ITAR Compliance Solutions

StratoKey’s Cloud Data Protection (CDP) platform empowers organizations to confidently manage and secure International Traffic in Arms Regulations (ITAR)-controlled data across cloud applications. By delivering robust end-to-end encryption, tokenization, and granular access controls, StratoKey ensures that sensitive defense-related ITAR-controlled data remains secure and compliant throughout its lifecycle. With StratoKey, organizations can enforce ITAR data protection requirements; meet ITAR encryption carve-out requirements; store data locally in a FedRAMP-authorized environment; minimize the risk of unauthorized access; reduce the scope of compliance; and maintain full control over access to ITAR-controlled data.

Get in Touch to Learn More About ITAR Compliance With StratoKey

Please provide your details so we can get in touch about your inquiry.

What is ITAR Compliance?

ITAR compliance means following the International Traffic in Arms Regulations, which implement the Arms Export Control Act (AECA) by controlling the export (and import) of defense-related articles, services, and technical data listed on the United States Munitions List (USML). These regulations are intended to protect U.S. national security by restricting access to sensitive military technologies and information, allowing only U.S. citizens or those specifically authorized by the Department of State to access such items.

Who Needs To Be ITAR Compliant?

Any organization that manufactures, exports, brokers, or handles items or technical data on the USML, including contractors, suppliers, distributors, and technology providers, must comply with ITAR. This includes both physical items and digital technical data, making ITAR compliance essential for companies with global operations, cloud environments, or foreign employees.

Shared Responsibility

Every company in the supply chain must be ITAR compliant. If Company A sells a part to Company B, and Company B exports it without proper authorization, both can be held liable. This shared responsibility means all parties handling ITAR-controlled items must ensure compliance at every stage.

What is ITAR Regulated Data?

Defense articles, controlled technical data, and defense services are the three primary categories regulated under ITAR. When such data is stored or processed in the cloud, ITAR requires that data or services associated with the design, production or use of defense articles be protected with stringent access controls, continuous monitoring, and strong end-to-end encryption (FIPS 140-2 validated), and that access be restricted to authorized U.S. persons. Data residency requirements further mandate that the data remain within the U.S. or, if stored abroad, be encrypted and inaccessible to unauthorized parties (22 CFR § 120.54).

Defense Articles

These are physical items specifically listed on the United States Munitions List (USML), which includes a broad range of military and defense-related equipment. These items are tightly controlled to prevent unauthorized export or use.

Controlled Technical Data

Technical data includes information required for the design, development, production, or use of defense articles, such as blueprints, drawings, specifications, and software. This data is controlled to prevent unauthorized access or export, especially to foreign persons or entities.

Defense Services

Defense services are assistance or training provided to foreign persons in relation to defense articles, such as instruction in how to build or operate military equipment. These services are regulated and usually require government approval before being provided.

Cloud Systems and ITAR Challenges

Cloud systems pose challenges for ITAR compliance because organizations must tightly control where and how sensitive data is stored and, importantly, who can access it, while also managing the shared compliance responsibilities with third-party cloud vendors. However, under the “encryption carve-out” in 22 CFR § 120.54(a)(5), FIPS 140-2 validated end-to-end encryption can allow ITAR technical data to be stored or transmitted in the cloud without being considered an export.

ITAR Encryption Carve-out

The U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) published an Interim Final Rule in 2019, which formally created ITAR 22 CFR 120.54 to define activities that are not considered exports, reexports, or retransfers, including the storage and transmission of technical data that is properly end-to-end encrypted. Relying on the carve-out in a cloud deployment means:

  • Ensuring data remains within the U.S. or is protected by strong end-to-end encryption if stored elsewhere (22 CFR § 120.54(a)(5)).
  • Preventing unauthorized access by foreign nationals or cloud provider staff (22 CFR § 120.17).
  • Managing the risks of shared (multi-tenant) cloud environments.
  • Maintaining full visibility and control over the storage, processing, and movement of ITAR-regulated data at all times.

Encryption Implemented With StratoKey Can Exclude Data as an Export

The “encryption carve-out” can be achieved by the use of the StratoKey encryption engine. The engine is built to NIST standards and provides FIPS 140-2 validated end-to-end encryption at arm’s length from data storage, meeting the implementation requirements within 22 CFR § 120.54(a)(5).

Approved Encryption Standards

StratoKey uses FIPS 140-2/140-3 validated encryption to protect data in transit and at rest. StratoKey’s encryption exceeds the minimum 128-bit security strength and aligns with NIST guidance, satisfying the technical requirements for the ITAR encryption carve-out specified in 22 CFR 120.54(a)(5)(iii).

Mandatory End-to-End Encryption

The encryption provided by StratoKey is end-to-end, meaning data is encrypted from the point of origin (or the in-country security boundary) to the point of destination (or the recipient's in-country security boundary). It is therefore never exposed in unencrypted form while in transit or at rest, meeting 22 CFR 120.54(b)(1)(i).

No Third-Party Access to Decryption Keys

StratoKey’s architecture allows organizations to maintain control over encryption keys, ensuring that decryption keys are never transmitted to third parties, including cloud service providers. This aligns with 22 CFR 120.54(b)(1)(ii).

Authorized Recipient Access Only

The encryption provided by StratoKey is enhanced with granular and group access controls. This helps ensure only authorized U.S. persons or those specifically authorized under ITAR can decrypt and access ITAR-controlled data. Geo-locking features also bar access from designated regions. StratoKey can prevent non-citizen or unauthorized access.
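The two conditions above, data never at rest in the clear and decryption keys never handed to the cloud provider, are commonly met with envelope encryption. The following is an added illustration written for this page, not StratoKey's own engine or API: each object is encrypted under a fresh AES-256-GCM data key at the origin, that data key is wrapped under a key-encryption key (KEK) that stays inside the organisation, and the provider stores only the result. Key distribution to authorised recipients is assumed to happen out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is all the cloud provider ever holds: ciphertext plus a per-object
// data key wrapped under the organisation's key-encryption key (KEK). The KEK and
// the unwrapped data key never leave the organisation's security boundary.
type StoredObject struct {
	Nonce, Ciphertext         []byte
	WrapNonce, WrappedDataKey []byte
}

// aeadFor builds AES-GCM; a bad key length is a programming error, so panic.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Encrypt runs at the data origin with a 32-byte KEK (AES-256, above the 128-bit
// minimum). Each object gets a fresh data key; the KEK only ever wraps keys.
func Encrypt(kek, plaintext []byte) *StoredObject {
	dataKey, nonce, wrapNonce := make([]byte, 32), make([]byte, 12), make([]byte, 12)
	for _, b := range [][]byte{dataKey, nonce, wrapNonce} {
		if _, err := rand.Read(b); err != nil {
			panic(err) // no usable CSPRNG: never fall back to anything weaker
		}
	}
	return &StoredObject{
		Nonce: nonce, Ciphertext: aeadFor(dataKey).Seal(nil, nonce, plaintext, nil),
		WrapNonce: wrapNonce, WrappedDataKey: aeadFor(kek).Seal(nil, wrapNonce, dataKey, nil),
	}
}

// Decrypt runs at the authorised recipient, the only party holding the KEK. Any
// other key fails the authenticated unwrap, which is the provider's position.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dataKey, err := aeadFor(kek).Open(nil, obj.WrapNonce, obj.WrappedDataKey, nil)
	if err != nil {
		return nil, err // wrong KEK: the data key cannot be recovered
	}
	return aeadFor(dataKey).Open(nil, obj.Nonce, obj.Ciphertext, nil)
}
```

A provider holding a StoredObject, or an attacker who copies one from the provider's storage, gets only ciphertext and a wrapped key; without the KEK the GCM authentication check in Decrypt fails and nothing is returned.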

How StratoKey Helps You Meet a Wider Range of ITAR Compliance Requirements

StratoKey helps organizations meet ITAR compliance requirements by securing ITAR-regulated data with encryption and tokenization, enforcing strict access controls, monitoring user activity, and providing audit trails. These features ensure only authorized U.S. persons can access ITAR-regulated data and support ongoing compliance with ITAR and related NIST standards.

Encryption & Tokenization

Secures technical data using FIPS-validated encryption libraries or tokenization before data leaves your control, helping secure it in transit and at rest. Properly implemented, this means the activity of sharing the technical data is not deemed an export activity (22 CFR § 120.54).

Access Control

Enforces user identification, granular user permissions, group policies, and advanced authentication, allowing only authorized U.S. persons to access controlled technical data and preventing unauthorized or offshore access through cloud applications.

Audit Controls

Audit capabilities log every interaction with secured technical data, supporting the end-use monitoring requirements of 22 CFR § 120.17. Together with the monitoring capabilities, audit controls help identify control violations. Voluntary disclosures are a mitigating factor in determining the penalties imposed (22 CFR § 127.12).

Monitoring & Policy Enforcement

Continuous monitoring directly supports the ongoing responsibility to monitor end-use and the ability to identify and self-report on violated controls. Policy enforcement ensures only authorized users can access ITAR-regulated data by blocking unauthorized actions, and enforces compliance with regulatory requirements.

StratoKey Provides Clear Benefits for ITAR-Regulated Organizations

  • Use end-to-end encryption to exclude data from being considered an export per 22 CFR § 120.54(a)(5).
  • Meet ITAR regulatory requirements and NIST 800-53, NIST 800-171 standards for the handling and storage of technical data.
  • Store data in a local or FedRAMP-authorized environment with tokenization.
  • Limit access to export-controlled data to U.S. citizens or ITAR-approved recipients.
  • Reduce exposure of technical data to subcontractors and cloud service providers and their employees.
  • Mitigate third-party breach risk with encryption managed at arm’s length from CSPs.
  • Meet a wide range of ITAR requirements with audit capabilities, access management, monitoring and defensive features.
  • Secure ITAR-regulated data across popular applications (NetSuite, Salesforce, Jira, Pipedrive etc.) while maintaining app functionality.

Meet ITAR Compliance Requirements Across Your Cloud Applications

StratoKey is application agnostic and can be configured to your organization's specific CMMC compliance requirements. StratoKey offers support for several integrations, including NetSuite, SuiteProjects Pro, Salesforce, Pipedrive, Jira, Confluence, Slack and ServiceNow.

Ready to Secure Technical Data for ITAR Compliance?

Our team is experienced at assisting organizations in securing technical data regulated under ITAR. Ask us how the StratoKey CDP platform, built with NIST standards at its core, can help.
