Threat & Research Team Blog
- CMMC
- Vulnerabilities
- Government
- Security operations
- OT Security
- Compliance
- SOC
- Artificial Intelligence
- ThreatHunting
- Vulnerability Management
- Industrial Control Security
- Ransomware
- Cyber Security Compliance
- Zero-Day
- NIST 800-171
- Critical Infrastructure
- threat advisory
- Penetration Testing
- Emerging Threats
Can ITAR Be CUI? Why ITAR Could Be in Scope for your CMMC Assessment
Any defense contractors mistakenly believe ITAR-controlled data sits outside the boundaries of CMMC Level 2 — but that assumption could cost you your certification.
In reality, the National Archives and Records Administration (NARA) confirms that certain ITAR-regulated information qualifies as Controlled Unclassified Information (CUI Specified). That means if your organization handles ITAR data, it’s likely in scope for your CMMC assessment — and must meet strict safeguarding and dissemination requirements.
In this article, we explain how ITAR and CUI overlap, what the CUI Registry actually says, and why treating ITAR as CUI is both the safest and most compliant path forward for defense contractors.
CMMC 2.1 Explained: How is the Cybersecurity Maturity Model Certification Program Changing?
CMMC 2.1 Explained: How is the Cybersecurity Maturity Model Certification Program Changing? Find out how updated CMMC regulations impact security compliance for government agencies and their partners.
Managing Cybersecurity Risk for Small Government Agencies: Double Extortion Explained
Managing Cybersecurity Risk for Small Government Agencies: Double Extortion Explained Cybercriminals are increasingly targeting small public administration offices instead of large, federal-level targets.
