
ITAR & Cloud Computing: AWS GovCloud, Azure Gov Requirements


Jared Clark

March 11, 2026


Cloud adoption among defense contractors has accelerated dramatically — and so has confusion about what ITAR actually requires when you store, process, or transmit technical data in the cloud. I've worked with over 200 defense contractors at Certify Consulting, and the cloud compliance question is now among the top three issues I see in every initial assessment.

The short answer: there is no ITAR-approved cloud provider. The State Department does not certify cloud platforms. What matters is how you configure, control, and contractually bind your cloud environment — not which provider's logo appears on your invoice.

This article breaks down the real regulatory requirements, how AWS GovCloud and Azure Government stack up against those requirements, and what you actually need to do to use cloud services lawfully for ITAR-controlled technical data.


Why Cloud Matters Under ITAR: The Transfer Risk

ITAR's core prohibition is the unauthorized export or transfer of defense articles, technical data, or defense services to foreign persons. Under 22 CFR § 120.50, a "transfer" includes making technical data available to a foreign person — even if that person is in the United States.

Cloud computing creates transfer risk in ways that most contractors underestimate:

  • Foreign nationals employed by the cloud provider with access to hypervisor layers, storage infrastructure, or support tickets
  • Data replication across geographic regions, including non-U.S. data centers
  • Multi-tenant architectures that could expose metadata or data pathways to unauthorized parties
  • Overseas support staff accessing your environment during a service incident

According to DDTC guidance and multiple enforcement actions, storing ITAR-controlled technical data on a cloud platform where a foreign person could access it — even without authorization — constitutes a potential unauthorized export requiring a license or license exemption.

The ITAR does not distinguish between intentional and accidental disclosures — an unauthorized access event is a violation regardless of intent, making cloud configuration a matter of strict legal liability, not just best practice.


What the Regulations Actually Say

The ITAR (22 CFR Parts 120–130) does not mention cloud computing by name. Instead, compliance obligations derive from several interconnected provisions:

  • 22 CFR § 120.50 – Transfer: Prohibits making technical data available to foreign persons without authorization
  • 22 CFR § 120.53 – Export: Sending or taking controlled technical data outside the United States
  • 22 CFR § 120.54 – Reexport: Transferring from one foreign country to another
  • 22 CFR § 120.31 – Technical Data: Covers information required for the design, development, production, or use of defense articles on the USML
  • 22 CFR § 126.1 – Prohibited Countries: Strict bars apply regardless of encryption or access controls

The State Department has issued guidance — most notably in the 2019 DDTC Cloud Storage FAQ — confirming that cloud storage of ITAR technical data is permissible only when the system is configured such that access is limited to U.S. persons, storage is restricted to U.S. soil, and the contractor maintains adequate access controls.

DDTC has confirmed that end-to-end encryption with U.S.-person-only key management, combined with contractual prohibitions on foreign-person access, can satisfy ITAR access control requirements for cloud-stored technical data.


AWS GovCloud vs. Azure Government: A Compliance Comparison

Both Amazon Web Services and Microsoft Azure offer government-focused cloud environments engineered specifically to address U.S. regulatory requirements including ITAR, FedRAMP, CMMC, and DoD IL4/IL5. Here's how they compare across the dimensions that matter most for ITAR compliance:

| Compliance Dimension | AWS GovCloud (US) | Azure Government | ITAR Relevance |
|---|---|---|---|
| Data Residency | U.S. soil only (East/West regions) | U.S. soil only (4 U.S. regions) | Required — no foreign replication |
| U.S. Person Staff | Screened U.S. persons for support | Screened U.S. persons for support | Required for admin/support access |
| FedRAMP Authorization | High baseline authorized | High baseline authorized | Foundational security control |
| ITAR Contractual Language | Available via AWS ITAR addendum | Available via Microsoft Amendment | Must be executed — not automatic |
| DoD IL4/IL5 Support | IL4 and IL5 authorized | IL4 and IL5 authorized | Aligns with CUI/controlled data handling |
| Encryption at Rest/Transit | AES-256 / TLS 1.2+ | AES-256 / TLS 1.2+ | Necessary but not sufficient for ITAR |
| Customer-Managed Keys | AWS KMS with CloudHSM option | Azure Key Vault with Managed HSM | Required for ITAR key control |
| Foreign Support Access Controls | U.S.-only support commitments available | U.S.-only support commitments available | Must be contractually required |
| Dedicated vs. Multi-Tenant | Multi-tenant with logical isolation | Multi-tenant with logical isolation | Physical isolation NOT required by ITAR |
| ITAR-Specific Certification | None (DDTC does not certify) | None (DDTC does not certify) | No cloud platform is ITAR-certified |

Critical takeaway: Both platforms are architecturally capable of supporting ITAR compliance. Neither is ITAR-compliant by default. The contractor — not the cloud provider — bears the compliance obligation.


The 7 Requirements You Must Actually Meet

Based on my work with defense contractors across aerospace, defense electronics, and weapons systems manufacturing, here are the seven non-negotiable requirements for ITAR-compliant cloud use:

1. U.S.-Only Data Residency

Your cloud environment must be configured to restrict data storage and processing to U.S. regions exclusively. In AWS GovCloud, this means disabling cross-region replication and backups outside GovCloud regions. In Azure Government, this means constraining your Azure Policy to U.S. Government regions only. Document this configuration and review it quarterly.

2. Executed ITAR Contractual Addendum

Both AWS and Microsoft offer ITAR-specific contractual language — but it is not automatically included in standard cloud agreements. You must request, negotiate, and execute these addenda. Without a signed agreement that includes ITAR-specific obligations (including foreign-person access controls and data residency guarantees), your cloud use is not defensible.

3. Foreign-Person Access Prohibition

Your contract must explicitly prohibit the cloud provider from allowing foreign nationals — including foreign nationals employed in the U.S. — to access your ITAR-controlled data or the systems that process it. This includes support staff, operations engineers, and contractors of the provider.

4. U.S.-Person-Only Key Management

Encryption keys for ITAR technical data must be managed exclusively by U.S. persons. Using customer-managed keys (CMK) in AWS KMS or Azure Key Vault — with access policies that restrict key administrators to U.S. persons — is required. If a foreign national holds key administrator rights, you have an exposure.

5. Access Control and Audit Logging

Implement role-based access controls (RBAC) that restrict ITAR data access to verified U.S. persons only. Enable comprehensive audit logging (AWS CloudTrail, Azure Monitor) and retain logs for a minimum period consistent with your ITAR recordkeeping obligations under 22 CFR § 122.5 (five years). Review access logs for anomalies monthly.

6. Employee Verification and Training

Your internal users must be U.S. persons (U.S. citizens or lawful permanent residents). You must verify citizenship or LPR status — not rely on self-attestation alone. All users with access to ITAR data in the cloud must complete documented ITAR training before access is granted.

7. Written ITAR Cloud Policy and Procedure

Your Technology Control Plan (TCP) or equivalent written procedure must explicitly address cloud use. It must identify authorized cloud platforms, configuration standards, access control requirements, and incident response procedures for potential unauthorized access events. DDTC expects to see documented procedures during voluntary disclosures and consent agreements.
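Requirements 1, 4 and 5 above can be checked together during the monthly log review. The following Python script is an added example, not code from the article or from AWS: it runs over constructed CloudTrail-style records and flags calls outside GovCloud regions, S3 replication toward a bucket outside the aws-us-gov partition, and KMS key-administration calls by a principal other than the documented U.S.-person key-admin role. The region set, role ARNs and the simplified record shape are assumptions standing in for what your own TCP documents.

```python
# Constructed allow-lists standing in for what the TCP documents (placeholders,
# not a real account): the GovCloud regions and the U.S.-person key-admin role.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
KEY_ADMIN_ARNS = {"arn:aws-us-gov:iam::000000000000:role/ITAR-KeyAdmin"}
KEY_ADMIN_APIS = {"PutKeyPolicy", "CreateGrant", "ScheduleKeyDeletion", "DisableKey"}


def review_event(ev):
    """Return findings for one CloudTrail-style record; an empty list means clean."""
    findings = []
    name, region = ev.get("eventName", ""), ev.get("awsRegion", "")
    actor = ev.get("userIdentity", {}).get("arn", "?")
    # Requirement 1: every API call must land in a GovCloud region.
    if region not in GOVCLOUD_REGIONS:
        findings.append(f"{name} by {actor} ran in non-GovCloud region {region}")
    # Requirement 1: replication may only target buckets in the aws-us-gov partition.
    if name == "PutBucketReplication":
        rules = ev.get("requestParameters", {}).get("ReplicationConfiguration", {}).get("Rule", [])
        for rule in rules if isinstance(rules, list) else [rules]:
            dest = rule.get("Destination", {}).get("Bucket", "")
            if not dest.startswith("arn:aws-us-gov:"):
                findings.append(f"replication to {dest} leaves GovCloud (by {actor})")
    # Requirement 4: KMS key administration only by the documented U.S.-person role.
    if ev.get("eventSource") == "kms.amazonaws.com" and name in KEY_ADMIN_APIS:
        if actor not in KEY_ADMIN_ARNS:
            findings.append(f"{name} by non-approved key admin {actor}")
    return findings


def review_log(records):
    """Run every record through review_event and return all findings (Requirement 5)."""
    return [f for ev in records for f in review_event(ev)]


# Constructed sample records in a simplified CloudTrail shape (not real events).
SAMPLE_LOG = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-gov-west-1",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::000000000000:role/ITAR-Engineer"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "awsRegion": "us-gov-west-1",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::000000000000:role/Contractor-Support"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication", "awsRegion": "us-gov-east-1",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::000000000000:role/ITAR-Engineer"},
     "requestParameters": {"ReplicationConfiguration": {"Rule": {
         "Destination": {"Bucket": "arn:aws:s3:::offsite-backup"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/analyst"}},
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print("FINDING:", finding)
```

Each finding maps back to the requirement it violates, so the output can be filed with the review record your TCP calls for.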


Common Mistakes That Create Violations

In my eight-plus years of ITAR consulting, I've seen the same cloud compliance mistakes repeatedly. These are the patterns most likely to result in voluntary disclosures or enforcement actions:

Mistake 1: Using Commercial AWS or Azure Instead of Government Regions

Standard AWS us-east-1 or Azure East US are not GovCloud or Azure Government. They lack the access controls, contractual protections, and U.S.-person staffing commitments that ITAR requires. Storing ITAR data in commercial cloud regions is a violation.

Mistake 2: Assuming the Platform Does the Work

AWS GovCloud and Azure Government provide the infrastructure for compliance — they do not implement compliance for you. Leaving default settings in place, failing to enable CMKs, or using default support tiers that allow foreign-person access negates the protective value of the platform.

Mistake 3: Sharing Environments with Foreign Nationals

Even if your cloud is configured correctly, granting a foreign national employee access to the same tenant — even a different folder or project — can create exposure if ITAR data is accessible through any shared service, identity, or logging system.

Mistake 4: Not Executing the ITAR Addendum

This is shockingly common. Contractors assume that purchasing GovCloud services is equivalent to having ITAR protections. The addendum is a separate document. Without it, the provider has no contractual obligation to maintain foreign-person access controls.

Mistake 5: No Incident Response Procedure for Cloud Access Events

If a support ticket inadvertently exposes ITAR technical data to a foreign national support engineer, you need a documented procedure for assessing, containing, and reporting that event. Absent a procedure, contractors often discover violations months later — which worsens the enforcement outcome.


Google Cloud and Other Providers: A Note

Google Cloud's Assured Workloads program offers ITAR-specific configurations similar to AWS GovCloud and Azure Government. As of 2024, Google has expanded its U.S.-person-only support capabilities for ITAR workloads. The same principles apply: data residency, contractual addendum, foreign-person access controls, and customer-managed keys are required regardless of provider.

For smaller contractors considering platforms like Dropbox, Box, or SharePoint, the analysis is straightforward: these platforms do not offer the contractual, architectural, or access control capabilities required for ITAR technical data. Their use for ITAR-controlled information is not defensible without significant additional controls — and in most configurations, represents an ongoing violation.


ITAR Cloud Compliance vs. CMMC: How They Interact

Many defense contractors subject to ITAR are also working toward CMMC 2.0 compliance. These frameworks interact but are not identical:

  • CMMC 2.0 Level 2 governs Controlled Unclassified Information (CUI) under NIST SP 800-171 — it does not govern ITAR directly
  • ITAR technical data and CUI frequently overlap but are legally distinct categories
  • A CMMC-compliant environment is a strong foundation for ITAR cloud compliance — but additional ITAR-specific controls (foreign-person access prohibitions, TCP documentation) are still required
  • DoD contractors should address both frameworks in their cloud architecture rather than assuming one satisfies the other

According to the National Defense Industrial Association (NDIA), over 220,000 defense contractors are estimated to handle CUI, many of whom also handle ITAR-controlled data — making integrated cloud compliance strategies economically critical.


Building a Defensible ITAR Cloud Program

ITAR enforcement is outcomes-based. DDTC and the Department of Justice evaluate whether your program reflects a good-faith, systematic effort to prevent unauthorized disclosures. A defensible cloud program includes:

  1. Written cloud use policy in your TCP or standalone cloud procedure
  2. Executed ITAR addenda with all cloud providers handling controlled data
  3. Documented configuration baselines for each cloud environment
  4. Periodic compliance reviews (at minimum, annual) with documented findings
  5. Training records for all users with cloud access to ITAR data
  6. Incident response procedures specific to cloud access events
  7. Third-party subcontractor flow-downs — if you share cloud environments or data with subcontractors, they must meet the same standards

At Certify Consulting, I help defense contractors build cloud compliance programs that satisfy both ITAR and CMMC requirements simultaneously — reducing cost and audit burden while maintaining defensibility.


FAQ: ITAR and Cloud Computing

Is AWS GovCloud ITAR-certified?

No. DDTC does not certify cloud platforms, and AWS GovCloud does not hold an ITAR certification. AWS GovCloud provides the architectural and contractual capabilities necessary to support ITAR compliance when properly configured — but the contractor bears the compliance obligation, not the provider.

Can foreign nationals access ITAR data if it's encrypted?

No. Encryption is a necessary control but does not authorize foreign-person access. Under 22 CFR § 120.50, making ITAR technical data available to a foreign person — including providing access to an encrypted system containing such data — constitutes a transfer requiring authorization. Foreign nationals must not hold access credentials or key management rights for ITAR-controlled cloud environments.

What's the difference between AWS GovCloud and standard AWS for ITAR purposes?

AWS GovCloud (US) is physically and logically separated from standard AWS regions, staffed exclusively by screened U.S. persons, and subject to contractual ITAR addenda. Standard AWS commercial regions do not offer these protections. Storing ITAR technical data in standard AWS regions (e.g., us-east-1) without extraordinary additional controls is generally not defensible.

Do I need a separate cloud policy if I already have a Technology Control Plan?

Your TCP must explicitly address cloud use — either as a standalone section or an addendum. A TCP that was written before your organization adopted cloud services and has not been updated is likely deficient. DDTC expects your TCP to reflect your actual operating environment, including cloud platforms, access control mechanisms, and incident response procedures.

What happens if a foreign national accidentally accesses ITAR data in the cloud?

This is a potential unauthorized export under 22 CFR Part 120. You should immediately assess the scope of access, engage export control counsel, document your findings, and evaluate whether a Voluntary Disclosure to DDTC under 22 CFR § 127.12 is required or advisable. Early, documented response is a significant mitigating factor in enforcement outcomes.


Work With an ITAR Cloud Compliance Expert

Cloud compliance under ITAR is one of the most technically and legally complex areas of export control — and one of the most frequently mishandled. With a 100% first-time audit pass rate across 200+ clients and eight-plus years of hands-on ITAR consulting experience, I help defense contractors get this right the first time.

Whether you're migrating to GovCloud for the first time, responding to a DDTC inquiry, or building an integrated ITAR/CMMC cloud program, Certify Consulting provides the expert guidance you need.

For more on building a complete ITAR compliance program, see our ITAR Technology Control Plan guide and our ITAR compliance checklist for defense contractors.


Last updated: 2026-03-10


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.
