
Export Controlled Information: What It Is, How It’s Regulated & How It Relates to CMMC

October 16, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Organizations across the Defense Industrial Base (DIB) handle sensitive technical data that can’t be freely shared across borders or even with certain people inside the U.S. This data is known as Export Controlled Information (ECI).

Protecting it isn’t just federal law for certain organizations—it’s a contractual obligation. If you have defense contracts or subcontracts that involve ECI, you’re almost certainly in scope for CMMC Level 2, along with export laws and regulations, which dictate how to protect this type of data. 

With enforcement of CMMC requirements starting in November 2025, it’s essential to understand what this information might look like and how you’re responsible for safeguarding it.

What is export controlled information?

Export controlled information is unclassified information about items, commodities, technology, software, and related technical data with military or space application whose export could reasonably be expected to harm U.S. national security or nonproliferation objectives (such as preventing the proliferation of weapons of mass destruction, human rights abuses, and terrorism). To prevent this harm, this information is regulated to restrict its exchange, sale, and/or transfer to foreign governments and entities or to foreign nationals in the U.S. (known as “deemed exports”).

The key regulations that control the export of this type of information are the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), among others.

“Export Controlled” is also an official category of Controlled Unclassified Information (CUI) in the DoD CUI program. That means organizations must meet special safeguarding and dissemination requirements according to laws, regulations, or government-wide policies—including CMMC.

Image source: DoD CUI categories and abbreviations

Before we dive into the major export laws and regulations, let’s go over some examples of export controlled information so you better understand what this data is.


Examples of export controlled information

As listed in the DoD CUI registry, examples of ECI include:

  • Documents revealing or containing information controlled under EAR or ITAR
  • Information identified in the munitions list
  • Export license applications and related data
  • Information about dual use items that have both civilian and military applications (identified in the Commerce Control List)
  • Potential or actual export control violations
  • Shipper's export declarations
  • EAR or ITAR compliance assessment
  • Theater security cooperation
  • Missile technology
  • Defense articles
  • Export control reviews
  • Sensitive nuclear technology information
  • Other technical data related to export controlled items


Export laws and regulations for export controlled information

There are several laws and regulations that govern how export controlled information must be disseminated. Violating them can result in severe criminal penalties and fines.

The most common are:

International Traffic in Arms Regulations (ITAR)
  Export controlled data: Information about defense-related items and services
  Statutory authority: Section 2778 of Title 22, United States Code (U.S.C.)
  Implemented by: Parts 120 through 130 of Title 22, CFR

Export Administration Regulations (EAR)
  Export controlled data: Information about dual-use items, which aren’t specifically designed for military application but have that potential
  Statutory authority: Chapter 35 of Title 50, U.S.C.
  Implemented by: Parts 730 through 774 of Title 15, CFR

Assistance to Foreign Atomic Energy Activities Regulations
  Export controlled data: Information related to atomic energy activities
  Statutory authority: Sections 2011–2021, 2022–2286i, 2296a–2297h–13 of Title 42, U.S.C.
  Implemented by: Part 810 of Title 10, CFR

Office of Foreign Assets Control (OFAC) Regulations
  Export controlled data: Information related to transactions with foreign entities and nationals on sanctions lists
  Statutory authority: Sections 1701–1706 of Title 50, U.S.C. and Chapter 35 of Title 50, U.S.C.
  Implemented by: Parts 500 through 598 of Title 31, CFR

1. International Traffic in Arms Regulations (ITAR)

The International Traffic in Arms Regulations (ITAR) are administered by the U.S. Department of State. ITAR governs the export of defense articles, defense services, and related technical data that appear on the U.S. Munitions List (USML). 

22 U.S.C. 2751 et seq.—also known as the Arms Export Control Act (AECA)—serves as the statutory foundation for ITAR. That is, the AECA authorizes the President to regulate the export of defense articles and services, maintain the U.S. Munitions List, and establish licensing requirements, while ITAR spells out these requirements and how to implement them.

ITAR is intended to safeguard technologies and information that are vital to U.S. defense capabilities—such as weapon systems, satellite designs, or military-grade communications equipment. Any transfer of ITAR-controlled data to a foreign entity or person, even inside the United States, is treated as an export and may require a license.

You can find more information about ITAR in 22 CFR parts 120 through 130.

2. Export Administration Regulations (EAR)

The Export Administration Regulations (EAR) are maintained by the U.S. Department of Commerce. They govern the export, re-export, and transfer of “dual-use items,” meaning goods, software, and technologies that are designed for commercial use but have the potential for military application. 

50 U.S.C. § 4801–4852—also known as the Export Control Reform Act (ECRA)—provides the statutory authority for the EAR and replaced much of the Export Administration Act of 1979.

The EAR specifies what technologies fall on the Commerce Control List (CCL) and outlines the licensing requirements for sharing these items with foreign entities and nationals. Common examples include advanced semiconductors, encryption software, and aerospace components.

You can find more information about the EAR in 15 CFR parts 730 through 774.

3. Assistance to Foreign Atomic Energy Activities regulations

Administered by the U.S. Department of Energy (DOE), these regulations implement part of the Atomic Energy Act and regulate the transfer of nuclear technology and assistance to foreign atomic energy programs. They ensure that sensitive nuclear information is shared only in ways that support peaceful uses of atomic energy and comply with nonproliferation commitments.

Activities such as sharing nuclear fuel cycle technology, reactor design information, or enrichment processes with foreign entities generally require DOE authorization under these rules.

You can find more information about these regulations in 10 CFR Part 810.

4. Office of Foreign Assets Control Regulations

Administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), these regulations enforce economic and trade sanctions based on U.S. foreign policy and national security objectives.

While not export controls in the traditional sense, OFAC regulations can directly affect the export, re-export, or transfer of goods, software, technology, and services, including export controlled information. Even if an item or technology is licensed under the ITAR or EAR, separate OFAC restrictions may prohibit transactions with sanctioned parties or destinations. Organizations that handle ECI must therefore screen all parties—customers, suppliers, and subcontractors—against OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List and other sanctions lists before sharing this information.

You can find more information about these regulations in 31 CFR parts 500 through 598.


Cybersecurity regulations for export controlled information

While export control laws and regulations restrict how ECI can be shared across borders or with foreign nationals, defense cybersecurity regulations dictate how this information must be safeguarded within an organization’s systems and networks. 

While the goal of the former is to prevent unauthorized exports or transfers of DoD export-controlled technical data and other personal property, the goal of these cybersecurity regulations is to prevent the unauthorized disclosure of this data. 

Let’s go over the two key defense regulations below: the DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC).

If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.

DFARS 252.204-7012: Safeguarding Covered Defense Information

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires DoD contractors to:

  • Safeguard covered defense information (CDI), which includes Export Controlled Information as well as other categories of information listed in the CUI registry, according to NIST SP 800-171 Rev 2 requirements.
  • Report cyber incidents affecting CDI or the contractor’s ability to provide operationally critical support to the DoD within 72 hours.
  • Flow down these requirements to subcontractors that handle CDI.

First introduced in 2016 and in effect by December 2017, DFARS clause 252.204-7012 remains the foundational cybersecurity clause for controlled technical information and lays the groundwork for CMMC.


The Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) strengthens DFARS 7012 by adding assessment requirements and metrics (i.e. the SPRS score) to verify that contractors are actually implementing NIST SP 800-171 requirements. This is designed to address the widespread noncompliance with DFARS 7012 across the DIB.

While CMMC has three levels, CMMC Level 2 is the minimum certification level required for handling CUI, including Export Controlled information, and aligns directly with the 110 requirements in NIST SP 800-171 Revision 2.

Contractors must document their control implementation in a System Security Plan (SSP) and any gaps through a Plan of Action and Milestones (POA&M) that must be remediated within 180 days. After completing a self- or third-party assessment depending on your Level 2 assessment requirements, they must submit their assessment results and scores in the Supplier Performance Risk System (SPRS) to get a current CMMC status and maintain DoD contract eligibility.

You can view the security requirements and SPRS point values for CMMC Level 2 using this free, interactive CMMC Requirement Explorer.

Image source: CMMC.com Requirement Explorer


Export controlled information compliance requirements: How to meet key safeguarding requirements from NIST 800-171

Protecting export controlled information requires a combination of technical, administrative, and physical controls. While we won’t list all 110 requirements from NIST SP 800-171 Revision 2, we’ll focus on key areas for protecting ECI in your systems and environments below. You can find a comprehensive list in our CMMC Level 2 checklist.

1. Implement robust access controls

Access to ECI must be limited to authorized personnel only, typically U.S. persons or individuals covered under an approved export license. To prevent unauthorized disclosure, implement role-based access control (RBAC) and enforce multi-factor authentication (MFA) for all privileged and remote accounts.

2. Protect data in transit and at rest

To ensure ECI is protected when in your information systems or transmitted over the internet, encrypt ECI using FIPS-validated cryptographic modules. Ensure any data transfers to cloud environments or subcontractors occur only over secure, approved channels that meet CUI and export-control requirements.

3. Establish secure system boundaries

Another critical safeguard for ECI is isolating systems that process or store ECI from other parts of your IT environment through logical and physical segmentation. Many contractors choose to host ECI on dedicated systems within U.S.-based cloud environments such as AWS GovCloud, Azure Government, or Microsoft GCC High.

4. Monitor, detect, and respond to incidents

Implement continuous monitoring, logging, and alerting to detect unauthorized access to ECI or attempts to exfiltrate it, using a combination of manual and automated processes. Ensure your incident response plan meets DFARS reporting requirements—specifically around reporting cyber incidents affecting ECI or covered defense information to the DoD within 72 hours.
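The access-control rule from area 1 (authorized role, U.S. person or license coverage, MFA for privileged and remote sessions) and the monitoring rule from area 4 (log every decision, alert on patterns that suggest unauthorized access or exfiltration) can be expressed as one small policy engine. The code below is an added illustration written for this article, not Secureframe tooling or anything from NIST SP 800-171; the Person and EciAsset attributes, the license identifier LIC-EXAMPLE-1, the user names and the alert thresholds are all constructed sample values, and a real deployment would take them from its identity provider and export-license records.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    us_person: bool              # U.S. person status (assumed attribute from HR/IdP)
    roles: frozenset             # RBAC roles, e.g. {"engineer", "privileged"}
    mfa_verified: bool           # MFA completed for this session
    remote: bool                 # session originates outside the facility network
    licenses: frozenset = frozenset()   # export licenses the person is named on


@dataclass(frozen=True)
class EciAsset:
    asset_id: str
    required_role: str           # RBAC role that may read this asset
    license_id: Optional[str] = None    # license that would cover a foreign national


def authorize_eci_access(person: Person, asset: EciAsset, audit: list):
    """Evaluate one request, append an audit record, return (decision, reasons)."""
    reasons = []
    if asset.required_role not in person.roles:
        reasons.append("role_missing")
    # Deemed-export rule: a foreign national inside the U.S. may only see the
    # asset when named on the export license that covers that asset.
    if not person.us_person:
        if asset.license_id is None or asset.license_id not in person.licenses:
            reasons.append("deemed_export_no_license")
    # MFA is mandatory for privileged and for remote sessions.
    if (person.remote or "privileged" in person.roles) and not person.mfa_verified:
        reasons.append("mfa_required")
    decision = "ALLOW" if not reasons else "DENY"
    # Every decision, allowed or denied, is recorded for later review.
    audit.append({"user": person.user, "asset": asset.asset_id,
                  "decision": decision, "reasons": tuple(reasons)})
    return decision, reasons


def flag_suspicious_users(audit: list, deny_threshold: int = 3, read_threshold: int = 20):
    """Flag users with repeated denials (probing) or bulk reads (possible staging)."""
    denies = Counter(r["user"] for r in audit if r["decision"] == "DENY")
    reads = defaultdict(set)
    for r in audit:
        if r["decision"] == "ALLOW":
            reads[r["user"]].add(r["asset"])
    flagged = {}
    for user, n in denies.items():
        if n >= deny_threshold:
            flagged[user] = f"{n} denied ECI requests"
    for user, assets in reads.items():
        if len(assets) >= read_threshold:
            flagged[user] = f"{len(assets)} distinct ECI assets read"
    return flagged


def run_demo():
    """Constructed scenario: four users requesting the same ITAR drawing."""
    audit = []
    drawing = EciAsset("USML-drawing-001", "engineer", license_id="LIC-EXAMPLE-1")
    alice = Person("alice", True, frozenset({"engineer"}), True, False)
    bao = Person("bao", False, frozenset({"engineer"}), True, False,
                 frozenset({"LIC-EXAMPLE-1"}))          # foreign national, on the license
    carl = Person("carl", False, frozenset({"engineer"}), True, False)   # no license
    dana = Person("dana", True, frozenset({"engineer", "privileged"}), False, True)  # no MFA
    results = {p.user: authorize_eci_access(p, drawing, audit)[0]
               for p in (alice, bao, carl, dana)}
    # carl keeps requesting other controlled drawings; each one is denied.
    for i in range(2, 5):
        authorize_eci_access(carl, EciAsset(f"USML-drawing-00{i}", "engineer",
                                            "LIC-EXAMPLE-1"), audit)
    return results, flag_suspicious_users(audit)


if __name__ == "__main__":
    decisions, alerts = run_demo()
    print(decisions)
    print(alerts)
```

The two thresholds are the tuning knobs a SOC would set from its own baseline; the point of the demo is that the same audit records that satisfy the logging requirement are also the input to the detection that area 4 calls for, so a denied deemed-export attempt shows up as an alert rather than only as a line in a log.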

5. Train your personnel

Ensure all employees with access to ECI receive export-control and cybersecurity awareness training that meets CMMC requirements. Training should cover topics like identifying CUI markings, handling procedures, and recognizing potential deemed-export violations.

6. Manage subcontractors and data sharing

To ensure ECI is protected at every tier of the defense supply chain, you must flow down DFARS 252.204-7012 and CMMC requirements to subcontractors who may handle this information. Verify their compliance status before sharing any controlled data, and include contractual language requiring minimum or the same safeguarding measures as your own organization.

CMMC Level 2 Compliance Checklist

Download this checklist for the complete list of NIST 800-171 requirements that must be implemented to safeguard export controlled information and other types of CUI. This checklist can help organize your compliance efforts, identify gaps, and implement controls in preparation for a CMMC Level 2 certification assessment.

How Secureframe can help your organization safeguard export controlled information and stay eligible for defense contracts

Handling export controlled information means your organization is responsible for protecting some of the nation’s most sensitive unclassified data. That puts you squarely in scope for CMMC Level 2, which verifies that you’ve implemented and can prove compliance with all 110 controls in NIST SP 800-171 and 320 assessment objectives.

As the DoD begins enforcing CMMC in November, organizations that store, process, or transmit ECI must demonstrate compliance before award or risk losing contract eligibility. A manual approach isn’t fast enough to meet these requirements in time or scalable to keep pace with evolving export and cybersecurity regulations.

A compliance automation tool with purpose-built federal tooling like Secureframe simplifies every step of your CMMC Level 2 journey, from gap analysis to continuous monitoring, so you can keep and win new contracts. You’ll get:

  • Live SPRS score tracking: Instantly see how your NIST 800-171 Rev 2 control implementation translates to a live SPRS score. Identify any gaps in ECI-related controls before they delay your certification.
  • Control-by-control implementation tracking: Manage all 110 Level 2 controls and 320 assessment objectives with linked evidence, attachments, and remediation actions—so nothing slips through the cracks.
  • SSP and POA&M automation: Automatically generate and update parts of your System Security Plan and Plan of Action & Milestones using real-time control data, vendor configurations, and policy information from within your Secureframe instance.
  • Automated evidence collection from federal environments: Connect to AWS GovCloud, Azure Government, and Microsoft GCC High to continuously collect and validate evidence of controls for proper ECI safeguarding.
  • Expert guidance: Work directly with Secureframe’s federal compliance specialists—professionals with first-hand experience completing a CMMC Level 2 certification assessment with a C3PAO.

Schedule a demo today to see how Secureframe can help you secure ECI and achieve CMMC certification faster.


FAQs

Is export controlled information CUI?

Export Controlled is a category of CUI in the DoD’s CUI registry. That means if you want to stay eligible for existing DoD contracts involving ECI or pursue DoD work in the future, you must treat ECI as CUI and provide adequate security for it by meeting all NIST SP 800-171 Revision 2 requirements and CMMC Level 2 requirements.

What is a “deemed export”?

A deemed export is the exchange, sale, or transfer of controlled technology, source code, or information to a foreign national in the U.S. So while this transfer is not happening across borders, it’s still treated as an export to that person’s home country and typically falls under the scope of export regulations like ITAR or EAR.

What’s the difference between ITAR and EAR?

While ITAR (implemented by 22 CFR 120–130) regulates the export of defense articles, services, and related technical data on the U.S. Munitions List, EAR (implemented by 15 CFR 730–774) regulates the export of a broader category of goods, software, and technologies on the Commerce Control List referred to as “dual-use items.” 

Do I still cite the Export Administration Act of 1979?

Most of the Export Administration Act of 1979 (50 U.S.C. 4601 et seq.) has been replaced by the 2018 Export Control Reform Act, which is the current statutory authority for the EAR. While it is still cited because specific penalty provisions were continued under other authorities, use ECRA (50 U.S.C. 4801–4852) when you need to cite the modern basis for EAR.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.