As an ITAR Auditor, we closely review how and where companies back-up their ITAR controlled technical data.   Even when the data is stored onsite, foreign national access must be blocked unless there is a specific State Department authorization.   A common finding in this area is when third party suppliers are hired to look after the IT system and those companies employ foreign nationals.

Now to cloud computing    While I am not an expert in cloud computing, I do understand the challenges it poses when it comes to ITAR compliance.    The State Department has taken a position that any ITAR controlled technical, that is located overseas, has been exported.  It does not matter if the technical data is encrypted or has not been accessed by a foreign national.  If is located outside of the US, an export has been made.   When utilizing the “cloud” for data storage, the technical data could be at a number of locations around the world and serviced by individuals that may be considered to be foreign nationals.   This all leads to numerous compliance issues when it comes to ITAR compliance.

Some companies are bringing some solutions in this area.   One is Amazon Web Services who has introduced “GovCloud”.   This service is offered to some US Government agencies and defense contractors to address ITAR-related data security issues.   Apparently, the cloud storage is confined to the US  and service only by US Persons.   You can see more about it on their website at http://aws.amazon.com/govcloud-us/ .    This is a step in the right direction but there is still much work to be done to educate defense contractors and their IT professionals who may be totally unaware of this problematic area.   Until then, violations will persist.

– Cole Blumer