Microsoft and ITAR
Microsoft provides certain cloud services or service features that can support customers with ITAR obligations. While there is no compliance certification for the ITAR, Microsoft operates and has designed in-scope services to be capable of supporting a customer’s ITAR obligations and compliance program.
Microsoft Azure Government and Microsoft Office 365 U.S. Government for Defense provide support for customers with data subject to the ITAR through additional contractual commitments to customers regarding the location of stored data, as well as limitations on the ability to access such data to US persons. Microsoft provides these assurances for the infrastructure and operational components of these government cloud services, but customers are ultimately responsible for the protection and architecture of their applications within their environments.
Customers must sign additional agreements formally notifying Microsoft of their intention to store ITAR-controlled data, so that Microsoft may comply with responsibilities both to our customers and to the US government.
The ITAR has specific obligations to report violations, which can provide certain risk mitigation benefits. The Microsoft Enterprise Agreement Amendment enables Microsoft and the customer to work together in reporting such violations.
Customers seeking to host ITAR-regulated data should work with their Microsoft account and licensing teams to learn more, obtain proper agreements, and access relevant system architecture information.
Learn how to accelerate your ITAR deployment with our Azure Security and Compliance Blueprint.Download the ITAR Deployment Overview for Azure Government
Microsoft in-scope cloud services
- Azure Government detailed list
- Office 365 U.S. Government Defense
The US Department of State is responsible for managing the export and temporary import of defense articles (meaning any item or technical data designated under the US Munitions List, as described in Title 22 CFR 121.1) that are governed by the Arms Export Control Act (Title 22 USC 2778) and the International Traffic in Arms Regulations (ITAR) (Title 22 CFR 120-130). The Directorate for Defense Trade Controls (DDTC) is responsible for managing entities governed under these programs.
Frequently asked questions
Please contact your Microsoft account representative.