Hi Jonathan_Priganc, thank you for the feedback! The key to protecting export controlled data is enabling End-to-End Encryption (E2EE) that prohibits unauthorized access, where only the intended parties have access to decrypt and view the data in plain text. You are correct that there are valid scenarios where non-US persons may be authorized. This is especially true for multi-national companies that may even have foreign site-based export control licenses. It is common to give the non-US persons access to a tenant where CUI resides and ensure Conditional Access policies enforce data protection appropriately. There are even examples where customers are connecting from OCONUS locations and networks and are still well within compliance. After all, it is a shared responsibility model, such as ensuring the endpoints are protected.
In the US Sovereign Cloud, Microsoft can offer an ITAR SLA as we may enforce that only authorized users (on our side) may ever access your data from CONUS-based locations and networks, such as offering Screened US Persons for support incidents where engineers are given access to your data (under your authority).
It is possible to leverage compensating controls such as Customer Lockbox in Commercial to prevent non-US persons from having access to your data. However, Customer Lockbox is not available in all services across Office 365, Azure, Dynamics 365, etc., and it does not imply a "screened" US Person (such as screening for the DDTC). Ultimately, it's not a foolproof scheme across all Commercial services. In addition, not all services support E2EE with a customer-managed key. Many do, but not all. Thus, it becomes your responsibility to ensure the services you use support your compliance policies. And for those that don't, you must leverage a client-based E2EE scheme that makes your data opaque to the CSP. The risk, of course, is that export controlled data may slip through the cracks.
With the US Sovereign Cloud, the native support reduces the risk of the unintentional export happening at the CSP, as the added Customer Lockbox and E2EE are not strictly required. Although many customers still leverage Customer Lockbox there as well, for coverage of auditing and reporting requirements in NIST 800-171 and CMMC L3+. And customers leverage E2EE as well, especially for sharing scenarios where the data may leave the system boundary.
This all said, many customers have decided to implement their own compensating controls and find an acceptable amount of risk using Commercial or GCC. And this is all in the context of U.S. export controls. Introduce Canadian CCG, UK Official-Sensitive, AU Protected, etc., and your only choice may become compensating controls in Commercial Multi-Geo in order to use the cloud. But that discussion is highly nuanced and depends on contract-based agreements for cloud use.