Up until now, unless data is on a US-only cloud service, no US export controlled data could be on it – even if it is encrypted. A couple of cloud service companies have attempted to fill this issue like Amazon (ref: http://aws.amazon.com/govcloud-us/).
It appears that things may change. Below is an extraction from a proposed ruling:
US export licensing requirements will be exempt on cloud storage if it meets three conditions: 1) must use a government-approved encryption standard, 2) must be encrypted end-to-end, and 3) the server holding the data cannot be located in a prohibited country. The proposal will also harmonize definitions including, “export,” “reexport,” “retransfer,” “public domain,” and “fundamental research.
Later this month BIS and DDTC are expected to publish rules proposing harmonized definitions that will exempt from export licensing requirements data uploaded into the cloud if it meets three conditions: 1) must use a government-approved encryption standard, 2) must be encrypted end-to-end, and 3) the server holding the data cannot be located in a prohibited country. The proposal will harmonize definitions including, “export,” “reexport,” “retransfer,” “public domain,” and “fundamental research.”
This is still just for information until the agencies release the actual rules. The final rule may be different that what is portrayed above. For now, you would need to confirm that any cloud service being contemplated is a “US Only” cloud (which is it likely not) or ensure that no ITAR or other export controlled technical data is on a server/systems that is backed or stored on the cloud.
(source: National Shooting Sports Foundation Newsletter, 16 Apr 2015)