International Traffic in Arms Regulations (ITAR)
The International Traffic in Arms Regulations (ITAR) are a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data.
ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption. Unlike FedRAMP, there is no formal ITAR certification process for cloud providers.
Achieving ITAR Compliance When Using Files.com
ITAR compliance with Files.com is possible, but it requires that you carefully configure your site.
ITAR-Compliant Long-Term Storage
Files.com's built-in storage is not ITAR compliant. However, we have several customers who are able to use Files.com to transfer data subject to ITAR.
This is done by configuring your site so that no data is stored on Files.com itself, and Files.com is only used as a transfer and governance layer on top of that data.
To do that, you can either use a trusted cloud provider that is ITAR compliant for storage, such as Amazon GovCloud S3, or you can install the Files.com Agent in an ITAR-compliant environment that you control. If you are using a cloud provider, we strongly recommend Amazon S3 in Amazon GovCloud because our environment is highly optimized for working with S3.
You will then need to configure the relevant folders and/or Child Sites to mount that ITAR-compliant storage as their storage. This can be done with our Remote Server Mount capability.
SIEM Integration
You should enable Files.com's SIEM integration and store an external copy of all log data generated by the Files.com system. This provides an additional audit trail you can use to prove the full history of access to any files subject to ITAR.
Do Not Create Any Full Access Support Tickets
To maintain ITAR compliance, do not use the feature of our Support tab that grants Files.com's support representatives access to your site or files. We are unable to guarantee that all of our support reps are USA-based.
Allowed Countries
Use the "Allowed/disallowed countries" capability of Files.com to restrict user access to the United States. This capability uses commercial IP geolocation services to disallow access from IP addresses not in the United States. Please note that this protection can be circumvented by VPNs, and should be considered just one layer of a defense-in-layers approach.
Possible Future Files.com Enhancements
Files.com is considering adding direct support for GovCloud in the future, which would remove the manual integration requirements for long-term storage. Additionally, we are considering adding the ability to "flag" your account as ITAR enabled. This would trigger a guarantee that your Support Tickets are never able to grant Full access to your site.