ITAR and EAR Compliance and Modern Product Development (Part I)
As a high-tech electronics manufacturer, you have your hands full developing and producing today's complex products, a mix of sophisticated electrical, mechanical, and software elements. If you participate in the defense market, you may also be subject to strict federal regulations governing at least some of your product data and processes, either directly (as a manufacturer registered with the State Department under ITAR, or as a company whose items and technology fall under the EAR) or indirectly, through flow-down requirements from customers who must meet those regulations themselves.
And, as your products embody the most current technologies including IoT platforms, analytics, machine learning, and artificial intelligence, you might also need to update the very processes and tools you use to deliver products. Timely design decisions without multiple meetings? Transparent, accessible information on the latest revision sent to production? A clear, traceable set of requirements for the new product introduction coming up next month?
Complex products mean diverse teams, from engineering, program management, and science to quality assurance, operations, and supply chain. To succeed, you must deliver the right product at the right time for the right price. If your customer is a defense agency or part of the defense supply chain, all of that product work must happen within a framework of strict federal regulation. Products and technical data developed for United States defense purposes fall under the International Traffic in Arms Regulations (ITAR) for items on the U.S. Munitions List and/or the Export Administration Regulations (EAR) for dual-use and other controlled items, and manufacturers must follow a complex set of rules designed to protect national security interests. Neither ignorance nor good intentions spare a company from serious consequences when it violates them. Recent non-compliance penalties have ranged from $20,000 to $78 million and have cost companies contracts.
Before we look at your options for product lifecycle management (PLM), we need to review the basics of ITAR and EAR regulations as related to product development.
Understanding ITAR and EAR
At the most basic level, both regulations place the technical data that falls under them under export control: that data must not be exported at any point during design, production, or sustainment unless the export is covered by a license or by an applicable ITAR exemption or EAR license exception.[i] Note that an "export" includes releasing controlled technical data to a foreign person inside the United States (a "deemed export"), not only sending it abroad.
In practical terms, this means that:
- ITAR- and EAR-controlled technical data must stay in the U.S. and be accessible only to U.S. persons. Under ITAR a "U.S. person" is broader than a citizen or green-card holder: it also includes protected individuals (certain refugees and asylees) and U.S.-incorporated entities. Anyone else may see the data only under a license or exemption, regardless of where they are sitting.
- Data in transit and at rest must be encrypted. Since 2020 both regulations treat unclassified technical data that is end-to-end encrypted to the FIPS 140-2 standard as not exported while in transit or in storage, provided only authorized persons can decrypt it and it is not stored in proscribed countries (ITAR § 120.54(a)(5); EAR § 734.18(a)(5)). This is what makes cloud storage possible at all, so the key-management arrangement matters as much as the cipher.
- Access to any platform holding controlled product data must be restricted to authorized U.S. persons (or specifically licensed foreign persons), and every access must be logged.
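The access rules above, as an added illustration that is not part of the original post and not Arena's product code: a deny-by-default, attribute-based check that evaluates who the user is, where the session originates, whether a license names that user for that data, and writes an audit record for every decision. The field names, status values, license record, and sample users are assumptions for illustration; the real policy is whatever your empowered official and counsel define.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical example (added here; not Arena's code or the regulations' text).
# It encodes the practical rules listed above as a deny-by-default,
# attribute-based access check with an audit record for every decision.

# ITAR "U.S. person" is wider than citizens and green-card holders: it also
# covers "protected individuals" (certain refugees and asylees).
US_PERSON_STATUSES = frozenset({"us_citizen", "lawful_permanent_resident", "protected_individual"})

@dataclass(frozen=True)
class User:
    user_id: str
    person_status: str        # e.g. "us_citizen" or "foreign_national" (assumed values)
    mfa_verified: bool        # from the identity provider's session context
    access_country: str       # ISO 3166 country of the session, e.g. "US"

@dataclass(frozen=True)
class Resource:
    resource_id: str
    control: Optional[str]    # None (uncontrolled), "ITAR" or "EAR"

@dataclass(frozen=True)
class License:
    license_id: str
    licensee_user_id: str     # the specific foreign person the license names
    resource_ids: frozenset   # the specific technical data it authorizes
    expires: datetime

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

AUDIT_LOG: list = []          # append-only; in production, forward to a SIEM

def is_us_person(user: User) -> bool:
    return user.person_status in US_PERSON_STATUSES

def license_covers(user: User, resource: Resource, licenses, now: datetime) -> Optional[License]:
    """Return the unexpired license naming this user and this resource, if any."""
    for lic in licenses:
        if (lic.licensee_user_id == user.user_id
                and resource.resource_id in lic.resource_ids
                and lic.expires > now):
            return lic
    return None

def authorize(user: User, resource: Resource, licenses=(), now: Optional[datetime] = None) -> Decision:
    """Deny-by-default gate for one access request; every outcome is audited."""
    now = now or datetime.now(timezone.utc)
    if resource.control is None:
        decision = Decision(True, "uncontrolled data")
    elif not user.mfa_verified:
        decision = Decision(False, "MFA required for controlled data")
    elif (lic := license_covers(user, resource, licenses, now)) is not None:
        # A license is an authorized export: its terms, not the default rules, govern.
        decision = Decision(True, f"authorized by export license {lic.license_id}")
    elif not is_us_person(user):
        decision = Decision(False, f"non-U.S. person without a license for {resource.control} data")
    elif user.access_country != "US":
        decision = Decision(False, f"{resource.control} data may not be accessed from {user.access_country}")
    else:
        decision = Decision(True, "U.S. person accessing from the U.S.")
    AUDIT_LOG.append({
        "time": now.isoformat(), "user": user.user_id, "resource": resource.resource_id,
        "control": resource.control, "allow": decision.allow, "reason": decision.reason,
    })
    return decision

# Constructed sample data (not real people, parts, or licenses)
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ALICE = User("alice", "us_citizen", mfa_verified=True, access_country="US")
ALICE_ABROAD = User("alice", "us_citizen", mfa_verified=True, access_country="DE")
CHEN = User("chen", "foreign_national", mfa_verified=True, access_country="US")
DRAWING = Resource("DWG-1042", control="ITAR")
BROCHURE = Resource("BRO-7", control=None)
CHEN_LICENSE = License("LIC-EXAMPLE-1", "chen", frozenset({"DWG-1042"}), NOW.replace(year=2025))

def run_examples() -> dict:
    """Evaluate the sample requests; keys name the scenario, values are allow/deny."""
    return {
        "us_person_in_us": authorize(ALICE, DRAWING, now=NOW).allow,
        "us_person_abroad": authorize(ALICE_ABROAD, DRAWING, now=NOW).allow,
        "foreign_no_license": authorize(CHEN, DRAWING, now=NOW).allow,
        "foreign_with_license": authorize(CHEN, DRAWING, [CHEN_LICENSE], now=NOW).allow,
        "foreign_expired_license": authorize(CHEN, DRAWING, [CHEN_LICENSE], now=NOW.replace(year=2026)).allow,
        "uncontrolled": authorize(CHEN, BROCHURE, now=NOW).allow,
    }

if __name__ == "__main__":
    for case, allowed in run_examples().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(AUDIT_LOG)} audit records written")
```

Two design choices are worth noting. The license check runs before the U.S.-person and location checks because a license is itself the export authorization, so its terms (including where the licensee may be) override the defaults; and the only path to "allow" for controlled data is an explicit match, so a missing attribute (an unknown status, a blank country) falls through to deny rather than to allow.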
To summarize, companies must keep tight control over all controlled technical data. Export-controlled technical data is also a category of controlled unclassified information (CUI), so it must be marked and handled as such. Depending on the circumstances, technical data can include file names, component descriptions, engineering drawings, specifications, test procedures, bills of materials, and more. As the registered manufacturer, you determine which technical data in your product record is controlled by classifying your product against the U.S. Munitions List (ITAR) or the Commerce Control List (EAR), or by requesting a determination from the government where the jurisdiction or classification is unclear. All controlled data must then be handled under the terms above, with documented policies and procedures for access, audit history, and incident reporting.
Furthermore, "access" in the regulations means any method of access: any operating system and any application, including IT support and maintenance on systems where controlled data is stored, since an administrator who can read the data is accessing it just as an engineer is. Every channel for sharing information (email, fax, physical delivery, and so on) must be controlled in the same way. Clearly, complying with these stringent requirements without sacrificing business agility is a real challenge for manufacturers of complex electronic devices.
Options for managing export-controlled data
Compliance breeds caution. While this is understandable, it isn’t a desirable position to drive innovation or ensure market advantage. In the past, you might have found product record tool choices limited: desktop apps, spreadsheets, and local file servers; homegrown solutions; or heavier, outdated PLM systems. While any of these solutions can suffice for a period of time, none of these enable scaling your business, optimizing processes, and exceeding quality and market goals. And, most of them were not designed to (and cannot) adequately address the security and location-based restrictions federal regulations demand without cost and additional risk.
For any export-controlled technical data, all records, access, and movement of data must meet federal regulations, as we've discussed. Manufacturers that assume a product record solution, tool, or platform meets those requirements without validating it risk unpleasant customer audits or non-compliance incidents that endanger current or future contracts.
ITAR and EAR regulations impact every layer of tools and methods of storing and accessing controlled technical data: from physical and logical layers (e.g., hardware, OS systems, networks, protocols) and platforms and applications to product data structures, data classification, end-user controls, and access management. For each of these areas, the regulations stipulate specific requirements, and the responsible owner for each layer must ensure requirements are met, including policies and procedures, incident reporting, and maintenance activities.
Assumptions can be dangerous. Off-the-shelf business applications, such as word processing and spreadsheet software, are not designed to enforce these security and location-based restrictions. Your network may or may not already meet the requirements for encryption and location-based access for identified users; most likely it does not unless you have communicated those requirements to your IT team. And, for most manufacturers, building the structures and processes in the physical, logical, platform, and application layers diverts resources and time from the important work of making products.
Modern secure Cloud PLM—shared responsibility
In the commercial markets, manufacturers benefit from business-ready Cloud PLM solutions (like Arena, of course) that provide the product control and team collaboration needed in a flexible, scalable, and easy-to-implement platform. However, until recently, regulated defense suppliers have not been able to easily adopt a Cloud PLM for full product control across all product lines. Instead, they have settled for the inferior solutions we discussed earlier, all of which require responsibility burdens outside of the work of developing and delivering products to customers.
With the advent of regulatory maturity, plus the U.S. government’s own Cloud First, Cloud Smart[ii], and Gov cloud initiatives, and superior technology and platform advances, secure government-grade Cloud PLM is now a reality. Defense manufacturers can have a modern and empowering Cloud PLM, benefitting from a better shared-responsibility security model.
If your company participates in the defense industry, check out the Cloud PLM that will help address your ITAR and EAR regulatory needs, while empowering your teams with one source of product truth. Very soon, the same proven Arena PLM solution used by over 1,400 leading manufacturers will be available for our defense supply chain customers.
For more information, read our ebook.
Disclaimers and References
[i] ITAR and EAR regulations are complex, and Arena is not offering any legal advice or counsel for any reader of this blog, nor should you take our statements as guidance to supersede your responsibilities to comply with these regulations.