
ITAR vs. CUI: Protecting Controlled Unclassified Information


Jared Clark

April 11, 2026

Last updated: 2026-04-11

If you work in the defense industrial base, you've almost certainly encountered both the term "ITAR" and the label "CUI" — often on the same contract, sometimes on the same document. Yet despite how frequently they appear together, ITAR and CUI are governed by entirely separate legal frameworks, enforced by different federal agencies, and carry different compliance obligations. Conflating them is one of the most common — and costly — mistakes I see defense contractors make.

This pillar article cuts through the confusion. Whether you're a prime contractor, a Tier 2 supplier, or a small manufacturer trying to understand what your government customer actually wants from you, this guide gives you a complete, practical picture of how ITAR and CUI interact, where they diverge, and exactly what your organization needs to do to stay compliant with both.


What Is ITAR? A Foundational Overview

The International Traffic in Arms Regulations (ITAR), codified at 22 C.F.R. Parts 120–130, govern the export and temporary import of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). ITAR is administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State.

ITAR is not merely a paperwork exercise. Violations carry civil penalties of up to $1,308,326 per violation (as adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act) and criminal penalties of up to $1 million per violation and 20 years imprisonment. Since 2020, DDTC has imposed more than $300 million in penalties on companies of all sizes for ITAR noncompliance — including household defense names like Raytheon, General Atomics, and Axon.

Key ITAR concepts every compliance professional must understand:

  • Technical Data: Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles (22 C.F.R. § 120.33).
  • Defense Services: Providing assistance, including training, to a foreign person in the development or production of a defense article.
  • Deemed Export: Releasing ITAR-controlled technical data to a foreign national on U.S. soil — treated as an export to that individual's country of citizenship (22 C.F.R. § 120.50).
  • Registration Requirement: Any manufacturer or exporter of ITAR-controlled items must register with DDTC under 22 C.F.R. Part 122, regardless of whether they have an active export license.

What Is CUI? Understanding the Federal Framework

Controlled Unclassified Information (CUI) is a category of government-created or government-owned information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy — but is not classified under Executive Order 13526 or the Atomic Energy Act.

The CUI program is established by Executive Order 13556 (2010) and implemented through 32 C.F.R. Part 2002, administered by the National Archives and Records Administration (NARA) through the CUI Executive Agent (EA). The authoritative reference for all CUI categories and subcategories is the CUI Registry, maintained at archives.gov.

The CUI framework standardizes what was previously a patchwork of agency-specific labels — "FOUO" (For Official Use Only), "SENSITIVE BUT UNCLASSIFIED," "LAW ENFORCEMENT SENSITIVE" — under a single, government-wide marking and handling system.

For defense contractors specifically, CUI obligations flow through contracts via DFARS clause 252.204-7012, which requires contractors to implement the security controls in NIST SP 800-171 to protect CUI in Nonfederal Systems and Organizations. Compliance with NIST SP 800-171 is now a prerequisite for competing for DoD contracts, and starting in 2025, contractors must achieve a CMMC (Cybersecurity Maturity Model Certification) level commensurate with the sensitivity of the CUI they handle.

According to NARA's CUI Registry, there are currently more than 100 approved CUI categories spanning domains from Agriculture to Transportation, including a dedicated Defense category with subcategories directly relevant to DoD contractors.


ITAR vs. CUI: A Side-by-Side Comparison

The table below captures the most operationally significant differences between ITAR and CUI — the distinctions that actually affect your day-to-day compliance program.

Dimension | ITAR | CUI
Governing Law | Arms Export Control Act (AECA), 22 U.S.C. § 2778 | Executive Order 13556; 32 C.F.R. Part 2002
Administering Agency | Dept. of State – DDTC | NARA (CUI Executive Agent)
Enforcing Agency | DDTC; DOJ; CBP; DCSA | Agency-specific; DoD via DFARS
Primary Regulation | 22 C.F.R. Parts 120–130 | 32 C.F.R. Part 2002; NIST SP 800-171
What It Protects | Defense articles, services, and USML technical data | Gov't-created/owned unclassified info requiring safeguarding
Export Control Focus | Yes — cross-border movement and foreign national access | No — focused on cybersecurity and information handling
Marking Requirement | "ITAR" or category-specific USML marking | "CUI" with category designation (e.g., CUI//CTI)
Contractor Flow-Down | Required to all subcontractors handling technical data | Required via DFARS 252.204-7012
Cybersecurity Standard | No specific mandate (good security practices expected) | NIST SP 800-171 (110 controls); CMMC for certification
Civil Penalty (max) | ~$1.3M per violation | Contract termination; False Claims Act exposure
Criminal Penalty (max) | $1M fine + 20 years imprisonment | Potentially via 18 U.S.C. § 1030 (CFAA)
Registration Required? | Yes — DDTC registration (22 C.F.R. Part 122) | No separate registration
Foreign National Rules | Strict — deemed export requires license or exemption | CUI not to be shared with unauthorized persons; no export license framework

Where ITAR and CUI Overlap — and Why It Matters

Here is the nuance that trips up even experienced compliance professionals: ITAR-controlled technical data can simultaneously be CUI, and the obligations of both frameworks apply concurrently. Understanding the overlap is essential to building a unified compliance program rather than two siloed ones.

CUI//CTI: The Critical Defense Intersection

The CUI category most directly relevant to ITAR contractors is CUI//CTI — Controlled Technical Information. Per the DoD CUI Registry, CTI is defined as technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

In practice, if your company receives a DoD contract that involves technical data related to a USML-listed system, that data is likely both ITAR technical data and CUI//CTI simultaneously. This dual-designation creates layered obligations:

  1. Under ITAR: You must control access to prevent unauthorized exports or deemed exports, mark documents appropriately, and flow down obligations to subcontractors under 22 C.F.R. § 124.
  2. Under CUI/DFARS: You must implement all 110 security requirements in NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, preserve images of affected systems for 90 days, and flow down DFARS 252.204-7012 to all subcontractors that process CUI.

Citation hook: ITAR technical data and CUI//CTI are legally distinct designations governed by separate federal frameworks, but they frequently co-exist on the same document, requiring defense contractors to satisfy the compliance obligations of both regimes simultaneously.

EAR-Controlled Information and CUI

The overlap isn't limited to ITAR. Information controlled under the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774, can also be CUI. The EAR CUI category covers export-controlled information subject to the EAR that is not otherwise categorized. Defense contractors who produce both USML and dual-use items — a very common situation — may be managing ITAR, EAR, and CUI requirements concurrently.


Common Compliance Gaps I See in the Field

After working with more than 200 defense contractors over 8+ years, certain compliance failures appear repeatedly at the ITAR/CUI intersection. Here are the most consequential:

Gap 1: No Unified Information Classification Scheme

Most contractors I audit have separate processes for marking ITAR technical data and for handling CUI. Documents fall through the cracks — an engineer emails a USML-adjacent drawing to a foreign national colleague without realizing it is both ITAR-controlled and CUI. A unified information classification scheme, driven by a cross-functional team (Legal, IT, Export Compliance, and Program Management), is the structural fix.

Gap 2: Foreign National Access Controls Not Aligned to CUI Requirements

ITAR is explicit about foreign national access — you need a license or an applicable exemption (e.g., the U.S. Person exemption at 22 C.F.R. § 120.62). CUI, by contrast, focuses on "authorized users" per your access control policies. Contractors often satisfy one but not the other. NIST SP 800-171 control 3.1.1 (Limit system access to authorized users) and 3.1.3 (Control the flow of CUI) must be read alongside ITAR's deemed export rules to build a coherent access control policy.

Gap 3: Subcontractor Flow-Down Failures

Under 22 C.F.R. § 124.1 and related ITAR provisions, technical assistance agreements and manufacturing license agreements must include appropriate flow-down clauses. Under DFARS 252.204-7012(m), contractors must also flow down to subcontractors that process, store, or transmit CUI. In my experience, many primes flow down ITAR correctly but forget to include — or verify compliance with — DFARS 252.204-7012 at the Tier 2 and Tier 3 levels.

Gap 4: Cyber Incident Reporting Under CUI vs. ITAR Breach Notifications

A cybersecurity incident involving CUI on a DoD contract triggers a mandatory 72-hour report to DoD via DIBNet under DFARS 252.204-7012(c). An ITAR breach — unauthorized disclosure of ITAR-controlled technical data — requires voluntary or mandatory self-disclosure to DDTC. These are entirely separate reporting obligations, with different timelines, recipients, and content requirements. Companies that suffer a breach often report only under one framework without realizing the other applies.

Citation hook: A cybersecurity incident affecting defense contractor systems may simultaneously trigger a 72-hour CUI cyber incident report to DoD under DFARS 252.204-7012 and a separate voluntary disclosure to DDTC under 22 C.F.R. § 127.12 — two independent legal obligations with different deadlines, recipients, and evidentiary requirements.


How to Build a Unified ITAR + CUI Compliance Program

The most efficient approach is to build a single, integrated compliance framework that satisfies both ITAR and CUI requirements. Here is the architecture I recommend to clients:

Step 1: Conduct a Dual-Framework Information Audit

Map every category of information your organization creates, receives, or transmits. For each, determine:

  • Is it ITAR-controlled technical data? (Check USML categories, 22 C.F.R. Part 121)
  • Is it CUI? (Check the NARA CUI Registry)
  • Does it fall under another export control regime (EAR)?

Document the results in a Technology Control Plan (TCP) — the same document that ITAR requires for facilities visited by foreign nationals — and expand it to include CUI categories, system boundaries, and applicable NIST SP 800-171 controls.

Step 2: Align Physical and Logical Access Controls

Implement a unified access control framework that satisfies both ITAR's foreign national access requirements and NIST SP 800-171's access control family (controls 3.1.1 through 3.1.22). This includes:

  • Role-based access control (RBAC) with nationality-aware permissions for ITAR data
  • Documented authorization for all CUI access (satisfying 800-171 control 3.1.2)
  • Visitor control procedures that address both ITAR foreign national rules and CUI physical access controls
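The access decision described in Gap 2 and in this step can be expressed as a single policy check that evaluates the ITAR track (U.S. person status or a covering license/exemption) and the CUI track (documented authorized user for the project) together, so a request is approved only when both pass and a denial states which framework failed. This is an added example, not code from the article or from Certify Consulting; the record layouts, the sample people and the drawing, and the authorization identifiers (e.g. "TAA-0001") are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    user_id: str
    us_person: bool                   # ITAR "U.S. person" status (hypothetical HR attribute)
    nationality: str                  # used only to explain a deemed-export denial
    export_authorizations: frozenset  # license/agreement ids that cover this person (constructed)
    cui_projects: frozenset           # projects with a documented CUI authorization (800-171 3.1.2)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    project: str
    itar_controlled: bool             # tagged as USML technical data
    cui_category: Optional[str]       # e.g. "CTI"; None when the asset is not CUI
    itar_authorization: Optional[str] # license/exemption id that would permit foreign release


def evaluate_access(person: Person, asset: Asset) -> tuple[bool, list[str]]:
    """Unified decision: returns (allowed, denial_reasons). Both tracks must pass."""
    reasons: list[str] = []

    # ITAR track: releasing controlled technical data to a non-U.S. person is a
    # deemed export unless a license or exemption covering that person applies.
    if asset.itar_controlled and not person.us_person:
        auth = asset.itar_authorization
        if auth is None or auth not in person.export_authorizations:
            reasons.append(
                f"ITAR: release of {asset.asset_id} to {person.nationality} national "
                f"{person.user_id} would be a deemed export (no license/exemption)")

    # CUI track: only documented authorized users, scoped to the project,
    # consistent with NIST SP 800-171 3.1.1 (limit access) and 3.1.3 (control flow).
    if asset.cui_category is not None and asset.project not in person.cui_projects:
        reasons.append(
            f"CUI//{asset.cui_category}: {person.user_id} is not a documented "
            f"authorized user for project {asset.project}")

    return (not reasons, reasons)


# Constructed sample data: one dual-designated drawing and four requesters.
DRAWING = Asset("DWG-1042", "PROJ-A", itar_controlled=True,
                cui_category="CTI", itar_authorization="TAA-0001")
ENGINEER_US = Person("alice", True, "US", frozenset(), frozenset({"PROJ-A"}))
ENGINEER_FN = Person("bob", False, "CA", frozenset(), frozenset({"PROJ-A"}))
ENGINEER_FN_TAA = Person("carol", False, "GB", frozenset({"TAA-0001"}), frozenset({"PROJ-A"}))
CONTRACTOR_US = Person("dave", True, "US", frozenset(), frozenset({"PROJ-B"}))

if __name__ == "__main__":
    for p in (ENGINEER_US, ENGINEER_FN, ENGINEER_FN_TAA, CONTRACTOR_US):
        allowed, why = evaluate_access(p, DRAWING)
        print(p.user_id, "ALLOW" if allowed else "DENY", why)
```

The "bob" and "dave" cases are the two one-sided failures the text warns about: each requester satisfies one framework but not the other, and a policy that checked only ITAR or only CUI would wrongly approve one of them.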

Step 3: Implement and Document IT Security Controls to NIST SP 800-171

CUI requires all 110 controls across 14 families in NIST SP 800-171. A System Security Plan (SSP) is mandatory. Where controls cannot be fully implemented, a Plan of Action and Milestones (POA&M) must document the gap, the risk, and the remediation timeline. As of 2025, DoD contractors handling CUI must complete a CMMC Level 2 assessment (conducted by a C3PAO — Certified Third-Party Assessor Organization) to be eligible for contracts with CUI requirements.

Strong IT security practices also benefit ITAR compliance — they reduce the risk of unauthorized access by foreign nationals through digital channels, a deemed export risk that DDTC takes seriously.

Step 4: Train Personnel on Both Frameworks

ITAR training alone is insufficient if your employees handle CUI, and cybersecurity awareness training alone misses the export control dimension. I recommend annual training that covers:

  • The ITAR deemed export rule and how to identify USML-controlled information
  • CUI marking, handling, and destruction requirements
  • How to recognize a cyber incident involving CUI
  • Who to call for both an ITAR concern and a CUI/cybersecurity incident
  • Subcontractor and vendor obligations

Step 5: Establish Dual-Track Incident Response

Build incident response procedures that simultaneously address:

  1. ITAR breach: Assess whether ITAR-controlled technical data was disclosed to an unauthorized foreign national or foreign government. Preserve evidence. Consult export counsel. File a voluntary disclosure with DDTC within a reasonable timeframe (typically 60 days of discovery per DDTC practice guidance).
  2. CUI cyber incident: Report to DoD via DIBNet within 72 hours. Preserve images of affected systems and malicious software for 90 days. Conduct a damage assessment under DFARS 252.204-7012(c)(3).

Step 6: Flow Down to Subcontractors

Every subcontractor that touches ITAR technical data or CUI must receive appropriate flow-down clauses. Establish a Supplier Compliance Program that includes:

  • Pre-award questionnaires assessing ITAR registration status and CUI/CMMC posture
  • Contract clauses flowing down ITAR obligations and DFARS 252.204-7012
  • Periodic supplier audits or attestation requirements


CMMC 2.0 and Its Impact on CUI Compliance in 2025–2026

The Cybersecurity Maturity Model Certification (CMMC) 2.0 final rule became effective December 16, 2024. Starting in 2025, DoD is incorporating CMMC requirements into contracts on a phased basis. Here's what defense contractors need to know:

CMMC Level | Applicable To | Requirement
Level 1 (Foundational) | Contractors handling only FCI (Federal Contract Information) | Annual self-assessment; 15 basic practices
Level 2 (Advanced) | Contractors handling CUI | Third-party assessment (C3PAO) or self-assessment depending on program sensitivity; 110 practices (NIST SP 800-171)
Level 3 (Expert) | Contractors on highest-priority DoD programs | Government-led assessment; NIST SP 800-172 controls

For most defense contractors in the ITAR space, CMMC Level 2 is the relevant threshold. If your organization handles CUI — and if you hold ITAR-controlled contracts, you almost certainly do — you need a third-party CMMC assessment before you can bid on affected DoD contracts.

Citation hook: As of December 2024, CMMC 2.0 is a binding regulatory requirement embedded in the DFARS, meaning any defense contractor that processes, stores, or transmits CUI must achieve and maintain the applicable CMMC level as a condition of contract award — not simply as a best practice.


Penalties and Enforcement: What's Actually at Stake

Many contractors underestimate the enforcement risk on the CUI side because there is no standalone criminal statute with "CUI" in its title. But the enforcement mechanisms are real:

  • False Claims Act (FCA) exposure: If your organization submits a bid or contract performance report certifying NIST SP 800-171 compliance when you have unmitigated gaps, you face FCA liability — treble damages plus civil penalties. The DOJ has pursued this theory aggressively since the 2021 Civil Cyber-Fraud Initiative.
  • Contract termination: DFARS 252.204-7012 noncompliance can justify a default termination.
  • Loss of facility clearance: Systemic CUI mishandling can trigger a Defense Counterintelligence and Security Agency (DCSA) review that puts your facility clearance at risk.
  • ITAR enforcement: If a CUI/cybersecurity incident results in foreign national access to ITAR-controlled technical data, DDTC can pursue a separate ITAR enforcement action.

The convergence of FCA enforcement and ITAR penalties means that a single cybersecurity incident in a defense contractor environment can produce simultaneous multi-agency enforcement actions.


Why You Need Expert Help at the ITAR/CUI Intersection

The ITAR and CUI frameworks were developed by different agencies, under different statutes, for different purposes — yet they converge daily in the operations of every defense contractor. Managing them in isolation — separate ITAR compliance teams and separate IT security teams — creates exactly the gaps that regulators and adversaries exploit.

At Certify Consulting, I help defense contractors build integrated compliance programs that address both frameworks simultaneously. With a 100% first-time audit pass rate across more than 200 clients, our approach is built on practical implementation, not theoretical checklists.

Whether you need help identifying which of your information assets are ITAR-controlled, CUI, or both; building your System Security Plan; preparing for a CMMC Level 2 assessment; or responding to a cyber incident with dual reporting obligations — we can help.

👉 Contact Certify Consulting to schedule a confidential compliance assessment. You can also explore our ITAR Compliance Services to see the full scope of how we support defense contractors like you.


Frequently Asked Questions: ITAR vs. CUI

Is all ITAR technical data also CUI?

Not automatically, but in practice the overlap is substantial. ITAR technical data related to DoD contracts is frequently designated as CUI under the CTI (Controlled Technical Information) subcategory. However, ITAR-controlled information held entirely in the private commercial sector — with no government contract nexus — may not carry a CUI designation. The determination depends on the nature of the information, its origin, and whether it was created under or pursuant to a government contract.

Do I need to register with NARA for the CUI program?

No. Unlike ITAR, which requires affirmative registration with DDTC, the CUI program does not require a separate registration. CUI obligations flow through your contracts (via DFARS 252.204-7012) and the legal authorities listed in the CUI Registry. Your compliance obligation is to implement the required security controls and mark and handle CUI as required by 32 C.F.R. Part 2002.

What happens if a foreign national accesses CUI?

Foreign national access to CUI implicates multiple frameworks simultaneously. If the CUI is also ITAR technical data, unauthorized access by a foreign national is a deemed export — a potential ITAR violation requiring DDTC disclosure. Under the CUI framework, unauthorized disclosure must be reported per your contract and agency-specific requirements. Under DFARS 252.204-7012, if the access resulted from a cyber incident, a 72-hour report to DoD is mandatory. All three obligations can apply at once.

What is the difference between ITAR markings and CUI markings?

ITAR markings (e.g., "ITAR — Restricted" or USML category references) alert recipients that the information is subject to export control and cannot be shared with foreign nationals without a license or exemption. CUI markings (e.g., "CUI" or "CUI//CTI") indicate the information requires safeguarding per 32 C.F.R. Part 2002 and the CUI Registry. A document can carry both markings if it contains ITAR-controlled technical data that is also CUI. The markings serve different purposes and are not interchangeable.

How does CMMC relate to ITAR compliance?

CMMC directly governs CUI protection and has no formal ITAR component. However, achieving CMMC Level 2 — which requires full implementation of NIST SP 800-171's 110 controls — significantly strengthens the cybersecurity posture that ITAR compliance also depends on. Strong access controls, audit logging, incident response, and media protection all reduce the risk of deemed exports through digital channels. Many ITAR-heavy contractors find that pursuing CMMC Level 2 simultaneously improves their ITAR compliance posture.


Last updated: 2026-04-11 | Written by Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC — Principal Consultant, Certify Consulting


Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.