Defense articles covered by the regulation are identified by the Department of the State in the U.S. Munitions List specified in the language of the regulation. The U.S. Munitions List is subject to change only by amendment.

In the context of the regulation, U.S. persons refers to:

U.S. person means a person (as defined in §120.14 of this part) who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. It also includes any governmental (federal, state or local) entity. It does not include any foreign person as defined in §120.16 of this part.

With the Smartsheet Gov environment, ITAR applies to customers ensuring that information regulated by ITAR (U.S. Munition List) is not disclosed to individuals who do not meet the requirements for access under the regulation such as individuals who are considered foreign persons as defined in the regulation.

Smartsheet supports our customers with ITAR related concerns by providing a platform hosted in the AWS GovCloud (operated by U.S. Persons) and operated by Smartsheet employees which conform to the definition of U.S. persons.

ITAR as a regulation, does not include a method for demonstrating direct compliance such as through a formal certification, attestation, or authorization. Smartsheet Gov operates out of the AWS GovCloud (operated by U.S. persons), maintains a FedRAMP Moderate (IL2) P-ATO, and is operated by Smartsheet employees which conform to the definition of U.S. persons.

Smartsheet maintains a number of features to help customers safeguard data appropriately in our Gov environment:

• Strong Access Controls: Smartsheet recommends the usage of an SSO provider and MFA with our Gov environment.
• Encryption: Smartsheet provides encryption implemented in this environment through in-transit and at-rest controls implemented in accordance with validated encryption standards.
• Monitoring: Smartsheet offers several features within the application for monitoring the activity-related data in your Smartsheet Gov account. A few of these include the sheet access report showing who can access specific sheets in your environment and an activity log for each sheet, providing a granular audit trail of actions within the sheet.

In order to support compliance with ITAR while using Smartsheet, you'll need to enable the following essential controls:

1. Disabling of Publishing:

   1. Ensure that the publishing feature is disabled at the account level to prevent unintended publishing of data to public-facing sites. This should include publishing being disabled for the following:

      1. Sheets

      2. Reports

      3. Dashboards

      4. Calendar

2. Do not add domains or individual emails to the approved sharing list (enabled by default in Gov) if they violate the requirements of ITAR (U.S. Persons-Only)

3. Forms

   

4. Welcome Screen (configured daily)

5. API usage - Limit integration as is appropriate

6. Monitor any external storage integration

Note: Each customer is responsible for independently evaluating its own use of the Subscription Services as well as Smartsheet’s security practices to ensure that its use is in compliance with ITAR.

If you have additional questions not answered above, please complete this form and a Smartsheet Security Engineer will reach out to you.