10/06/2025
CMMC assessments and export control violations: What DIB contractors need to know
Learn how CMMC assessments are exposing export control violations and what DIB contractors must do to stay compliant and avoid costly penalties.
A recent news article by the Federal News Network(Opens a new window)(Opens a new window) brought to attention a mostly forgotten connection between export control requirements and CMMC assessments.
It is worth noting that CMMC does not enforce export laws; however, it brings unintentional or intentional violations to light. When this is discovered, the Department of War (the Department of Defense’s secondary title per Executive Order) and the Commerce Department step in.
What is export-controlled information
The Department of War considers all export-controlled information as Specified CUI with designations such as CUI//EXPT or CUI//EXPTR (Export Controlled Research). This is because the export of such unclassified items, commodities, technology, software, or other information could reasonably be expected to adversely affect the United States’ national security and nonproliferation objectives.
The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) control certain exports of both actual shipments of a commodity out of the country and the transfer, release, or disclosure to foreign persons in or out of the United States of "technical data" or "technology" about controlled commodities ("deemed exports").
CMMC assessments for contractors that handle controlled technical information (CTI) may reveal violations of export controls laws under ITAR and EAR. CTI includes drawings, and engineering data generated or used in the performance of a defense contract. Violations could result in serious legal and financial repercussions.
DIB contractors need to understand that the transfer, release, or disclosure to US persons outside of the United States of "technical data" or "technology" about controlled commodities are also considered “deemed exports” without a valid export license. This raises the stakes for these contractors within the DIB.
How CohnReznick can help
As both a Registered Practitioner Organization (RPO) and Certified Third Party Assessor Organization (C3PAO), CohnReznick has firsthand experience in helping its DIB clients navigate ITAR and EAR requirements in their CMMC readiness or gap assessment so that they can successfully obtain their Level 2 (L2) certification.
Our specially designed CUI/Export Controlled Information Handling Training guides our clients in understanding and mapping their data flow (both CUI and non-CUI) within their environments, what kinds of CUI can be shared or not shared on their networks, document marking with appropriate CUI designations and distribution statements, how to safely print export controlled documents, definition of a US person vs a foreign person, and how to safely transfer CUI export controlled data to cleared third parties using approved communication channels.
Our DIB clients have benefited from a vastly improved situational and operational awareness of their business processes and compliance requirements, thus avoiding costly multimillion-dollar fines and criminal liability.
Compliance with US export control laws and meeting CMMC requirements should not be treated as separate silos. It should be treated as part of a holistic cyber program. DIB contractors are strongly advised to view CMMC compliance as a business issue rather than an IT or cyber requirement.
CohnReznick is proud to be one of the few firms recently reauthorized as a C3PAO. Renewal is more than just a milestone; it reflects our long-standing involvement with CMMC from its early stages. We have worked closely with clients through multiple phases of the program, adapting to changes and assisting organizations in achieving certification. We can leverage that experience to help your organization as well.
We support our clients through every phase of the journey:
- Readiness assessments tailored to your environment and risk profile
- Policy and documentation development aligned with NIST 800-171A
- Remediation planning and implementation support
- Official L2 assessments conducted by certified assessors
- Ongoing advisory services to maintain compliance and prepare for future audits
Whether you are just beginning your CMMC journey or preparing for a formal assessment, CohnReznick is ready to help you get CMMC-certified.
Learn more about our CMMC services or reach out to get started.
Adonye Chamberlain
Manager, Cybersecurity, Technology Risk, and Privacy
Close
Contact
Let’s start a conversation about your company’s strategic goals and vision for the future.
Please fill all required fields*
Please verify your information and check to see if all require fields have been filled in.
Insight
New SEC cybersecurity guidelines: Next steps for public companies
Insight
Today’s boards need cyber expertise more than ever
Insight
Federal agencies face complex cyber compliance – but relief is underway
Press Release
CohnReznick earns reauthorization of CMMC Third-Party Assessment Organization (C3PAO) designation
Related services
Our solutions are tailored to each client’s strategic business drivers, technologies, corporate structure, and culture.
Receive CohnReznick insights and event invitations on topics relevant to your business and role.
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.