ITAR Compliance in Office 365

The world of government data is surrounded by regulation. Whether that’s FedRAMP, DFARS compliance, and the upcoming Cybersecurity Maturity Model Compliance framework(CMMC) — operating as a government entity (or as a contractor who handles government data) can be tough.

Once you take these bundles of regulations and apply the ever-complex technology ecosystem to them, complexities start to mount. One of these regulatory documents is the International Traffic in Arms Regulations (ITAR) – which controls the import and export of defense-related goods and information.

Today, we’re going to take a look at what ITAR is and how you can leverage Microsoft GCC High to meet ITAR requirements.

Understanding ITAR

The International Traffic in Arms Regulations was initially enacted during the Cold War with the USSR. Today, it still stands as one of the most critical pieces of legislation governing defense-related data and goods. It’s important to note that there have been changes since the original enactment of ITAR. For example, Satellite technology — which was critical during the Space Race — has been removed from ITAR due to the need for more robust global competition.

But, while some technology and goods have been removed from ITAR, it has significantly increased in scope in recent years due to the addition of data.

To figure out what types of data, goods, and services are impacted by ITAR, we need to look at ITAR [22 CFR 120-130], which states that the following are covered under its scope.

• Military items or defense articles (these are typically classified by USML categories)
• Both military goods and technology that are designed to kill or defend against death
• Most space tech
• Technical data related to defense articles and services

In a cloud setting, the fourth objective on that list is going to be the primary driver of compliance. Securing ITAR-controlled data is a crucial step towards avoiding ITAR fines. While the fines themselves can be harsh (see below), actions can also result in the loss of contracts or relationships with federal entities — as well as civil or criminal actions.

The Directorate of Defense Trade Controls — who oversees ITAR — says the following.

“ITAR violations can have other consequences as well, including the denial/revocation of licenses and other export authorizations, compliance oversight, and the loss of business opportunities.”

Briefly, let’s cover the fines for ITAR. ITAR fines come in two categories, civil and criminal.

Civil Fines

Civil fines can cost you +$1 million per infraction. We can see a few examples of this in action.

• Meggitt USA was fined $25 million due to ITAR violations in 2013.
• BAE Systems was fined $78 million due to ITAR violations in 2011.
• Esterline was fined $20 million due to ITAR violations in 2013.
• Darling Industries was fined $400,000 due to ITAR violations in March of this year.
• Flir was fined $30 million due to ITAR violations in 2018.

There have been thousands of civil actions issued throughout the lifespan of ITAR.

It’s important to note that a SINGLE violation can (and will) cause you to face fines. This can be something as simple as a single infraction for technical data — which happened to a Massachusetts-based Microwave Engineering Corporation in 2016.

Criminal Fines

Criminal fines can cost you +$1 million per infraction OR up to 20 years of imprisonment.

• BAE Systems was fined $400 million criminal fine due to ITAR violations in 2010.

Again, there have been many cases of criminal fines over the years. BAE was certainly one of the largest, and it still stands as a critical look at how severe penalties can be in terms of fines — and how crucial security is in the government space. Remember, even if you don’t deal with defense articles and services, you are likely to still subject to compliance via FedRAMP and DFARS. To learn more about these, check out our posts detailing their particulars.

• DFARS
• FedRAMP

Microsoft and ITAR

One of the biggest complexities involved in ITAR compliance is that its set of regulations are broad — not granular. So, there aren’t specific requirements that must be met on your cloud providers end to earn ITAR compliance. In fact, there is no ITAR certification for cloud companies.

This puts government entities and contracts in a bit of a pickle. You need cloud solutions to handle your critical data (especially post-Cloud First Policy) but you don’t have a specific standard to look for.

Don’t worry! Microsoft has your back. Realizing that ITAR compliance is a necessity for many government agencies and contractors, Microsoft has baked ITAR compliance into its government cloud services. This means that Microsoft’s government cloud offerings are ITAR compliant despite the lack of certificate offerings.

Why Is This Important?

Microsoft is one of the few cloud companies that has publicly claimed ITAR compliance in their government cloud. This means that the entire cloud ecosystem meets the standards of ITAR and is designed to effectively secure and monitor data to reduce risk for agencies and contractors.

Currently, there are two Microsoft offerings with ITAR compliance.

• Azure Government
• Office 365 GCC High

Remember, ITAR compliance is not native to these solutions out-of-the-box. You MUST work with your Microsoft partner to set up the correct policies, agreements, and system architecture to enable ITAR compliance. If you are considering GCC High, we strongly suggest getting Microsoft Authorization for GCC High as early as possible to avoid having it hold up your migration later.

Conclusion

The International Traffic in Arms Regulations (or ITAR) is a set of standards that agencies and contractors must meet. These standards apply to a variety of contractors and data types. It’s important to understand the scope of ITAR and whether or not it applies to the data you hold. Once you know your role in ITAR, you’ll need a cloud service that can handle that data safely and securely.

Microsoft has two solutions that can act as critical enablers for government compliance — while still offering the ease-of-use and core services that make Microsoft such a powerful cloud provider.

If you’re interested in Microsoft Office 365 GCC High, but you’re not sure where to start, contact us. We were one of the first Microsoft Partners who could provide GCC High licensing. Not only can we provide licensing, but we can fast track your cloud adoption and help you set up the correct policies and system architecture you need to succeed.

Ready to move to a compliant cloud solution? Request a quote.