SECURE PRODUCT DEVELOPMENT FOR AEROSPACE AND DEFENSE

Demonstrating ITAR, EAR, and CMMC Compliance to Gain Market Advantage

KEY BUSINESS CONSIDERATIONS FOR ITAR and EAR, AND CMMC COMPLIANCE

ITAR and EAR

ITAR compliance applies to any entity in the United States that manufactures, sells, distributes, exports, or temporarily imports defense articles, services, or related technical data. These entities span the entire supply chain—from wholesalers, distributors, and vendors to contractors and third-party suppliers.

The items regulated under ITAR are defined in the United States Munitions List (USML)¹. Product categories include:

Firearms and ammunition
Military vehicles
Aircraft and associated equipment
Spacecraft systems

FAST FACTS ON ITAR Associated technical data, software, and defense services are defined for each product category. Services encompass design, development, testing, repair, and maintenance.

While ITAR regulates defense-related articles, EAR regulates the manufacture, sale, distribution, and export of dual-use items, commercial goods, technology, and data. Dual-use items that have both commercial and military applications, as well as items intended only for commercial use, are outlined in EAR’s Commerce Control List (CCL)². Product categories include:

Electronics
Computers
Telecommunications
Sensors and lasers
Navigation and avionics
Marine
Aerospace and propulsion

Companies must register for export licenses through the U.S. Department of State Directorate of Defense Trade Controls (DDTC)³ and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS)⁴ to be ITAR and EAR compliant. As part of the registration, manufacturers define the type of product information that is under export control. This could include component descriptions, engineering drawings, specifications, test procedures, and bills of materials (BOMs). Regulated data must be controlled and not exported outside the U.S. or accessible to any non-U.S. citizen at any point during design, production, or sustaining activities unless covered under the export license.

Key Business Questions ITAR and EAR Compel

CMMC

FCI and CUI Explained

CMMC compliance applies to U.S. Department of Defense (DoD) contractors, subcontractors, and suppliers. Most small to midsize defense manufacturers must be CMMC-certified once the new ruling goes into effect⁵.

The CMMC model is derived from National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) guidelines—primarily NIST SP 800-171 and DFARS 252.204-7012. Certification requirements are divided into three levels based on the organization’s cybersecurity maturity and type of information they handle. Level 1 certification applies to companies handling Federal Contract Information (FCI), whereas Level 2 and 3 certifications apply to companies handling Controlled Unclassified Information (CUI). DoD contractors that use enterprise cloud solutions to handle this information must ensure that the cloud service providers have Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline or Equivalent level security in place.