ITAR and Data Security with Paperless Parts
If you work in an American job shop, chances are you work with “ITAR” parts or have at least heard about them. Being compliant with the International Traffic in Arms Regulations (ITAR) means more than filing a form with the government and paying a fee. Parts subject to ITAR (which include the bulk of parts made for the military and defense contractors — a HUGE part of the US manufacturing market) must not be exported to another country without a special license. Obviously, this means you can’t ship an ITAR part overseas. But did you know that disclosing technical data about an ITAR part to a foreign national — even when that person is on US soil — can get you and your shop in a lot of trouble, including both personal and business fines, and even prison time?
Here are a few quick questions to think about to better understand how ITAR impacts your shop:
- Do you work with customers who regularly provide products to the US Department of Defense? If yes, then you likely handle ITAR data.
- When was the last time your shop filed ITAR registration and paid the $2,250 fee? Compliance requires yearly registration with the Directorate of Defense Trade Controls (DDTC), as required by Section 38 of the Arms Export Control Act (AECA) and Section 122.1 of the International Traffic in Arms Regulations (ITAR).
- Do you control physical access to your shop floor and log all visitors? If no, this is a critical item for working with major defense OEMs and will likely get flagged in an audit.
- Do you control access to all technical data including CAD models, drawings, and specifications? This should include files stored on your computer and paper copies traveling around the shop floor.
- Do you ever send ITAR data over email? If yes, these files must be encrypted or stored in a password-secured file vault.
- Do you store this data unencrypted on your local network? If so, you are exposing your shop to the risk that these files will be compromised in a cyber attack.
- Do you always know if part files and technical data require adherence to ITAR? Communication between buyers and shops is not always clear around which files require strict ITAR security, so it is important to ask when quoting a customer and treat all files as ITAR until otherwise notified.
In our experience, shops do a good job controlling physical access to the manufacturing floor, but often struggle with properly securing digital technical data. Paperless Parts ensures all of your data is handled properly and treated as if it is subject to ITAR to prevent accidental disclosure.
To do this, we built the Paperless platform on servers located in Amazon’s “GovCloud”, powered by two Department of Defense approved data centers. These are located in the US and staffed only by qualified US persons. All data is encrypted while traveling to and from our servers, and files are stored encrypted. By using the Paperless automated request for quote form (SmartRFQ form) and digital quote, you and your customers can always exchange files securely without attaching sensitive files to emails or having to leverage expensive third-party file vaults, which exposes you to the risk of accidental disclosure to foreign nationals.
We are the first manufacturing software platform to leverage the power of Amazon GovCloud. We join the ranks of organizations like the Department of Homeland Security, Lockheed Martin, and Raytheon.
We take data security and national defense seriously. Our founders have backgrounds in the military, the defense industry, and ITAR-compliant job shops. We are published experts on data security. Our mission at Paperless is to help job shops keep our nation’s sensitive data secure, while growing to support one of the largest manufacturing customers – the US Department of Defense.
– Scott Sawyer
Please find Paperless Parts' ITAR Registration Letter (2022) here.
Scott Sawyer is Co-Founder & Chief Technology Officer at Paperless Parts. He is focused on platform security and developing algorithms to quote parts more quickly and accurately, while scaling both the team and architecture. He worked on defense “big data” technology at MIT Lincoln Lab and Lockheed Martin, prior to leading the engineering team at a Boston IoT startup. Scott holds a BSEE (Villanova) and MSEE (UPenn).