RegDOX Solutions

The Secure Data Room solution provider for Corporate, EAR, DFARS and ITAR compliance in the cloud.

CALL US NOW: +1.800.517.3171
ADDRESS: 1 Elm Street, Suite 201, Nashua, NH 03060

Are Browser Plugins a Necessary Evil?

By

This weekend, we did a little ‘housekeeping’ and went through an old machine. We took a look at the Google Chrome browser and pulled up all the plugins. What to our surprise did we see on a VPN plug-in: A red triangle with an exclamation point and the words, “This extension contains malware.” (Yes, the irony is strong with this one).

Our minds immediately thought several things at the same time:

  1. Who does quality/screening for plugins in the store? What does this process look like?
  2. How can you know enough about my browser to feed me this warning (I am pretty sure I would not have downloaded this if the warning had been there previously)?
  3. What else do you know about my plugins? My browsing history?
  4. Why didn’t Elton John go with ‘John Elton’?

So, after reviewing a few other plugins, we saw something that we found ‘concerning’. Many plugins required a LOT of permissions when installing, so they could ‘function properly’.

What exactly is ‘a lot’? Well, take a look at a VPN Chrome extension:

  1. Read and change all your data on the websites you visit
  2. Display notifications
  3. Manage your apps, extensions, and themes

WHY would you ever give a plugin the ability to read and CHANGE data on the sites you visit?! Or manage other apps, extensions, and themes (keep in mind that this particular plugin was supposed to keep communications private and secure)?

The answer is: Because apparently, we don’t get a choice. Any extension that interacts with websites will almost always require “Read and change all your data on the websites you visit” permission.

Our good friends over at howtogeek.com also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it. So, that’s something?

Chrome has a permission system for its extensions, while Firefox and Internet Explorer do not. Every Firefox and Internet Explorer extension has full access to the entire browser and can do anything it wants.

OK…so Explorer/Edge and Firefox, are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out the Netscape 3.0 floppy disk.

What should you do when faced with this scary warning? Theoretically, do not worry. Any ‘store’ that offers browser extensions should have a screening process monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.

The ‘best practice’ is the usual when installing any type of software.

  • Ask if you really need it
  • Is there an alternative?
  • Is it worth the risk?

You may want to run some anti-virus/malware scans on your device after installing it – just to be safe. Something to think about when you’re not freaking out about all the other things happening.

Stay Safe!

Cybersecurity Nightmares

By

A nightmare is usually defined as,” a frightening or unpleasant dream”, and while we tell children that there are no such things as ghosts or bogeymen, there are real cyber nightmares that have happened and could happen. Some of the most significant events in recent years that have caused many people to cower in fear are discussed below.

2020 Election

If there is one thing that has been in the news for literally years now, is that the 2020 US election was a major target for foreign entities across the globe. Casting doubt on the validity of the election was intended to sow dissent and cause chaos-it has succeeded. Allegations of missing votes, improper counting of ballots, miscounting, or even stealing and destroying votes have all been put forth as reality by several groups. Using social media platforms, these agents caused immeasurable damage and chaos amongst US citizens.

Microsoft detected cyberattacks targeting people and organizations in the presidential election predominantly from groups operating in Russia, China, and Iran -although accurate attribution is a very difficult thing to prove with 100% accuracy. Both candidates’ campaigns were targeted, including social engineering/Phishing attacks on campaign staff, vendors, and consultants.

Vulnerable Children’s Devices

As a parent, we worry about our children and go to great lengths to protect them. Sometimes the tools we use to protect them make them even more vulnerable. Researchers at the Münster University of Applied Sciences in Germany found vulnerabilities in several different children’s smartwatches, allowing for the tracking, listening to voice messages, and reading text messages. These weaknesses could allow for exploitation of the communication channels to such an extent, that a malicious individual could send voice and text messages purported to be coming from parents. The potential for abuse is beyond scary, and despite responsible disclosure, some of the manufacturers have still not addressed all the concerns.

Bluetooth Vulnerability

Do you have a cellular phone? Of course, you do. You may even be reading this on your phone now. Phones have become ubiquitous around the world, and nearly every phone has the ability to connect to other devices (headphones, speakers, etc.) through a wireless technology commonly called “Bluetooth”. Bluetooth is generally limited to a range of fewer than 10 meters or 30 feet, but for most users, this is plenty of range. For example, you wear headphones on your head, and your phone is in your pocket. Bluetooth is extremely popular and has been a target for abuse for many years.

In September of 2009, the Bluetooth SIG organization announced a vulnerability that could affect hundreds of millions of devices around the globe. The flaw could allow an attacker to connect to a device without any authentication. While you may not care if some criminal listens to your favorite Swedish Death-Metal band, this vulnerability could allow someone to access data on your cell phone. Most people have a lot of information and personal items on their phones, including passwords and photographs of family and friends – some of which you may not want to be published on the internet. Additionally, many laptops have a Bluetooth device that you may or not even be aware of.

Technology and the tools we use can be an incredible thing, bringing music, information, and instant communication to our lives. But that same technology can also expose us to more risks, dangers, and cause nightmares for people around the world.

For more information on these nightmares:

Top Videos for Learning About CMMC

By

While traditionally people have learned things through reading, many people prefer to learn about things by watching videos. Regardless of the method you prefer, there are many resources available for educating yourself on the Cyber Maturity Model Certification (CMMC). The following list of videos is for educating people on the history of the CMMC, each of the 5 levels, and some professional perspectives.

Introductory and Background Videos

These videos are pretty basic, but are good at introducing CMMC:

Probably the best video out there about the impetus, evolution, and future by Jacob Horne: The Fascinating History of CMMC as Told by Jacob Horne

Comprehensive CMMC Videos

Summit 7 has a lot of videos that address various cybersecurity topics. They have a series where they break down CMMC at each level.

They also sponsor speakers like Bob Metzger:

Sabre On Point also has a very comprehensive series: CMMC Vlog Series

Professional Services Corporations Perspective

Baker Tilly: CMMC Series

IT Governance USA: Cybersecurity Certification for US Government Contractors

Government

National Cybersecurity Training & Education Center (NYCTE) has an extensive video section, a 4-part series: CMMC Workshop

Official Videos

The CMMC Advisory Board (CMMC-AB), the body in charge of implementing the guidelines,
has some thorough training videos: The CMMC Training Ecosystem

As more and more videos become available, we will continue to update and add to this list. If you prefer reading, RegDOX has a detailed analysis on CMMC and its future available for download here. Happy learning!

The Cost of Non-Compliance

By

“If you think compliance is expensive, try non-compliance.” former U.S. Deputy Attorney General Paul McNulty – June 2009
Paul McNulty really did say it best. Many organizations feel that the cost of compliance is too great a burden to undertake and run the risk of a catastrophic event. Taking out the ethical and moral issues, there are several risks the company runs if a successful cyber-attack on your organization, or any other breach of protocol due to non-compliance that can be very damaging to your business.

WHY DOES MY ORGANIZATION NEED TO BE COMPLIANT?

Compliance with regulations is designed to prevent bad things from happening. If you follow the rules, then your information should be protected. If you do not…bad things can happen. We equate compliance with having an insurance policy. The policy will only protect you if you have followed the rules. You really do not want to find out that your systems were not compliant after an attack.

IS COMPLIANCE THE SAME AS BEING SECURE?

No. You can be secure without being compliant and you can be compliant without being secure. Almost every major attack that has occurred in the past few years was not due to some major hole in security, or some gross disregard for compliance. It would be safe to say that the vast majority of organizations that have been attacked had some measure of compliance in place. The two are separate concepts that most people often get confused about.

Consider that a restaurant with a stove is required to have fire extinguishers (in case of fire). Having or not having the extinguisher is not going to make a difference on whether a fire starts or not. It may not make a difference if a fire starts, regardless. BUT…. having the fire extinguisher at the site can and should alleviate most minor fires. If a restaurant does not have the extinguisher, they are going to have a much more difficult time filing an insurance claim.

If your organization gets attacked and you had insufficient resources or procedures in place, you’re going to have a hard time defending your ‘adequate compliance measures’.

CAN WE GET FULLY SECURE IF WE ARE COMPLIANT?

No. There are some security measures that cannot be implemented if you want to function in business. If you lock down every computer and disconnect from the Internet, you’ll be safer, but you won’t be able to do your business. Compliance is about minimizing risk not removing it.

WHY WOULD MY ORGANIZATION GET ATTACKED?

EVERY organization is a target. Defense subcontractors are a much more valuable target because of the information that they have. Large or small, every organization is a target for various reasons. If you do not think it will happen to you, I have a bridge to sell you.

In 2020, Cybersheath conducted a survey of 200 senior executives of Defense Industrial Base (DIB) companies. Their findings are alarming, especially in light of the fact that many people will not admit to an attack, even anonymously.

  • 21% had experienced a cybersecurity incident.
  • 82% are generating and/or handling Controlled Unclassified Information (CUI).
  • 7% were unaware of the Cyber Maturity Model Certification (CMMC).
  • 33% of companies did not know which of the five levels they would need to be certified at.
  • 54% outsourced security and other IT needs to third-party vendors. These vendors may or may not be aware of the compliance requirements.

WHAT PRECISELY ARE COMPLIANCE COSTS?

Compliance costs are ALL the expenses a company must incur to ensure that they have met all industry regulations. These costs are relevant to more than just the Information Systems in an organization. There are other areas that are overlooked when doing an analysis: payroll for compliance staff and consultants, legal fees, registration/reporting fees, and the cost of any changes that need to be made. To better understand this, think about GDPR requirements. Your organization needs to have a Data Privacy Officer, to develop or buy solutions to track user information and a system and process to remove user information on request.

WHY IS THIS SUCH A CRUCIAL ISSUE?

In a 2021 report from Tier 1 Cyber, over a quarter (27%) of companies admitted that they knew they were unprepared for a security event. Additionally, 12% of DoD prime contractors “had confidence in their sub’s cybersecurity posture”.

According to the National Defense Industrial Association (NDIA), a whopping 10% of the companies surveyed had NO dedicated personnel to IT and 44% admitted that they were “still working to meet NIST 800-171 requirements”. And, as expected, 20% of the organizations had no incident response plan.

AND NOT COMPLYING IS BAD?

Other than the fact that you have broken the law, violated your contract(s), and made false claims to the government, there are some penalties traditionally assessed after an ‘event’.

Tangible Penalties: These are things like monetary fines, legal representation when addressing the claims against the organization, personnel leaving the organization.

Intangible Effects: These can range from damage to reputation to (federal) prison sentences for employees AND employers. If you use subcontractors or are a subcontractor, you need to consider this.

Monetary Effects: Lost productivity, lost revenue, lower stock price. Loss of Intellectual Property.

Monitoring: Usually, penalties require some type of remediation plan. This needs to be created, agreed to, and often an external monitor needs to be put in charge of reviewing, training, and re-training staff and ongoing monitoring reports are satisfactory to ensure that your processes and policies are being enforced.

WHAT ARE THE REAL COSTS?

It is a given that any organization that quotes you a system review, an assessment, a remediation plan, or any other form of testing and/or validating your compliance is going to vary based on the size of the organization and the complexity of the systems.

WHAT IS THE RISK OF NON-COMPLIANCE?

Almost 40% of senior executives estimate the cost of an attack at more than one million dollars. That’s a conservative estimate and does not fully take into account the possible loss of future business, and damage to company reputation.

SO WHAT ARE WE SAYING?

Be compliant. Make sure you meet whatever compliance you need, whether you’re worried about DFARS, ITAR, EAR, HIPAA, or meeting NIST 800-171 Standards. Invest the proper time and energy in learning about your compliance needs. Take the time to hire a professional if needed. Take Paul McNulty’s words to heart. It will save you the headache, and the dollars.

Cybersecurity: What Is It & Why Is It Important?

By

Imagine if you will, you have moved into a new house. It’s a nice house, and it has some nice things in it. Your things – along with windows and doors and locks.

Now imagine you open your front door. What do you see? Is it safe? Is it a good neighborhood? Are those people joggers or are they vandals running amok? Are those shady characters checking out your house? It looks alright, but it’s hard to tell.

Would you feel comfortable leaving your front door open? What about unlocked? What if someone came to the door and asked to use your bathroom, or for a glass of water? Maybe there are some weird-looking characters wandering around. What would you do? Would you let them in?

Now, what if they came to your house one night and spray-painted it or left a flaming bag of poo on the doorstep? What if they went into your bedroom and started looking through your personal stuff? You wouldn’t be happy, and you would and should be afraid. The next day you would probably want to put in a burglar alarm with cameras, maybe get a guard dog or a bodyguard.

Your computer is like this new house, except that you can’t see the obvious outside dangers. They are however certainly around and cybersecurity for your computer should be the equivalent of the burglar alarm, guard dog, and bodyguard for your house.

This is Your Life Online – Whether You Realize It or Not.

Cybersecurity is exactly what it sounds like: “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” In other words, it is security for your online presence and activities.

Why Me? What Do I Have That is Valuable?

You have many valuable “things” on your computers, portable devices, and phones. Bad people want them. This could be your personal information, your banking info, credit cards, your social security number, access to all your company’s confidential or protected information…anything really.

But WHY Do These Problems Exist? Don’t We Have Super-smart People Writing Computer Code?

First, a little background: All devices, whether they are PCs, Macs, laptops, phones, IOT (Internet Of Things) – Internet-connected devices, all have an Operating System (OS). An OS provides the instructions to the device. As you can imagine, an OS is a very complex piece of software, typically with millions of lines of code. It is created by a group of smart people, but there are instances where one piece of code is perfectly secure, but then weakness or flaws develop when it is added to a different part of the code.

Sometimes parts of other software programs – applications, which are created by different companies – create conflicts that neither party could foresee on their own or for their own applications. Sometimes in order for a program to work, it needs to make changes that make the system less secure.

And the biggest issue – connecting to the Internet. In order to use the Internet and email, instant messages, etc., you have to ‘be online’. Once that happens, you open up ‘holes’ or ports to get that access out. Those holes allow bad things to come in…

You can lock a steel front door to your house with 3 deadbolts – which would be good protection for someone trying to get in that way. But if you don’t secure the back door, what good does it do?

Even doing in-depth quality assurance on software, testing applications extensively, and a launching large universe of anti-malware companies and communities for your network, there will still be issues.

What If Hackers Get Into The Server(s)?

There is a company outside of Washington, D.C. that had state and federal government business contracts. Just to get into the building, you had to have either a keycard for the garage or check in with a guard in the lobby. The guard would ask to see your driver’s license, note the time and date you came in, who you were there to see, and hand you a sticker with your floor number on it. Now, they also take your picture and print out your info on a plastic card that you have to wear in a visible location.

Then, suppose you went to the elevator after gaining permitted entry to the building and selected your floor. If the floor was ‘protected’, you had to wait in the lobby until someone came down and signed, authorizing you to come in. Then when you got on the elevator, that person had to enter a magnetic key card to push the button to their floor.

When you arrived at a high-security floor, there was a (bulletproof) glass wall, with an intercom. You had to speak to the receptionist and wait until someone came out and brought you back. Otherwise, you weren’t going anywhere.

Most server hosting facilities have all these protections and more – biometric scans must be always accompanied by a staff member, metal detectors, and more. These facilities make it as difficult as possible to get in.

Pretty Good Security, Don’t You Think? Wish We Had It for the Internet?

Well, ALL of these “measures” are duplicated in the online world:

Getting into the building: To get to a protected area on a website, (to shop, read medical records, etc.) we use a username password to identify the person.

Register at the front desk: Systems record the time and date you visit the site and tags you with a cookie or other code to track you as you move through the site.

Someone comes out to “vouch for you”: 2 Factor Authentication, or a secondary means to ensure that you really are who you claim to be. An example is seen when a bank texts an ID number to your phone to confirm a transaction.

All these steps are the same as setting up a Virtual Private Network (VPN). A VPN “extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, and/or traffic encryption. From a user perspective, the resources available within the private network can be accessed remotely.

In essence, it creates a private, encrypted connection or tunnel between your machine and the website or resource you are visiting. VPNs cannot make online connections completely secure, but they can usually increase privacy and security dramatically.

VPNs require 3 things:

  1. Authentication – prove who you are and that you are allowed to access the resource (through passwords, 2-factor authentication, or digital certificates).
  2. Confidentiality – keeping the data exchange private (by encryption of traffic).
  3. Integrity – a way to ensure that the data is accurate and consistent, any tampering is logged, and you are notified.

So Why Does This Matter?

The short and sweet answer: to protect you from the bad guys. From phishing scams to ransomware to zero-day threats, cybersecurity is more important than ever. Getting hacked is more than just a threat to you, it’s a threat to any confidential information you may work with as well as your clients.

So . . . treat your computer and any networks to which it is connected as your house in a dangerous neighborhood. And to make sure your computer is as secure as you would want that house, use all the cybersecurity equivalents to the protections you would bring to that house, starting with usernames and passwords, multi-factor authentication, and VPNs.

But don’t stop there. Get a secure repository for storing and collaborating with your most sensitive information – the equivalent of a safe in your house. And then, as you would with that safe, use sophisticated permissioning protocols – the equivalent of having the combination to the safe – to decide who is allowed to access the repository and what they can do, and not do, while they are there. This last step is where RegDOX can help.

3 Common Questions Regarding the Handling of CUI: Part 3

By

In Part 1 and Part 2 of this three-part series, we reviewed why companies that handle federally-defined Controlled Unclassified Information (CUI) must comply with several sets of regulations and how RegDOX’s solution can enable that compliance. So how do you move forward to full implementation of ITAR/DFARS (i.e., CUI) compliance?

Question 3: How can RegDOX assist in achieving full compliance for organizations handling CUI?

Now that we’ve recognized the need for compliance and how the RegDOX Data Room System enables compliance, there is a three-step process to ensure that this enabling technology is fully utilized and that companies are compliant. First, an organization must assess its needs, typically referred to as a NIST 800-171 or preliminary CMMC assessment. Then, they must adopt enabling technology, policies, and processes to ensure the proper handling of CUI to, from, and within the operation. Finally, it must implement those policies and the compliance technology.

RegDOX has a unique ability grounded in its experience and technology to assist clients in assessing their current state of compliance, choosing the appropriate remedial efforts, and carrying forward an implementation plan to remedy discovered gaps in compliance.

Because of the broad reach of compliance it enables, using the RegDOX Secure Data Room System (RSDRS) and integrating it with appropriate corporate policies and procedures to achieve compliance can be a straightforward process, although one that relies on a deep commitment by an organization to cybersecurity. In order to participate in the Defense Industrial Base, however, organizations need to recognize and make this commitment to meeting federal regulations.

Companies can readily achieve compliance with these regulations while avoiding the unnecessary expense, disruption, and delay in implementing broader CUI controls affecting their entire IT infrastructure. But it takes the RSDRS technology and services to make this a reality. With that technology and those services, in short order companies can satisfy 85 of the 110 NIST 800-171/172 controls – the controls that require enabling technology – and have a robust platform to implement the remainder of controls that address written policies, training, and office procedures.

How can RegDOX assist in achieving CUI compliance? By letting companies know where compliance gaps exist, resolving cybersecurity gaps, and providing policies and procedures to remedy the remaining controls.

3 Common Questions Regarding the Handling of CUI: Part 2

By

In Part 1 of this three-part series, we reviewed the primary federal regulations covering Controlled Unclassified Information (CUI). Today, we’re discussing how companies can achieve compliance with one-stop shopping with the RegDOX Data Room System.

Question 2: How does the RegDOX Data Room System enable compliance?

RegDOX’s secure document and file collaboration solution provide the platform and the tools needed to keep CUI safe – especially when it comes to encryption and enabling the requirement of the least required access. It also meets the regulatory expectations that the use of CUI be recorded, tracked, and subject to alerts.

This robust ability of the RegDOXÂŽ system to achieve compliance is apparent from a comparison of the SPs 800-171/172 controls with the features and functions of the RegDOX system. Given the recent introduction of SP 800-172, a comprehensive concordance document has been made available by RegDOX, but here is a quick review of some of the most important compliance-enabling attributes of the RegDOX system.

Encryption

Encryption is the method of obscuring information through encoding. Essentially, this means that data is made unreadable by anyone intercepting the data without the proper means to decrypt the message.

Currently, the US government recognizes the Advanced Encryption Standard (AES) as a FIPS-140 compliant encryption method. All data coming in and out of RegDOX is transmitted and stored in an encrypted manner, utilizing the AES-256-bit encryption method.

End to End Encryption

This term refers to the ‘terminating points’ of a communication. Usually, these are a user via a web browser on one end, and a server of web pages and data at the other. Each end of the connection needs to be communicating through passing certificate information, a key, and the data. This works similar to a Virtual Private Network (VPN), which creates a “tunnel” for all communications to be kept confidential. For RegDOX users, the RegDOX system is at one end of this tunnel, and the user is at the other end.

SSL/TLS Communications Protection

Historically, the SSL (Secure Sockets Layer) protocol secured web transactions using encryption between a user (through the web browser) and a web server. While still in use, SSL has become less popular due to potential weaknesses and is being replaced by the more secure TLS (Transport Layer Security) protocol. By analogy, TLS creates a ‘handshake’ between sender and recipient that verifies the identity through a trusted third party, and then encrypts the message, allowing the parties to communicate securely.

The RegDOX system utilizes this more advanced protocol.

Access Controls

In addition to allowing access only through a TLS connection, the RegDOX system allows clients to restrict access to a single IP address or a range of IP addresses. This available feature ensures that CUI is only accessible or exchangeable with previously approved partners at those addresses. These access control restrictions can further enable RegDOX customers in implementing export restrictions, DFARS controls, and company confidentiality requirements.

In addition to persistent encryption and IP address restriction capabilities, the RegDOX system includes features that allow its customers to impose other valuable access controls. These include preventing API access, prohibiting screen and document printing, not allowing file saving on local devices, and preventing the redirecting of access to files to secondary recipients. All of these features and others provide additional levels of security and enable regulatory compliance.

RegDOX account access is granted only through secure, authentication methods. This means individual user accounts are protected with unique username and password combinations, certificates, SSO/SAML, or other secure authentication technologies. RegDOX by default requires multi-factor authentication through email or soft tokens, which is yet another step in controlling access to authorized people only and specifically implementing the requirements of the ITAR, SP 800-171, and now SP 800-172.

System Management

As background functionality, scanning of all files by anti-virus and anti-malware prevention software is installed and updated regularly within the RegDOX platform. Platform systems are reviewed to evaluate and implement security patches and updates to address the latest available security protections at the application and network levels.

Using the RegDOX system, along with specific corporate access, training, and use policies and processes, and the application’s ability to monitor users for compliance implement required SP 800-171 and 172 controls. Very importantly, these protections come without an enormous spend or learning new, complex software.

Permissioning-Least Necessary Privilege

RegDOX enables its subscribers to implement the requirements of SPs 800-171 and 172 mandating that access to CUI be limited to identified users and then only so long as required. So, for example, if only specific information is needed at a specific point in time (and not ongoing access) and that access need not be to an entire array of documents or files, RegDOX enables its corporate subscribers to implement the necessary restrictions. This capability is enabled by the granular permissioning that can be imposed at multiple levels, including specifically for individual or groups of users, documents or files, folders, and data rooms.

Audit & Tracking-Preserving Evidence of Compliance

Underlying the goals of the DDTC in the ITAR, as well as of the controls adopted by NIST in SPs 800-171/172, is that compliant electronic document and file security must not just be achieved, but that this compliance must be documented, and failures alerted. Essential for RegDOX earning the DDTC’s favorable opinion of compliance and underlying each of the four existing patents and the new patent to be issued covering the RegDOX solution, is the persistent and un-editable tracking and recording of actions within the solution by users and actions affecting documents and files. This information remains available to corporate subscribers of RegDOX through a robust series of on-demand reports and an ability to identify conditions for which a subscriber’s administrators may receive immediate alerts or periodic updates.

Moving Forward

From encryption to auditing through sophisticated permissioning controls, the RegDOX Data Room ensures every aspect of our system holds to the highest current standards. With the introduction of NIST SP 800-172, we continue to meet or exceed new security standards. The safety and security of CUI is your top priority and will always be RegDOX’s top priority.

3 Common Questions Regarding the Handling of CUI: Part 3

3 Common Questions Regarding the Handling of CUI: Part 1

By

When considering RegDOX’s patented cloud solution for ITAR and DFARS compliant handling of federally defined Controlled Unclassified Information (CUI), many companies come to us with a series of questions that can be summarized in three general categories:

  1. What are the regulations that cover CUI?
  2. Can you give us a brief review of how the RegDOX secure data room solution enables compliance with those regulations?
  3. How can RegDOX assist in achieving full compliance for organizations handling CUI?

This is the first part of a three-part series that will briefly and separately answer those questions.

Question 1: What are the regulations that cover CUI?

Any company seeking secure, compliant, and collaborative storage of CUI should begin with an understanding of ITAR, EAR, and DFARS regulations. While this is not the entirety of the relevant rules, regulations, and statutes affecting CUI, they are the key elements for most companies to address compliance. Here’s what they are:

The International Traffic in Arms Regulations (ITAR)

ITAR regulates the export of “defense articles and services” with the objective to keep those materials out of the hands of foreign nationals unless properly licensed. In addition to physical items (“hardware”), ITAR also controls technical data and sometimes specific services. These regulations apply to government contractors and subcontractors, and the articles and services covered by these regulations are outlined in the United States Munitions List (USML). The USML currently covers 21 different categories of products, services, and technical data.

It’s important to understand that ITAR controls more than just exports. Re-exports, temporary exports, and temporary imports also fall under this regulation. Furthermore, an “export” can occur by a U.S. Person intentionally or unintentionally disseminating controlled information to a foreign person without a proper license – even if that transfer occurs within the same company and within the United States.

Finally, the Directorate of Defense Trade Controls (DDTC), which enforces these regulations, addresses a critical concept it identifies as “Deemed Exports.” Deemed Exports define and address the “mishandling” of ITAR technical data in a manner that could result in a prohibited export to an unlicensed non-U.S. Person, even though the actual disclosure might not have occurred. For example, if technical data is exported, even though the intended recipient is a permitted recipient, if the export is handled in a manner where it could be exposed, an ITAR violation can exist. Similarly, if ITAR technical data is handled in a manner in which it could be readily exposed to non-U.S. persons, an ITAR violation will be found.

The Export Administration Regulations (EAR)

Generally, the EAR covers the commercial components of imports and exports. It normally applies to dual-use items – items that are available both for commercial and government use, like GPS systems. Items subject to EAR are listed on the Commercial Control List (CCL) in product or service categories.

Both ITAR and EAR regulations have the same goal: “To protect the national security of the United States by preventing the unauthorized export of controlled items to foreign persons.” Or, in other words, to protect sensitive materials or items from falling into the wrong hands.

The Defense Federal Acquisition Regulation Supplement (DFARS)

The DFARS is the Defense Department’s supplement to the Federal Acquisition Regulations (FAR). This supplement requires direct and indirect defense contractors to comply with specific cybersecurity requirements governing CUI, Controlled Technical Information (CTI), or Covered Defense Information (CDI).

Those requirements involve adherence to the 14 families of controls found in the National Institute of Science and Technology’s (NIST) special publication, NIST SP 800-171, although there are separate requirements found in the DFARS themselves, such as DFARS section 252.204-7012.

In February 2021, NIST issued an additional publication, NIST SP 800-172, which has enhanced requirements for some of the specific controls found in ten of the 14 SP 800-171 families of controls. With this new publication, the reference standards for DFARS compliance exist in both SP 800-171 and SP 800-172. They both detail how system administrators should best configure networks and which security practices provide additional protection from advanced persistent threats (APTs).

SP 800-172 itself codifies cybersecurity requirements that have been introduced by another initiative of the Defense Department: The Cybersecurity Maturity Model Certification (CMMC). Requirements of the CMMC include the assessment of organizational cybersecurity practices and processes through five CMMC levels, established in January 2020, while SPs 800-171 and 800-172 concentrate on the assessment of contractors’ technical systems and practices.

Cybersecurity compliance for the Defense Department extends beyond SPs 800-171 and 172, DFARS, and CMMC publications. The Cloud Computing Security Requirements Guide (CC SRG), published by the Defense Department in March 2017, remains in effect and covers any cloud service handling CUI. The CC SRG expressly includes ITAR/EAR-controlled data, referred to in that publication as “export-controlled information.”

The CC SRG describes four impact levels of cybersecurity and operational compliance for defense contractors, subcontractors, and their cloud vendors. Those levels are identified as levels 2, 4, 5, and 6. Level 4 applies to most CUI and contains restrictions that go beyond what is required by ITAR and EAR. For example, a 2020 amendment to ITAR allows certain unlicensed transmissions of encrypted export-controlled data outside of the U.S. but this remains prohibited by the CC SRG unless explicit authorization is granted.

It’s Just The Starting Point

For prospective DOD contractors, the regulatory apparatus they are required to comply with can be daunting at first glance. ITAR, EAR, and DFARS are the key pieces of that regulatory machinery. While this article only scratches the surface of each regulation, it should serve as a starting point for those new to complying with federal export and DOD regulations. In our next article, we will cover the ways RegDOX can provide secure data room solutions that allow you to achieve that compliance.

3 Common Questions Regarding the Handling of CUI: Part 2

3 Common Questions Regarding the Handling of CUI: Part 3

Quick Take: The DDTC Continues Active ITAR Enforcement

By

Lest anyone think that the DDTC is backing off from strongly enforcing the ITAR’s restrictions, $13 million in civil penalties was placed on Honeywell this past week, serving as a stark reminder to the exporting industry.

The case involved alleged transfers of 71 ITAR-controlled technical drawings related to various weapons systems to multiple countries and then, two years following a voluntary disclosure of this first set of unauthorized disclosures, additional violations involving 27 unauthorized exports of technical drawings. The documents were disclosed through DEXcenter and Daptiv, sharing and collaboration platforms used by Honeywell employees.

In addition to the civil penalty and three years of compliance reporting to the DDTC, Honeywell has agreed to hire a Special Compliance Officer (SCO) to be selected by the DDTC from candidates proposed by Honeywell and this SCO will be in place for a minimum of 18 months. The SCO shall have duties approved by the DDTC for overseeing Honeywell’s ITAR compliance and may hire, at Honeywell’s expense, the staff the SCO needs.

This DDTC action against Honeywell follows on the heels of the DDTC’s consent decree with Airbus last year, involving a number of alleged Airbus violations including failure to maintain records of ITAR-controlled transactions and unauthorized exports. Airbus agreed to pay $10 million in fines in its agreement.

In a similar fashion near the end of 2019, two companies paid substantial fines for ITAR violations. The California-based company AeroVironment, Inc. agreed to pay $1 million in penalties for its alleged violation of the ITAR involving technical data and record-keeping. A month before that, Florida company L3Harris Technologies, Inc. agreed to pay $13 million for its alleged ITAR violations.

While each of Honeywell, Airbus, AeroVironment, and L3 Harris Technologies are no doubt smarting from the millions of dollars in penalties they must pay, their cases stand as unambiguous lessons to all exporting and defense industrial based (DIB) companies. Either invest upfront in compliance technology, compliant processes, and training to avoid violations or invest later following fines being paid and having the DDTC oversee your exporting. And that is if your organization avoids criminal penalties and debarment

What is ITAR and Why is it Important?

By

The International Traffic in Arms Regulation (ITAR) is an established authoritative and mandatory list of compliance guidelines. These guidelines are set by the State Department’s Directorate of Defense Trade Controls (DDTC). It is important that any company that exports products or information outside the United States be aware and compliant with all the requirements of ITAR.

These regulations that the DDTC provides can be complicated, which could leave your company vulnerable to varying degrees of both civil and criminal penalties. ITAR compliance dictates that not only must your business be fully compliant, but they must also be current with any amendments and updates to ITAR regulations.

It is important to keep in mind that ITAR regulations do not just apply to the distribution of physical goods, but also virtual commodities such as technical data, sensitive files, and documents. Due to the nature of ITAR regulations, Small and Medium Enterprises (SMEs) are most at risk due to the nuances of export compliance regulations.

An ITAR violation can carry a heavy penalty and fine. The DDTC expects all exporters of defense commodities to be organizationally sound, secure, and resourceful enough to ensure that they meet all the standards that the ITAR requires.

What are the penalties?

Due to the nature of ITAR regulations, Small and Medium Sized Enterprises (SMEs) are most at risk due to nuances of export compliance. Companies working with CUI are carefully monitored by The State Department, who partner with other government agencies to monitor businesses to ensure compliance to export control laws. The State Department takes ITAR violations very seriously, with criminal violations of millions of dollars and up to 10 years imprisonment. Civil penalties, which are much more common, can reach millions of dollars in fines. While large companies can withstand paying enormous fines, they may also be subject to debarment, which blacklists the company from government contracts and working with companies who have government contracts.

What if you fail to comply?

Communication is key when it comes to preventing fines from the DDTC. Willful failure to comply with ITAR is subject to the highest degree of fines and penalties. Being prepared also goes a long way; if your company appears to have knowledge of an ITAR compliance issue, there should be a system in place that would allow your company to report the issue to officials.

What if you make a mistake?

When working with ITAR related materials, mistakes can happen simply due to human error. This is something that becomes possible given the scope of the regulations and can affect companies of any size. The DDTC might consider leniency on such occasions, but only under rare circumstances. ITAR provides the opportunity for voluntary disclosure. By being forthcoming about any mistakes and having a solid action plan to improve, fines and penalties may be reduced or eliminated.

Why honesty is important to compliance.

Given the nature of ITAR, it is in your company’s best interest to be fully honest. By misrepresenting or even not disclosing pertinent information, then the same penalties can apply as being noncompliant. You can prevent this by taking a thorough approach to compliance and ensuring that any and all information is disclosed.

What can you do to avoid a violation?

There will continue to be increasingly complex regulations in response to both attempts at cyber-attacks by bad actors as well as lax cyber-security practices by organizations. But, if you love your export business and the thought of excessive penalties scares you (which they should), then do not chance non-compliance of ITAR. There is a lot to lose violating regulatory compliance. Disaster can be pending on the horizon for you and your business from a single infraction that could have been avoided.

Take the step to secure your business and prevent future dilemmas by partnering with an ITAR compliant secure data room solution provider like RegDOX so you can focus on what’s important, your business! We at RegDOX have been innovative in responses to new and revised cyber-security regulations and provided our customers with solutions so inventive that they warrant patent protections for meeting and exceeding entirely justifiable regulatory requirements. Configurable, affordable, and coming with a “DDTC-reviewed” advisory opinion for ITAR compliance – what’s not to love? Get started now – https://www.regdox.com/contact/

 

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOXÂŽ offers compliance options for the transference and storage of ITAR, DFARS, EAR, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

Share this page.