Data-at-Rest Build vs. Buy: Why Export Matters

Network attached storage ITAR

When a new vehicle is being planned and designed, engineers, system architects, program managers, and acquisition personnel typically debate three procurement options for the subsystems:

•    Design their own subsystem and build it themselves (BUILD)
•    Have a contractor build the subsystem (BUILD)
•    Locate and buy a commercial off-the-shelf (COTS) subsystem (BUY)

Each approach may get you to the same goal, but each has positive and negative aspects. Those decisions can only be made internally. The white paper Data-At-Rest Build vs. Buy Considerations for Deployed Storage Devices suggests some considerations that should be introduced in any such debate or trade study. 

The white paper focuses on data at rest (DAR) devices known as network attached storage (NAS) or network file servers. These network attached storage devices are Ethernet-based and allow network clients to use the device as local storage. A network attached storage example is shown in Figure 1.

Figure 1 – Curtiss-Wright DTS1 NAS Example
Figure 1 – Curtiss-Wright DTS1 network attached storage Example

This blog focuses on one of those considerations: Export. The other considerations are lead time, loaners, encryption, quality, reliability, flexibility, cost, and risk. The perspective is that of a defense contractor in the United States (U.S).

Why does export matter?

For a U.S. defense contractor, the export consideration may matter a great deal. The wrong decision, in the beginning, may prove difficult to fix later and limit export options for the larger system.

  • To export the end system, you must carefully evaluate the export issues for the network attached storage and other subsystems. 
  • •    If you are only planning to sell to the U.S DoD, export is not a significant consideration.

ITAR-controlled devices

A network attached storage device designed specifically for military end use will almost certainly be categorized as ITAR-controlled.  ITAR stands for International Traffic in Arms Regulations. If a defense contractor designs and builds their own data at rest device for a new military vehicle, that network attached storage device will almost certainly be designated as ITAR since it is designed specifically for military end use (the vehicle or platform).  

This ITAR designation will likely occur whether the network attached storage was built in-house or by a sub-contractor. The resulting ITAR designation will limit the countries to which it can be exported from the U.S.  Export of ITAR-controlled devices or products is controlled by the U.S Department of State. The countries where ITAR products can be exported are carefully controlled and restricted. While it may be denied publicly, many companies outside the U.S avoid ITAR-controlled products.  

If a defense contractor purchases a network attached storage from a COTS vendor, they can choose an ITAR-controlled device or an EAR (Export Administration Regulations) designated device. The export of EAR-designated products is controlled by the Department of Commerce under much less restrictive controls.   
Always consult with your export control experts in your company before making any decision.   

For COTS network attached storage, you must check with the vendor regarding the export status and type of encryption (if used). Is the product ITAR or EAR designated?

Encryption Influence on ITAR designation

For newly deployed systems, data at rest encryption is almost a certainty these days. U.S defense contractors will usually specify National Security Agency (NSA) approved encryption. There are two types of NSA-approved encryption – Type 1 and Commercial Solutions for Classified (CSfC). Curtiss-Wright offers network attached storage devices which use both encryption types and so provides a unique, balanced perspective.    

Like the ITAR versus EAR designation, choosing one type of encryption versus another type will also influence the export possibilities. For an in-depth analysis of encryption (both Type 1 and CSfC) and its need in deployed vehicles, see the white paper series and start with Data At Rest Encryption Series: Data Threats and Protection White Paper.

Type 1 Encryption

A Type 1 encryptor is defined as cryptographic equipment, an assembly or component classified or certified by the NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. The term refers only to products, not information, keys, services, or controls. Type 1 products contain approved NSA algorithms and are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with ITAR. Note the ITAR reference.  

Type 1 certification is a rigorous process that includes testing and formal analysis of (among other things) cryptographic security, functional security, tamper resistance, emissions security (EMSEC/TEMPEST), and security of the product manufacturing and distribution process. The third whitepaper in the data at rest series discusses public information regarding Type 1 devices. Type 1 encryption devices are limited to use by the Five Eyes countries–U.S., Canada, Australia, New Zealand, and the United Kingdom. For other U.S allies (including NATO, Japan, and South Korea), Type 1 encryption will prove difficult to get export approval.  

CSfC Encryption

As an alternative to Type 1 devices, the NSA CSfC Program enables commercial products to be used in layered solutions, leveraging industry innovation to protect classified National Security Systems (NSS) data. This provides the ability to securely communicate based on commercial standards in a solution that can be fielded more quickly. The white paper DAR Series Part 2: Commercial Solutions for Classified (CSfC) discusses CSfC encryption.  

NSA has developed, approved, and published solution-level specifications called Capability Packages (CP) and works with technical communities from across the industry, governments, and academia to develop and publish product-level requirements in U.S. Government Protection Profiles (PP). CP for Mobile Access (MA), Campus Wireless LAN, Multi-Site Connectivity (MSC), and DAR solutions are now published on the CSfC website at:

The encryption in the network attached storage product in Figure 1 was developed based on the CSfC data at rest CP. During its development, and even more recently, the NSA updated the data at rest CP, and the device in Figure 1 has been upgraded accordingly. 

CSfC encryption is not inherently ITAR-controlled if funded by the COTS vendor and not targeted only for military end use but for a wider marketplace. This allows for much broader export opportunities under the EAR rules. Nevertheless, consulting with your export control expert (ECE) before any decision is very important.


Export of a network attached storage device will be controlled by the export designation – ITAR or EAR. An ITAR designation will make export to countries outside the US more restricted. An EAR designation will allow the export to more countries.  

The ITAR designation can result in two ways.  

  1. If the network attached storage device was designed for a specific military end use, then it will most likely be designated as ITAR. If the network attached storage device was designed for the wider commercial market, it would likely is designated as EAR.   
  2. If the network attached storage device uses Type 1 encryption, it will almost certainly be designated ITAR. If the network attached storage uses the CSfC encryption approach (not designed for specific military end use), it will likely be designated as EAR.  

Figure 2 shows a simple flow diagram regarding the network attached storage export designation. Again, consult with your company ECE before making any decision.   

Figure 2 - NAS Export Designation Decision Tree
Figure 2 - Network Attached Storage Export Designation Decision Tree