Export control implications on Azure and Azure Government
Disclaimer: Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this post does not constitute legal advice, and customers should consult their legal advisors for any questions regarding regulatory compliance.
This blog is the first of two parts containing a review of the current U.S. export control regulations and considerations for cloud computing. In the second part, we’ll cover Azure features and commitments in support of export control requirements.
Export-related definitions vary across export control regulations; however, in simplified terms, an export often implies a transfer of restricted information, materials, equipment, software, etc., to a foreign person or foreign destination by any means.
To help Azure and Azure Government customers navigate export control rules, Microsoft has published the “Microsoft Azure Export Controls Whitepaper” that customers can download from the Service Trust Portal (see FAQ and White Papers section). The whitepaper describes U.S. export controls (particularly as they apply to software and technical data), reviews potential sources of export control risks, and offers specific guidance to help customers assess their obligations under these controls.
U.S. export control policy is enforced through export control laws and regulations administered primarily by the Department of Commerce, Department of State, Department of Energy, Nuclear Regulatory Commission, and Department of Treasury (see table below).
| Agency | Law / Regulation |
|---|---|
| Department of Commerce: Bureau of Industry and Security (BIS) | Export Administration Regulations (EAR) |
| Department of State: Directorate of Defense Trade Controls (DDTC) | International Traffic in Arms Regulations (ITAR) |
| Department of Energy: National Nuclear Security Administration (NNSA) | DoE 10 CFR Part 810 |
| Nuclear Regulatory Commission (NRC) | NRC 10 CFR Part 110 |
| Department of Treasury: Office of Foreign Assets Control (OFAC) | OFAC Sanctions Laws |
Export Administration Regulations (EAR)
The U.S. Department of Commerce enforces the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). Items subject to EAR can be found on the Commerce Control List (CCL), and each item has a unique Export Control Classification Number (ECCN) assigned. Items not listed on the CCL are designated as EAR99.
The EAR is applicable to dual-use items that have both commercial and military applications, as well as to items with purely commercial application. The BIS has provided guidance that cloud service providers (CSPs) are not exporters of customers’ data merely because customers use cloud services. In the final rule published on 3 June 2016, BIS clarified that EAR licensing requirements would not apply if the transmission and storage of unclassified technical data and software were encrypted end-to-end using FIPS 140-2 validated cryptographic modules and were not intentionally stored in a military-embargoed country or in the Russian Federation. The Commerce Department has made it clear that, when data or software is uploaded to the cloud, the customer, not the cloud provider, is the “exporter” who has the responsibility to ensure that transfers, storage, and access to that data or software comply with the EAR.
Azure and Azure Government rely on FIPS 140-2 validated cryptographic modules in the underlying operating system, and provide customers with a wide range of options for encrypting data in transit and at rest, including storing encryption keys in FIPS 140-2 Level 2 validated Hardware Security Modules (HSM). Both Azure and Azure Government provide technical features to help customers subject to the EAR meet their compliance requirements.
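The three conditions above (encryption in transit, encryption at rest with keys held in an HSM, and no storage in a disallowed location) are the sort of thing a customer should verify continuously rather than assume. The following added example, which is not part of the original post or of any Microsoft tooling, audits a constructed inventory of storage accounts against those conditions; the field names mirror Azure storage account settings (HTTPS-only, minimum TLS version, key source, Key Vault SKU), and the approved-region list is a placeholder that each organization must derive from its own legal review.

```python
"""Added example: check a storage-account inventory against the EAR carve-out
conditions described above (encrypted in transit and at rest, HSM-held keys,
approved storage location). Inventory below is constructed, not real."""
from dataclasses import dataclass

# Assumption: regions this organization's counsel has approved for
# export-controlled data. Placeholder values, not legal guidance.
APPROVED_REGIONS = {"usgovvirginia", "usgovarizona", "usgovtexas"}


@dataclass
class StorageAccount:
    name: str
    location: str
    https_only: bool       # supportsHttpsTrafficOnly
    min_tls: str           # e.g. "TLS1_2"
    key_source: str        # "Microsoft.Storage" (platform key) or "Microsoft.Keyvault"
    key_vault_sku: str = ""  # Key Vault "premium" SKU backs keys with HSMs


def audit(acct: StorageAccount) -> list[str]:
    """Return findings for one account; an empty list means all conditions hold."""
    findings = []
    if not acct.https_only:
        findings.append("plaintext HTTP allowed; data in transit not forced over TLS")
    if acct.min_tls != "TLS1_2":
        findings.append(f"minimum TLS version is {acct.min_tls or 'unset'}, expected TLS1_2")
    if acct.key_source != "Microsoft.Keyvault":
        findings.append("at-rest encryption uses platform-managed keys, not customer-managed keys")
    elif acct.key_vault_sku.lower() != "premium":
        findings.append("customer-managed key is not held in an HSM-backed (premium) Key Vault")
    if acct.location.lower() not in APPROVED_REGIONS:
        findings.append(f"stored in region {acct.location}, outside the approved set")
    return findings


def audit_all(accounts: list[StorageAccount]) -> dict[str, list[str]]:
    """Map each account name to its findings so non-compliant accounts stand out."""
    return {a.name: audit(a) for a in accounts}


# Constructed inventory: one compliant account, one with several gaps.
INVENTORY = [
    StorageAccount("ctrlddata01", "usgovvirginia", True, "TLS1_2", "Microsoft.Keyvault", "premium"),
    StorageAccount("legacyblob", "westeurope", False, "TLS1_0", "Microsoft.Storage"),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```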
International Traffic in Arms Regulations (ITAR)
The U.S. Department of State has export control authority over defense articles, services, and related technologies under the International Traffic in Arms Regulations (ITAR), managed by the Directorate of Defense Trade Controls (DDTC). Items under ITAR protection are documented on the United States Munitions List (USML). While there is no ITAR compliance certification, Microsoft has implemented controls in Azure Government that support customers subject to ITAR obligations. Microsoft also offers additional contractual commitments to customers with data subject to ITAR regarding the location of stored data, as well as limiting Microsoft’s potential access to such data to U.S. persons. Nonetheless, customers with ITAR-controlled technical data or software have the responsibility to ensure ITAR compliance.
Customers who are manufacturers, exporters, and brokers of defense articles, services, and related technologies as defined on the USML must be registered with DDTC, must understand and abide by ITAR, and must self-certify that they operate in accordance with ITAR. Customers with ITAR-controlled data are eligible for enrollment in Azure Government provided they sign additional agreements formally notifying Microsoft of their intention to store ITAR-controlled data so that Microsoft may comply with responsibilities both to customers and to the U.S. government.
DoE 10 CFR Part 810
The U.S. Department of Energy (DoE) export control regulation 10 CFR Part 810 implements Section 57b.(2) of the Atomic Energy Act of 1954 (AEA), as amended by Section 302 of the Nuclear Nonproliferation Act of 1978 (NNPA). This regulation is administered by the National Nuclear Security Administration (NNSA). The revised Part 810 (final rule) became effective on 25 March 2015, and, among other things, controls the export of unclassified nuclear technology and assistance. It enables peaceful nuclear trade by helping to assure that nuclear technologies exported from the United States will not be used for non-peaceful purposes. Paragraph 810.7 (b) states that specific DoE authorization is required for providing or transferring sensitive nuclear technology to any foreign entity.
Azure Government can accommodate customers subject to the DoE 10 CFR Part 810 export control requirement because it is designed to meet specific controls that restrict access to information and systems to U.S. persons among Azure Government operations personnel. Customers deploying data to Azure Government are responsible for their own security classification process. For data subject to DoE export controls, the classification system is augmented by the Unclassified Controlled Nuclear Information (UCNI) controls established by Section 148 of the AEA.
NRC 10 CFR Part 110
The Nuclear Regulatory Commission (NRC) is responsible for the Export and Import of Nuclear Equipment and Materials under the 10 CFR Part 110 export control regulations. The NRC regulates the export and import of nuclear facilities and related equipment and materials. The NRC does not regulate nuclear technology and assistance related to these items, which fall under DoE jurisdiction. Consequently, the NRC 10 CFR Part 110 regulations would not be applicable to Azure or Azure Government.
Office of Foreign Assets Control (OFAC) Sanctions Laws
The Office of Foreign Assets Control (OFAC) is responsible for administering and enforcing economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.
OFAC defines prohibited transactions as trade or financial transactions and other dealings in which U.S. persons may not engage unless authorized by OFAC or expressly exempted by statute. For web-based interactions, see FAQ No. 73 in the general guidance released by OFAC, which specifies, for example, that “Firms that facilitate or engage in e-commerce should do their best to know their customers directly.”
As stated in the Microsoft Online Services Terms, “Microsoft does not control or limit the regions from which customer or customer’s end users may access or move Customer Data.” For Microsoft PaaS and SaaS offerings, Microsoft conducts due diligence to prevent transactions with entities from OFAC embargoed countries, e.g., sanctions targets including OFAC Specially Designated Nationals are not allowed to provision Azure or Office 365 services. It is the responsibility of Microsoft customers to exclude sanctions targets from online transactions involving customer websites deployed to Azure or Azure Government.
Note that OFAC sanctions are in place to prevent “conducting business with a sanctions target”, i.e., preventing transactions involving trade, payments, financial instruments, etc. OFAC sanctions are not about preventing a resident of a proscribed country from viewing a customer’s public website.
Customers should carefully assess how their use of Azure or Azure Government may implicate U.S. export controls and determine whether any of the data they want to store or process in the cloud may be subject to export controls. In Part 2 of this blog series, we will discuss Azure and Azure Government features in support of export control requirements.
To help put your organization on a more solid footing in complying with U.S. export controls, read the Microsoft Azure Export Controls Whitepaper. To learn more about how Microsoft helps customers meet their own compliance obligations across regulated industries and markets worldwide, see Microsoft Azure Compliance Offerings.