Cybersecurity Requirements: ITAR vs EAR vs FAR vs DFARS

It is common to have questions pertaining to cybersecurity requirements for International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), since ITAR, EAR, FAR and DFARS each serve different regulatory masters, sometimes with conflicting guidance (e.g., FIPS-validated vs FIPS-compliant encryption requirements). There are multiple stakeholders that have to be identified and their roles understood:



If you take the time to read through ITAR/EAR requirements, you will not find a specified set of cybersecurity controls that are required to protect ITAR/EAR data. This is where NARA comes into play through its authority to operate the US Government's Controlled Unclassified Information (CUI) Program, where "export controlled" information has its own unique CUI category -

ITAR/EAR CUI Category:  Export Controlled (CUI//SP-EXPT) 

NARA Definition: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.

Minimum Cybersecurity Requirements for ITAR / EAR 

While it might be possible that there is some ITAR/EAR that falls outside of NARA's classification of "export-controlled" information, the reality is NIST SP 800-171 CUI and Non-Federal Organization (NFO) controls are the minimum cybersecurity requirements for ITAR/EAR due to NARA's CUI Notice 2020-04. However, it is important to understand that NIST SP 800-171 will not address an organization's need for a broader export control program that governs how ITAR/EAR compliance is administered (e.g., registering for licenses, maintaining records, disclosures, etc.). The reason that NIST SP 800-171 is considered a "minimum" is that the controls may not be sufficient to address your organization's specific risk profile, so additional administrative, technical and physical controls may be necessary to become both secure and compliant.



Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP)


    Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy What Is The Digital Security Program (DSP)? The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-three (33) domains that defines a...

    Choose Options

Find Out Exclusive Information On Cybersecurity