Export Control and its Challenges
Many countries have regulations designed to protect their capabilities, both in commerce and defence. Generally, these are known as Export Control Regulations. They are designed to stop both physical objects and related data, including software and design data, from falling into “the wrong hands”, thereby protecting that country’s interests. Such regulations place restrictions on who can have access to both physical parts and information.
Perhaps the best-known such regulations are the International Trade in Arms Regulations coming from the United States. Known as ITAR, these are designed to protect the USA’s lead in defence and carry big penalties for infringement. Furthermore, the USA pursues the enforcement of these regulations outside of its own boundaries. ITAR applies to anything coming from the US that has military applications. This can even include material that was created outside of the US. However, ITAR is not the only US regulation that imposes restrictions and the USA is not the only source for such regulations.
It is important to be aware that some items that, at first sight, are for civilian use, can be subject to Export Control because they are used in the design or manufacture of defence products. Thus, for example, the design data set for a civil aircraft may contain such items.
Export Control Regulations include the management of physical items. Here we focus on the data around such items, referred to as ECR data. The regulations can apply when ECR data is simply shown on a screen to the wrong person or in the wrong place. This demonstrates that conformance to the regulations relies on people’s behaviours as well as what can be done with IT systems. Training and awareness of ECR is essential. Physical access also has to be controlled to IT systems that hold ECR data.
The challenge is to ensure that all data that is subject to Export Control is identified, and labelled as such and then that it is appropriately controlled, i.e., accessible to those with an approved need and not accessible to anyone else.
Access to Export Controlled Data
If data is covered by Export Control Regulations, there will typically be a licence that defines who can see that data. Thus additional controls have to be put in place for that data. Only those entitled to see the data will be granted access. Limitations will also be applied to ensure that the data can only be extracted or copied in conformance with the relevant licence. It is typical to track who has accessed the ECR data.
Fortunately, the core functions needed to satisfy these requirements are essentially similar to those used to protect Intellectual Property and not all data is subject to export control.
However, it is typical for large systems to contain a number of ECR-controlled parts. The additional constraints must then be applied to those items in particular as an additional layer of protection. Access control (and tracking) is needed at the level of individuals as well as organisations. Once this additional control is in place, data access and sharing processes are the same.
Importer challenges
Based on the above, particular challenges arise for the “Importer” of ECR data who receives controlled data under a specific license. It is the Importer who then has the responsibility to manage and control access to this data in a way that does not violate the appropriate regulations and it is the Importer who risks high fines should regulations not be complied with.
Some typical challenges are
- Restrict the access to the ECR data to the named persons of the license and manage the lifecycle of these access rights (start and end in accordance with regulations for the person as well as the license).
- Inform users of and possibly control access to ECR data based on geographical location.
- Add and remove access to persons under the license.
- Keep an audit trail on who had access to which part of the ECR data historically at any given time.
- Combine ECR data with non-ECR data in a useful way while complying with regulations.
- Allowing persons without access to specific ECR data to request access means that the existence of ECR data must be indicated without violating regulations.
Solution approaches
A significant challenge is to minimise the impact of Export Control requirements in adding friction and delay into existing business processes whilst still ensuring adherence to the EC regulations. There are different choices for how to handle ECR data within a business:
- Isolate the ECR data in its own specialized repository;
- Duplicate IT systems – one for ECR data and one for non-ECR data;
- Add ECR-specific controls into existing IT systems such as PLM;
- Provide access via a collaboration hub that covers multiple source IT systems.
In practice, a business may adopt a mix of the above approaches as they are not mutually exclusive.
Fundamentals
Physical objects and documents that are ECR-controlled must be labelled accordingly. The same is needed for ECR data. Any implementation must be able to manage classification as part of the metadata associated with any specific element of data and behave accordingly. A particular part can potentially be controlled by multiple types of Export Controls and be included in more than one licence. A person accessing ECR data may also be included in multiple licenses.
Solution approaches
Using a specialized repository
Clearly, this is a very safe option from the adherence perspective. Access to the content of the repository can be controlled as can physical access. However, the result is considerable friction within the business processes that use that data. One likely consequence is that some ECR data will be duplicated outside of the repository in order to reduce that friction, thus defeating the objective of the specialized repository.
Duplicate IT systems
The distinction between ECR and non-ECR is controlled at the level of access to the IT systems. This incurs additional cost for licences and IT administration and then potentially has the same drawbacks as the specialized system above, especially where the business processes require access to a mix of ECR data and non-ECR data. In addition, a person having access to ECR data under one license does not mean that the person should have access to all ECR data shared under other licenses.
Add ECR into existing systems
The advantage of taking this approach is that it can then be layered on top of the existing processes as supported by tools such as PLM and ERP systems. A disadvantage is that it can involve a lot of effort to configure the systems and this may have to be repeated with new major releases. Some of the enterprise-level systems have their own add-ons to handle ECR aspects which may represent a more cost-effective approach but will then be system specific. Given the requirements coming from ECR, the overall effect can be to add considerable additional complexity to the existing tools.
Provide access via a collaboration hub
This approach works well when the objective is to provide a consistent access approach to a mix of ECR data and non-ECR data which is held across a collection of diverse systems or even across different organisations. A hub-based approach should provide a single access point that is sensitive to Export Control classifications and takes licences into account as well as other factors, such as ownership of intellectual property, before granting access.
ShareAspace as the collaboration hub
With ShareAspace the collaboration hub already has fine-grained access control, given the basic requirement to support competing suppliers working with a single systems integrator. This access control is extended to include specific sub-organisations (those party to a given EC licence) or to consider the licences when determining access.
Using ShareAspace as the collaboration hub has additional advantages when the ECR data concerning a specific element, such as a specialist component, is actually held across multiple IT systems (for example PLM, ERP and ILS). The hub provides consistent access control to a consolidated view of the data concerned. This is simpler for the user and simpler to administrate, including the removal of access should it be required.
ShareAspace has been designed to enable and facilitate the controlled sharing of data. It already has many of the controls needed for handling ECR data. These can be used in line with ECR regulations by aligning ShareAspace’s user roles and organisations to ECR licences. This approach provides an ECR control solution suitable for use within organizations that have matching overall processes in place for ECR data.
A software product, such as ShareAspace, can only ever be an enabler for achieving ECR conformance and must be accompanied by suitable processes and training for personnel, including partner organizations.
Discover our new out-of-the-box ShareAspace ExC solution.
