Information Security Considerations for U.S. Government Contractors
This is one of a series of Aerospace and Defense (A&D) industry spotlights. This
series focuses on key accounting and operational matters relevant to companies within
the A&D industry.
Companies that plan on working with the U.S. government (USG) need to be aware of
various requirements, including those related to maintaining cybersecurity
safeguards and export controls over technical data. Noncompliance with these
requirements can result in significant fines and penalties, business disruption,
and reputational damage and could even lead to a company’s prohibition from
bidding on future contracts with the USG. As described below, the Cybersecurity
Maturity Model Certification (CMMC) deals primarily with establishing
cybersecurity safeguards and cyber incident reporting for certain types of
federal contract information (FCI) and controlled unclassified information
(CUI). The second main category of information security described herein
addresses International Traffic in Arms Regulations (ITAR), which control the
export of certain defense-related information.
On October 21, 2016, the U.S. Department of Defense (DoD) adopted a final
rule amending the Defense Federal Acquisition Regulation Supplement (DFARS),
which requires DoD contractors to establish new cybersecurity safeguards and
cyber incident reporting for certain types of CUI. The CMMC, which was
designed as a result of collaboration with DoD stakeholders, is essential in
the effort to make cybersecurity the foundation of DoD acquisition.
CMMC 2.0 was announced in November 2021, and the proposed changes build upon
the CMMC 1.0 framework (published in 2020). CMMC 2.0 is expected to be
finalized and implemented through the rulemaking process and codified in the
Code of Federal Regulations (CFR) in 2024. Once CMMC 2.0 is codified,
companies will be required to comply with it to conduct business with the
The CMMC model is aimed at protecting FCI and CUI. FCI is not intended for
public release; such information is provided by or generated for the USG
under a contract to develop or deliver a product or service to the USG.
Examples of FCI include:
Contract performance reports.
On the National Archives Web site, CUI is described as “information that
requires safeguarding or dissemination controls pursuant to and consistent
with applicable law, regulations, and government-wide policies.” The
National Archives and Records Administration (NARA) has established the CUI
categories and marking guidelines for government agencies and
Examples of CUI include:
Military personnel records.
DoD critical infrastructure security information.
Unclassified controlled nuclear information for defense.
Identity-related and regulated information.
Patient data and records.
CMMC 2.0 is designed to (1) simplify DFARS compliance by allowing
self-assessment for some requirements while requiring third-party assessment
for other requirements, (2) reflect priorities for protecting DoD
information, and (3) reinforce cooperation between the DoD and industry in
addressing evolving cyber threats.
Further, the CMMC is intended to safeguard CUI and FCI through three levels
of cybersecurity maturity that consist of 14 different cybersecurity domains
made up of 110 controls. A comprehensive list of the domains and practices
referenced above is available on the DoD’s Web
site. The table below outlines the three levels of CMMC
To support the DoD’s initiative to make cybersecurity an integral part of the
acquisition process, contractors in the supply chain must adhere to the
requirements incorporated into their contract. Contractors that handle FCI
must comply, at a minimum, with the Level 1 requirements; higher levels will
be required for those handling CUI and information deemed critical to
national security. A CMMC certification may not be required for companies
that produce commercial off-the-shelf products, but other requirements within a
contract might still apply and should be considered.
Potential Implications for Uncertified Companies
The CMMC should be considered a license to do business with the DoD.
Potential implications of noncompliance could include the following:
Loss of revenue.
Stop work orders.
Supply chain disruption.
Future proposal exclusion.
Inability to deliver contract requirements.
For additional resources on the CMMC, see Deloitte’s CMMC page.
ITAR is another key set of regulations that companies need to comply with
when performing work for the USG. The U.S. Department of State administers
ITAR through the Directorate of Defense Trade Controls (DDTC). The purpose
of ITAR is to protect U.S. national security interests by restricting the
physical movement, transfer, or release of certain military items, software,
technology, and defense services outside the United States or to non-U.S.
persons. Given the breadth of items covered under ITAR and the potential
risks of noncompliance, entities must be familiar with the requirements and
be proactive about protecting the dissemination of controlled
The articles, services, and related technology designated by the U.S.
Department of State for export and temporary import control under ITAR are
detailed in the United States Munitions List (USML). This list is
comprehensive, containing over 20 categories of defense articles and
services subject to regulation. To help organizations assess their level of
ITAR compliance with this extensive list of control items and services, the
U.S. Department of State issued a new ITAR Compliance Risk Matrix on September 15, 2023. The
matrix is broken down into the following risks:
Enterprise risks, which apply to “the entire organization, not
the size of structure of the organization.”
Organizational function risks, which primarily apply to “the
function or group within the identified responsibilities.”
Organizations that do not “have a function or group performing
these tasks specifically . . . should still consider these risks
and where they exist.”
ITAR compliance program element risks, which represent risks in
an organization’s compliance program and should be used to
identify potential gaps or vulnerabilities related to DDTC
compliance program guidelines.
Who Must Comply
Any organization that manufactures, exports, brokers, or temporarily imports
defense articles and defense services described on the USML must comply with
ITAR. A company that works with other companies during the handling of
ITAR-controlled items should ensure that each company in its supply chain
has policies in place to remain ITAR-compliant. Companies must register with
the U.S. Department of State’s DDTC, understand how ITAR applies to them,
and fulfill the ITAR requirements. Moreover, companies are expected to have
a robust and comprehensive ITAR compliance program that includes a defined
governance structure with designated roles and responsibilities, policies,
procedures, and controls (including automation and technology tools to
support internal controls) to manage compliance with ITAR requirements. This
program should also include processes and controls for properly identifying
ITAR data and ensure that systems are in place to restrict protected data
from non-U.S. persons.
Impacts of Noncompliance
DDTC is responsible for civil enforcement of ITAR, and the U.S. Department of
Justice handles criminal enforcement matters. ITAR violations may result in
civil penalties of $1 million or more per violation and/or criminal
penalties of up to $1 million, 20 years’ imprisonment, or both per violation;
consequences can include both fines and debarment. Other consequences of ITAR
violations may include the denial or revocation of licenses and other export
authorizations, compliance oversight, and loss of business
The requirements in both ITAR and CMMC 2.0 (once codified) may have pervasive
impacts on companies and will necessitate company-wide education. Therefore, it
is imperative for companies to have a good understanding of both topics with
respect to the DFARS, the CMMC model, and the ITAR matrix. Please reach out to
the Deloitte & Touche LLP contacts below for assistance with CMMC and ITAR