The term “ITAR compliance” is a misnomer. Unlike FedRAMP and other compliance frameworks, there is no formal “ITAR Compliance” or “ITAR Certification” process. Organizations that fall under ITAR need to understand how the regulations apply to them and set up internal policies and controls to protect ITAR technical data.
Let’s examine what ITAR is all about, and how Keeper’s cybersecurity suite can help you comply with it.
What Is ITAR Compliance?
The International Traffic in Arms Regulations (ITAR) regulate U.S. imports and exports of space- and defense-related articles and services as described on the United States Munitions List (USML). In addition to space shuttles and torpedoes, the USML also includes what ITAR refers to as “technical data”: things like plans, diagrams, photos, and other documentation used to build space shuttles, torpedoes, and other military and space hardware.
From a cybersecurity and IT compliance standpoint, ITAR requires companies to ensure that only “U.S. Persons” can access technical data. It’s important to note that the phrase “U.S. Persons,” as ITAR defines it, refers not only to people who are U.S. citizens or lawful permanent residents, but also any organization that is incorporated to do business in the U.S., as well as federal, state and local government entities.
Typically, ITAR compliance with regard to technical data involves ensuring that all data centers are located in the U.S. and managed solely by U.S. Persons. Further, organizations must ensure that only U.S. Persons can access technical data.
Which Organizations Must Comply with ITAR?
Organizations that sell products or services to the United States Department of Defense (DoD) – or who sell to companies that do – must be compliant with ITAR regulations. This means that every organization in the DoD supply chain must comply with ITAR, from prime contractors on down, including wholesalers, distributors, and IT service providers.
Keeper Security Government Cloud (KSGC) is ITAR Compliant
As a FedRAMP in-process (Moderate Impact Level) cloud services provider, and the first and only password manager to be listed on the FedRAMP marketplace, Keeper is well-positioned to help organizations achieve ITAR compliance.
Hosted on AWS GovCloud
Keeper’s FedRAMP environment, Keeper Security Government Cloud (KSGC), is hosted on AWS GovCloud, which uses only U.S.-based data centers that are accessible only by U.S. Persons. All data stored in AWS GovCloud is encrypted both in transit and at rest.
U.S.-Based Platform Designed, Managed & Supported by U.S. Persons
All Keeper software engineers and DevOps personnel who work on KSGC are U.S. Persons, all KSGC source code is developed in the U.S., and access to the KSGC environment is tightly restricted to Keeper personnel who are U.S. Persons.
Further, KSGC has dedicated, U.S.-based Customer Success and Customer Support teams who have been trained in the safe handling of ITAR-governed technical data.
Granular Permissioning Controls
In addition to giving IT administrators complete control over employee password usage, Keeper’s top-rated password management solution offers granular role-based access controls (RBAC) with least-privilege access. Using Keeper, administrators can ensure that only U.S. Persons can access ITAR technical data, and that they can access only the data they are authorized to.
Zero-Knowledge Security Architecture
Keeper is a zero-knowledge security provider. Zero Knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:
1. Data is encrypted and decrypted at the device level (not on the server)
2. The application never stores plain text (human readable) data
3. The server never receives data in plain text
4. No employee or intermediary can view the unencrypted data
5. The keys to decrypt and encrypt data are derived from the user’s master password
6. Multi-layer encryption provides access control at the user, group and admin level
7. Sharing of data uses Public Key Cryptography for secure key distribution
Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.
The user’s record data remains encrypted the entire time: from the moment it leaves the end-user’s device, while it transits the Internet, and while it is stored in the Keeper vault. This means that no one – not even Keeper’s own employees – can decrypt the data our users store in their Keeper vaults. The data can only be decrypted on the end-user device with the master password.
The method of encryption that Keeper uses is a well-known, trusted algorithm called AES (Advanced Encryption Standard) with a 256-bit key length. Keeper uses PBKDF2 with HMAC-SHA256 to convert the user’s master password to a 256-bit encryption key with a minimum of 1,000 rounds. Each user has a 2048-bit RSA key for the secure sharing of record data.
Zero-Trust Access Policies
Keeper enables IT administrators to enforce comprehensive password security organization-wide, which supports the user and device verification at the core of the zero-trust security model. This includes the use of strong, unique passwords for every account and multi-factor authentication (MFA) on all accounts that support it.
Robust Compliance Auditing & Reporting
KSGC produces a traceable, electronic audit trail of all actions performed or data entered within the environment. Using Keeper’s Advanced Reporting and Alerts (ARAM) module, IT and security administrators can also receive real-time email, SMS text, or webhook notifications of unusual or potentially risky behaviors; automatically feed real-time event data into an external spreadsheet or SIEM solution; and create custom, time-based reports for internal use, compliance audits, or both.