Microsoft 365 Tenant Migration for ITAR-Regulated Organizations

As more organizations choose to migrate their data to the cloud, this creates unique security challenges, particularly for federal contractors that handle sensitive government data subject to the International Traffic in Arms Regulations (ITAR). These organizations must take extra precautions to ensure their data is secure and ITAR-compliant at each phase of the migration, as failing to properly protect export-controlled data can have serious repercussions. The fact is that failing to properly protect ITAR data can not only damage your reputation, but it could also result in your organization facing fines, penalties, and loss of contracts.

If your organization handles ITAR data and you operate in the cloud, it is essential that you choose the right cloud environment so your data is properly protected. For many entities subject to ITAR, this means migrating to a secure Microsoft tenant such as Microsoft Government Community Cloud (GCC) High. GCC High offers the security, compliance, and data residency features necessary to secure your data and ensure you maintain compliance with ITAR. Yet, due to the sensitive nature of the data being handled, these tenant migrations can be challenging and require extra care to ensure ongoing compliance throughout the migration process. To help you better prepare for your tenant migration, keep reading as we take a deeper look at ITAR and the effect it has on tenant-to-tenant migrations.

What is ITAR and Who Must Comply?

Of course, if you’re new to the world of federal contracts, the first thing you may find yourself wondering is what ITAR is and who it applies to. The International Traffic in Arms Regulations is a set of federal regulations that control the export and import of defense-related articles, services, and data. ITAR covers a wide range of items, including military gear, weaponry, equipment, software, and technical documentation like blueprints and schematics. As such, ITAR applies to all US companies that manufacture, export, or import defense articles, services, and technical data on the United States Munitions List (USML), such as manufacturers, exporters, vendors, and brokers, as well as foreign companies that receive or use US-origin defense articles or technical data. The goal of ITAR is to enhance national security and foreign policy interests by controlling the export and security of sensitive information.

ITAR Requirements for Cloud Environments

Since ITAR-controlled data is highly sensitive and could threaten national interests if it were to be compromised, ITAR outlines strict requirements for how this data must be handled, particularly when it is stored, transmitted, or processed in a cloud environment. While ITAR outlines various security controls entities must follow when operating in a cloud environment, some of the most important requirements it outlines include:

• Maintaining Strict Access Controls: To maintain ITAR compliance, any cloud service you use must only be accessible to, and serviced by, vetted U.S. citizens. Additionally, your ITAR data should only be accessible by authorized personnel who are U.S. citizens or legal permanent residents. Maintaining strict access controls and regularly monitoring who has access to ITAR data is then essential to maintain compliance.

• Employing End-to-End Encryption: To protect ITAR-controlled data, contractors must also implement robust encryption technologies that comply with FIPS 140-2 standards to ensure the proper protection of sensitive data during storage and transmission. End-to-end encryption is essential when transmitting sensitive data to ensure it remains secure from origin to recipient.

• Ensuring Data Residency: ITAR also requires that all ITAR data be stored in cloud environments located physically within the U.S. This will affect which cloud services you can use, as many store data outside of U.S. borders.

GCC vs. GCC High for ITAR-Regulated Data

Now that you have a better idea of what ITAR is and how it can affect the cloud services available to you, you’ll have to choose which cloud tenant is right for your organization. Most government contractors who handle sensitive government data, such as Controlled Unclassified Information (CUI), will either end up migrating to Microsoft GCC or GCC High. Yet, how will you know which one is right for you? While both platforms offer federal contractors a secure cloud platform that provides additional security and compliance features compared to Microsoft’s commercial tenants, GCC High is necessary for organizations that handle ITAR and EAR data. This is because only GCC High offers the strict compliance standards required by ITAR, such as data residency in the U.S., and restricted access to data by vetted, U.S.-based personnel. Microsoft GCC is better suited for organizations that handle CUI that does not involve export-controlled data.

ITAR-Compliant Migration Best Practices

Once you’ve chosen the appropriate Microsoft tenant to meet your organization’s compliance needs, you’ll be ready to start planning your migration. Taking the time to thoroughly plan each stage of your migration before you get started ensures the process goes as smoothly as possible, preventing potential complications that could result in extra downtime or lost data. A few best practices to ensure ITAR compliance during your GCC High migration include:

• Conducting Pre-Migration Compliance Assessments: Before starting your migration, perform a pre-migration compliance assessment. This can help you get a better sense of your current compliance posture and help determine if there are any compliance gaps that you’ll need to fix to ensure your CUI is secure during your migration. This can also help you make adjustments to your new tenant to ensure ongoing compliance.

• Isolating Export-Controlled Data and Planning Secure Transfers: Next, you’ll want to assess your network to determine where all your export-controlled data resides. Categorizing the types of data on your network and isolating export-controlled data can allow you to take extra precautions to protect your most secure data during your migration.

• Maintaining Logs, Audit Trails, and Chain of Custody: Maintaining compliance throughout your migration is crucial. As part of this process, it’s important that you maintain logs, audit trails, and chain of custody at each phase of your GCC High migration so that you can ensure your export-controlled data makes it to your new tenant secure and intact.

The Role of an MSP in ITAR Migrations

Ensuring your ITAR data is secure at each phase of a GCC High migration more than just meeting your contractual compliance obligations; it’s essential to protect national security and defense interests. Special caution must be taken during tenant-to-tenant migrations involving export-controlled data for proper protection leading up to, during, and after your migration.

For this reason, you should consider working with an experienced Managed Service Provider (MSP) during your tenant migration. The fact is that an experienced migration partner can help walk you through the process by making plans to secure your export-controlled data, helping to reduce compliance risks. The right MSP can reduce your compliance burden by ensuring data security and integrity throughout the migration process, handling important documentation, and by offering post-migration support for audits.

If you work with ITAR data and are in the process of planning a GCC High migration, you should consider contacting Agile IT today to learn how our team of experienced migration partners can help you navigate this complicated process. As a Microsoft AOS-G partner, we can help you achieve GCC High validation, choose and purchase the appropriate licenses for your compliance needs, and help facilitate your migration with ease. Additionally, as a Cyber-AB authorized RPO, we can also help you achieve CMMC compliance in your new tenant. Feel free to contact us today to learn more about our migration and compliance services.