The US International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) are export control regulations administered by the US government, but they assert extraterritorial jurisdiction over the items they cover. Australian businesses, in areas ranging from high-tech military to dual-use technologies, must ensure their compliance with these regulations.
In September 2018 we wrote an article explaining the regulations, with a particular focus on the measures that need to be considered to maintain compliance. We have since been made aware via ADF personnel in the US of the biggest risks in the current environment.
The protection of Technical Data was highlighted as the greatest priority, with the US Departments of State (ITAR) and Commerce (EAR) likely to treat any such breach very seriously. The recent expansion of the Australian Cyber Security Centre (ACSC) and amalgamation within the Australian Signals Directorate (ASD) suggests the Australian Government is similarly looking at the protection of technical data as a priority for industry. This is supported by the increase in cyber and intelligence activity attributed to external adversaries who have succeeded in obtaining data from a small number of Australian businesses.
ACSC has published the Top Four and Essential Eight lists of strategies to mitigate cyber security incidents. These strategies need to be implemented by all players in Defence industry, from primes to the smallest SME, to protect the technical data inherent to ADF capability.
Defence Industry enterprises can expect to face increasing emphasis on improving their security posture. The reality of evolving cyber threats makes this a certainty.
The US has a number of requirements in place to protect technical data. National Institute of Standards and Technology (NIST) Special Publication 800-171 sets out the US recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). It applies when CUI is resident in non-federal systems and organisations. The security requirements apply to all components of these systems and organisations that process, store, or transmit CUI, or that provide security protection for such components.
As computing platforms and technologies are deployed worldwide, and systems and components are increasingly interconnected through wired and wireless networks, the susceptibility of CUI to loss or compromise grows.
The purpose of NIST 800-171 is to provide US federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a non-federal information system, such as those of contractors. The standard applies to any prime contractor or sub-contractor who works on US government projects, where it is highly likely they have access to CUI and thus need to implement the necessary controls.
Australian supply chain enterprises should familiarise themselves with NIST 800-171, as they are increasingly likely to encounter it in future contracts. Some Australian suppliers are already participating in contracts that specifically challenge them about their security posture against NIST 800-171. Primes have indicated that the guidelines in 800-171 will be a future contract discriminator.
It should also be noted that the intentions of ITAR and NIST 800-171 overlap in many areas. Enterprises mindful of both stand to gain significant security benefits. Such enterprises will also gain access to contract negotiations that exclude non-participating enterprises.
Note: Kevin Chenney is a senior consultant with Goal Professional Services. Ray Harvey works in Internal Threat Business Development at Cider House ICT, a Goal Group member.