Find your CMMC path
No CUI, ITAR data, or contract attachmentsStart →

Phase 1 (Nov. 10, 2025–Nov. 9, 2026): Level 1 and Level 2 self-assessments; DoD may include Level 2 C3PAO at its discretion. Phase 2 (begins Nov. 10, 2026): Level 2 C3PAO certification becomes standard for applicable contracts. What the phases mean for your contract →

CMMC Compliance for ITAR Companies

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

Last verified: June 8, 2026 · Published: June 8, 2026

Editorial research, not legal or compliance advice. Not affiliated with the Cyber AB, DCMA DIBCAC, the DoD, NIST, the State Department’s DDTC, or any U.S. government agency. Confirm your contract language, CUI markings, and export-control obligations with your contracting authority or qualified counsel.

If you run an ITAR-registered shop and a CMMC clause just landed in a new solicitation — or a prime emailed you about “flow-down” — here’s the short version. CMMC compliance for ITAR companies is not triggered by your ITAR registration. It’s triggered by your Department of Defense contract, specifically whether your systems process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). And here’s the part that trips people up: your ITAR registration doesn’t get you any credit toward CMMC. They’re parallel obligations with different triggers, different governing agencies, different control sets, and different penalties for failure.

So if you came here asking “we’re ITAR, do we need CMMC?”, the honest answer is: probably yes, but not for the reason you think, and not necessarily at the level a vendor just quoted you. The thing that actually decides your cost and your deadline isn’t the level. It’s your assessment path, where your data lives, and one date on the calendar — November 10, 2026. We’ll come back to all three.

One honest note first, because it shapes everything below. We’re a publication — not your assessor, your lawyer, or your managed service provider. We can’t certify you, and we won’t insult you by claiming any single product “makes you compliant.” What we do is read the primary sources, separate what the rules actually require from what’s being sold to you, and point you to the provider category that fits your situation. That’s the whole job. It’s also why we can be blunt about what the rules actually say.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This page is informational, not legal, contractual, or export-control advice.

What actually triggers CMMC compliance for ITAR companies?

CMMC is triggered by a DoD contract requirement, not by ITAR status. It applies when a solicitation, contract, subcontract, or prime flow-down requires a CMMC level because your information system handles FCI or CUI. ITAR — the International Traffic in Arms Regulations, 22 CFR Parts 120–130, administered by the State Department’s Directorate of Defense Trade Controls (DDTC) — controls who may access defense articles and related technical data, and where that data may go. CMMC controls how you cybersecurity-protect the information you handle under DoD contracts. They’re different triggers, different agencies, different obligations.

Most of the confusion comes from collapsing those two regimes into one. Before you buy anything, find your row in the table below — built by cross-reading the CMMC Program rule (32 CFR Part 170), the CMMC contract clause (DFARS 252.204-7021), and the ITAR definition of technical data (22 CFR §120.33).

The ITAR → CMMC Trigger Matrix

Your situation	Does ITAR alone trigger CMMC?	Likely CMMC path	First evidence to pull	Provider category to consider first
ITAR-registered, but no DoD contract/subcontract requiring FCI or CUI handling	No — separate triggers	CMMC may not apply yet. Keep your export-compliance program current and watch new solicitations and flow-downs.	DDTC registration, export classifications, current contracts/POs, any prime flow-down language	Export-control counsel/advisor first; a CMMC provider only when DoD FCI/CUI enters scope
You handle FCI only, no CUI	ITAR may still apply separately; the CMMC path follows the FCI	Usually Level 1 — 15 safeguarding requirements (FAR 52.204-21), annual self-assessment and affirmation	The contract clause, an FCI data map, FAR 52.204-21 applicability	A light-touch readiness consultant or MSP if internal IT is thin
You handle ITAR technical data that is also DoD CUI (Export Controlled and/or CTI)	ITAR doesn’t “become” CMMC, but this overlap usually makes the practical problem Level 2	Level 2 on NIST SP 800-171 Rev. 2; assessment type set by the contract	CUI markings, the contract clause, a data-flow map, a DD Form 254 if one exists	RPO / CMMC-focused MSP or MSSP; enclave or GRC support depending on data flow
Your solicitation/flow-down specifies Level 2 (self-assessment)	CMMC is contractually triggered; third-party certification may not be required for that contract	Level 2 self-assessment plus the required SPRS affirmation	The DFARS clause, required CMMC status, your SSP, POA&M, evidence set	Readiness/RPO, a GRC/evidence tool, an MSP/MSSP
Your solicitation/flow-down specifies Level 2 (C3PAO certification)	CMMC is triggered and an independent assessment is required	Level 2 certification by a C3PAO; do readiness first, then assessment	Scope definition, SSP, evidence, a POA&M closeout plan, C3PAO availability	Readiness provider first if gaps remain; a C3PAO only when you’re assessment-ready
DoD designates Level 3	ITAR may be part of the sensitivity profile, but Level 3 is a DoD designation	Level 3 after Level 2, using selected NIST SP 800-172 requirements, assessed by DIBCAC	The contract requirement, your Level 2 final status, the Level 3 scope	High-end readiness / vCISO / MSSP plus DIBCAC preparation
You’re a prime flowing FCI/CUI down to subs	Flow-down depends on whether the sub will handle FCI or CUI	Flow down the appropriate CMMC requirement before award	The subcontract data package, a CUI/FCI flow map, subcontractor SPRS/CMMC status	Supply-chain compliance advisor, GRC workflow, subcontractor readiness partners

Source basis: 32 CFR Part 170 (CMMC applicability to DoD contractors handling FCI or CUI); DFARS 252.204-7021 and 252.204-7025; 22 CFR Part 120 (ITAR, technical data and access rules).

Not sure which row is really you?

Tell us your contract clause, the type of data you handle, and your timeline — no CUI, ITAR technical data, drawings, or contract attachments — and we’ll help you identify the provider category that fits.

Find my CMMC path →

Does ITAR automatically require CMMC?

No. Being ITAR-registered does not, by itself, require CMMC. CMMC becomes a requirement when a DoD solicitation, contract, subcontract, or flow-down requires a CMMC status for systems that handle FCI or CUI. An ITAR company with no current DoD FCI/CUI obligation may not be in CMMC scope yet — though it still owes full export-control compliance under the ITAR.

When ITAR applies

ITAR governs defense articles, defense services, and technical data tied to the U.S. Munitions List (USML). “Technical data” is defined at 22 CFR §120.33 — information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of a defense article, including blueprints, drawings, plans, instructions, and documentation. Export-license and deemed-export obligations arise from the ITAR; CMMC does not relieve them.

When CMMC applies

CMMC is a DoD acquisition requirement. The CMMC Program rule at 32 CFR Part 170 became effective December 16, 2024, and the companion acquisition rule became effective November 10, 2025. From that date, contracting officers began inserting CMMC requirements into new solicitations for systems that process, store, or transmit FCI or CUI.

The ITAR-only case — and our advice for it

If you’re ITAR-registered but you don’t have a DoD contract that has you handling FCI or CUI, you may not have a CMMC obligation today. You still need export-control access controls, recordkeeping, and licensing analysis — but you should not be buying a C3PAO assessment or a cloud migration to solve a CMMC problem you don’t have yet. Keep monitoring your solicitations and flow-downs; engage a CMMC provider when DoD FCI or CUI actually enters your scope.

When does ITAR technical data become CUI for CMMC?

ITAR technical data and CUI are not the same label, but they overlap constantly inside DoD work. When export-controlled technical data is received or generated under a defense contract, it is typically controlled as CUI under the Export Controlled category (banner marking CUI//SP-EXPT) and/or Controlled Technical Information (banner marking CUI//SP-CTI). That overlap is what turns most ITAR companies’ CMMC question into a Level 2 scoping problem.

Here’s the relationship in one sentence: CUI tells you how the information must be protected; ITAR tells you who may access it and where it may live. You need both, and one doesn’t substitute for the other.

Export Controlled CUI (CUI//SP-EXPT)

The National Archives (NARA) CUI Registry defines an Export Controlled category that expressly includes information controlled under the ITAR and the munitions list. For ITAR data, the banner marking is CUI//SP-EXPT (the “SP” denotes a Specified category, which carries safeguarding or dissemination rules beyond baseline NIST SP 800-171).

Controlled Technical Information (CUI//SP-CTI)

Most defense manufacturers and engineering firms also handle CTI — technical information with military or space application, marked CUI//SP-CTI, carrying a distribution statement (B through F) under DoD Instruction 5230.24. Engineering drawings, specifications, process sheets, test reports, and technical data packages are textbook CTI.

It isn’t automatic — but treat it that way.

ITAR data is not “CUI” in the abstract; the originating authority designates and marks it. But in DoD contract performance, the safe operating assumption is that your ITAR technical data is CUI Specified — treat it as a Level 2 scoping issue until your contracting authority tells you otherwise. And if it shows up unmarked— which happens — see the FAQ on unmarked data below before you assume it’s out of scope.

Which CMMC level applies to ITAR companies?

Most ITAR companies that handle DoD CUI are looking at CMMC Level 2— but not every ITAR company needs Level 2, and not every Level 2 contract requires a C3PAO. Level 1 is for FCI only. Level 2 is for CUI and maps to the 110 requirements of NIST SP 800-171 Revision 2, organized into 14 control families. Level 3 layers selected NIST SP 800-172 requirements on top and is assessed by the government.

Level	Information type	Requirement source	Assessment path	Typical ITAR example
Level 1	FCI	FAR 52.204-21 — 15 basic safeguarding requirements	Annual self-assessment + affirmation in SPRS	A shop that only receives basic contract information, no CUI
Level 2	CUI	NIST SP 800-171 Rev. 2 — 110 requirements across 14 families	Self-assessment or C3PAO certification, set by the contract; reassess every 3 years + annual affirmation	An aerospace supplier handling CUI//SP-EXPT drawings
Level 3	Higher-sensitivity CUI	Selected NIST SP 800-172 requirements, on top of Level 2	DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center, under DCMA	A contractor on a DoD-designated critical program

A correction that matters:

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. NIST published Rev. 3 in 2024, but the CMMC rule (32 CFR Part 170) is anchored to Rev. 2. Build your System Security Plan and your control set to Rev. 2 for CMMC purposes unless and until DoD amends the rule. If a provider is preparing you against Rev. 3 “to be safe,” ask them to show you the contractual basis — there isn’t one yet for CMMC.

Level 2 self-assessment vs. Level 2 C3PAO: how do you know which one applies?

The deciding factor is not whether your data is ITAR — it’s the CMMC status your contract requires. Both paths use the same 110 Level 2 requirements from NIST SP 800-171 Rev. 2. What changes is the assurance: a Level 2 self-assessment you perform and affirm, versus a Level 2 certification assessment conducted by a C3PAO (a CMMC Third-Party Assessment Organization authorized by The Cyber AB). Read the clause; it tells you which one.

Level 2 self-assessment is still Level 2.It is not “Level 2 lite.” You implement all 110 requirements, document them in a System Security Plan (SSP), score yourself using the DoD methodology, post the score in SPRS, and have a senior official affirm it. The difference is who checks the work.

Level 2 C3PAO certificationis a formal assessment against NIST SP 800-171A objectives plus CMMC guidance. DoD’s assessment guidance confirms the assessment can cover your enterprise network or a defined enclave, depending on how you scope it. You don’t always have to bring the whole company into the assessment.

One thing not to do

Don’t hire one firm to remediate your environment and then use that same firm to certify it. The Cyber AB separates advisory and readiness roles (RPOs and Registered Practitioners) from assessment roles (C3PAOs), and under 32 CFR Part 170 and the Cyber AB Code of Professional Conduct, an assessor that consulted on your environment generally cannot also perform your certification assessment. Keep readiness help and the formal assessment on opposite sides of a clean line. It protects your result.

Know your assessment path before you buy anything

Share the required CMMC status from your solicitation or flow-down, and compare the provider categories that fit your stage.

Compare provider categories →

Which DFARS clause is actually controlling this for you?

The clause in your contract is what turns the regulatory background into an award requirement. For ITAR contractors, five Defense Federal Acquisition Regulation Supplement (DFARS) clauses do the heavy lifting: 252.204-7012, -7019, -7020, -7021, and -7025. They drive CUI safeguarding, the SPRS assessment posting, your CMMC status, the annual affirmation, and award eligibility.

Clause	What it tells the ITAR company	What to do about it
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting	Protect CUI to NIST SP 800-171; use cloud services that meet FedRAMP Moderate (or equivalent) for CUI; report cyber incidents within 72 hours	Confirm which systems hold CUI; treat 800-171 as the baseline; have an incident-reporting path to DIBNET
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements	To be considered for award, you need a current (within 3 years) NIST SP 800-171 assessment posted in SPRS	Verify your score, date, scope, and CAGE code are current in SPRS before you bid
252.204-7020 NIST SP 800-171 DoD Assessment Requirements	Defines Basic (self), Medium, and High assessments; you give the government access for higher-confidence assessments and flow the clause down	Know which assessment type applies; flow -7020 to applicable subs
252.204-7021 Contractor Compliance with CMMC Level Requirements	Achieve and maintain the required CMMC status, handle FCI/CUI only on systems at that status, affirm annually, and flow CMMC requirements down to subs handling FCI/CUI	Maintain your status for the life of the contract; affirm annually in SPRS; manage flow-down
252.204-7025 Notice of CMMC Level Requirements (solicitation provision)	The required CMMC status must be met before award for each system that will handle FCI/CUI; you’re not eligible if your status and affirmation aren’t current in SPRS	Confirm your CMMC status and affirmation are posted before the proposal deadline

The takeaway: 7012, 7019, and 7020 are the legacy NIST 800-171 obligations you may already carry; 7021 and 7025 are the CMMC layer that makes a current, posted status a go/no-go for award. If you see 7021 or 7025 in a solicitation, your CMMC status is now part of whether you can win the work — not a someday problem.

Do ITAR companies need GCC High, Azure Government, AWS GovCloud, or a secure enclave?

No single cloud product automatically solves CMMC or ITAR — but your environment has to do two jobs at once: meet the CUI cybersecurity bar and keep access restricted to U.S. persons. That second job is pure ITAR, and it’s the reason most ITAR contractors land on Microsoft 365 GCC High, AWS GovCloud, a U.S.-person-controlled enclave, or on-prem — not commercial cloud. No platform is “compliance in a box”; you still implement all 110 controls and prove it in your SSP.

The first two columns are regulatory requirements you must meet; “best fit” is our editorial read; and the platform capabilities are company-stated and dated, because vendors change their authorizations.

The environment decision, side by side

Environment	Meets CUI cyber bar?	Meets ITAR U.S.-person access?	What it does not solve	Best fit (DCR editorial)	Basis
Commercial M365 / Google Workspace	No	No	Neither obligation; at most FCI-only, and even that is discouraged	An FCI-only shop with no CUI/ITAR (rare once ITAR data is involved)	DFARS 252.204-7012; vendor docs
Microsoft 365 GCC	Often yes for CUI	Generally no for ITAR — Microsoft directs ITAR/DFARS-regulated-CUI customers to GCC High	ITAR U.S.-person access for export-controlled data	CUI-only firms without export-controlled data	Microsoft (company-stated); DFARS 7012
Microsoft 365 GCC High	Yes	Yes — Azure Government with screened U.S.-person support	Licensing premium and migration effort; still requires controls implementation	Most ITAR firms wanting one Microsoft environment for email/docs/collaboration	Microsoft (company-stated); DFARS 7012; ITAR access rules
AWS GovCloud (US)	Yes	Yes — AWS states GovCloud supports ITAR, U.S. location, U.S.-citizen personnel access	No native email/collaboration suite; you remain responsible for your configuration	Custom apps, compute, engineering and manufacturing workloads	AWS (company-stated); DFARS 7012
End-to-end-encrypted enclave (ITAR § 120.54 carve-out)	Yes when 800-171 is implemented inside the enclave	Yes for storage/transmission via the carve-out (decryption means not provided to any third party; no plaintext to non-U.S. persons)	Does not let non-U.S. persons see unencrypted data; covers ciphertext only; demands scope discipline	Cost-sensitive subs/SMBs isolating a small CUI/ITAR workflow	22 CFR § 120.54; FIPS 140-2/140-3
On-premises / private enclave	Yes if built to 800-171	Yes — full U.S.-person control; no cloud-provider access	Highest capital and maintenance burden; you own every control and all logging	Firms with an existing controlled facility or unique constraints	NIST SP 800-171 Rev. 2; ITAR access rules

Commercial Microsoft 365 / Google Workspace.Don’t assume your commercial tenant qualifies for CUI or ITAR work. Microsoft’s own guidance points ITAR and DFARS-regulated-CUI customers to GCC High, not commercial or GCC — largely because of U.S.-person administrative access and data-residency requirements.

Microsoft 365 GCC vs. GCC High. Microsoft states that GCC meets FedRAMP requirements and keeps data in the U.S., but positions GCC for customers who do not handle ITAR or DFARS-regulated CUI; GCC support staff may include non-U.S. persons. For ITAR/export-controlled data, Microsoft points you to GCC High, which runs on Azure Government with screened U.S.-person support. GCC High is not legally mandated by the CMMC rule at any level — it’s Microsoft’s recommended environment for ITAR. Treat all of this as company-stated, and verify licensing, configuration, and the support boundary before you sign.

AWS GovCloud (US).AWS states that AWS GovCloud supports ITAR compliance, sits physically in the United States, and limits AWS personnel with access to U.S. citizens — while you remain responsible for your own applications, systems, and configuration. Strong for custom applications, compute, and engineering workloads, but not a productivity suite.

The encrypted enclave.This is the option that can save real money for shops that can isolate a defined CUI/ITAR workflow. The rule behind it is widely misunderstood — see the next section. If the data leaks back into general email, ERP, CAD, and shared drives, the enclave’s scope advantage evaporates. See our guide: CMMC Secure Enclaves.

Before you migrate anything, scope it

Download our CMMC Readiness Checklist — the same data-flow and environment questions we’d ask before recommending a single platform. Use it before you sign a migration contract.

Download the CMMC Readiness Checklist →

Can the ITAR encryption carve-out (22 CFR § 120.54) shrink your scope?

Sometimes — and when it fits, it can meaningfully cut cost. Under 22 CFR §120.54(a)(5), sending, taking, or storing unclassified technical data is not an export, reexport, retransfer, or temporary import when: it is end-to-end encrypted; the encryption uses FIPS 140-2 (or successor) validated cryptographic modules orother cryptographic means at least as strong as AES-128; the means of decryption are not provided to any third party; and the data isn’t intentionally sent to or stored in — or sent from — a country proscribed under §126.1. In plain terms: properly encrypted data can ride on commercial infrastructure without U.S.-sovereign hosting. The carve-out covers the ciphertext — not plaintext access.

This rule came in as an Interim Final Rule published December 26, 2019 and effective March 25, 2020. Before it, the operating assumption was that ITAR technical data had to sit on U.S.-based, U.S.-person-managed systems. The carve-out changed the architecture math for a lot of small suppliers.

1. The carve-out is about the encrypted transmission and storage — not about who can read the data.

Section 120.54(c) says the ability to access technical data in qualifying encrypted form is not a release. But the unencrypted technical data inside that container is still ITAR-controlled. If a non-U.S. person can access the plaintext, that’s still a deemed export, carve-out or not. The “means of decryption” — keys, network access codes, passwords (defined as “Access Information” at 22 CFR § 120.55) — must stay out of any third party’s hands, including the cloud provider’s.

2. Encryption doesn’t relieve you of NIST SP 800-171.

Inside the enclave, you still implement the Level 2 controls and evidence them. The carve-out solves an export question, not your CMMC question.

Used correctly, an end-to-end-encrypted enclave is a legitimate scope-reduction strategy: shrink the boundary to a defined set of systems and users, keep CUI out of everything else, and avoid migrating the whole company. Used carelessly — data leaking back into general email and shared drives — it’s a false economy. See: CMMC Managed Enclave Guide and CUI Email Encryption for CMMC.

What systems are actually in scope when an ITAR company handles CUI?

Scope follows the data, not the org chart. Any system that processes, stores, transmits, or protectsCUI can be in scope — and for ITAR manufacturers, the surprises are usually email, CAD/PDM/PLM, file transfer, supplier portals, backups, and the admin systems that control access. Define the boundary in your SSP, map the data flows, and resist the urge to assume “the CMMC project” lives only in engineering.

Systems that catch ITAR companies off guard:

Email and attachments (CUI//SP-EXPT drawings get forwarded constantly)
SharePoint, OneDrive, and Teams
CAD, PDM, and PLM systems holding drawings and technical data packages
ERP/MRP systems that store specs, drawings, or routings
Supplier and customer portals
SFTP and managed file-transfer tools
Backup and disaster-recovery systems (encrypted backups of CUI are still CUI)
Endpoint sync folders on laptops
Remote access and VPN
Identity and admin systems that grant access to any of the above
Security tooling and the logs it generates

The single question that defines your boundary: “Can this system process, store, transmit, secure, or administer access to CUI?” If yes, it’s likely in scope. This is also where scope reductionpays off — the tighter you draw the boundary (often via an enclave), the fewer systems have to meet all 110 controls, and the lower your assessment cost. See: Enclave vs. enterprise compliance.

Foreign-national access: where ITAR goes beyond NIST 800-171

NIST SP 800-171 requires access control, but it does not, on its own, restrict access to U.S. persons. ITAR does. Releasing ITAR technical data to a foreign person — even inside the United States — is a “deemed export” that requires authorization. That includes foreign-national employees, foreign contractors, and your managed service provider’s offshore administrators. This is the exact failure mode where a company passes CMMC and still violates the ITAR.

Read this if you outsource IT:

Your MSP’s admins can access your systems.If any of them are non-U.S. persons and they can reach unencrypted ITAR technical data, you have an export-control problem that a clean CMMC assessment will not catch, because CMMC doesn’t ask the nationality question. ITAR does — and the penalties are not in the same universe as a missed control. ITAR civil penalties can reach into the seven figures per violation, with criminal exposure and debarment on the table.

A point of correction, because it’s commonly misstated and getting it wrong is dangerous: there is an ITAR “regular employee” exemption at 22 CFR §125.4(b)(10) — but it is written specifically for U.S. institutions of higher learningdisclosing unclassified technical data to their bona fide, full-time regular employees who are foreign persons, and only when each listed condition is met (U.S. permanent residence throughout employment, not a national of a §126.1 country, and written notice limiting further transfer). For most ITAR manufacturers, aerospace suppliers, MSPs, and engineering shops, this exemption does not apply.If a foreign person needs access to your unencrypted ITAR technical data, that calls for separate export-control analysis, an authorization, or a different valid exemption — not an assumption.

The practical move: inventory whocan touch your CUI/ITAR systems — employees, contractors, and provider admins — and make U.S.-person access control an explicit design requirement of your environment, not an afterthought you discover during an assessment.

Worried a foreign-national or MSP-access issue is hiding in your environment?

It’s the most expensive thing to find late. Tell us whether outside admins can reach your CUI/ITAR systems — describe the access question only, no controlled data through the form — and we’ll help you compare U.S.-person support, enclave, and managed-compliance options.

Check provider access fit →

What should an ITAR company do in the first 30 days?

Spend the first 30 days proving the trigger and scoping the problem — not buying tools. Confirm whether CMMC is contractually required, classify your data, map where it lives, check your SPRS status, and only then decide whether readiness, cloud/enclave, GRC, MSP/MSSP, or a C3PAO is the right next conversation. Buying an environment or an assessment slot before you’ve scoped is the most common — and most expensive — ITAR-CMMC mistake.

Days 1–3: Collect the contract evidence

The solicitation or subcontract, any prime flow-down, the DFARS clauses present (7012/7019/7020/7021/7025), a DD Form 254 if one exists, the CUI markings you’re seeing, the required CMMC level or status, and your award/option timeline.

Days 4–10: Classify the data and map the flow

Is it FCI only, or CUI? Is it CUI//SP-EXPT, CUI//SP-CTI, or both? Where does it enter, where does it rest, where does it move — email, CAD/PDM, file transfer, ERP, backups? Note any foreign-person access restrictions.

Days 11–20: Define the boundary and the users

List the in-scope systems, the users and admins, your external service providers and cloud platforms, your backups, and any subs or suppliers in the chain.

Days 21–30: Choose the provider category

Readiness/RPO, CMMC-focused MSP/MSSP, a GCC High / Azure Government / AWS GovCloud implementer, a secure-enclave provider, a GRC/evidence platform — or, only if you’re already assessment-ready, a C3PAO.

What provider type should an ITAR company hire first?

If you’re not already assessment-ready, hire readiness and scoping help before you hire a C3PAO. A C3PAO conducts the formal certification assessment — it’s the exam, not the tutor. RPOs, CMMC-focused MSPs and MSSPs, vCISOs, cloud/enclave implementers, and GRC tools solve the earlier problems: scoping, remediation, the SSP and POA&M, evidence, and the environment itself. Match the provider category to where you actually are in the process.

Provider category	Hire when	Don’t hire when	What to verify
RPO / Registered Practitioner / readiness consultant	You need a gap assessment, SSP/POA&M, evidence prep, and scoping	You need formal certification (different role)	Cyber AB status; ITAR/CUI experience; conflict-of-interest posture
CMMC-focused MSP	You need ongoing IT operations aligned to CMMC	You only need a one-time policy review	Their stack, cloud handling, support model, evidence depth
MSSP / MDR	You need monitoring, logging, and incident detection	You expect them to write your SSP alone	CUI handling, log retention, division of responsibility
GCC High / Azure Gov / AWS GovCloud implementer	You need environment migration and configuration	You haven’t mapped your CUI yet	Cloud commitments, configuration scope, the shared-responsibility split
Secure-enclave provider	You can isolate the CUI/ITAR workflow	CUI is everywhere and unmanaged	Boundary enforcement, user workflow, evidence
GRC / evidence platform	You need evidence, SSP/POA&M workflow, control mapping	You expect software alone to make you compliant	CMMC mapping; how it handles export-controlled data
C3PAO	You’re ready for a Level 2 certification assessment	You still need implementation help from that same firm	Cyber AB Marketplace status; conflict; availability; scope

A word on software: a GRC or compliance tool is a supporting layer, not a CMMC solution.It helps you organize evidence and track controls. It does not implement the controls, secure your environment, or certify you. And keep readiness/remediation and the formal C3PAO assessment appropriately separated — the Cyber AB’s role structure draws that line, and respecting it protects the validity of your certification.

Have the contract but not the path?

Send us the required CMMC level, your data type, and your timeline — no CUI, ITAR technical data, drawings, specs, or TDPs — and we’ll match you with source-checked provider options for the category that fits.

Get matched with source-checked provider options →

SPRS, affirmations, and award eligibility

SPRS — the Supplier Performance Risk System — is where DoD stores and checks your assessment information and CMMC status, and it’s where award eligibility gets decided. Before you assume you’re ready to bid, verify that the required status, the affirmation, the scope, and the right CAGE codes are actually posted and current. A perfect environment with nothing in SPRS still loses the bid.

SPRS’s NIST SP 800-171 module stores your assessment date, your score, the assessment scope, the POA&M completion date, your CAGE codes, your SSP name/version/date, and the assessment confidence level. That’s the record a contracting officer looks at.

The SPRS checklist before you bid:

Does the required CMMC status exist in SPRS?
Is the senior-official affirmation current?
Is the assessment scope correct and tied to the right environment?
Are the right CAGE codes included?
Does the SSP referenced in SPRS match the system you actually operate?

If any of those is “no,” fix it before the proposal deadline — not after you’ve won and can’t accept. See our detailed guide: SPRS Score: What It Is and How to Post It.

The deadline: Phase 1, Phase 2, and what’s actually enforced

CMMC is rolling out in four phases over three years, and the date most ITAR companies should circle is November 10, 2026. Phase 1 began November 10, 2025 and runs through November 9, 2026, focused primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification becomes the standard condition of award for applicable contracts — though DoD retains discretion to delay a given Level 2 C3PAO requirement to an option period. Because readiness for an ITAR environment typically takes months and C3PAO availability is finite, “start when the clause shows up” is already behind.

Phase	Begins	What changes
Phase 1	Nov 10, 2025	Level 1 and Level 2 self-assessment requirements appear in new solicitations; contracting officers may require Level 2 C3PAO for select contracts at their discretion
Phase 2	Nov 10, 2026	Level 2 C3PAO certification becomes the standard requirement for applicable contracts handling CUI (DoD may defer some to an option period)
Phase 3	Nov 10, 2027	Level 3 DIBCAC assessments are introduced; Level 2 C3PAO extends to more contracts, including option periods
Phase 4	Nov 10, 2028	Full implementation across all applicable contracts (except those solely for commercial off-the-shelf items)

Two realities for ITAR suppliers specifically. First, you’ll likely feel this through a prime’s flow-down before a contracting officer ever talks to you directly — primes have been pressing their supply chains for months. Second, this is a phased rollout, not a grace period. If you want to bid on covered work in 2026, you need the required status when the solicitation hits, not in 2028.

POA&Ms and the edge cases that send you back to search

If you can’t meet every control by assessment day, a Plan of Action and Milestones (POA&M) can earn you Conditional CMMC Status — but the rules are strict. Under 32 CFR §170.21, you need an assessment scoreof at least 80% — that’s a score of 88 or higher out of the 110-point maximum, not “88 of 110 controls implemented” — only limited low-point items may sit on the POA&M, and you must close them within 180 daysthrough a closeout assessment or your Conditional status expires. Level 1 allows no POA&Ms at all.

It’s a score, not a count. CMMC Level 2 scoring is weighted: you start at 110 and subtract 1, 3, or 5 points per unmet requirement depending on its impact. The 80% threshold is about that weighted score, which is why a handful of high-value gaps can sink you even if most controls are met.
What can go on a POA&M.Generally only 1-point requirements. High-impact controls can’t be deferred — for example, multifactor authentication (IA.L2-3.5.3) carries a 3- or 5-point weight, so it must be implemented at assessment time, not parked on a POA&M.
The one narrow encryption exception.The CUI encryption requirement (SC.L2-3.13.11) can sit on a POA&M only where encryption exists but isn’t yet FIPS-validated (a 3-point condition). That’s the lone exception to the 1-point rule, and it’s specific.
Conditional vs. Final. Hit the 80% score with only eligible items open, and you can receive Conditional Level 2 status; close everything within 180 days via a closeout assessment to convert to Final. For a self-assessment you do the closeout yourself; for a certification, a C3PAO does it.
Specialized assets.Equipment like IoT or operational technology that can’t be fully secured is documented in your asset inventory, SSP, and network diagram as a specialized asset — accounted for, even if not assessed against every control.
The affirmation never stops.A senior official affirms continued compliance in SPRS after the initial assessment, after POA&M closeout, and annually thereafter. CMMC isn’t a one-and-done certificate; it’s a posture you attest to every year.

What does CMMC cost for an ITAR company?

There’s no single number — cost depends on scope, your starting maturity, how many people touch CUI, your current environment, and whether the contract requires a C3PAO. As a planning anchor, DoD’s Regulatory Impact Analysis for the CMMC Program rule estimates the Level 2 certification path at roughly $105,000 for a small entity and about $118,000 for a larger one over a three-year cycle (the triennial assessment plus two annual affirmations). One crucial caveat: that figure excludespreparation. DoD assumes you’ve already implemented NIST SP 800-171, so the big costs — remediation, technology, and the environment itself — sit on top.

Cost component	What it covers	Planning figure
Level 1 self-assessment	FCI-only path; no POA&M allowed	DoD estimate: low single-digit thousands
Level 2 self-assessment	When the contract permits self-assessment	DoD estimate: tens of thousands
Level 2 C3PAO (per 3-yr cycle)	Triennial certification + affirmations; excludes preparation	DoD estimate ≈ $105,000 (small) to ≈ $118,000 (larger)
C3PAO assessor fee alone	The assessor’s portion of the above	Often starts around $30,000 for small, tightly scoped firms; rises with size, sites, and assessor-days
Realistic first-cycle total	Prep + remediation + technology + assessment	Industry surveys commonly cite ≈ $75,000–$300,000+
Level 3	Selected NIST SP 800-172 requirements + DIBCAC	Materially higher; budget separately and confirm scope
ITAR adder: GCC High licensing	U.S.-sovereign productivity environment	Reported ≈ 30–40% premium over commercial; via an AOS-G partner
ITAR adder: encrypted enclave	Scope-reduction approach	Reported per-user enclave pricing; scales with the number of CUI users

The honest caveat:

CMMC Level 2 readiness for an ITAR environment is rarely fast and rarely cheap, and anyone who hands you a price before reading your contract and mapping your data flow is guessing. If you were hoping to be certified in three weeks for a few thousand dollars, that’s not the reality, and we’d rather tell you now.

On cost-reimbursable contracts, CMMC costs may be recoverable under FAR Part 31 cost principles — though the calculus is different on fixed-price work, and some states offer grants or tax credits. Tight scoping — pulling CUI into a defined enclave so fewer systems carry all 110 controls — can cut the bill dramatically. See our detailed breakdown: CMMC Level 2 Cost and CMMC Certification Cost.

Want a realistic budget for your scope before you talk to a C3PAO?

Tell us your level, scope, and timeline — no controlled technical data— and we’ll help you request scoped options from matched provider categories so you’re comparing real numbers against your environment, not someone’s brochure.

Request scoped provider options →

How to vet a CMMC provider — and why you should vet us too

Before you trust any provider, verify the category, the Cyber AB status where it’s relevant, the role limits, the conflict posture, what’s actually included, how they handle your data, and any compensation relationship. And hold us to the same standard.

Category: Are they an RPO, an MSP/MSSP, a GRC vendor, an enclave/cloud implementer, or a C3PAO? Match it to your need.
Cyber AB Marketplace status: For assessment providers, confirm current C3PAO authorization at cyberab.org. For RPOs, confirm RPO status. Don’t take a logo’s word for it.
Conflict of interest:Will the firm that prepares you also try to assess you? Where that’s prohibited, walk.
Data handling: Will they touch your CUI/ITAR data? If they host or process it, ask for their FedRAMP/cloud evidence and their U.S.-person access controls.
Evidence and fit: Can they show experience with ITAR/CUI environments like yours?
Compensation and disclosure:If a referral source is paid, that should be disclosed — by them and by us.

What we actually verified for this page — last verified June 8, 2026:

32 CFR Part 170— CMMC levels, applicability, and the four-phase schedule (including the Phase 2 date of November 10, 2026).
The 48 CFR CMMC Acquisition rule and DFARS 252.204-7012, -7019, -7020, -7021, and -7025 on Acquisition.gov.
NIST SP 800-171 Revision 2 as the controlling Level 2 standard (not Rev. 3, for CMMC purposes), plus NIST SP 800-172 for Level 3.
The NARA CUI Registry categories Export Controlled (CUI//SP-EXPT) and Controlled Technical Information (CUI//SP-CTI).
The ITAR, 22 CFR Part 120 and Part 125 — the technical-data definition at §120.33, the end-to-end-encryption carve-out at §120.54 (including its AES-128 alternative and the “means of decryption not provided to any third party” condition), “Access Information” at §120.55, the §126.1 proscribed-country limit, and the §125.4(b)(10) regular-employee exemption (written for U.S. institutions of higher learning).
32 CFR §170.21— the POA&M and Conditional/Final Status mechanics (the 80% score threshold and the 180-day closeout).
Cost figurescross-checked against DoD’s Regulatory Impact Analysis (the ≈$104,670 small-entity Level 2 estimate, which excludes preparation) and current market surveys (planning ranges, not guarantees).

What we did not independently verify:any individual provider’s current Cyber AB Marketplace status, licensing, or customer outcomes — verify those directly before you rely on them. Nothing here is legal, contractual, or export-control advice; confirm your specifics with your contracting authority or counsel.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our Editorial & Advertising Policy and Corrections Policy.

For how we research and correct our work, see our Methodology and Editorial Review Process.

What to do next

Your next move isn’t “buy CMMC.” It’s to confirm your trigger, classify your data, settle your level and assessment path, scope your environment, and then get matched to the right provider category. Find your situation below and take the one step that fits it.

Your situation	Your next step
ITAR-registered, no DoD FCI/CUI yet	Keep your export-compliance program current, monitor solicitations and flow-downs, don’t overbuy CMMC
FCI only	Level 1 self-assessment path
CUI / CUI//SP-EXPT / CUI//SP-CTI	Level 2 path — determine self-assessment vs. C3PAO from the clause
Level 2 C3PAO required	Readiness first; engage a C3PAO when your evidence is ready
Cloud/email/CAD sprawl	Make the scope/enclave/environment decision before any assessment

You came here because something changed — a clause, a flow-down, a quote that didn’t sit right. You don’t need to have it all figured out. You need the next correct step, and a partner who has nothing to sell you but that.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Find my CMMC path →

Describe your level, scope, and timeline only — please don’t paste or upload CUI, ITAR technical data, drawings, specs, or TDPs. Independent trade publication. No Cyber AB or DoD affiliation.

Frequently asked questions

Do ITAR companies automatically need CMMC?

No. ITAR companies don’t need CMMC solely because they’re ITAR-registered. CMMC applies through a DoD solicitation, contract, subcontract, or flow-down when systems process, store, or transmit FCI or CUI.

Is ITAR data always CUI?

No, but it overlaps constantly. ITAR and CUI are different control regimes, yet ITAR technical data handled under a DoD contract is typically controlled as CUI — usually Export Controlled (CUI//SP-EXPT) and/or Controlled Technical Information (CUI//SP-CTI).

What’s the difference between FCI and CUI for an ITAR company?

Federal Contract Information (FCI) is non-public information provided by or generated for the government under a contract that isn’t intended for public release; protecting it is CMMC Level 1 (15 requirements). Controlled Unclassified Information (CUI) is information the government requires to be safeguarded under law or policy — including export-controlled technical data — and protecting it is CMMC Level 2 (110 requirements). For most ITAR companies, the technical data is CUI, which is why Level 2 is the usual answer.

What if the prime sends ITAR drawings with no CUI markings?

Don’t assume “unmarked” means “out of scope.” Ask the prime or contracting authority to confirm the CUI status, the distribution statement, the DD Form 254 if one applies, and whether the data is CUI//SP-EXPT, CUI//SP-CTI, or neither. Document the answer. Mismarked or unmarked CUI is common, and the safer working assumption for ITAR technical data under a DoD contract is that it’s in Level 2 scope until the originator says otherwise.

What does a DD Form 254 have to do with ITAR and CMMC?

A DD Form 254 (Contract Security Classification Specification) tells you what classified and controlled information a contract involves and how to handle it. It won’t list your CMMC level, but it’s a strong signal of the data types in play — and if it points to CUI or export-controlled technical data, expect a CMMC Level 2 scoping conversation.

What CMMC level do ITAR companies usually need?

If you handle DoD CUI, the likely path is CMMC Level 2 (the 110 requirements of NIST SP 800-171 Rev. 2). FCI-only work may be Level 1. Level 3 applies only when DoD designates it.

Does CMMC replace ITAR compliance?

No. CMMC and NIST 800-171 govern how you protect the data; ITAR governs who may access it and where it can live. ITAR’s U.S.-person access and residency rules sit on top of your cybersecurity controls.

Is GCC High required for ITAR?

Not universally. GCC High is not legally mandated by the CMMC rule; it’s Microsoft’s recommended environment for Levels 2 and 3 and the cleanest single-vendor path for ITAR because of its U.S.-person access model. AWS GovCloud and properly built encrypted enclaves are valid alternatives. Commercial Microsoft 365 is generally not appropriate for CUI or ITAR, and Microsoft itself directs ITAR/DFARS-regulated-CUI customers to GCC High.

Can AWS GovCloud handle ITAR data?

AWS states that AWS GovCloud supports ITAR compliance, is located in the United States, and limits AWS personnel access to U.S. citizens. That does not remove your responsibility to configure, restrict, document, and operate the environment correctly.

Should we hire a C3PAO first?

Usually no — not unless you’re already assessment-ready or your contract timeline forces it. Most ITAR companies should complete scoping, remediation, the SSP/POA&M, and evidence preparation first, then engage a C3PAO for the formal assessment.

Can the same provider prepare us and assess us?

Be careful. The Cyber AB separates readiness/advisory roles from assessment roles, and an assessor that consulted on your environment generally cannot also perform your certification assessment. Keep the two on opposite sides of a clean line.

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

Revision 2. CMMC Level 2 is currently anchored to NIST SP 800-171 Rev. 2 under 32 CFR Part 170. NIST published Rev. 3 in 2024, but it doesn’t control for CMMC unless DoD amends the rule.

Primary sources we read

CMMC Program rule — 32 CFR Part 170 (eCFR), including §170.3 (phases) and §170.21 (POA&M / Conditional and Final Status). Effective December 16, 2024. Cost estimates: the rule’s Regulatory Impact Analysis (Federal Register, October 15, 2024).
CMMC Acquisition rule and clauses — DFARS 252.204-7021 and 252.204-7025; effective November 10, 2025.
Legacy safeguarding/assessment clauses— DFARS 252.204-7012, -7019, -7020.
Control standards — NIST SP 800-171 Rev. 2 and NIST SP 800-172; NIST SP 800-171A (assessment methodology).
CUI — NARA CUI Registry: Export Controlled (CUI//SP-EXPT) and Controlled Technical Information (CUI//SP-CTI).
ITAR — 22 CFR Parts 120 and 125: §120.33 (technical data), §120.54 (encryption carve-out), §120.55 (Access Information), §125.4 (exemptions), and §126.1 (proscribed countries). ITAR encryption Interim Final Rule (Federal Register, December 26, 2019; effective March 25, 2020).
Crypto standard— FIPS 140-2 / 140-3 (NIST CSRC).
Award/affirmation system — SPRS.
Ecosystem roles — The Cyber AB.
Cloud-provider statements (company-stated)— Microsoft (Office 365 Government / GCC High) and AWS (GovCloud / ITAR).

Related guides

Editorial disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Read our editorial review process. Last verified: June 8, 2026.