Specialized Topics · 11-minute read · Compliance overlay

ITAR, EAR, and US-Person Controls

For a meaningful subset of DIB contractors, CUI is also export-controlled — subject to ITAR or EAR in addition to DFARS 7012. The export-control layer adds requirements that CMMC compliance alone does not satisfy: US-person access restrictions, registration obligations, and constraints on cloud and offshore services. This guide explains how the layers interact and where the landmines are.

ITAR vs. EAR — Two Different Regimes

The United States operates two parallel export control regimes for items, software, and technical data with national security implications.

Full name
  ITAR: International Traffic in Arms Regulations
  EAR: Export Administration Regulations

Administered by
  ITAR: Directorate of Defense Trade Controls (DDTC), Department of State
  EAR: Bureau of Industry and Security (BIS), Department of Commerce

Covers
  ITAR: Items, software, and technical data on the United States Munitions List (USML) — defense articles, services, and the technical data necessary to design, develop, produce, or use them
  EAR: Items, software, and technology on the Commerce Control List (CCL) — primarily dual-use items with both commercial and military applications, plus some explicitly military items not on the USML

License regime
  ITAR: Strict — exports and re-exports generally require an explicit license; very limited exemptions
  EAR: Broader — license requirements depend on the item, the destination country, the end-user, and the end-use

"Deemed export" rule
  ITAR: Releasing technical data to a foreign person — even within the US — is an export. Requires a license unless an exemption applies.
  EAR: Same principle: releasing controlled technology to a foreign person within the US is a deemed export and may require a license.

Penalties
  ITAR: Up to $1M per violation, 20 years imprisonment, debarment from federal contracts
  EAR: Up to $300K per violation (or twice the value of the transaction), 20 years imprisonment, debarment

Registration
  ITAR: Anyone who manufactures, exports, or brokers ITAR-controlled defense articles must register with DDTC
  EAR: No general registration; license requirements apply transaction-by-transaction

The two regimes operate independently. An item can be ITAR-controlled, EAR-controlled, both, or neither. A single program may contain ITAR-controlled subsystems, EAR-controlled subsystems, and uncontrolled commercial items — and your handling rules differ for each.

How They Layer on CMMC

CMMC and DFARS 7012 establish requirements for safeguarding CUI. Export control regulations establish requirements for who may access certain technical data. These are separate obligations that apply simultaneously.

  • If you handle CUI that is not export-controlled: CMMC and DFARS 7012 apply. No US-person access restriction.
  • If you handle CUI that is also EAR-controlled: CMMC, DFARS 7012, and EAR all apply. EAR may restrict release to certain foreign persons depending on the technology and country.
  • If you handle CUI that is also ITAR-controlled: CMMC, DFARS 7012, and ITAR all apply. ITAR generally restricts technical data to US persons absent a license or specific exemption.
  • If you handle classified information: A different regime entirely (NISPOM, FACL, etc.). CMMC does not apply to classified networks or facilities.

The most consequential interaction: CMMC compliance does not satisfy ITAR or EAR. A FedRAMP Moderate cloud service that meets CMMC requirements may still be unsuitable for ITAR-controlled data if its administrative personnel include foreign persons. The export control regime adds people-based constraints that the CMMC regime does not.

The US-Person Rule

For ITAR purposes, "US person" means a US citizen, a US lawful permanent resident (green card holder), or certain protected individuals (refugees, asylees). Foreign persons working in the United States on visas (H-1B, L-1, OPT, etc.) are not US persons under ITAR.

The US-person rule has two operational implications:

  • Access to ITAR-controlled technical data within your environment requires the user to be a US person. A foreign-national engineer with otherwise legitimate access to your network may not access ITAR-controlled drawings, source code, or technical specifications without a license or exemption.
  • The "deemed export" rule means releasing ITAR data to a foreign person — anywhere — is an export. A foreign-national administrator viewing ITAR data on a server in the United States is, in regulatory terms, an export to that person's country of nationality. Without a license, the export is unauthorized.

EAR's analogous rule is more nuanced: not all EAR-controlled technology requires a license to release to foreign persons, but some categories do — typically those with national security or missile technology controls. The specific Export Control Classification Number (ECCN) of the technology dictates the rule.

For practical compliance: if you handle ITAR-controlled CUI, you must implement access controls that restrict ITAR data to US-person users. This is an additional layer on top of the access controls CMMC requires for CUI generally.

Cloud Constraints

Cloud services that handle ITAR data face two stacked requirements. First, the FedRAMP-equivalence rule from DFARS 7012 applies (the cloud must be FedRAMP Moderate authorized or equivalent). Second, the US-person rule applies to the cloud provider's administrative personnel — anyone with privileged access to the infrastructure that holds your data must be a US person.

The major cloud providers offer dedicated environments to address this:

  • Microsoft Azure Government and Microsoft 365 GCC High — operated by US-person Microsoft personnel, in US-only data centers, with screening and clearance levels appropriate to the government workload
  • AWS GovCloud (US) — same pattern: US-person administration, US-only infrastructure, designed for ITAR-eligible workloads
  • Google Cloud's Assured Workloads — provides a controlled environment within Google Cloud with US-person personnel constraints
  • Oracle Government Cloud — analogous offering for US-government workloads

Commercial cloud offerings — including the standard versions of Azure, AWS, and Google Cloud — do not meet the US-person requirement for administrative personnel and are therefore unsuitable for ITAR-controlled data. The same is true for general-public cloud services (Dropbox, Box commercial, Slack commercial, the consumer versions of Microsoft 365 and Google Workspace).

"FedRAMP equivalent" is necessary but not sufficient for ITAR. A cloud service that meets the FedRAMP Moderate equivalence bar may still fail ITAR if its administrative personnel include foreign persons. Verify both: (1) FedRAMP authorization or equivalence for CMMC compliance, and (2) US-person administration for ITAR compliance.

MSP and Offshore Constraints

The same US-person rule applies to managed service providers and outsourced IT support. An MSP whose technicians access your systems holding ITAR-controlled CUI must staff the engagement with US persons — even if the work is performed remotely from within the United States.

Common MSP arrangements that fail under ITAR:

  • Offshore tier-1 support. Many MSPs route initial support requests to offshore call centers (Philippines, India, Eastern Europe). If those technicians have any access to systems holding ITAR data, the arrangement is non-compliant.
  • Foreign-national US-based technicians. A US-based MSP may employ foreign-national engineers on H-1B visas. If those engineers have access to ITAR-controlled data, the arrangement is non-compliant unless a license or exemption applies.
  • "Follow the sun" support models. 24/7 support that hands off between US, EMEA, and APAC regions cannot be used for ITAR systems unless the non-US personnel are demonstrably excluded from the relevant access.
  • Outsourced cloud administration. If your cloud platform is administered by an MSP whose personnel include foreign persons, the same restriction applies.

The compliance posture for ITAR work is typically: (1) a US-person-only engagement model with the MSP, contractually required and verified through MSP attestation; (2) technical access controls that restrict the relevant systems to the named US-person personnel; (3) audit logging that confirms only authorized personnel actually access the systems.
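The US-person access check from the US-Person Rule section and the audit-log review from step (3) above, as an added example that is not part of this guide or of any vendor's tooling. The roster, resource tags, TAA id and log lines are constructed; a user whose TAA id matches the resource stands in for "a license or exemption applies", and EAR-tagged data is left to a per-ECCN rule that this check does not model.

```python
from dataclasses import dataclass

@dataclass
class User:
    uid: str
    us_person: bool                    # citizen, green-card holder or protected individual
    licenses: frozenset = frozenset()  # ids of TAAs/licenses that name this person
@dataclass
class Resource:
    name: str
    control: str                       # "ITAR", "EAR" or "NONE"
    licenses: frozenset = frozenset()  # ids of TAAs/licenses that cover this data

def access_allowed(user, res):
    """ITAR data needs a US person or a TAA/license naming this user for this data.
    EAR handling depends on the ECCN and is outside this check, so it passes here."""
    if res.control != "ITAR":
        return True
    return user.us_person or bool(user.licenses & res.licenses)

def review_access_log(lines, users, resources):
    """Flag entries the policy should have denied; constructed line format is
    '<timestamp> <uid> <resource> <action>'."""
    findings = []
    for line in lines:
        _ts, uid, rname, _action = line.split()
        user, res = users.get(uid), resources.get(rname)
        if user is None or res is None:
            findings.append((line, "unknown user or resource"))
        elif not access_allowed(user, res):
            findings.append((line, f"{uid} is a foreign person with no license for {rname}"))
    return findings

# Constructed roster, resources and log: every uid, name and TAA id is made up.
USERS = {
    "alice":  User("alice", True),
    "bob":    User("bob", False),                             # H-1B engineer, no license
    "carol":  User("carol", False, frozenset({"TAA-0001"})),  # named on one TAA
    "msp-l1": User("msp-l1", False),                          # offshore MSP technician
}
RESOURCES = {
    "plm-itar":  Resource("plm-itar", "ITAR", frozenset({"TAA-0001"})),
    "git-itar":  Resource("git-itar", "ITAR"),
    "wiki-corp": Resource("wiki-corp", "NONE"),
}
LOG = """2024-05-01T09:00Z alice plm-itar read
2024-05-01T09:05Z bob git-itar clone
2024-05-01T09:10Z carol plm-itar read
2024-05-01T09:12Z carol git-itar read
2024-05-01T22:30Z msp-l1 git-itar admin-login
2024-05-01T22:31Z msp-l1 wiki-corp read
2024-05-01T23:00Z dave plm-itar read""".splitlines()
```

Running `review_access_log(LOG, USERS, RESOURCES)` flags bob's clone, carol's read of the repository her TAA does not cover, the offshore technician's admin login, and an account not on the roster; the same function can be pointed at exported sign-in or file-access logs once the roster carries a verified US-person attribute.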

For the broader vendor oversight picture, see the MSP and vendor oversight guide.

Common Scenarios

A small machine shop receives technical drawings from a prime for a Navy missile component. The drawings are marked "CUI//SP-CTI" and the contract notes the work involves USML Category IV.

CMMC Level 2 + ITAR. The CTI marking triggers DFARS 7012; the USML Category IV reference triggers ITAR. The shop must register with DDTC, restrict access to the drawings to US-person employees only, and use ITAR-compliant cloud or on-premise systems for storage. CMMC Level 2 controls apply on top of these export-control restrictions.

An aerospace contractor handles drawings for a commercial aviation product that has dual-use applications. The drawings are CUI but the underlying technology is on the Commerce Control List, not the USML.

CMMC Level 2 + EAR. The drawings fall under EAR rather than ITAR. EAR rules vary by ECCN and destination country — release to foreign persons may or may not require a license depending on the specific technology. The contractor must classify the technology to its ECCN and apply the appropriate handling rules. US-person restriction may or may not apply depending on the ECCN.

A software company is developing software for a defense program. The software itself is not classified, but its source code includes algorithms specifically designed for the program. The contract identifies it as ITAR-controlled.

CMMC Level 2 + ITAR for the source code. Source code embodies technical data; ITAR applies. Contributors must be US persons; the source repository must be hosted on infrastructure with US-person administration; CI/CD pipelines and code review tools must meet the same constraints. Note that compiled object code may also be ITAR-controlled in many cases — the regulatory analysis applies to both.

An engineering firm has a foreign-national engineer (a UK citizen on an H-1B) on staff. The firm is bidding on a Navy contract that will require ITAR-controlled work.

The engineer cannot access the ITAR data without a license. The firm has options: (1) staff the contract with US-person engineers only and exclude the foreign-national engineer from access to ITAR systems; (2) apply for a Technical Assistance Agreement (TAA) authorizing release to the specific foreign person; (3) use a license exception if one applies; or (4) decline the work. Architecturally, the most common solution is (1) — segregate ITAR systems and personnel from the rest of the engineering organization.

A subcontractor is told by their prime that they will receive ITAR-controlled drawings for an upcoming program. The sub uses an MSP for IT support, and the MSP staffs the account with a mix of US-person and foreign-national engineers.

The MSP arrangement must change before any ITAR data flows. The sub must require the MSP to provide US-person-only support for the ITAR-handling systems, contractually and operationally. If the MSP cannot or will not, the sub must either change MSPs, in-source the IT support for the ITAR systems, or decline the program. There is no "we trust them" workaround.

Registration Obligations

ITAR registration is a separate compliance obligation from CMMC. Anyone who manufactures, exports, or brokers ITAR-controlled defense articles must register with DDTC, regardless of whether they ever export anything. Manufacturing alone — making ITAR-controlled items in the United States, even for purely domestic delivery — triggers the registration requirement.

Registration is annual and involves a fee, a registration statement, and certification by a senior officer. DDTC publishes the requirements at the State Department's DDTC website. The registration creates an ongoing relationship with DDTC and certain reporting obligations (changes in foreign ownership, changes in officers, etc.).

EAR has no analogous general registration; license obligations attach to specific transactions. If your EAR-controlled work involves no exports (no release to foreign persons or foreign destinations), you may not need any specific authorization — though you must still classify the technology and confirm no transactions trigger license requirements.

Common Pitfalls

Patterns that result in violations

  • Treating ITAR as a marking that lives only on the document. ITAR controls follow the technical data wherever it goes — into your file shares, into your engineers' working files, into the prints sent to a vendor. The marking is a flag; the obligation is operational.
  • Assuming a US-based cloud satisfies the US-person rule. Microsoft commercial Azure, AWS commercial regions, and Google Cloud commercial all have US data centers — but global administrative personnel. The data center location is necessary but not sufficient; administrative personnel must also be US persons.
  • Forgetting that source code and CAD files are technical data. Software repositories, CAD/PLM systems, and engineering simulation environments are common ITAR data stores. They are subject to the same access controls as drawings.
  • Foreign-national contractor or consultant access. A consultant brought in for a specific project, an outside counsel reviewing a technical filing, an investor due-diligence team — any external party with access to ITAR data must include only US persons (or be operating under a license).
  • "Deemed export" through screen sharing. A screen-share with a foreign-national colleague where ITAR data is visible is a deemed export. This includes informal collaboration tools, video calls with screen share, and remote support sessions.
  • Mixed-environment compromise. An organization that handles both ITAR and non-ITAR work and lets users move between systems creates risk. Contracts that begin as non-ITAR and become ITAR mid-program are common; the access model must change accordingly.
  • Failure to flow ITAR obligations to subs. Just as DFARS 7012 flows down to subs handling CDI, ITAR obligations flow to subs handling ITAR-controlled technical data. Subcontracts must include explicit ITAR clauses.
  • Treating EAR as "lighter" than ITAR. EAR violations are also serious. The lower visibility of EAR enforcement does not change the severity of penalties for violations.
  • Not classifying the technology before deciding handling rules. The ECCN classification of EAR-controlled technology drives the entire compliance posture. Skipping this step leads to either over-restriction (unnecessary cost) or under-restriction (violation).

Authoritative References

Related resources: See the FedRAMP equivalence section of the enclave architecture guide for the cloud-side constraints, and the vendor oversight guide for managing MSP relationships under ITAR.