NIST SP 800-171 Assessment Checklist
Download our checklist to help prepare for your NIST assessment.
.jpg?ext=.jpg)
What is ITAR?
ITAR, the Acronym
The International Traffic in Arms Regulations (ITAR) is a set of US government regulations that control the export and import of defense-related articles, services, and technical data under 22 CFR parts 120-130. ITAR is administered by the U.S. Department of State, Directorate of Defense Trade Controls (DDTC). DDTC also maintains the U.S. Munitions List (USML) ITAR part 121, which details the twenty-one (21) categories of defense articles subject to ITAR controls. Some of the categories are Submersible Vessels, Spacecraft, Guns and Armament, and more. The main idea is to prevent the export of technology and products to specific states that are viewed as antagonistic toward the United States.
The Relationship Between CUI and ITAR
All ITAR is CUI, but not all CUI is ITAR. ITAR products, technology, and data require special marking, handling, and restrictions on distribution and dissemination. Protecting ITAR and CUI are similar, but the requirements of protecting DoD CUI using NIST SP 800-171 may not meet the additional security and handling requirements of ITAR.
There are two additional key differences between ITAR and CUI: First, commercial off the shelf (COTS) or commercial products are general excluded from CUI and NIST SP 800-171 under the DFARS. However, commercially available components and software algorithms used in the development of a product can fall under the ITAR. Second, manufacturers can self-classify their items by reviewing the ITAR and USML, but under DFARS the designations of CUI can only be assigned by the Department of Defense.
While the U.S. Department of State does not have a CMMC equivalent, at this time, NARA’s CUI Notice 2020-04: “Assessing Security Requirements for CUI in Non-Federal Information” sets NIST SP 800-171 as the minimum cybersecurity requirements for ITAR.
How to Know if You Have ITAR
The first step is to register with the Director of Trade Defense Controls (DTDC). The DTDC website also has excellent guidance for defense contractors. The best starting point is the page titled “Getting and Staying in Compliance with ITAR.” In addition to hyperlinking other useful resources, the page also offers contractors tips on how to set up an ITAR compliance program. It also provides a checklist of items to review before exporting any type of product or data.
Can Smithers Help Me with ITAR?
While there is not a formal certification or audit for ITAR compliance and Smithers is not able to assess your organization’s ITAR conformance, we can conduct the assessment of the information systems used to store and protect the ITAR data under CMMC/NIST SP 800-171. Reach out to our experts if you’d like to start a conversation.