1 Reply Latest reply on Nov 21, 2015 2:54 PM by abhissha

    I want to host a document review using the Adobe Document Cloud, does the cloud service that Adobe is offering conform to the ITAR requirements?

    matthewr91906437

      Some key aspects of the ITAR that make cloud adoption a challenge include:

      • Information and materials related to items on the USML may only be shared with “US Persons” (unless authorized by the US Department of State).
      • All US providers in the USML supply chain must register obtain appropriate import/export licenses from the U.S. Department of State.
      • Unauthorized Re-transfer or Re-export of any articles is a major breach of the law – and is tightly regulated.
      • Scope of the regulation includes data/information that’s accessed by authorized US persons when traveling outside the US and is then shared with foreign nationals.

      Based on the scope and definitions in the ITAR, data and information assets are considered exports. Given this, it is generally acknowledged that ITAR-controlled documents saved in the cloud need to maintain compliance with ITAR rules and policies. While most companies that need to comply with ITAR Rules have detailed compliance programs in place covering strict control of documents, information security, and materials and equipment on-premise (i.e., in their own facilities and data centers), it is a significant challenge to maintain these same strict guidelines when the decision is made to move to cloud-based IT infrastructures for critical business needs.

      And as far as protecting data, the authorities have stated that encryption is not enough – ITAR applies even to encrypted data in the cloud if the servers are located outside the U.S.  The CIO Journal  recently quoted a State Department official, “currently there is no license exemption for the use of encryption to store data in the cloud.”