RichardWakeman - Great article as always! You do a great job of walking through some of the regulatory pieces that can be very complex at times.
A few points that I wanted to raise regarding ITAR data. As we have discussed on previous posts, in many instances ITAR data is authorized for use by non-US persons/companies under agreements or licenses. So while NOFORN may be the case for some data, there is a significant amount of ITAR data that is authorized for access by non-US persons. In addition, the updates to the ITAR earlier this year remove the explicit requirement for data to reside in the US if it meets certain criteria. The criteria being:
(i) Unclassified;
(ii) Secured using end-to-end encryption;
(iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
(iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and
(v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation.
However, with that update, they also updated the definition of "release" to include providing "access information" to a foreign person. Previously, if you could prove that there was no access, it was not considered a "release" (Microsoft's copious logging was great for this). Microsoft has always been forthcoming that there is no standing access to customer data by MS employees and that access is only granted on a limited, time-bound basis when needed. If that is accurate, and a customer has Lockbox turned on in both O365 and Azure, then a "release" would not occur, even in a Commercial environment, until a customer approves a Lockbox request (pending the controlled data being in a service covered by Lockbox). Would you agree?
One additional challenge that I have seen is around the "level" of export-controlled data that should be caught by the CUI tag. Technically, EAR99 data is "export-controlled" if going to embargoed countries, and 9E991 data is "export-controlled" if going to a military end-user in China. That same data could be going to the Airbus A320 line in Tianjin and not be considered "export-controlled."
Due to this, I would agree with setting controls to the high watermark that you mention. However, this complicates the issue as to how to work efficiently across a multi-national organization in one of the sovereign environments. This is where some type of federation between Commercial and Gov would be very beneficial. If environments could be managed through a single window, and a single identity could be synced, that would open up some new architecture possibilities.