Is AWS GovCloud an ITAR Compliant Cloud Services Platform?


The International Traffic in Arms Regulations (ITAR) are rules which pertain to individuals and companies that deal with defense technology, services, or technical data. This includes documents, schematics, photos, and other materials included in the United States Munitions List (USML). The guidelines were created to prevent confidential material (with possible defense and space application) from falling into the hands of non-U.S. citizens. You may be thinking – but Amazon Web Services (AWS) is a cloud service platform. So why does it need to be ITAR compliant? Well, AWS provides cloud services, but it has no direct control over what its users store on its platform. Since there may be people in the defense industry who are interested in using AWS to store and transmit data, the company created AWS GovCloud.

What is AWS GovCloud?

AWS GovCloud is ITAR compliant. It was developed for individuals and companies who deal with data subjected to ITAR rules. In keeping with ITAR regulations, AWS GovCloud is an isolated cloud platform and has its servers located within U.S. territory. Also, AWS only allows its workers who are U.S. citizens to access the platform. Additionally, AWS works with a third-party organization to assess and validate that AWS GovCloud is compliant with ITAR guidelines. AWS GovCloud has no ITAR certificate, but it has been awarded a provisional authority to operate a platform for ITAR data by the Joint Authorization Board (JAB).

AWS GovCloud accounts are only available to U.S. nationals. There is a vetting process for the primary account holder before access to the platform is granted. The goal of the platform is to make it easier for companies that deal with ITAR data to take advantage of modern technology without violating the law.

Here are a few advantages of using AWS GovCloud

A. Makes it easier to comply with ITAR regulations.

It can be challenging to adhere to ITAR regulations as far as data management is concerned. While it can be easy to physically restrict access to certain documents, how can you do so in the virtual world? This is where AWS GovCloud comes in. Using this platform, you can effectively cordon access to USML data and avoid flouting the ITAR regulations. Also, since AWS GovCloud is separate from other Amazon Cloud services, you can keep your USML-related documents isolated to avoid a mixup. AWS GovCloud is not only ITAR compliant but also adheres to FedRAMP regulations.

B. Total security.

All the data on AWS GovCloud servers are encrypted. The platform supports FIPS 140-2, which guarantees that your data will not fall into the wrong hands during storage and transmission. Given the recent spate of hacking incidents, data encryption has become more critical, and AWS GovCloud encryption is top-of-the-line.

C. Control access to sensitive data.

AWS GovCloud allows you to control access to sensitive data. You can limit access to specific individuals or to particular times of the day and location. AWS GovCloud also gives you an overview of the individuals that have access your data on the platform. This complies with the regulation that all ITAR-related data must be monitored, and audited.

All these features make it easy to maintain an ITAR compliant status. It is important to note that the U.S. government takes compliance with the ITAR very seriously. In the past, companies who violated these guidelines have been fined millions of dollars. The penalty for not adhering to the ITAR is up to $500,000 in civil cases and $1,000,000 in criminal cases per instance of violation as well as an imprisonment sentence of up to 10 years.

Why is AWS GovCloud Important?

It can be difficult for companies to restrict access to data on a public cloud platform. There are chances that your non-U.S. workers may inadvertently open certain documents that they’re not supposed to. This is the reason why AWS GovCloud exists. It makes the process of complying with the ITAR easier. 

Are There Exceptions to ITAR?

Technically, everything in the USML is subject to ITAR and are not to be exposed to non-U.S. nationals. However, the ITAR can be extremely difficult to enforce in some situations. We live in a globalized world. There are multinational companies. Also, the internet and increased migration have made it easier than ever for companies to hire foreign experts. As a result, the U.S. State Department can grant exemptions to some individuals. Also, countries like the UK and Canada have a standing agreement with the U.S. that covers ITAR so people from these countries can be permitted to access data in the USML.

How to Avoid Violating ITAR with AWS GovCloud

As indicated above, it can be tricky to enforce ITAR in an organization. However, these steps can help you avoid running afoul with the law.

The very first step is to identify the documents in your database that are covered by the ITAR. You can then restrict access to them. It is also advisable to indicate on the documents that they are covered by ITAR to ensure your workers do not mistakenly share them with unauthorized persons. Most importantly, you must educate your workers on the importance of ITAR and lay down policies on how documents that fall under the USML must be treated to avoid breaking the law.

If you plan to export ITAR data and materials, you need a license from the State Department. In some situations, transferring data to a server in another country may also be categorized as export. Therefore, you need to consult a lawyer and other experts on the subject. Remember, due diligence is crucial. You will be held accountable for sharing USML data with any non-U.S. person or company even if they are based in the country.

Ultimately, AWS GovCloud is not responsible if USML data on its platform is shared with unauthorized persons or if you wrongly provide access to non-U.S. citizens. AWS is only accountable for the integrity of its servers. It is up to you to take the necessary precautions in terms of accessing and sharing data when using AWS GovCloud.

Author: Rahul Sharma