
ITAR Compliance in Office 365


5 min read
Published on Oct 4, 2022

The world of government data is surrounded by regulation. Whether it’s FedRAMP, DFARS compliance, or the upcoming Cybersecurity Maturity Model Compliance framework (CMMC), operating as a government entity (or as a contractor who handles government data) can be tough.

Once you apply these bundles of regulations to an ever more complex technology ecosystem, the complexities start to mount. One of these regulatory documents is the International Traffic in Arms Regulations (ITAR), which controls the import and export of defense-related goods and information.

Today, we’re going to take a look at what ITAR is and how you can leverage Microsoft GCC High to meet ITAR requirements.

Understanding ITAR

The International Traffic in Arms Regulations was initially enacted during the Cold War with the USSR. Today, it still stands as one of the most critical pieces of legislation governing defense-related data and goods. It’s important to note that there have been changes since the original enactment of ITAR. For example, satellite technology, which was critical during the Space Race, has been removed from ITAR due to the need for more robust global competition.

But while some technology and goods have been removed from ITAR, its scope has significantly increased in recent years due to the addition of data.

To figure out what types of data, goods, and services are impacted by ITAR, we need to look at ITAR itself [22 CFR 120-130], which states that the following are covered under its scope:

  • Military items or defense articles (these are typically classified by USML categories)
  • Military goods and technology designed to kill or to defend against lethal force
  • Most space technology
  • Technical data related to defense articles and services

In a cloud setting, the fourth item on that list is going to be the primary driver of compliance. Securing ITAR-controlled data is a crucial step towards avoiding ITAR fines. While the fines themselves can be harsh (see below), violations can also result in the loss of contracts or relationships with federal entities, as well as civil or criminal actions.

The Directorate of Defense Trade Controls, which oversees ITAR, says the following:

“ITAR violations can have other consequences as well, including the denial/revocation of licenses and other export authorizations, compliance oversight, and the loss of business opportunities.”

Briefly, let’s cover the fines for ITAR violations. They come in two categories: civil and criminal.

Civil Fines

Civil fines for ITAR violations can exceed $1 million per infraction. We can see a few examples of this in action:

  • Meggitt USA was fined $25 million due to ITAR violations in 2013.
  • BAE Systems was fined $78 million due to ITAR violations in 2011.
  • Esterline was fined $20 million due to ITAR violations in 2013.
  • Darling Industries was fined $400,000 due to ITAR violations in March of this year.
  • Flir was fined $30 million due to ITAR violations in 2018.

There have been thousands of civil actions issued throughout the lifespan of ITAR.

It’s important to note that a SINGLE violation can (and will) cause you to face fines. This can be something as simple as a single infraction involving technical data, which is what happened to Massachusetts-based Microwave Engineering Corporation in 2016.

Criminal Fines

Criminal penalties can exceed $1 million per infraction OR up to 20 years of imprisonment.

  • BAE Systems paid a $400 million criminal fine due to ITAR violations in 2010.

Again, there have been many cases of criminal fines over the years. BAE was certainly one of the largest, and it still stands as a critical look at how severe the penalties can be, and how crucial security is in the government space. Remember, even if you don’t deal with defense articles and services, you are likely still subject to compliance requirements via FedRAMP and DFARS. To learn more about these, check out our posts detailing their particulars:

  • DFARS
  • FedRAMP

Microsoft and ITAR

One of the biggest complexities involved in ITAR compliance is that its regulations are broad, not granular. So there aren’t specific requirements that must be met on your cloud provider’s end to earn ITAR compliance. In fact, there is no ITAR certification for cloud companies.

This puts government entities and contractors in a bit of a pickle. You need cloud solutions to handle your critical data (especially post-Cloud First Policy), but you don’t have a specific standard to look for.

Don’t worry! Microsoft has your back. Realizing that ITAR compliance is a necessity for many government agencies and contractors, Microsoft has baked ITAR compliance into its government cloud services. This means that Microsoft’s government cloud offerings are ITAR compliant despite the lack of a formal certification.

Why Is This Important?

Microsoft is one of the few cloud companies that has publicly claimed ITAR compliance for its government cloud. This means that the entire cloud ecosystem meets the standards of ITAR and is designed to effectively secure and monitor data to reduce risk for agencies and contractors.

Currently, there are two Microsoft offerings with ITAR compliance.

Remember, ITAR compliance is not native to these solutions out of the box. You MUST work with your Microsoft partner to set up the correct policies, agreements, and system architecture to enable ITAR compliance. If you are considering GCC High, we strongly suggest getting Microsoft authorization for GCC High as early as possible to avoid having it hold up your migration later.

Conclusion

The International Traffic in Arms Regulations (or ITAR) is a set of standards that agencies and contractors must meet. These standards apply to a variety of contractors and data types. It’s important to understand the scope of ITAR and whether or not it applies to the data you hold. Once you know your role in ITAR, you’ll need a cloud service that can handle that data safely and securely.

Microsoft has two solutions that can act as critical enablers for government compliance while still offering the ease of use and core services that make Microsoft such a powerful cloud provider.

If you’re interested in Microsoft Office 365 GCC High but you’re not sure where to start, contact us. We were one of the first Microsoft Partners able to provide GCC High licensing. Not only can we provide licensing, but we can fast-track your cloud adoption and help you set up the correct policies and system architecture you need to succeed.

Ready to move to a compliant cloud solution? Request a quote.
