ITAR vs CMMC

CMMC (Cybersecurity Maturity Model Certification) and ITAR (International Traffic in Arms Regulations) are two US regulatory frameworks related to the defense sector.

Among the questions frequently asked in the defense ecosystem is: are ITAR and CMMC equivalent? In other words, are you CMMC compliant if you are ITAR compliant, and vice versa?

In this blog post, we'll answer that question.

Introduction to ITAR (International Traffic in Arms Regulations)

ITAR is a set of regulations enforced by the U.S. Department of State.

ITAR controls the export and import of defense-related items and services on the United States Munitions List (USML). We're talking about armaments here.

CMMC (Cybersecurity Maturity Model Certification)

CMMC is a cybersecurity certification that all DoD contractors and subcontractors must comply with. There are 3 CMMC levels, and the level required depends on the types of data you have access to as part of your business relationship with DoD.

DoD's suppliers are in various fields and are not all in the armaments sector.

CMMC vs ITAR

CMMC

CMMC is focused on cybersecurity and explicitly targets companies (regardless of size) that work with DoD and collect, process or generate Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts.

If you are not yet a DoD supplier and want to be able to do business with DoD, you need to prepare for and obtain CMMC certification.

CMMC is a certification.

ITAR

ITAR has a broader scope than cybersecurity. It covers the export, import and brokering of defense technologies, defense services and related technical data.

Any company that manufactures, imports, exports or provides services related to items on the United States Munitions List (USML) must comply with ITAR, even if it is not a DoD supplier.

Some ITAR data is CUI (in the Export Controlled CUI category), but not all ITAR data is CUI. For example, if you do R&D in the field of weaponry, your data and results are not considered CUI by default when you create them. But as soon as you get a contract with DoD, you have to treat and protect them as CUI.

As you can see, it's only when you obtain a contract with DoD that your ITAR data becomes CUI. In that case, you must comply with all CUI protection requirements under CMMC, which is largely derived from NIST SP 800-171.

Note that not all CUI is ITAR data.

ITAR is not a certification.

ITAR and penalties

Companies are required to disclose whether they have violated ITAR requirements. Violations include: exporting or transferring ITAR-controlled technologies without the required licenses and approvals, non-compliance with license conditions, falsification of information, etc.

The penalties for non-compliance with ITAR rules are quite severe:

  • fines of up to US$1,000,000 per offence;

  • 20 years' imprisonment per offence for criminal charges;

  • prohibition from participating in ITAR-controlled transactions.

CMMC and ITAR

If you're a DoD contractor or subcontractor in the weapons business, you need to comply with both ITAR and CMMC.

The good news is that some ITAR data is CUI. By complying with CMMC, you therefore cover the cybersecurity aspect of CUI protection required by ITAR. But always bear in mind that ITAR is broader than cybersecurity. You must also comply with ITAR requirements for exporting, importing or manufacturing equipment or services in the field of armaments.

You can be subject to ITAR without being obliged to comply with CMMC, as long as you are not a DoD contractor or subcontractor. But as soon as you become one, CMMC compliance is mandatory.

So the best thing to do is to comply with both CMMC and ITAR if you intend to be a DoD supplier.

How StreamScan can help you with your CMMC compliance process

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.

Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.