CUI vs ITAR for CMMC Compliance
Jan. 2, 2025
If you’re a Department of Defense (DoD) manufacturer preparing for CMMC, you’ve probably seen CUI and ITAR misused or mixed up. Confusion about these terms is common among defense contractors working toward compliance.
One of the most common statements we hear is: “We thought ITAR was lower security than CUI.”
It’s understandable how someone reaches that conclusion, but it is still incorrect. Misunderstanding the relationship between CUI and ITAR creates costly compliance gaps and increases exposure during assessments.
This guide explains the difference in plain language, why manufacturers often mix them up, and how both impact your Cybersecurity Maturity Model Certification (CMMC) readiness.
What Is CUI?
CUI (Controlled Unclassified Information) is a federal information category, established by Executive Order 13556, that standardizes how sensitive but unclassified government information must be marked, handled, and protected. Although it is not classified, CUI carries specific handling and cybersecurity requirements.
Examples of CUI in a defense manufacturing environment include:
- Technical drawings and CAD files
- Engineering or manufacturing instructions
- Test, inspection, and quality records
- Contract data tied to DoD programs
- Material certifications or weld maps
- Any data identified as covered defense information under DFARS 252.204-7012
Whenever CUI appears in a contract, it triggers:
- DFARS 252.204-7012 compliance
- Implementation of NIST SP 800-171
- CMMC Level 2 for primes and subcontractors that receive the CUI (a C3PAO certification or a self-assessment, depending on what the contract requires)
In simple terms, CUI defines how information must be safeguarded inside your IT and operational systems.
What Is ITAR?
ITAR (International Traffic in Arms Regulations) is a U.S. export control regulation administered by the State Department's Directorate of Defense Trade Controls (DDTC). Unlike CUI, ITAR is not an information category. It is a legal framework that controls defense articles, technical data, and defense services listed on the U.S. Munitions List.
ITAR restrictions apply not only to the item being produced but also to the related technical information, including:
- Drawings and specifications
- CAM or CNC programs
- Shop travelers and work instructions
- Test results and inspection data
- Emails or conversations describing manufacturing steps
If a part appears on the U.S. Munitions List, it is ITAR-controlled even if it never leaves your facility.
At its core:
ITAR controls who can access the information and where that information is allowed to reside.
There is no built-in cybersecurity standard inside ITAR, yet its rules significantly influence how data must be stored and who may access it. The one place ITAR does speak to technical controls is its end-to-end encryption carve-out (added in 2020): unclassified technical data secured end to end with FIPS 140-validated cryptography, with the keys kept out of foreign persons' reach and subject to further conditions, can transit or be stored outside the United States without that counting as an export. Unless you are deliberately relying on that carve-out and can document it, treat foreign storage and foreign access as prohibited.
Why Manufacturers Confuse CUI and ITAR
For years, many defense suppliers treated ITAR as primarily a physical access concern, focusing on:
- Keeping foreign nationals out of restricted areas
- Using ITAR cover sheets
- Posting warning signs
- Segregating workstations and storage areas
CUI came later, carrying explicit IT and cybersecurity requirements enforced through DFARS and NIST SP 800-171.
This created a simplified mental model:
- ITAR belongs on the shop floor
- CUI belongs in the IT department
From there, some firms assumed ITAR must be a lower-level requirement.
In reality:
ITAR is often more restrictive because it limits access based on U.S.-person status (citizenship, permanent residency, or protected-individual status), not just cybersecurity posture.
CUI is about protection.
ITAR is about authorization.
You need both.
How CUI and ITAR Overlap
The easiest way to understand the relationship is this:
- CUI dictates how information must be secured.
- ITAR dictates who is allowed to access it and where it can be stored.
Important points:
- ITAR technical data is frequently also CUI.
- Not all CUI is ITAR-controlled.
- Businesses handling ITAR almost always handle CUI.
- CMMC Level 2 does not replace ITAR obligations.
- ITAR restrictions sit on top of your cybersecurity requirements.
Quick comparison
| Requirement | Applies to CUI | Applies to ITAR |
|---|---|---|
| NIST SP 800-171 | Yes | Often, when CUI is present |
| CMMC Level 2 | Yes | Often, when CUI is present |
| Export control restrictions | No | Yes |
| U.S.-person-only access | Sometimes | Yes, unless an export license or exemption authorizes the foreign person |
This layered compliance model is where many manufacturers run into trouble, especially when their systems were configured long before CMMC or modern export rules existed.
Why This Matters for CMMC Level 2
CMMC Level 2 evaluates whether your company can reliably protect CUI. The standard doesn’t certify or validate ITAR compliance.
However, ITAR-related weaknesses tend to surface during CMMC readiness work, including:
- Foreign persons (anyone who is not a U.S. citizen, lawful permanent resident, or protected individual) with access to file shares, servers, or cloud storage
- ITAR technical data stored in cloud regions outside the United States
- Backups replicated internationally by default
- Overseas support teams from outsourced IT vendors
- Remote access by machine or software vendors located abroad
- Collaboration tools (Teams, SharePoint, Dropbox, etc.) without geographic or identity restrictions
Any of these issues can derail a CMMC audit and create severe export compliance exposure at the same time.
This is why defense suppliers must address both sets of requirements early, not as an afterthought.
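The findings above are the kind of thing you can catch with a few minutes of scripting against exports you already have. The following Python is an added example, not STACK's process or any vendor tool: it audits a constructed access and storage snapshot (identities, groups, share ACLs, and storage regions shaped like an AD or cloud-console export; all names and regions are hypothetical) for foreign-person access to ITAR shares, including access inherited through nested groups and stale vendor accounts, and for ITAR data or backups sitting in non-approved regions.

```python
"""Added example (not the page's or any vendor's code): audit an exported
access snapshot for ITAR exposure.  All identities, groups, share names,
and regions are constructed sample data; adapt the loaders to your own
AD / M365 / cloud exports."""
from typing import Dict, List, Optional, Set, Tuple

# Assumption: regions your export-control owner has approved for ITAR
# technical data.  Region names are hypothetical.
APPROVED_REGIONS: Set[str] = {"us-east-1", "us-west-2", "usgov-virginia"}

# Constructed roster of U.S.-person status.  ITAR "U.S. person" covers
# citizens, lawful permanent residents, and protected individuals, so this
# should come from HR / export-control records, not a citizenship field.
ROSTER: Dict[str, bool] = {
    "alice": True,
    "bob": True,
    "chen": False,         # foreign-national engineer (hypothetical)
    "msp-support": False,  # outsourced IT vendor account staffed offshore (hypothetical)
}

# Constructed group membership; a member may itself be a group (nesting).
GROUPS: Dict[str, Set[str]] = {
    "ITAR-Engineers": {"alice", "bob"},
    "All-Engineering": {"ITAR-Engineers", "chen"},
    "IT-Admins": {"alice", "msp-support"},
}

# Constructed share ACLs: principals (users or groups) that can read each share.
SHARES: List[Dict] = [
    {"name": "fs01/itar-drawings", "itar": True, "principals": {"ITAR-Engineers", "IT-Admins"}},
    {"name": "fs01/engineering", "itar": True, "principals": {"All-Engineering"}},
    {"name": "fs01/hr", "itar": False, "principals": {"All-Engineering"}},
]

# Constructed storage inventory: primary region plus every replica/backup region.
STORAGE: List[Dict] = [
    {"name": "itar-bucket", "itar": True, "region": "us-east-1", "replicas": ["us-west-2"]},
    {"name": "eng-backup", "itar": True, "region": "us-east-1", "replicas": ["eu-west-1"]},
    {"name": "marketing", "itar": False, "region": "eu-west-1", "replicas": []},
]


def expand(principal: str, groups: Dict[str, Set[str]], seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a user or (possibly nested) group to the user accounts it grants."""
    seen = seen if seen is not None else set()
    if principal in seen:          # guard against circular group membership
        return set()
    seen.add(principal)
    if principal not in groups:    # a leaf: an individual account
        return {principal}
    users: Set[str] = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def audit_access(shares: List[Dict], groups: Dict[str, Set[str]], roster: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return (share, account) pairs where an ITAR share is readable by a
    non-U.S. person.  Accounts missing from the roster are treated as
    foreign (fail closed); that is how stale vendor accounts get caught."""
    findings = set()
    for share in shares:
        if not share["itar"]:
            continue
        for principal in share["principals"]:
            for account in expand(principal, groups):
                if not roster.get(account, False):
                    findings.add((share["name"], account))
    return sorted(findings)


def audit_residency(storage: List[Dict], approved: Set[str]) -> List[Tuple[str, str]]:
    """Return (store, region) pairs where a copy of ITAR data sits outside the
    approved regions.  Assumes you are not relying on ITAR's end-to-end
    encryption carve-out for storage abroad."""
    findings = set()
    for store in storage:
        if not store["itar"]:
            continue
        for region in [store["region"], *store["replicas"]]:
            if region not in approved:
                findings.add((store["name"], region))
    return sorted(findings)


if __name__ == "__main__":
    for share, who in audit_access(SHARES, GROUPS, ROSTER):
        print(f"DEEMED-EXPORT RISK: {who} can read ITAR share {share}")
    for store, region in audit_residency(STORAGE, APPROVED_REGIONS):
        print(f"RESIDENCY RISK: ITAR store {store} has a copy in {region}")
```

Two design choices matter here. Group expansion is recursive because the classic finding is a foreign national in a broad group such as "All-Engineering" that was nested into an ITAR share years ago, and accounts that are not on the roster are flagged rather than ignored, because an unrecognized identity with read access to ITAR data is exactly the outsourced-support case above.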
How STACK Cybersecurity Helps Federal Contractors
STACK Cybersecurity is a Registered Practitioner Organization (RPO) authorized by the Cyber AB to prepare companies for CMMC Level 2.
We work closely with manufacturers, machine shops, engineering firms, and defense suppliers to:
- Identify where CUI and ITAR intersect. Many contractors underestimate how widely technical data spreads throughout their networks and workflows.
- Align cybersecurity controls with export restrictions. We help ensure your NIST SP 800-171 implementation does not violate ITAR rules on foreign access or foreign data storage.
- Reduce assessment risk before a C3PAO arrives. We find gaps early so your team is not scrambling during an audit.
- Translate complex regulations into practical safeguards. Our process focuses on achievable, defensible controls that improve security and operational resilience.
Our mission is to help defense suppliers move confidently toward compliance while strengthening their overall cybersecurity posture.
Frequently Asked Questions
Is ITAR lower security than CUI?
No. ITAR isn’t a security level. It’s a separate export law that often imposes stricter access controls than CUI.
Can technical data be both ITAR and CUI?
Yes. ITAR technical data on a DoD program is commonly treated as CUI as well.
Does CMMC Level 2 cover ITAR requirements?
No. CMMC verifies CUI protection, not export compliance.
If we put ITAR labels on shop documents, are our IT systems compliant?
Not necessarily. Physical controls do not guarantee digital compliance.
Does ITAR still apply if the data never leaves our facility?
Yes. Under ITAR, releasing technical data to a foreign person inside the United States is a "deemed export," so a violation can occur without anything ever crossing a border.
Where Cybersecurity and Export Rules Overlap
If your firm builds defense-related components or assemblies, understanding the difference between CUI and ITAR is essential. The overlap between cybersecurity and export rules is where most contractors face the greatest risk.
Addressing these requirements early helps prevent failed audits, production delays, and unintentional violations.
If you’re unsure how your business aligns with CMMC or ITAR today, STACK Cybersecurity can help you gain clarity and reduce risk before it becomes a problem.