Regulatory Compliance. Legal Obligations Mapped to Security Controls.
Regulatory Compliance Guide
Defense contractors and exporters face overlapping regulatory obligations that carry criminal penalties for noncompliance. DFARS 252.204-7012 mandates CUI protection through NIST 800-171. ITAR restricts defense articles and technical data to authorized persons and destinations. EAR controls dual-use technologies that serve both civilian and military applications. Each regime has distinct requirements, but they share a common foundation in security posture.
Regulatory Compliance
Regulatory obligations are legal mandates, not compliance frameworks you choose to adopt.
DFARS, ITAR, and EAR are not voluntary standards. They are federal regulations enforced through contract law, criminal statute, and administrative action. Organizations in the defense industrial base and export community do not decide whether to comply. They decide how to comply, or they face debarment, fines, and prosecution. These regulations overlap in practice because the same organization often handles CUI under DFARS, defense articles under ITAR, and dual-use technology under EAR simultaneously. Redoubt Forge maps these regulatory obligations to the security controls that satisfy them.
Three regulatory regimes govern how defense contractors and exporters handle sensitive information and controlled technologies. DFARS 252.204-7012 is a contract clause inserted into Department of Defense contracts that requires contractors to safeguard Controlled Unclassified Information (CUI) by implementing the 110 security requirements of NIST 800-171. The International Traffic in Arms Regulations (ITAR), administered by the State Department's Directorate of Defense Trade Controls, controls the export and temporary import of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). The Export Administration Regulations (EAR), administered by the Commerce Department's Bureau of Industry and Security, control the export of dual-use items, commercial items with military applications, and certain technologies listed on the Commerce Control List (CCL). These three regimes address different categories of controlled items through different legal authorities, but they converge on the same organizations.
The convergence is not coincidental. A defense contractor developing an advanced sensor system handles CUI (the system's design specifications marked as CUI under DoD guidelines), ITAR-controlled technical data (the sensor's performance parameters that appear on the USML), and EAR-controlled components (commercial microprocessors with military applications that appear on the CCL). The same engineer accessing the same file server may be subject to all three regimes simultaneously depending on which files are accessed. DFARS requires that the file server implement NIST 800-171 controls. ITAR requires that access be restricted to U.S. persons unless an export license or exemption applies. EAR requires that the dual-use components not be exported, re-exported, or transferred to prohibited end users, end uses, or destinations. Each regime imposes access restrictions, but the restrictions operate on different criteria: DFARS restricts based on CUI handling authorization, ITAR restricts based on citizenship and nationality, and EAR restricts based on end-use and destination analysis.
The legal authorities behind these regulations carry distinct enforcement mechanisms. DFARS violations are contract breaches that can result in False Claims Act liability, contract termination, suspension, and debarment from government contracting. ITAR violations are criminal offenses under the Arms Export Control Act, carrying penalties up to $1 million per violation and 20 years imprisonment. EAR violations under the International Emergency Economic Powers Act carry criminal penalties up to $1 million per violation and 20 years imprisonment, plus civil penalties up to $330,000 per violation or twice the transaction value. These are not theoretical maximums cited for deterrence. Federal agencies actively enforce all three regimes. Organizations that fail to distinguish between these regulatory obligations, or that treat them as interchangeable compliance requirements, expose themselves to enforcement actions across multiple jurisdictions simultaneously.
Organizations subject to multiple regulatory regimes face a classification problem before they face a compliance problem. The same piece of technical data may be CUI under DFARS, ITAR-controlled under the USML, or EAR-controlled under the CCL, and the applicable regime determines which controls apply, which persons may access the data, and which transfer mechanisms are permissible. Misclassification is not a minor administrative error. Treating ITAR-controlled technical data as merely CUI means applying NIST 800-171 controls without the ITAR access restrictions. A foreign national employee with CUI access authorization but without ITAR authorization could access defense technical data in violation of the Arms Export Control Act. The organization complied with DFARS but violated ITAR because it failed to classify the data under the correct regime. This classification failure is the most common source of inadvertent regulatory violations in organizations that handle multiple categories of controlled information.
The organizational structure of most companies compounds the classification problem. Export control compliance is typically managed by a dedicated export compliance officer or team within the legal department. DFARS compliance is managed by the cybersecurity or information security team. These teams use different tools, follow different procedures, and report to different executives. The export compliance team maintains a Technology Control Plan that specifies physical and logical access restrictions for ITAR and EAR data. The cybersecurity team maintains a System Security Plan that documents NIST 800-171 implementation for CUI systems. Neither document references the other. When a new system is deployed or an existing system is modified, each team conducts its own review independently. The export compliance team evaluates whether the system handles USML or CCL items. The cybersecurity team evaluates whether the system handles CUI. If both reviews occur, the results are filed separately. If one review is missed, the system enters production with an incomplete regulatory assessment.
The penalty asymmetry between regimes creates a dangerous incentive misalignment. DFARS noncompliance is primarily a contractual matter: the organization risks losing contracts and facing False Claims Act exposure. ITAR and EAR noncompliance is a criminal matter: individuals face imprisonment and the organization faces criminal prosecution. Yet most organizations invest more compliance effort in DFARS (because it directly affects contract eligibility) than in ITAR and EAR (because export control violations are perceived as unlikely until they occur). This perception is incorrect. The State Department and Bureau of Industry and Security conduct investigations based on tips, anomalous export patterns, and cooperation with intelligence agencies. Voluntary self-disclosures of ITAR violations receive more favorable treatment than violations discovered through investigation, but even voluntary disclosures result in consent agreements, monitoring requirements, and remediation obligations. Organizations that discover an ITAR violation during a DFARS compliance review face the additional complexity of managing a voluntary self-disclosure process while maintaining their defense contracts.
DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is a contract clause that imposes two primary obligations on defense contractors. First, contractors must provide "adequate security" for covered contractor information systems by implementing the 110 security requirements of NIST 800-171 rev2 (or equivalent alternative security measures approved by the DoD CIO). Second, contractors must report cyber incidents to the DoD within 72 hours through the Defense Industrial Base Cybersecurity portal and preserve images of affected systems for 90 days. The clause applies to any contract that involves CUI: information that the government creates or possesses that requires safeguarding or dissemination controls, but that is not classified. CUI categories include Controlled Technical Information, Export Controlled information (creating direct overlap with ITAR and EAR), Critical Infrastructure Security Information, and Naval Nuclear Propulsion Information, among others defined in the CUI Registry. For the complete deep dive, see DFARS 252.204-7012 CUI Protection.
The DFARS clause flows down to subcontractors. When a prime contractor receives a contract containing DFARS 252.204-7012, it must include the clause in any subcontract where the subcontractor will handle CUI. This flowdown requirement creates a compliance cascade through the supply chain: a small machine shop subcontracting to manufacture a CUI-marked component must implement NIST 800-171 on the systems that store, process, or transmit the technical data package. The flowdown obligation is not discretionary. Prime contractors that fail to include the clause in applicable subcontracts violate their own contractual obligation. Subcontractors that receive the clause and fail to implement NIST 800-171 expose both themselves and their prime to False Claims Act liability. The CMMC certification requirement, when fully enforced, adds a verification layer: subcontractors must not only implement NIST 800-171 but demonstrate that implementation through third-party assessment at the level specified in the solicitation.
The 72-hour cyber incident reporting requirement deserves particular attention because it operates on a different timeline than any other regulatory obligation these organizations face. When a contractor discovers a cyber incident that affects a covered contractor information system or CUI, the clock starts. Within 72 hours, the contractor must report the incident to the DoD through the DIBNet portal, including a description of the incident, the CUI affected, the systems involved, and the contractor's internal investigation status. The contractor must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days. If the DoD elects to conduct a damage assessment, the contractor must provide the preserved data. This reporting obligation exists independently of any other incident reporting requirements. An incident that also involves ITAR-controlled data requires a separate voluntary self-disclosure to the Directorate of Defense Trade Controls. An incident involving EAR-controlled data may require notification to the Bureau of Industry and Security. Each notification has its own timeline, its own format, and its own legal implications.
The International Traffic in Arms Regulations control the export, temporary import, and brokering of defense articles, defense services, and related technical data. ITAR is administered by the State Department's Directorate of Defense Trade Controls (DDTC) under the authority of the Arms Export Control Act (AECA). The scope of ITAR is defined by the United States Munitions List (USML), which enumerates 21 categories of defense articles ranging from firearms and ammunition (Category I) to spacecraft and related articles (Category XV) to classified articles not otherwise enumerated (Category XXI). If an item, service, or piece of technical data falls within the USML's definitions, ITAR applies. The determination of whether something is USML-controlled is a legal classification called a commodity jurisdiction determination. Organizations that are unsure whether their products or technical data fall under ITAR or EAR can submit a formal Commodity Jurisdiction Request to DDTC, but the organization bears responsibility for accurate self-classification in the interim. For the complete deep dive, see ITAR Defense Article Controls.
ITAR's access restriction model is fundamentally different from DFARS. Where DFARS restricts access based on CUI handling authorization (any authorized person may access CUI regardless of citizenship), ITAR restricts access based on citizenship and nationality. Only U.S. persons (citizens, lawful permanent residents, and protected individuals as defined under 8 U.S.C. 1324b) may access ITAR-controlled technical data without a license or exemption. Any disclosure of ITAR-controlled information to a foreign person, whether inside or outside the United States, constitutes an export. This includes a foreign national employee sitting in your office accessing a file share that contains ITAR technical data. It includes a video conference where ITAR-controlled information is discussed with foreign national participants. It includes cloud storage where the cloud provider's foreign national employees could theoretically access the data. The "deemed export" rule treats domestic disclosure to foreign persons identically to physical export across national borders. Organizations must implement access controls that enforce citizenship-based restrictions, not merely role-based restrictions.
ITAR compliance requires a Technology Control Plan (TCP) that documents the physical, logical, and administrative controls preventing unauthorized access to ITAR-controlled articles and data. The TCP must address facility access (preventing foreign national visitors from accessing restricted areas), IT system access (preventing foreign national employees and contractors from accessing ITAR data repositories), and verbal disclosure (preventing inadvertent discussion of ITAR-controlled information in mixed-citizenship settings). The TCP must be maintained as a living document that reflects the current environment. Personnel changes, facility modifications, IT system deployments, and new program starts all potentially affect the TCP's accuracy. Organizations registered with DDTC must also file annual compliance reports and maintain records of all export transactions, licenses, and agreements. The registration itself is an annual obligation; failure to maintain current registration while engaging in ITAR-controlled activities is an independent violation regardless of whether any unauthorized export occurred.
The Export Administration Regulations control the export, re-export, and in-country transfer of dual-use items: products, software, and technology that have both civilian and military applications. EAR is administered by the Commerce Department's Bureau of Industry and Security (BIS) under multiple legal authorities including the Export Control Reform Act of 2018. The scope of EAR is defined by the Commerce Control List (CCL), organized into ten categories (from Category 0: Nuclear Materials to Category 9: Aerospace and Propulsion) and five product groups (equipment, test and production equipment, materials, software, and technology). Items not specifically listed on the CCL but subject to EAR jurisdiction are classified as EAR99, which means they may generally be exported without a license unless the export involves a prohibited end user, end use, or destination. The classification process requires analyzing the item's technical specifications against the CCL's control parameters, a process called determining the item's Export Control Classification Number (ECCN). For the complete deep dive, see EAR Dual-Use Technology Controls.
EAR's control model differs from both DFARS and ITAR in a fundamental way. Where DFARS controls based on information category (CUI) and ITAR controls based on citizenship (U.S. persons only), EAR controls based on a matrix of item classification, destination country, end user, and end use. An item classified under ECCN 5A002 (information security equipment employing cryptographic functionality) may be exported to most allied nations without a license under License Exception ENC, but requires a license for export to countries subject to comprehensive sanctions. The same item may be exported license-free to a commercial end user in a permissive destination but require a license if the end user appears on the Entity List, Denied Persons List, or Unverified List maintained by BIS. This multi-factor determination means that EAR compliance cannot be reduced to a simple access control list. Each export transaction requires analyzing the specific item, the specific destination, the specific end user, and the specific end use against current regulations, sanctions programs, and restricted party lists.
The "deemed export" concept under EAR parallels ITAR but operates on different criteria. Under EAR, releasing controlled technology or source code to a foreign national in the United States is deemed an export to that person's most recent country of citizenship or permanent residency. Unlike ITAR's categorical restriction to U.S. persons, EAR's deemed export analysis depends on the specific technology's ECCN, the foreign national's country of citizenship, and the applicable reasons for control. A German national accessing EAR99 technology requires no license. The same person accessing ECCN 3E001 (technology for development of certain semiconductor equipment) requires an analysis of whether Germany triggers any reason for control for that ECCN. The determination may be straightforward or complex depending on the intersection of the technology's classification and the individual's nationality. Organizations with international workforces must conduct this analysis for every combination of controlled technology and foreign national employee, and must implement access controls that enforce the results. The analysis is not static; changes to the CCL, the Country Chart, or the restricted party lists can change the outcome for existing employee-technology combinations without any action by the organization.
When an item, technology, or dataset falls under multiple regulatory regimes simultaneously, precedence rules determine which regime's requirements govern. ITAR takes precedence over EAR for items on the USML. If a commodity jurisdiction determination places an item on the USML rather than the CCL, ITAR's stricter access controls apply. The Export Control Reform Act of 2013 moved several categories of items from the USML to the CCL as part of export control reform, but items that remain on the USML are subject exclusively to ITAR. CUI markings under DFARS and export control markings under ITAR or EAR are independent designations. A piece of technical data can simultaneously be CUI (requiring NIST 800-171 protection under DFARS), ITAR-controlled (requiring U.S. person access restrictions), and subject to a specific export license (requiring tracking of all disclosures under the license terms). Each designation adds requirements; none displaces the others.
Multi-regime items create operational complexity that cannot be resolved through uniform application of the most restrictive controls. Applying ITAR's U.S.-person-only restriction to all CUI would prevent authorized foreign national employees from accessing CUI that is not export-controlled. Applying EAR's destination-based analysis to ITAR-controlled items would understate the restriction because ITAR does not use destination-based exceptions in the same way. Applying DFARS' CUI controls to all ITAR data would omit the citizenship verification, deemed export analysis, and Technology Control Plan requirements that ITAR demands. Each regime's controls must be applied to the specific data and activities that fall under that regime's jurisdiction. This requires accurate classification at the data level, not the system level. A single file server may contain CUI-only files, ITAR-controlled files, EAR-controlled files, and files subject to multiple regimes. The access controls must enforce the correct restrictions for each category, which means the classification must be maintained at the file or dataset level and the access control system must evaluate each access request against the applicable regime's requirements.
Conflict resolution between overlapping regimes follows established principles but requires careful implementation. When DFARS requires NIST 800-171 access controls and ITAR requires U.S.-person access restrictions, both requirements apply simultaneously. The access control system must verify that the user is authorized to access CUI (DFARS) AND that the user is a U.S. person for ITAR-controlled data. Rampart maintains the regulatory classification for each system and maps applicable controls from every active regime. Sentinel monitors access patterns across regime boundaries, detecting when access to multi-regime data occurs without all applicable authorizations verified. Artificer generates regime-specific narratives that document how each regulatory obligation is satisfied, producing the DFARS System Security Plan, the ITAR Technology Control Plan documentation, and the EAR compliance records from the same underlying control implementations. The platform does not merge the regimes into a single compliance program. It maintains each regime's distinct requirements while identifying the shared controls that satisfy multiple obligations simultaneously.
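The data-level, every-regime-must-allow evaluation described above, as an added example that is not Redoubt Forge or Rampart code: each subject carries the attribute each regime checks (CUI authorization, U.S.-person status, nationality), each file carries one label per regime, and the request is granted only when every applicable check passes, failing closed where no current determination exists. The country-chart table, country codes, license id, subject names and file paths are constructed placeholders, not real BIS or DDTC determinations; restricted-party screening for EAR99 items is outside what this block shows.

```python
"""Added example, not Redoubt Forge code: evaluate one access request against every
regime that applies to the requested file, granting only if all of them allow."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subject:
    name: str
    cui_authorized: bool          # DFARS: authorized to handle CUI (citizenship irrelevant)
    us_person: bool               # ITAR/EAR: citizen, lawful permanent resident, protected individual
    nationality: str              # EAR deemed export: most recent country of citizenship/residency
    itar_licenses: frozenset = frozenset()   # license/exemption ids that cover this foreign person


@dataclass(frozen=True)
class DataLabel:
    """Classification kept per file, not per server; any combination of regimes may apply."""
    path: str
    cui: bool = False
    itar: bool = False
    eccn: Optional[str] = None            # EAR classification; None = not subject to the EAR
    itar_license: Optional[str] = None    # license under which foreign-person disclosure is permitted


# CONSTRUCTED stand-in for the Country Chart / reasons-for-control analysis. Keys are
# (ECCN, country code); the country codes and outcomes are invented for illustration and
# are not real BIS determinations. Any pair missing from the table is treated as unknown.
DEEMED_EXPORT_TABLE = {
    ("3E001", "XA"): "license_required",
    ("3E001", "XB"): "no_license_required",
}


def dfars_check(subject: Subject, label: DataLabel) -> Optional[str]:
    if not label.cui:
        return None                      # regime does not apply to this file
    return None if subject.cui_authorized else "DFARS: subject not authorized to handle CUI"


def itar_check(subject: Subject, label: DataLabel) -> Optional[str]:
    if not label.itar or subject.us_person:
        return None
    if label.itar_license and label.itar_license in subject.itar_licenses:
        return None                      # foreign person covered by a license or exemption
    return "ITAR: foreign person without a covering license or exemption (deemed export)"


def ear_check(subject: Subject, label: DataLabel, table=DEEMED_EXPORT_TABLE) -> Optional[str]:
    if label.eccn is None or label.eccn == "EAR99" or subject.us_person:
        return None                      # not controlled, or release to a U.S. person is not a deemed export
    outcome = table.get((label.eccn, subject.nationality))
    if outcome == "no_license_required":
        return None
    if outcome is None:                  # chart or lists may have changed: fail closed, never guess
        return f"EAR: no current determination for {label.eccn}/{subject.nationality}; denied (fail closed)"
    return f"EAR: license required to release {label.eccn} to a national of {subject.nationality}"


def evaluate(subject: Subject, label: DataLabel) -> tuple[bool, list[str]]:
    """Every applicable regime must allow the request; none displaces another."""
    checks = (dfars_check(subject, label), itar_check(subject, label), ear_check(subject, label))
    reasons = [r for r in checks if r]
    return (not reasons, reasons)


# Constructed sample subjects and files (no real people, paths, licenses or determinations).
US_ENGINEER = Subject("us-engineer", cui_authorized=True, us_person=True, nationality="US")
FOREIGN_ENGINEER = Subject("foreign-engineer", cui_authorized=True, us_person=False, nationality="XA")
LICENSED_ENGINEER = Subject("licensed-engineer", True, False, "XA", frozenset({"LICENSE-PLACEHOLDER-1"}))
UNKNOWN_ENGINEER = Subject("unknown-engineer", cui_authorized=True, us_person=False, nationality="XC")
SENSOR_SPEC = DataLabel("/srv/sensor/spec.pdf", cui=True, itar=True, itar_license="LICENSE-PLACEHOLDER-1")
CUI_ONLY = DataLabel("/srv/sensor/schedule.xlsx", cui=True)
SEMI_TECH = DataLabel("/srv/eng/process-notes.md", eccn="3E001")

if __name__ == "__main__":
    for subj in (US_ENGINEER, FOREIGN_ENGINEER, LICENSED_ENGINEER, UNKNOWN_ENGINEER):
        for lbl in (SENSOR_SPEC, CUI_ONLY, SEMI_TECH):
            allowed, why = evaluate(subj, lbl)
            print(f"{subj.name:18} {lbl.path:26} {'ALLOW' if allowed else 'DENY'}  {'; '.join(why)}")
```

The foreign engineer with CUI authorization is allowed the CUI-only file but denied the CUI-plus-ITAR file, which is exactly the misclassification failure from the classification discussion: DFARS satisfied, ITAR violated, unless the ITAR check runs on the same request.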
DFARS 252.204-7012 does not exist in isolation. It is one node in a network of interconnected requirements that defense contractors must satisfy. CMMC Level 2 IS NIST 800-171 rev2, verified by a C3PAO. DFARS 252.204-7012 requires NIST 800-171 implementation as the minimum standard for CUI protection. Organizations pursuing CMMC Level 2 certification are simultaneously satisfying their DFARS obligation because the underlying security requirements are identical. FedRAMP enters the picture when contractors use cloud services to process CUI: DFARS requires that cloud service providers meet FedRAMP Moderate equivalency at minimum for CUI workloads. NIST 800-171 derives from the NIST 800-53 Moderate baseline, and FedRAMP Moderate is a specific selection from the same 800-53 catalog with additional FedRAMP-specific controls. The derivation chain connects these frameworks structurally: work done for one advances the others because they share the same control lineage.
ITAR and EAR compliance requirements map to specific NIST 800-53 control families even though neither regulation explicitly references 800-53. ITAR's access restrictions map to AC (Access Control) and PE (Physical and Environmental Protection) families. ITAR's technical data handling requirements map to MP (Media Protection), SC (System and Communications Protection), and AU (Audit and Accountability). EAR's end-user screening requirements map to organizational processes that can be supported by AC and PS (Personnel Security) controls. The Technology Control Plan required by ITAR describes implementations that correspond to 800-53 controls across multiple families. Organizations that have already implemented 800-53 controls for their security baseline possess the control infrastructure needed to satisfy regulatory requirements; the gap is in applying those controls to the specific regulatory criteria (citizenship verification for ITAR, end-use analysis for EAR) rather than only the security criteria (authorized access for CUI).
The cross-framework connection is most valuable when organizations recognize that their regulatory compliance investments compound. An organization that achieves CMMC Level 2 certification has implemented 110 security requirements that satisfy DFARS, advance FedRAMP Moderate readiness, and provide the control infrastructure for ITAR and EAR compliance. Adding ITAR compliance to that foundation requires extending existing access controls with citizenship verification, not building a parallel access control system. Adding EAR compliance requires extending existing data classification with ECCN analysis, not creating a separate classification scheme. Rampart computes readiness across all active regulatory and framework requirements simultaneously, showing exactly where DFARS compliance advances CMMC certification, where CMMC work satisfies FedRAMP controls, and where the existing security baseline provides the foundation for ITAR and EAR overlay requirements. Sentinel collects evidence once from connected infrastructure and maps it to every applicable requirement. Artificer produces the regulatory-specific documentation each regime demands from the shared control implementations. One security posture. Every regulatory obligation addressed.
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.