ECI Software Solutions offers JobBOSS² and M1, cloud-based manufacturing ERP solutions designed to align with International Traffic in Arms Regulations (ITAR) and Cybersecurity Maturity Model Certification (CMMC) compliance and to meet those proposed standards.
These are cloud-based platforms that help our customers maintain compliance with the and now with CMMC.
There is still confusion in the small-to-midsize manufacturing sector about compliance with ITAR and the CMMC. The latter is a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. Though the Department of Defense (DoD) publishes each contractor’s maturity levels and progress with the framework, unlike ITAR, the CMMC is not yet a fully scoped regulation, nor is compliance or certification mandatory.
Take a look at what manufacturers need to understand about each of these sets of standards.
International Traffic in Arms Regulations (ITAR) is a set of U.S. government rules, first implemented in 1976, that control the import and export of various technologies, services, and articles on the U.S. Munitions List. If your company manufactures or exports defense articles, you are currently (as of 2022) required by law to be compliant with the regulations. This includes having an ITAR program in place and registering with the DDTC (Directorate of Defense Trade Controls). The DDTC ensures ITAR compliance through civil enforcement of the regulations and coordination with law enforcement regarding criminal violations.
When the DDTC discovers potential ITAR violations, it reviews voluntary disclosures regarding potential violations and issues disclosure requests to the organization. DDTC reviews approximately 1,000 compliance-related matters each year. DDTC generally works with industry organizations to help them ensure compliance, but violations potentially harmful to national security have resulted in civil penalties. These include fines from the U.S. Treasury and a Consent Agreement covering enhanced compliance measures, ongoing monitoring, and a set of specific conditions that must be met. To date, 57 ITAR consent agreements have been issued.
In essence, manufacturers and job shops that do business with the DoD are bound by law to the regulations set forth in the ITAR.
JobBOSS² and M1 are available with ITAR-compliant platforms for any US aerospace and defense manufacturer who needs to securely access business data from anywhere. Our solution and internal experts can help you avoid potentially costly and disruptive compliance failures.
The Cybersecurity Maturity Model Certification (CMMC) is a developing framework for the enforcement of the Department of Defense’s Defense Federal Acquisition Regulation Supplement (DFARS) requirements. These cybersecurity requirements were first implemented in 2017 to provide security protection for certain types of unclassified information. The CMMC program was introduced in 2020 to formalize the most up-to-date security measures and to associate different practices with maturity “levels” based on complexity and importance.
Any manufacturer or job shop that wants to do business with the Department of Defense must meet at least all the provisions of the basic maturity level “Tier 1” of the CMMC program. This isn’t a law, but a basic requirement to do business. The DoD publishes maturity levels without detail about organizations’ strengths or deficiencies. The aims of the CMMC are to cut red tape for small-to-midsize businesses, to set priorities for protecting classified information, and to reinforce cooperation between the DoD and industry in protecting against cyber threats.
Where is the program headed? In the coming years, the DoD aims to have qualified and accredited third-party organizations audit and establish the maturity levels contractors and subcontractors have achieved, with the first date set around Q2 of 2023. This will be determined by the number of prescribed controls, practices, and processes they use. What is currently mandatory in order to be awarded a contract by the DoD is simply proof of adequate security controls for the contract’s maturity requirements.
In essence, there is plenty of variability built into this nascent, evolving system and there are no regulations yet on how the DoD treats cases of non-compliance.
In response to the ongoing CMMC 2.0 rulemaking process and the expected implementation of CMMC 2.0 compliance requirements, ECI has adopted a proactive approach to ensure that JobBOSS² and M1 ERP are able to integrate seamlessly with our customers’ contractual requirements and overall CMMC implementation strategy. As a result of multiple comprehensive third-party readiness assessments, ECI’s JobBOSS² and M1 ERP are designed to comply with CMMC 2.0 standards, including those necessary for receiving and safeguarding CUI (and other sensitive information) in an ITAR-compliant environment.
ECI Manufacturing is dedicated to serving our customers in the Aerospace, Defense, and Government sectors, with ITAR compliance being a prominent step in that direction. ECI will be looking towards supporting our customers as additional regulations like CMMC become clear, solidified, and enforced.