Achieving ITAR Compliance in the Cloud
The International Traffic in Arms Regulations (ITAR) requires sophisticated, comprehensive information and data management capabilities. The many regulatory details of ITAR are meant to ensure that an organization’s information and materials pertaining to defense and military technologies on the United States Munitions List (USML) are shared only with US and authorized entities. On the surface, this may seem like a simple mandate, but, in practice, achieving it can be incredibly challenging for many organizations. The right set of IT solutions can significantly enhance a company’s ability to meet these complex requirements.
For example, many technologies are dual-use. This means that when information is shared regarding a commercial product or service, steps must be taken to ensure that all ITAR-related information is carefully and completely purged. In the case of marketing and scientific materials, for example, general materials may not be subject to ITAR requirements. But understanding the difference between what is and is not subject to ITAR requires an in-depth knowledge of licensing terms, agency directives, court interpretations, and other guidance.
In order to manage the complexities and nuances of ITAR, organizations must have sufficient metadata to classify, catalog, and separate documents and must possess the ability to precisely control information access. It is equally critical to control the location, archiving, replication, and purging of documents and to control the management of the media storing the information. Without these capabilities, a company is at risk of disclosing ITAR information and valuable intellectual property to unauthorized entities. The unauthorized disclosure of ITAR data can bring heavy fines, legal action against company officers and employees, loss of export licenses and government contracts, and other penalties.
More often than not, leading organizations can find the IT solutions needed to manage these complex regulatory issues in the cloud. “Government cloud platforms are growing in popularity,” explains Indy Crowley, an independent government security and compliance architect, “because they allow organizations to focus more on their end-user security profile and responsibilities while maintaining ITAR requirements.”
The Microsoft Government Cloud, for instance, has developed an extensive collection of capabilities that help organizations subject to ITAR to implement robust access control and information and document management solutions. These include document rights management, identity and access management, and email encryption. Its IaaS, SaaS, and PaaS services enable companies to build and operate information and document management systems that meet the most stringent security and compliance requirements.
Bridge Partners has worked extensively with commercial and government customers to assess their information and document management technologies, systems, and processes. Our experience in risk and vulnerability management, cloud assessment, technology enablement, and operations puts us in a unique position to support our customers as they navigate complex industry and governmental regulations, including ITAR, ISO, FISMA, FedRAMP, DFARS, and GDPR.
If you’d like to read more best practices for security and compliance using the capabilities of the cloud, check out this blog by Susie Adams, CTO of Microsoft Federal.