When migrating to the cloud, one of our customers’ major concerns is complying with applicable security standards and understanding which accreditations apply to their needs. Oracle is committed to addressing the challenges of a complex and constantly changing regulatory environment. This post focuses on the International Traffic in Arms Regulations (ITAR) and follows a series of blog posts that discuss various security standards that are applicable to government and commercial entities. This post aims to help customers looking to migrate an existing environment to or build a new solution on Oracle Cloud Infrastructure (OCI) US Government Cloud.

An overview of ITAR

In an ever-changing world, the US Government is now more than ever relying on cloud service providers to enable business functions built on information systems. These government agencies and supporting commercial contractors process sensitive information to provide services to citizens, employees, and other agencies. ITAR, administered by the Directorate of Defense Trade Controls (DDTC) within the US State Department, regulates the manufacture, sale, and distribution of defense and space-related articles and services. US Government agencies and contractors that need to store, manage, and access ITAR-covered data in a cloud environment need to ensure that specific controls are in place to meet their regulatory obligations.

ITAR requires that only US persons have physical or logical access to the items on the United States Munitions List (USML). US persons are essentially US citizens or US Green Card (Permanent Resident Card) holders. The USML includes the following 21 categories of Defense Articles:

  • Firearms and Related Articles

  • Guns and Armament

  • Ammunition and Ordnance

  • Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines

  • Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents

  • Surface Vessels of War and Special Naval Equipment

  • Ground Vehicles

  • Aircraft and Related Articles

  • Military Training Equipment and Training

  • Personal Protective Equipment

  • Military Electronics

  • Fire Control, Laser, Imaging, and Guidance Equipment

  • Materials and Miscellaneous Articles

  • Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment

  • Spacecraft and Related Articles

  • Nuclear Weapons Related Articles

  • Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated

  • Directed Energy Weapons

  • Gas Turbine Engines and Associated Equipment

  • Submersible Vessels and Related Articles

  • Articles, Technical Data, and Defense Services Not Otherwise Enumerated

Customers with ITAR compliance requirements must know what’s required of their implementation.

OCI US Government Cloud authorizations and customer responsibility

While no formal ITAR compliance certification is available for any infrastructure- and platform-as-a-service (IaaS and PaaS) cloud provider, the OCI US Government Cloud is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO). The OCI US Government Cloud is designed to support the cloud computing needs of US federal, state, and local government agencies and the US Department of Defense (DoD) and approved commercial entities.

As a FedRAMP High JAB authorized service, OCI US Government Cloud offers in-scope cloud services that meet or exceed the requirements of the FedRAMP High level, and customers’ environments inherit the controls that Oracle maintains. OCI US Government Cloud provides a physically and logically isolated environment supported and managed by trained US persons in the US. OCI’s team has no access to our customers’ data on OCI Government Cloud. OCI US Government Cloud regions are located exclusively within the United States, so all customer data remains on US soil unless our customers proactively move it elsewhere.

Oracle’s cloud services span applications and infrastructure solutions across PaaS and IaaS, making it easy for government agencies and approved contractors to digitally transform legacy mission systems securely, efficiently, and effectively. Customers can successfully migrate their necessary workloads to OCI US Government Cloud, knowing that Oracle can maintain compliance with US federal security requirements, such as FedRAMP High and DISA IL4 and 5, and continue to address heightened requirements. For more information about the FedRAMP authorized services that OCI US Government Cloud offers, see a list of OCI US Government Cloud services.

The customer is responsible for analyzing their cloud strategy to determine the suitability of using Oracle Cloud services, considering their unique regulatory compliance obligations.

Oracle has continuously proven to be one of the most outstanding government cloud service providers. We have resources and a dedicated team to help you successfully complete your journey to the cloud and your pursuit to secure your data.

Want to know more?

For specific information regarding Oracle Government Cloud instances, you can visit the Oracle Cloud Infrastructure US Government Cloud documentation.

The OCI US Government Cloud consists of FedRAMP High authorized regions and IL5 Department of Defense (DoD) authorized regions. If you prefer Oracle Government Cloud, consult your Oracle sales representative for a proof of concept in the appropriate region.
