ITAR and EAR Compliance in the Cloud

Recent changes to the EAR regulations provides a way for organizations to store data in Cloud environments and stay compliant with export rules. We first learned of these changes in the June 3, 2016 Federal Register but they are now final and part of the U.S. Code 15 CFR 734.18 and 734.19.

In short, the changes mean that organizations can store export controlled data in private and public Cloud environments like SharePoint, Office 365, Azure, Google, Box, etc., provided that the information has been secured using “end to end encryption.” End-to-end encryption in this case does not simply mean network transmission security such as a Virtual Private Network (VPN) or HTTPS. The definition of “end to end encryption” in the regulation is technologically means that the information must be encrypted and remain encrypted between the originator and recipient of the information, and that no unauthorized third parties have the ability to decrypt the information.

The requirement that third parties cannot decrypt is critical for employing end-to-end encryption as a means to comply with EAR. The native data at rest encryption feature of most Cloud Service Providers will not meet the definition of end-to-end encryption since the Cloud provider has access to both the data and the encryption key. Possession of the data and the decryption key allows Cloud providers the ability to access export controlled data without authorization by the information owner (originator), which violates 734.19. Further, data at rest encryption is not end-to-end encryption, at all. Data at rest encryption is only applied when the data…is at rest.

Note that the encryption related changes were NOT adopted in the ITAR regulation. Businesses that need to store ITAR technical data in the cloud must find ITAR-compliant cloud offerings. This blog has excellent analysis of changes and what was and was not included into ITAR.

For your convenience the sections of regulation cited in this blog are below:

§734.18 Activities that are not exports, reexports, or transfers.

(5) Sending, taking, or storing “technology” or “software” that is:

(i) Unclassified;
(ii) Secured using `end-to-end encryption;’
(iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and
(iv) Not intentionally stored in a country listed in Country Group D:5 (see supplement no. 1 to part 740 of the EAR) or in the Russian Federation.
Note to paragraph (a)(4)(iv): Data in-transit via the Internet is not deemed to be stored.

(b) Definitions. For purposes of this section, End-to-end encryption means (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary), and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.
(c) Ability to access “technology” or “software” in encrypted form. The ability to access “technology” or “software” in encrypted form that satisfies the criteria set forth in paragraph (a)(5) of this section does not constitute the release or export of such “technology” or “software.”

§734.19 Transfer of access information.

To the extent an authorization would be required to transfer “technology” or “software,” a comparable authorization is required to transfer access information if done with “knowledge” that such transfer would result in the release of such “technology” or “software” without a required authorization.

This is an update version of a blog originally published on