Modifying Documents to Remove ITAR/CUI Designations
Quantum Naval Solutions (QNS) has a concern. Most of the components they design are unique parts for a cutting edge US Navy vessel. Not all of them are classified. But, they are all subject to International Traffic in Arms Regulations (ITAR). As such, they are also considered Controlled Technical Information (CTI). This means that they are CUI and must be protected per NIST 800-171 regulations.
QNS wants to limit the scope of its CMMC assessment so that the production workers will not have to access CUI. They want to take the drawings and specifications for these components and remove all references to the military from them. Then, they hope it is acceptable to give them to production workers using a computer system with minimal protections that does not meet CMMC requirements. They also want to send some of them to another company to make. But, the other company has not had a CMMC Level 2 assessment and may employ foreign nationals.
Is removing references to the military from the documents sufficient to keep them from being considered ITAR and CUI?
ITAR is extremely strict about technology and item transfers, and attempting to circumvent regulations can result in severe criminal and civil penalties.
Based on official U.S. State Department guidance, the answer is NO. You cannot share an ITAR-controlled item with foreign nationals without proper authorization, even if the end use is not explicitly stated. ITAR does the following:
- Covers “technical data” and physical items developed for solely for military use
- Mere ambiguity about end use does not exempt an item from regulation
- Any transfer of ITAR-controlled items or knowledge requires specific authorization. That even includes verbal transfer. And, all the more so, written documentation whether marked or not.
Let’s look at an example. Consider the picture below:
This is an AI generated picture. But, assume it is a bracket used inside of a naval surface-to-air missile that QMS is developing. This bracket would almost certainly be ITAR (and therefore CUI). Sending this picture to a foreign entity without an export license would be an export control violation and would subject the responsible party to possible criminal prosecution.
What does this mean for CMMC?
Simple. If a company has ITAR like this within a CMMC compliant system, they cannot simply remove the markings from the drawings and then transfer them to a non-compliant system within – or outside – their organization. Likewise, they cannot create drawings (even without ITAR or end use markings) of such parts on a non-compliant system.
This applies to hardware, software, and even technical support services.
