ITAR, Cloud, and Encryption

The International Traffic in Arms Regulations (ITAR) affect many businesses based or with operations in the United States. As businesses, especially small and medium sizes, embrace the cloud and other forms of digital transformation it becomes increasingly difficult to manage the responsibilities under ITAR as defense articles are virtualized and the definition of “export” becomes increasingly complex.

What is ITAR?

Where do we begin?! The ITAR is a US law that governs the export of military and defense technology as identified by the US Munitions List. Broadly, the controlled technology is referred to as “defense articles” or “defense services” and includes everything from flame throwers to software to Computer-aided design (CAD) files. The ITAR intersects but supersedes the Export Administrations Regulations. Navigating the combination of the ITAR and EAR is daunting and is guaranteed to keep export compliance professionals employed for the remainder of time.

Public Clouds and ITAR Technical Information

Small and medium businesses were the first to go all-in on the cloud. It’s no wonder why they were so eager to do so – small IT staff responsible for the security and maintenance of an increasing number of devices and connections experience a lot of value by offloading Exchange servers, file server appliances, and other commodity technologies to services like Microsoft Office 365.

There is no provision in the ITAR for a “Safe Harbor” if the data is encrypted.

The problem is the commercial cloud services like Microsoft Office 365, Google G Suite, Box, etc. are not suitable for data regulated by the ITAR. Put another way, businesses that store defense technical data in commercial cloud are violating the law. It doesn’t matter if the technical data is encrypted; there is no provision in the ITAR for a “Safe Harbor” if the data is encrypted. This is a big source of confusion in the market since there are many encryption vendors marketing the use of their email or file encryption solutions to allow use of commercial cloud offerings and still comply with the ITAR. Nope. Commercial cloud service providers use employees and contractors of any and all nationalities, residency status, and locations, thereby rendering their offerings completely incompatible with the access requirements of the ITAR – whether or not you encrypt the information. Read this blog for more information about encryption, ITAR, EAR, and clouds.

ITAR-Compliant Clouds

The only way to move to the cloud and maintain ITAR compliance is to guarantee that only US citizens and permanent residents have access to ITAR technical information and the systems used to store and process it. Using clouds approved for use by the government will be compatible with your needs. Not all these services are available to non-government organizations and some require minimum licenses (e.g. Office 365 Government requires a minimum of 500 users) that are too expensive for small businesses. Sadly, the ITAR market is perennially underserved but there are specialized cloud providers that offer ITAR-compliance file sharing and storage services with pricing that is attractive for businesses of any size.

Remember, that any cloud service is only as secure as how you use it. Be careful to manage access to your data, wherever it’s stored, according to the legal requirements of the ITAR.