
ITAR Compliance in Microsoft 365 and Azure


The Dilemma 

Many companies supporting the defense industry are working to better understand how to classify and protect defense and military related data. Does this apply to your company?  This content will help you answer the following five common questions about the protection of export controlled information in order to safeguard U.S. national security and further U.S. foreign policy objectives.  

Understanding this information will help you develop a baseline of knowledge to develop a plan and properly protect export controlled information within your company.  


What is ITAR Data?  

The International Traffic in Arms Regulations (ITAR) control the export and import of defense-related articles and services on the United States Munitions List (USML). The USML is a list of articles, services, and related technology designated as defense and space related by the United States federal government. Any article, service, or related data found to be on the USML requires an export license issued by the United States State Department to be exported. There are twenty-one categories of articles on the USML, and they include everything from firearms and other weapons to toxicological and biological agents and technical data. You can find the full list here. If you would like to access the source information about ITAR, please reference 22 CFR Chapter I, Subchapter M, Parts 120-130.

ITAR has been around since 1976, during the Cold War. The intention was to implement unilateral arms export control, as many other countries were under the same restrictions. Under ITAR, for a U.S. Person to export USML items to a foreign person, the U.S. Person must obtain authorization from the U.S. Department of State before the export can take place. A U.S. Person can be a U.S. citizen, permanent resident, political asylee, a part of the U.S. government, or a corporation, business, organization, or group that is incorporated in the United States under U.S. law. These precautions are in place to protect the United States and our sensitive data.

Why Am I Required to Protect ITAR Data as a Defense Contractor?  

According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles/services or related technical data must be ITAR compliant. Companies that fall under these stipulations must register with the United States Directorate of Defense Trade Controls (DDTC) and are required to know what is required of them to be ITAR compliant.

Think of it this way. CMMC, DFARS and NIST 800-171 compliance is at the top of most radars. Non-compliance isn’t an option when it comes to doing work with the government. Plus, being compliant helps keep your and your clients’ information safe and secure. With ITAR, the government is attempting to prevent breaches of sensitive information to foreign nationals. Just as you want to keep your data safe, you should want to keep your country’s data safe.

Do I Have ITAR Data?

Most companies with ITAR data will have the requirement called out in a contract with either a Prime Contractor or in a contract with the US Government itself. Beyond that, if you have anything to do with any item, technical data or content on this list, you need to be ITAR compliant. It’s always better to be safe than sorry, and this is no exception.    

Once you determine that you may have or will have ITAR data, your company must register with DDTC if you sell, manufacture, or export defense articles. This is an essential first step, even if you are just starting to think about exporting. Registering identifies you as someone eligible to apply for an export license; however, you cannot ONLY register. You must be registered to enter into discussions with potential customers for part of the ITAR restricted items; when you register, you also commit to completing annual compliance reports.

This is pretty straightforward.

How Do I Protect ITAR Data?  

Protect ITAR in Microsoft 365 GCC High

First, and most importantly, you must understand that in the context of DFARS 7012 and CMMC, ITAR data is specified Controlled Unclassified Information (CUI). This means that the baseline protections you are required to provide for CUI-Basic also apply to ITAR. Once those baseline protections are in place you then add the CUI-Specified requirements to your list of controls.  If you are dealing with ITAR data while also holding contracts with the Department of Defense, you need to understand CMMC (especially CMMC 2.0 Level 2), DFARS and CUI requirements.  

You will apply for an export license when you have a specific sale lined up. You’ll need a new export license for every additional sale since the permits are country-specific. In adjudicating your license, the State Department may ask other U.S. Government agencies (like the DoD) to review your request and make a recommendation.  

As for keeping your ITAR data safe in your own environment, Microsoft has made different platforms available that can meet ITAR compliance. Microsoft (Office) 365 GCC High and Microsoft (Office) 365 GCC High DoD are both capable of holding ITAR data, as are Azure Government and Azure Government DoD. These platforms allow you to stay compliant while dealing with sensitive, classified, and unclassified information.

What Are the Penalties for ITAR Violations?

National security, jail time, and major fines could be involved. If you’re worried, go through the list linked above and see if any criteria look familiar. 

If you’re still not convinced, keep in mind that ITAR violations can result not only in criminal or civil penalties; you could also be put in prison or be barred from future exports. Criminal penalties can go up to $1,000,000 with ten years of imprisonment per violation, and civil penalties can be as high as $500,000 per violation.

