
CMMC Assessments and the Hidden Risk of ITAR Violations

By: Olga Torres, Managing Member
Date: 05/28/2026

For many contractors within the Defense Industrial Base, Cybersecurity Maturity Model Certification (CMMC) assessments are becoming far more than cybersecurity hygiene exercises. As companies strive to become CMMC compliant, they are increasingly uncovering facts suggesting potential violations of export control laws, including the International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls (DDTC) under the U.S. Department of State, and the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS) under the U.S. Department of Commerce.

CMMC assessments require organizations to identify where Controlled Unclassified Information (CUI) resides, who can access it, how it moves through the organization, and whether third parties or cloud providers may have visibility into sensitive information. For companies handling ITAR technical data, these discoveries can create significant legal exposure extending well beyond cybersecurity compliance concerns. A company may successfully implement many NIST SP 800-171 controls, as required by the Defense Federal Acquisition Regulation Supplement (DFARS), and still face substantial liability under the ITAR or EAR if controlled technical data or technology has been exported or accessed without authorization.

Why CMMC Reviews Are Uncovering Export Compliance Problems

CMMC assessments force organizations to undertake detailed operational reviews that many companies have historically avoided or only performed superficially. In practice, these reviews often reveal that export-controlled data has been stored in commercial cloud environments, accessed by foreign-person administrators, or transmitted through collaboration tools and remote access systems without adequate export control guardrails. For example, defense contractors sometimes discover that foreign parent company personnel or offshore managed service providers have maintained administrative access to systems containing export-controlled information for years.

Other organizations uncover more fundamental problems involving data classification itself. During CMMC scoping exercises, companies sometimes realize they never properly distinguished between ordinary CUI and ITAR or EAR-controlled data. As a result, sensitive export-controlled information may have been handled under policies designed for cybersecurity compliance, but not necessarily for export control compliance. These issues frequently emerge because CMMC implementation efforts require a level of visibility into technical environments that many organizations previously lacked.

What Companies Should Do After Discovering a Potential Export Control Violation

When a CMMC assessment reveals facts suggesting a possible export control violation, organizations should proceed carefully and deliberately. Initial reactions often shape both the scope of the investigation and the company’s ultimate regulatory exposure.

The first priority should be preserving relevant evidence and understanding the factual circumstances before making broad operational changes. System logs, access records, audit trails, communications, cloud configuration records, and contractual documentation may all become important in determining whether an export occurred. Companies should avoid impulsive remediation measures that could inadvertently destroy evidence or complicate later forensic analysis.

At the same time, organizations must evaluate whether unauthorized access remains ongoing. If foreign person access to ITAR-controlled technical data is continuing, interim containment measures may be necessary. Depending on the circumstances, this could involve restricting administrative privileges or firewalling affected systems while the company conducts a more thorough review.
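The two steps above, preserve first and then contain, can be supported by a small script. The following is an added example, not code from this article or from the firm; the artifact names, account names, systems, and the us_person/location/active fields in the access inventory are constructed assumptions standing in for what a combined HR and identity-management export would contain. It records a SHA-256 manifest of log and configuration artifacts before any remediation touches them, can later prove those artifacts were not altered, and separates foreign-person access to ITAR systems into ongoing access (candidates for interim restriction) and historical access (relevant to the scope of the review).

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample artifacts: the kinds of material the article says to preserve
# (system logs, access records, cloud configuration exports) before remediation.
SAMPLE_ARTIFACTS = {
    "fileshare-access.log": b"2026-05-01T09:14:02Z msp-ops-03 READ /itar/drawings/assy-1042.pdf\n",
    "iam-admins.json": b'{"eng-fileshare-01": ["jdoe", "msp-ops-03"]}\n',
}

# Constructed access inventory for systems holding ITAR technical data.
# us_person / location / active are assumed fields; real values come from HR and IAM.
ACCESS_INVENTORY = [
    {"account": "jdoe", "system": "eng-fileshare-01", "role": "admin",
     "us_person": True, "location": "US", "active": True},
    {"account": "msp-ops-03", "system": "eng-fileshare-01", "role": "admin",
     "us_person": False, "location": "IN", "active": True},
    {"account": "parentco-it", "system": "plm-server", "role": "admin",
     "us_person": False, "location": "DE", "active": False},
    {"account": "asmith", "system": "plm-server", "role": "user",
     "us_person": True, "location": "US", "active": True},
]
ITAR_SYSTEMS = {"eng-fileshare-01", "plm-server"}


def preserve_evidence(artifacts):
    """Hash every artifact before anything is changed, so later analysis can
    show the evidence is the same material that existed at discovery."""
    recorded_at = datetime.now(timezone.utc).isoformat()
    manifest = []
    for name, content in sorted(artifacts.items()):
        manifest.append({
            "artifact": name,
            "sha256": hashlib.sha256(content).hexdigest(),
            "bytes": len(content),
            "recorded_at": recorded_at,
        })
    return manifest


def verify_manifest(manifest, artifacts):
    """True only if every artifact in the manifest is still present and unchanged."""
    for entry in manifest:
        content = artifacts.get(entry["artifact"])
        if content is None:
            return False
        if hashlib.sha256(content).hexdigest() != entry["sha256"]:
            return False
    return True


def find_foreign_person_access(inventory, itar_systems):
    """Split non-U.S.-person access to ITAR systems into ongoing and historical."""
    ongoing, historical = [], []
    for entry in inventory:
        if entry["system"] in itar_systems and not entry["us_person"]:
            (ongoing if entry["active"] else historical).append(entry)
    return ongoing, historical


def containment_candidates(inventory, itar_systems):
    """Accounts whose foreign-person access to ITAR systems is still active and
    should be reviewed for interim restriction (after evidence is preserved)."""
    ongoing, _ = find_foreign_person_access(inventory, itar_systems)
    return sorted({entry["account"] for entry in ongoing})


if __name__ == "__main__":
    manifest = preserve_evidence(SAMPLE_ARTIFACTS)
    for entry in manifest:
        print(f"{entry['artifact']}: sha256={entry['sha256']} bytes={entry['bytes']}")
    ongoing, historical = find_foreign_person_access(ACCESS_INVENTORY, ITAR_SYSTEMS)
    print("ongoing foreign-person access:", [e["account"] for e in ongoing])
    print("historical foreign-person access:", [e["account"] for e in historical])
    print("containment review candidates:", containment_candidates(ACCESS_INVENTORY, ITAR_SYSTEMS))
```

The ordering matters: the manifest is written before `containment_candidates` is acted on, so disabling an account or rotating a log afterwards cannot silently change the record the investigation relies on. Historical access is kept separate rather than dropped, because the duration and scope of past exposure is part of the fact pattern counsel will need.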

Importantly, these matters should generally be investigated under attorney-client privilege with the involvement of counsel experienced in export controls and national security compliance. Determining whether an export violation occurred requires a highly fact-specific legal analysis involving the nature of the data, the nationality and location of individuals with access, applicable licensing requirements, and whether any exemptions or exceptions may apply.

Voluntary Self-Disclosures and Agency Expectations

One of the most consequential questions following discovery of a potential ITAR or EAR violation is whether the company should submit a voluntary disclosure to the DDTC or a voluntary self-disclosure with BIS.

Not every technical violation necessarily warrants disclosure, and not every compliance gap identified during a CMMC review will rise to the level of an actionable export violation. However, the export agencies have consistently emphasized the importance of timely and comprehensive disclosures where unauthorized exports may have occurred. Importantly, in some cases, disclosure of ITAR violations to DDTC is mandatory. (For more information on mandatory ITAR disclosures, see our previous article, Understanding ITAR Mandatory Disclosures and the “Duty to Inform” DDTC.) Companies that discover potential violations through internal reviews, audits, or compliance assessments and fail to adequately investigate or disclose them may face substantially greater enforcement risk later.

The decision whether to disclose requires careful legal and strategic analysis. DDTC and BIS will often evaluate the nature and sensitivity of the technical data/technology involved, the number and nationality of foreign persons with access, whether the conduct was systemic, the duration of the exposure, and whether the company implemented meaningful corrective actions once the issue was discovered. For further information on voluntary disclosures to DDTC, BIS, and other regulatory agencies involved in international trade and national security, see the Torres Voluntary Self-Disclosure Handbook.

Remediation Must Extend Beyond Cybersecurity Controls

One recurring mistake companies make after discovering potential export violations during CMMC assessments is treating the issue solely as a technical cybersecurity problem. While implementing additional security controls may be necessary, remediation must also address the underlying export compliance deficiencies.

In many cases, organizations need to revisit (and revise) Technology Control Plans, foreign-person access restrictions, export classification procedures, vendor oversight mechanisms, and internal governance structures. Cloud architectures may require redesign, administrative access models may need restructuring, and data segregation practices may need substantial improvement.

Training also becomes critical. Many IT personnel, system administrators, and cybersecurity teams lack detailed familiarity with export control requirements and may not recognize when routine technical activities implicate the ITAR or EAR. As cybersecurity and export compliance obligations continue to converge, companies increasingly need integrated compliance programs rather than isolated legal and IT functions operating independently.

***

In many respects, CMMC assessments now function as stress tests not only for cybersecurity programs, but for the overall integrity of a company’s national security compliance framework. For that reason, CMMC compliance efforts should be coordinated closely with export compliance personnel and experienced counsel. If you have any questions regarding CMMC assessments or ITAR compliance, or if you believe you have discovered an export control violation, please do not hesitate to contact me.
