What is “Cloud Computing”?
Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Common examples of cloud computing include; file sharing applications, external e-mail services, instant messaging services, and social networking services. The use of cloud computing provides a number of advantages, which include accessibility, increased collaboration, streamlined work, and flexibility in costs and mobility. However, cloud computing does have certain disadvantages as its use may raise potential export control issues. Failure to properly understand and manage cloud computing can result in significant institutional and individual liability.
Cloud Computing’s Effect on Export Control and FAU
In June, 2016, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) amended its rules on cloud computing which now state that sending, taking, or storing technology or software will not be considered a controlled export if the technology or software is:
- Secured using end-to-end encryption;
- The encryption technology meets or exceeds Federal Information Processing Standards (FIPS); and
- Not intentionally stored in an embargoed country (Country Group D:5) or in the Russian Federation.
Organizations based in the U.S., whose technology and software meet the BIS’s criteria above, will be able to use cloud computing to send, take, and store technology or software that otherwise would be controlled by the Export Administration Regulations (EAR). Additionally, under the new BIS rule, U.S. nationals located outside of the U.S. will be able to access data on a U.S. server without it being considered an export.
FAU employees must be aware that the “deemed export” rule applies when utilizing cloud computing. For example, if an FAU employee sends, takes, or stores unencrypted controlled technology or software using cloud computing, a “deemed export” would occur if the server that hosts the cloud is located within the U.S. and the server’s IT administrator is a Foreign Person.
It is the responsibility of the FAU employee to determine the routing and physical destination of any controlled technology or software that is sent, taken, or stored using cloud computing. In addition, it is the responsibility of the FAU employee to ensure that the controlled technology or software is not accessible by foreign persons.
Although cloud computing can be beneficial, FAU employees are encouraged to follow the recommendations described below:
- Do not use cloud computing services if the data, technology, or software is controlled;
- Increase the security of your data, technology, or software by using end-to-end encryption for access;
- Be aware of the sensitivity and/or conditional uses of the data, technology, or software that you create, have access to, or receive; and
- Impose restrictions on the creation of copies of the data, technology, or software you provide to the cloud server host.
It is to be noted that the exemptions listed in the Bureau of Industry and Security’s rule above apply only to EAR controlled data, technology, and software. Data, technology, and software that is subject to the International Traffic in Arms Regulations (ITAR) is regulated by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC).
For more information on the security and management of electronic data, visit the website for Florida Atlantic University’s Research Integrity Office.