Can ITAR Be CUI? Why ITAR Could Be in Scope for your CMMC Assessment
Introduction
Many defense contractors working with ITAR-controlled data believe that it falls outside the boundary of a CMMC Level 2 assessment. That misunderstanding can lead to scoping errors, failed assessments, and export-control violations.
In a June 2025 Cyber AB Town Hall, Jim Goepel, a recognized expert on Controlled Unclassified Information (CUI), emphasized a key point: NARA (the National Archives and Records Administration) is the definitive authority on what counts as CUI—not your C3PAO, not your consultant.
According to the CUI Registry maintained by NARA, certain types of export-controlled information, including content subject to ITAR, are considered CUI Specified when applicable laws require safeguarding or dissemination controls.
Yet some contractors continue receiving conflicting guidance from C3PAOs, potentially leading them to exclude ITAR data from their CMMC scoping efforts. That’s a mistake—one that could result in assessment failures or exposure of sensitive information.
This article breaks down the relationship between ITAR and CUI, explains how ITAR fits into CUI categories, and outlines the impact on your CMMC assessment strategy.
Why This Matters
Organizations preparing for a CMMC Level 2 assessment have reported being told by assessors that ITAR-regulated information is not CUI and therefore does not need to be secured within the CMMC enclave.
Some have even designed cloud environments (for example, in Azure Government) on this assumption, intentionally keeping ITAR data outside the assessed boundary.
This advice is incorrect—and risky.
ITAR data is usually CUI Specified and must be protected accordingly. Misclassifying it, or leaving it outside your assessment boundary, can leave it unprotected, lead to a failed certification, and breach both your contract and the export-control regulations themselves.
As more assessment organizations come online, inconsistent interpretations are becoming more common. Organizations need to go back to authoritative sources to ensure they're making sound compliance decisions.
How ITAR and CUI Intersect
Let’s clarify the distinction:
CUI is unclassified information that the government creates or possesses, or that a contractor creates or possesses for or on behalf of the government, and that a law, regulation, or government-wide policy requires or permits to be safeguarded or disseminated with controls (32 CFR part 2002).
ITAR (International Traffic in Arms Regulations, 22 CFR parts 120 through 130) is issued by the U.S. Department of State under the Arms Export Control Act and administered by the Directorate of Defense Trade Controls. It controls the export of defense articles, defense services, and related technical data on the U.S. Munitions List, including "deemed exports" such as giving a foreign person access to that technical data inside the United States.
The two regimes have different origins but overlap. ITAR answers "who may this data be shared with, and where"; CUI answers "how must it be safeguarded while the government or its contractors hold it". When ITAR-controlled technical data is created or received for the government and ITAR itself imposes safeguarding or dissemination controls, that data is CUI Specified.
Quick Summary
Can ITAR data be CUI? Yes.
Is all ITAR data automatically CUI? No. It depends on whether the information was created or received for or on behalf of the government and on how the designating agency handles it. ITAR data you hold purely for your own commercial business is still export controlled, but it is not CUI.
Should ITAR data be excluded from CMMC scoping? No.
Understanding CUI Basic vs. CUI Specified
One area that causes confusion is the distinction between CUI Basic and CUI Specified. Here’s how they differ—and where ITAR fits in:
CUI Basic: the default category. Handled under the uniform rules of 32 CFR part 2002 and, on contractor systems, the NIST SP 800-171 baseline. Applies when the governing law or regulation requires protection but does not prescribe specific handling controls. Rarely includes ITAR.
CUI Specified: the governing law, regulation, or government-wide policy prescribes its own safeguarding or dissemination controls, which may differ from or add to the CUI Basic baseline. For ITAR the obvious example is the restriction on foreign-person access, which NIST SP 800-171 does not address on its own. NIST SP 800-171 still applies to the system; the Specified controls come on top of it. Most ITAR data fits here.
Specified status comes from the underlying authority listed in the CUI Registry and is applied by the designating agency. Neither a contractor nor an assessor can upgrade or downgrade that designation.
So if your ITAR data is labeled—or required by law—to be safeguarded, it must be treated as CUI Specified, and handled accordingly within your CMMC environment.
What the CUI Registry Says About ITAR
The NARA CUI Registry explicitly addresses export-controlled data. Under the “Export Control” category, the registry includes:
“Information… subject to the International Traffic in Arms Regulations (ITAR)… These may be designated as CUI Specified when laws or regulations require safeguarding or dissemination controls.”
The takeaway: if ITAR data you hold for the government is subject to the ITAR's own safeguarding and dissemination controls (and it almost always is), it is CUI Specified and falls within the scope of your CMMC Level 2 assessment wherever it is processed, stored, or transmitted in your environment.
You cannot exclude it because it arrived without a CUI marking. Marking is the government's responsibility; the legal requirements drive the designation, not the label on the document and not convenience. If you believe information was delivered to you unmarked or mismarked, raise it with the contracting officer rather than scoping it out.
Scoping Implications for CMMC Level 2
Failing to recognize ITAR-controlled data as in scope has real consequences. If ITAR data qualifies as CUI Specified, you must:
Include every system that processes, stores, or transmits it in your System Security Plan (SSP)
Protect it to the NIST SP 800-171 baseline plus the ITAR-specific controls, including U.S.-person-only access
Reflect it accurately in network boundary diagrams and data flow maps, including flows to cloud services, engineering tools, and external parties
Neglecting this data can result in:
❌ Incomplete or inaccurate scoping
❌ Failed CMMC assessments
❌ Potential noncompliance with export control laws
When designing your enclave, especially in the cloud, confirm where ITAR data resides at rest, where it travels in transit, who can reach it (including support staff and administrators of any cloud service), and whether those locations and people satisfy both NIST SP 800-171 and the ITAR access restrictions.
Recommended Approach: Treat ITAR as CUI
Even in the edge cases where ITAR data is not designated as CUI, it remains highly regulated. The safest move is to apply CUI protections to all ITAR data, whether or not it carries a CUI marking.
Why?
It's subject to strict federal controls
It’s often co-located with other CUI
You avoid introducing scoping errors or inconsistent controls
It simplifies audit prep and protects your reputation
Treating ITAR like CUI isn’t just good security—it's smart risk management.
How We Can Help
At Maverc, we help defense contractors and federal suppliers:
Properly scope CMMC environments—including for ITAR data
Understand the legal boundaries of CUI and export controls
Implement technical controls aligned with NIST SP 800-171
Prepare for CMMC assessments with confidence
Whether you’re building a compliant enclave or need a second opinion on scope, our team brings deep expertise in both CMMC and ITAR compliance.
Conclusion
If you're handling ITAR-controlled information, don't assume it's out of scope for CMMC Level 2.
Most of the time it qualifies as CUI Specified and must be protected as such. Scoping it out on the strength of informal or outdated advice can lead to costly compliance gaps. When in doubt, consult NARA's CUI Registry, align your controls with NIST SP 800-171 and the ITAR's own access restrictions, and seek expert guidance. Your ability to safeguard sensitive government data, and to pass your CMMC assessment, depends on it.
Need support scoping your ITAR and CUI environments?
Contact Maverc to ensure your data is secure—and your certification path is clear.