SourceDay is trusted by aerospace, defense, and federal contractors, even though SourceDay itself is not ITAR-registered or FedRAMP-authorized. This is possible because SourceDay supports compliant workflows by giving customers full control over where sensitive data is stored and how it is accessed.
This guide explains how regulated companies can use SourceDay safely, what content is permitted, and how to share documents securely when working under ITAR (International Traffic in Arms Regulations) or FedRAMP (Federal Risk and Authorization Management Program) compliance requirements.
Key facts about SourceDay and compliance
- Not ITAR-registered or FedRAMP-authorized
- Hosted in AWS commercial regions (not AWS GovCloud or Azure Government)
- Does not store sensitive documents
- Designed to enable secure collaboration by referencing files stored in your own document management systems (DMS)
What’s safe to include in SourceDay
Standard purchase order (PO) fields are typically acceptable under both ITAR and FedRAMP compliance:
- Item numbers or SKUs
- Quantities and prices
- Shipping and billing addresses
- Payment terms and delivery schedules
- Internal part numbers or generic descriptions
You can also safely include document links in custom PO fields, as long as the linked content is hosted in your secure DMS.
What to avoid under ITAR and FedRAMP
To comply with regulations, avoid entering or uploading sensitive information directly into SourceDay, including:
- Engineering drawings, specifications, or blueprints
- Source code or software for defense-related items
- Statements of Work (SOWs), change notices, or technical data packages
- Export license details (DSP-5, DSP-73, TAAs, ECCNs)
- Foreign suppliers or unauthorized persons listed in PO fields
- Attachments that may contain Controlled Unclassified Information (CUI)
Best practices for ITAR-compliant workflows
If your organization handles ITAR-controlled data:
- Use generic or internal part numbers on POs rather than specific specs
- Reference ITAR items with a general label (e.g., “Subject to ITAR per spec”)
- Store technical documents in your own ITAR-compliant encrypted file system
- Share documents via secure links, not uploads
- Ensure only authorized U.S. persons have access to the documents and POs
Best practices for FedRAMP (CUI) compliance
If your organization handles Controlled Unclassified Information:
- Do not include CUI directly in PO bodies or attachments
- Store CUI in a FedRAMP-authorized DMS (e.g., SharePoint, Box)
- Share CUI through secure, access-controlled document links
- Apply appropriate markings if CUI is involved (e.g., “CUI” labels)
- Confirm with your compliance officer if unsure what qualifies as CUI
How to share documents securely with SourceDay
To support compliance, SourceDay allows customers to insert links to externally hosted documents without ever storing the sensitive files:
- Host the document in a secure, access-controlled DMS
- Add the document URL into your ERP’s PO header or line item field
- SourceDay maps that field and displays the link in the PO dashboard
- Only users with DMS access permissions can view the file
- Document access is managed entirely by your internal system
🚫 Do not upload technical documents directly into SourceDay
🔐 You control access, permissions, versioning, and audit logs
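As an added example (not SourceDay code), the following pre-sync check applies this guide's rules to a PO record before it leaves your ERP: links in custom fields must point at your own DMS, files must not travel as attachments, and export-license identifiers named above must not appear in PO text. The approved host list, the PO dictionary shape and the sample records are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hostnames of your own access-controlled DMS (constructed values).
APPROVED_DMS_HOSTS = {"dms.example.com", "example.sharepoint.com"}

# Export-license identifiers this guide says must not appear in PO fields.
EXPORT_LICENSE_RE = re.compile(r"\b(DSP-5|DSP-73|TAA|ECCN)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def check_po(po):
    """Return a list of findings for a PO dict shaped like
    {"attachments": [...], "fields": {"field_name": "text"}} (assumed shape).
    An empty list means the record follows the linking workflow."""
    findings = []
    # Files must be hosted in the DMS and linked, never attached.
    if po.get("attachments"):
        findings.append("attachments present: host files in your DMS and link instead")
    for field, value in po.get("fields", {}).items():
        text = str(value)
        # Every URL in a custom field must resolve to an approved DMS host.
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host not in APPROVED_DMS_HOSTS:
                findings.append(f"{field}: link host '{host}' is not an approved DMS")
        # Check the remaining text for export-license identifiers.
        if EXPORT_LICENSE_RE.search(URL_RE.sub("", text)):
            findings.append(f"{field}: export license identifier found in PO text")
    return findings


if __name__ == "__main__":
    # Constructed sample: a compliant PO using the generic ITAR label and a DMS link.
    good = {"fields": {"po_header_doc": "Subject to ITAR per spec https://dms.example.com/docs/123"}}
    # Constructed sample: attachment, non-DMS link and an ECCN reference in one record.
    bad = {"attachments": ["drawing.pdf"],
           "fields": {"line_notes": "ECCN XXXXX applies, see https://files.example.net/x"}}
    print(check_po(good))
    print(check_po(bad))
```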
Optional integrations for advanced needs
If you require deeper control or automation, SourceDay offers integration options:
- Connector
- Flatfile
- API
These options may require development work on your side. Contact your CSM (Customer Success Manager) or support team to explore what’s best for your setup.
Compliance checklist
Need a step-by-step guide for internal audits or onboarding? Use our editable Compliance Checklist Template to confirm:
- What content is safe to include
- How to handle CUI or ITAR-controlled files
- How to validate permissions and storage methods
- What fields and workflows are recommended
Final reminders
- You are responsible for ensuring that no regulated content is entered or transmitted via SourceDay
- SourceDay enables compliant workflows through document linking, not file storage
- Many ITAR- and FedRAMP-regulated organizations already use SourceDay successfully
If you’re unsure whether your workflow meets regulatory standards, consult your legal or compliance team.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice or a representation of compliance with any regulation. SourceDay does not guarantee or certify compliance with ITAR, FedRAMP, CUI, or any other regulations. Organizations are solely responsible for their own compliance programs and should consult with legal counsel regarding regulatory requirements.