Threat & Research Team Blog
Can ITAR Be CUI? Why ITAR Could Be in Scope for your CMMC Assessment
Many defense contractors mistakenly believe ITAR-controlled data sits outside the boundaries of CMMC Level 2 — but that assumption could cost you your certification.
In reality, the National Archives and Records Administration (NARA) confirms that certain ITAR-regulated information qualifies as Controlled Unclassified Information (CUI Specified). That means if your organization handles ITAR data, it’s likely in scope for your CMMC assessment — and must meet strict safeguarding and dissemination requirements.
In this article, we explain how ITAR and CUI overlap, what the CUI Registry actually says, and why treating ITAR as CUI is both the safest and most compliant path forward for defense contractors.
Scoping CUI for CMMC Level 2 Certification
Defining the scope of your Controlled Unclassified Information (CUI) environment is the first and most critical step in preparing for a CMMC Level 2 assessment. Proper scoping ensures you know exactly which assets, people, and systems fall within your compliance boundary—and it can make the difference between a smooth certification process and costly setbacks. In this blog, we break down the scoping requirements, explain how to categorize assets, and share a practical checklist to help your organization build a clear, audit-ready System Security Plan (SSP).
CMMC Compliance Series: The CMMC Shared Responsibility Matrix
The CMMC Shared Responsibility Matrix helps businesses define which cybersecurity tasks they own and which are handled by service providers like AWS or Microsoft Azure. By clarifying roles in encryption, access control, and incident response, organizations can simplify compliance, strengthen security, and prepare for upcoming CMMC requirements.
CMMC 2.1 Explained: How is the Cybersecurity Maturity Model Certification Program Changing?
Find out how updated CMMC regulations impact security compliance for government agencies and their partners.
MAVERC selected to provide CMMC remediation and consulting services to Manufacturers in the state of Virginia
Tips for preparing for Cyber Security Maturity Model Certification (CMMC)?
Maverc will be posting several articles and the latest news on our blog, with guidelines on getting ready for CMMC, a new cyber security standard for defense contractors. Let’s start with a summary of CMMC and how to get started with piloting the certification process.
What role will Manufacturing Extension Partnerships (MEP) play in CMMC and NIST Compliance?
Established by the National Institute of Standards and Technology (NIST) in 1988, the Manufacturing Extension Partnership program, or MEP, is a national network created to support US supply chain manufacturers with organizational growth,