- ITAR (International Traffic in Arms Regulations) covers defense articles on the US Munitions List. EAR (Export Administration Regulations) covers dual-use commercial/military goods.
- NIST SP 800-171 controls are the minimum cybersecurity requirements for ITAR/EAR data, established through NARA's CUI category for export-controlled information (CUI//SP-EXPT).
- ITAR/EAR require nationality-based and location-based access controls that go beyond standard NIST 800-171, particularly for release of technical data to foreign persons (22 CFR 120.56).
- NIST 800-171 alone won't address your full export control program. You still need license registrations, record maintenance, disclosures, and other obligations.
- Key NIST 800-171 controls for ITAR/EAR: access enforcement (3.1.1), information flow control (3.1.3), and privileged access (3.1.15).
ITAR vs EAR Comparison
It is important to understand that NIST SP 800-171 will not solely address an entity's needs for a broader export control program. This program-level understanding is needed to govern how ITAR/EAR compliance is administered across the entity, not just within cybersecurity (e.g., registering for licenses, maintaining records, disclosures, etc.). To authorize release of export-controlled information an entity must communicate with the appropriate authority within the US government:
International Traffic in Arms Regulations (ITAR)
ITAR regulates defense-related articles and services on the US Munitions List (USML).
- ITAR’s authority is based on 22 CFR Parts 120-130;
- ITAR is managed by the US Department of State (DDTC); and
- ITAR restricts the export and sharing of military technologies, requiring manufacturers and exporters to register with the US State Department and obtain export licenses.
Export Administration Regulations (EAR)
EAR controls the export of commercial and dual-use goods, software and technology that can have both civilian and military applications.
- EAR’s authority is based on 15 CFR Parts 730-774; and
- EAR is managed by the US Department of Commerce (BIS).
Compliance with ITAR/EAR is critical for companies working with defense contracts, aerospace, or technologies with potential national security implications. Violations can lead to severe penalties, including fines and export restrictions. ITAR and EAR information may be handled under CUI protections if it falls within CUI categories, but ITAR/EAR compliance involves additional controls such as strict export licensing and access restrictions.
US Government Authorities
It is important to understand that NIST SP 800-171 will not solely address an entity's needs for a broader export control program. This program-level understanding is needed to govern how ITAR/EAR compliance is administered across the entity, not just within cybersecurity (e.g., registering for licenses, maintaining records, disclosures, etc.). To authorize release of export-controlled information an entity must communicate with the appropriate authority within the US government:
International Traffic in Arms Regulations (ITAR)
The US Department of State Directorate of Defense Trade Controls (DDTC) is the primary authority within the US government for authorizing ITAR-controlled access based on nationality (e.g., non-US citizens). DDTC grants licenses, technical assistance agreements and/or approvals for foreign nationals to access US defense technology.
Export Administration Regulations (EAR)
The US Department of Commerce Bureau of Industry and Security (BIS) is the primary authority within the US government for authorizing the export, re-export, or in-country transfer of items subject to its jurisdiction, including determining the nationality / country restrictions for deemed exports.
The table below summarizes the primary US export-control regulations, the authorities that enforce them, and the categories of information each one protects:
Minimum Cybersecurity Requirements for ITAR & EAR
While it might be possible that there is some ITAR/EAR that falls outside of NARA's classification of "export-controlled" information, the reality is NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason that NIST SP 800-171 is considered a "minimum" is that the controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.
What Are Applicable NIST SP 800-171 Controls For ITAR & EAR?
NARA does not specify which controls are applicable to ITAR and/or EAR, so the expectation is all applicable NIST SP 800-171 controls and NIST SP 800-171A Assessment Objectives (AOs).
What Is NARA's Definition of CUI For ITAR & EAR?
Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.
However, there are a few specific controls and AOs that need to have explicit nationality and location criteria defined for ITAR/EAR compliance:
Applicable NIST SP 800-171 R2 Controls & Assessment Objectives
- 1.1[a]: authorized users are identified.
- 1.1[b]: processes acting on behalf of authorized users are identified.
- 1.1[c]: devices (and other systems) authorized to connect to the system are identified.
- 1.1[d]: system access is limited to authorized users.
- 1.1[e]: system access is limited to processes acting on behalf of authorized users.
- 1.1[f]: system access is limited to authorized devices (including other systems).
- 1.3[a]: information flow control policies are defined.
- 1.3[b]: methods and enforcement mechanisms for controlling the flow of CUI are defined.
- 1.3[c]: designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.
- 1.3[d]: authorizations for controlling the flow of CUI are defined.
- 1.3[e]: approved authorizations for controlling the flow of CUI are enforced.
- 1.15[a]: privileged commands authorized for remote execution are identified.
- 1.15[b]: security-relevant information authorized to be accessed remotely is identified.
- 1.15[c]: the execution of the identified privileged commands via remote access is authorized.
- 1.15[d]: access to the identified security-relevant information via remote access is authorized.
Applicable NIST SP 800-171 R3 Controls & Assessment Objectives
- 03.01.02[01]: approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
- 03.01.02[02]: approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
- 03.01.03[01]: approved authorizations are enforced for controlling the flow of CUI within the system.
- 03.01.03[02]: approved authorizations are enforced for controlling the flow of CUI between connected systems.
- Prevent non-privileged users from executing privileged functions.
- Log the execution of privileged functions.
- 03.01.06.ODP[01]: personnel or roles to which privileged accounts on the system are to be restricted are defined.
- 03.01.06.a: privileged accounts on the system are restricted to <A.03.01.06.ODP[01]: personnel or roles>.
- 03.01.06.b: users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information.