ITAR vs EAR vs FAR vs DFARS
If you are part of the Defense Industrial Base (DIB), it is common to have questions pertaining to cybersecurity requirements for International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), since ITAR, EAR, FAR and DFARS each serve different regulatory masters, sometimes with conflicting guidance (e.g., FIPS-validated vs FIPS-compliant encryption requirements). There are multiple stakeholders that have to be identified and their roles understood:
If you take the time to read through ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that are required to protect ITAR/EAR data. This is where NARA comes into play through its authority to operate the US Government's Controlled Unclassified Information (CUI) Program, where "export controlled" information has its own unique CUI category - https://www.archives.gov/cui/registry/category-detail/export-control.html.
ITAR/EAR CUI Category: Export Controlled (CUI//SP-EXPT)
NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.
Minimum Cybersecurity Requirements for ITAR / EAR
While it might be possible that there is some ITAR/EAR that falls outside of NARA's classification of "export-controlled" information, the reality is NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason that NIST SP 800-171 is considered a "minimum" is that the controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.
There are no products listed under this category.
-
NIST 800-171 R2 to R3 Transition Guide
Sooner, rather than later, the US Government's global supply chain will have to transition to NIST 8...
-
NIST 800-171 R3 Kill Chain
The CMMC 2.0 & NIST 800-171 R2 version of the CMMC Kill Chain introduces the theory of constrain...
-
NIST 800-171 R3 In A Nutshell
It is worthwhile to take a look at NIST 800-171 R3 through a People, Process, Technology, Data &...
-
NIST 800-171 R3
NIST 800-171 Rev 3 was released on 14 May of this year, and it contains significant changes from the...