That's right, not GDPR or PCI DSS, like most other blogs and articles you might be reading online... but ITAR: the International Traffic in Arms Regulations, which govern the trade and export of defense materials and services in the US.
What does that have to do with you and your file transfers, you ask?
Well, ITAR requires that both physical and technical data related to defense and military technology be handled only by US citizens.
Note, however, that the UK, Canada and Australia have ITAR agreements in place, both to adhere to the requirements and to be able to handle defense materials and related technical data.
WARNING: That means if you transfer technical data, including photos or documentation which can be used to construct or operate physical arms, you will need to comply.
Simply put, ITAR affects both the physical and virtual worlds of the whole defense industry.
Who Needs to be ITAR Compliant?
In essence, any company in the US, or any agreed UK, Canadian or Australian organisation, which handles, manufactures, designs, distributes or sells defense items or related technical data on the USML (United States Munitions List).
Such organisations include but are not limited to:
Vendors of software, hardware or both.
Third-party suppliers.
Every organisation in the supply chain which handles defense materials or related technical data must be ITAR compliant, with the US State Department's Directorate of Defense Trade Controls (DDTC) maintaining a list of those who are.
At a basic level, ITAR requires that defense materials and related technical data are not handled by or shared with a non-US citizen.
However, there are exemptions.
The US State Department can issue exemptions for specific purposes, particularly in the case of mutual defense interests. A number of organisations in the UK, Canada and Australia have been granted such exemptions, but on the grounds that they are also ITAR compliant.
At a high level, ITAR requires focus in the following areas:
In the case of technical data, the ITAR expectation would be that the data contains a classification, that its processing systems are actively monitored for unauthorised access, and that audit logs are maintained for review.
How Can You Secure ITAR File Transfers?
In short, you should be using a managed file transfer solution which can guarantee data security on multiple levels.