ITAR-aligned cybersecurity for defense contractors and dual-use exporters
We build the cybersecurity program that backs an ITAR-registered manufacturer or service provider: technical-data segregation, citizenship-controlled access, file-sharing and cloud-storage controls that meet 22 CFR Parts 120-130, and the audit posture that survives a DDTC inquiry. We work alongside your export-control counsel, not in their place.
What ITAR actually requires of your IT
ITAR (International Traffic in Arms Regulations) does not prescribe a cybersecurity framework the way NIST 800-171 does. It prescribes outcomes: technical data on the US Munitions List is itself a defense article, and releasing it to a foreign person without authorization is an export. That includes release to your own employees, contractors, cloud providers, and email recipients who are not US persons. The cybersecurity work is in proving you can enforce that.
The four hard problems most contractors get wrong
- Cloud storage and SaaS. In the commercial tiers of Microsoft 365, Google Workspace, Dropbox, Slack, and Notion, the provider's own support and operations staff can reach tenant data, and the provider does not restrict that staff to US persons or to US soil. A foreign person at the provider gaining access to your technical data is an unauthorized export unless the data is end-to-end encrypted with keys the provider never holds (the carve-out in 22 CFR §120.54(a)(5)). Our answer: put any environment touching ITAR-controlled technical data in GCC High, AWS GovCloud, or Azure Government, not the commercial tier.
- Citizenship-controlled access. "Need-to-know" plus "US persons only" (or licensed foreign persons only) for every system holding technical data. Note that "US person" covers citizens, lawful permanent residents, and protected individuals under 8 U.S.C. 1324b(a)(3), not citizens alone, so the status must come from HR verification, never be inferred from a badge or an email domain. Enforced with directory groups, conditional access, and audit logging that proves who accessed what, and under which authorization.
- Email and file transfer. Standard SMTP relaying can hand your mail to relays and filtering services outside the US, and most "encrypted email" products hold the decryption keys themselves. ITAR-grade email needs US-only routing, encryption from sender to recipient, recipient verification, and keys that stay under the control of US persons; a product whose vendor can decrypt your mail does not qualify for the encryption carve-out.
- Endpoint and device controls. Mobile device management with geofencing and remote wipe for cross-border travel, full-disk encryption, USB and removable-media controls, and documented procedures for foreign travel with devices that may hold technical data.
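The access model in the "citizenship-controlled access" item above, written out as a deny-by-default policy and then used to replay a file-server audit log against it. This is an added example, not the firm's tooling or any vendor's schema: the principal attributes, authorization identifiers, paths, and log format are all hypothetical, and the log lines are constructed. The point it makes is the one in the list: an account whose US-person status was never verified is treated as a foreign person, a foreign person gets in only under an authorization that covers that specific resource, and a path missing from the technical-data inventory is itself a finding.

```python
"""Citizenship-controlled access policy for ITAR technical data, plus an audit-log replay.

Added example with hypothetical attributes and a constructed log; not any vendor's schema.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    upn: str
    # Result of HR verification: True = US person, False = foreign person, None = never
    # verified. "US person" includes citizens, lawful permanent residents and protected
    # individuals, so this is deliberately not named "citizen".
    us_person: Optional[bool]
    groups: frozenset = frozenset()          # need-to-know groups
    authorizations: frozenset = frozenset()  # DDTC authorizations on file (hypothetical IDs)


@dataclass(frozen=True)
class Resource:
    path: str
    itar: bool
    program_group: str                    # group a principal must hold for need-to-know
    authorization: Optional[str] = None   # authorization that permits foreign-person release


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(p: Principal, r: Resource) -> Decision:
    """Deny by default; every denial names the gate that failed so the audit record is useful."""
    if not r.itar:
        return Decision(True, "not ITAR-controlled")
    if r.program_group not in p.groups:
        return Decision(False, f"no need-to-know: not in {r.program_group}")
    if p.us_person is True:
        return Decision(True, "verified US person with need-to-know")
    if p.us_person is None:
        # Unverified status is treated exactly like a foreign person, never like a US person.
        return Decision(False, "US-person status not verified")
    if r.authorization and r.authorization in p.authorizations:
        return Decision(True, f"foreign person released under {r.authorization}")
    return Decision(False, "foreign person without covering authorization")


def audit_record(upn: str, path: str, d: Decision, ts: str) -> dict:
    return {"ts": ts, "upn": upn, "path": path, "allow": d.allow, "reason": d.reason}


def replay(log_lines, directory: dict, inventory: dict) -> list:
    """Replay historical *allowed* accesses against the current policy and inventory.

    Returns the accesses that should not have been allowed: the raw material for an
    access review or a voluntary-disclosure narrative.
    """
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["result"] != "allowed":
            continue
        r = inventory.get(ev["path"])
        if r is None:
            d = Decision(False, "path not in technical data inventory")
        else:
            # An account missing from the directory has no verified status and no groups.
            p = directory.get(ev["upn"]) or Principal(ev["upn"], None)
            d = evaluate(p, r)
        if not d.allow:
            findings.append(audit_record(ev["upn"], ev["path"], d, ev["ts"]))
    return findings


# Constructed directory, inventory and log for the example.
DIRECTORY = {
    "alice@example.com": Principal("alice@example.com", True, frozenset({"prog-falcon"})),
    # Contractor whose status HR never verified.
    "bob@example.com": Principal("bob@example.com", None, frozenset({"prog-falcon"})),
    # Foreign person with one authorization on file.
    "chen@example.com": Principal("chen@example.com", False, frozenset({"prog-falcon"}),
                                  frozenset({"TAA-2024-0001"})),
}
INVENTORY = {
    "/itar/falcon/drawings/wing.step": Resource("/itar/falcon/drawings/wing.step", True,
                                                "prog-falcon", "TAA-2024-0001"),
    "/itar/falcon/firmware/fcs.bin": Resource("/itar/falcon/firmware/fcs.bin", True, "prog-falcon"),
    "/public/marketing/brochure.pdf": Resource("/public/marketing/brochure.pdf", False, "any"),
}
LOG = [
    '{"ts":"2024-03-01T09:00:00Z","upn":"alice@example.com","path":"/itar/falcon/firmware/fcs.bin","result":"allowed"}',
    '{"ts":"2024-03-01T09:05:00Z","upn":"bob@example.com","path":"/itar/falcon/drawings/wing.step","result":"allowed"}',
    '{"ts":"2024-03-01T09:10:00Z","upn":"chen@example.com","path":"/itar/falcon/drawings/wing.step","result":"allowed"}',
    '{"ts":"2024-03-01T09:15:00Z","upn":"chen@example.com","path":"/itar/falcon/firmware/fcs.bin","result":"allowed"}',
    '{"ts":"2024-03-01T09:20:00Z","upn":"dave@example.com","path":"/itar/falcon/firmware/fcs.bin","result":"denied"}',
    '{"ts":"2024-03-01T09:25:00Z","upn":"alice@example.com","path":"/public/marketing/brochure.pdf","result":"allowed"}',
    '{"ts":"2024-03-01T09:30:00Z","upn":"alice@example.com","path":"/itar/falcon/notes/untracked.docx","result":"allowed"}',
]

if __name__ == "__main__":
    for f in replay(LOG, DIRECTORY, INVENTORY):
        print(json.dumps(f))
```

Run against the constructed log it reports three findings: Bob's access (status never verified), Chen reading the firmware (his authorization covers the drawings, not that resource), and Alice's access to a path nobody put in the inventory. The first two are the failure modes the list item warns about; the third is why the technical-data inventory comes before everything else.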
What we deliver
- Technical data inventory. What ITAR-controlled data you hold, where it lives, who touches it, and what systems it transits: the ground truth every other control, and every answer to DDTC, depends on.
- Network and tenant architecture. Segmentation between ITAR and non-ITAR data, GCC High / GovCloud migration where required, citizenship-controlled identity model.
- Compliant file sharing. Vendor selection and configuration for ITAR-aligned file sharing — including the "no, not Dropbox" conversation when a project lead has been moving data through their personal Dropbox for a year.
- Compliant cloud storage. Architecture review and configuration of Azure Government, AWS GovCloud, or GCC High, including the provider agreements that cover ITAR (the data-processing agreement plus the provider's ITAR terms), the analogue of a HIPAA BAA.
- Endpoint program. MDM, full-disk encryption, USB controls, foreign-travel device procedures, hardware inventory.
- Audit posture. Logging, evidence retention, and access-review cadence that can support a DDTC compliance review or a voluntary disclosure under 22 CFR §127.12 if you discover a violation.
- Cross-border travel procedures. Clean loaner-device protocols and "empty-handed" travel (no technical data on the traveler's devices) for sales, engineering, or executive travel to controlled destinations.
- Counsel coordination. We own the technical execution; your export-control counsel owns the legal interpretation and the DDTC filings.
Pairs with
- CMMC 2.0. Most ITAR-registered companies also have CMMC obligations. The control sets overlap heavily; we run them together for ~30% efficiency gain. See CMMC compliance.
- NIST 800-171. Foundation control set for handling CUI; substantial overlap with ITAR technical-data controls. See NIST 800-171.
- DFARS 252.204-7012 / -7019 / -7020 / -7021. The cybersecurity flowdown clauses in DoD contracts: 7012 for safeguarding CUI under NIST 800-171, 7019 and 7020 for the NIST assessment, 7021 for CMMC. We map all four against your existing controls.
Engagement structures
- ITAR readiness assessment. 4-6 weeks. Technical data inventory, architecture review, gap analysis against 22 CFR Parts 120-130, remediation roadmap. Fee: $25K–$60K.
- Full ITAR program build-out. 12-24 weeks. Architecture, tenant migration to GCC High / GovCloud, identity model, MDM, file sharing, audit posture. Fee: $90K–$350K depending on existing maturity and tenant migration scope.
- DDTC self-disclosure support. When you've discovered a potential violation and need the cybersecurity narrative for the disclosure. Hourly with milestone caps; coordinated with export-control counsel.
- Combined ITAR + CMMC program. Most efficient path for defense contractors. Fee: $120K–$450K.
What we will not do
- Practice export-control law — we coordinate with your counsel; we do not give legal opinions on whether a specific item is ITAR-controlled
- Sign off on architecture that uses commercial-tier cloud for technical data covered by ITAR
- Build a program that grants access on assumed US-person status for roles where you have not actually verified that status
- Take an engagement where DDTC registration itself is the gating issue — that's a counsel problem first
Available as referral or white-label
We deliver ITAR cybersecurity directly to manufacturers and service providers, subcontract for IT firms and MSPs whose defense-contractor clients need an ITAR specialist, and partner with export-control counsel on combined legal-plus-technical engagements. Compensation negotiable per relationship.
Related
- CMMC 2.0 compliance — overlapping defense contractor obligation
- NIST 800-171 — foundation control set
- Defense Industrial Base Cyber Advisory — strategic DIB program work