How ITAR Impacts CMMC’s FedRAMP Requirements

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

How ITAR Impacts CMMC’s FedRAMP Requirements
Disclaimer: As of the time this article was published, the CMMC Rule is in a Proposed status and is published into the Federal Register. Although we do not expect changes in the Final Rule to impact the content of this article, please be aware of the time this article was published.

 


CMMC compliance cohabitates with ITAR compliance

Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity regulatory requirement that is emerging from the Department of Defense.

It is intended to help better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring defense contractors to meet certain cybersecurity requirements prior to contract award.

If an organization only handles FCI, then CMMC Level 1 requirements will apply. If an organization handles CUI, then CMMC Level 2 or Level 3 requirements will apply.

At Level 2 and Level 3, CMMC’s security requirements apply not only to the Organization Seeking Assessment (OSA) but also to their External Service Providers (ESPs). One such type of ESP is a Cloud Service Provider (CSP).

The CMMC Proposed Rule defines a CSP as “an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.” Additionally, the rule stipulates that an OSC can use a CSP that stores, processes, or transmits CUI if the CSP is FedRAMP Moderate or High Authorized or Equivalent.

How does CUI relate to ITAR?

Within the Defense Industrial Base (DIB), much of the CUI is subject to export controls under International Traffic in Arms Regulations (ITAR).

Among other things, ITAR restricts unauthorized export of covered technical data to non-U.S. persons. Practically, this means that:

  1. Cloud Service Provider (CSP) staff with access to ITAR data must be U.S. persons, and
  2. ITAR data cannot be stored in foreign countries, unless certain cryptographic requirements are met.

Although not all CUI is ITAR data and not all ITAR data is CUI, for practical purposes, most OSC’s that handle both will find it impractical to maintain separate systems to store, process, or transmit export-controlled CUI and non-export-controlled CUI. It is a helpful heuristic to simply assume that all systems or system components that store, process, or transmit CUI will also store, process, or transmit ITAR data and vice versa.

This means that when the technical requirements for ITAR and CUI diverge, the more stringent requirement prevails.

As noted above, the CMMC Proposed Rule requires that CSPs be, at least, FedRAMP Moderate Authorized or Equivalent. This limits the population of CSPs to those listed in the FedRAMP Marketplace and those which have received a separate Equivalency determination in accordance with the DoD CIO’s memorandum.

The FedRAMP High baseline sets forth additional security requirements, including those that “Restrict the location of information processing, information or data, AND system services to U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction based on all High impact data, systems, or services.”

These geographic restrictions allow FedRAMP High solutions to satisfy the ITAR export control requirements regarding technical data. The FedRAMP Moderate baseline has no such geographic restrictions, and therefore does not satisfy ITAR export control requirements.

However, as of March 25, 2020, ITAR was amended such that a FedRAMP Moderate CSPs may meet ITAR requirements. Specifically, the amended ITAR added several “activities” that are not subject to ITAR requirements. Specifically, §120.54(a)(5)(ii) indicates that “sending, taking, or storing technical data that is secured using end-to-end encryption” is not an export activity. Therefore, FedRAMP Moderate CSPs can meet both ITAR and CMMC requirements if the technology solution also uses end-to-end encryption[1] that prevents anyone other than the sender and recipient from viewing the unencrypted data. Accordingly, a FedRAMP Moderate Authorized or Equivalent service that stores export restricted CUI or employs non-U.S. persons in the CSPs service delivery may be permitted.[2]

Approach Security Protection Assets with Caution

In the CMMC, Security Protection Assets are “assets providing security functions or capabilities to the OSC’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI [emphasis added].” Said differently, a Security Protection Asset provide security functions, but, in doing so, they may also handle CUI. In such instances, the guidance in this article applies to Security Protection Assets as well.

For example, cloud backup systems clearly “provide security functions or capabilities,” yet they also clearly “store, process, or transmit” CUI.

Other examples may not be so cut and dry. For example, do cloud-enabled agent-based web filters – which temporarily decrypt web traffic (which may contain CUI) to perform deep packet inspection to identify malware – store, process, or transmit CUI? Perhaps.

Additionally, consider the possibility that a security product adds a feature that causes it to store, process, or transmit CUI when previously it had not. For example, a cloud-enabled endpoint antivirus tool adds a sandboxing feature. This feature scans downloaded files by copying it to the CSPs cloud environment and opening it in an isolated environment (sandbox) away from the OSC’s network where it can be safely observed for malicious behavior. Now imagine this happens on the eve of your CMMC Assessment.

Given the above, we recommend organizations exercise caution when considering whether their Security Protection Assets do or have the potential to store, process, or transmit CUI or export-controlled data.

The FedRAMP CUI and ITAR Decision Tree

The decision tree below can help OSA’s determine whether a technology solution should meet FedRAMP Moderate or High Authorized or Equivalent requirements in light of both CMMC and ITAR requirements.

ITAR Decision Tree - CMMC Rule considerations for DoD Contractors - Keiter Technologies

Conclusion

The structure of the CMMC program outlined in the Proposed Rule is enough to make newcomers dizzier than a five-year-old on a turbo charged teacup ride. And that’s without even considering the actual security requirements.

The ITAR is similarly complex enough to create its own cottage industry of compliance experts and tools, and it has.

For organizations where these two regulations overlap and affect each other, as is the case for many DoD contractors, the result is a labyrinth loaded with layers of certifications, accreditations, attestations, affirmations, definitions, guides, and requirements intertwined and nested one under the other like a Frankenstein Matryoshka doll from the Island of Dr. Moreau.

Unfortunately, this complexity creates risk, and lots of it. ITAR violations have civil and criminal penalties, which include stiff monetary fines and up to 20 years of free room and board at your favorite Federal prison. CMMC noncompliance, once implemented, can (at best) result in lost contract opportunities, and (at worst) result in Federal False Claims Act prosecution.

Defense contractors are rightfully laser focused on CMMC, but they should not get tunnel vision. They must remember their CMMC compliance cohabitates with their ITAR compliance, and they have to get along. Many contractors are looking to cloud solutions to simplify their CMMC compliance. In doing so they should not forget that:

  1. CMMC’s FedRAMP Moderate requirements for CUI handling cloud service providers do not meet ITAR requirements, unless it is coupled with sufficient end-to-end encryption.
  2. Classifying an asset as a Security Protection Asset does not preclude it from handling CUI, which may also be subject to ITAR requirements.

[1] For CMMC, encryption must be FIPS-validated. For ITAR, encryption must either be FIPS 140-2 validated or be as strong as AES-128. CMMC sets the stronger standard, so it is the one that must be followed.

[2] Subject to limitations §120.54(a)(5)(iv) and (v).


Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.


Share this Insight:

About the Author


Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Categories

Contact Us