Most defense contractors I talk to understand they need ITAR compliance. They know the stakes. What trips them up isn't the concept—it's the implementation details around cloud infrastructure. Specifically: which cloud environments meet ITAR requirements, what the 2020 rule changes actually mean for encryption, and whether their current setup would survive a State Department audit.

The confusion is understandable. ITAR wasn't written with cloud computing in mind. For decades, defense contractors kept technical data on-premises, behind physical security controls, with clear geographic boundaries. Cloud fundamentally changed that model. Data moves. It replicates. It crosses jurisdictions in milliseconds. The regulatory framework has been playing catch-up, and the 2020 amendments to 22 CFR §120.50 were meant to clarify things. In some ways they did. In others, they created new questions.

I've spent years helping defense contractors build compliant cloud architectures. The patterns that work aren't always what vendors claim or what white papers suggest. Let me walk through what actually matters for ITAR cloud compliance in 2026.

Understanding the 2020 ITAR Cloud Rule Changes

Before 2020, ITAR's definition of "export" created real problems for cloud services. The regulation treated any transfer of technical data to a foreign person as an export, even if that data never left U.S. soil. This meant cloud providers employing foreign nationals—even within secure U.S. data centers—created potential export violations.

The State Department's 2020 amendments to §120.50 introduced the concept of end-to-end encryption as a compliance mechanism. The new language established that technical data encrypted using FIPS 140-2 validated cryptographic modules, where only U.S. persons control the keys, is not considered "in the possession" of a cloud service provider. This matters because if the CSP doesn't possess the data in a regulatory sense, foreign persons working for that CSP don't trigger export requirements.

Here's what that actually means: If you implement proper encryption with strict key management controls, you can use cloud infrastructure where foreign nationals might have access to the underlying systems—because they can't access your data. The encrypted bits they might touch don't constitute technical data under ITAR's framework.

This was a significant shift. It opened doors for broader cloud adoption while still maintaining security requirements. But—and this is where contractors get it wrong—the encryption and key management requirements are specific and unforgiving. You don't get ITAR cloud compliance by checking a box in your CSP's console.

The Encryption Standard Isn't Negotiable

FIPS 140-2 validation isn't the same as FIPS 140-2 compliance. Many encryption tools claim FIPS compliance, meaning they use approved algorithms. But ITAR requires validation, meaning the cryptographic module itself has been tested and certified by NIST's Cryptographic Module Validation Program. You need the certificate number. You need documentation that your specific implementation uses that validated module.

I've seen contractors assume their cloud provider's default encryption meets the standard. Sometimes it does. Often it doesn't, or it does but the key management model doesn't satisfy the "U.S. persons only" requirement. You need to verify this explicitly, with documentation, before you migrate ITAR-controlled data.

GovCloud vs Commercial Cloud: What's Actually Required

The most common question I get: Do we have to use AWS GovCloud or Azure Government? The short answer is no, not strictly for ITAR. The longer answer requires understanding what these environments provide and whether you need those features.

GovCloud regions were built for federal compliance frameworks. They provide physical and logical separation from commercial regions, U.S.-only support staff, and enhanced audit capabilities. For FedRAMP High or DoD IL5 workloads, GovCloud is typically required. For ITAR cloud deployments, it's not mandatory—but it makes several compliance requirements easier to meet.

Here's the practical breakdown. Commercial cloud regions can support ITAR workloads if:

GovCloud makes this easier because it's designed with these constraints in mind. The region is already restricted to U.S. persons. The service offerings are curated to support compliance frameworks. The audit logging is built for government requirements. You still need proper encryption and key management, but you're working with a platform that aligns with your compliance needs.

The pattern I see most often: contractors start in commercial regions because they already have infrastructure there or because GovCloud feels like overkill. They underestimate the configuration complexity. Six months later, during a compliance assessment, they discover their S3 buckets replicate to regions they didn't know about, or their database backups use encryption keys managed by foreign nationals, or their support plan gives their CSP access they shouldn't have.

If you're building a new ITAR environment from scratch, GovCloud or Azure Government is the cleaner path. If you're committed to commercial regions, budget significant architecture and compliance review time.

The Foreign Ownership Question

A related consideration: some cloud providers have foreign ownership or significant foreign investment. ITAR prohibits providing access to technical data to foreign persons or entities. This doesn't automatically disqualify a cloud provider, but it complicates due diligence.

You need to understand the corporate structure, where decisions get made, who has administrative access to your environment, and how the provider ensures U.S. person controls. The major U.S.-based providers have built compliance programs around this. Smaller or international providers may not have equivalent frameworks.

Need to Explain ITAR Cloud Requirements to Your Board?

Carl delivers targeted briefings and keynotes for defense contractors navigating the intersection of export controls, cloud adoption, and regulatory compliance. His sessions cut through vendor noise and provide actionable frameworks your leadership team can use.

Book Carl to Speak
Inline article illustration

Encryption Key Management: Where Most Programs Fail

The 2020 rule changes made encryption central to ITAR cloud compliance. But encryption is only as strong as your key management. This is where most programs I review have critical gaps.

ITAR requires that encryption keys remain under the control of U.S. persons. What does "control" mean? It means foreign nationals cannot access, decrypt, or recover keys. It means your CSP cannot access keys unless your CSP is a U.S. person entity providing that service through U.S. person staff. It means automated processes that handle keys must be configured and managed by U.S. persons.

Many contractors implement encryption but use their cloud provider's default key management service without understanding the access model. AWS KMS, Azure Key Vault, and Google Cloud KMS are powerful tools, but their standard configurations may not meet ITAR requirements.

Customer-Managed Keys Are Usually Required

Most ITAR-compliant architectures require customer-managed keys (CMKs) rather than service-managed keys. With CMKs, you control key policies, rotation schedules, and access permissions. The CSP cannot use your data without your keys, and you can configure key policies to restrict access to specific IAM roles held only by verified U.S. persons.

For sensitive ITAR workloads, some contractors go further and implement bring-your-own-key (BYOK) or hold-your-own-key (HYOK) architectures. These keep keys entirely outside the CSP's infrastructure. They're operationally complex and create availability risks, but they provide the clearest separation between your data and your provider's foreign national employees.

The approach you choose depends on your risk tolerance and technical sophistication. What's non-negotiable: you need documented processes that prove U.S.-person-only access to keys, and you need audit logging that would survive a State Department review.

Hardware Security Modules and FIPS 140-2 Level 3

For contractors handling particularly sensitive defense articles, FIPS 140-2 Level 2 validation may not feel sufficient. Level 3 requires tamper-evident physical security and identity-based authentication. Cloud HSM services from major providers can meet Level 3 requirements, but they require dedicated hardware and significantly higher costs.

I don't see Level 3 required in most ITAR programs. Level 2 with proper key management controls satisfies the regulation. But if you're working with especially sensitive technical data or want additional security assurance, Level 3 HSMs are available in GovCloud environments.

Access Controls and Personnel Verification

Encryption solves one problem: ensuring foreign nationals who might touch your cloud infrastructure can't access your technical data. But you still need comprehensive access controls for the U.S. persons who should access that data.

ITAR doesn't prescribe specific access control frameworks, but it requires that you prevent unauthorized access to technical data. In practice, this means implementing least-privilege access, role-based access controls, multi-factor authentication, and audit logging for all data access.

The verification piece is what catches contractors off-guard. You need documented processes to verify that individuals with access to ITAR-controlled data are U.S. persons as defined by 22 CFR §120.62. This isn't the same as verifying citizenship. The definition includes U.S. citizens, lawful permanent residents, protected persons under asylum or refugee status, and certain other categories.

Foreign Person Access Requires Authorization

You can grant foreign persons access to ITAR technical data, but it requires export authorization from the State Department—typically through a Technical Assistance Agreement (TAA) or manufacturing license agreement. This isn't something you do casually. It requires months of lead time and ongoing compliance obligations.

I've seen contractors inadvertently grant foreign nationals access to cloud environments containing technical data because they didn't properly segment their infrastructure. An engineer in a foreign subsidiary logs into a shared AWS account. A contractor working on an unrelated project has broader IAM permissions than intended. These access events can constitute unauthorized exports.

Your cloud architecture needs to assume that any account with access to ITAR data will be scrutinized. IAM policies should be explicit, documented, and regularly audited. You need logging that proves who accessed what data and when. If you can't produce that audit trail, you can't prove compliance. For a detailed look at what happens when these controls fail, see the consequences defense contractors face when ITAR violations occur.

Inline article illustration

Geographic Restrictions and Data Residency

ITAR doesn't explicitly require that data stay in the U.S., but it requires that you control who has access to technical data. When data leaves U.S. jurisdiction, that control becomes significantly harder to maintain and prove.

Most defense contractors implement a U.S.-only policy for ITAR data as a practical compliance measure. This means configuring your cloud environment to prevent replication, backup, or processing of ITAR-controlled data outside U.S. regions.

Cloud providers make this possible but not automatic. You need to:

The last point is where contractors often miss issues. You lock down your core infrastructure, then integrate a monitoring tool or collaboration platform that replicates data globally by default. Each service you add requires the same geographic compliance review as your primary cloud environment.

Service-Specific Restrictions

Not all cloud services support geographic restrictions equally. Some services are inherently global (like certain CDN or DNS services). Others offer regional deployment but with caveats around management plane access or metadata storage.

Before adopting a cloud service for ITAR workloads, you need to understand its data flow completely. Where does data at rest live? Where does data in transit go? Where are logs stored? Who has administrative access, and where are they located? The service's marketing materials won't answer these questions. You need architecture diagrams and data flow documentation from the provider.

Building a Defense-Ready Compliance Program?

Carl's keynotes address the strategic and operational challenges defense contractors face with ITAR, CMMC, and supply chain security. He brings a practitioner's perspective to help your team move from compliance theater to defensible programs. See all keynote speaking topics or reach out about your event.

Book Carl for Your Event

Third-Party Service Providers and the Supply Chain

Your cloud environment probably doesn't exist in isolation. You're using monitoring tools, security services, backup solutions, collaboration platforms, and other third-party services. Each one represents a potential export control issue if it processes ITAR technical data.

The State Department has made clear that cloud service providers themselves are not automatically considered exporters if proper encryption is in place. But that framework doesn't extend automatically to every third-party service you integrate. If a security vendor's foreign nationals have access to your technical data—even metadata or logs that contain technical details—you may have an export compliance issue.

This requires a supply chain approach to ITAR cloud compliance. You need to:

The pattern I see in mature programs: they limit third-party integrations in ITAR environments. They accept some operational inconvenience to reduce compliance complexity. They segment ITAR workloads from other systems specifically to control the third-party attack surface.

Contractors who try to maintain feature parity between their commercial and ITAR environments inevitably run into compliance issues. Some services just don't fit the ITAR model. Accept that limitation early and design around it.

Audit Trails and Documentation Requirements

ITAR doesn't specify technical controls the way NIST 800-171 or CMMC does. It's a performance-based regulation: you must prevent unauthorized access to technical data. How you accomplish that is largely up to you. But when the State Department comes knocking, you need to prove your controls work.

That proof comes from documentation and audit trails. You need records showing:

This documentation serves two purposes. First, it's evidence of compliance during audits or investigations. Second, it's how you identify gaps before they become violations. If you can't document a control, you probably don't have effective implementation.

The contractors who handle this well treat documentation as part of their architecture process, not an afterthought. Every design decision includes a compliance justification. Every service adoption includes a documented review. Every access grant includes a personnel verification record. If that sounds like a lot of process, it is. ITAR compliance isn't something you bolt on later.

The Role of Third-Party Assessments

Many defense contractors bring in third-party assessors to validate their ITAR cloud implementations. This isn't required by the regulation, but it provides useful assurance—both for your own confidence and for demonstrating due diligence to the State Department if questions arise.

Look for assessors with actual ITAR experience, not just generic cloud security credentials. The intersection of export controls and cloud architecture requires specific expertise. Ask for references from other defense contractors. Ask what their assessment methodology includes and what deliverables you'll receive.

A good assessment will identify configuration gaps you missed, but more importantly, it will validate that your documentation actually reflects your implementation. That alignment is what survives regulatory scrutiny. For contractors just getting started with these requirements, understanding who needs ITAR registration and how to approach it correctly is a critical first step.

Current Best Practices for ITAR Cloud Deployments

After years of helping contractors build and audit these environments, here's what actually works in 2026:

Start with GovCloud or equivalent unless you have compelling reasons otherwise. The architectural simplifications outweigh the cost premium for most programs. If you're determined to use commercial regions, bring in compliance expertise early, not after you've built your environment.

Implement customer-managed keys with explicit U.S.-person-only access policies. Don't rely on default encryption. Document your key management architecture with the same rigor you'd apply to physical security controls. Make sure you can prove who has access to keys and how their status was verified.

Treat data classification as a foundational requirement. You can't implement proper controls if you don't know which data is ITAR-controlled. This requires data classification schemes, tagging strategies, and processes to ensure ITAR data doesn't leak into non-compliant environments.

Build compliance into your deployment pipelines. Manual compliance processes don't scale and don't survive staff turnover. Use infrastructure-as-code to enforce geographic restrictions. Use automated policy enforcement to prevent non-compliant service configurations. Build compliance checks into your CI/CD workflows.

Limit third-party integrations in ITAR environments. Every additional service is another compliance review, another potential vulnerability, another thing to document. The operational convenience of comprehensive tool integration isn't worth the compliance complexity in most cases.

Maintain separate environments for ITAR and non-ITAR workloads. Trying to mix them in a single cloud account or subscription creates unnecessary risk. The segregation makes access controls clearer, auditing simpler, and compliance boundaries explicit.

Document everything before you need it. Don't wait for an audit or investigation to compile evidence of your controls. Build documentation into your operational processes. If you implement a new control, document it that day. If you grant someone access, document their verification that day.

Review your architecture quarterly. Cloud platforms change constantly. Services add features that might affect compliance. Your organization's technical data changes. Quarterly reviews ensure your controls remain aligned with your risk profile and regulatory requirements.

What This Means for Defense Contractor Leadership

ITAR compliance in cloud environments isn't a checkbox exercise. It requires architectural decisions, investment in proper controls, ongoing operational discipline, and cultural commitment to documentation and process. The contractors who get this right treat it as a business enabler, not just a compliance burden.

Cloud done properly gives defense contractors capabilities they couldn't achieve with on-premises infrastructure: better disaster recovery, faster development cycles, access to advanced analytics and machine learning tools, and reduced capital expenditure. But those benefits only materialize if you build on a compliant foundation.

The alternative—implementing controls poorly or attempting to retrofit compliance after deployment—creates risk that's hard to quantify and harder to mitigate. State Department investigations are thorough. Penalties for violations can be severe, both financially and through debarment from future defense work. The time to address ITAR cloud compliance is before you migrate workloads, not after someone asks questions about your architecture.

For organizations working across multiple defense-related compliance frameworks, understanding how ITAR compliance fits into the broader regulatory landscape helps leadership make informed decisions about resource allocation and risk management. These aren't isolated requirements—they're part of an interconnected compliance ecosystem that defense contractors must navigate effectively.

If you're responsible for your organization's cloud strategy or compliance program, make sure you have the right expertise in place. This isn't work for generalists. It requires people who understand both the technical details of cloud architecture and the legal nuances of export controls. That combination is rare but essential. Your competitors who handle defense work are figuring this out. The question is whether you'll lead or follow.

📖
Related Reading
ITAR Violation Consequences: What Happens When Defense Contractors Get It Wrong → ITAR Registration: Who Needs It and How to Get It Right →