FAQ: Is ITAR and EAR also CUI?

Why do ITAR and EAR-Restricted Items Qualify as CUI on U.S. DoD Contracts? (Advanced Version)

Prepared by DTC Global.us for CUI Suppy.com

Summary:

A common misconception is that ITAR or EAR compliance is separate from CUI or CMMC. Export-controlled information that is used, generated, or required for performance of a DoD contract qualifies as CUI. This FAQ answer offers authoritative, cited guidance from key regulations (32 CFR Part 2002, DoD Instructions 5200.48 and 5230.24, NARA CUI Registry) to ensure proper identification, marking, and facility-based protections of this highly regulated technical information.

For DoD contractors, export-controlled technical data and technology under ITAR and EAR qualify as Controlled Unclassified Information (CUI) in the Export Control (EXPT) category when provided by or generated during DoD contract performance, requiring proper CUI marking (e.g., DoD marking guidance) on all documents, files, and media to prevent unauthorized disclosure.

This same information demands robust safeguarding through designated CUI Zones—controlled physical and digital areas (such as engineering offices, manufacturing floors, quality/test labs, and visitor access points) equipped with signage, labeling, access controls, and visual/perceptual barriers to protect against inadvertent exposure to unauthorized persons, including foreign nationals restricted under ITAR/EAR. These marking and zoning requirements are integral to DFARS 252.204-7012 and CMMC compliance, combining ITAR/EAR access restrictions with CUI safeguarding obligations; failing to treat them as unified can lead to compliance gaps and contract risks.

On U.S. Department of Defense (DoD) contracts, technical data and technology controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) qualify as Controlled Unclassified Information (CUI) when they are used, generated, or handled in support of contract performance.

This is because DoD policy explicitly requires that export-controlled information be protected as CUI to prevent unauthorized disclosure, including disclosure to unauthorized foreign persons. When implementing DFARS 252.204-7012 and preparing for CMMC certification you must implement DoD policy. See DoD Procurement Toolbox, Cybersecurity FAQ #22.and Question #28.

Citation:

22 CFR Parts 120–130 – International Traffic in Arms Regulations (ITAR)
15 CFR Parts 730–774 – Export Administration Regulations (EAR)
National Archives (NARA) – CUI Registry (Export Control / EXPT)
DFARS 252.204-7012(b)
32 CFR § 2002.4(b) enabling authority for (DoD) Agency policies on CUI handling and marking
DoD Procurement Toolbox, Cybersecurity FAR #22 and #28
DoD Instruction 5230.24
DoD Instruction 5200.48

Why This Matters for Defense Contractors

A common misconception is that ITAR or EAR compliance is separate from CUI or CMMC. In reality:

DFARS 252.204-7012 applies to any category of CUI that is provided by or generated on behalf of DoD in performance of a contract or subcontract.
ITAR / EAR determine access eligibility.
CUI determines safeguarding requirements and specific DoD guidance in relevant policies.

If an organization:

Designs or manufactures defense articles (ITAR)
Handles export-controlled drawings or specifications. (ITAR/EAR restricted categories)
Produces technical data or technology under a DoD contract. (ITAR/EAR restricted categories)

...then that information must be treated as CUI, including compliance with physical, visual, procedural, and information-system safeguards.

Citation:

22 CFR Parts 120–130 – International Traffic in Arms Regulations (ITAR)
15 CFR Parts 730–774 – Export Administration Regulations (EAR)
National Archives (NARA) – CUI Registry (Export Control / EXPT)
DFARS 252.204-7012(b)
DoD Procurement Toolbox, Cybersecurity FAQ #22 and #28
DoD Instruction 5230.24
DoD Instruction 5200.48

The Governing Principle

Export-controlled information that is used, generated, or required for performance of a DoD contract qualifies as CUI.

Export-controlled information + DoD contract performance = CUI.

Export-control regimes (ITAR and EAR) define who may access the information, while the CUI framework defines how that information must be safeguarded. This relationship is established in federal regulation and DoD-wide policy. See DoD Instruction 5230.24

Citation:

32 CFR § 2002.4(b) enabling authority for (DoD) Agency policies on CUI handling and marking
DoD Procurement Toolbox, Cybersecurity FAR #22 and #28
DoD Instruction 5230.24
DoD Instruction 5200.48

Regulatory Basis for ITAR / EAR as CUI

CUI Is Defined by Law, Regulation, or Government-Wide Policy

32 CFR § 2002.4(a) establishes that information qualifies as CUI when:

“Laws, regulations, or Government-wide policies require or permit agencies to control the dissemination of information.” Export-controlled information meets this standard because ITAR and EAR legally restrict dissemination and access.

Citation:

32 CFR § 2002.4(a)

Export-Controlled Information Is an Explicit CUI Category

The CUI Registry designates Export-Controlled (EXPT) information as a valid CUI category, covering:

ITAR-controlled technical data
EAR-controlled technology

When such information is associated with DoD contracts, it is handled as CUI/EXPT, often overlapping with Controlled Technical Information (CTI).

Citations:

32 CFR § 2002.4(f)
National Archives, CUI Registry – Export Control (EXPT)

DoD Policy Requires Export-Controlled Technical Data to Be Protected as CUI

DoD Instruction 5200.48 explicitly states that Controlled Technical Information (CTI)—including export-controlled technical data—must be safeguarded to prevent unauthorized disclosure.

CTI includes:

Engineering drawings
Technical data packages
Manufacturing and process data
Specifications, tolerances, and analyses

These materials are often visually and perceptually discernible, which is why physical, visual, and environmental controls are required.

Citations:

DoDI 5200.48, Controlled Unclassified Information
DoDI 5230.24, Distribution Statements on Technical Documents

Contractor-Generated Export-Controlled Data Is Still CUI

CUI is not limited to Government-furnished information. When a contractor generates technical data under a DoD contract—and that data meets a CUI category definition such as CTI or EXPT—it is CUI by virtue of contract performance and lawful government purpose. The technical data documents and package required to be provided or archived in performance of the DFARS 252.204-7012 and DFARS 252.204-7021 contracts is CUI and should be marked and handled accordingly because the relationship between regulatory requirements, technical information, DFARS contract clauses, and US DoD policy.

Citations:

32 CFR § 2002.4(h) (CUI/Lawful Government Purpose)
DFARS 252.204-7012(b)
DoDI 5200.48

DFARS Confirms Safeguarding Obligations for CUI on DoD Contracts

When DFARS 252.204-7012 is present, contractors are required to identify, mark*, safeguard, and report incidents involving CUI processed or stored in support of contract performance.

Export-controlled technical data handled under the contract falls within this safeguarding obligation.

Citation:

DFARS 252.204-7012(b)
DoD Procurement Toolbox, Cybersecurity FAQ #22 and #28
DoD CUI Marking Training Aid (Dec 2024) DOPSR 25-P-0275 *“While baseline CUI mapping is derived from the CUI Registry, the Department of Defense has issued additional implementation guidance for CUI marking through the DoD CUI Marking Training Aid (Dec 2024). This guidance is issued pursuant to DoD’s authority under 32 CFR § 2002.4(b) and 32 CFR § 2002.20, and is applied contractually through DFARS 252.204-7012 when included in a contract or subcontract.”

CUI Supply Application

CUI Supply products support compliance by helping organizations clearly identify and protect export-controlled CUI during the performance of the contract in controlled environments or CUI zones such as:

Engineering offices
Manufacturing floors
Quality and test areas
Visitor and customer access zones

Through signage, labeling, zoning, and visual-control mechanisms, CUI Supply helps prevent unauthorized disclosure of ITAR- and EAR-restricted information, aligning day-to-day operations with DoD CUI and export-control requirements.

Authoritative References

32 CFR Part 2002 (f)(h)– Controlled Unclassified Information
DoDI 5200.48 – Controlled Unclassified Information, Glossary
DoDI 5230.24 – Distribution Statements on Technical Documents
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
22 CFR Parts 120–130 – International Traffic in Arms Regulations (ITAR)
22 CFR § 123.9(b) — Authorization and Conditions for Exports
22 CFR § 123.9(b) and 22 U.S.C. § 2778 (AECA)
15 CFR Parts 730–774 – Export Administration Regulations (EAR)
National Archives (NARA) – CUI Registry (Export Control / EXPT)

Disclaimer

This material is provided for general informational and educational purposes only and does not constitute legal advice, export control advice, cybersecurity advice, or a definitive compliance determination.

The identification and handling of Controlled Unclassified Information (CUI), including export-controlled technical data subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR), is fact-specific and contract-dependent. Obligations may arise from statutes, regulations, DoD policy, contract clauses, program direction, or written Government authorization.

Organizations are responsible for reviewing their specific contracts, regulatory obligations, and applicable Government guidance, and for consulting with qualified legal counsel, export compliance professionals, or contracting officers as appropriate.

Use of CUI Supply products or materials does not by itself ensure compliance with CUI, export control, DFARS, or CMMC requirements. You can do this. Roll up your sleeves and get to work. Our mission is to help YOU #ProtectCUI

Back to blog