In the alphabet soup of acronyms you need to be familiar with as a defense contractor, two terms stand out: Controlled Unclassified Information (CUI) and International Traffic in Arms Regulations (ITAR). Is ITAR data always CUI? What about the opposite? Keep reading to discover the answers to these questions.
What Is CUI?
Controlled Unclassified Information, or CUI, is information created by the U.S. government or on behalf of the U.S. government that doesn’t warrant classification as Classified National Security Information but still requires protection.
All CUI falls into one of two categories: CUI Basic or CUI Specified. CUI Basic does not have specific handling or dissemination controls. CUI Specified, on the other hand, has specific handling controls that differ from those for CUI Basic.
There are two online sources you need to check out if you are a Defense contractor looking to make sense of CUI:
What Is ITAR?
The International Traffic in Arms Regulations (ITAR) is a set of rules for the manufacture, export, and temporary import of defense articles and services.
So far so good. But what are “defense articles,” exactly? When it comes to ITAR, defense articles are those defined by the United States Munitions List (USML), in its 21 highly specific categories:
- Firearms and related articles
- Guns and armament
- Ammunition and ordnance
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives and energetic materials, propellants, incendiary agents, and their constituents
- Surface vessels of war and special naval equipment
- Ground vehicles
- Aircraft and related articles
- Military training equipment and training
- Personal protective equipment
- Military electronics
- Fire control, laser, imaging, and guidance equipment
- Materials and miscellaneous articles
- Toxicological agents, including chemical agents, biological agents, and associated equipment
- Spacecraft and related articles
- Nuclear weapons related articles
- Classified articles, technical data, and defense services not otherwise enumerated
- Directed energy weapons
- Gas turbine engines and associated equipment
- Submersible vessels and related articles
- Articles, technical data, and defense services not otherwise enumerated
ITAR implements section 38 of the Arms Export Control Act (AECA), which gives the president the authority to control the commercial export of defense articles and defense services described on the USML.
Together with Export Administration Regulations (EAR) data, ITAR data falls within the category of export-controlled information. In other words, both are information regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.
It’s important to note that for compliance purposes, the term “export” doesn’t refer only to the physical transportation of items outside the United States.
An “export” occurs when controlled technical data is shipped, transmitted, or shared in any form or format, including oral, written, physical observation, email, phone, fax, etc., to persons in foreign countries or foreign nationals in the United States.
If you want to take a deep dive into ITAR, check out parts 120-130 of Title 22 of the Code of Federal Regulations (CFR); the United States Munitions List is part 121.
Is ITAR Data CUI?
This is a common question, probably due to the similarities between ITAR information and CUI. After all, both terms are associated with the protection of data that the U.S. government deems valuable.
However, the short answer is that not all ITAR data is CUI, and not all CUI is ITAR. Let’s see what this means.
Some ITAR data is CUI. In fact, if you check the CUI Registry, you will find that it contains a category called “Export Control.”
However, not all ITAR data is CUI because, as we mentioned earlier, CUI is information generated by or on behalf of the U.S. government. In other words, CUI is created for or included in requirements related to a government contract. ITAR data, by contrast, can be created by companies without contracts with the government.
Finally, not all CUI is ITAR data. To corroborate this, all you have to do is take a look at the CUI Registry: “Export Control” is just one among many other CUI categories.
Protecting ITAR Data With Microsoft
If you handle ITAR data, Microsoft GCC High is one of your best options to achieve compliance — and remain compliant.
Microsoft has four cloud offerings: Microsoft 365 “Commercial,” Microsoft 365 U.S. Government (GCC), Microsoft 365 Government (GCC High), and Microsoft 365 Government (DoD).
Of these, only GCC High and DoD meet the requirements to handle ITAR or EAR data. With Microsoft DoD being reserved for the Department of Defense, GCC High is the go-to option for many contractors.
But what makes GCC High such a great option for handling ITAR data? The reason is that both Microsoft 365 GCC High and DoD offer data sovereignty.
Simply put, this means that these two cloud offerings feature servers located in the United States and managed by screened U.S. persons only.
Now, why does this matter? Remember: from a compliance standpoint, export-controlled information is data that can’t be shared in any form or format with foreign nationals, even if they live in the United States.
To learn more about data sovereignty and GCC High, check our blog “GCC High and CMMC: What You Need To Know” and our GCC High Buyers Guide.
Need To Achieve ITAR Compliance? We Are Here To Help
Whether it’s CMMC, NIST 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
We are the perfect choice for contractors with 5 to 50 seats thanks to our customer-centric approach, responsive staff, and 0% interest payment plans.