What to Know About ITAR, COTS, and CUI
With all the acronym-labeled requirements and definitions related to doing business with the federal government, it can seem like you are swimming in an alphabet soup. In addition to the consumer off the shelf (COTS) designation which determines the presence of controlled unclassified information (CUI), there is another program to be aware of, ITAR.
International traffic and arms regulations (ITAR) is a signed acknowledgement companies make with the government during contract on-boarding. ITAR is required if the government determines that your piece part or widget is going to be included in a weapon system designed, developed, or manufactured by the DoD.
For your fulfillment with the DoD contract, your company agrees to have your product reviewed by the government when you sell it to international companies. This applies to COTS products, like microprocessors or GPS receivers, as if these components are being put into a weapon system, the DoD wants to bind this technology to America. Also, if you are knowingly selling this same component to companies that are including it in weapons, you must acknowledge that to the government so that it can be trafficked.
As a current example, right now the drones that are being shot down by Russia have a lot of American chips in them. The FBI just launched an investigation against the companies that provide these chips to understand how those chips made it into the drones. These microprocessing companies were surely bound by ITAR and they should have had more control over their chips. As a result, the government can actually come back and claim restitution.
Why it is important to know if you have ITAR
Often if you’re bound by the government’s laws on international trade in arms or controlled technologies, your products are not available commercially off the shelf. The ITAR program means that there’s not a reselling marketplace without your knowledge, control, and authorization. Consequently, ITAR can be seen as the opposite of COTS.
ITAR itself binds your company to operating in a Federal Risk and Authorization Management Program (FedRAMP) high infrastructure, which requires more stringent cybersecurity controls than DFARS. Talking about COTS and CUI is actually a red herring when it comes to ITAR because ITAR actually bypasses all the DFARS requirements.
If you have any questions where your company and its wares fall in terms of ITAR, COTS, and CUI, get in touch with the experts at CyberSheath. We can help determine your current designation and strategize how to move forward with implementing the required security controls.