Secure IP When Outsourcing: ITAR, ISO 27001 and ISO 9001

IP theft is a serious business problem that costs U.S. companies over $300 billion per year, according to research by the National Bureau of Asian Research. IP-related risk can take the form of counterfeiting, corporate espionage, ransomware attacks or compromised trade secrets. These risks are particularly acute in industries with advanced, sensitive products like medical devices, aerospace and defense (this article provides a great breakdown of risk reduction strategies in medical technology).

The US Department of Defense increasingly recognizes that IP theft risks not only private sector losses, but national security. The DoD is continuing to emphasize its desire to have contractors better identify where they may be vulnerable to intellectual property theft (and how that theft might impact national security). Air Force Lt. Gen. David Allvin, then the Joint Staff's strategy director for plans and policy, noted that even apparently innocuous technology can constitute a threat: “It becomes a relationship between us and the defense industrial base,” and “understanding this relationship about what is there in the commercial industry that, in it of itself, doesn't qualify as classified -- but when it's aggregated with others -- can put together pieces that in the aggregate can be classified.”

With these financial and national security risks in mind, the focus on securing IP is only going to become a more and more integral part of manufacturing and product development. The security of the development process depends not only on following the requisite best practices internally, but also on ensuring that every vendor with access to sensitive data is taking the proper precautions. In this blog, we review some important security credentials for vendors who participate in your manufacturing and/or product development process: ITAR registration and ISO 9001/27001 Certifications.  

In addition to these credentials, limiting the number of vendors with access to product data can be a great way to limit risk. Vendors with the greatest possible breadth of service offerings can reduce exposure without sacrificing access to the expertise and resources needed for a successful project.

CRUCIAL REQUIREMENTS FOR SECURING YOUR PRODUCT IP

No matter what precautions an organization takes internally, its product data will only be as safe as the “weakest link” in the team of vendors involved with the project. A single careless vendor can risk exposing competitive secrets, compromise project success, and even open up vulnerabilities for ransomware attacks.

The right credentials can help establish that a vendor has instituted established best practices for securing product data and communications. Three important credentials to look for are:

1. ITAR registration

2. ISO 9001 compliance

3. ISO 27001 compliance

We concisely explain the importance of each one below.

What is ISO 9001?

ISO 9001 is an international standard related to instituting a quality management system (QMS)—a systematic approach to providing products/services that fill customer and regulatory requirements.

Originally published in 1987 and last updated in 2015, ISO 9001 helps companies verify that suppliers are following accepted best practices for quality assurance.

What is ISO 27001?

ISO 27001 is an international standard relating to information security. It governs best practices for the establishment of an information security management system (ISMS). An ISMS helps ensure that security controls are instituted systematically, rather than managed haphazardly through separate plans for IT security, data protection, business continuity etc.

Published in 2005 and updated in 2013, ISO 27001 effectively helps ensure that information security is a holistic organizational commitment, not simply a laundry list of IT tools.

What is ITAR registration?

ITAR refers to “The International Traffic in Arms Regulations,” a set of federal government regulations governing defense-related exports. Registration is required for organizations that manufacture a list of defense-related articles (including products, services and data), as defined by the United States Munitions List.

By registering with ITAR, an organization agrees to maintain compliance with ITAR requirements. In general, these best practices pertain to due diligence for closing any security gaps in an organization’s supply chain.

SECURE PRODUCT DEVELOPMENT BEYOND THE CREDENTIALS

In many industries, the security credentials outlined above are regulatory necessities. Even when they are not required, they can be valuable indicators that a supplier can be trusted with your data.

Your overall approach to managing vendors in the product development process can also play a valuable role in reducing risk. The right credentials are a great starting point for ensuring that your vendors are following best practices. But even an organization that takes proper precautions is not invulnerable to security risks (whether they stem from careless employees or a missed IT update). For this reason, each additional vendor who works with your product data represents at least some additional risk.

In this context, limiting the number of vendors involved with the product development process is a straightforward way to reduce the exposure of your sensitive data. More vendors mean more certifications to verify, more potential points of failure for security protocols, and more inter-organization touchpoints where security gaps can develop. By working with secure vendors who offer the greatest possible breadth of services, you can reduce risk without sacrificing access to the expertise and manufacturing capabilities your product needs.

Empire Group provides a great example. We are ITAR registered, maintain the latest ISO 9001 and ISO 27001 certifications, and take pride in offering services to clients with stringent security requirements. Our quality systems are tested daily by defense, medical device, and Fortune 500 Companies (including Raytheon, Boston Scientific, Google and Amazon). And our breadth of service offerings helps our clients navigate the product development process development end-to-end with minimal additional vendors (even if the project needs support for design, early 3D modeling, rapid prototyping, and final assembly).

Our experience shows that this diverse portfolio of services provides outstanding value to clients through more than just reduced data exposure. Streamlining the number of vendors required is a great way to accelerate your product development process (we take a deeper look at why this can be so valuable here).

If you’re interested in learning more about working with a secure, full-service product development group, we encourage you to reach out to our team.