What to Know About ITAR, COTS, and CUI

By Carl Herberger • August 11, 2022

With all the acronym-labeled requirements and definitions related to doing business with the federal government, it can seem like you are swimming in an alphabet soup. In addition to the consumer off the shelf (COTS) designation which determines the presence of controlled unclassified information (CUI), there is another program to be aware of, ITAR.


ITAR defined

International traffic and arms regulations (ITAR) is a signed acknowledgement companies make with the government during contract on-boarding. ITAR is required if the government determines that your piece part or widget is going to be included in a weapon system designed, developed, or manufactured by the DoD.


For your fulfillment with the DoD contract, your company agrees to have your product reviewed by the government when you sell it to international companies. This applies to COTS products, like microprocessors or GPS receivers, as if these components are being put into a weapon system, the DoD wants to bind this technology to America. Also, if you are knowingly selling this same component to companies that are including it in weapons, you must acknowledge that to the government so that it can be trafficked.


As a current example, right now the drones that are being shot down by Russia have a lot of American chips in them. The FBI just launched an investigation against the companies that provide these chips to understand how those chips made it into the drones. These microprocessing companies were surely bound by ITAR and they should have had more control over their chips. As a result, the government can actually come back and claim restitution.


Why it is important to know if you have ITAR

Often if you’re bound by the government’s laws on international trade in arms or controlled technologies, your products are not available commercially off the shelf. The ITAR program means that there’s not a reselling marketplace without your knowledge, control, and authorization. Consequently, ITAR can be seen as the opposite of COTS.


ITAR itself binds your company to operating in a Federal Risk and Authorization Management Program (FedRAMP) high infrastructure, which requires more stringent cybersecurity controls than DFARS. Talking about COTS and CUI is actually a red herring when it comes to ITAR because ITAR actually bypasses all the DFARS requirements.


If you have any questions where your company and its wares fall in terms of ITAR, COTS, and CUI, get in touch with the experts at CyberSheath. We can help determine your current designation and strategize how to move forward with implementing the required security controls.


CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO