The Defense Department’s Cybersecurity Maturity Model Certification is uncovering more than just cyber gaps. It’s also revealing export control violations that many contractors didn’t even know existed.  

Designed to strengthen protections around controlled unclassified information (CUI), CMMC is forcing companies to take a closer look at their data environments. In doing so, it’s exposing long-standing, previously undetected violations of export control laws under International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) that could expose many contractors to serious legal and financial consequences. 

This raises the stakes for organizations that have treated export compliance and IT security as separate silos. What’s happening isn’t just about cybersecurity maturity. It’s about uncovering systemic gaps in how companies manage sensitive defense-related data, especially technical data subject to export restrictions.  

Why this matters now 

The final CMMC program rule is expected to go into effect as soon as Q4 2025, making certification a requirement for many new defense contracts. That means contractors will soon face formal audits and assessments that will expose the mishandling of export-controlled data. In fact, early assessments are already revealing these kinds of violations. 

Now is the time for companies to get proactive: by mapping their CUI, defining data boundaries, and assessing access controls, they can identify export-controlled technical data that may have been improperly stored, shared or accessed. Under the previous regime, these violations often went unnoticed. Contractors were expected to comply with Defense Federal Acquisition Regulation Supplement 252.204-7012 and follow National Institute of Standards and Technology Special Publication 800-171, but those requirements were largely self-attested and inconsistently enforced. CMMC changes that by requiring companies to prove their compliance, and in doing so, it’s surfacing a broader set of risks tied to export control regulations.

In some cases, contractors are discovering that: 

ITAR-restricted files are being stored in commercial cloud platforms that aren’t FedRAMP High or don’t restrict data residency to U.S. persons. 

Foreign nationals on managed service provider (MSP) teams may have had access to technical documentation without proper authorization. 

EAR-controlled encryption technology is being shared across collaborative tools with global access, in violation of deemed export rules. 

These aren’t rare edge cases. They’re common scenarios that contractors are only now recognizing because CMMC forces them to ask hard questions they may have previously overlooked. 

The overlap between CUI and export-controlled data 

A major source of confusion is the unclear boundary between CUI and export-controlled data under ITAR and EAR. One critical area of overlap is controlled technical information (CTI), which is a category of CUI that includes drawings, schematics, system designs and engineering data generated or used in the performance of a defense contract. 

Here’s what contractors often miss: CTI is frequently subject to ITAR or EAR, not just cybersecurity requirements. Just because data is labeled CUI doesn’t mean it’s only governed by DoD cybersecurity standards. It may also fall under export control laws enforced by the State or Commerce Departments. This dual classification is exactly where many contractors get caught off guard. 

Who’s at risk? 

Any company that: 

Designs or builds parts, systems or subcomponents for defense applications. 

Uses overseas developers, contractors or MSPs. 

Stores technical data in commercial cloud platforms without strict access controls. 

Lacks a clear export compliance program. 

Even companies that have already begun their CMMC journey (including subcontractors and smaller manufacturers in the supply chain) may still be at risk of unintentional export control violations. Many of these firms handle CTI or work with technical data derived from defense contracts, which makes them subject to both CMMC and export regulations. 

Five steps contractors should take now 

CMMC isn’t just a cybersecurity checklist; it’s a trigger for deeper compliance analysis. If your company is preparing for CMMC certification or even just trying to meet DFARS/NIST obligations, use the opportunity to assess your export compliance posture. Here’s how: 

Map your data: Identify where your CUI lives, and classify it based on content and source. Flag any data that meets the definition of CTI or technical data subject to ITAR/EAR. Work with legal or export compliance experts if necessary; this is not a task to delegate without oversight.
Assess access controls based on citizenship: ITAR and EAR require that export-controlled data only be accessed by U.S. persons unless a license is granted. Review every person (including contractors, developers and MSPs) who may have had access. Be prepared to implement role-based access controls or segment sensitive environments based on clearance or citizenship.
Review cloud and hosting environments: Is your data hosted in a cloud platform that meets both FedRAMP High and ITAR/EAR compliance? Do your providers subcontract to foreign companies or allow data to be accessed from overseas? Ensure your cloud contract has strict flow-downs, data residency assurances and access restrictions.
Audit your supply chain: Even if your systems are compliant, third parties who handle your data may not be. Ask your vendors and MSPs for detailed information about their access controls and personnel policies. Include export compliance clauses in your contracts and evaluate the risk of any offshore involvement.
Train your staff and document everything: Employees should be trained not only on CUI handling, but also on ITAR/EAR basics. Document your classification decisions, access control justifications, and corrective actions. This documentation will help during both CMMC assessments and any regulatory audit.
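The first three steps above (map and classify the data, check who can reach it and whether they are U.S. persons or hold a license, and check where it is hosted) can be turned into a repeatable check over a data inventory. The script below is an added example written for this article, not code from the author or Summit 7; the inventory, store names, people and the classification labels are constructed placeholders, and the hosting fields are simplifications of what a real contract review would establish. CTI is deliberately not treated as automatically export-controlled, since the article notes it is frequently, not always, subject to ITAR or EAR; it is flagged for an export determination instead.

```python
"""Added example (not from the article): audit a constructed inventory of
data stores and access grants for the three findings the article describes:
export-controlled data hosted outside FedRAMP High or without U.S.-person
residency restrictions, non-U.S. persons with unlicensed access (deemed
export), and controlled data in collaboration tools with global access."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: str          # "CUI", "CTI", "ITAR" or "EAR" (hypothetical labels)
    fedramp_high: bool           # hosted on a FedRAMP High authorized platform
    us_residency: bool           # provider restricts data residency/access to U.S. persons
    global_access: bool = False  # collaboration space reachable from anywhere


@dataclass(frozen=True)
class Person:
    name: str
    us_person: bool
    licensed_for: frozenset = frozenset()  # store names an export license covers


EXPORT_CONTROLLED = {"ITAR", "EAR"}


def audit(stores, grants):
    """Return a sorted list of (finding, store_name, detail) tuples.

    grants is a list of (Person, store_name) pairs taken from the access review.
    """
    findings = []
    by_name = {s.name: s for s in stores}
    for s in stores:
        if s.classification == "CTI":
            # Step 1: CTI needs an ITAR/EAR determination, not an automatic verdict.
            findings.append(("REVIEW", s.name, "CTI: determine ITAR/EAR status with export counsel"))
        if s.classification in EXPORT_CONTROLLED:
            # Step 3: hosting environment checks.
            if not s.fedramp_high:
                findings.append(("HOSTING", s.name, "not FedRAMP High"))
            if not s.us_residency:
                findings.append(("HOSTING", s.name, "no U.S.-person residency restriction"))
            if s.global_access:
                findings.append(("GLOBAL_ACCESS", s.name, "shared tool with global access"))
    for person, store_name in grants:
        s = by_name[store_name]
        # Step 2: a non-U.S. person may access export-controlled data only under a license.
        if (s.classification in EXPORT_CONTROLLED and not person.us_person
                and store_name not in person.licensed_for):
            findings.append(("DEEMED_EXPORT", store_name,
                             f"{person.name} is a non-U.S. person without a license"))
    return sorted(findings)


# Constructed sample inventory (hypothetical names and values).
STORES = [
    DataStore("drawings-itar", "ITAR", fedramp_high=False, us_residency=False),
    DataStore("crypto-ear", "EAR", fedramp_high=True, us_residency=True, global_access=True),
    DataStore("cad-cti", "CTI", fedramp_high=True, us_residency=True),
    DataStore("hr-cui", "CUI", fedramp_high=False, us_residency=False),
]
ALICE = Person("alice", us_person=True)
BOB = Person("bob", us_person=False)                                  # MSP engineer, no license
CARLA = Person("carla", us_person=False, licensed_for=frozenset({"crypto-ear"}))
GRANTS = [
    (ALICE, "drawings-itar"),
    (BOB, "drawings-itar"),
    (CARLA, "crypto-ear"),
    (BOB, "hr-cui"),
]


def run_sample():
    """Run the audit over the constructed inventory."""
    return audit(STORES, GRANTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```

On the sample inventory the audit reports the unlicensed MSP engineer on the ITAR store, the globally accessible EAR collaboration space, two hosting gaps on the ITAR store, and a review item for the CTI store; the licensed non-U.S. person and the plain CUI store produce no findings. Feeding it a real inventory means the classification and hosting fields must come from the data-mapping and cloud-contract review the article describes, which is exactly the part that cannot be automated away.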

What this means for contractors 

Contractors that address export control risks alongside their CMMC obligations are better prepared to avoid delays and surprises during assessments. They’re also more likely to meet the expectations of prime contractors, who increasingly require both CMMC and export compliance as part of doing business. As regulatory enforcement increases across the Defense Industrial Base, taking a hard look at both cybersecurity and export control is becoming less of a best practice, and more of a baseline requirement. 

The stakes are high. Export control violations can result in multimillion-dollar fines, debarment from federal contracts, and even criminal liability — and malicious intent isn’t required. Unintentional violations are still violations. While CMMC doesn’t directly enforce export laws, it often brings violations to light. If issues are uncovered during an assessment or reported through incident disclosure, enforcement could follow, not only from the DoD, but from the departments of State or Commerce as well. 

CMMC may be the starting point, but it’s only part of the picture. Contractors need a compliance posture that can stand up to scrutiny from multiple federal agencies, and not just during audits, but every day. 

Daniel Akridge is director of engagement at Summit 7 

The post CMMC audits are uncovering hidden export control risks first appeared on Federal News Network.
