International Traffic in Arms Regulations (ITAR)

ITAR overview

The US Department of State has export control authority over defense articles, services, and related technologies under the International Traffic in Arms Regulations (ITAR), managed by the Directorate of Defense Trade Controls (DDTC). Items subject to ITAR are documented on the United States Munitions List (USML). If you are a manufacturer, exporter, or broker of defense articles, services, or related technologies as defined on the USML, you must be registered with DDTC, must understand and abide by ITAR, and must self-certify that you operate in accordance with ITAR.

DDTC revised the ITAR rules effective 25 March 2020 to align them more closely with the Export Administration Regulations (EAR). These ITAR revisions introduced an end-to-end data encryption carve-out that incorporated many of the same terms that the US Department of Commerce adopted in 2016 for the EAR. Specifically, the revised ITAR rules state that activities that do not constitute exports, re-exports, re-transfers, or temporary imports include (among other activities) the sending, taking, or storing of technical data that is 1) unclassified, 2) secured using end-to-end encryption, 3) secured using FIPS 140 compliant cryptographic modules as prescribed in the regulations, 4) not intentionally sent to a person in or stored in a country proscribed in § 126.1 or the Russian Federation, and 5) not sent from a country proscribed in § 126.1 or the Russian Federation. Moreover, DDTC clarified that data in-transit via the Internet is not deemed to be stored. End-to-end encryption implies the data is kept encrypted at all times between the originator and intended recipient, and the means of decryption are not provided to any third party.

Azure and ITAR

There is no ITAR compliance certification. However, if you are subject to ITAR, Azure, Azure Government, and Azure Government Secret can help you meet your ITAR compliance requirements.

Except for the Azure region in Hong Kong SAR, Azure datacenters are not located in proscribed countries or in the Russian Federation. Azure services rely on FIPS 140 validated cryptographic modules in the underlying operating system, and provide you with a wide range of options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault, which can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control (customer-managed keys, CMK). Keys generated inside the Azure Key Vault HSMs are not exportable – there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. Moreover, Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents do not see or extract your cryptographic keys.

You are responsible for choosing the Azure regions for deploying your applications and data. Moreover, you are responsible for designing your applications to use end-to-end data encryption that meets ITAR requirements. Microsoft does not inspect or approve your Azure applications.

Azure Government provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

For additional information regarding ITAR, you should review:

Applicability

  • Azure
  • Azure Government
  • Azure Government Secret

Office 365 and ITAR

For more information about Office 365 compliance, see Office 365 ITAR documentation.

Frequently asked questions

What should I do to comply with export control laws when using Azure?
If you are a manufacturer, exporter, or broker of defense articles, services, or related technologies as defined on the USML, you must be registered with DDTC, must understand and abide by ITAR, and must self-certify that you operate in accordance with ITAR. You must carefully assess how your use of Azure may implicate US export controls and determine whether any of the data you want to use or store there may be subject to ITAR controls, and if so, what controls apply. To learn more about how Azure can help you ensure your full compliance with US export controls, review the Microsoft Azure Export Controls whitepaper.

What technical features does Azure provide to help customers meet their ITAR compliance obligations?
The following Azure features are available to you to manage potential export control risks:

  • Ability to control data location - You have visibility as to where your data is stored, and robust tools to restrict data storage to a single geography, region, or country. For example, you may therefore ensure that data is stored in the United States or your country of choice and minimize transfer of controlled technology/technical data outside the target country. Customer data is not intentionally stored in a non-conforming location, consistent with the ITAR rules.
  • Control over access to data - You can know and control who can access your data and on what terms. Microsoft technical support personnel do not need and do not have default access to customer data. For those rare instances where resolving customer support requests requires elevated access to customer data, Customer Lockbox for Azure puts you in charge of approving or rejecting customer data access requests.
  • End-to-end encryption - Implies the data is kept encrypted at all times between the originator and intended recipient, and the means of decryption are not provided to any third party. Azure relies on FIPS 140 validated cryptographic modules in the underlying operating system, and provides you with a wide range of options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault, which can store encryption keys in FIPS 140 validated hardware security modules (HSM) under your control (customer-managed keys, CMK). Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents do not see or extract your cryptographic keys.
  • Tools and protocols to prevent unauthorized deemed export/re-export - Apart from the ITAR end-to-end encryption safe harbor for physical storage locations, the use of encryption also helps protect against a potential deemed export (or deemed re-export): even if a non-US person has access to the encrypted data, nothing is actually revealed to a non-US person who cannot read or understand the data while it is encrypted, and thus there is no release of any controlled data. However, ITAR requires authorization before foreign persons are granted access to information that would enable them to decrypt ITAR technical data. Azure offers a wide range of encryption capabilities and solutions, flexibility to choose among encryption options, and robust tools for managing encryption.
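The end-to-end encryption condition in the Azure and ITAR section and in the feature list above is easy to state and easy to get wrong in a design review, so here is an added Go example that is not Microsoft's code and not part of the original page. It models the customer-managed-key arrangement the page describes: a key-encryption key (KEK) that stays with the originator and the intended recipient, a fresh data-encryption key (DEK) per object, and a simulated storage side that only ever receives ciphertext plus the DEK wrapped under the KEK. It also refuses to write to any region outside a constructed allowlist, standing in for the data-location control in the feature list; the region names and the allowlist are assumptions, as is the use of Go's crypto/aes and crypto/cipher in place of the FIPS 140 validated modules the page refers to (this stand-in is not itself FIPS 140 validated, and in production the KEK would live in Key Vault HSMs rather than in a byte slice).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed allowlist standing in for an Azure Policy allowed-locations
// assignment; the region names are assumptions, not taken from the page.
var allowedRegions = map[string]bool{"usgovvirginia": true, "usgovarizona": true}

// StoredObject is all the storage side (and any operator who can read it) ever
// holds: AES-GCM ciphertext plus a per-object data key wrapped under the KEK.
type StoredObject struct{ WrappedDEK, Ciphertext []byte }

// Store simulates a blob container keyed by object name; keys never enter it.
type Store map[string]StoredObject

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || AES-GCM(key, plaintext, aad) under a fresh random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails on a wrong key, wrong aad or any tampering.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Put runs on the originator's side: a fresh DEK encrypts the data, the KEK wraps
// the DEK, and only those two blobs reach the store. The region check models the
// allowed-locations control; an object name is bound to both blobs as AAD.
func (s Store) Put(name, region string, kek, plaintext []byte) error {
	if !allowedRegions[region] {
		return fmt.Errorf("refusing to store %q in %q: region not allowed", name, region)
	}
	dek := make([]byte, 32) // AES-256 data-encryption key, one per object
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := sealGCM(dek, plaintext, []byte(name))
	if err != nil {
		return err
	}
	wrapped, err := sealGCM(kek, dek, []byte(name))
	if err != nil {
		return err
	}
	s[name] = StoredObject{WrappedDEK: wrapped, Ciphertext: ct}
	return nil
}

// Get runs on the intended recipient's side, the only other party holding the KEK.
func (s Store) Get(name string, kek []byte) ([]byte, error) {
	obj := s[name] // a missing object yields empty blobs, which openGCM rejects
	dek, err := openGCM(kek, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(name))
}

// OperatorSeesPlaintext is the reviewer's check: can a party with full read access
// to the store find the plaintext? For an end-to-end design it must be false.
func (s Store) OperatorSeesPlaintext(name string, plaintext []byte) bool {
	obj := s[name]
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek := make([]byte, 32); rand.Read(kek) // stands in for a customer-managed key held in an HSM
	s, doc := Store{}, []byte("constructed sample of ITAR technical data")
	fmt.Println(s.Put("drawing-1", "eastasia", kek, doc), s.Put("drawing-1", "usgovvirginia", kek, doc))
	got, err := s.Get("drawing-1", kek)
	fmt.Println(s.OperatorSeesPlaintext("drawing-1", doc), string(got), err)
}
```

The check worth keeping from this is OperatorSeesPlaintext: a scheme in which the storage side holds the key would pass a "data is encrypted at rest" review but would still provide the means of decryption to a third party, which is exactly what the carve-out excludes. Here the store holds only ciphertext and a DEK wrapped under a key it never receives, so a non-US operator reading the store (the deemed-export case in the last bullet) learns nothing, and a wrong or missing KEK fails authentication rather than yielding garbage.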

Are Microsoft technologies, products, and services subject to ITAR?
In general, Microsoft technologies, products, and services are not subject to ITAR and are not listed on the United States Munitions List (USML).

What’s the difference between ITAR and the Export Administration Regulations (EAR)?
The primary US export controls with the broadest application are the EAR, administered by the US Department of Commerce. The EAR is applicable to dual-use items that have both commercial and military applications, and to items with purely commercial applications.

The United States also has separate and more specialized export control regulations, such as the ITAR, that govern the most sensitive items and technology. Administered by the US Department of State, ITAR imposes controls on the export, temporary import, re-export, and transfer of many military, defense, and intelligence items (also known as defense articles), including related technical data documented on the United States Munitions List (USML).

Should I use Azure or Azure Government for workloads that are subject to ITAR?
You are wholly responsible for ensuring your own compliance with all applicable laws and regulations and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same provisions for data encryption in transit and at rest to support ITAR requirements. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Resources