
Using off-the-shelf software for government-regulated data?

Popular software applications like those offered by Google, Airtable, and Monday.com are putting small businesses regulated by ITAR and EAR at risk.


With the rise of cloud-based technology, we are experiencing a surge of productivity applications that are built to be lightweight, configurable, and affordable. These include products like Airtable, Monday.com, QuickBase, as well as the ubiquitous Google suite of apps (Docs, Sheets, Drive).

These commercial, off-the-shelf (COTS) software products are a boon for small to medium businesses that aren’t ready to invest in an ERP like Oracle or SAP and want something they can set up quickly to start managing their processes. For businesses that are subject to U.S. Department of State regulations, however, these products pose a major risk of non-compliance. For these manufacturers, the only alternative is expensive on-prem software that is difficult to maintain.

Cloud-based services are expected to account for nearly 50% of all organization-level software usage among manufacturers by 2023. Businesses dealing with Department of State regulations should have an equal opportunity to leverage the cloud in improving their operations.

What are the Regulations?

First, a quick explanation of International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). ITAR and EAR are parallel regulations that govern the import and export of goods, data, and services to prevent sensitive information from being accessible by foreign nationals. ITAR specifically regulates the import and export of defense-related products, data, and services that appear on the United States Munitions List, while EAR focuses on dual-use items available for both commercial sale and government use, appearing on the Commercial Control List.

What’s the Risk?

The risk in using COTS products like Google Suite or Airtable is that the provisions of these regulations extend beyond the business itself: they apply not only to the software vendor the business uses, but also to the infrastructure provider that the software vendor uses.

The most popular infrastructure provider is Amazon Web Services (AWS), with applications like Airtable and Monday.com hosted on its servers. These applications, along with others like Dropbox and QuickBase, are not compliant because they are hosted on the AWS public cloud, which is accessible by foreign nationals employed by Amazon. Google’s suite of products is also not compliant as it is hosted on Google Cloud, which does not support ITAR-controlled data.

What’s the Solution?

The benefit of these applications is their ability to leverage the cloud’s capabilities to manage your business in real time at an affordable price. The good news is that it is still possible to use the cloud to manage ITAR-controlled data. Both AWS and Microsoft Azure offer ITAR- and EAR-compliant cloud infrastructures that software vendors can host their products on, called AWS GovCloud and Microsoft Azure Government respectively.

While the popular COTS products mentioned above are not hosted on these special cloud infrastructures, there are other products that can meet your needs. We suggest you run a thorough investigation of what applications your employees are using to store, send and receive sensitive data, and build a plan to switch usage over to a compliant product.

FactoryFour for ITAR

FactoryFour was designed with the same modern aesthetic and usability principles as these COTS products, with the ability to scale with your unique processes and organizational growth. Most importantly, we are ITAR and EAR compliant and focused specifically on manufacturing. FactoryFour provides regulated manufacturers:

  • Fully compliant data storage hosted on AWS GovCloud restricted to the US.
  • Secure data encryption in transit and at rest.
  • Granular permissioning to ensure only approved personnel can access sensitive data.
  • Traceable, electronic audit trail of all actions performed or data entered.
  • Sequestered team of US persons on the FactoryFour Customer Success team who have been trained in the safe handling of export-controlled and ITAR-governed data.

Need a manufacturing management software that is ITAR compliant? Speak to one of our experts here and book a demo today.