By Soujanya Madhurapantula.
In the previous post, you saw how we can control the movement of physical products using GTS. However, any company that deals in ITAR-controlled products has associated technical data that it will need to share. And when the recipients are people outside the US, or people within the US who are not US persons, the technical data transmissions themselves are all considered exports.
Technical data by the way, for those of you who don’t know, is anything like a document, a blueprint, a photo, a plan, instructions, etc. Something with which you can actually do something useful. Not like a marketing brochure or things like that, but something that gives you the information you need to actually construct, repair, or otherwise do something useful to that product that the government would want to control.
Let’s move over to the technical side of the house
Let’s say I’m a US company, ACME Missile Components, and I’d like to export a product of mine which has been designed for military use and is therefore controlled under ITAR. I have 3 different scenarios possible here.
- I’m going to collaborate on the product with one of my customers somewhere in the Southern United States, Bob’s Rocket Motor Company. However, I know that Bob probably has some non-US Person employees, and when we talk about technical data this becomes very important.
- I’m going to collaborate on the product with one of my subsidiaries, Charlie’s Aerospace Mechanisms, which has staff who are US Persons located in both US and overseas locations.
- I’m going to collaborate on the product with a partner company outside the US, David’s Recovery Systems.
So for Bob’s Rocket Motor Company who has non-US engineers located within the US, we would not want to send him any ITAR-product related technical data. We would first need an agreement or license from the government saying we can do so. Without the license, when any non-US engineers there try to access ITAR-related technical data, they should all get warning displays denying them access and explaining why.
With regard to Charlie’s Aerospace Mechanisms: when their engineers are on US soil, everything is OK. If they are inside the United States of America, they can access any controlled information wherever it resides (SAP, SharePoint, etc.) without anything impeding their work. If they are not located in the US, they will be denied. When they are outside the US, we need to ensure that we have the authorization for them to access the data, and this may require acquiring licenses and such for them to do that.
The non-US partner with non-US employees, David’s Recovery Systems, is a straightforward one. We can send them data, but only if we have an agreement or license in place to do that.
Do we have the models in place necessary to yield this kind of control?
The traditional model of authorizing access by user role is no longer scalable: these companies end up creating and managing thousands of roles to respond to rapidly increasing access control requirements, so a new fine-grained method of authorization is required to support streamlined global operations. In addition, access to technical data is dependent on dynamic factors like location, so RBAC will not be sufficient.
Given that, how can companies both enable the global sharing of data necessary for designing best-in-class products while also meeting various regulatory requirements?
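As an added illustration (not NextLabs code and not part of the original post), the three scenarios above can be written as one decision over user attributes instead of thousands of roles. The `User` and `Authorization` record formats, the program name and the country codes are assumptions constructed for this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    company: str
    us_person: bool   # static attribute: US-person status
    location: str     # dynamic attribute: country the request comes from

@dataclass(frozen=True)
class Authorization:
    """A license or agreement on file (constructed record format)."""
    company: str
    program: str
    locations: frozenset          # countries where access is authorized
    covers_non_us_persons: bool

def decide(user, program, authorizations):
    """Return (allowed, reason) for a request to read ITAR technical data."""
    # Charlie's engineers on US soil: no license needed.
    if user.us_person and user.location == "US":
        return True, "US person located in the US"
    # Everyone else needs a license or agreement that covers this exact access.
    for a in authorizations:
        if (a.company == user.company and a.program == program
                and user.location in a.locations
                and (user.us_person or a.covers_non_us_persons)):
            return True, "covered by license/agreement on file"
    who = "US person outside the US" if user.us_person else "non-US person"
    return False, f"{who}: no license or agreement covers this access"

# Constructed sample data for the three scenarios.
PROGRAM = "acme-missile-component"
BOB = User("bob_engineer", "Bob's Rocket Motor Company", False, "US")
CHARLIE_HOME = User("charlie_engineer", "Charlie's Aerospace Mechanisms", True, "US")
CHARLIE_AWAY = User("charlie_engineer", "Charlie's Aerospace Mechanisms", True, "DE")
DAVID = User("david_engineer", "David's Recovery Systems", False, "FR")
ON_FILE = [Authorization("David's Recovery Systems", PROGRAM, frozenset({"FR"}), True)]

if __name__ == "__main__":
    for u in (BOB, CHARLIE_HOME, CHARLIE_AWAY, DAVID):
        allowed, reason = decide(u, PROGRAM, ON_FILE)
        print(f"{u.name:18} @ {u.location}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The same engineer gets a different answer when only the `location` attribute changes, which is the case a static role assignment cannot express.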
Soujanya is the Product Manager for the Entitlement Manager for Enterprise Applications at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 businesses around partner collaboration, export regulations, IP and data security.