Digital Storage of ITAR Controlled Documentation

Russ

I am trying to improve our handling of ITAR documentation and am looking for examples of how everyone stores their ITAR documentation, be it drawings, records, etc. Do you keep these separate from all others or not? Is limiting access to the network enough control over this documentation, or should we have all ITAR documents in an area where only a select few can access? :bonk:
 

WCHorn

Rubber, Too Glamorous?
Trusted Information Resource
In my opinion, it depends on who has access to the documents, electronic or paper. Only US persons can have access; you need to protect the information from Foreign Persons. That protection extends to assurance that persons authorized to have access know about ITAR and duly protect the data from Foreign Persons.

We digitize almost everything and it has been effective for us. Again in my opinion, electronic documentation is far easier to control than paper. We don't keep it separate because we don't have foreign persons working for us, so we just have to worry about our intranet security and visitors.
 
Russ

WCHorn, thanks for your reply. Since I am not one to make complex systems when simple will work, it is good that I am not alone in that thinking!
 

JLyt207

Involved In Discussions
In my opinion, it depends on who has access to the documents, electronic or paper. Only US persons can have access; you need to protect the information from Foreign Persons. That protection extends to assurance that persons authorized to have access know about ITAR and duly protect the data from Foreign Persons.

We digitize almost everything and it has been effective for us. Again in my opinion, electronic documentation is far easier to control than paper. We don't keep it separate because we don't have foreign persons working for us, so we just have to worry about our intranet security and visitors.

This is it in a nutshell. Your system has to prevent accidental "export" to non-U.S. persons. Hopefully you can prove that you screened everyone that does have access. In addition to citizenship make sure your records indicate you screened them against the denied persons list.

We go to the additional step of keeping controlled info on a separate network drive. It requires an extra step to get to and it is clearly marked so that users are less likely to accidentally export anything. We need hard copies on the floor and those are clearly stamped. They have folders they keep them in when not in use.
 

Pjservan

Involved In Discussions
This is it in a nutshell. Your system has to prevent accidental "export" to non-U.S. persons. Hopefully you can prove that you screened everyone that does have access. In addition to citizenship make sure your records indicate you screened them against the denied persons list.

We go to the additional step of keeping controlled info on a separate network drive. It requires an extra step to get to and it is clearly marked so that users are less likely to accidentally export anything. We need hard copies on the floor and those are clearly stamped. They have folders they keep them in when not in use.

Agree with the above.

In addition, I recommend this network drive is only accessible from your physical location of business. Accessing the drive from external locations may expose you to some other risks. For example, if you have people that travel overseas for business and have access to the drive, they might inadvertently "export" information.
 
Russ

Three other points I would like to get input on which I think are weaknesses in our ITAR handling. We don't currently do these but I believe we need to include them in our system.
1) Have some kind of central tracking of all ITAR docs sent to anyone.
2) Label CNC programs for all ITAR parts
3) Label ITAR parts that are in RTS

Any thoughts?
 
George Kloos

After doing some work on the subject of cloud storage of ITAR/EAR information, I was able to determine that the following conditions need to be met:
1) "End to end encryption" must be used to secure the technology or software;
2) The encryption technology in use must meet or exceed Federal Information Processing (FIPS) Publication 140-2 and be supplemented by security related software meeting or exceeding current NIST guidance; and
3) The technology or software must not intentionally be stored in a country in Country Group D:5 or in Russia.

Hope this helps if you are planning to store information off site.
 