Some key aspects of the ITAR that make cloud adoption a challenge include:
Based on the scope and definitions in the ITAR, data and information assets are considered exports. Given this, it is generally acknowledged that ITAR-controlled documents saved in the cloud must remain compliant with ITAR rules and policies. Most companies that need to comply with ITAR rules have detailed compliance programs in place covering strict control of documents, information security, and materials and equipment on-premises (i.e., in their own facilities and data centers), but it is a significant challenge to maintain these same strict guidelines once the decision is made to move to cloud-based IT infrastructure for critical business needs.
As for protecting data, the authorities have stated that encryption is not enough: ITAR applies even to encrypted data in the cloud if the servers are located outside the U.S. The CIO Journal recently quoted a State Department official: “currently there is no license exemption for the use of encryption to store data in the cloud.”