
ITAR vs. DFARS: Key Differences and Overlapping Requirements


Jared Clark

April 10, 2026

ITAR and DFARS are not interchangeable frameworks. ITAR is an export control law governing who can access U.S. defense articles and services, while DFARS is a procurement regulation governing how the Department of Defense buys goods and services, yet both can simultaneously apply to the same contractor, the same contract, and even the same data.

If you're a defense contractor, you've almost certainly encountered both the International Traffic in Arms Regulations (ITAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). In my experience advising 200+ defense clients at Certify Consulting, the single most common source of compliance confusion isn't understanding each framework in isolation — it's understanding how they interact. Companies routinely over-scope one and under-scope the other, creating blind spots that regulators and auditors exploit.

This pillar guide is designed to close that gap. We'll break down what each framework actually requires, identify the critical areas of overlap, walk through common compliance pitfalls, and give you a practical roadmap for managing both simultaneously.


What Is ITAR? A Foundational Overview

The International Traffic in Arms Regulations (ITAR), codified at 22 C.F.R. Parts 120–130, implement the Arms Export Control Act (AECA). ITAR is administered by the State Department's Directorate of Defense Trade Controls (DDTC) and governs the export, re-export, retransfer, and temporary import of defense articles, defense services, and related technical data.

At its core, ITAR is about access control — specifically, preventing foreign nationals (including employees, vendors, and cloud platform users) from accessing U.S. military-critical technology without prior U.S. government authorization.

Key ITAR Concepts

  • United States Munitions List (USML): The master list of defense articles subject to ITAR, organized into 21 categories (e.g., Category I – Firearms, Category VIII – Aircraft, Category XI – Military Electronics).
  • Defense Articles: Items specifically designed, developed, configured, adapted, or modified for military application.
  • Technical Data: Information required for the design, development, production, manufacture, assembly, operation, repair, or modification of defense articles — including blueprints, drawings, photographs, plans, instructions, and documentation.
  • Defense Services: The furnishing of assistance (including training) to foreign persons — whether in the U.S. or abroad — in the design, development, engineering, manufacture, or operation of defense articles.
  • Deemed Export: When technical data is released to a foreign national in the U.S., it is "deemed" to have been exported to that person's country of nationality or citizenship. This is one of ITAR's most frequently misunderstood and violated provisions.

Who Must Register Under ITAR?

Any U.S. company that manufactures, exports, temporarily imports, or brokers defense articles or defense services is required to register with DDTC under 22 C.F.R. § 122.1. As of 2024, there are approximately 18,000+ active ITAR registrants in the DDTC registry — a number that has grown steadily as dual-use technologies migrate toward USML classification.

Registration alone is not authorization. Licenses or other approvals are required for most exports, re-exports, and retransfers unless a specific exemption applies (e.g., the § 126.4 exemption for government use, or the § 126.6 exemption for foreign military sales).


What Is DFARS? A Foundational Overview

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules that supplement the Federal Acquisition Regulation (FAR) specifically for Department of Defense (DoD) contracts. DFARS is maintained by the Office of Defense Procurement and Acquisition Policy (DPAP) and codified at Title 48 of the Code of Federal Regulations, Chapter 2.

Where ITAR focuses on who can access defense technology, DFARS focuses on how the DoD procures defense goods and services — and the obligations that attach to contractors performing under DoD contracts.

Key DFARS Clauses Every Contractor Must Know

| DFARS Clause | Topic | Core Requirement |
|---|---|---|
| DFARS 252.204-7012 | Safeguarding Covered Defense Information (CDI) | Contractors must implement NIST SP 800-171 controls and report cyber incidents within 72 hours |
| DFARS 252.204-7019 | NIST SP 800-171 DoD Assessment Requirements | Contractors must conduct and submit a self-assessment score to SPRS |
| DFARS 252.204-7020 | NIST SP 800-171 DoD Assessment Requirements | Allows DoD to conduct medium or high assessments of contractor systems |
| DFARS 252.204-7021 | CMMC Requirements | Requires contractors to obtain the appropriate CMMC level certification (rolling out through 2025–2028) |
| DFARS 252.225-7001 | Buy American Act & Balance of Payments | Domestic sourcing preferences for DoD acquisitions |
| DFARS 252.227-7013 | Rights in Technical Data – Noncommercial Items | Governs government license rights in technical data produced under DoD contracts |
| DFARS 252.227-7014 | Rights in Noncommercial Computer Software | Governs government rights in software developed under DoD contracts |
| DFARS 252.239-7010 | Cloud Computing Services | Security requirements for cloud services processing DoD data |

The CMMC Factor

The Cybersecurity Maturity Model Certification (CMMC) program — implemented through DFARS 252.204-7021 — is arguably the most significant DFARS development in the past decade. Under the CMMC 2.0 framework finalized in the 32 CFR Part 170 final rule (October 2024):

  • CMMC Level 1 (Foundational): Applies to contractors handling Federal Contract Information (FCI); requires annual self-assessment against 17 FAR 52.204-21 practices.
  • CMMC Level 2 (Advanced): Applies to contractors handling Controlled Unclassified Information (CUI); requires third-party assessment (C3PAO) against all 110 NIST SP 800-171 Rev. 2 practices for most contracts.
  • CMMC Level 3 (Expert): Applies to contractors on the most critical DoD programs; requires government-led assessment against NIST SP 800-172 practices.

According to the DoD, approximately 80,000 companies in the defense industrial base will eventually be subject to CMMC requirements. That's not a compliance suggestion — it's a market access requirement.


ITAR vs. DFARS: A Side-by-Side Comparison

Understanding the two frameworks is easiest when viewed comparatively:

| Dimension | ITAR | DFARS |
|---|---|---|
| Governing Authority | U.S. Department of State (DDTC) | U.S. Department of Defense (DPAP) |
| Legal Basis | Arms Export Control Act (AECA), 22 U.S.C. § 2778 | Federal Acquisition Regulation system, 41 U.S.C. § 1303 |
| Codification | 22 C.F.R. Parts 120–130 | 48 C.F.R. Chapter 2 |
| Primary Focus | Export/access control of defense articles & technical data | DoD procurement standards and contract requirements |
| Who It Applies To | Any person/entity that manufactures, exports, or brokers USML items | Contractors and subcontractors performing under DoD contracts |
| Registration Required? | Yes: DDTC registration mandatory for manufacturers/exporters | No standalone registration; flows through contract |
| Enforcement Agency | DDTC (State Dept.), DOJ, CBP | DoD DPAP, DCSA, DCAA |
| Key Data Concept | Technical Data (ITAR-controlled) | Covered Defense Information / CUI (DFARS-controlled) |
| Penalty for Violation | Up to $1.3M per violation (civil); criminal penalties up to $1M + 20 years | Contract termination, suspension/debarment, False Claims Act liability |
| Foreign National Restrictions | Yes: explicit deemed export / foreign person access controls | Indirect: through facility clearance and CUI access rules |
| Cybersecurity Component | Limited (access controls, IT system security for technical data) | Extensive: NIST SP 800-171, CMMC, 72-hour cyber incident reporting |

ITAR violations carry civil penalties of up to $1,308,326 per violation (as adjusted for inflation under 22 C.F.R. § 127.10), while DFARS non-compliance can trigger False Claims Act liability under 31 U.S.C. § 3729, where treble damages and per-claim penalties apply, making the combined compliance risk for defense contractors among the highest in American industry.


Where ITAR and DFARS Overlap: The Critical Intersection

This is where the real complexity lives. Here are the five most significant areas of overlap that I see tripping up defense contractors:

1. Technical Data: ITAR "Technical Data" vs. DFARS "CUI/CDI"

Both frameworks regulate access to sensitive technical information — but they use different definitions and different control mechanisms.

  • ITAR Technical Data (22 C.F.R. § 120.33) includes information required for the design, development, production, or operation of a defense article. It is controlled based on the nature of the information (i.e., is it on the USML?).
  • DFARS Covered Defense Information (CDI) encompasses Controlled Unclassified Information (CUI) provided by or generated for the DoD under a contract. This is controlled based on the contractual relationship and the sensitivity marking on the information.

The critical overlap: Many ITAR-controlled technical data items are also CUI/CDI under DFARS. If you're storing or transmitting ITAR technical data on IT systems used in DoD contract performance, you need BOTH ITAR-compliant access controls (no foreign person access, encryption standards for transmission per 22 C.F.R. § 120.54) AND NIST SP 800-171 controls under DFARS 252.204-7012.

Failing to recognize this dual obligation is how companies end up with DFARS-compliant systems that still violate ITAR — or vice versa.

2. Subcontractor Flow-Down Obligations

Both ITAR and DFARS impose obligations on subcontractors — and both require prime contractors to ensure subcontractor compliance.

  • Under ITAR § 126.8, a U.S. company that retransfers defense articles or technical data to a third party in the U.S. is responsible for ensuring the recipient is authorized and compliant.
  • Under DFARS 252.204-7012(m), prime contractors must flow down the CDI safeguarding clause to subcontractors that will process, store, or transmit CDI.
  • Under DFARS 252.204-7021, CMMC requirements must be flowed down to subcontractors handling CUI.

The practical risk: A prime contractor can be held liable for a subcontractor's ITAR violation or DFARS non-compliance if proper flow-down, vetting, and monitoring were not implemented. Subcontractor due diligence is not optional — it is a contractual and regulatory obligation under both regimes.

3. Foreign National Access Controls

ITAR's deemed export rule (discussed above) and DFARS facility clearance requirements both restrict what foreign nationals can access on defense contracts.

  • ITAR prohibits disclosure of USML-controlled technical data to foreign nationals without a license or applicable exemption.
  • DFARS and the National Industrial Security Program Operating Manual (NISPOM, 32 C.F.R. Part 117) require facility security clearances (FCL) and personnel security clearances (PCL) for access to classified information — and foreign nationals are generally excluded without a formal waiver.

The overlap: Even if ITAR technical data is unclassified, sharing it with a foreign national employee still requires ITAR authorization. Companies with multinational workforces must implement access control matrices that satisfy both ITAR deemed export rules and DFARS/NISPOM foreign national access restrictions. These are separate legal obligations that can run in parallel.

4. Cybersecurity and IT System Requirements

ITAR has historically been light on specific IT security requirements, directing registrants to protect technical data from unauthorized access. DFARS 252.204-7012 and the CMMC framework are far more prescriptive, requiring implementation of all 110 NIST SP 800-171 controls, a System Security Plan (SSP), and a Plan of Action & Milestones (POA&M).

The overlap: If ITAR technical data resides on the same IT systems as CDI/CUI (which is common in practice), the NIST SP 800-171 controls under DFARS effectively also protect ITAR data. Smart companies treat DFARS cybersecurity compliance as the floor — and add ITAR-specific access control layers (such as U.S.-person-only access restrictions) on top.

According to the DoD's CMMC program office, as of late 2024, fewer than 50% of defense contractors had submitted a complete and accurate NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS), meaning a majority of the defense industrial base may be simultaneously out of compliance with both DFARS cybersecurity requirements and, indirectly, ITAR technical data protection obligations.

5. Rights in Technical Data: DFARS 252.227-7013 and ITAR Controls

DFARS 252.227-7013 governs the government's license rights in technical data developed under DoD contracts. But when that technical data is also ITAR-controlled, any delivery, disclosure, or transfer of that data to the government (or foreign governments under FMS programs) must also comply with ITAR.

This intersection is particularly acute in Foreign Military Sales (FMS) scenarios: the DoD may have unlimited rights in technical data under 252.227-7013, but delivery of that data to a foreign government customer still requires ITAR authorization — typically a government-to-government agreement under ITAR § 126.6 or a DSP-5 license.


The Most Common ITAR/DFARS Compliance Mistakes I See

After 8+ years working with defense contractors of all sizes, here are the compliance failures I encounter most frequently:

  1. Treating ITAR registration as compliance. Registration with DDTC is the starting line, not the finish line. Companies must classify their products, implement Technology Control Plans (TCPs), manage licenses, and train employees.

  2. Assuming CMMC compliance covers ITAR. NIST SP 800-171 controls protect the sensitive data on your IT systems, but they don't address ITAR's foreign national access restrictions, license requirements, or USML classification obligations. These are legally distinct obligations.

  3. No Technology Control Plan (TCP). A TCP is the ITAR equivalent of an information security policy — it documents how the company identifies, controls, and protects technical data. Many companies subject to ITAR have no formal TCP. This is the first thing a DDTC enforcement review will ask for.

  4. Inadequate subcontractor vetting. Both ITAR and DFARS require supply chain due diligence. I consistently find that prime contractors have robust internal programs but weak subcontractor oversight — a single non-compliant tier-2 sub can expose the entire contract.

  5. Conflating CUI with ITAR. Not all CUI is ITAR-controlled, and not all ITAR technical data is marked CUI. Organizations must maintain separate inventories and classification logic for each framework, even when the same document is subject to both.


Building an Integrated ITAR + DFARS Compliance Program

The good news: with the right architecture, a single compliance program can efficiently address both ITAR and DFARS obligations without duplicating effort. Here's the framework I recommend to clients at Certify Consulting:

Step 1: Conduct a Dual-Framework Gap Assessment

Evaluate your current state against ITAR requirements (USML classification, TCP, license management, deemed export controls) AND DFARS requirements (NIST SP 800-171 assessment score, SSP, POA&M, CMMC level determination) simultaneously. Identify gaps, overlaps, and conflicts.

Step 2: Build a Unified Data Classification System

Create a single data classification taxonomy that maps to both frameworks. For example: Level 3 – ITAR Technical Data / CUI-Specified captures data that is both ITAR-controlled and CUI-marked. This prevents classification inconsistencies and simplifies training.

Step 3: Implement Layered Access Controls

Design IT access controls that satisfy the most restrictive requirement. ITAR's U.S.-person-only restrictions are typically more stringent than DFARS access controls for unclassified CUI — so design to the ITAR standard and you'll meet DFARS requirements as well.

Step 4: Develop a Technology Control Plan (TCP) That Incorporates DFARS Elements

Your TCP should document physical, IT, and procedural controls for technical data — and should cross-reference your System Security Plan (SSP) required under DFARS 252.204-7012. One integrated document is more defensible and easier to maintain than two parallel programs.

Step 5: Train Employees on Both Frameworks Concurrently

Annual dual-framework training (covering ITAR deemed export, license requirements, and USML awareness alongside CUI handling, CMMC requirements, and cyber incident reporting) is more efficient and produces better retention than siloed programs.

Step 6: Establish a Subcontractor Compliance Program

Create a standard subcontractor questionnaire that addresses both ITAR registration status and DFARS CMMC level (or self-assessment score). Incorporate compliance representations into subcontract language and conduct periodic audits of high-risk subs.


Key Regulatory References at a Glance

| Reference | Framework | What It Covers |
|---|---|---|
| 22 C.F.R. Parts 120–130 | ITAR | Full ITAR regulatory text |
| 22 C.F.R. § 120.33 | ITAR | Definition of Technical Data |
| 22 C.F.R. § 122.1 | ITAR | DDTC registration requirement |
| 22 C.F.R. § 127.10 | ITAR | Civil and criminal penalties |
| 48 C.F.R. Chapter 2 | DFARS | Full DFARS regulatory text |
| DFARS 252.204-7012 | DFARS | CDI safeguarding & cyber incident reporting |
| DFARS 252.204-7021 | DFARS | CMMC certification requirement |
| DFARS 252.227-7013 | DFARS | Rights in technical data – noncommercial items |
| NIST SP 800-171 Rev. 2 | DFARS/CMMC | 110 security requirements for CUI protection |
| 32 C.F.R. Part 170 | CMMC | CMMC 2.0 final rule (October 2024) |
| 32 C.F.R. Part 117 | NISPOM | Industrial security / facility clearance requirements |

Frequently Asked Questions

Does ITAR apply to all DoD contractors?

Not automatically. ITAR applies to any company that manufactures, exports, or brokers items on the USML — regardless of whether they hold a DoD contract. Many DoD contractors do handle ITAR-controlled items, but ITAR obligations arise from the nature of the items and activities involved, not the existence of a DoD contract. DFARS, by contrast, applies specifically to contractors and subcontractors performing under DoD contracts.

Can a company be in violation of both ITAR and DFARS for the same act?

Yes. For example, if a contractor stores ITAR technical data on an IT system that lacks the NIST SP 800-171 controls required by DFARS 252.204-7012, that single deficiency can constitute both an ITAR violation (inadequate protection of technical data) and a DFARS contractual breach. Dual-framework violations from a single act are more common than most compliance professionals expect.

What is the difference between ITAR technical data and DFARS CUI?

ITAR technical data is information controlled under the USML by virtue of its defense application — controlled by what the information relates to. DFARS CUI (Controlled Unclassified Information) is information the government designates as requiring protection per Executive Order 13556 and 32 C.F.R. Part 2002 — controlled by how the government has designated it. Many items are both, but not all ITAR technical data is CUI, and not all CUI is ITAR-controlled.

Does CMMC replace ITAR compliance?

No. CMMC is a cybersecurity certification framework focused on protecting CUI on contractor IT systems. It does not address USML classification, DDTC registration, export licensing, deemed export restrictions, or any of ITAR's substantive obligations. CMMC compliance does not provide any safe harbor under ITAR.

How do ITAR and DFARS interact in a Foreign Military Sales (FMS) transaction?

In FMS transactions, DFARS 252.227-7013 may give the U.S. government unlimited rights in technical data, but the actual transfer of that data to a foreign government customer still requires ITAR authorization — typically under the government-to-government agreement or a DSP-5 license. The government's contractual rights in data do not override ITAR export control obligations.


Working With Certify Consulting on ITAR and DFARS Compliance

Navigating ITAR and DFARS simultaneously is complex — but it's manageable with the right expertise and a structured approach. At Certify Consulting, Jared Clark has helped 200+ defense contractors build integrated compliance programs that satisfy both frameworks, maintain 100% first-time audit pass rates, and scale as contracts grow.

Whether you need a dual-framework gap assessment, help building a Technology Control Plan, CMMC Level 2 preparation, or ongoing compliance support, we're equipped to guide you from assessment through certification.

Learn more about how we approach ITAR compliance consulting or explore our DFARS and CMMC compliance services to take the next step.


Last updated: 2026-04-10


Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.