If you handle defense work, you already know that ITAR (International Traffic in Arms Regulations) and CUI (Controlled Unclassified Information) often come up in the same conversation. They overlap, but they are not the same thing.
This post explains when ITAR-controlled information must also be handled as CUI and when it stands alone under export control.
Oh yeah — I am not a lawyer. Always discuss ITAR with your legal counsel before making compliance decisions.
Understanding the Basics
ITAR (International Traffic in Arms Regulations)
ITAR governs defense articles, defense services, and related technical data listed on the USML (United States Munitions List). It restricts who can access that data and how it can be stored, transmitted, or exported.
CUI (Controlled Unclassified Information)
CUI is a standardized federal program established by Executive Order 13556 and implemented under 32 CFR Part 2002. It applies to unclassified information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, when a law or policy requires safeguarding or limits dissemination.
CUI defines how and when that control must be applied in the federal system.
ITAR defines what must be controlled under export law.

ITAR data becomes CUI when 2 conditions are met:
- It is subject to export control under ITAR or a related law, and
- It was created or possessed by the U.S. Government, or for or on behalf of the Government.
When these conditions exist, the data falls under the CUI Specified (SP-EXT) category in the NARA CUI Registry. This designation is part of the Export Controlled category.
Example: ITAR Data That Is CUI
Controlled Technical Information (CTI) under a DoD contract:
A defense contractor develops engineering drawings and specifications for a component listed on the USML as part of a DoD deliverable. Because it is both ITAR-controlled and created for the government, it qualifies as CUI.
Why it qualifies:
- The information is export-controlled under ITAR.
- It was created for the DoD under contract.
- It must be handled as CUI Specified (Export Controlled) under DoD Instruction 5200.48.
Marking requirements:
- Include CUI in the banner and footer.
- Add a CUI designation block on the first page listing the authority, category (CTI or Export Controlled), and a point of contact.
- Apply a Distribution Statement (typically C, D, or E) identifying Export Controlled as the reason for restriction.
Safeguarding requirements:
- These requirements are flowed down through DFARS 252.204-7012.
- Systems storing or transmitting this data must comply with NIST SP 800-171 controls.
How to Determine if Information Is ITAR-Controlled
Defense Articles or Technical Data
- Is the information tied to an item on the USML (22 CFR Parts 120–130)?
- Does it involve the design, production, testing, or operation of a defense article?
Export Restrictions
- Does a foreign person need a license or TAA (Technical Assistance Agreement) to access it? If so, ITAR applies.
Military or Space Application
- Can the information be used or adapted for a military or space purpose?
If the answer to any of these questions is yes, the information is ITAR-controlled.
When ITAR Data Is Not CUI
Not all ITAR-controlled data meets the definition of CUI. The distinction depends on the federal relationship.
Example: ITAR Data Not Considered CUI
A manufacturer develops CAD models and testing data for a USML-listed sensor using private funds. The data remains in-house and is not part of any federal contract. It is ITAR, but it is not CUI.
1. Company IP with No Federal Nexus
A company designs a USML-listed component using its internal IR&D funds. The data is export-controlled but has never been shared with or created for the U.S. Government.
- Status: ITAR-controlled, not CUI
- Handling: Comply with ITAR restrictions on access and export, but the CUI Program does not apply
2. Public or Classified Exceptions
- If the data is lawfully public, it is neither ITAR nor CUI.
- If the data is classified, it is handled under classified rules, not the CUI framework.
How to Tell the Difference
| Relationship | ITAR Status | CUI Status | Notes |
|---|---|---|---|
| Government-created or government-owned ITAR data | ITAR-controlled | CUI (Export Controlled) | Must be marked under DoDI 5200.48 |
| Contractor-created ITAR data for a DoD contract | ITAR-controlled | CUI (Export Controlled) | Treated as Controlled Technical Information |
| Contractor-created ITAR data for internal R&D | ITAR-controlled | Not CUI | Still export-controlled under ITAR |
| Publicly available technical data | Not ITAR | Not CUI | Outside both programs |
Common Mistakes Companies Make
- Treating all ITAR data as CUI without verifying a government relationship
- Missing CUI markings on deliverables that clearly qualify
- Assuming unmarked data cannot be CUI
- Storing ITAR or CUI data in cloud services that are not FedRAMP Moderate authorized
- Sharing export-controlled data with subcontractors who lack ITAR authorization or CUI-compliant systems
- Skipping employee training on recognizing and handling export-controlled data
Real-world example: a subcontractor stored ITAR-controlled design files in a personal cloud drive. The system was not FedRAMP compliant and had no access logging. During a DFARS review, the prime contractor could not prove proper safeguarding and lost the ability to bid until remediation was complete.
Quick Decision
- ITAR plus Government relationship equals CUI (Export Controlled)
- ITAR without Government relationship equals Not CUI but still export-controlled
- No ITAR equals check other CUI categories such as EAR
Compliance Checklist
- Verify ITAR applicability using the USML.
- Determine if the data was created for or on behalf of the Government.
- If yes, mark and handle as CUI Specified (Export Controlled).
- Implement NIST SP 800-171 security controls on nonfederal systems.
- Apply Distribution Statements and Limited Dissemination Controls such as NOFORN when required.
- If the data is ITAR-only, enforce export control safeguards but skip CUI markings.
Why This Matters
Getting this distinction right affects your scope, compliance posture, and contract eligibility. Over-marking creates unnecessary CUI management overhead. Under-marking can lead to noncompliance, export control violations, or assessment findings.
Before labeling data, confirm both the regulatory source (ITAR) and the government relationship (CUI). Document your reasoning and keep evidence of your decision. Assessors will look for that documentation during your CMMC readiness review.
Helpful Resources
- NARA CUI Registry — Export Control Category
- DoD CUI Guidance — Export Controlled Information
- 22 CFR 120–130 — ITAR Regulations
- DFARS 252.204-7012 Clause
- NIST SP 800-171 Publication
Acronyms in This Post
| Acronym | Meaning |
|---|---|
| CAD | Computer-Aided Design |
| CTI | Controlled Technical Information |
| CUI | Controlled Unclassified Information |
| DFARS | Defense Federal Acquisition Regulation Supplement |
| DoD | Department of Defense |
| IR&D | Independent Research and Development |
| ITAR | International Traffic in Arms Regulations |
| NARA | National Archives and Records Administration |
| NIST SP 800-171 | Protecting CUI in Nonfederal Systems and Organizations |
| NOFORN | Not Releasable to Foreign Nationals |
| TAA | Technical Assistance Agreement |
| USML | United States Munitions List |
