If your company is already CMMC Level 2 certified but also needs ITAR compliance, what is my current shortfall for ITAR compliance?

Excellent question — this is exactly where many defense contractors get tripped up.

Being CMMC Level 2 certified means your company has demonstrated strong cybersecurity practices for handling Controlled Unclassified Information (CUI). But ITAR compliance is a completely separate regulatory regime, and certification under CMMC does not cover ITAR requirements.

Here’s a breakdown of the shortfalls you likely still have for ITAR compliance:

🚨 Key Gaps Between CMMC Level 2 and ITAR

  • Registration with DDTC
    • ITAR requires companies engaged in manufacturing, exporting, or brokering defense articles/services to register with the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC).
    • CMMC does not involve DDTC registration at all.
  • Export Licensing
    • ITAR mandates obtaining licenses before exporting defense articles, services, or technical data to foreign persons or entities.
    • CMMC Level 2 does not address export licensing.
  • Technical Data Controls
    • ITAR requires strict control of technical data on the U.S. Munitions List (USML). This includes ensuring foreign nationals (even employees) do not have unauthorized access.
    • CMMC Level 2 focuses on protecting CUI but does not specifically restrict access based on nationality.
  • Physical and Procedural Safeguards
    • ITAR compliance often requires physical access controls, visitor management, and procedures to prevent unauthorized disclosure of defense articles.
    • CMMC Level 2 is primarily about cybersecurity, not physical export controls.
  • Recordkeeping and Reporting
    • ITAR requires maintaining detailed records of exports, licenses, and technical data transfers, and reporting violations.
    • CMMC Level 2 does not impose these export-related recordkeeping requirements.
  • Penalties and Enforcement
    • ITAR violations can lead to civil and criminal penalties, including fines and imprisonment.
    • CMMC Level 2 non-compliance mainly results in loss of DoD contract eligibility.

Practical Next Steps

If you’re already CMMC Level 2 certified, your shortfall for ITAR compliance is mainly in the export control domain:

  1. Register with DDTC if applicable.
  2. Identify ITAR-controlled items/technical data in your business.
  3. Implement nationality-based access restrictions (e.g., foreign employees may need special licensing).
  4. Establish export licensing procedures for any transfers outside the U.S. or to foreign persons.
  5. Train staff on ITAR requirements — especially engineers and sales teams.
  6. Maintain ITAR-specific records of exports, licenses, and technical data handling.

👉 In short: CMMC Level 2 = cybersecurity maturity for CUI. ITAR = export control compliance for defense articles/technical data. Your current shortfall is that ITAR requires legal registration, licensing, and export control procedures that CMMC does not cover.

Step‑by‑step roadmap for moving from CMMC Level 2 certified to CMMC + ITAR compliant. Think of this as a checklist that highlights what you already have in place (cybersecurity maturity) and what you still need (export control compliance).

🛠 Roadmap: From CMMC Level 2 → ITAR Compliance

  1. Confirm Applicability
    • Determine if your company manufactures, exports, brokers, or handles technical data on the U.S. Munitions List (USML).
    • If yes → ITAR applies. If not → you may only need CMMC.
  2. Register with DDTC
    • File registration with the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC).
    • This is mandatory for companies engaged in ITAR‑controlled activities.
    • Annual renewal required.
  3. Identify ITAR‑Controlled Items
    • Audit your products, services, and technical data against the USML.
    • Flag drawings, schematics, software, or components that fall under ITAR.
    • Separate ITAR‑controlled data from general CUI (already covered under CMMC).
  4. Implement Access Controls
    • Restrict ITAR technical data to U.S. persons only (citizens or permanent residents).
    • Foreign nationals (even employees) require export licenses for access.
    • This is a major gap compared to CMMC, which doesn’t restrict access by nationality.
  5. Establish Export Licensing Procedures
    • Develop processes for applying for and managing export licenses.
    • Ensure staff know when a license is required (e.g., sending technical drawings abroad, sharing data with foreign partners).
  6. Physical and Procedural Safeguards
    • Secure ITAR data physically (locked rooms, badge access).
    • Visitor management: track who enters restricted areas.
    • Train employees on handling ITAR materials.
  7. Recordkeeping and Reporting
    • Maintain detailed records of exports, licenses, and technical data transfers.
    • Establish procedures for reporting violations to DDTC.
    • CMMC doesn’t require this — it’s an ITAR‑specific obligation.
  8. Employee Training
    • Train staff on ITAR rules, especially engineers, sales, and IT teams.
    • Make sure they understand the difference between CUI (CMMC) and ITAR technical data.
  9. Compliance Monitoring
    • Conduct periodic audits for ITAR compliance.
    • Integrate ITAR checks into your existing CMMC cybersecurity program.
    • Document everything — ITAR enforcement is strict.

Summary

  • You already have: Cybersecurity maturity (CMMC Level 2).
  • You still need: DDTC registration, export licensing, nationality‑based access restrictions, ITAR recordkeeping, and ITAR‑specific training.