Navigating export regulations


Balancing defense regulatory compliance with modern product development needs.


The aerospace and defense (A&D) market demands product development efficiency, quality, technological innovation, and regulatory compliance. Many A&D products are subject to export regulations, including International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR), requiring compliance in technical data handling and access.

Regulations stipulate that any technical data deemed controlled by ITAR or EAR must not be exported during design, production, or sustaining activities unless covered under an export license. [1]

In practical terms:

  • ITAR- and EAR-regulated data must remain in the U.S. and be accessible only to U.S. persons
  • Data must be encrypted both in transit and at rest
  • Platforms containing regulated product data must control and restrict access to only U.S. persons

These regulations ensure companies have tight control over all regulated technical data, including controlled unclassified information (CUI). The registered manufacturer defines what technical data in the product record is under export control based on the product, how the government classifies the product, and what product features are of interest to the U.S. government. Technical data can include file names, component descriptions, engineering drawings, specifications, test procedures, and bills of materials. All restricted data must be tightly controlled by standard policies and procedures for access, audit history, and incident reporting.

The regulations cover any method of access to systems where restricted data is stored: operating systems, applications, IT assistance, and system maintenance. All information-sharing methods require control, including email, faxes, and physical deliveries.

Complex products, development

Increasing complexity – mechanical products becoming electro-mechanical, electro-mechanical products embedding software and Internet of Things (IoT), artificial intelligence (AI), and machine learning – makes regulatory compliance more difficult.

Of the top 10 business threats to the A&D industry identified by Ernst & Young [2], four relate directly to product complexity in compliance, strategy, and operations – creating supply chain management burdens, innovation challenges, quality and time-to-market stresses, and overall performance stresses. A&D companies must prioritize product data control, transparency, and availability to overcome these challenges.

Digitizing the complete product record can advance intelligence, improve manufacturing, and increase quality. However, companies won’t experience those benefits until they control the product record in one digital form. This digital copy allows all design, release, and service activities to flow from the same view across all products.

Managing export-controlled data

Legacy business software solutions, developed before modern security advancements, don’t support the complex product work needed for efficiency, speed, and quality. Homegrown desktop apps, spreadsheets, and local file servers can suffice for a time, but none of them let a company scale the business, optimize processes, or exceed quality and market goals. Most of them can’t adequately address the security and location-based restrictions federal regulators demand without added cost and risk.

ITAR and EAR regulations impact every tool and method of storing and accessing controlled technical data:

  • Physical and logical layers, hardware, operating systems, networks, protocols
  • Platforms, applications
  • Product data structures
  • Data classification
  • End-user controls
  • Access management

Regulations stipulate specific requirements, and the responsible owner for each layer must ensure requirements are met, including policies and procedures, incident reporting, and maintenance activities.

De-mystifying ITAR, EAR

Management should confer with compliance officers and legal counsel to determine:

  • Whether the product requires registration under ITAR, EAR, or both
  • What in the product data is under export control
  • Which requirements, beyond specific regulations, must also be met
  • How each requirement is being met and who is responsible for it

Security controls have the highest priority when adopting or changing product lifecycle management (PLM) systems or digitizing complete product records. Modern systems allow regulatory compliance and improve business operations by offering collaboration functions.

Technologies and practices have progressed to the point that U.S. government agencies use various secure cloud tools for everyday business, such as the Cloud First, Cloud Smart, and GovCloud initiatives. [3] Regulatory bodies have recognized this technological maturity, updating regulations to account for more collaborative cloud options.

Arena Solutions

References

1. ITAR and EAR regulations are complex, and the author is not offering any legal advice or counsel for any reader, nor should you take this article as guidance to supersede your responsibilities to comply with these regulations.
2. “Top 10 risks in aerospace and defense (A&D).” Ernst & Young, 2017.
3.