Cybersecurity Requirements: ITAR vs EAR vs FAR vs DFARS
It is common to have questions pertaining to cybersecurity requirements for International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), since ITAR, EAR, FAR and DFARS each serve different regulatory masters, sometimes with conflicting guidance (e.g., FIPS-validated vs FIPS-compliant encryption requirements). There are multiple stakeholders that have to be identified and their roles understood:
If you take the time to read through ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that are required to protect ITAR/EAR data. This is where NARA comes into play through its authority to operate the US Government's Controlled Unclassified Information (CUI) Program, where "export controlled" information has its own unique CUI category - https://www.archives.gov/cui/registry/category-detail/export-control.html.
ITAR/EAR CUI Category: Export Controlled (CUI//SP-EXPT)
NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.
Minimum Cybersecurity Requirements for ITAR / EAR
While it might be possible that there is some ITAR/EAR that falls outside of NARA's classification of "export-controlled" information, the reality is NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason that NIST SP 800-171 is considered a "minimum" is that the controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.