HAVE ITAR DATA AND CMMC REQUIREMENTS? READ THIS TODAY: MEASURE TWICE, CUT ONCE!
In the world of defense industry regulations, ITAR and CMMC are two important sets of regulatory requirements that many within the defense industrial base need to adhere to. Although the two regulations are distinct and tailored to their respective purposes, many companies dealing with ITAR-controlled items or information will also need to comply with CMMC requirements to do business with the DoD, which adds an additional layer of complexity, and potential cost, that is frequently overlooked. This article will not only provide a basic introduction to the two compliance frameworks, it will also provide specific ITAR and CMMC considerations that companies need to keep in mind in order to ensure a favorable audit outcome.
Introduction to ITAR & CMMC
ITAR (International Traffic in Arms Regulations) and CMMC (Cybersecurity Maturity Model Certification) are both regulations that are related to the defense industry in the United States, but they address different aspects of security and compliance.
ITAR is a set of regulations that govern the export and import of defense-related goods, services, and technical data. ITAR requires companies that deal with defense-related items or information to register with the US Department of State and comply with strict security and compliance requirements.
CMMC, on the other hand, is a framework for assessing and certifying the cybersecurity practices of companies that provide products or services to the US Department of Defense (DoD). The CMMC framework includes a set of controls and practices that are designed to protect sensitive information and prevent cyber-attacks.
While ITAR and CMMC are separate regulations, they are both important for companies that work in the defense industry. Many companies that deal with ITAR-controlled items or information will also need to comply with CMMC requirements in order to do business with the DoD. In fact, CMMC certification may be required for some ITAR registrations or licenses, and CMMC requirements may impact ITAR compliance efforts as well. There are also some areas where the two regulations overlap. For example, both ITAR and CMMC require companies to implement strict access controls and safeguard sensitive information. Both also require companies to establish and maintain effective security practices to protect against cyber-attacks and unauthorized access.
However, the specific requirements for each regulation are distinct and tailored to their respective purposes. For example, ITAR places a heavy emphasis on physical security, including the protection of facilities, equipment, and personnel. CMMC, on the other hand, focuses on the cybersecurity practices and controls that are necessary to protect against cyber threats and attacks. In summary, while ITAR and CMMC are distinct regulations, they both play a critical role in ensuring the security and compliance of companies that operate in the defense industry. Companies that deal with defense-related items or information should ensure that they understand the requirements of both regulations and take steps to comply with them as necessary.
Important ITAR & CMMC Considerations
If you have ITAR data and require CMMC, there are a few key considerations to keep in mind to avoid non-compliance:
- CMMC is a set of cybersecurity standards that are designed to ensure that companies working with the DoD have appropriate cybersecurity controls in place. Depending on the level of CMMC certification required, you may need to implement additional cybersecurity controls to protect your ITAR data.
- It is important to work with a CMMC assessor who is knowledgeable about the requirements for protecting ITAR data. The assessor should be able to provide guidance on which CMMC level is appropriate for your organization based on the sensitivity of your ITAR data and the risks associated with its disclosure.
- You will need to demonstrate compliance with the relevant CMMC requirements through an assessment process, which will include both a review of your cybersecurity policies and procedures as well as technical testing of your systems and networks. This process can be time-consuming and may require significant resources, so it is important to plan accordingly. On average, we find that most organizations need at least a year to become what we would consider “CMMC assessment-ready”.
- It is critically important to ensure that your employees are trained on the proper handling of ITAR data and the cybersecurity controls that are in place to protect it. This includes regular training on cybersecurity best practices, as well as specific training on ITAR compliance and the handling of classified information.
- Last but not least, you must ensure that your in-scope third-party applications are ITAR-friendly/FedRAMP compliant and that your MSP/MSSP is, or plans to be, compliant with the same regulatory requirements that you must adhere to. These third parties all have theoretical access to the CUI/ITAR data you’re trying to safeguard, so they must also adhere to these stringent standards.
How to Determine if Your Provider is ITAR-Friendly/FedRAMP Compliant
To determine if your provider is FedRAMP compliant, you can take the following steps:
- Check the FedRAMP Marketplace: The FedRAMP Marketplace is an online directory that lists all the cloud service providers (CSPs) that are FedRAMP compliant. You can search for your provider’s name in the marketplace to see if they are listed.
- Ask your provider: If your provider is not listed in the FedRAMP Marketplace, you can contact them directly and ask if they have undergone a FedRAMP assessment and achieved compliance. They should be able to provide you with information about their FedRAMP status, including the level of compliance they have achieved and the specific FedRAMP requirements they have met.
- Check with your agency: If you are working for a federal agency, you can check with your agency’s FedRAMP program office to see if your provider is listed as compliant. They may also be able to provide you with additional information about your provider’s compliance status and any concerns or issues that have been raised.
- Review the provider’s documentation: If your provider claims to be FedRAMP compliant, they should be able to provide you with documentation that demonstrates their compliance. This may include a FedRAMP authorization package, which provides detailed information about the provider’s security controls and compliance with the FedRAMP requirements.
Can I Achieve CMMC Compliance if I’m Not ITAR Compliant?
Yes, it is possible to be CMMC compliant without being ITAR compliant, as the CMMC framework covers a broader range of cybersecurity requirements than those specifically related to ITAR. However, if you are working with the DoD or other government agencies that require ITAR compliance, you will also need to ensure that your ITAR compliance measures are in place in addition to meeting the relevant CMMC requirements.
It is important to note that different levels of CMMC certification may require different levels of ITAR compliance. For example, if you are working with DoD contracts that involve ITAR-controlled technical data or defense services, you may need to comply with both ITAR regulations and the CMMC requirements at a higher level. In general, it is important to work with a knowledgeable CMMC assessor to determine the appropriate level of CMMC certification for your organization based on your specific cybersecurity needs and compliance requirements. Your compliance partner (MSP, MSSP, or RPO) can help you understand the requirements for both ITAR compliance and CMMC certification and work with you to develop a cybersecurity strategy that meets both sets of requirements. In summary, to determine if your provider is FedRAMP compliant, you can check the FedRAMP Marketplace, ask your provider directly, check with your agency’s FedRAMP program office, and review the provider’s documentation. It is important to ensure that your provider is FedRAMP compliant if you are using cloud services for federal workloads, as this helps to ensure that your data is protected and secure.
Conclusion & Resource Information
The objective of this article is to clarify the ties between ITAR and CMMC, including the important considerations to keep in mind in order to ensure you’re adequately addressing your compliance obligations. There is far too much at risk from a contractual and national security standpoint to overlook these considerations, so it is of the utmost importance that you partner with an organization that fully grasps the additional layer of complexity that the ITAR requirements can present on the way to becoming CMMC assessment-ready. For more information about the compliance implications that ITAR, NIST 800-171, CMMC or ISO 27001 present to your organization, please contact us directly or refer to our compliance pages by clicking the link below.
Cybersecurity and Compliance Manager
Chris Riani joined TSI in 2021, and currently serves as our Cybersecurity and Compliance Manager. Chris has over a decade of experience in IT, with most of his time spent managing and protecting critical IT environments within the DoD and the private sector. A ten-year Air Force Veteran, his background includes Application Administration, Networking, and Systems Design, as well as Virtualization and Cloud Security.
Chris is a graduate of Champlain College in Vermont, where he studied a wide variety of technology- and security-focused topics. He holds numerous IT and security certifications, such as CompTIA’s CASP+, and is also a CISSP. It comes as no surprise that Chris’s true passion is bridging the gap between operational IT requirements and information security.
Outside of work, Chris enjoys coaching soccer, spending time with his family, and playing the guitar.