DoE 10 CFR Part 810
DoE 10 CFR Part 810 overview
The US Department of Energy (DoE) export control regulation 10 CFR Part 810 implements section 57b.(2) of the Atomic Energy Act of 1954 (AEA), as amended by section 302 of the Nuclear Nonproliferation Act of 1978 (NNPA). It is administered by the National Nuclear Security Administration (NNSA). The revised Part 810 (final rule) became effective on 25 March 2015, and, among other things, it controls the export of unclassified nuclear technology and assistance. It enables peaceful nuclear trade by helping to assure that nuclear technologies exported from the United States will be used only for peaceful purposes. Paragraph 810.7 (b) states that specific DoE authorization is required for providing or transferring sensitive nuclear technology to any foreign entity.
Azure and DoE 10 CFR Part 810
Azure Government can accommodate customers subject to DoE 10 CFR Part 810 export control requirements because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls.
Aside from controls on operations personnel with access to production systems, Azure Government maintains compliance with rigorous US Government assessments and authorizations, including:
- FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) provisional authorization (PA) issued by the Defense Information Systems Agency (DISA)
FedRAMP and DoD provisional authorizations are based on the National Institute of Standards and Technology (NIST) SP 800-53 controls. They include provisions for penetration testing and vulnerability scanning, continuous monitoring, Plan of Action & Milestones (POA&M), and so on, to provide assurances that assessed controls are operating effectively.
If you're deploying applications and data to Azure Government, you're responsible for your own security classification process. For data subject to DoE export controls, the classification system is augmented by the Unclassified Controlled Nuclear Information (UCNI) controls established by Section 148 of the AEA.
Azure and U-NNPI
The Naval Nuclear Propulsion Program was created under Executive Order 12344 (see also 50 USC 2511). It comprises the military and civilian personnel who design, build, operate, maintain, and manage the nuclear-powered ships and facilities that support the US nuclear-powered naval fleet. The program provides the design, development, and operational support required for effective military nuclear propulsion plants, and ensures their safe, reliable, and long-lived operation.
Naval Nuclear Propulsion Information (NNPI) that is designated as CUI is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and it may not be released publicly or disclosed to foreign nationals. Table 1 and Exhibit 1 in OPNAVINST N9210.3 Safeguarding of Naval Nuclear Propulsion Information (NNPI) discuss the different classification levels/handling controls for NNPI, including access requirements for U-NNPI. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay. For more information, see Azure NIST SP 800-171 documentation.
Note
You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting unclassified NNPI (U-NNPI) in Azure Government.
Applicability
- Azure Government
Frequently asked questions
How does NRC 10 CFR Part 110 relate to DoE 10 CFR Part 810?
The Nuclear Regulatory Commission (NRC) is responsible for the Export and import of nuclear equipment and materials under the 10 CFR Part 110 export control regulations. The NRC regulates the export and import of nuclear facilities and related equipment and materials. The NRC doesn't regulate nuclear technology and assistance related to these items which are under the DoE jurisdiction. Consequently, the NRC 10 CFR Part 110 regulations wouldn't be applicable to Azure or Azure Government.
How can I supply evidence that I am complying with DoE 10 CFR Part 810?
If your organization is deploying data to Azure Government, you can rely on the Azure Government FedRAMP High P-ATO as evidence that the underlying cloud services platform is handling data in an appropriately restricted manner. However, you're responsible for getting a DoE authorization for your own systems, including the use of cloud services.
Can Azure Government accommodate U-NNPI?
Yes; however, you must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting U-NNPI in Azure Government. Naval Nuclear Propulsion Information (NNPI) that is designated as controlled unclassified information (CUI) is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and may not be released publicly or disclosed to foreign nationals. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay. For more information, see Azure NIST SP 800-171 documentation.
What are my responsibilities for classifying data deployed to Azure Government?
If you're deploying data to Azure Government, you're responsible for your own security classification process. For customer data subject to DoE export controls, the classification system is augmented by the Unclassified Controlled Nuclear Information (UCNI) controls established by Section 148 of the Atomic Energy Act of 1954 (AEA).
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- What is Azure Government?
- Explore Azure Government
- Microsoft government solutions
- Microsoft for defense and intelligence
- Azure support for export controls
- 10 CFR Part 810
- Atomic Energy Act of 1954 (AEA)
- Nuclear Nonproliferation Act of 1978 (NNPA)
- National Nuclear Security Administration (NNSA)
- Unclassified Controlled Nuclear Information (UCNI)
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations