ITAR Compliance in Office 365

Published on Oct 4, 2022

The world of government data is surrounded by regulation. Whether that’s FedRAMP, DFARS compliance, or the upcoming Cybersecurity Maturity Model Compliance framework (CMMC), operating as a government entity (or as a contractor who handles government data) can be tough.

Once you take these bundles of regulations and apply the ever-complex technology ecosystem to them, complexities start to mount. One of these regulatory documents is the International Traffic in Arms Regulations (ITAR) – which controls the import and export of defense-related goods and information.

Today, we’re going to take a look at what ITAR is and how you can leverage Microsoft GCC High to meet ITAR requirements.

Understanding ITAR

The International Traffic in Arms Regulations was initially enacted during the Cold War with the USSR. Today, it still stands as one of the most critical pieces of legislation governing defense-related data and goods. It’s important to note that there have been changes since the original enactment of ITAR. For example, satellite technology, which was critical during the Space Race, has been removed from ITAR due to the need for more robust global competition.

But, while some technology and goods have been removed from ITAR, it has significantly increased in scope in recent years due to the addition of data.

To figure out what types of data, goods, and services are impacted by ITAR, we need to look at ITAR [22 CFR 120-130], which states that the following are covered under its scope.

  • Military items or defense articles (these are typically classified by USML categories)
  • Both military goods and technology that are designed to kill or defend against death
  • Most space tech
  • Technical data related to defense articles and services

In a cloud setting, the fourth item on that list is going to be the primary driver of compliance. Securing ITAR-controlled data is a crucial step towards avoiding ITAR fines. While the fines themselves can be harsh (see below), actions can also result in the loss of contracts or relationships with federal entities, as well as civil or criminal actions.

The Directorate of Defense Trade Controls, which oversees ITAR, says the following.

“ITAR violations can have other consequences as well, including the denial/revocation of licenses and other export authorizations, compliance oversight, and the loss of business opportunities.”

Briefly, let’s cover the fines for ITAR. ITAR fines come in two categories, civil and criminal.

Civil Fines

ITAR civil fines can cost you upwards of $1 million per infraction. We can see a few examples of this in action.

  • Meggitt USA was fined $25 million due to ITAR violations in 2013.
  • BAE Systems was fined $78 million due to ITAR violations in 2011.
  • Esterline was fined $20 million due to ITAR violations in 2013.
  • Darling Industries was fined $400,000 due to ITAR violations in March of this year.
  • Flir was fined $30 million due to ITAR violations in 2018.

There have been thousands of civil actions issued throughout the lifespan of ITAR.

It’s important to note that a SINGLE violation can (and will) cause you to face fines. This can be something as simple as a single infraction for technical data, which happened to Massachusetts-based Microwave Engineering Corporation in 2016.

Criminal Fines

Criminal fines can cost you upwards of $1 million per infraction OR up to 20 years of imprisonment.

  • BAE Systems was assessed a $400 million criminal fine due to ITAR violations in 2010.

Again, there have been many cases of criminal fines over the years. BAE was certainly one of the largest, and it still stands as a critical look at how severe penalties can be in terms of fines and how crucial security is in the government space. Remember, even if you don’t deal with defense articles and services, you are likely still subject to compliance via FedRAMP and DFARS. To learn more about these, check out our posts detailing their particulars.

  • DFARS
  • FedRAMP

Microsoft and ITAR

One of the biggest complexities involved in ITAR compliance is that its set of regulations is broad, not granular. So, there aren’t specific requirements that must be met on your cloud provider’s end to earn ITAR compliance. In fact, there is no ITAR certification for cloud companies.

This puts government entities and contractors in a bit of a pickle. You need cloud solutions to handle your critical data (especially post-Cloud First Policy) but you don’t have a specific standard to look for.

Don’t worry! Microsoft has your back. Realizing that ITAR compliance is a necessity for many government agencies and contractors, Microsoft has baked ITAR compliance into its government cloud services. This means that Microsoft’s government cloud offerings are ITAR compliant despite the lack of certificate offerings.

Why Is This Important?

Microsoft is one of the few cloud companies that has publicly claimed ITAR compliance in its government cloud. This means that the entire cloud ecosystem meets the standards of ITAR and is designed to effectively secure and monitor data to reduce risk for agencies and contractors.

Currently, there are two Microsoft offerings with ITAR compliance.

Remember, ITAR compliance is not native to these solutions out-of-the-box. You MUST work with your Microsoft partner to set up the correct policies, agreements, and system architecture to enable ITAR compliance. If you are considering GCC High, we strongly suggest getting Microsoft Authorization for GCC High as early as possible to avoid having it hold up your migration later.

Conclusion

The International Traffic in Arms Regulations (or ITAR) is a set of standards that agencies and contractors must meet. These standards apply to a variety of contractors and data types. It’s important to understand the scope of ITAR and whether or not it applies to the data you hold. Once you know your role in ITAR, you’ll need a cloud service that can handle that data safely and securely.

Microsoft has two solutions that can act as critical enablers for government compliance — while still offering the ease-of-use and core services that make Microsoft such a powerful cloud provider.

If you’re interested in Microsoft Office 365 GCC High, but you’re not sure where to start, contact us. We were one of the first Microsoft Partners who could provide GCC High licensing. Not only can we provide licensing, but we can fast track your cloud adoption and help you set up the correct policies and system architecture you need to succeed.

Ready to move to a compliant cloud solution? Request a quote.
