Can You Email ITAR Data?

When it comes to ITAR, questions are never in short supply among contractors. For example, one of the most common is “Can I email ITAR data?” In today’s blog, we provide an answer.

What Is ITAR Data and Why Is It Important?

The International Traffic in Arms Regulations (ITAR) controls the export and import of articles in the U.S. Munitions List.

In the context of ITAR, “export” refers not only to the physical transportation of goods but also to the action of sharing data in any way, be it via documents, in conversation, or through visual inspection.

ITAR defines technical data as the information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles and software.

The idea at the core of ITAR is to prevent non-US persons from having physical or logical access to ITAR articles and data.

Understanding ITAR, including what constitutes ITAR data and how to handle it, is important because ITAR violations can result in substantial individual fines, imprisonment, or both.

To learn more about ITAR data, check out our previous posts: “Is ITAR Data CUI?“

We live in an era where advances in technology and production methods require information to travel with increasing velocity, and ITAR data is no exception.

In such a hyper-connected landscape, contractors have to grapple with complex compliance dilemmas. For example: Can ITAR data be sent by email?

The answer is in ITAR CFR § 120.54, also known as the “ITAR carve out,” a provision created to establish that “Sending, taking, or storing technical data” does not constitute an export, reexport, retransfer, or temporary import if the information is:

Unclassified
Secured using end-to-end encryption
Secured using cryptographic hardware or software compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES–128);
Not intentionally sent to a person in or stored in countries subject to restrictions under ITAR § 126.1 or the Russian Federation
Not sent from a § 126.1 country or the Russian Federation.

Contact Our ITAR Experts Today

ITAR defines end-to-end encryption and an encryption process that meets two criteria

Data is not in an unencrypted form between the originator (or the originator’s in-country security boundary) and the intended recipient (or the recipient’s in-country security boundary)
The decryption keys are not provided to any third party.

This means that you can email ITAR unclassified technical data as long as all the above conditions are met.

As you can see, this is a stringent set of requirements, so it is important to get to know more about your email or cloud service providers and where they operate in order to stay compliant.

When in doubt, the best is to seek the assistance of a professional. Our ITAR experts stand ready to answer all your questions. Contact us today.

To learn more about FIPS and FIPS 140-2, read our previous blog “CMMC Compliance: What Is FIPS-Validated Cryptography?”

Need To Achieve ITAR Compliance? We Are Here To Help

Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.

Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.