What to Know About ITAR, COTS, and CUI

By Carl Herberger • August 11, 2022

With all the acronym-labeled requirements and definitions related to doing business with the federal government, it can seem like you are swimming in an alphabet soup. In addition to the consumer off the shelf (COTS) designation which determines the presence of controlled unclassified information (CUI), there is another program to be aware of, ITAR.


ITAR defined

International traffic and arms regulations (ITAR) is a signed acknowledgement companies make with the government during contract on-boarding. ITAR is required if the government determines that your piece part or widget is going to be included in a weapon system designed, developed, or manufactured by the DoD.


For your fulfillment with the DoD contract, your company agrees to have your product reviewed by the government when you sell it to international companies. This applies to COTS products, like microprocessors or GPS receivers, as if these components are being put into a weapon system, the DoD wants to bind this technology to America. Also, if you are knowingly selling this same component to companies that are including it in weapons, you must acknowledge that to the government so that it can be trafficked.


As a current example, right now the drones that are being shot down by Russia have a lot of American chips in them. The FBI just launched an investigation against the companies that provide these chips to understand how those chips made it into the drones. These microprocessing companies were surely bound by ITAR and they should have had more control over their chips. As a result, the government can actually come back and claim restitution.


Why it is important to know if you have ITAR

Often if you’re bound by the government’s laws on international trade in arms or controlled technologies, your products are not available commercially off the shelf. The ITAR program means that there’s not a reselling marketplace without your knowledge, control, and authorization. Consequently, ITAR can be seen as the opposite of COTS.


ITAR itself binds your company to operating in a Federal Risk and Authorization Management Program (FedRAMP) high infrastructure, which requires more stringent cybersecurity controls than DFARS. Talking about COTS and CUI is actually a red herring when it comes to ITAR because ITAR actually bypasses all the DFARS requirements.


If you have any questions where your company and its wares fall in terms of ITAR, COTS, and CUI, get in touch with the experts at CyberSheath. We can help determine your current designation and strategize how to move forward with implementing the required security controls.


CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO