Demonstrating ITAR, EAR, and CMMC Compliance to Gain Market Advantage

What ITAR/EAR/CMMC Means for Secure Product Development

To support ITAR/EAR/CMMC-compliant product development, manufacturers need to adopt measures that ensure technical data and technology—including identified product information—remain accessible where allowed and needed while protecting against loss or unauthorized access. Individual needs and requirements will vary by organization, but generally span three areas.

Secure Product Development

Data Location

ITAR- and EAR-regulated data must remain in the specified geographic location: the United States. Public commercial cloud services may not meet these requirements, as data can reside in non-U.S. locations or cross geographic borders during transit. While on-premises systems certainly meet geographic location restrictions, such solutions also may not provide team-empowering, traceable ways to collaborate on product development.

Cybersecurity Protections

Systems handling ITAR/EAR/CMMC data should adhere to standards and best practices for ongoing management, monitoring, and review of the multiple security layers (physical, infrastructure, and application). Other needed protections include levels of encryption for in-transit and at-rest data. On-premises solutions may or may not provide these protections, depending upon variables of systems, networks, policy definitions, and IT practices. Some commercial cloud offerings, either public or private, do not necessarily provide these protections.

Companies using commercial cloud solutions must ensure that their cloud service provider has FedRAMP Moderate Baseline or Equivalent level security in place to meet CMMC requirements.

Proper cybersecurity measures encompass:

  • Documented plans, policies, and procedures for addressing system security controls, incident response, and risk mitigation
  • User access controls to ensure that only authorized individuals (both internal and external) have access to sensitive product information
  • Continuous monitoring for system weaknesses and assessment of security control effectiveness
  • Training for employees and external partners on how to mitigate cybersecurity risks, handle sensitive product information, and respond to security breaches

Sophisticated Access Management

Manufacturers must consider data classification and user access since not all product data will be subject to ITAR, EAR, or CMMC. Backend access to the PLM platform must be controlled and restricted to U.S. persons only for ITAR/EAR compliance. Most commercial cloud solutions do not provide these controls; compliance of on-premises solutions depends on the product company’s IT resources, physical server location configuration and access, and controlled network security layers.

Manufacturers need the ability to easily identify the technical data that must be ITAR/EAR compliant, and therefore limit access to specific individuals while providing broader access to non-ITAR/EAR technical data. Additionally, companies need visibility into who has accessed sensitive data and when they accessed it.
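The three requirements in this section (classify the data, restrict export-controlled items to cleared U.S. persons, and keep a record of who touched what and when) can be expressed as a single access-decision function that always writes an audit event, whether the request is granted or denied. The following is an added illustration written for this page; it is not a PLM product's API. The labels, the user attributes (U.S.-person status, session country, cleared labels) and the sample users and parts are all constructed for the example.

```python
"""Added example: classification-aware access control with an audit trail.

Illustrative code written for this page, not a PLM product's own API.
Labels, user attributes and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Label(Enum):
    """Data classification attached to every product item."""
    UNRESTRICTED = "unrestricted"
    EAR = "ear"
    ITAR = "itar"


@dataclass(frozen=True)
class User:
    name: str
    us_person: bool
    location: str            # ISO country code of the current session (assumed attribute)
    cleared: frozenset       # labels this user is authorised to view


@dataclass(frozen=True)
class Item:
    part_no: str
    label: Label


@dataclass
class AuditEvent:
    ts: str
    user: str
    part_no: str
    label: str
    decision: str
    reason: str


AUDIT_LOG: list = []


def decide(user: User, item: Item) -> tuple:
    """Return (allowed, reason). Export-controlled data is released only to
    U.S. persons whose session originates in the U.S., and only when the user
    is cleared for that label. Unrestricted data needs no special check."""
    if item.label is Label.UNRESTRICTED:
        return True, "unrestricted data"
    if not user.us_person:
        return False, "not a U.S. person"
    if user.location != "US":
        return False, f"session outside U.S. ({user.location})"
    if item.label not in user.cleared:
        return False, f"not cleared for {item.label.value}"
    return True, "cleared U.S. person in U.S."


def access(user: User, item: Item) -> bool:
    """Make the decision and always record it, so 'who accessed what and when'
    can be answered for denied attempts as well as granted ones."""
    allowed, reason = decide(user, item)
    AUDIT_LOG.append(AuditEvent(
        ts=datetime.now(timezone.utc).isoformat(),
        user=user.name, part_no=item.part_no, label=item.label.value,
        decision="ALLOW" if allowed else "DENY", reason=reason))
    return allowed


def accesses_for(part_no: str) -> list:
    """Audit query: every recorded attempt against one item."""
    return [e for e in AUDIT_LOG if e.part_no == part_no]


# Constructed sample users and items
ENGINEER = User("alice", us_person=True, location="US",
                cleared=frozenset({Label.ITAR, Label.EAR}))
CONTRACTOR = User("bob", us_person=True, location="DE",
                  cleared=frozenset({Label.EAR}))
PARTNER = User("chen", us_person=False, location="US", cleared=frozenset())

BRACKET = Item("BRK-0001", Label.UNRESTRICTED)
ACTUATOR = Item("ACT-2200", Label.ITAR)

if __name__ == "__main__":
    for u in (ENGINEER, CONTRACTOR, PARTNER):
        for i in (BRACKET, ACTUATOR):
            print(u.name, i.part_no, "ALLOW" if access(u, i) else "DENY")
    for e in accesses_for("ACT-2200"):
        print(e)
```

The ordering of the checks matters for the audit trail: the reason recorded is the first control that failed, so a reviewer can distinguish a non-U.S. person from a U.S. person connecting from abroad from a U.S. person who simply lacks clearance for that label. Unrestricted items short-circuit the export checks, which is what lets non-ITAR/EAR data stay broadly accessible without a separate code path.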