Over the last 3 years I was first the individual contributor and then the people manager accountable for designing, implementing, securing and ensuring compliance of the ITAR/CUI-compliant infrastructure for the IVAS program at Microsoft. I will be sharing my learnings and knowledge of how to build ITAR-compliant systems that meet the NIST 800-171 and CMMC standards, to help teach others how to build the best environment to maximize productivity and compliance/security. I won’t be sharing the Microsoft IVAS project system design; rather, I will focus on how a 3rd party could build a similar environment.
Starting in late 2018 I was tasked with determining the regulatory requirements for building a DoD defense article, based in part on the Microsoft HoloLens (IVAS), for the U.S. Army program, which is regulated under the ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations) dual-use regulations. Once the infrastructure and security constraints were determined, the next task was to identify what systems already existed within Microsoft that the IVAS team could use for development.
Many Microsoft products like Windows, Azure, and M365/O365 are capable of hosting ITAR information; however, these products themselves and their source code are not regulated under the ITAR. Microsoft’s prior public product regulated under the ITAR was the Windows NT4 128-bit encryption floppy disks. Making a physical or digital product that is ITAR-controlled, or a defense article listed on the USML (United States Munitions List), requires that the digital information be protected from individuals who are not U.S. citizens, U.S. permanent residents, or licensed by the U.S. State Department for access to ITAR data. Additionally, any data that is regulated under ITAR can’t be stored (data at rest) or sent/accessed outside the United States or its territories unless in a licensed location or under an exception covered within the ITAR.
About ITAR
An update to ITAR that took effect in March 2020 (published in the Federal Register in December 2019: https://www.federalregister.gov/documents/2019/12/26/2019-27438/international-traffic-in-arms-regulations-creation-of-definition-of-activities-that-are-not-exports) provided clarity on how ITAR information could be encrypted and stored outside the U.S.A. One of the items that was clarified was the definition of “access information” as information that “allows access to encrypted technical data in an unencrypted form, such as decryption keys, network access codes, and passwords.” It further clarified that if an individual has the “access information”, that individual must be a U.S. citizen, U.S. permanent resident (green card holder), or licensed and approved to access the information at the same level as if it were NOT encrypted. This means that if someone has the ability to obtain the keys or passwords used to access/decrypt the data, it is equivalent to them accessing the ITAR data itself. You can’t have a datacenter, network, PKI or infrastructure engineer, or a support staff member, who isn’t allowed to access ITAR data if that person has the capability to get to the keys/passwords used to protect it. Note that this is about capability, not intent: a subscription-level owner or a role that can assign itself key permissions holds “access information” just as much as someone who has been handed the key. This presumption of access is different from non-ITAR information and is why Microsoft has ITAR-compliant environments and products for hosting. These environments are physically located in different datacenters; those datacenters are staffed only by U.S. citizens, with encryption keys and access also limited to U.S. citizens.
Hosting ITAR/EAR 600-series/CUI information in proper compliance with NIST 800-171 in Azure requires the use of Azure Government and M365 GCC High. Microsoft’s commercial/public Azure, O365/M365, and Azure DevOps/GitHub offerings don’t guarantee compliance with the NIST 800-171/800-172, ITAR, and CMMC standards, as a number of components and tools allow customer data to be accessed by Microsoft engineers and support staff. Microsoft will only support contracts that involve storing ITAR data if it is stored in Azure Government/GCC High (https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#about-office-365-government-environments).
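The two rules above (data at rest must stay in the U.S., and anyone who can obtain the keys or passwords counts as having access) are the kind of thing worth checking mechanically rather than by memory. The following is an added example, not code from the original post or from the IVAS program. It is a small audit over a constructed inventory of role assignments and resources of the shape Azure RBAC produces: it flags principals who hold "access information" for ITAR-protecting resources but are not on the screened U.S. persons roster, and resources holding ITAR data that sit outside Azure Government regions. The region names and the built-in Azure role names are as I understand them today; the resource IDs, principals and roster are constructed sample data. Role inheritance down the scope tree is modelled with a prefix match on the resource ID, which is why a subscription-level Owner shows up as a key holder.

```python
"""Audit holders of ITAR "access information" and data-at-rest locations.

Added example (not from the original post). All input data below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: the regulated environment is pinned to these Azure Government
# regions. Anything ITAR-bearing outside this set is a data-at-rest finding.
US_GOV_REGIONS = {"usgovvirginia", "usgovtexas", "usgovarizona"}

# Built-in Azure RBAC roles that let a principal read keys/secrets, or that
# can grant themselves such rights. In ITAR terms the holder of any of these
# on a regulated resource holds "access information".
KEY_ACCESS_ROLES = {
    "Owner",                        # can assign itself any data-plane role
    "User Access Administrator",    # same: can grant itself key roles
    "Key Vault Administrator",
    "Key Vault Crypto Officer",
    "Key Vault Crypto User",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
    "Storage Account Contributor",  # includes listKeys/action
    "Storage Account Key Operator Service Role",
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # UPN or service principal display name
    role: str       # built-in role name
    scope: str      # resource ID at which the role was assigned


@dataclass(frozen=True)
class Resource:
    resource_id: str
    location: str
    holds_itar: bool


def _covers(scope: str, resource_id: str) -> bool:
    """True if a role assigned at `scope` is inherited by `resource_id`."""
    scope = scope.rstrip("/")
    return resource_id == scope or resource_id.startswith(scope + "/")


def access_information_holders(assignments: Iterable[RoleAssignment],
                               resources: Iterable[Resource]) -> set[str]:
    """Principals able to obtain keys/secrets protecting ITAR data."""
    itar_ids = [r.resource_id for r in resources if r.holds_itar]
    return {
        a.principal for a in assignments
        if a.role in KEY_ACCESS_ROLES
        and any(_covers(a.scope, rid) for rid in itar_ids)
    }


def unscreened_key_holders(assignments, resources, screened: set[str]) -> list[str]:
    """Key holders who are not on the screened U.S. persons roster."""
    return sorted(p for p in access_information_holders(assignments, resources)
                  if p not in screened)


def resources_outside_us(resources: Iterable[Resource]) -> list[str]:
    """ITAR-bearing resources whose region is not an Azure Government region."""
    return sorted(r.resource_id for r in resources
                  if r.holds_itar and r.location not in US_GOV_REGIONS)


# ---- constructed sample inventory --------------------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUB + "/resourceGroups/rg-itar/providers/Microsoft.KeyVault/vaults/kv-itar"
BACKUP_EU = SUB + "/resourceGroups/rg-itar/providers/Microsoft.Storage/storageAccounts/stitarbackup"
KV_MARKETING = SUB + "/resourceGroups/rg-public/providers/Microsoft.KeyVault/vaults/kv-marketing"

SAMPLE_RESOURCES = [
    Resource(VAULT, "usgovvirginia", True),
    Resource(BACKUP_EU, "westeurope", True),   # misplaced backup of ITAR data
    Resource(KV_MARKETING, "westeurope", False),
]
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "Key Vault Crypto Officer", VAULT),
    RoleAssignment("bob@example.com", "Key Vault Reader", VAULT),      # metadata only
    RoleAssignment("carol@example.com", "Owner", SUB),                  # inherited everywhere
    RoleAssignment("dave@example.com", "Key Vault Secrets User", KV_MARKETING),
]
SCREENED_US_PERSONS = {"alice@example.com", "bob@example.com"}


if __name__ == "__main__":
    print("unscreened key holders:",
          unscreened_key_holders(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES, SCREENED_US_PERSONS))
    print("ITAR data outside US Gov regions:", resources_outside_us(SAMPLE_RESOURCES))
```

In the sample, carol is flagged even though she was never given a Key Vault role: Owner at the subscription is inherited by every vault and storage account beneath it. bob is not flagged because Key Vault Reader exposes only metadata, and dave's secrets role sits on a vault that holds no ITAR data. The real inventory would come from the Azure Government ARM API or `az role assignment list`, but the decision logic is the same.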
The start of IVAS
The Microsoft IVAS program contract was signed in Nov 2018 and had deliverables starting within 6 months. The fast turnaround for initial delivery of prototypes was seen in the public IVAS STP (Soldier Touch Point) events, part of the Soldier Centered Design (https://www.army.mil/article/231425/soldier_centered_design_proving_vital_to_kitting_soldiers_faster_and_more_efficiently) methodology, which allowed the U.S. Army and Microsoft to modify the product design based on near-constant soldier feedback. The frequent and rapid changes to the design and product engineering requirements needed to keep up with the DoD schedule meant that I and a few other key staff members had to quickly design and build the regulated IT environment for the project as a minimal set of critical features, then add functionality and controls while the IVAS program continued development. This meant we were doing a “building the plane while in flight” implementation. The just-in-time infrastructure allowed Microsoft to reduce costs, use designs and solutions that existed when they were needed, and helped ensure we were mindful not to over-engineer the solutions and kept a balance between security and efficiency. Ultimately we built a U.S. persons-accessible environment that supported the personas of information worker, engineering (mechanical, electrical, software), manufacturing, reliability, and testing, with support for ITAR/CUI components.
The Microsoft corporate network is a worldwide environment, with Active Directory Domain Administrators and Azure AD Global Administrators of mixed citizenship located around the world. To ensure our compliance with ITAR, CUI, and NIST 800-171, neither the Azure public cloud nor normal Microsoft corporate resources could be used to store ITAR/CUI source code, design diagrams, or emails/documents that contained CUI/ITAR or other export-controlled material. Without Azure Government and GCC High M365, proper controls could not effectively be put in place to prevent accidental spills of ITAR/CUI information to persons who were not screened to access it.
In future posts I will share the designs, configurations, scripts, and automation I have written to make the process of building and running an ITAR/CUI-compliant environment easier. I will also point out deltas and workarounds for missing Azure Government features or capabilities.
If you are looking for specific information or need help building your environment let me know.