Last Updated on May 5, 2025
If your business is part of the US defense industrial base (DIB), you’re probably already concerned about how much controlled unclassified information (CUI) you have, where it is stored, who you share it with, and how you protect it. But you may not be as familiar with International Traffic in Arms Regulations (ITAR) data and how that relates to CUI and your overall DoD compliance requirements.
A danger for SMBs that are unaware of their ITAR responsibilities is investing in new technology that satisfies CMMC 2.0 Level 2 requirements to protect CUI but doesn’t cover ITAR obligations—potentially leaving you in violation of your US Department of Defense (DoD) contract despite all your hard work.
This article introduces ITAR and explains some of the ways it could alter your path to compliance with NIST 800-171 or CMMC Level 2.
Key takeaways
- ITAR strictly limits the export of many defense-related goods and services, including technical data. Access to this technology is restricted to “US persons,” and the data must be encrypted at rest, in transit, and in use.
- ITAR applies to many defense suppliers and other US government contractors, as well as their subcontractors and vendors (e.g., SaaS providers) across the supply chain.
- Knowing for sure whether you have ITAR data or not is business critical, as the penalties for noncompliance are extremely onerous.
What is ITAR?
ITAR is a US government regulation that controls the export of sensitive, defense-related goods and services, including technical data. Its purpose is to protect US national security by preventing military assets from being stolen or misappropriated.
ITAR applies to the huge range of items on the United States Munitions List (USML), which includes firearms, ammunition, missiles, military vehicles, battlefield electronics, biological agents, spacecraft, drones, nuclear weapons, and many other weapons systems along with associated blueprints, schematics, manuals, software, etc. The Directorate of Defense Trade Controls (DDTC), an agency of the US Department of State, administers the ITAR program.
ITAR’s core requirement is that access to physical and technical assets related to defense and military technology is restricted to US citizens and permanent residents (so-called “US persons”). ITAR data can only be transmitted over secure, compliant networks.
Non-US persons may not access these assets without State Department authorization. More specifically:
- US businesses operating internationally cannot share ITAR data with employees outside the US without authorization.
- US businesses also need authorization to share ITAR data with non-US subcontractors.
- ITAR data shared with allied nations including Canada, Australia, and the UK may be exempt from these requirements in specific circumstances.
ITAR further requires organizations that handle ITAR assets to document and implement an ITAR compliance plan to demonstrate how they comply with the regulations. This plan should cover identifying, monitoring, tracking, and auditing ITAR data.
Who does ITAR apply to?
ITAR applies to all US government contractors, notably defense suppliers, that handle ITAR data and/or physical assets per the USML. The regulation also flows down the supply chain to subcontractors, service providers, wholesalers, distributors, and other third parties that receive ITAR data. Covered entities can include any business, research institution, or individual participating in the design, manufacture, import/export, brokering, and/or use of assets on the USML.
How do we know if we have ITAR data?
If your contract relates to anything on the USML, chances are you have ITAR data. Ways to verify that include:
- Check your contract for a clause mandating ITAR compliance.
- Work with your contracting officer to identify what specific ITAR data you are receiving from the government or a prime contractor.
- Classify your products and associated technical data against the USML categories to confirm they are ITAR-regulated.
- As a key initial step in achieving compliance with NIST 800-171, CMMC, or any other government cybersecurity standard, you will need to identify and categorize all your CUI, some of which might be ITAR-regulated or fall into another CUI Specified category, such as Not Releasable to Foreign Nationals (NOFORN) or Export Administration Regulations (EAR).
- Some ITAR data may already be marked by the DoD as CUI SP EXPT, meaning “specification export controlled.”
- Consult with a qualified legal specialist about your ITAR compliance.
Understanding your data protection obligations is business critical. Penalties for ITAR compliance violations can include civil fines up to $500,000 per violation or criminal fines up to $1 million or 10 years’ imprisonment per violation. The government can also ban a non-compliant entity from future import/export activities.
Because of this high noncompliance risk, if you have any lingering doubt about whether you handle any ITAR-regulated data, it may be best to err on the side of caution regarding how you secure it.
How should we deal with ITAR data?
While cybersecurity recommendations are rarely “one size fits all,” here are some common guidelines for protecting ITAR data:
- To ensure non-US persons cannot access regulated data, use only known ITAR-compliant cloud storage services that employ only US persons in US locations.
- To meet ITAR requirements, many businesses move their email and other data to Microsoft Azure Government, Microsoft Office 365 GCC High, and other cloud platforms designed specifically to help DIB organizations meet ITAR mandates.
NIST 800-171 and CMMC Level 2 both require encryption in transit and at rest, but not during use. ITAR goes one step further, requiring end-to-end encryption for regulated data. As of March 2020, the State Department modified ITAR to allow the use of commercial cloud services to store and transmit ITAR data provided the data is encrypted end-to-end and encryption keys are never accessible to the cloud service provider (CSP).
Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Association (NDIA), emphasizes: “It’s a pretty narrow exception, and I would encourage folks who are seeking to take advantage of that exception to read that regulation very closely to ensure they are in compliance.”
The bottom line for every business: read your contracts in depth and get your questions answered so that you see your ITAR compliance picture clearly before you make technology investments or incur noncompliance risk.
This scenario is all too common: You know your firm handles CUI, so you gauge your DoD cyber compliance posture with a gap assessment against CMMC 2.0 Level 2. Based on those results, like many of your peers, you undertake a $50,000, months-long migration to the Microsoft 365 GCC “government cloud” to meet CMMC Level 2 requirements. Unfortunately, because you didn’t accurately scope your CUI environment, you recognize too late that some of your CUI is ITAR-regulated. To provide the extra protection that ITAR demands, you should have moved to Microsoft 365 GCC High, whose infrastructure is 100% within the US and staffed only by resident US persons who have passed extensive background checks. As a result, the cost, time, and effort of your original migration were wasted, and you need to migrate yet again.
This Virtual CISO Podcast episode with Corbin Evans includes more information on ITAR compliance concerns in relation to CMMC 2.0 Level 2.
Will CMMC auditors be looking at ITAR compliance?
Failing to achieve holistic compliance with DoD mandates could leave your firm in compliance with CMMC and/or NIST 800-171, but not with the ITAR guidelines. Where would that leave you when you undergo your CMMC assessment? Might C3PAO or DoD auditors issue a nonconformity since you failed to comply with contract requirements?
It is difficult to answer those questions with certainty until more CMMC assessments take place and contractors report their experiences to the peer community. But it could be helpful in the overall interest of national security and defense cybersecurity for auditors to at least point out that best practices were not adhered to.
What’s next?
If your business handles CUI, you need to be certain about your specific cybersecurity requirements. CBIZ Pivot Point Security can provide expert support and in-depth guidance to identify, categorize, and map different CUI types, including ITAR and NOFORN.
Contact us to schedule a conversation with an Aerospace & Defense cybersecurity expert on how best to mitigate your total CUI compliance risks.