Government procurement requirements stipulate that prime contractors with ITAR or EAR obligations must include those obligations in any agreements with subcontractors that may handle the export-controlled product or service at any time. If you’re a service provider to the U.S. federal government or a prime federal contractor that handles export-controlled products or provides export controlled services – whether to civilian agencies or the Department of Defense (DoD) – you may need to comply with the requirements of the ITAR, EAR, or similar federal export regulation. ITAR or EAR export regulations may impact your organization if you meet any of the following criteria:

• You produce, maintain, and/or export items on the United States Munitions List (USML).
• You provide defense articles and services.
• You produce items or “know-how” that is listed on the Commerce Control List (CCL).
• You provide IT or cloud services to prime contractors or federal agencies that store, process, or transmit export-controlled data using your services.

Although ITAR, EAR, and other federal export regulations do not set strict cybersecurity requirements, cybersecurity controls are almost always needed to implement an effective export compliance program within your organization. And for both regulations, compliance is not optional – it’s the law.

Spotlight on cloud

Although most cloud service providers (CSPs) are not in the business of manufacturing export-controlled products or services, many CSPs find themselves engaging in business with customers with export control needs. Due to the nature of ITAR, EAR, and other export control regulations, CSPs are often required to demonstrate compliance with export control regulations to win business and avoid censure or criminal prosecution. As the largest cloud security assessor, we have extensive experience assessing cloud environments against FedRAMP®, DoD Security Requirements Guide (SRG), and other cybersecurity requirements and are well equipped to support CSPs navigating export control cybersecurity contract obligations during their quest for authorization.

How Coalfire helps

Our team of advisors and assessors work with your organization to help you understand ITAR and EAR export control requirements and how they impact your cybersecurity strategy and implementation. We provide advisory and assessment services designed to help you navigate the entire cybersecurity aspect of the export control compliance process and successfully respond to your  specific cybersecurity needs. Our services include:

• Export control cybersecurity advisory
  • Scoping and gap analysis support for organizations and in-scope information systems
  • Generation of advisory opinions to support scoping rationale and compliance determinations
  • Implementation support for applicable security controls and contract obligations
  • Documentation development support, including system security plan (SSP) and plan of action and milestones (POA&M) preparation
• Export control cybersecurity assessment
  • Assessment of security controls
  • Assessment and evaluation of overall compliance with cybersecurity contract obligations
  • POA&M validation and monitoring
  • Compliance recommendation for organizations and in-scope information systems
  • Continuous compliance monitoring