Cybersecurity Requirements: ITAR vs EAR vs FAR vs DFARS

Questions about the cybersecurity requirements for International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) are common, because ITAR, EAR, FAR and DFARS each serve different regulatory masters, sometimes with conflicting guidance (e.g., FIPS-validated vs FIPS-compliant encryption requirements). There are multiple stakeholders that have to be identified and their roles understood:



If you take the time to read through the ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that are required to protect ITAR/EAR data. This is where NARA comes into play, through its authority to operate the US Government's Controlled Unclassified Information (CUI) Program, in which "export controlled" information has its own unique CUI category:

ITAR/EAR CUI Category: Export Controlled (CUI//SP-EXPT)

NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.

Minimum Cybersecurity Requirements for ITAR / EAR

While it is possible that some ITAR/EAR data falls outside NARA's classification of "export-controlled" information, the reality is that the NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason NIST SP 800-171 is considered a "minimum" is that its controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.
