Microsoft Azure announced in June of 2016 that the Microsoft Azure Government (MAG) region can now support the processing and storing of ITAR-regulated workloads and controlled applications. Since the announcement, we have added over 8 services to the ITAR product catalog. ITAR, or International Traffic in Arms Regulations, controls the export and import of defense related articles and services on the United States Munitions List (USML). ITAR stipulates that all regulated data must be stored and processed in an environment where logical and physical access is limited to US Persons.
Microsoft Azure Government, which has already been granted Authority to Operation (ATO) at the FedRAMP Moderate and High authorizations, has already implemented a series of controls and have passed an independent security assessment, by a third party auditor. ITAR Readiness leverages those controls, adds additional access restrictions to US Persons, and establishes a robust (proactive and reactive) Incident Response plan for customers.
You can read more about Azure’s security processes, certifications, and accreditations in the Azure Trust Center.
The following Azure Products are now available for ITAR regulated workloads:
- Azure Virtual Machines
- Azure Storage
- SQL Database
- Document DB
- App Service: Web Apps
- Application Gateway
- Cloud Services
- Traffic Manager
- Virtual Network
- VPN Gateway
- Azure Active Directory
Cloud and App Services may be used as long as the design and implementation complies with ITAR access and processing regulations.
Guidance on storing and processing ITAR guidance can be found here.
Government agencies, contractors, software integrators, and service providers with a need to meet ITAR requirements within Azure Government must sign an Azure Government (US) Enterprise Agreement. Company eligibility for ITAR processing can be found here.