Data-at-Rest Build vs. Buy: Why Export Matters

Data-at-Rest Build vs. Buy: Why Export Matters
Data-at-Rest Build vs. Buy: Why Export Matters
Blog
August 08, 2022

Data-at-Rest Build vs. Buy: Why Export Matters

When a new vehicle is being planned and designed, engineers, system architects, program managers, and acquisition personnel typically debate three procurement options for the subsystems:

•    Design their own subsystem and build it themselves (BUILD)
•    Have a contractor build the subsystem (BUILD)
•    Locate and buy a commercial off-the-shelf (COTS) subsystem (BUY)

Each approach may get you to the same goal, but each has positive and negative aspects. Those decisions can only be made internally. The white paper Data-At-Rest Build vs. Buy Considerations for Deployed Storage Devices suggests some considerations that should be introduced in any such debate or trade study. 

The white paper focuses on data-at-rest (DAR) devices known as network-attached storage (NAS) or network file servers. These NAS devices are Ethernet-based and allow network clients to use the device as local storage. A NAS example is shown in Figure 1.

Figure 1 – Curtiss-Wright DTS1 NAS Example
Figure 1 – Curtiss-Wright DTS1 NAS Example

This blog focuses on one of those considerations: Export. The other considerations are lead time, loaners, encryption, quality, reliability, flexibility, cost, and risk. The perspective is that of a defense contractor in the United States (U.S).

Why does export matter?

For a U.S. defense contractor, the export consideration may matter a great deal. The wrong decision, in the beginning, may prove difficult to fix later and limit export options for the larger system.

  • To export the end system, you must carefully evaluate the export issues for the NAS and other subsystems. 
  • •    If you are only planning to sell to the U.S DoD, export is not a significant consideration.

ITAR-controlled devices

A NAS device designed specifically for military end use will almost certainly be categorized as ITAR-controlled.  ITAR stands for International Traffic in Arms Regulations. If a defense contractor designs and builds their own DAR device for a new military vehicle, that NAS device will almost certainly be designated as ITAR since it is designed specifically for military end use (the vehicle or platform).  

This ITAR designation will likely occur whether the NAS was built in-house or by a sub-contractor. The resulting ITAR designation will limit the countries to which it can be exported from the U.S.  Export of ITAR-controlled devices or products is controlled by the U.S Department of State. The countries where ITAR products can be exported are carefully controlled and restricted. While it may be denied publicly, many companies outside the U.S avoid ITAR-controlled products.  

If a defense contractor purchases a NAS from a COTS vendor, they can choose an ITAR-controlled device or an EAR (Export Administration Regulations) designated device. The export of EAR-designated products is controlled by the Department of Commerce under much less restrictive controls.   
Always consult with your export control experts in your company before making any decision.   

For a COTS NAS, you must check with the vendor regarding the export status and type of encryption (if used). Is the product ITAR or EAR designated?

Encryption Influence on ITAR designation

For newly deployed systems, DAR encryption is almost a certainty these days. U.S defense contractors will usually specify National Security Agency (NSA) approved encryption. There are two types of NSA-approved encryption – Type 1 and Commercial Solutions for Classified (CSfC). Curtiss-Wright offers NAS devices which use both encryption types and so provides a unique, balanced perspective.    

Like the ITAR versus EAR designation, choosing one type of encryption versus another type will also influence the export possibilities. For an in-depth analysis of encryption (both Type 1 and CSfC) and its need in deployed vehicles, see the white paper series and start with Data-At-Rest Encryption Series: Data Threats and Protection White Paper.

Type 1 Encryption

A Type 1 encryptor is defined as cryptographic equipment, an assembly or component classified or certified by the NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. The term refers only to products, not information, keys, services, or controls. Type 1 products contain approved NSA algorithms and are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with ITAR. Note the ITAR reference.  

Type 1 certification is a rigorous process that includes testing and formal analysis of (among other things) cryptographic security, functional security, tamper resistance, emissions security (EMSEC/TEMPEST), and security of the product manufacturing and distribution process. The third whitepaper in the DAR series discusses public information regarding Type 1 devices. Type 1 encryption devices are limited to use by the Five Eyes countries–U.S., Canada, Australia, New Zealand, and the United Kingdom. For other U.S allies (including NATO, Japan, and South Korea), Type 1 encryption will prove difficult to get export approval.  

CSfC Encryption

As an alternative to Type 1 devices, the NSA CSfC Program enables commercial products to be used in layered solutions, leveraging industry innovation to protect classified National Security Systems (NSS) data. This provides the ability to securely communicate based on commercial standards in a solution that can be fielded more quickly. The white paper DAR Series Part 2: Commercial Solutions for Classified (CSfC) discusses CSfC encryption.  

NSA has developed, approved, and published solution-level specifications called Capability Packages (CP) and works with technical communities from across the industry, governments, and academia to develop and publish product-level requirements in U.S. Government Protection Profiles (PP). CP for Mobile Access (MA), Campus Wireless LAN, Multi-Site Connectivity (MSC), and DAR solutions are now published on the CSfC website at: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/

The encryption in the NAS product in Figure 1 was developed based on the CSfC DAR CP. During its development, and even more recently, the NSA updated the DAR CP, and the device in Figure 1 has been upgraded accordingly. 

CSfC encryption is not inherently ITAR-controlled if funded by the COTS vendor and not targeted only for military end use but for a wider marketplace. This allows for much broader export opportunities under the EAR rules. Nevertheless, consulting with your export control expert (ECE) before any decision is very important.

Summary

Export of a NAS device will be controlled by the export designation – ITAR or EAR. An ITAR designation will make export to countries outside the US more restricted. An EAR designation will allow the export to more countries.  

The ITAR designation can result in two ways.  

  1. If the NAS device was designed for a specific military end use, then it will most likely be designated as ITAR. If the NAS were designed for the wider commercial market, it would likely is designated as EAR.   
  2. If the NAS uses Type 1 encryption, it will almost certainly be designated ITAR. If the NAS uses the CSfC encryption approach (not designed for specific military end use), it will likely be designated as EAR.  

Figure 2 shows a simple flow diagram regarding the NAS export designation. Again, consult with your company ECE before making any decision.   

Figure 2 - NAS Export Designation Decision Tree
Figure 2 - NAS Export Designation Decision Tree

 

Data-at-Rest Encryption

Today’s defense and aerospace platforms are required to protect critical data-at-rest (DAR) from unauthorized access. Curtiss-Wright offers cost-effective, proven, and certified commercial off-the-shelf (COTS) storage solutions that match various data security requirements.

 

Data-at-Rest Encryption Guide

This guide provides a brief overview of various encryption approaches and compatible, flexible solutions for each.

Download the Guide