
Can ITAR Be CUI? Why ITAR Could Be in Scope for Your CMMC Assessment

October 6, 2025 · 8 min read · Ross Seay, CMMC Practice Lead

Tags: CMMC, NIST 800-171, CUI, ITAR, Compliance, Government, Cloud Security

Many defense contractors mistakenly believe ITAR-controlled data sits outside the boundaries of CMMC Level 2 — but that assumption could cost you your certification.


In reality, the National Archives and Records Administration (NARA) confirms that certain ITAR-regulated information qualifies as Controlled Unclassified Information (CUI Specified). That means if your organization handles ITAR data, it's likely in scope for your CMMC assessment — and must meet strict safeguarding and dissemination requirements.

Where ITAR and CUI Overlap

The CUI Registry maintained by NARA explicitly lists "Defense" as a CUI category and "Controlled Technical Information" and "Export Controlled" as Specified subsets. ITAR-regulated technical data describing defense articles falls into Export Controlled CUI under the registry. The "Specified" designation is significant — it means the safeguarding and dissemination controls are dictated by the underlying authority (the Arms Export Control Act and the ITAR itself), and they are typically more restrictive than baseline CUI.

Why It Matters for CMMC

If ITAR technical data lives in your environment, the systems that process, store, or transmit it are CUI assets under the CMMC scoping guide. They must be inside your assessment boundary, and they must satisfy all 110 NIST SP 800-171 controls. Treating ITAR as out of scope and then discovering otherwise during a C3PAO assessment is one of the most common, and most expensive, failure modes we see.

The Safe Path Forward

Treat ITAR data as CUI Specified from day one. Build your enclave to handle it. Document the categorization in your System Security Plan. Restrict access to U.S. persons per ITAR §120.62 and use FedRAMP-authorized infrastructure (GCC High, AWS GovCloud, Azure Government). The compliance overhead is real, but it is far less than losing your DDTC registration or failing your CMMC assessment.
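The two engineering points above, that any system holding ITAR data is a CUI asset inside the assessment boundary and that access to ITAR technical data must be limited to U.S. persons in an approved enclave, can be expressed as a small policy check. The following is an added example, not code from the article or from any CMMC tooling; the marking keywords, the enclave identifiers, the data model and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed identifiers for the FedRAMP-authorized environments the article names
# (GCC High, AWS GovCloud, Azure Government). Real deployments would use their
# own inventory keys; these strings are placeholders.
APPROVED_ENCLAVES = {"gcc-high", "aws-govcloud", "azure-government"}

# Constructed marking keywords. The category names follow the CUI Registry
# structure described in the article (Export Controlled and Controlled
# Technical Information are CUI Specified); the keyword strings are assumed.
ITAR_MARKINGS = {"ITAR", "EXPORT_CONTROLLED"}
CTI_MARKINGS = {"CTI"}


@dataclass(frozen=True)
class User:
    name: str
    us_person: bool  # U.S. person status per ITAR section 120.62


@dataclass(frozen=True)
class Resource:
    path: str
    markings: frozenset  # data markings attached to the file or record
    enclave: str         # where the system that stores/processes it lives


def classify(markings: Iterable[str]) -> str:
    """Map data markings to the CUI category that drives handling rules."""
    marks = set(markings)
    if marks & ITAR_MARKINGS:
        return "CUI Specified (Export Controlled)"
    if marks & CTI_MARKINGS:
        return "CUI Specified (Controlled Technical Information)"
    if "CUI" in marks:
        return "CUI Basic"
    return "Not CUI"


def in_assessment_scope(resource: Resource) -> bool:
    """Any system holding CUI, ITAR data included, is a CUI asset in the boundary."""
    return classify(resource.markings) != "Not CUI"


def scoping_findings(resources: Iterable[Resource]) -> List[str]:
    """Paths of CUI-bearing resources hosted outside an approved enclave.

    Each entry is a system that would be pulled into the assessment boundary
    without meeting the enclave requirement, i.e. a finding to fix before a
    C3PAO assessment rather than during one.
    """
    return [r.path for r in resources
            if in_assessment_scope(r) and r.enclave not in APPROVED_ENCLAVES]


def authorize(user: User, resource: Resource) -> Tuple[bool, str]:
    """Access decision for one user and one resource, with the reason recorded.

    Order matters: the enclave check runs before the person check so that a
    misplaced ITAR file is denied to everyone, not just to non-U.S. persons.
    Other CUI Specified categories are governed by their own authority and get
    no extra rule here.
    """
    category = classify(resource.markings)
    if category == "Not CUI":
        return True, "not CUI: no special handling"
    if resource.enclave not in APPROVED_ENCLAVES:
        return False, f"{category} hosted outside an approved enclave"
    if category == "CUI Specified (Export Controlled)" and not user.us_person:
        return False, "ITAR technical data: requester is not a U.S. person"
    return True, f"{category}: access permitted"


# Constructed sample inventory and users; none of these are real systems or people.
SAMPLE_RESOURCES = [
    Resource("/drawings/itar/fin-assembly.step", frozenset({"ITAR"}), "commercial-saas"),
    Resource("/drawings/itar/guidance-spec.pdf", frozenset({"ITAR", "CUI"}), "gcc-high"),
    Resource("/marketing/brochure.pdf", frozenset(), "commercial-saas"),
    Resource("/contracts/sow.docx", frozenset({"CUI"}), "aws-govcloud"),
]
SAMPLE_USERS = {
    "alice": User("alice", us_person=True),
    "bob": User("bob", us_person=False),
}


def demo() -> List[str]:
    """Run the scoping report and a few access decisions; returns the log lines."""
    log = [f"scoping finding: {p}" for p in scoping_findings(SAMPLE_RESOURCES)]
    for user in SAMPLE_USERS.values():
        for res in SAMPLE_RESOURCES:
            allowed, reason = authorize(user, res)
            log.append(f"{user.name} -> {res.path}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The scoping report is the part most teams skip: run it against the real asset inventory before declaring a boundary, because every path it returns is an ITAR or CUI system that an assessor will count as in scope regardless of what the System Security Plan says.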