As the coronavirus pandemic continues to explode, the IAF, IAQG, accreditation bodies and certification bodies are trying to figure out ways to pretend that they can conduct business as usual, while being barred from physical entry to most clients’ facilities. They are turning to remote auditing using Information Communications Techniques (ICT) as allowed by the IAF directives.
The problem is that these IAF directives were written for generic ISO audits (ISO 9001, ISO 14001, etc.) and not industry-specific schemes such as AS9100. In addition, the IAF directives require that any use of ICT remain compliant with local laws.
The International Traffic in Arms Regulation prohibits the unauthorized export of defense articles (which includes technical data). That’s the law in shorthand, the actual regulations are much, much more complicated. An organization must take reasonable care to determine whether the network/server used to transmit or store the controlled technical data is not located outside the United States, and/or is not accessible to non-US Persons without prior US government authorization. Failing to do so could result in an inadvertent escape, and thus a violation to the ITAR or EAR.
The short version, therefore, is that it’s nearly guaranteed that any remote AS9100 audit will result in violations of ITAR or its regulatory cousin, EAR. These violations are typically felonies, putting those who violate it at risk of massive, organization-crushing fines and even imprisonment.
So far, the IAQG has not offered any guidance on this, and appears to be ignoring it. NQA’s UK-based Aerospace Director Michael Venner published a LinkedIn video boasting about how NQA is conducting remote AS9100 audits using Skype, MS Teams or Zoom, all with IAQG permission. (I haven’t confirmed that they actually received that permission, and so far IAQG hasn’t commented.) I immediately pointed out that such methods would ensure ITAR violations, and Venner’s post disappeared — whether I was blocked or the post was deleted is not clear.
NQA’s UK website does indicate that remote audits may be conducted via “GoToMeeting, Teams, Google Hangouts or Skype,” consistent with Venner’s LinkedIn post. However, another NQA memo dated March 18th says they had not gotten permission (at that time) to include AS9100 in these remote audits, but were working on it, saying, “We anticipate aerospace certification (AS 9100 etc.) will be moving to remote based auditing in the near future.”
But NQA isn’t alone. Other CBs are trying to keep afloat by pretending they can perform remote AS9100 audits. Maybe they can, but maybe they shouldn’t because it’s clearly illegal.
Current Tools Are Not ITAR Ready
Obviously, any remote audits will rely on IT solutions — that’s what “ICT” addresses, of course. This means videoconferencing, telephony, instant messaging, web conferencing, etc. All of these require servers to operate. To maintain ITAR compliance, such servers — at all ends of the communication, as well as all points in between — would need to physically reside within the United States. Most companies cannot guarantee this. Furthermore, even if the various providers ensure end-to-end encryption, it doesn’t matter — the servers will must be in the US, even if the communication is encrypted.
So let’s examine the various common platforms.
Zoom (security white paper here) claims to be FedRamp compliant, but that alone does not ensure ITAR compliance. In fact, the University of Illinois at Urbana-Champaign issued a use-case disclaimer that deemed Zoom as not acceptable for ITAR/EAR communications.
MS Teams and Sharepoint are products within MS Office 365 suite, and out-of-the-box do not comply with ITAR or EAR. Instead Microsoft offers government agencies or contractors two special options for conferencing and collaboration that meet the regulations: “Microsoft Azure Government” or “Microsoft Office 365 US Government for Defense.” The latter requires the organization to have over 30,000 employees, putting it far out of reach for any AS9100 CB or their clients. According to a Microsoft security white paper:
Customers with ITAR-controlled data are eligible for enrollment in Office 365 U.S. Government Defense provided they sign additional agreements formally notifying Microsoft of their intention to store ITAR-controlled data so that Microsoft may comply with responsibilities both to customers and to the US government.
GoToMeeting’s white paper on security claims to have end-to-end encryption, but does not guarantee its servers or data colocation centers are physically located in the United States. It’s website mainly boasts of HIPAA compliance, and makes no mention of ITAR or EAR, and it is not FedRamp compliant.
Cisco’s WebEx is not even close to ITAR compliant, and it openly discusses how it uses the data of its users, including “call participant information, including email addresses, IP address, username, phone numbers, room device information.” Worse, Cisco claims to capture “meeting and call recordings, transcriptions of call recordings, [and] uploaded files.”
Bluejeans has been deemed as not allowable for ITAR/EAR data transmission by the University of Michigan. U-M also researched and claims that Google Drive cannot be used for ITAR information, and repeats that the same restrictions apply to MS Office, OneDrive, and Zoom, among others.
Google Hangouts is marketed by Google itself as not being suitable for ITAR, saying, “Google does not support use of our services with ITAR-controlled data.” This statement means that not only Hangouts is non-compliant, so are Google’s office suite of apps, such as Docs, Slides and Sheets. The security add-in Virtru does appear to add ITAR compliance to GSuite, but it’s not clear if that would then apply to Hangouts.
WhatsApp doesn’t even claim to be ITAR compliant, and I doubt anyone would ever accuse it of being so. The bulk of WhatsApp users are outside the United States, so just their use would ensure ITAR violations. (You couldn’t use an ITAR compliant system to send information to a non-US person, as that would still violate ITAR.)
If anyone is using Facebook Messenger, just stop. Really.
As a result, the available tools which could be used for AS9100 remote auditing are slim to none. It’s also not clear (to me) whether the tools would need to be used by both ends, or just the client — but the client would have to have assurances that the CB isn’t then taking the ITAR controlled data and using it back at the CB office in a non-ITAR secure manner or location. (As I said, CBs are not ITAR registered.)
Which means the only way for AS9100 CBs to conduct remote audits is to not examine any information that might be ITAR controlled. Which, during an AS9100 audit for many companies, is nearly everything.
IAQG Must Step Up
It’s bad enough that CB auditors can’t find nonconformities when they are on-site, looking at actual evidence. It gets worse when we ask them to do this remotely, and they can’t personally select evidence. It’s wholly unworkable to then ask them to conduct an audit while avoiding all ITAR and EAR data entirely.
I suspect what will happen is the IAQG and CBs will continue to just push their clients into breaking the law, and hope no one gets caught. IAQG is trading the health security concerns of the COVID-19 outbreak for serious felony risks for violations of ITAR. I don’t think that’s good.
But IAQG has shown no interest in ensuring AS9100 certifications are only given to companies that don’t commit felony-level ITAR crimes. FLIR Surveillance was forced to pay $30M in fines after over 340 ITAR violations. They not only had AS9100 certification at the time of the violations, they maintained it and still have it to this day (issued by LRQA.) IAQG said nothing, despite AS9100 requiring companies to comply with applicable laws.
Instead, the IAQG and the world’s AS9100 CBs should throw their support behind the commonsense call for a 1-year extension of all AS9100 certifications, and cessation of all audits during the outbreak. CBs can continue to sell training or whatever it is they do, but they will have to suffer along with the rest of us, and shouldn’t threaten clients with loss of AS9100 certification during this unprecedented time.
You can read more about the Public Call for a 1-year extension of ISO and AS certificates here. I urge you to download the PDF and circulate it to your CB, AB and within your industry.
Mark Stevens of Aerospace Exports Inc., an ITAR consulting firm, contributed to this article.