Industrial R&D Platform
Assignment
ScaleSec guided an early-stage startup to support ITAR compliance, enabling their SaaS platform's public launch and pursuit of defense industry customers.
Challenges Faced
ScaleSec helped the startup navigate regulatory, technical, and procedural hurdles to meet ITAR compliance by a targeted launch date.
The platform's role under ITAR was not immediately clear, as the company did not fit the standard definition of a manufacturer, exporter, or broker of defense articles. ScaleSec communicated with the Directorate of Defense Trade Controls (DDTC) to clarify the company's requirements and responsibilities.
In reviewing the deployed Google Cloud Platform architecture, ScaleSec uncovered that some GCP services or features were not authorized for ITAR. ScaleSec recommended specific technical solutions to work around those constraints. Additionally, product updates were required to warn users of ITAR-controlled data in a clear but least-intrusive way, so ScaleSec developed clear guidance for achieving this balance.
As a startup, their established information security policy was lightweight and needed careful updates to meet requirements without adding unnecessary burden. Company staff were not familiar with the ITAR, so ScaleSec provided comprehensive and concise training to ensure they understood how to follow the newly required procedures.
Approach Taken
ScaleSec carefully navigated ITAR regulations to understand applicable requirements. In particular, the company needed to select a compatible security framework and establish a compliance program.
ScaleSec recommended building a program using the NIST SP 800-171 framework, to meet both immediate and future compliance goals. ScaleSec then reviewed existing processes and technical architectures against ITAR and NIST SP 800-171 to identify required changes. ScaleSec recommended specific technical changes to meet these requirements without degradation of resiliency or performance, going beyond simply informing the company that they did not meet a requirement.
ScaleSec also drafted an updated information security policy to meet requirements while avoiding unnecessary burden. Finally, ScaleSec trained the company's staff on ITAR compliance and provided a customized training curriculum for new employee onboarding and refresher training.
Results
With ScaleSec’s assistance, the company launched on schedule with ITAR compliance support, enabling immediate engagement with US defense industry customers for the design and development of export-controlled articles. ScaleSec and this startup continue to collaborate on additional cloud architecture, security, and compliance goals.