there a website that those pursuing ITAR Compliance must be registered with?

Yes. Registration is required with the Directorate of Defense Trade Controls (DDTC), which administers the ITAR. After submitting the electronic statement of registration, the DDTC will review your registration and assign a registration code if approved. The registration is valid for 12 months, starting from the date of issuance and it’s essential to renew the registration annually to remain compliant.

Does anything ITAR have to be labeled as such? And if so, can I assume that if not labeled, it's not ITAR-related?

Yes, but no. In accordance with ITAR regulations, all information that falls under the jurisdiction of ITAR must be appropriately labeled as such. However, this is where many of our customers and prospects run into difficulties. Due to a lack of understanding of the regulation, they may have ITAR-related documents circulating on their shop floor without realizing that they should be handled in an ITAR-compliant manner. That's why we strongly recommend transitioning to a paperless system as much as possible. Every piece of paper that is floating around increases the likelihood of a breach, so minimizing physical documents is crucial.

Is being a U.S. citizen a requirement for ITAR Compliance?

No. ITAR compliance extends to US Permanent Residents (green card holders) and US nationals, meaning that anyone involved in an ITAR process at any level must comply with its regulations. However, certain non-US persons, such as some refugees, asylum seekers, and others may be allowed access once required additional licensing or approvals to access controlled materials are granted. For these reasons, it's essential to properly vet and authorize all individuals on your shop floor, regardless of citizenship, to ensure compliance with ITAR regulations.

As a current ECI product user, is my ERP solution already ITAR Compliant?

No. ITAR does not ask that ERP solutions be compliant. What it does require is that the location where the ERP is hosted be ITAR compliant. So, chances are unless you’ve deployed your ERP locally and have taken on the responsibility of ensuring compliance, it’s not. Our ERPs, like any company, deploy in what is called a “commercial environment”, often referred to as “the cloud” which is not compliant. However, we do have a process in place where we grab your data and move it over to the government cloud which would ensure your ERP solutions are hosted in an ITAR-compliant manner.

I know my ERP solution is hosting my data in the AWS GovCloud, can I be completely hands-off now?

No. DDTC operates on a “shared responsibility model”. Ultimately, the cloud provider ensures that as a host of your data, they are logically and physically compliant with the ITAR regulatory demands. However, its customers (you) are still responsible for your on-prem security and compliance of the data, applications, personnel, and your sub-contracted vendors are also ITAR compliant.

As an ECI ERP solutions user, can ITAR-controlled documents be confined to specific users?

No, not yet. Specific documents cannot be locked down, but you can limit access to specific areas within the system to specified users. The solution would be to know where the ITAR-related document/s are from there ensure that only ITAR-compliant individuals are able to access those specific modules.

What is so unique about ECI's approach to ITAR?

Although not required or regulated, we did not want to go into the market and assume we had everything in place. So, we contracted with a third-party to attest our level of control and we passed that attestation with flying colors. We’ll have that attestation – again, we’re not saying we’re “certified” – but we have been attested in terms of the level of control that we have. It was our goal to ensure our internal controls were up to the expectations of the regulation for our customers.

Where can customers go to learn more about ECI's ITAR offerings?

We have an ECI & ITAR-specific web page setup that outlines our regulatory compliance offerings for manufacturers and from which you can download our ITAR Product Guides.