ITAR compliance applies to any entity in the United States that manufactures, sells, distributes, exports, or temporarily imports defense articles, services, or related technical data. These entities span the entire supply chain—from wholesalers, distributors, and vendors to contractors and third-party suppliers.
The items regulated under ITAR are defined in the United States Munitions List (USML)[1]. Product categories include:
Associated technical data, software, and defense services are defined for each product category. Services encompass design, development, testing, repair, and maintenance.
While ITAR regulates defense-related articles, EAR regulates the manufacture, sale, distribution, and export of dual-use items, commercial goods, technology, and data. Dual-use items that have both commercial and military applications, as well as items intended only for commercial use, are outlined in EAR’s Commerce Control List (CCL)[2]. Product categories include:
Companies must register for export licenses through the U.S. Department of State Directorate of Defense Trade Controls (DDTC)[3] and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS)[4] to be ITAR and EAR compliant. As part of the registration, manufacturers define the type of product information that is under export control. This could include component descriptions, engineering drawings, specifications, test procedures, and bills of materials (BOMs). Regulated data must be controlled and not exported outside the U.S. or accessible to any non-U.S. citizen at any point during design, production, or sustaining activities unless covered under the export license.
CMMC compliance applies to U.S. Department of Defense (DoD) contractors, subcontractors, and suppliers. Most small to midsize defense manufacturers must be CMMC-certified once the new ruling goes into effect[5].
The CMMC model is derived from National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) guidelines—primarily NIST SP 800-171 and DFARS 252.204-7012. Certification requirements are divided into three levels based on the organization’s cybersecurity maturity and the type of information it handles. Level 1 certification applies to companies handling Federal Contract Information (FCI), whereas Level 2 and Level 3 certifications apply to companies handling Controlled Unclassified Information (CUI). DoD contractors that use enterprise cloud solutions to handle this information must ensure that their cloud service providers have Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline or equivalent-level security in place.
Key Business Considerations for ITAR, EAR, and CMMC Compliance
Opportunities and Challenges of Defense Market Entry
A Macro View of Product Lifecycle Management (PLM)
What ITAR/EAR/CMMC Means for Secure Product Development
The Newfound Benefits of Secure Cloud-Native PLM
How Arena Achieves ITAR/EAR/CMMC Compliance and Business Objectives