When Encryption Isn’t Enough – Protecting Export-Controlled CUI Data in the Defense Industrial Base

By Alex Trafton, Senior Director, Ankura

There are few industry sectors subject to more scrutiny and regulation than the U.S. Defense Industrial Base (“DIB”). DIB companies routinely are targeted by advanced persistent threats (“APTs”) seeking to compromise sensitive Department of Defense (“DOD”) acquisition programs and data. As such, DIB companies are subject to multiple regulatory and contract requirements which obligate them to protect sensitive data such as Controlled Unclassified Information (“CUI”) and International Traffic in Arms Regulations (“ITAR”) -controlled data through multiple means, including encryption.  While encryption standards for handling CUI and ITAR-controlled data are similar, they have critical distinctions that can have significant impact if not addressed.

DIB companies which receive or produce Covered Defense Information (“CDI”) or Controlled Technical Information (“CTI”) [collectively CUI] are subject to the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, which requires covered contractors to implement the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 to protect CUI. Control 3.13.11 of NIST SP 800-171 requires covered contractors to “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” Currently, DIB companies are working to shore up compliance with NIST SP 800-171 in advance of a DOD final rule implementing the Cybersecurity Maturity Model Certification (“CMMC”), which is designed to provide a third-party audit and verification mechanism to assess and certify implementation of NIST SP 800-171. Many defense contractors are working to implement encryption requirements across their on-premises and cloud infrastructures. Some industry thought leaders have taken the position that the implementation of FIPS-validated cryptography is sufficient to render CUI data secure, even if held in a third party-managed cloud environment.

While this position may satisfy the NIST SP 800-171 standard, it does not account for key additional encryption considerations applicable to ITAR technical data—which many DIB contractors may receive or create.[1]The key provision of the ITAR relating to encryption is section22 CFR §120.54(a)(5), which states that data “[s]ecured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors” is not considered an export (i.e., is not subject to ITAR restrictions).  Critically, the provision carves out encrypted technical data that is intentionally sent to a person or stored in a country subject to ITAR §126.1prohibitions(particularly including Russia and China).  In other words, there are two key distinctions between the CUI and ITAR encryption standards: 1. the difference between FIPS-validated(the CUI standard) and FIPS-compliant(the ITAR standard) cryptography, and 2. the ITAR’s persistent prohibition on transferring controlled technical data to §126.1 countries and nationals, even when encrypted.

The first distinction establishes a more exacting standard for CUI encryption.  The Federal Information Processing Standard (“FIPS”) 140-2 is the standard for validating the effectiveness of cryptographic modules. To be FIPS-validated, the cryptographic module must undergo review, testing, and approval at an accredited NIST laboratory – a lengthy and rigorous process. “FIPS-compliant” is itself not a standard and refers to the algorithm or component which may be approved for use in a FIPS-validated module, but where this component itself has not undergone NIST testing. In short, simply using a FIPS-compliant encryption algorithm, while potentially sufficient to satisfy ITAR requirements, will not satisfy the CUI protection requirements found in NIST SP 800-171. This subtle and poorly understood distinction is a critical compliance risk for defense contractors—if ITAR technical data in a company’s systems also is CUI, the company must ensure that the encryption is FIPS-validated, not just FIPS-compliant.

The second distinction establishes a key additional consideration applicable to encrypted ITAR-controlled technical data.  Such data cannot be sent to a person or stored in a country subject to ITAR §126.1prohibitions.  This is a critical consideration when CUI data also is subject to the ITAR.  Contrary to the prevailing attitude that, if CUI is encrypted using FIPS-validated encryption, it can be stored and routed anywhere, CUI encrypted data that also is subject to the ITAR must not be exposed a §126.1 country or national.  This is a particularly acute risk when dealing with cloud-based and third-party service providers, software, and data centers. Defense contractors should implement enhanced diligence to ensure that all external entities who may process, store, or transmit CUI/ITAR data (even if encrypted) do not send or store data in nor employ staff who are nationals of any §126.1 country.

The risks arising from these CUI and ITAR considerations are significant and real. On October 6, 2022 Deputy Attorney General Lisa Monaco announced the DOJ’s Civil-Cyber Fraud Initiative to enforce cybersecurity requirements through False Claims Act and qui tam (whistleblower) litigation. Subsequently the DOJ filed a statement of interest in a qui tam matter between defense contractor Aerojet-Rocketdyne and a whistleblower – a case Aerojet-Rocketdyne settled for over $9 million dollars.

For violations of the ITAR, the DOJ and State Department may levy civil fines (up to $1 million by DOJ and up $500,000 by the State Department) for the willful violation of the ITAR. In addition to civil penalties, the DOJ may pursue criminal prosecution with sentencing ranging up to 10 years in prison. On November 9, 2022 the DOJ announced that it was charging three Americans for violating export controls and defrauding the DoD in connection with sourcing DIB materials from China.

With such robust enforcement mechanisms for violations, the encryption challenge facing the DIB is one of governance. Traditionally, ITAR and CUI compliance functions are bifurcated between legal and IT departments, respectively. The key compliance issue arises when these two functions are working towards implementing cryptography and data sovereignty controls on the same technical data without reconciling security and privacy requirements. This can lead to one compliance method causing potential compliance issues in another area. The key to mitigating this risk is for defense contractors to coordinate their export control and CUI compliance programs to comprehensively address their regulated data compliance requirements and mitigate associated enforcement risks.

[1] Export Controlled Information is itself a category of CUI found in the NARA CUI Registry.

Hot Topics

Related Articles