In the realm of export controls, “technical data” refers to a critical component of information that accompanies physical items or technology. It encompasses a wide range of data, including blueprints, diagrams, schematics, formulae, engineering designs, plans, photographs, manuals, and documentation. Technical data provides detailed instructions, specifications, or knowledge about how a particular product or technology functions, is produced, or can be modified.
Understanding technical data is essential because it is often subject to export control regulations, both under Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR). Technical data can be just as sensitive as the physical items or technology themselves, and controlling its export is crucial for safeguarding national security, protecting intellectual property, and preventing the proliferation of certain knowledge or technology to unauthorized parties.
Here are key aspects of technical data in the context of export control:
Export-controlled technical data is any information or related data that cannot be released or transferred to foreign countries or representatives of a foreign nation, without first obtaining approval or license. “Technical Data” refers to technical information beyond general and basic marketing materials about a controlled commodity. It does not refer to the actual product or the controls that accompany it. Some examples include technical documentation for software, or blueprints, photograms, or diagrams that include technical specifications.
To transfer any of these materials internationally, you must abide by and be compliant with Export Control Regulations. Export Control Regulations have existed since the 1940s and differ depending on what export a certain enterprise may deal with. Some of the predominant regulations include the Export Administration Regulations (EAR) implemented by the Dept. of Commerce, The International Traffic in Arms Regulations (ITAR) implemented by the State Department, and the Office of Foreign Assets Control (OFAC) implemented by the Treasury Department.
These Regulations exist as a means to protect national security interests, the unregulated transfer of technology could aid international threats and enemies of the state. These regulations do not solely apply to the purchasing and selling of products and the associated technical data but also include the collaboration of foreign partners and even non-us citizens within the United States.
A proper grasp of Export Control Regulations, and the controls associated with them, is the gateway for enterprises and organizations to operate on an international scale. These regulations impact more than just an organization’s business transactions but other activities, such as research and collaboration as well. The more a company grows and expands the more they will have to adhere to these regulations and the more likely they will accidentally incur penalties without proper procedure.
Each violation of export control regulations can lead to fines of up to $1,000,000,000 and jail time of up to 20 years. Besides monetary penalties and imprisonment, these violations can also lead to the debarment from all government contracts as well as the loss of a companies export privileges. Essentially barring companies from looking to do business internationally.
If you are trying to figure out if your technical data is controlled under the U.S Export Administration Regulations, the first thing you should do is check if it has been assigned an Export Control Classification Number (ECCN). These numbers are also associated with the reason why the export is controlled and will let you know what license if any, your organization needs to apply for.
A detailed data organization should also be implemented. The labeling of all technical data should be marked whether or not is deemed for export as well as whether or not it is controlled/restricted by ITAR or EAR. This should also apply to any external storage that technical data is stored on such as hard drives and USB devices. Depending on how large your organization is, it might be beneficial for your technical data labels to include which partner the data is associated with as well as its correlating ECCN classification number.
One of the best ways to avoid accidental violations is to implement an automated Attribute-Based Access Control (ABAC) solution. This access control method dictates access and privileges to data and files based on a number of attributes that could include location, nationality, and citizenship. This means that even if a foreign citizen had gained access to your cloud system, whether it be through an accidental email or link they would not be able to access these files, avoiding an accidental violation.
Another common practice is including an export control section in your annual company training. Ensure that employees know that emailing or transferring technical data, even internally, can be considered regulation violations if the proper procedures haven’t been followed. It is also a good idea to clarify what actions and data are controlled by export regulations.
Many businesses struggle with understanding the complexity of export control regulations surrounding technical data. Having a good understanding of these requirements and mapping them to your business processes will help you determine what controls you need to focus on to be compliant.
One example of a commonly misinterpreted regulation is within ITAR, these regulations relate to prohibiting the export of “Defense Articles.” Many enterprises interpret “Defense Articles” as relating solely to their products, in reality, “Defense Articles” refers to both the products, and technical data and services associated with said products. Exports to non-US countries without a proper export license, relating to both the product and its technical data and services, would constitute a violation.
Another common misinterpretation is what truly constitutes an “export.” Many consider an “Export” to be products and technical data that is in some way transferred to other countries. However, “Exports” also include the access of technical data by foreign persons, including access by foreign workers on US soil. Routing or storing technical data through servers or storing data in file shares located in other countries can also constitute a violation.
In today’s digital economy, enterprises need to enable a workforce that is both highly mobile and increasingly global and collaborate and share data across global supply chains. Most modern enterprises work with outsourced manufacturing partners to produce quality products cost-effectively, as well as manufacture for and trade with overseas customers.
Following regulations when exporting your technical data is only half of achieving compliance, the other half is proving compliance. This is best done by creating and keeping track of a comprehensive audit trail. This means keeping tabs on your data, including who has access to it, who has accessed it, and who it has been sent to. However, this can be difficult to manually, which is why many people turn towards automated compliance solutions.
A quality automated compliance solution will streamline your export regulation process by applying policies across the servers, applications, and workstations where technical data is managed and stored. These policies assist in controlling who can access, share and edit data in order to prevent compliance violations caused by human error.
When looking for automated compliance solutions, keep in mind a few key aspects:
Implementing an end-to-end export control solution becomes increasingly critical as it addresses the multifaceted challenges of tracking shipments and managing diverse technical documentation throughout collaboration with customers and suppliers. Automating export compliance not only enhances accuracy but also streamlines operations, reducing the burden of handling technical data from various sources, such as SAP, extranet platforms like SharePoint or cFolders, and email communications.
To streamline the automation of technical data export compliance, enterprises should apply the following 4 best practices:
Many enterprises today, when faced with a new export-controlled project, often resort to setting up a new instance or resorting to custom ABAP programming to regulate access through specific transactions. These endeavors demand a considerable amount of energy and effort, often spanning several months to become fully operational.
Implementing a platform that enables enterprises to effortlessly define their export authorization parameters will be crucial in these situations. These parameters could encompass defining what constitutes a “US person” or delineating the boundaries of “technical data.” With pre-defined criteria in place, seamless combination becomes possible for crafting coherent policies and authorizations. The outcome is streamlined and straightforward policies, such as “only individuals classified as US persons within Project X are authorized to access Project X’s technical data.”
An effective framework holds significant importance, as the ability to readily define which documents, SAP objects, and other data fall under export control is fundamental to effective access management. Various methods can be employed for this purpose. By utilizing GTS to classify products and materials, classifications can be inherited or imported from GTS and extended to encompass their data.
Alternatively, data can be classified by introducing attributes that align with specific needs, such as export license numbers or proprietary IP security parameters. Associative mechanisms can then be employed to propagate these classifications throughout all associated documents.
Furthermore, it’s essential to acknowledge that information about users carries equal weight. Their geographical location and nationality serve as critical attributes in determining the necessity of an export license and whether access should be granted. Additionally, considerations stemming from the organization’s IP security perspective, such as project designations, hold significance in this context.
What complements the previous points is the capacity to harness this information for access control. Consider a policy stipulating that “only individuals meeting the criteria of a US person located in US premises can access ITAR technical data.” In this seemingly conversational English policy, there are at least three decisive attributes at play: first, the classification of the content as technical data; second, the definition of a US person; and third, the delineation of a US location. The objective is to implement an access control mechanism, such as Attribute-Based Access Control (ABAC), that enables the dynamic adjudication of access decisions at the point of entry, guided by pertinent attributes. ABAC offers the capability to regulate data-level access within SAP, encompassing materials, documents, BOMs, routings, and transactions such as those within your folders.
The final aspect to consider is the establishment of comprehensive record-keeping and reporting capabilities. This ensures that, when the necessity arises for reporting, the requisite data is readily available in a centralized repository.
Export control entails numerous reporting and compliance obligations, underscoring the importance of implementing policies that automate the logging of pertinent information. For instance, a best practice is to log every instance when a user attempts to access technical data, regardless of whether the access request is approved or denied. This proactive approach is vital to meet regulatory requirements and maintain comprehensive compliance records.
To achieve comprehensive end-to-end control, an organization needs more than just a trade management system like GTS—it requires effective integration with advanced technical data control systems.
To learn more about automating technical data export compliance, read our Electronic Export Compliance whitepaper.
Zero Trust Data Centric Security
NextLabs® patented dynamic authorization technology and industry leading attribute-based zero trust policy platform helps enterprises identify and protect sensitive data, monitor and control access to the data, and prevent regulatory violations – whether in the cloud or on premises
To comment on this post
Login to NextLabs Community
NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.
Don't have a NextLabs ID? Create an account.