ITAR Compliant File Sharing: The Encryption Carve-Out Explained
Defense contractors have shared ITAR technical data by hand for decades — printed drawings in locked briefcases, couriered drives, air-gapped machines. This wasn't because digital transfer was impossible, but because export control law treated it as an export.
That changed in March 2020, and it's changed the math on ITAR compliant file sharing ever since.
A rule from the State Department's Directorate of Defense Trade Controls (DDTC) created a formal encryption carve-out under 22 CFR § 120.54. When you meet its requirements, storing or transmitting unclassified ITAR technical data over the internet — including in commercial cloud environments — is no longer classified as an export. No license required.
This post explains what the carve-out actually requires, where organizations misread it, and how to build a compliant technical data sharing workflow without filing export licenses every time an engineer shares a CAD file.
What the ITAR Encryption Carve-Out Permits
The core idea is simple: encryption changes the legal character of data transmission.
Under 22 CFR § 120.54(a)(5), sending or storing unclassified ITAR-controlled technical data is not considered an export, reexport, or retransfer — provided all four conditions are satisfied:
- The data is unclassified. Classified defense technical data operates under different rules entirely. This carve-out applies only to unclassified ITAR technical data.
- End-to-end encryption is applied. The data must be encrypted from origin to destination. No intermediary — including the cloud service provider — can access the plaintext.
- The encryption meets FIPS 140-2 standards. Cryptographic modules must be validated under the Federal Information Processing Standards Publication 140-2 (or successor), or provide security strength equivalent to AES-128 or higher.
- Decryption keys are not provided to any foreign person. Not to the cloud provider, not to a foreign employee, not to anyone unauthorized under ITAR. The carve-out protects the encrypted transmission — it does not protect sloppy key management.
Meeting all four conditions means your technical data can move through commercial cloud infrastructure without triggering export control licensing requirements. This creates a meaningful operational advantage for organizations managing cross-functional engineering workflows, supply-chain collaboration, or remote teams.
What the Carve-Out Does Not Cover
The carve-out is precise. Organizations that misread it create real legal exposure.
It protects the transmission, not the access. If an unauthorized foreign person accesses your ITAR technical data in unencrypted form — regardless of how it was transmitted — that access is still an export. Compliance ends at the point of decryption, not at the cloud boundary.
Encryption at rest is not enough. Server-side encryption, where the cloud provider holds the keys, does not satisfy the carve-out. The requirement is end-to-end encryption: only authorized parties should hold the means of decryption. If your cloud provider can decrypt your files on request, you do not qualify.
Proscribed countries remain off-limits. Under 22 CFR § 126.1, certain countries — including China, Russia, Iran, and North Korea — are arms-embargoed. Technical data must not be intentionally transmitted to persons in, or stored in, those countries regardless of encryption status.
Long-term storage abroad requires care. Transient storage incidental to transmission (data passing through a router, a CDN node) does not create a problem. Intentional long-term storage in a foreign jurisdiction is treated differently and warrants separate legal review.
Why Key Management Is the Critical Control
Every ITAR file sharing conversation eventually comes back to encryption keys.
The regulation's fourth condition — that the means of decryption must not be provided to any third party, including the cloud provider — is where most commercial encryption setups fall short.
Standard cloud storage encrypts your files, but the provider holds the keys. This is especially true for the Microsoft ecosystem, as seen in recent news such as the BitLocker controversy, in which Microsoft handed over encryption recovery keys to law enforcement. Legal process, foreign government order, or insider access can unlock your data without your knowledge or consent if the cloud provider holds both your content and your keys.
Effective ITAR compliant email and file sharing requires a different model. Protection must travel with the data itself, and the keys should remain in your custody.
This is why customer-controlled key management is not an optional add-on for ITAR compliant file transfer, but a compliance requirement. Organizations handling ITAR technical data need:
- Client-side encryption that encrypts data before it reaches the cloud, not after
- Customer-held keys where the cloud provider stores only ciphertext, and unlocking requires your explicit authorization
- Key access controls that log every request and require authorization by U.S. persons
- Audit trails that document who accessed what, when, and from where
An immutable audit log is increasingly non-negotiable. DDTC's enforcement posture relies on evidence when voluntary disclosures are filed — organizations that can demonstrate controlled access recover faster than those that cannot.
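As an added illustration of the key-custody and logging requirements above (this is example code, not from the page or from Virtru), here is a minimal customer-held keystore in Python: it releases a key only to an allow-listed requester, records every request, granted or denied, in a hash-chained log, and can detect later edits to that log. The encryption itself (e.g. client-side AES-256-GCM in a FIPS-validated module) sits outside this snippet; the KeyStore, AuditEntry and allow-list entries are hypothetical.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEntry:
    """One key access request. digest covers this entry plus the previous
    entry's digest, so the log forms a hash chain."""
    requester: str
    action: str
    granted: bool
    digest: str


def entry_hash(prev: str, requester: str, action: str, granted: bool) -> str:
    return hashlib.sha256(f"{prev}|{requester}|{action}|{granted}".encode()).hexdigest()


class KeyStore:
    """Hypothetical customer-held keystore (not Virtru's implementation).
    The cloud provider stores ciphertext only; the key leaves this object
    only through release(), which is gated and always logged."""

    def __init__(self, secret: bytes, authorized: set[str]):
        self._secret = secret            # e.g. an AES-256 key, in customer custody
        self.authorized = authorized     # constructed allow-list of ITAR-authorized U.S. persons
        self.log: list[AuditEntry] = []  # append-only, hash-chained audit trail

    def release(self, requester: str, action: str) -> bytes:
        """Hand out the key only to an authorized requester; log every request."""
        prev = self.log[-1].digest if self.log else ""
        granted = requester in self.authorized
        self.log.append(AuditEntry(requester, action, granted,
                                   entry_hash(prev, requester, action, granted)))
        if not granted:
            raise PermissionError(f"key release denied for {requester}")
        return self._secret


def verify_log(log: list[AuditEntry]) -> bool:
    """Recompute the chain: an edited or removed entry breaks every digest after it.
    Dropping only the newest entry is not detectable here; anchor the latest digest
    externally (e.g. exported on a schedule) to catch truncation."""
    prev = ""
    for e in log:
        if entry_hash(prev, e.requester, e.action, e.granted) != e.digest:
            return False
        prev = e.digest
    return True
```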
Applying the Carve-Out to Email and File Workflows with Virtru
Defense contractors typically need ITAR compliant file sharing and ITAR email encryption across the same workflows: design reviews, proposal development, supplier collaboration, and program documentation. The carve-out applies equally to both transmission types.
ITAR Compliant Email Communications
Sending a message containing ITAR technical data to a cloud-based provider that can read the content does not meet the carve-out. End-to-end encrypted email — where encryption is applied client-side before the message leaves the sender's device — satisfies the requirement, provided the recipient is a U.S. person authorized under ITAR and key access is controlled.
Virtru's Solution: Virtru for Outlook, Virtru for Gmail
ITAR Compliant Files in Cloud Storage
Uploading an unencrypted file to Google Drive or SharePoint, then relying on the platform's native encryption, does not satisfy the carve-out. The platform holds the keys. The correct approach is to encrypt the file client-side before upload, with keys controlled by your organization. Platforms like Google Drive support client-side encryption configurations that enable this workflow without replacing existing tools.
Virtru's Solution: Virtru Private Keystore for encryption key management independent of your cloud provider
ITAR Compliant External Collaboration
Sharing technical data with suppliers, subcontractors, or teaming partners introduces additional access control requirements. Each recipient must be a U.S. person (or a foreign person specifically authorized under ITAR). Access should be grantable and revocable at the file level, with policies that expire or restrict forwarding.
Virtru's Solution: Virtru Secure Share
The principle across all workflows is the same: first mile to last mile data protection. Encryption must be present and under your control at every stage — not just in transit via TLS, not just at rest, but end-to-end, with no gaps.
FIPS 140-2 Validation: What It Actually Means
Meeting the carve-out requires FIPS 140-2 validated cryptographic modules — not simply using FIPS-approved algorithms.
This distinction matters. Many commercial encryption tools use AES-256, which is a FIPS-approved algorithm. But the module that implements that algorithm must itself be independently validated by the Cryptographic Module Validation Program (CMVP) and listed in the NIST CMVP database. Using AES-256 through an unvalidated implementation does not meet the FIPS 140-2 requirement.
When evaluating tools for ITAR file sharing, confirm that the vendor can provide a CMVP certificate number. "FIPS compliant" and "FIPS 140-2 validated" are different claims — only the latter satisfies the carve-out.
How Recent ITAR Updates Affect Cloud Data Sharing
The encryption carve-out regulation itself has remained stable since its March 2020 effective date. However, ITAR continues to evolve in ways that affect compliance programs.
In August 2025, the State Department published a final rule (effective September 15, 2025) amending 15 of 21 USML categories. The amendments introduced new controls on certain unmanned underwater vehicles, removed several legacy items, and clarified jurisdictional boundaries for dual-use technologies. Organizations holding existing ITAR licenses or classification determinations for affected categories should review their classifications against the revised USML.
None of the 2025 amendments altered the encryption carve-out standards. The four-condition framework under 22 CFR § 120.54(a)(5) remains the operative rule for cloud-based ITAR technical data sharing.
DDTC has 14 additional rulemaking actions planned through the current regulatory cycle, including further revisions to USML definitions that may affect cloud-related technology classifications. Organizations should maintain current ITAR counsel to track these changes as they progress through the Federal Register.
Building a Compliant ITAR File Sharing Program
For organizations that implement it correctly, the carve-out creates opportunity for streamlined, secure collaboration. A compliant ITAR technical data sharing program requires:
- Access control policies that restrict technical data to U.S. persons, with documented authorization procedures for any foreign person access under existing ITAR exemptions or licenses.
- Encryption with customer-held keys across every sharing channel — email, file storage, collaboration platforms, and external transfer.
- FIPS 140-2 validated modules throughout the encryption stack, with certificate numbers documented in your compliance program records.
- Immutable audit logs covering every access event, key request, and sharing action, retained and accessible for voluntary disclosure or regulatory inquiry.
- Training for all personnel who handle technical data, covering what qualifies as ITAR-controlled, what the carve-out permits, and what actions still require export authorization.
Legal oversight is critical. Virtru and other ITAR encryption solutions support and enable regulatory compliance under ITAR — but compliance determination for a specific organization's technical data classifications, licensing obligations, and export authorization requirements requires qualified export counsel.
How Data-Centric Security Supports ITAR
Most ITAR compliance programs were designed around physical and network controls: restricted facilities, access-controlled servers, VPN tunnels. These controls work inside defined boundaries.
Modern defense supply chains don't operate inside defined boundaries. Technical data moves to prime contractors, subcontractors, foreign partners on approved programs, government reviewers, and cloud-based design environments. Network-centric controls fail the moment data leaves your environment.
The encryption carve-out implicitly points toward a different model, where protection travels with the data regardless of where it goes. Self-protecting data objects that enforce their own access policies don't rely on network perimeter integrity — nor should they, as one of the core principles of information security is to assume breach. Self-protecting data proves its value by persisting in cloud storage, in email, in collaboration tools, and at the far end of a supply chain where you have no direct control over infrastructure.
This is truly achievable data-centric security: rather than trying to secure every environment your data might enter, you embed the security in the data itself.
Next Steps
If your organization handles ITAR-controlled technical data in cloud environments, start with these questions:
- Who manages your encryption keys?
- Does your current encryption solution use client-side encryption, or does it use server-side encryption?
- Can you provide a CMVP certificate number for your cryptographic modules?
- Do your audit logs capture key access requests with enough detail to support a voluntary disclosure?
- Have you reviewed your USML classifications against the September 2025 ITAR amendments?
For organizations evaluating how to apply the carve-out to specific workflows, Virtru's ITAR Encryption Carve-Out guide covers the requirements in detail. For broader ITAR compliance programs, see our ITAR Compliance Checklist and the CMMC compliance resources for organizations managing overlapping defense compliance requirements.
Export control law is fact-specific. This post describes the general framework and is not legal advice for your specific compliance program. To learn more about how Virtru could help your organization bolster secure information sharing aligned with ITAR requirements, contact our team for a demo.
Virtru's encryption is FIPS 140-2 validated (Certificate #4440). Virtru Data Security Platform is FedRAMP Moderate authorized. For ITAR/EAR compliance questions specific to your organization, consult qualified export control counsel.
Editorial Team
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.