ITAR

The International Traffic in Arms Regulations (ITAR) are U.S. State Department regulations administered under the Arms Export Control Act that control the export and re-export of defense articles, defense services, and related technical data. Items subject to ITAR are listed on the U.S. Munitions List.

Most technical data subject to ITAR is also categorized as Controlled Unclassified Information (CUI), which means defense contractors handling ITAR data are subject to both ITAR's export-control restrictions and DFARS 252.204-7012's safeguarding requirements. A CMMC Level 2 certification covers the safeguarding side; ITAR compliance is a separate program managed under the State Department.

For CMMC purposes, the most important consequence of handling ITAR data is that it almost always means CUI is in scope, which triggers the full Level 2 requirement set. ITAR data also typically must remain on U.S. soil under U.S.-citizen access controls, which influences where it can be stored (generally GCC High or an equivalent FedRAMP High environment).