ITAR Compliance in Microsoft 365 and Azure
Meeting CMMC Compliance with ITAR data
ITAR data is information that the International Traffic in Arms Regulations (ITAR) control with respect to the export and import of defense-related articles and services on the United States Munitions List (USML). Within the government’s Controlled Unclassified Information (CUI) program, some ITAR data is classed as a CUI Specified data type.
This content will help you answer the following five common questions about protecting export-controlled information, which is required in order to safeguard U.S. national security and further U.S. foreign policy objectives.
- Why am I required to protect ITAR data as a defense contractor?
- How does ITAR affect CMMC compliance?
- Is ITAR data CUI?
- What is ITAR compliance?
Understanding this information gives you the baseline of knowledge you need to build a plan and properly protect export-controlled information within your company.
What is ITAR Data?
ITAR data is information that the International Traffic in Arms Regulations (ITAR) control with respect to the export and import of defense-related articles and services on the United States Munitions List (USML). The USML is a list of articles, services, and related technology that the United States federal government has designated as defense- and space-related. Any article, service, or related data found on the USML requires an export license issued by the United States State Department before it can be exported. The USML has twenty-one categories of articles, covering everything from firearms and other weapons to toxicological and biological agents and technical data. You can find the full list here. If you would like to read the source regulations for ITAR, please reference 22 CFR Chapter I, Subchapter M, Parts 120-130.
ITAR has been in place since 1976, during the Cold War. The intention was to implement unilateral arms export control, as many other countries were under the same restrictions. Under ITAR, before a U.S. Person (a U.S. citizen, permanent resident, or political asylee; a part of the U.S. government; or a corporation, business, organization, or group incorporated in the United States under U.S. law) can export USML items to a foreign person, that U.S. Person must obtain authorization from the U.S. Department of State. These precautions are in place to protect the United States and our sensitive data.
Why Am I Required to Protect ITAR Data as a Defense Contractor?
According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles, defense services, or related technical data must be ITAR compliant. Companies that fall under these stipulations must register with the United States Directorate of Defense Trade Controls (DDTC) and are required to understand what ITAR compliance demands of them.
Think of it this way. CMMC, DFARS and NIST 800-171 compliance is at the top of most radars. Non-compliance isn’t an option when it comes to doing work with the government. Plus, being compliant helps keep your and your clients’ information safe and secure. With ITAR, the government is attempting to prevent the disclosure of sensitive information to foreign nationals. Just as you want to keep your data safe, you should want to keep your country’s data safe.
Do I Have ITAR Data?
Most companies with ITAR data will have the requirement called out in a contract with either a Prime Contractor or the US Government itself. Beyond that, if you have anything to do with any item, technical data or content on the USML, you need to be ITAR compliant. It’s always better to be safe than sorry, and this is no exception.
Once you determine that you have or will have ITAR data, your company must register with DDTC if you sell, manufacture, or export defense articles. This is an essential first step, even if you are just starting to think about exporting. Registration identifies you as eligible to apply for an export license; however, registration alone is not enough. You must be registered before entering into discussions with potential customers about ITAR-restricted items, and when you register you also commit to completing annual compliance reports.
This is pretty straightforward.
How Do I Protect ITAR Data?
First, and most importantly, you must understand that in the context of DFARS 7012 and CMMC, ITAR data is CUI Specified. This means that the baseline protections you are required to provide for CUI Basic also apply to ITAR data. Once those baseline protections are in place, you then add the CUI Specified requirements to your list of controls. If you are dealing with ITAR data while also holding contracts with the Department of Defense, you need to understand CMMC (especially CMMC 2.0 Level 2), DFARS and CUI requirements.
You will apply for an export license when you have a specific sale lined up. You’ll need a new export license for every additional sale, since the permits are country-specific. In adjudicating your license, the State Department may ask other U.S. Government agencies (such as the DoD) to review your request and make a recommendation.
As for keeping your ITAR data safe in your own environment, Microsoft offers several platforms that can meet ITAR compliance. Microsoft (Office) 365 GCC High and Microsoft (Office) 365 GCC High DoD are both capable of holding ITAR data, as are Azure Government and Azure Government DoD. These platforms allow you to stay compliant while dealing with sensitive, classified, and unclassified information. Microsoft 365 GCC High is the only Microsoft offering, besides the DoD-dedicated Microsoft 365, that ensures all data resides in U.S. data centers and is supported by background-checked U.S. persons. Those attributes make GCC High suitable for ITAR and EAR data.
For organizations that handle export-controlled data governed by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR), Azure Government cloud instances are especially beneficial because:
- All personnel employed at these locations must be United States citizens and must successfully pass a background screening.
- All data is stored in data centers on U.S. soil.
What are the penalties for ITAR violations?
National security, jail time, and major fines could be involved. If you’re worried, go through the list linked above and see if any criteria look familiar.
If you’re still not convinced, keep in mind that ITAR violations can result not only in criminal or civil penalties but also in imprisonment or being barred from future exports. Criminal penalties can go up to $1,000,000 and ten years of imprisonment per violation, and civil penalties can be as high as $500,000 per violation.