Introduction
If you handle International Traffic in Arms Regulations (ITAR) data, you might be assuming it’s out of scope for your CMMC Level 2 certification. But that could be a costly mistake.
During the June 2025 Cyber AB Town Hall, Controlled Unclassified Information (CUI) expert Jim Goepel reminded contractors that the National Archives and Records Administration (NARA) is the authoritative source on what qualifies as CUI. In fact, NARA’s CUI Registry explicitly lists export-controlled information, including ITAR-regulated data, as CUI Specified when certain legal conditions are met.
But based on what some contractors are hearing from CMMC 3rd Party Assessment Organizations (C3PAOs), that message still isn’t landing.
In this post, we’ll clarify where ITAR and CUI intersect, unpack the difference between CUI Basic and CUI Specified, and explain what this means when scoping your CMMC enclave. If you’re working toward a Level 2 certification, this could be the difference between a successful assessment and a significant gap.
What Contractors Are Hearing (And Why It’s Concerning)
Recently, an Organization Seeking Certification (OSC) preparing for its CMMC Level 2 assessment shared that multiple C3PAOs had advised it that ITAR data wasn’t considered CUI and didn’t need to be included in its enclave. Its Azure GovCloud environment had been designed to exclude ITAR entirely based on that guidance.
That’s not only incorrect. It’s risky.
In most cases, ITAR-regulated data is considered CUI—specifically, CUI Specified. When export-controlled information is subject to safeguarding or dissemination controls under law (like ITAR), it qualifies as CUI.
Even if this is an isolated case, it raises a red flag. As more C3PAOs enter the ecosystem, inconsistent interpretations of what qualifies as CUI are beginning to surface. And when those interpretations shape your enclave boundaries, they can create serious compliance gaps and leave sensitive data underprotected.
What Is the Relationship Between ITAR and CUI?
Let’s be clear: ITAR and CUI are not mutually exclusive.
- Controlled Unclassified Information (CUI) is information that the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
- The National Archives and Records Administration (NARA) oversees the CUI Program and maintains the CUI Registry, which identifies all categories and subcategories of CUI.
- The International Traffic in Arms Regulations (ITAR) are a set of U.S. Department of State regulations that control the export of defense and military technologies to safeguard national security and further U.S. foreign policy objectives.
ITAR data can be CUI, specifically, CUI Specified, depending on the context and markings.
Q: Can ITAR Be CUI?
A: Yes
Q: Is all ITAR data considered CUI?
A: No
Q: Should you assume ITAR is exempt from CMMC scope?
A: Absolutely not.
CUI Basic vs. CUI Specified: How ITAR Fits In
One of the most misunderstood aspects of CUI is the difference between CUI Basic and CUI Specified, especially when it comes to ITAR-regulated data.
Let’s break it down:
| Type | How it Applies to ITAR |
| --- | --- |
| CUI Basic | This is the default category of CUI. It requires protection per NIST SP 800-171. ITAR data typically does not fall here. |
| CUI Specified | Where ITAR usually resides. Export-controlled data is listed in NARA’s Registry as CUI Specified. |
Reminder: Only the original designating authority can identify limited dissemination controls to CUI Specified. Other agencies cannot elevate CUI Basic to CUI Specified on their own.
When ITAR data is subject to additional legal or regulatory protections, as it often is, it qualifies as CUI Specified. That means it must be considered in your CMMC Level 2 scoping and documentation.
What NARA Says About ITAR
Let’s go straight to the source: NARA’s CUI Registry on Export Control explicitly identifies export-controlled information, including ITAR-regulated content, as CUI Specified when marked or required to be protected.
From the registry:
“Export Control includes information… subject to the International Traffic in Arms Regulations (ITAR)… These may be designated as CUI Specified when laws or regulations require safeguarding or dissemination controls.”
So yes, ITAR may be CUI if it meets this threshold. And if you’re storing ITAR alongside other CUI in your environment, you cannot arbitrarily exclude it from your CMMC enclave.
How ITAR Impacts Your CMMC Scope
When designing a CMMC-compliant enclave, especially in the cloud, understanding your data boundaries is essential. If your ITAR data is designated as CUI Specified, then:
- It’s in scope for Level 2
- It must be protected according to applicable CUI guidelines
- It should be included in your System Security Plan, boundary diagram, and policy documentation
Leaving ITAR out, based on bad advice, can dent your entire assessment.
Best Practice: Treat All ITAR Data Like CUI
Even in the rare cases where ITAR is not designated as CUI, ask yourself: “Would we really protect this data less just because it’s ‘only’ ITAR?”
The answer should be a resounding no.
From a compliance and business risk standpoint, it’s often best to apply CMMC-aligned controls to all ITAR-controlled data, even when not explicitly labeled as CUI. This approach helps avoid missteps in scoping, ensures consistent protections for export-controlled information, and reduces the risk of treating regulated data inconsistently.
How Redspin Helps
At Redspin, we’ve seen this confusion before, and we help organizations get it right before their assessment, not after. We’re one of the first Authorized C3PAOs, and we’ve conducted more CMMC assessments than any other organization in the ecosystem. Our CMMC readiness consulting and managed cloud services ensure your enclave is properly scoped from day one, including export-controlled data like ITAR.
Final Thoughts
In the rush to get certified, it’s hard to know who to trust. But when it comes to CUI, including ITAR, you can’t afford to get it wrong. CMMC validates that you are safeguarding the nation’s most sensitive data. Make sure your assessment reflects that reality.