Cybersecurity should be a priority for every organization, but even more so for the thousands of contractors and manufacturing organizations that work with the federal government. These businesses produce and provide services that are critical to the national and global supply chain making them attractive targets for cyber criminals. In order to create a more secure environment that protects both the public and private sectors, manufacturers are often subject to various regulatory bodies and compliance frameworks that seek to establish standardized sets of security controls for every organization to follow.
For many businesses, these requirements can be complex and frustrating to sift through. SMBs specifically find themselves asking what applies to them, how they can achieve compliance, and how to maintain it. This blog seeks to address the differences between ITAR and CMMC compliance, two similar yet different standards that often confuse organizations.
The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) in order to create a standardized certification process that addresses the protection of controlled unclassified information (CUI) within the Defense Industrial Base (DIB). The DIB "is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements". This sector is made up of over 100,000 companies and subcontractors that work either directly or indirectly with the DoD. As many can probably guess, the attack surface for this sector is broad. In order to better secure sensitive information provided by the federal government, CMMC was founded.
Now in its second version, CMMC 2.0 is made up of three maturity levels that build upon each other. Level 1 (Foundational Cybersecurity) is applicable to any organization that is contracted by the Department of Defense and handles federal contract information (FCI). This level is the minimum requirement to do work with the DoD and consists of foundational security controls that are outlined in NIST SP 800-171. Compliance with level 1 does not permit companies to handle CUI.
Level 2 (Advanced Cybersecurity) is where many businesses will fall in regards to CMMC. Any contractor responsible for handling CUI must comply with level 2 and the controls outlined in NIST 800-171 in addition to practices beyond the scope outlined in NIST 800-171.
Finally, level 3 (Expert Cybersecurity) applies to critical infrastructure or programs that could have drastic consequences for the nations security posture. These organizations are held to the highest security standards and must implement strict security policies to ensure the protection of their technology.
The Department of Defense enforces the requirements outlined in CMMC 2.0 and require any organization seeking certification (OSC) to undergo a third party assessment to ensure compliance.
The International Traffic in Arms Regulations (ITAR) is the regulatory body that controls the export and import of defense and military technologies that reside on the United States Munitions List (USML). Being ITAR compliant means ensuring that if your organization produces, sells, or provides services for technology covered under the USML, you're committed to protecting the sensitive information involved in the process.
ITAR seeks to prevent the disclosure or leaking of private information to foreign entities and secure the global information sharing pipeline. Any defense contractor that provides services or manufactures items on the USML must register with the Department of State Directorate of Defense Trade Controls or DDTC. The DDTC is responsible for enforcing the regulations outlined by ITAR. Data security for ITAR involves maintaining a stringent information security policy, encrypting sensitive data, regularly conducting security assessments, firewall management, and more.
For organizations that are found to be neglecting ITAR compliance, the consequences are steep. Failing to comply with ITAR standards could result in criminal or civil penalties, being barred from future contracts, or imprisonment. This could mean civil fines as much as $500,000 per violation or criminal fines up to $1,000,000 and 10 years of prison per violation.
Both ITAR and CMMC can be difficult to navigate for SMBs who are required to comply with one or both. While compliance frameworks such as NIST 800-171 align well with both, there are fundamental differences to each that make compliance tricky.
So how are they different? For starters, CMMC is concerned with specific types of data or information that is provided to an organization that is seeking to become compliant. This data, provided by the DoD in the form of CUI, is required to be protected under the controls outlined in NIST 800-171. Conversely, ITAR is solely concerned with items listed on the USML list and everything related. As you can imagine, ITAR is applicable to a much broader pool of information than CMMC. Another key difference between the two is that where CMMC is founded on NIST SP 800-171, ITAR compliance is prescribed and determined by the DDTC. As previously mentioned, NIST 800-171 aligns well with both, but is not sufficient for ITAR.
CMMC and ITAR also differ in who they may apply to. CMMC applies to ANY defense contractor working with the DoD regardless of whether or not they have access to CUI. At the bare minimum, any contractor working with the DoD must comply with CMMC 2.0 maturity level 1. On the other hand, ITAR only applies to defense contractors who manufacture, export, or provide services for items and technology listed on the USML. This means that an organization may be required to comply with CMMC and ITAR if they handle both CUI and items related to the USML. It also could mean that an organization only has to comply with one of the two standards depending on the business. It is your responsibility to assess your organization and examine your contracts to determine where you need to pursue compliance.
CMMC 2.0 and ITAR are also different in the ways they are enforced. One common misconception is that there is an ITAR certification. No company is ever ITAR "certified", but rather are registered with the DDTC and obligated to remain compliant under ITAR's requirements. As long as your organization handles the items listed on the USML, you must comply. Failure to do so will result in financial and/or legal repercussions. CMMC is enforced very differently. As the name implies, CMMC is in fact a certification process. The DoD requires that any OSC undergo a third-party assessments conducted by a C3PAO to determine whether or not compliance has been achieved. Businesses will also receive a SPRS score based on how well they implemented the controls outlined in NIST 800-171. This certification is applicable throughout the entire contract period and failure to maintain compliance may also result in intense repercussions.
CorpInfoTech is a managed service provider (MSP) that specializes in providing security services for small-medium sized businesses across various industries. Our services includes comprehensive security assessments, vulnerability management, firewall management, and compliance help. All of these services are necessary for manufacturers and defense contractors looking to comply with CMMC, ITAR, or both.
We can help you identify key areas of risk, and provide you with a plan of action that empowers your organization to fill the gaps in your security. From there, CorpInfoTech can help you business manage and maintain your compliance no matter what changes may come. Contact us today to learn how we can help you become compliant!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.