The engineering team at a defense contractor shares a CAD file through Microsoft Teams. The file contains schematics for a specialized optical system destined for a military UAV. Within hours, that file has touched servers in three countries, been indexed for search, and generated automated thumbnails—all because Teams treated it like any other document.
This is how ITAR violations happen in 2026. Not through malicious intent or sophisticated espionage, but through engineers using the collaboration tools their IT department provisioned without understanding what makes defense technical data different from everything else flowing through enterprise systems.
The gap between what the International Traffic in Arms Regulations considers "technical data" and what most cloud services are designed to handle is wider than most defense contractors realize. It's not just about where data lives—it's about who can access it, how it moves, what happens to it in transit, and whether the architecture of the service itself creates unauthorized disclosures.
What Actually Counts as ITAR Technical Data
The regulatory definition is deceptively broad: information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. That includes blueprints, drawings, photographs, plans, instructions, and documentation.
In practice, this means most engineering work product at defense contractors is ITAR-controlled technical data. Not just the final design package—the iteration history, the test data, the failure analysis, the manufacturing tolerances. Even information about what didn't work can be technical data if it informs how someone would develop, produce, or operate a defense article.
The pattern I see: companies understand that CAD files and specifications are controlled. They miss the spreadsheet tracking component suppliers, the email thread discussing why a particular material was selected, the Slack conversation about tooling approaches. All of that can be technical data. All of it requires the same controls.
The regulations don't care about your file taxonomy or your information classification scheme. They care about the content and what it reveals about a defense article. A seemingly innocuous project schedule can be technical data if it discloses performance characteristics or development approaches. A photograph of a prototype taken during a team meeting is technical data if it shows sufficient detail.
The "Public Domain" Misconception
Technical data that's been published and is in the public domain is no longer controlled. This exception causes more confusion than it resolves. Companies assume that if information is "out there" somewhere, they can share it freely. That's not how public domain works under ITAR and technical data regulations.
Information is only in the public domain if it was lawfully published without export control restrictions. If your competitor violated ITAR by posting technical specifications online, those specifications didn't magically become public domain. If a research paper discusses general principles but your application of those principles to a specific defense article is novel, your work is still controlled even though the underlying science is published.
The public domain analysis requires legal judgment, not an engineer's Google search. I've seen companies treat anything they found in a patent database as fair game, ignoring that their specific implementation or the integration of multiple concepts creates new technical data that's absolutely controlled.
The End-to-End Encryption Carve-Out That Everyone Misunderstands
ITAR's 2019 amendments acknowledged reality: defense contractors need to use cloud services. The regulations now permit use of cloud infrastructure for ITAR technical data if end-to-end encryption is employed and if foreign persons never have the ability to access the data in unencrypted form.
This carve-out is not a blessing for mainstream cloud services. It's a specific technical requirement that most enterprise cloud platforms don't meet by default.
End-to-end encryption in the ITAR context means the customer controls the encryption keys and the data is encrypted before leaving the customer's control. The cloud provider should never have access to unencrypted data or to the keys that would decrypt it. This is not the same as "encryption in transit and at rest" that cloud providers advertise.
When Microsoft or Google or Dropbox encrypts your data, they control the keys. Their employees with sufficient privilege can decrypt your files. Their automated systems process the content for indexing, search, malware scanning, and content classification. That's not end-to-end encryption under ITAR. That's encryption managed by the service provider—encryption that protects against external attackers but does nothing to prevent the foreign persons working for the cloud provider from accessing your technical data.
What Foreign Person Access Actually Means
The test isn't whether a foreign person employee at the cloud provider does access your data. It's whether they could. If the architecture of the service allows a foreign national working for the cloud provider to access unencrypted technical data—even through automated systems, even through support functions—you've created an unauthorized export.
The major cloud providers employ engineers, support staff, and operations personnel globally. Unless you've implemented customer-managed encryption keys correctly and ensured the service architecture never exposes unencrypted data to cloud provider systems, you're relying on the provider's hiring and access controls to prevent ITAR violations. That's not a position any CISO should be comfortable defending to DDTC.
I've reviewed cloud service configurations where companies thought they were compliant because they selected a U.S.-only region or enabled customer-managed keys, but they hadn't disabled content indexing, automated classification, or support access features. Each of those created pathways for the cloud provider's global workforce to encounter unencrypted technical data.
Speaking on Export Controls and Cloud Architecture
Carl delivers keynotes on ITAR compliance, cloud security architecture, and defense industrial base requirements. His presentations cut through vendor marketing to show what actually works in regulated environments.
Book Carl to Speak
Where Mainstream Cloud Services Fail the ITAR Test
The enterprise collaboration platforms that work brilliantly for most industries create structural ITAR problems for defense contractors. It's not that these services are poorly designed—they're optimized for different requirements than export control compliance.
Microsoft 365, Google Workspace, Slack, Dropbox, Box—the tools IT departments deploy by default—all share architectural patterns that conflict with ITAR's technical data controls:
- Global infrastructure with automatic routing: Files and messages may replicate across regions for performance and redundancy. You often can't control or even see where copies of your data exist at any moment.
- Provider-managed encryption: The service provider holds the keys and has the technical ability to decrypt your content for search, compliance scanning, e-discovery, and support functions.
- Content processing for features: Thumbnail generation, search indexing, malware scanning, DLP classification, and AI-powered suggestions all require accessing the unencrypted content.
- Global support and operations teams: The workforce maintaining these systems and responding to support tickets is international by design.
None of these characteristics make the platforms insecure. They make them incompatible with ITAR's requirement that foreign persons never have access to unencrypted technical data.
The Customer-Managed Key Trap
Cloud providers offer customer-managed encryption keys as an answer to this problem. The pitch is straightforward: you control the keys, so the provider can't decrypt your data without your permission. In theory, this enables ITAR compliance.
In practice, customer-managed keys alone don't solve the problem because they often don't extend to all processing that happens to your data. When you upload a file to SharePoint with customer-managed keys enabled, what happens? The file itself may be encrypted with your key, but what about the metadata, the search index, the preview thumbnails, the version history? Different cloud services handle this differently, and the documentation is rarely explicit about which components remain accessible to provider systems.
I've seen companies deploy customer-managed keys and declare victory without testing whether search still works, whether mobile apps can preview files, whether data loss prevention scanning still functions. If those features still work, the provider's systems are still accessing your content—which means you haven't achieved end-to-end encryption in the ITAR sense.
The real test: if you revoke the provider's access to your key, does the service become completely unable to do anything with your data except store and retrieve the encrypted blob? If the answer is no, you likely have a technical data access problem.
How Engineering Teams Leak Export-Controlled Data Daily
The most common ITAR technical data violations I encounter aren't dramatic security breaches. They're engineers doing their jobs with tools that weren't configured for export-controlled work.
An engineer takes a photo of a test setup with their phone to document a configuration issue. Their phone automatically backs up to iCloud or Google Photos. That backup includes ITAR technical data, now stored on consumer cloud infrastructure with no export controls.
A project team creates a Slack channel to coordinate a design review. They paste screenshots, share CAD viewer links, discuss specifications. Slack's global infrastructure means copies of those messages and files may exist in data centers outside the U.S., accessible to Slack's international support and operations teams.
An engineer working from home emails a drawing to their work account so they can review it on their home computer. The email routes through their personal ISP, potentially touching international mail relays, and arrives in an inbox that may be accessed through a webmail interface hosted who-knows-where.
A supplier sends a quote that includes technical specifications for a component. Someone forwards it to the procurement team using the company's standard email system. That email is now indexed, searchable, and potentially accessible to IT administrators who haven't been through foreign person access determinations.
These aren't hypothetical scenarios. These are patterns I see during ITAR assessments at companies that consider themselves compliance-focused. The engineers aren't careless—they're using the tools and workflows their organizations provided without clear guidance about what's different when handling technical data.
The Remote Work Amplification Effect
Remote work multiplied these exposure pathways. Engineers working from home need access to technical data to do their jobs. The VPN gets them onto the corporate network, but what happens when they need to collaborate in real-time, share screens during a design review, or move files between their work laptop and their test environment?
The expedient solutions—personal Dropbox for file transfer, Zoom's free tier for meetings, screenshot tools that default to cloud storage—all create technical data exposures. Even when companies provide approved tools, engineers often don't understand why the approved tools are required or what risk they're mitigating.
I've investigated incidents where engineers used personal collaboration tools because the corporate-approved alternatives were too slow or too cumbersome, not realizing they were creating export violations. The security team saw policy violations; the engineers saw productivity impediments. Neither understood the ITAR implications.
Building Systems That Don't Leak by Default
Preventing these leaks requires architecture, not just policy. You can't train your way out of a system design that makes violations the path of least resistance.
Start with network segmentation that creates a distinct environment for ITAR technical data. This isn't about putting a firewall between engineering and corporate networks—it's about creating a separate collaboration infrastructure where the default tools, storage, and communication channels are all ITAR-appropriate. Engineers working in that environment should find it easier to use compliant tools than to reach for consumer alternatives.
Implement data loss prevention that understands what ITAR technical data looks like in your organization. Generic DLP that scans for "confidential" in file headers won't catch CAD files, test data, or engineering discussions. Your DLP needs to recognize file types, metadata patterns, and content characteristics specific to your defense work. Then it needs to block or quarantine, not just alert.
Deploy collaboration platforms that support true customer-managed encryption with key architectures you control. For some companies, this means building on infrastructure like AWS GovCloud or Microsoft's Azure Government cloud with rigorous configuration of encryption and key management. For others, it means purpose-built platforms designed for defense contractors that implement end-to-end encryption by default.
The harder path is accepting that some features don't work when you implement proper controls. You may not get instant search across all historical technical data. Mobile access may be limited. File preview and automatic classification may not function. These aren't bugs—they're confirmation that your encryption is actually preventing unauthorized access.
Defense Contractor Compliance Programs
Carl speaks to defense industry audiences about building practical ITAR compliance programs, including technical data controls, cloud architecture, and engineering team training. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventThe Vendor Question Nobody Wants to Answer
Cloud providers know their enterprise platforms don't meet ITAR's technical data requirements out of the box. Some offer specialized solutions—GovCloud regions, defense-specific services, compliance overlays. These can work, but they require configuration discipline and ongoing validation that the controls remain effective as the underlying platform evolves.
The question companies avoid asking: if Microsoft or Amazon or Google can't make their mainstream platforms ITAR-compliant without significant customer configuration and feature limitations, why would a smaller vendor's claims of easy ITAR compliance be credible?
When evaluating cloud services for ITAR technical data, focus on architecture over attestations. Don't ask whether the vendor "supports ITAR"—ask how their encryption works, who has access to keys, whether their systems process unencrypted content, where their workforce is located, what happens during support escalations, and how they prevent their own employees from accessing customer data.
The vendors who actually understand ITAR won't claim it's simple. They'll walk you through the technical controls, explain the limitations, and document why their architecture prevents foreign person access. The vendors who wave their FedRAMP certification and promise seamless compliance usually don't understand the difference between securing government data and controlling export-regulated technical data.
For more on the broader cloud compliance picture for defense contractors, see my article on ITAR and the Cloud: What Defense Contractors Need to Know in 2026, which covers infrastructure requirements and certification considerations.
What Export Control Training Actually Needs to Cover
Most ITAR training focuses on what technical data is and why it matters. That's necessary but insufficient. Engineers need to understand the practical implications: which tools they can use, how to share files safely, what to do when a supplier sends them specifications, how to collaborate with teammates remotely.
Effective technical data training answers specific questions: Can I take a photo of this prototype? Can I attach this drawing to an email? Can I share my screen during a Teams call with this CAD file open? Can I upload test data to the ticketing system? The answers depend on your organization's infrastructure and controls, not on generic ITAR principles.
Training should include recognition exercises. Show engineers examples of technical data from your organization—project schedules that disclose performance characteristics, supplier emails that contain specifications, test reports that document approaches. Help them develop judgment about what requires controls, not just memorize definitions from the regulations.
Address the home office scenario explicitly. What's allowed on a work laptop at home? How should engineers transfer files between systems? What collaboration tools are approved for technical data discussions? If you don't answer these questions in training, engineers will answer them themselves based on convenience.
The pattern I see in companies with mature ITAR programs: technical data training is role-specific, scenario-based, and updated when tools or processes change. It's not annual compliance theater where everyone clicks through the same slides—it's practical guidance integrated into engineering onboarding and refreshed when the organization deploys new collaboration platforms or modifies data handling procedures.
If you're trying to understand which export control regime applies to your work in the first place, my article on ITAR vs EAR: How to Tell Which Export Control Regime Applies to You covers the decision framework for determining jurisdiction.
What This Means for Security Leadership
ITAR technical data control is a CISO problem, not just a compliance office problem. The controls required are architectural and operational—they live in your cloud service configuration, your network design, your application selection, and your engineering workflows.
You can't delegate ITAR compliance to legal and expect them to specify the technical controls. The lawyers can tell you the regulatory requirements; they can't tell you whether your SharePoint encryption configuration actually prevents Microsoft's support team from accessing unencrypted technical data. That's a technical question that requires security expertise to answer.
When your organization considers new cloud services, collaboration platforms, or engineering tools, someone needs to ask the ITAR question early: does this architecture allow foreign persons to access technical data? If you wait until after deployment to discover that the new project management platform indexes all file contents on servers your company doesn't control, you've created an expensive remediation project and a potential violation to disclose.
The business will push back on ITAR restrictions. Engineering teams want the latest collaboration features. Project managers want universal search across all documentation. Executives want the cost efficiency of mainstream cloud platforms. Your job isn't to say no reflexively—it's to explain the actual risk and regulatory requirement, present alternatives that meet both business and compliance needs, and escalate when leadership wants to accept risks they don't fully understand.
This is where speaking from experience matters in security leadership. You need to distinguish between theoretical ITAR concerns and actual violation pathways, between vendor marketing claims and architectures that genuinely prevent foreign person access. The regulations are strict, but they don't require perfect isolation from all technology advancement—they require controls that match the specific risk of unauthorized technical data disclosure.
Defense contractors need CISOs who understand both the regulatory requirement and the engineering reality. You're building security programs that must prevent daily inadvertent violations while enabling engineering teams to collaborate effectively on complex defense systems. That requires technical depth, not just policy administration.
The companies that get ITAR technical data controls right don't achieve compliance through restriction alone. They build environments where the compliant path is also the productive path, where engineers have the tools they need configured in ways that prevent violations by default. That's a design challenge, an architecture challenge, and a leadership challenge—exactly the kind of problem security leadership exists to solve.