Back in 2018, we published a blog post breaking down the basics of ITAR compliance: what it means to register with the Directorate of Defense Trade Controls (DDTC), how to think about access controls and data transmission, and why “ITAR certification” is really a misnomer for ongoing regulatory compliance. That guidance still holds up. But the world around it has changed significantly.
Since then, the regulatory landscape for defense contractors has grown substantially more complex. The U.S. Munitions List has been revised multiple times. CMMC enforcement is now a contractual reality. Penalties for noncompliance have climbed to historic levels. And the way organizations handle Controlled Unclassified Information (CUI) has become a central compliance question—one that sits right at the intersection of ITAR and CMMC.
This post is an update. It revisits the core ITAR compliance requirements from our 2018 piece, incorporates recent regulatory changes, and explains why the CUI enclave model—introduced in our recent blog on Sharetru’s new enclave controls—is now one of the most practical architectural approaches for defense contractors juggling both ITAR and CMMC obligations.
A Quick Refresher: ITAR Compliance Basics
The fundamentals haven’t changed: ITAR continues to govern the export and import of defense-related articles, services, and technical data listed on the United States Munitions List (USML). If your organization manufactures, exports, or brokers items on the USML, you are required to register with the DDTC and comply with the full scope of ITAR regulations.
As we noted in 2018, there is no formal “ITAR certification.” You don’t receive a certificate from any organization. Instead, you register with DDTC (as a manufacturer or exporter under Part 122, or as a broker under Part 129), comply with the regulations that apply to your operations, and obtain a license or other DDTC authorization for those ITAR-regulated activities that require one. As of January 2025, registration starts at $3,000 annually, and the renewal must be submitted 30 to 60 days before the current registration expires.
The three operational pillars we outlined in 2018 remain the foundation of ITAR compliance:
- Access Controls: Restricting who can access controlled information through user-specific credentials, role-based permissions, and physical security measures.
- Systems Management: Keeping systems patched and encrypted, and sanitizing storage media before reuse or disposal following NIST SP 800-88 guidelines.
- Data Transmission: Encrypting all transfers, monitoring network traffic, using firewalls and intrusion detection, and only sharing controlled data on a need-to-know basis.
These areas haven’t become less important. If anything, the enforcement environment has made them more critical than ever.
What’s Changed Since 2018
The last several years have brought a wave of regulatory updates that ITAR-subject organizations need to understand. Let's explore a few of those before we discuss where they overlap.
USML Revisions and Expansion
The State Department’s multi-year revision project, launched in March 2022, has been actively restructuring the ITAR to improve clarity and organization. In September 2022, the first update restructured Part 120 of the ITAR to better organize its definitions and purposes.
Most notably, the September 2025 final rule amended 15 of 21 USML categories—marking the first time in years that DDTC has expanded the USML’s coverage more than it reduced it. The revisions added newer technologies like advanced sensors, propulsion systems, and unmanned underwater vehicles while also removing outdated entries. Organizations need to carefully review whether their products have shifted into or out of ITAR jurisdiction as a result.
Additional updates have recognized new NATO members (Finland and Sweden) in country-related regulations and suspended the denial policy for Cyprus through September 2026.
Cloud Storage Clarification
The 2020 ITAR update made clear that a cloud platform does not become a DDTC-registered ITAR entity simply because customer ITAR technical data passes through it. When unclassified technical data is kept properly end-to-end encrypted and access is limited to authorized recipients, its transmission or storage is not treated as an export under 22 CFR § 120.54.
DDTC registration is generally tied to actually manufacturing, exporting or temporarily importing defense articles, furnishing defense services, or engaging in brokering activities. Because Sharetru’s role is to securely store and transmit encrypted customer data—not to perform those regulated activities—Sharetru is not required to register solely because ITAR data passes through the platform.
Escalating Enforcement and Penalties
The enforcement posture has intensified dramatically. Civil penalties now reach up to $1,271,078 per violation (or twice the transaction value, whichever is greater). Criminal penalties can mean fines up to $1,000,000 per violation and imprisonment for up to 20 years. In 2024, Raytheon agreed to pay over $950 million to resolve multiple investigations including ITAR violations. A 2023 enforcement action resulted in $27 million in fines for a single U.S. manufacturer. These are not abstract risks—they represent the current enforcement reality.
Since June 2023, the State Department has also been barring individuals convicted of violating the Arms Export Control Act from ITAR-related activities for a minimum of three years, adding personal liability to organizational risk.
CMMC Is Now a Contractual Reality
The CMMC final DFARS rule became effective November 10, 2025. For defense contractors handling CUI, this means a third-party assessment by a C3PAO is required wherever a contract specifies CMMC Level 2 (C3PAO); a self-assessment satisfies only those contracts that specify Level 2 (Self). Self-attestation alone is no longer sufficient for most contractors. CMMC is being phased into DoD contracts starting with major programs, and prime contractors are required to flow down the requirements to subcontractors.
Where ITAR Meets CUI: The Compliance Overlap Contractors Can’t Ignore
This is where the conversation has evolved most significantly since 2018. For many defense contractors, ITAR-controlled technical data is also CUI. Export-controlled information is explicitly listed as a category in the CUI Registry. That means a single document—say, a technical drawing for a defense component—can simultaneously trigger ITAR export control obligations and CMMC cybersecurity requirements.
Why Sharetru’s CMMC requirement is different as a cloud provider
As an External Service Provider (ESP) that is acting as a Cloud Service Provider (CSP), Sharetru is not evaluated under CMMC the same way as a typical non-cloud contractor environment. When CUI is processed, stored, or transmitted in a cloud environment, the governing requirement is FedRAMP Moderate or FedRAMP Moderate equivalency under DFARS 252.204-7012 and 32 CFR Part 170 (CMMC). In practice, that means the relevant cloud control framework maps to the FedRAMP Moderate baseline, which is aligned to NIST SP 800-53 Rev. 5.
Why FedRAMP Moderate is not the full ITAR answer
This is where it gets a little sticky. FedRAMP Moderate addresses the cloud security control baseline, but it does not by itself answer every ITAR handling question. ITAR is focused on whether technical data is exported, released, or made accessible to an unauthorized person. Under 22 CFR § 120.54, encrypted storage and transmission can avoid becoming a controlled export if the rule’s conditions are satisfied, but disclosures of unclassified technical data to foreign persons still require authorization unless an exemption or other authorization applies. That is why, for ITAR-sensitive use cases, the real questions are not just whether the environment meets FedRAMP Moderate, but also who can access the data, from where, and under what authorization model.
Sharetru Federal as “FedRAMP Moderate+”
That is why we sometimes describe Sharetru Federal as a “FedRAMP Moderate+” environment. Yes, it’s a made-up term, but it describes how the base cloud posture is built around the FedRAMP Moderate / NIST SP 800-53 Rev. 5 framework required for CSP support of CUI, and how, on top of that, Sharetru can support the stricter operational posture customers often want for ITAR-sensitive data, including U.S.-hosted and U.S.-person-administered handling models. If a customer has both CUI and ITAR-regulated technical data, it is important to identify those categories clearly, because the category of data drives which control framework applies and what additional handling restrictions may be needed.
The two frameworks address different dimensions of protection:
| ITAR | CMMC |
|---|---|
| Governs who is allowed to access defense-related technical data and where it can be stored or shared | Governs how CUI is technically protected, through the 110 security requirements of NIST SP 800-171 |
| Enforced by the State Department’s DDTC | Enforced by the DoD through contractual requirements |
| Restricts access by person status (U.S. persons only, absent a license or exemption) | Requires access control, encryption, audit logging, and incident response regardless of nationality |
| Penalties include civil fines up to $1.27M per violation, criminal prosecution, and debarment | Noncompliance means loss of DoD contract eligibility |
The critical point: an organization can be fully ITAR-compliant and still fail a CMMC Level 2 assessment, or vice versa. Neither framework substitutes for the other. Defense contractors must address both in tandem.
Why the Enclave Model Is the Answer for ITAR & CUI
This is where the CUI enclave concept becomes essential. As we detailed in our recent blog on Sharetru’s enclave capabilities, a CUI enclave is a defined, bounded environment where CUI is stored, processed, and shared—with controls that are well-documented, consistently enforced, and scoped specifically for CUI handling.
For ITAR-subject organizations, the enclave model solves two problems simultaneously:
1. It Contains the CMMC Assessment Scope
Every system that touches CUI is in scope for a CMMC assessment. If CUI is spread across email, shared drives, laptops, and personal cloud accounts, your entire enterprise becomes the assessment boundary. That’s expensive, operationally complex, and often impractical—especially for small and mid-sized defense contractors. An enclave lets you draw a hard line around a limited, well-controlled environment and defend that boundary instead of the whole enterprise.
2. It Enforces the ITAR Access Boundary
ITAR’s deemed export rule means that releasing controlled technical data to a foreign person, even an employee physically located in the United States, is an export to every country of which that person is a citizen or permanent resident. An enclave with properly configured access controls ensures that only authorized U.S. persons (or foreign persons covered by a license or exemption) can access ITAR-controlled data, and that every access event is logged and traceable.
What a Functional CUI Enclave Requires
An enclave isn’t just a label applied to a secure folder. It’s a set of enforceable properties that the environment must actually demonstrate:
| Property | What It Means |
|---|---|
| Access Control | Only authorized users can enter the enclave. Authentication, role-based permissions, and least-privilege access are enforced at the platform level. |
| Constrained Handling | Users can work with CUI but cannot export it without authorization. View-only access and download restrictions prevent unmanaged copies from leaving the boundary. |
| Audit Logging | Every action inside the enclave is logged and retained: who accessed what, when, and what they did. |
| Non-repudiation | Actions are tied to specific identities. Dynamic watermarking means that if a document appears outside the enclave, the copy can be traced back to the identity and access event that produced it. |
| Defined Operating Boundary | The enclave exists within a known, documented system boundary, typically a FedRAMP Moderate or High authorized environment. |
| Incident Response | The enclave operator can detect anomalous behavior, respond to incidents, and demonstrate that deviations from policy are identified and addressed. |
Each of these properties maps directly to specific NIST SP 800-171 and CMMC Level 2 control families, and each reinforces the ITAR obligation to restrict and track access to controlled data.
How Sharetru Fits: The Controlled Transfer Surface
Sharetru isn’t a collaboration platform—it’s the edge of the boundary. It’s where CUI enters and leaves your organization under controlled, auditable conditions. With the recent release of view-only access, dynamic watermarking, and granular folder permissions, Sharetru now delivers each of the enclave properties described above as a managed control surface.
Here’s how this maps to the dual ITAR/CMMC challenge:
- View-only access prevents unmanaged copies of controlled data from leaving the boundary—addressing both CMMC’s CUI flow controls (AC.L2-3.1.3) and ITAR’s requirement to prevent unauthorized exports.
- Dynamic watermarking creates accountability at the moment of access, tying every document view to a specific identity and traceable token—supporting CMMC audit requirements (AU.L2-3.3.1, 3.3.2) and enabling incident investigation under both frameworks.
- Granular folder permissions enforce least-privilege access at the folder level, ensuring that ITAR-controlled data is segregated and accessible only to authorized U.S. persons—mapping to multiple CMMC access control practices (AC.L2-3.1.1, 3.1.2, 3.1.5).
- FedRAMP Moderate authorization provides the documented operating boundary that an enclave requires, with continuous monitoring against NIST SP 800-53 controls, satisfying CMMC’s system security plan requirements and supporting the U.S.-hosted, U.S.-person-administered handling model that ITAR customers typically require.
In a typical workflow, your collaboration happens elsewhere—in Microsoft GCC, a VDI environment, or an internal file server. Sharetru is the controlled transfer surface where CUI crosses organizational lines (to vendors, subcontractors, customers, or auditors) with the right controls enforced at the point of exchange.
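To make the enclave properties above concrete, here is an added, simplified policy decision point written for this post; it is illustrative example code, not Sharetru’s implementation, and the folder ACL, the user and document records, the export-authorization table and the watermark key are all constructed sample values. It enforces the three decisions the enclave has to get right at the point of exchange: folder-level least privilege, the ITAR deemed-export check (a foreign person is denied unless an authorization is on file, while a non-ITAR CUI document is governed by role alone), and view-only-by-default handling (a download needs an explicit authorization). Every decision is appended to an audit log, and each permitted view is stamped with an HMAC-based watermark token that can later be traced back to the user, document and time, so that a page found outside the boundary can be attributed.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    us_person: bool          # ITAR "U.S. person": citizen, permanent resident or protected individual
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    folder: str
    itar: bool               # export-controlled technical data (also a CUI category)
    cui: bool


# Constructed sample policy: which roles may enter which folder (granular folder permissions).
FOLDER_ACL = {
    "/itar/propulsion": frozenset({"engineer"}),
    "/cui/program-x": frozenset({"engineer", "subcontractor"}),
}

# Constructed sample export authorizations: (user_id, doc_id) -> reference to the approval
# (a DDTC license or an internal release approval). The value is a hypothetical placeholder.
EXPORT_AUTH = {
    ("alice", "drawing-17"): "DSP-5-example",
}


class Enclave:
    """Minimal policy decision point with an audit log and traceable view watermarks."""

    def __init__(self, watermark_key: bytes):
        self._key = watermark_key
        self.audit_log: list[dict] = []
        self._watermarks: dict[str, tuple[str, str, str]] = {}

    def authorize(self, user: User, doc: Document, action: str) -> tuple[bool, str]:
        if action not in ("view", "download"):
            return False, "unknown action"
        # 1. Least privilege at the folder level.
        if not (user.roles & FOLDER_ACL.get(doc.folder, frozenset())):
            return False, "no folder permission"
        authorized = (user.user_id, doc.doc_id) in EXPORT_AUTH
        # 2. Deemed export: any release of ITAR data to a foreign person needs a license or exemption.
        if doc.itar and not user.us_person and not authorized:
            return False, "ITAR: foreign person without export authorization"
        # 3. View-only by default: a copy leaves the boundary only under an authorization.
        if action == "download" and doc.cui and not authorized:
            return False, "download requires export authorization"
        return True, "allowed"

    def access(self, user: User, doc: Document, action: str,
               ts: Optional[str] = None) -> tuple[bool, str, Optional[str]]:
        ts = ts or datetime.now(timezone.utc).isoformat()
        allowed, reason = self.authorize(user, doc, action)
        token = self._watermark(user, doc, ts) if allowed and action == "view" else None
        self.audit_log.append({"ts": ts, "user": user.user_id, "doc": doc.doc_id,
                               "action": action, "allowed": allowed, "reason": reason,
                               "watermark": token})
        return allowed, reason, token

    def _watermark(self, user: User, doc: Document, ts: str) -> str:
        # The token is keyed, so it cannot be forged or guessed from the visible fields.
        msg = f"{user.user_id}|{doc.doc_id}|{ts}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._watermarks[token] = (user.user_id, doc.doc_id, ts)
        return token

    def trace_watermark(self, token: str) -> Optional[tuple[str, str, str]]:
        """Given a token read off a leaked page, recover who viewed which document and when.
        Recomputing the MAC rejects a stored record that was altered after the fact."""
        rec = self._watermarks.get(token)
        if rec is None:
            return None
        expected = hmac.new(self._key, "|".join(rec).encode(), hashlib.sha256).hexdigest()[:16]
        return rec if hmac.compare_digest(expected, token) else None


def run_scenarios() -> dict:
    """Exercise the policy with constructed users and documents; returns the decisions."""
    enclave = Enclave(watermark_key=b"constructed-demo-key-use-a-managed-secret-in-production")
    alice = User("alice", us_person=True, roles=frozenset({"engineer"}))
    bruno = User("bruno", us_person=False, roles=frozenset({"engineer", "subcontractor"}))
    drawing = Document("drawing-17", "/itar/propulsion", itar=True, cui=True)
    plan = Document("plan-3", "/cui/program-x", itar=False, cui=True)
    ts = "2026-01-15T10:00:00+00:00"
    r = {}
    r["alice_view_itar"] = enclave.access(alice, drawing, "view", ts)        # allowed, watermarked
    r["bruno_view_itar"] = enclave.access(bruno, drawing, "view", ts)        # denied: deemed export
    r["bruno_view_cui"] = enclave.access(bruno, plan, "view", ts)            # allowed: role-based only
    r["alice_download_itar"] = enclave.access(alice, drawing, "download", ts)  # allowed: authorization on file
    r["bruno_download_cui"] = enclave.access(bruno, plan, "download", ts)    # denied: no authorization
    r["trace"] = enclave.trace_watermark(r["alice_view_itar"][2])
    r["trace_forged"] = enclave.trace_watermark("0000000000000000")
    r["denied_events"] = sum(1 for e in enclave.audit_log if not e["allowed"])
    return r


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two denials are the ones that matter for the dual obligation: bruno is denied the ITAR drawing because of his person status even though his role would otherwise admit him to the folder, while he is allowed to view the non-ITAR CUI plan because CMMC access control is role-based and nationality-agnostic; in both cases the denial is itself an audit record, which is what an assessor or an investigator will ask to see.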
Practical Steps for 2026
If you’re a defense contractor navigating both ITAR and CMMC requirements, here’s what to focus on:
- Review the September 2025 USML revisions. Fifteen of 21 categories were amended. Your products may have shifted into or out of ITAR jurisdiction.
- Map your ITAR-controlled data to CUI categories. Export-controlled information is a CUI category. If you handle ITAR technical data, you almost certainly handle CUI—and CMMC applies.
- Define your CUI boundary. Draw a hard line around the systems that handle CUI. Every uncontrolled copy of a controlled document expands your CMMC assessment scope.
- Implement an enclave strategy for file transfer. CUI leaving your organization through email, consumer file-sharing services, or unmonitored channels is both a CMMC scope problem and a potential ITAR violation.
- Align your compliance programs. ITAR and CMMC should be planned together from the start. When they’re handled as separate initiatives, gaps multiply.
- Ensure your DDTC registration is current. Annual registration must be renewed 30–60 days before expiration. Lapsed registration doesn’t pause your obligations—it creates a violation.
The Bottom Line
The fundamentals of ITAR compliance that we covered in 2018 are still valid: register with the DDTC, control access to controlled data, encrypt your transmissions, and manage your systems properly. But the stakes are higher, the enforcement is tougher, and the regulatory landscape now demands that you think about ITAR in the context of a broader compliance posture that includes CMMC and CUI handling.
A CUI enclave isn’t a product—it’s an architectural posture. But it requires a platform with the right controls to make it real. Sharetru’s combination of view-only enforcement, dynamic watermarking, granular permissions, and FedRAMP authorization gives you a controlled transfer surface you can point to in a CMMC assessment and rely on for ITAR compliance—a defensible boundary where controlled data is handled the way it should be.
Ready to see how Sharetru can protect you for both ITAR and CMMC?
If you’re a current customer, contact us at support@sharetru.com or visit the Sharetru portal to get started. If you’re evaluating solutions, click here to schedule a demo.