Comprehensive Guide to Export Controls Compliance for Aerospace and Defense Firms
Join Norv Leong from NexLabs as he delves into export controls compliance, covering ITAR and EAR regulations, use cases, and solutions for aerospace and defense.
Intro to Export Controls Compliance
Added on 10/01/2024

Speaker 1: Good morning, good afternoon, or good evening, everyone, depending on where you're dialing in from. Thanks for taking the time to join us on today's webinar on export controls compliance for aerospace and defense firms. My name is Norv Leong, and I'm the Senior Director of Product Marketing over here at NexLabs. Now, before we get started, I wanted to get a couple of housekeeping items out of the way first. All the lines have been muted, but feel free to submit your questions via the Q&A box that you see on your screen. I've set aside the last five minutes or so to answer any questions that might come in during the course of the webinar. Secondly, this webinar is being recorded, so we'll send you guys a copy of the recording within a couple days. So, without further ado, I'm just going to dive right on in here, because we've got quite a bit of information to cover. Here's a little sneak peek that I'll be covering over the next 30 minutes or so. Start off with a brief intro on NexLabs, who we are, what we do, follow that up with a quick intro on export controls compliance, then dive a little deeper on specific use cases and customer pain points. That'll set the stage for how companies are addressing these gaps with solutions like NexLabs. Finally, we'll wrap things up with a case study, and like I said, I'll answer any questions that are submitted during the course of the webinar. So, let me start off with some background on NexLabs. We were founded in 2004 here in Silicon Valley, which we still count as our headquarters today. We've since expanded our offices to include the UK, France, Germany, Malaysia, Singapore, and China. Our customer list is a who's who of the Fortune 500, including many aerospace and defense firms such as Lockheed Martin, Rockwell Collins, and the Swedish Armed Forces, to name a few. But we've also got customers in other industries as well, like manufacturing, pharma, financial services, among several others. 
So as you can see, we've built a very strong ecosystem of partners ranging from tech leaders like SAP, Microsoft, IBM, and Amazon, to the large global systems integrators like Deloitte, Accenture, and Infosys. So since our inception, NexLabs has been singularly focused on protecting applications and data, and that's reflected in our sizable patent portfolio, over 50 awarded and another 30 pending. So let's get into the meaty stuff and why you're all here. Now when it comes to export controls compliance for aerospace and defense, two acronyms should immediately come to mind, ITAR, which stands for International Traffic in Arms Regulations, and EAR, which stands for Export Administration Regulations. Now these two sets of regs, regulations, were created to help ensure that defense-related technologies don't fall into the wrong hands. So essentially, information can only be shared with US citizens. ITAR is administered by the State Department and is more stringent than the EAR. For items potentially subject to both the EAR and ITAR, ITAR will take precedence. So EAR, on the other hand, it's administered by the Commerce Department and covers many items not within the domain of ITAR. Additionally, EAR can apply to both civilian and military applications, whereas ITAR is all about military applications. So items can fall under either EAR or ITAR, or maybe even both, and it doesn't always have to be a tangible object, which I'll get into in the next slide. So the movement of goods and information across country borders is a highly regulated activity. And like I said, the two regulations that inevitably come into play are ITAR and EAR. They're the two most important regulations that pertain to export controls. Usually you need an appropriate license or technical assistance agreement to transfer export control technical data or products subject to ITAR and EAR. So the purpose of these controls is to avoid inappropriate disclosure of military information to non-US citizens. 
Otherwise, you're going to get slapped with a penalty. So this also includes, quote unquote, deemed exports, which is the sending of export control technology, information, or source code to a foreign national located in the US. So these export control regulations affect a variety of activities, including many that take place physically within the United States. So export control is also not just about moving physical products. It's also about services like consulting, training, even speaking slots at conferences that fall within these regulations too. So on your screen, I've included a couple examples of what would be considered exports. Even glancing at design specs on someone's desk, you know, emailing data to a foreign partner or uploading content to the cloud. These would all be examples of exports subject to ITAR regulations. And lastly, an organization will typically have an export control office or ECO to help advise on compliance matters. So if you happen to violate ITAR or EAR, the penalties can be quite steep. Criminal fines are the greater of $250,000 or twice the amount of the transaction at issue. Administrative penalties, it can be up to $250,000 per violation. And on the criminal side, criminal penalties can be up to $1 million per violation, or even 10 to 30 years of jail time, depending on the violation. So there are some certain ITAR use cases that tend to pop up over and over again, and I think it's worth spending a good chunk of this webinar going over some of the key ones here. The first one is what we call limiting access to ITAR technical data. ITAR policies require that access to technical data is restricted to U.S. persons. Typically, technical data is managed in document management systems or on file servers. And while in these types of repositories, local controls may prevent ITAR access violations. 
However, these controls are insufficient to meet ITAR requirements once data is removed from the repository where no usage controls exist, therefore allowing data to be misused. Just to give you an example, an authorized user may need to copy a design file to an engineering workstation to complete the design. Now once copied to the workstation, no further controls exist for where the file may be saved or sent. So a violation, even unintentional, now has the opportunity to occur. A second use case, which we see often, we'll call it contamination see-through, ITAR will control a commercial item if a product or component that is subject to ITAR control is incorporated into it. For instance, if a part originally designed for military aircraft is used in a commercial airliner, the airliner is subject to ITAR while that ITAR-controlled part remains integrated into the airliner. So this situation presents unique risks when applied to ITAR technical data such as specifications and software, you know, where documents and code, they're easily reused between products. So to prevent the contamination that I just described, it's important that data pertaining to defense articles be kept separate from commercial data with any mixing of technical data prevented. The third one, transfers not matched to licenses, you know, export of technical data occurs any time that information is sent outside of the U.S. or provided to foreign persons within the U.S. So many of these types of exchanges are, however, allowed under license. Transfers of technical data under licenses must be accounted for and reported, similar to the export of physical goods. Accounting and tracking data movement can be difficult since transfer of electronic technical data can occur over multiple channels, including email, IM, FTP transfers, or web uploads. So because the transfer of electronic data is so frictionless, it is difficult to accurately account for exported information as required by regulations. 
Fourth use case, transfer over unauthorized channels is a big one. So in the design and manufacture of defense articles, companies often collaborate across a complex supply chain. A single product may include parts from suppliers, and each part may have several companies involved in design and manufacture. So in these cases, technical data is shared between organizations. The transfer of data requires approved distribution methods to prevent the exposure during transmission. For example, if data travels through systems or networks that are administered by foreign persons, there is definitely an opportunity for inappropriate disclosure. Fifth common use case is commercial product contamination. In many aerospace and defense, high-tech, and even industrial firms, you know, engineering development and manufacturing resources are used for both ITAR projects and commercial projects. You know, this multi-use environment can create the potential for accidental disclosure of technical data and contamination of commercial projects. In these environments, users, systems, and applications are all potential bridge and leakage points. Just to give you an example, say an engineer copies design files to a workstation that's accessible to foreign persons. Similarly, a server application with ITAR-controlled designs may be administered by a foreign person, potentially exposing the files. So while utilizing shared resources across ITAR-controlled and commercial environments allows companies to economize by reducing infrastructure costs, it also increases the potential for inappropriate exposure. So you know, any kind of solution that you're looking at has to protect the integrity of mixed-use environments by enforcing the appropriate access and use for technical data that allows businesses to realize the economies of managing information across shared resources. And the final use case I wanted to go over with you guys has to do with mobile data and remote access use. 
So access to ITAR technical data from locations outside the U.S., even by approved or authorized persons, is considered an export of technical data. Similarly, the transport of technical data on a mobile device, such as a laptop, outside the U.S. is considered an export of technical data. But these export activities are either prohibited or allowed under an existing export license. Furthermore, data access requires that controls are applied based on the current location of the end user and endpoint system, along with the means to identify ITAR data that is stored on a mobile device to ensure that that device is free of technical data before it is brought outside the country. So continuing on from the previous slide, there are certain customer pain points that have emerged as a result of these use cases that I just walked you through. In order to be compliant with these ITAR and EAR regulations, addressing the following pain points that I'm going to go through is absolutely critical. The first one, right there on your screen, real-time monitoring and enforcement of export controls over sensitive data is a big one. So given the sensitivity of the data governed by ITAR and EAR, being able to enforce policies in real time is absolutely crucial. If there's any delay at all, the damage can already be done. Second, centrally managing access control policies eliminates a lot of administration headaches and ensures that policies are aligned with the business's objectives and that they're applied consistently across the enterprise. Now, enabling safe collaboration between employees, partners, and contractors is a necessity for effective global product development as well, and it makes the supply chain much more efficient without having to compromise on your security requirements. And then finally, enhancing business agility is also a key pain point for many customers. 
You know, you want to be able to respond quickly to changing business conditions in order to stay relevant in a highly competitive economy. So the NextLabs mission is quite simple, you know, to protect data anywhere, anytime. Doing this, though, requires a delicate balancing act. You know, you have to ask yourself, how do I balance the need to share with the need to protect? You need to provide the right level of access to data in order to run your business effectively. But on the other hand, you need a requisite level of data security and compliance with applicable regulations, you know, such as ITAR. On one side, you've got the need to share information within a company or perhaps with partners to get things done. Maybe you're part of a supply chain where you have to share your design plans with upstream or downstream partners. Collaboration really is the name of the game, but you have to balance that against protecting the crown jewels, too. So you want to share only that part of the confidential data necessary for the task at hand. Similarly, you know, say there's a mergers and acquisitions event or maybe an ERP consolidation in the works. You have to ensure that sensitive data is protected and that all compliance requirements are met as efficiently as possible, so as not to slow down any business initiatives already in play. So how do you achieve this balancing act? In essence, a modern approach is needed to contend with the new challenges created by this new IT landscape, one in which the focus is on the data. Now, because 80 to 85% of data is originating from applications, an approach that takes into account the synergies between data and applications is going to be best suited to accommodating the complexities associated with this new landscape. 
So in essence, NextLab sees its data-centric approach as fundamental to safeguarding the business processes, you know, that further organizational agility, global collaboration, and cost reduction initiatives. And it all starts with classifying the data, so you know what you've got and where it is. Once you've got a handle on that, you can apply attribute-based access controls, or ABAC for short. ABAC, for those not familiar with this acronym, essentially is the next generation access control technology that takes role-based access control, or RBAC, several steps forward. So given the rapid proliferation of cloud and mobile, RBAC on its own is ill-equipped to keep up with the demands of this new IT landscape. With ABAC, attributes are characteristics about the user, the data, or the environment. You know, things like group, department, employee status, citizenship, position, device type, IP address, or any other factors which could affect the authorization outcome. Access decisions are based on this type of information. You're, in essence, protecting the data when it's sitting inside an application. Moving on, next is the scenario of when data leaves an application, and that's where encryption and rights protection come into play. You want the data to remain protected even as it leaves an organization. You may have heard the term digital rights management, or DRM for short, and that's exactly where this falls. And finally, you need a requisite amount of activity monitoring and auditing to meet all your compliance and governance requirements, and so that's why we refer to this as an end-to-end approach to protecting your data, really covering all aspects of security and compliance. So at the end of the day, the key benefits NextLabs provides can be boiled down into four buckets. The first, upper left-hand corner, automated compliance management, really simplifies the whole compliance management process. 
NextLabs allows companies to control and audit the export of technical data by applying real-time policies across the systems and applications where technical data is managed and stored. Second, this automated workflow lowers the cost of compliance as well. With so much automation in the NextLabs approach, this means less IT involvement and less application development to achieve the business's objectives. Thirdly, NextLabs enables secure collaboration. You know, with so many supply chain relationships in the aerospace and defense world, it becomes incredibly important to have a solution that allows for upstream and downstream collaboration without sacrificing on security. Finally, ultimately, companies are able to respond much more quickly to changes in business conditions or market requirements due to the flexibility that NextLabs provides. And here's a little case study that kind of ties it all together, really illustrating the value that NextLabs brings to the table. This one's about Lockheed Martin. I'm sure everybody's familiar with this company, aerospace behemoth here in the U.S. Their pain centered on protecting their intellectual property and securing their supply chain. So their main concern was to limit access on a need-to-know basis for their partners and customers. So their solution was NextLabs Entitlement Manager for SAP, which enforces authorization policies in real time based on attributes like citizenship, location, and geography. So with NextLabs deployed, Lockheed was able to restrict visibility of its sensitive data to only the materials partners managed on Lockheed's behalf. As I mentioned earlier, we'll be sending you a copy of this presentation. But in the meantime, if you'd like more information on anything I've covered today, check out our website or give us a call. On our website, you'll find tons of collateral and other helpful information. You can also read our blog or sign up for a demo. 
So we've got a few minutes, as I promised, left over for Q&A. So if you've got any specific questions, now's the time to shoot them on in. I'll do the best I can to answer them. While I was speaking, I noticed some had already come in. So I'm kind of doing some multitasking here. So apologies if I seem to have a little delay in getting to your question. A question that had come in earlier: How do I know if my item is export controlled or governed by ITAR? How should I put this? If an item is considered to be used all over the world, it does not necessarily mean that export controls don't exist. The cop-out answer would be, you know, it's best to consult with your export control office or ECO for help if you have one. In general, though, products and services that are listed on the U.S. Munitions List, sometimes you'll see the acronym USML, they're going to fall under ITAR. Items that are categorized on the Commerce Control List, or CCL, they're going to fall under EAR. So I mentioned earlier that the same item can fall under both ITAR and EAR, and when that happens, ITAR will take precedence. The other thing you guys have to keep in mind is that there are other U.S. agencies, too, such as Customs and Border Protection, you got the Department of Homeland Security, you know, even the FDA, Food and Drug Administration, you got ATF, which stands for Alcohol, Tobacco, and Firearms, even the Department of Energy. You know, these are all different federal agencies who may have jurisdiction over certain items or activities that also are subject to export controls. So great question. We get that one a lot. Somebody else is asking more of a product question here. Does NexLabs provide full audit capabilities for ITAR data? Short answer is yes. NexLabs provides a full audit trail detailing technical data access and usage to satisfy the ITAR requirements for audit. 
And it goes even further, too, by monitoring and detecting any user activity that violates export regulations and alerts administrators and users of any issue that requires attention. Somebody, like, a slightly different question. What kinds of reports does NexLabs provide out of the box? Out of the box, NexLabs produces reports on access to ITAR data by project, user, resource, location, or application. NexLabs can also create reports on policy activities and detailed reports on technical data transfers as well. There's a duplicate. Somebody asked, how do I get an export license? Basically, to get an export license, you need to work with your, once again, your ECO, your Export Control Office, since they can often spot potential issues before you actually submit it to the appropriate agency. But, you know, given that we're talking about the government here, you've got to allow yourself a lot of time and planning to get these types of licenses. I would say the average amount of time from submission to approval of a license is around three to four months. And taking a quick spin here through the Q&A list, yeah, the rest seem to be duplicates. But, you know, as I said, you know, if you guys have future questions that come to mind, don't hesitate to reach out to us should you have any of these future questions that you need answered. And hopefully you found this webinar helpful. And thank you for your time. And we hope to see you on future webinars.
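The following is an added example and not code from the webinar or from NextLabs' product: a small attribute-based access check that encodes the ITAR situations the speaker walks through (a deemed export to a foreign person inside the U.S., access from outside the U.S., transfer over a channel administered by foreign persons, and a licensed transfer) as explicit rules over user, data and environment attributes, with every decision written to an audit log. The attribute names, the rule ordering and the sample users and files are assumptions constructed for the example.

```python
"""Added example (not NextLabs' code): attribute-based access decisions for
ITAR technical data, modelled on the use cases described in the webinar.
Attribute names, rule ordering and sample data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    us_person: bool                       # U.S. citizen or lawful permanent resident


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str                   # "ITAR" or "COMMERCIAL"
    license_parties: frozenset = frozenset()  # users covered by an export license / TAA


@dataclass(frozen=True)
class Environment:
    country: str                          # current location of user and endpoint
    foreign_administered: bool = False    # system or network run by foreign persons


AUDIT_LOG: list[dict] = []                # every decision is recorded for reporting


def decide(subject: Subject, resource: Resource, env: Environment) -> tuple[str, str]:
    """Return (effect, reason). Only ITAR-classified data is restricted here."""
    if resource.classification != "ITAR":
        effect, reason = "PERMIT", "not export-controlled"
    elif env.foreign_administered:
        # transfer over an unauthorized channel: exposure during transmission
        effect, reason = "DENY", "channel administered by foreign persons"
    elif subject.user in resource.license_parties:
        effect, reason = "PERMIT", "transfer covered by export license"
    elif not subject.us_person:
        # applies even when the foreign person is inside the U.S.: a deemed export
        effect, reason = "DENY", "deemed export to foreign person"
    elif env.country != "US":
        # access from, or carrying the data to, a location outside the U.S. is an export
        effect, reason = "DENY", "access from outside the U.S. without license"
    else:
        effect, reason = "PERMIT", "U.S. person inside the U.S."
    AUDIT_LOG.append({"user": subject.user, "resource": resource.name,
                      "country": env.country, "effect": effect, "reason": reason})
    return effect, reason


def run_scenarios() -> dict[str, str]:
    """Constructed sample subjects, resources and environments (not real data)."""
    spec = Resource("wing-actuator-spec.pdf", "ITAR", frozenset({"partner.eng"}))
    brochure = Resource("brochure.pdf", "COMMERCIAL")
    us_eng = Subject("alice", us_person=True)
    foreign_eng = Subject("bob", us_person=False)
    partner = Subject("partner.eng", us_person=False)
    us_office = Environment("US")
    return {
        "us_person_in_us": decide(us_eng, spec, us_office)[0],
        "deemed_export": decide(foreign_eng, spec, us_office)[0],
        "licensed_partner": decide(partner, spec, us_office)[0],
        "laptop_abroad": decide(us_eng, spec, Environment("DE"))[0],
        "foreign_admin_server": decide(us_eng, spec, Environment("US", True))[0],
        "commercial_file": decide(foreign_eng, brochure, Environment("DE"))[0],
    }


if __name__ == "__main__":
    for case, effect in run_scenarios().items():
        print(f"{case:22s} {effect}")
```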
