Understanding ITAR vs EAR vs FAR vs DFARS Cybersecurity Requirements

It is possible for data related to International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) to fall outside of the US National Archives (NARA) classification of export-controlled information (e.g., CUI//SP-EXPT). However, the reality is NIST SP 800-171 controls constitute the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. Additionally, an entity needs to ensure "access" and "release" requirements are specified according to 22 CFR 120.56:

22 CFR 120.56 - Release
1. Release. Technical data is released through:
  a. Visual or other inspection by foreign persons of a defense article that reveals technical data to a foreign person;
  b. Oral or written exchanges with foreign persons of technical data in the United States or abroad;
  c. The use of access information to cause or enable a foreign person, including yourself, to access, view, or possess unencrypted technical data; or
  d. The use of access information to cause technical data outside of the United States to be in unencrypted form.
2. Provision of access information. Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing, or possession of the unencrypted technical data.

This requirements to control “release” forces an entity to define authorized users based on:

1. Nationality as an explicit criteria (e.g., NOFORN); and
2. Access location as an explicit criteria.

This access control applies for the user’s allowed assigned functions (e.g., roles) and privileged functions (e.g., system administrator). EAR is similar, but allows for a broader list of nationalities and countries that can be authorized for release.

While NIST SP 800-171 is considered a "minimum" to protect Controlled Unclassified Information (CUI) from a compliance perspective, those controls are likely not sufficient the entirety of an entity's overall needs to be secure, compliant and resilient. Therefore, additional administrative, technical and physical controls may be necessary (e.g., overlayed on top of NIST SP 800-171 controls).

NOTE: It is important to understand that NIST SP 800-171 will not solely address an entity's needs for a broader export control program. This program-level understanding is needed to govern how ITAR/EAR compliance is administered across the entity, not just within cybersecurity (e.g., registering for licenses, maintaining records, disclosures, etc.). To authorize release of export-controlled information an entity must communicate with the appropriate authority within the US government:

• ITAR: The US Department of State Directorate of Defense Trade Controls (DDTC) is the primary authority within the US government for authorizing ITAR-controlled access based on nationality (e.g., non-US citizens). DDTC grants licenses, technical assistance agreements and/or approvals for foreign nationals to access US defense technology.
• EAR: The US Department of Commerce Bureau of Industry and Security (BIS) is the primary authority within the US government for authorizing the export, re-export, or in-country transfer of items subject to its jurisdiction, including determining the nationality / country restrictions for deemed exports.

To understand ITAR vs EAR vs DFARS vs FAR requirements, it is important to understand the multiple stakeholders and their roles:

If you take the time to read through ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that are required to protect ITAR/EAR data. This is where NARA comes into play through its authority to operate the US Government's CUI Program, where "export controlled" information has its own unique CUI category - https://www.archives.gov/cui/registry/category-detail/export-control.html. 

ITAR/EAR CUI Category:  Export Controlled (CUI//SP-EXPT) 

NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.

What Are Minimum Cybersecurity Requirements for ITAR & EAR?

While it might be possible that there is some ITAR/EAR that falls outside of NARA's classification of "export-controlled" information, the reality is NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason that NIST SP 800-171 is considered a "minimum" is that the controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.

What is ITAR/EAR?

ITAR/EAR are two (2) different, but complimentary sets of requirements:

• ITAR is an acronym for International Traffic in Arms Regulations; and
• EAR is an acronym for Export Administration Regulations.

ITAR and EAR combine to govern the export and import of sensitive technologies and defense-related materials:

ITAR regulates defense-related articles and services on the US Munitions List (USML).

• ITAR’s authority is based on 22 CFR Parts 120-130;
• ITAR is managed by the US Department of State (DDTC); and
• ITAR restricts the export and sharing of military technologies, requiring manufacturers and exporters to register with the US State Department and obtain export licenses.

EAR controls the export of commercial and dual-use goods, software and technology that can have both civilian and military applications.

• EAR’s authority is based on 15 CFR Parts 730-774; and
• EAR is managed by the US Department of Commerce (BIS).

Compliance with ITAR/EAR is critical for companies working with defense contracts, aerospace, or technologies with potential national security implications. Violations can lead to severe penalties, including fines and export restrictions. ITAR and EAR information may be handled under CUI protections if it falls within CUI categories, but ITAR/EAR compliance involves additional controls such as strict export licensing and access restrictions.

What Are Applicable NIST SP 800-171 Controls For ITAR & EAR?

NARA does not specify which controls are applicable to ITAR and/or EAR, so the expectation is all applicable NIST SP 800-171 controls and NIST SP 800-171A Assessment Objectives (AOs). However, there are a few specific controls and AOs that need to have explic nationality and location criteria defined for ITAR/EAR compliance:

Applicable NIST SP 800-171 R2 Controls & Assessment Objectives

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

• 1.1[a]: authorized users are identified.
• 1.1[b]: processes acting on behalf of authorized users are identified.
• 1.1[c]: devices (and other systems) authorized to connect to the system are identified.
• 1.1[d]: system access is limited to authorized users.
• 1.1[e]: system access is limited to processes acting on behalf of authorized users.
• 1.1[f]: system access is limited to authorized devices (including other systems).

3.1.3: Control the flow of CUI in accordance with approved authorizations.

• 1.3[a]: information flow control policies are defined.
• 1.3[b]: methods and enforcement mechanisms for controlling the flow of CUI are defined.
• 1.3[c]: designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.
• 1.3[d]: authorizations for controlling the flow of CUI are defined.
• 1.3[e]: approved authorizations for controlling the flow of CUI are enforced.

3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information.

• 1.15[a]: privileged commands authorized for remote execution are identified.
• 1.15[b]: security-relevant information authorized to be accessed remotely is identified.
• 1.15[c]: the execution of the identified privileged commands via remote access is authorized.
• 1.15[d]: access to the identified security-relevant information via remote access is authorized.

Applicable NIST SP 800-171 R3 Controls & Assessment Objectives

03.01.01 (Access Enforcement): Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.

• 03.01.02[01]: approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
• 03.01.02[02]: approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.

03.01.03 (Information Flow Enforcement): Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems.

• 03.01.03[01]: approved authorizations are enforced for controlling the flow of CUI within the system.
• 03.01.03[02]: approved authorizations are enforced for controlling the flow of CUI between connected systems.

03.01.07 (Least Privilege – Privileged Functions):

1. Prevent non-privileged users from executing privileged functions.
2. Log the execution of privileged functions.

• 03.01.06.ODP[01]: personnel or roles to which privileged accounts on the system are to be restricted are defined.
• 03.01.06.a: privileged accounts on the system are restricted to <A.03.01.06.ODP[01]: personnel or roles>.
• 03.01.06.b: users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information.