Export control laws can feel like alphabet soup to organizations new to compliance. If your company manufactures, handles, or even stores data related to defense articles, you’ve likely heard of the International Traffic in Arms Regulations (ITAR). But here’s where it gets more complex: ITAR data is also considered Controlled Unclassified Information (CUI), which brings the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) into play.

That means ITAR compliance isn’t just about registration and export licensing. It also involves implementing strong cybersecurity protections like access controls, encryption, security training, and continuous monitoring, since the government expects organizations to safeguard ITAR-controlled information as CUI.

This guide walks through what ITAR is, what counts as export controlled information, how ITAR relates to CMMC, and the cybersecurity requirements you need to meet to stay eligible for contracts.

International Traffic in Arms Regulations: What is it and who does it apply to?

The International Traffic in Arms Regulations (ITAR) is a federal law administered by the U.S. Department of State through the Directorate of Defense Trade Controls (DDTC). Its purpose is to protect U.S. national security and foreign policy interests by controlling the export and temporary import of defense-related articles, services, and technical data.

ITAR centers on the United States Munitions List (USML), which catalogs items that are specifically designed, developed, configured, or modified for military applications. This includes:

• Physical defense articles such as weapons, ammunition, military aircraft, tanks, naval vessels, spacecraft, and protective equipment
• Technical data such as blueprints, engineering designs, source code, and manufacturing processes related to those items
• Defense services such as training, maintenance, or assistance provided to foreign nationals that involves U.S. defense technology

ITAR can apply even when nothing is shipped overseas. If you manufacture or store defense-related items or technical data inside the United States, you are still in scope. Even a small machine shop making seat belt assemblies or screws that are used in defense aircraft is subject to ITAR, even if the parts never leave the country.

Understanding export controlled information: Examples of ITAR data and CUI

Export controlled information (ECI) is the term the Department of War uses to categorize ITAR- and EAR-regulated data as a type of CUI. In other words, all ITAR data is CUI, and any organization that touches it is required to follow federal rules for safeguarding it.

Unlike classified information, which is handled under separate systems, export controlled information is unclassified but still considered sensitive information. Once it is released to an unauthorized party, the exposure is irreversible — which is why it carries strict data protections.

Examples of ITAR-controlled data include:

• CAD files and blueprints for military components
• Source code for software used in weapons or defense systems
• Technical manuals and training materials related to defense articles
• Maintenance records or performance specifications for military aircraft or vehicles

In very few cases, ITAR does not apply. Common exemptions include:

• Public domain information already published and widely available
• Fundamental research that is intended to be shared openly
• Certain exports to Canada under specific agreements
• Information shared with U.S. government agencies

Most organizations that touch defense work will not qualify for an exemption. That is why penalties are serious and why cybersecurity safeguards are expected, not optional.

Non-compliance penalties for ITAR violations

The penalties for ITAR violations are severe. Civil penalties can exceed $1 million per violation, and criminal penalties can include imprisonment. Companies may also face debarment, meaning they are prohibited from future defense contracts.

For example, a former Raytheon engineer was sentenced to more than three years in prison for sharing ITAR-controlled technical data with a foreign national. In another case, companies were fined millions of dollars for improperly storing ITAR data on cloud servers located overseas.

Whether you are a large defense contractor or a small supplier, the government expects you to take ITAR obligations seriously and be able to prove compliance through the CMMC framework.

Cybersecurity requirements under ITAR

NIST SP 800-171 was created specifically to safeguard CUI, which includes ITAR-controlled data. The standard organizes security requirements into 14 domains, each addressing a different aspect of how sensitive information must be protected. Together, these domains cover 110 individual controls that make up the foundation of CMMC Level 2.

Below, we’ll walk through each of the major domains and explain what they mean in practice for organizations handling ITAR data.  For a complete list of compliance requirements, you can download our CMMC Level 2 compliance checklist.

1. Access control

ITAR requires that only U.S. persons have access to ITAR-controlled systems and data, unless a license explicitly allows otherwise. This means you need strong barriers around your ITAR environment: separating it from your general IT systems, granting access strictly on a need-to-know basis, and enforcing unique identification for every user. Without these safeguards, even a quick look at a file by an unauthorized individual could count as an export violation.

Examples include:

• Limiting access to ITAR systems to verified U.S. persons
• Requiring multi-factor authentication for all users
• Segmenting ITAR data into dedicated enclaves or cloud tenants
• Using unique user IDs for all logins and disabling shared accounts

2. Identification and authentication

Closely tied to access control is the requirement to confirm the identity of every user and device. If you cannot prove exactly who accessed ITAR data, you cannot demonstrate compliance.

This means:

• Assigning unique user accounts to every employee and contractor
• Enforcing strong passphrase policies and lockouts for failed login attempts
• Requiring multi-factor authentication for remote and privileged accounts
• Using certificate- or key-based authentication for systems and services

3. System and communications protection

ITAR-controlled information must be protected both during transit and at rest. Encryption, secure network configurations, and restricted data sharing are essential to prevent exposure through everyday collaboration or remote work.

For example:

• Encrypting ITAR data at rest and in transit with FIPS 140-2 validated cryptography
• Using secure VPN or private network connections for remote access
• Blocking personal email and consumer file-sharing tools for ITAR data
• Configuring firewalls and intrusion prevention systems at network boundaries

4. System and information integrity

Even with strong barriers in place, vulnerabilities and cyber threats must be monitored continuously. ITAR requires you to patch quickly, detect intrusions, and respond to suspicious activity before sensitive data is compromised.

Examples include:

• Deploying endpoint detection and response (EDR) across all systems handling ITAR data
• Running regular vulnerability scans and applying patches within defined timelines
• Collecting and analyzing logs with a SIEM to detect anomalies
• Enforcing antivirus and malware protection at all endpoints

5. Cloud configuration and data residency

If you store ITAR data in the cloud, it must remain within the United States and be hosted in environments built for federal workloads. Using the wrong cloud service or region is a common compliance pitfall that can lead to severe penalties.

This requires:

• Hosting ITAR data only in U.S. regions of AWS GovCloud, Microsoft GCC High, or Azure Government
• Restricting administrative access to vetted U.S. persons
• Blocking cross-tenant sharing and foreign data replication
• Keeping configuration baselines documented and monitored for drift

6. Configuration management

Secure systems require consistent, controlled settings across all endpoints and servers. ITAR compliance expects you to define baselines, enforce them, and control any changes through documented approval processes.

Examples include:

• Applying hardened baselines to all devices with MDM tools
• Using infrastructure-as-code to deploy and manage cloud resources
• Documenting and approving system changes before implementation
• Monitoring systems for configuration drift and remediating promptly

7. Media protection

Controlled information does not lose its sensitivity when printed or saved to a USB drive. ITAR requires you to protect data on physical media as carefully as in digital systems.

This means you must:

• Encrypt USB drives or prohibit their use entirely
• Label and track all media containing ITAR data
• Sanitize or destroy media before disposal

8. CUI marking and labeling

Marking ITAR-controlled data as CUI//Export Control is mandatory. Clear labeling ensures employees recognize sensitive data and handle it correctly.

This includes:

• Adding CUI markings to headers and footers of digital documents
• Labeling folders, systems, and shared drives that store ITAR data
• Using email subject lines or banners to flag ITAR-related communications

9. Audit and accountability

Logs are your proof that ITAR requirements are being met. You need detailed audit trails of who accessed ITAR systems, when, and what they did.

For example:

• Enabling logging across servers, applications, and endpoints
• Storing logs in a tamper-resistant system for at least five years
• Reviewing logs regularly to identify unusual behavior

10. Personnel security

Because ITAR restricts access to U.S. persons, personnel vetting is an important part of compliance. You need documented proof that only authorized individuals can work with ITAR systems and data.

Requirements include:

• Verifying U.S. citizenship or permanent resident status before granting access
• Keeping personnel files and background check records on hand for auditors
• Terminating access immediately when employees leave or change roles

11. Awareness and training

Your employees are the first line of defense against ITAR violations. Training must cover what ITAR data is, how it is marked, and what counts as an export, including “deemed exports” to foreign nationals.

For example:

• Annual ITAR and cybersecurity training for all employees handling CUI
• Role-based training for engineers, admins, and buyers with elevated exposure
• Documented training records and completion rates for audit purposes

12. Incident response

When things go wrong, how quickly and effectively you’re able to respond makes all the difference. ITAR requires you to have a plan for identifying and containing incidents, documenting them, and disclosing violations if necessary.

This means you have:

• A clearly defined incident response plan, including roles and responsibilities
• The ability to detect and contain breaches quickly
• A process to document incidents and report them to DDTC if ITAR data is compromised
• A process to regularly test and improve incident response procedures

13. Maintenance and physical security

ITAR obligations extend beyond the digital environment. Servers, facilities, and workstations that handle ITAR data must be physically secured to prevent unauthorized access.

Examples include:

• Restricting physical access to ITAR data centers and server rooms
• Escorting and logging all visitors
• Supervising maintenance activities to prevent unauthorized exposure

14. Security assessment

You must be able to demonstrate that your security program is working and improving over time. This means conducting periodic self-assessments, documenting gaps, and tracking remediation progress through a formal plan of action.

This includes:

• Developing and maintaining a System Security Plan (SSP) that describes the data security controls in place to protect ITAR data
• Creating and maintaining a Plan of Action and Milestones (POA&M) to track remediation of gaps
• Performing internal self-assessments to verify ongoing compliance with NIST 800-171 controls
• Documenting evidence of completed remediation activities for assessors

Get ITAR compliant and CMMC certified with expert help

Ultimately, ITAR is not just about licensing and export paperwork. It’s about protecting some of the nation’s most sensitive unclassified data. For contractors, this means implementing concrete protections around access, encryption, cloud storage, logging, and training. It also means proving those safeguards are in place through documented evidence and third-party certification. 

Secureframe Federal helps government contractors close that gap by automating the hardest parts of ITAR and CMMC compliance:

• Real-time SPRS score tracking based on control implementation
• Automated SSP and POA&M generation tied to your actual environment
• Continuous evidence collection from federal-ready clouds like AWS GovCloud, Azure Government, and Microsoft GCC High
• Dedicated CUI enclaves to narrow the scope and complexity of compliance
• Expert guidance from specialists who have been through C3PAO certification themselves

CMMC Level 2 is now a hard requirement for winning DoW contracts. If ITAR applies to you, CMMC likely does too. The faster you get your controls in place and evidence organized, the faster you’ll be ready to protect your contracts and compete for new ones. Learn more about how Secureframe can help you get CMMC certified fast by scheduling a demo with an expert today.