5. What is Sovereign Cloud Computing
● Isolated in-country platform
● Autonomous legal entity (not a government-owned entity)
● All operations are managed by citizens of that country
6. Sovereign Computing & Data
● Data is subject to the laws of the jurisdiction where it is collected
● No foreign entity is able to exert control over the data
● All data (customer data & metadata) is resident in, and controlled within, that jurisdiction
7. Data Sovereignty and Data Residency
Data Sovereignty
● Data is stored locally, within an autonomous cloud provider inside the country.
● Staff are subject to the local laws of the country.
○ Staff may even hold security clearances and/or other required approvals.
Data Residency
● The customer's data is in a local zone or country.
● Account information (logins, passwords, network information, diagnostics, etc.) may still be accessed from overseas.
● Access to the customer data is controlled by a foreign entity.
○ Example: a US contractor providing services overseas, or a foreign contractor (outsourced staff) providing technology services to a US entity.
8. Primary Drivers of Sovereign Cloud
● Government entities want complete control over their data.
○ National security (US) and/or economic benefit (European)
● US hyperscaler dominance: global and critical data is managed by US cloud provider(s), amid rapid changes in the geopolitical climate.
○ Ukraine, China, Russia, etc.
● The US CLOUD Act lets the US government compel US-based providers to disclose data in their possession, custody or control even when that data resides on foreign soil.
9. US Clarifying Lawful Overseas Use of Data (CLOUD) Act
Two main objectives:
● Amended the Stored Communications Act to require providers to comply with their obligations to preserve, back up or disclose electronic data in their possession, custody or control regardless of where that information is located;
● Allow the U.S. government to enter into executive agreements with foreign governments for reciprocal expedited access to electronic information held by providers based abroad.
Enacted in March 2018 (as Division V of the Consolidated Appropriations Act, 2018).
Not to be confused with Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is a separate surveillance authority.
10. Geographies Adopting
● European countries (GDPR)
○ UK (UKCloud), Germany and France (Gaia-X), Switzerland, etc.
● Asia
○ India, China & Taiwan
● Middle East
● United States
○ GovCloud
11. Examples of Sovereign Clouds - United States
● Azure Government (GCC High)
● Google Public Sector
● AWS GovCloud (US)
● Oracle Cloud for Government
13. National Impact
● Data fuels the defense economy
● Data fuels innovation and growth
● As a nation, if we are not in control of the data, then it is very hard for data to become a national asset in its own right.
"CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting lethality of our warfighters."
Defense Counterintelligence and Security Agency (DCSA)
14. Local Impact - Defense Industrial Base
● Wright-Patterson AFB
● Defense contractors
● Manufacturing
● Federally Funded Research and Development Centers (FFRDCs)
○ Educational institutions
○ Science and technology
● Supporting technology services organizations
○ IT, MSPs, MSSPs, CSPs
15. Government Programs
● Cybersecurity Maturity Model Certification (CMMC)
○ Potential to replace many industry-wide certification schemes
○ Widest impact
● Federal Risk and Authorization Management Program (FedRAMP)
● Executive Order 14028, Section 4(e) - Software Supply Chain Security
16. US Data Restrictions
Regulation | Authority | Stakeholder | Primary Focus | Specifies
International Traffic in Arms Regulations (ITAR) | 22 CFR Parts 120-130 | US Department of State (DDTC) | United States Munitions List (USML) | Protection of defense-related articles and services
Export Administration Regulations (EAR) | 15 CFR Parts 730-774 | US Department of Commerce (BIS) | Commerce Control List (CCL) | Protection of commercial and dual-use items, information and technology
Controlled Unclassified Information (CUI) Program | EO 13556 | US National Archives (NARA) | Controlled Unclassified Information (CUI) | CUI categories & protection requirements
Defense Federal Acquisition Regulation Supplement (DFARS) | 252.204-7012, 252.204-7021 | US Department of Defense (DoD) | Controlled Unclassified Information (CUI) | NIST SP 800-171 implementation; Cybersecurity Maturity Model Certification (CMMC)
Federal Acquisition Regulation (FAR) | 52.204-21 | General Services Administration (GSA), US Department of Defense (DoD), National Aeronautics and Space Administration (NASA) | Federal Contract Information (FCI) | 15 basic cybersecurity requirements
17. Technical Definitions
FCI: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
CUI: Government-created or -owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. An overarching term representing many different categories, each authorized by one or more law, regulation, or Government-wide policy. Information requiring specific security measures indexed under one system across the Federal Government.
CDI: Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DOD in support of the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
CTI: Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DOD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
ITAR: The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130) implement the Arms Export Control Act (AECA). The AECA requires that all manufacturers, exporters, temporary importers, and brokers of defense articles (including technical data) as defined on the United States Munitions List (ITAR part 121), and all furnishers of defense services, register with the Directorate of Defense Trade Controls (DDTC) as described in ITAR part 122 (part 129 for brokers). Registration is primarily a means to provide the U.S. Government with necessary information on who is involved in certain ITAR-controlled activities and does not confer any export or temporary import rights or privileges. Registration is generally a precondition for the issuance of any license or other approval and for use of certain exemptions. Per ITAR §122.1, any person who engages in the United States in the business of either manufacturing or exporting or temporarily importing defense articles or furnishing defense services is required to register with DDTC. Manufacturers who do not engage in exporting must nevertheless register. Please review and thoroughly understand all definitions, especially the definition of Exporting as it applies to ITAR. Additionally, review and understand entries on the United States Munitions List (ITAR part 121).
18. DoD Distribution Marked Information
DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.
DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government agencies (reason) (date of determination). Other requests for this document shall be referred to (controlling DoD office).
DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (reason) (date of determination). Other requests for this document shall be referred to (controlling DoD office).
DISTRIBUTION STATEMENT D. Distribution authorized to Department of Defense and U.S. DoD contractors only (reason) (date of determination). Other requests for this document shall be referred to (controlling DoD office).
DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (reason) (date of determination). Other requests for this document shall be referred to (controlling DoD office).
DISTRIBUTION STATEMENT F. Further dissemination only as directed by (controlling office) (date of determination) or higher DoD authority.
20. Recap
● Sovereign computing
● Isolated in-country platforms
● Data residency versus data sovereignty
● Data as the new oil: a national asset
● Economic & national security benefit
● Emerging programs
● CMMC
● FedRAMP
● SBOMs via Executive Order 14028
● Protection of CUI