Export Administration Regulations (EAR)

EAR overview

The US Department of Commerce is responsible for enforcing the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). According to BIS definitions, export is the transfer of protected technology or information to a foreign destination or release of protected technology or information to a foreign person in the United States, also known as deemed export. Items subject to the EAR can be found on the Commerce Control List (CCL), and each item has a unique Export Control Classification Number (ECCN) assigned. Items not listed on the CCL are designated as EAR99, and most EAR99 commercial products don't require a license to be exported. However, depending on the destination, end user, or end use of the item, even an EAR99 item may require a BIS export license.

The EAR is applicable to dual-use items that have both commercial and military applications, and to items with purely commercial application. The BIS has provided guidance that cloud service providers (CSP) aren't exporters of customers’ data due to the customers’ use of cloud services. Moreover, in the final rule published on 3 June 2016, BIS clarified that EAR licensing requirements wouldn't apply if the transmission and storage of unclassified technical data and software were encrypted end-to-end using FIPS 140 validated cryptographic modules and not intentionally stored in a military-embargoed country (that is, Country Group D:5 as described in Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation. The US Department of Commerce has made it clear that, when data or software is uploaded to the cloud, the customer, not the cloud provider, is the exporter who has the responsibility to ensure that transfers, storage, and access to that data or software complies with the EAR.

Azure and EAR

If you are subject to the EAR, Azure, Azure Government, and Azure Government Secret can help you meet your EAR compliance requirements.

Except for the Azure region in Hong Kong SAR, Azure datacenters aren't located in proscribed countries or in the Russian Federation. Azure services rely on FIPS 140 validated cryptographic modules in the underlying operating system, and provide you with many options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault. The Key Vault service can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK). Keys generated inside the Azure Key Vault HSMs aren't exportable – there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys. For more information, see How does Azure Key Vault protect your keys?

Note

You're responsible for choosing the Azure regions for deploying your applications and data. Moreover, you're responsible for designing your applications to use end-to-end data encryption that meets EAR requirements. Microsoft doesn't inspect, approve, or monitor your Azure applications.

Azure Government provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

For more information regarding the EAR, your should review:

Applicability

  • Azure
  • Azure Government
  • Azure Government Secret

Office 365 and EAR

For more information about Office 365 compliance, see Office 365 EAR documentation.

Frequently asked questions

What should I do to comply with export control laws when using Azure?
Under the EAR, when data is uploaded to a cloud service, the customer who owns the data — not the cloud services provider — is considered to be the exporter who has the responsibility to ensure that transfers, storage, and access to that data or software complies with the EAR. For that reason, you, as the owner of the data, must carefully assess how your use of the Microsoft cloud may implicate US export controls and determine whether any of the data you want to use or store there may be subject to EAR controls, and if so, what controls apply. To learn more about how Azure can help you ensure your full compliance with US export controls, review the Microsoft Azure Export Controls whitepaper.

What technical features does Azure provide to help customers meet their EAR compliance obligations?
The following Azure features are available to you to manage potential export control risks:

  • Ability to control data location – You have visibility as to where your data is stored, and robust tools to restrict data storage to a single geography, region, or country. For example, you may therefore ensure that data is stored in the United States or your country of choice and minimize transfer of controlled technology/technical data outside the target country. Customer data isn't intentionally stored in a non-conforming location, consistent with the EAR rules.
  • Control over access to data – You can know and control who can access your data and on what terms. Microsoft technical support personnel don't need and don't have default access to customer data. For those rare instances where resolving customer support requests requires elevated access to customer data, Customer Lockbox for Azure puts you in charge of approving or rejecting customer data access requests.
  • End-to-end encryption – Implies the data is kept encrypted at all times between the originator and intended recipient, and the means of decryption aren't provided to any third party. Azure relies on FIPS 140 validated cryptographic modules in the underlying operating system, and provides you with many options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault. The Key Vault service can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK). Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys.
  • Tools and protocols to prevent unauthorized deemed export/re-export – Apart from the EAR end-to-end encryption safe harbor for physical storage locations, the use of encryption also helps protect against a potential deemed export (or deemed re-export), because even if a non-US person has access to the encrypted data, nothing is actually revealed to non-US person who can't read or understand the data while it is encrypted and thus there is no release of any controlled data. Azure offers many encryption capabilities and solutions, flexibility to choose among encryption options, and robust tools for managing encryption.

Are Microsoft technologies, products, and services subject to the EAR?
Most Microsoft technologies, products, and services are either 1) not subject to the EAR and thus aren't on the Commerce Control List and have no ECCN; or 2) they're EAR99 or 5D992 Mass Market-eligible for self-classification by Microsoft and may be exported to non-embargoed countries without a license as No License Required (NLR). That said, a few Microsoft products have been assigned an ECCN that may or may not require a license. For more information, see Exporting Microsoft Products where you can find exporting information under Product Lookup. Consult the BIS or legal counsel to determine the appropriate license type and eligible countries for export purposes.

What’s the difference between the EAR and International Traffic in Arms Regulations (ITAR)?
The primary US export controls with the broadest application are the EAR, administered by the US Department of Commerce. The EAR is applicable to dual-use items that have both commercial and military applications, and to items with purely commercial applications.

The United States also has separate and more specialized export control regulations, such as the ITAR, that governs the most sensitive items and technology. Administered by the US Department of State, ITAR imposes controls on the export, temporary import, re-export, and transfer of many military, defense, and intelligence items – also known as defense articles – including related technical data documented on the Unites States Munitions List (USML).

Should I use Azure or Azure Government for workloads that are subject to EAR?
You're wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same provisions for data encryption in transit and at rest to support EAR requirements. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Resources