Why NIST and ITAR are important indicators of vendor reliability
30 August 2023
We’re very proud that Larson Packaging Company is ITAR registered and boasts a NIST SPRS assessment score of 99 out of 110 on the scale used to gauge adherence to NIST’s Special Publication 800-171 requirements for manufacturers operating within supply chains tied to government contracts. But what does this sort of compliance actually mean, and why should you even care?
NIST Special Publication 800-171
NIST Special Publication 800-171 provides standards for protecting the confidentiality of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). In particular, national defense contractors must implement NIST SP 800-171 requirements and demonstrate adequate security to protect information in their defense contracts.
The standard is scored through the framework’s 110 security requirements. Each fully implemented requirement gains points. That means the highest possible score on an assessment is 110 (the lowest possible score is -203).
Implementing NIST SP 800-171 security requirements is a must for maintaining preferred contractor status for any manufacturer that’s part of the supply chain of the DoD, the General Services Administration (GSA), NASA or another federal or state agency.
We find compliance with NIST 800-171 crucial to our business credibility and success for several reasons:
- Legal and regulatory requirements: Non-compliance can have legal and financial consequences and lead to fines and other penalties. Naturally, we don’t want to be fined.
- Protection of sensitive data: NIST 800-171’s framework provides a solid foundation for safeguarding the sensitive data of our customers and minimizing the risk of data breaches and unauthorized access.
- Cybersecurity: Compliance with NIST 800-171 helps us establish a robust cybersecurity posture and maintain the security of our information systems.
- Business continuity: Things can go wrong even with the best systems in place. NIST 800-171 helps us plan to maintain business continuity and minimize the impact of any disruption.
- Customer trust: We feel demonstrating compliance with NIST 800-171 builds trust. Because we systematically prioritize data security and privacy, customers and partners are more likely to want to do business with us.
The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations that control the export and import of defense-related articles, services, and related technical data.
ITAR-registered companies must register and keep their registration current with the Department of State’s Directorate of Defense Trade Controls (DDTC), which oversees the U.S. Munitions List (USML).
These regulations demand that access to technical data and physical materials related to military and defense technologies be restricted to only U.S. citizens on a secure, compliant network.
ITAR covers a wide range of items, including firearms, ammunition, combat vehicles, naval vessels, missile technology, and satellite systems.
Consequently, government contractors must have an ITAR compliance plan. Furthermore, every company in the supply chain of a contract or project — subcontractors, computer software/hardware vendors, third-party suppliers, wholesalers and distributors — must also be ITAR registered.
The rules are administered by the U.S. Department of State. However, there is no formal process to become “ITAR Certified”. Instead, companies are expected to understand and comply with the Department of State’s regulations on their own. Some of the key elements of demonstrating ITAR compliance include:
- Registering with the Department of State: Companies involved in the manufacture, sale, or distribution of defense-related products and services must register with the Department of State.
- Obtaining licenses or agreements: Companies must obtain the appropriate licenses or agreements to export, import, or broker defense articles and services.
- Controlling access to technical data: Companies must establish procedures to control access to technical data related to defense articles, ensuring access is limited to authorized persons only.
- Complying with record-keeping requirements: Companies must maintain records of their export transactions, including licenses, agreements, and shipping documents, for a specified period.
- Training employees: Companies must provide regular training to their employees on ITAR regulations and ensure that they understand their legal responsibilities.
We believe that being ITAR registered benefits more than just our customers in the defense sector.
Yes, it demonstrates our commitment to maintaining high standards of security and reliability within the defense industry, but doing so builds customer confidence in our integrity, in the quality and reliability of our products and services, and in our ability to collaborate.