Much has been written about the concept of a Digital Thread and how it can play an important role in an Industry 4.0 or Digital Transformation strategy. The topic can be extended to a broader perspective of establishing a Digital Cloth or Digital Tapestry, depending upon how far along you might be with your digital strategy. Manufacturers operating in the Aerospace & Defense (A&D) industry should also be rethinking their ITAR data strategy.
In a previous post, I wrote about the basic tenants of ITAR compliance, and the associated nonmilitary or dual-use product rules in the Export Administration Regulations (EAR). That article explained that it isn’t just the end products themselves subject to ITAR, but the services and data that may be associated with those products that are also subject to ITAR. Therefore, as you plan on building out your digital strategy, here are some points to consider as this data is shared between your MES, PLM, QMS, ERP, and MRO applications.
Export of Data Isn’t Just Sending It Out of Country
Exporting data in the context of ITAR goes beyond shipping a disk to a foreign country or performing an electronic file transfer across borders. Under ITAR, information or data is considered “exported” whenever it is disclosed to a foreign national.
This means that if you use a Manufacturing Execution System to make a controlled product or system, then the MES will contain ITAR data. If you allow a supplier access to your MES or QMS system, as far as ITAR is concerned, if anyone at that supplier has access to the system who is not a US citizen, then there are ITAR implications.
Another scenario where export might be possible would be in the case of access to eLearning systems that contain information that is covered by ITAR. It is important to remember that ITAR covers all information, classified or not, so just using a simple security profile that restricts access to classified data may still put you at risk of an ITAR export violation.
To make sure that you minimize your risks, validate your MES, QMS, MRO, and other software systems support complex user access profiles so that you can restrict access not to just classified information, but any ITAR covered data.
Think of Section 120.10 Technical Data as a “Digital Twin”
CFR Part 22 Section 120 is where ITAR terms and explanations are codified. Section 120.10 details what is considered “technical data,” defined as follows:
§ 120.10 Technical Data.
(a) Technical Data means, for purposes of this subchapter:
(1) Information, other than software as defined in § 120.10(a)(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions, or documentation.
Section 120.10 also defines what is considered classified or a trade secret that is protected information in addition to the software used within ITAR covered devices.
It should now be quite clear that the digital data underlying today’s digital transformation and Industry 4.0 strategies are subject to ITAR compliance. The above paragraph (1) goes to the very heart of what a digital cloth is all about and the benefits that digital transformation seeks to provide.
This means that the software you use on the plant floor must be considered part of your ITAR profile when planning your architecture. Make sure your plant floor systems allow you to tag information as being ITAR or EAR sensitive. This will then ensure your systems can easily allow access control so only authorized US Persons – and restrict those who are not. Doing so will keep your ITAR data in compliance.