September 30, 2018
In 2011, Amazon Web Services (AWS) launched AWS GovCloud, described as “a new AWS Region designed to allow U.S. government agencies and contractors to move more sensitive workloads into the cloud.” This was a necessary step for the cloud giant to cater to clients who must work in ITAR-compliant IT setups.
Born in the heat of the Cold War, International Traffic in Arms Regulations (ITAR) governs the transfer of sensitive defense and military technologies to non-U.S. persons. Items under ITAR jurisdiction, as defined by the U.S. Munitions List, include launch vehicles, aircraft, nuclear weapons, chemical agents, submersibles and more. The rules stipulate that a U.S. person who wants to transfer technical data related to such items must first obtain authorization in a review process that involves the Department of Defense (DoD), the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security in the Commerce Department, among others.
ITAR’s intent and guidelines are publicly available at the DDTC’s site at pmddtc.state.gov, but deciding what constitutes a violation gets complicated in the age of globally dispersed teams working on cloud-hosted infrastructures, on-demand software and browser-based file sharing systems. For instance, is uploading files to a server overseas considered a “transfer”? Can 3D CAD files for a DoD project be hosted and shared in a cloud server located outside the U.S.? Can engineers work on such a project with virtual machines (VM) hosted on a high-performance computing (HPC) server outside the U.S.?
Ordinary engineering firms and design shops may have neither the time nor the expertise to wade through the ITAR jungle. Their safest bet to ensure compliance may be to work with cloud service providers that are ITAR compliant.
Growing ITAR Queries
On the community forum of virtualization software provider VMware (communities.vmware.com), a user asks, “I need to implement a segregated VMware infrastructure to host VMs subjected to ITAR regulations, effectively ensuring that people of non-U.S.-approved nationalities can access this infrastructure. Does anyone have any clarity of what is needed to meet these requirements?” The five-year-old post remains unanswered.
With its cloud-straddling Fusion 360 products, Autodesk has convinced many CAD users that the online collaborative design environment is a much better approach than isolated desktops. One user asks on Autodesk’s online forum (forums.autodesk.com), “Is there an option for the Fusion A360 Enterprise subscription for an ITAR-certified cloud?” Phil Eichmiller, Autodesk software QA engineer, responds, “The short answer is no, not currently.”
Servers on U.S. Soil Only?
The common impression is that you could run afoul of ITAR, perhaps unwittingly, by working with software-as-a-service (SaaS) or cloud-hosted products. This may have stemmed from the notion that, when you work with cloud providers, you can’t control where and how the physical data is stored; therefore, you’re not in a position to comply with ITAR’s non-transfer guideline. Since manufacturing data in modern times is largely digital, the question comes down to the location of the physical servers on which the digital files are stored.
According to FileCloud, an enterprise file sharing and syncing service provider, you don’t necessarily need to rule out cloud offerings to remain ITAR compliant. “The State Department maintains that technical data can be stored on servers outside the U.S., provided … the ITAR license exemption conditions are met, and adequate measures are taken to obviate non-U.S. individuals from accessing technical data.”
“In most cases, the measure typically involves ensuring that any data sent to a server beyond U.S. borders, or that is potentially accessible by a foreign person within or outside the U.S., has to be properly encrypted,” writes Gabriel Lando, the author of FileCloud’s company blog.
Rescale, an on-demand HPC provider that caters to heavy simulation users, prides itself on security leadership in cloud simulation. The company states that it is registered with the U.S. DDTC, and its products are ITAR compliant.
“Companies subject to ITAR export regulations, such as many of Rescale’s customers in the aerospace industry, must control unintended exports by restricting access to protected data to U.S. persons and restricting physical location of that data to the U.S. Rescale works with partners to provide an end-to-end environment physically located in the U.S. and where access is limited to U.S. persons, thereby allowing qualified companies to transmit, process and store protected articles and data subject to ITAR restrictions,” the company writes.
John McEleney, Jon Hirschtick and their colleagues at Onshape are veterans of the CAD world. In the mid-1990s, most of them had a hand in launching SOLIDWORKS, the first Windows PC-based CAD program. They have since moved on from SOLIDWORKS. Not quite ready to fade away, they got together to do what many CAD vendors said couldn’t be done—run CAD from a browser. Three years after the launch of Onshape, the first SaaS CAD program, many other CAD vendors—including their former company SOLIDWORKS—are working to develop some kind of cloud-hosted solution.
“The important requirement for people who want to be ITAR compliant is to know and control where the data is,” says McEleney, cofounder of Onshape. “We have ways to manage the client’s data to ensure it stays within the U.S.”
Onshape lets you run the CAD program from a standard browser, and work with design files saved and shared in a secure cloud. Technically, you could choose to disregard the cloud-hosted repository and use complicated workarounds to save files locally, but it proves cumbersome since it goes against Onshape’s basic tenet and architecture.
In May, Onshape launched a new offering for its lineup: Onshape Enterprise. Onshape Standard and Professional cost $1,500 and $2,100 per user per year, respectively. Onshape Enterprise starts at a $20,000 minimum configuration.
Enterprise clients get their own domain URL. They can have a mix of full users with more privileges ($3,000 per user per year) and light users with limited rights and access ($300 per user per year), to reach the $20,000 minimum required for an Enterprise account. This mix allows a firm to have, for example, a pool of designated design engineers and project overseers with full rights, as well as a set of reviewers and sales staff with limited rights. The Enterprise version comes with project activity reports, centralized IP control, real-time analytics and other functions. It also has application programming interfaces that allow integration with data from other product lifecycle management and product data management systems.
McEleney sees ITAR’s importance, but also thinks it needs some reform to “recognize the power of the cloud and be put into the modern context.” A system like Onshape, with a strict digital history of file ownership and revision records, is much more secure, he reasons, than some of the ITAR-compliant facilities where people habitually pass around files on USB drives.
“Many of our larger customers love our product, but want some tools to manage it at the enterprise level. So the launch of Onshape Enterprise reflects the customers’ interest to take advantage of the cloud,” says McEleney.
The Enterprise setup brings Onshape one step closer to servicing the more IP-sensitive clients, such as military contractors working on DoD projects. Onshape says it is working toward ITAR compliance.
Order From the Cloud
With the rise of on-demand manufacturing, small design shops and even large enterprises now frequently turn to service providers like Xometry, Protolabs, Plethora, Stratasys Direct and Fictiv to produce their prototypes and parts. The convenience comes from the ability to upload the CAD files to the provider through a browser and obtain a quick job quote.
Perhaps to attract IP-sensitive projects, some of the service providers have registered with the DDTC. “Being ITAR registered tells our customers Protolabs is committed to physical security and logical access controls throughout the entire manufacturing process,” says Jacob Heilman, director of Legal and Compliance, Protolabs.
“Protolabs’ IT infrastructure was created to be ITAR compliant from the start ... Our online upload system incorporates strong encryption, CAD files are stored on-site on Protolabs’ servers and all parts are manufactured in ITAR-controlled facilities,” Heilman adds.
Who’s Responsible for What?
On its page for GovCloud, AWS states, “Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.” AWS counts the Department of Veterans Affairs, the Department of Justice and Defense Digital Service among its customers.
Because AWS is one of the largest cloud infrastructure providers, its compliance is bound to have a downstream impact on the fate and fortunes of other companies that have their cloud offerings on AWS hardware. On AWS’s website, the company spells out the shared burden of ITAR between it and its customers: “AWS is responsible for the logical and physical compliance of the cloud infrastructure and core services we offer. Customers are responsible for their own on-premises IT infrastructure, applications and systems.”
The complexity of ITAR is such that it has spawned a thriving industry for consulting firms that help companies become compliant. ECS, which stands for Export Compliance Solutions & Consulting, is one such business.
“Even though cloud computing is a rapidly advancing technology at present, with more and more businesses routinely using Dropbox, Google Drive and similar online services, this has been—and still is—a confusing regulatory area for which State and Commerce have provided very limited guidance until recently,” the company writes on its blog. “We’re glad that appears to be changing now.”
Whereas regulation changes seem slow and sluggish, technology is evolving at a furious pace, raising more questions to which few, to date, have good answers. One of the controlled items on the ITAR list is military training equipment and training. Does that mean those developing virtual reality and augmented reality training programs for the military need to be ITAR compliant? If so, what does it mean for the HPC server (which may be virtualized) where the virtual 3D environment data (which is usually a replica of some real-world terrain) lives? The answer is to be found somewhere in the murky borders between the virtual world and the regulatory hallways.