Secure ITAR and EAR Product Development in the Cloud

Demonstrating Compliance to Win and Keep More Business

What ITAR/EAR Means for Secure Product Development

To support ITAR/EAR-compliant product development, manufacturers need to adopt measures that ensure technical data and technology – including identified product information – remain accessible where allowed and needed while protecting against loss or unauthorized access. Individual needs and requirements will vary by organization, but generally span three areas.

Secure Product Development

Data Location

ITAR- and EAR-regulated data must remain in the specified geographic location: the United States. Public commercial cloud services may not meet these requirements, as data can reside in non-U.S. locations or cross geographic borders during transit. While on-premises systems certainly meet geographic location restrictions, such solutions also may not provide team-empowering, traceable ways to collaborate on product development.

Cybersecurity Protections

Systems handling ITAR data should be designed to adhere to standards and best practices for ongoing management, monitoring, and review of the multiple layers (physical, logical, and application). Other needed protections include levels of encryption for in-transit and at-rest data. Commercial cloud offerings, either public or private, do not necessarily provide these protections. On-premises solutions may or may not, depending upon variables of systems, networks, policy definitions, and IT practices.

Sophisticated Access Management

Backend access to the PLM platform must be controlled and restricted to U.S. persons only. Commercial cloud solutions do not provide these controls; compliance of on-premises solutions depends on the product company’s IT resources, physical server location configuration and access, and controlled network security layers. Manufacturers must also consider data classification and team data access. Not all product data will be subject to ITAR or EAR.

Manufacturers need the ability to easily identify the technical data that must be ITAR compliant, and therefore limited in access to particular individuals, while conversely providing for less-limited access to non-ITAR technical data. Additionally, companies need visibility of who has accessed technical data and when they accessed it.