For companies in the Defense and Aerospace sectors, choosing the right manufacturing partner goes deeper than just awarding the job to the lowest bidder. When evaluating potential vendors, in addition to quality, reliability and value, you should be looking for a partner that is ITAR and CMMC compliant.

ITAR, or International Traffic in Arms Regulations, is one of the U.S.’s defense export controls intended to safeguard technologies that provide a critical military or intelligence advantage for the U.S. Import and export controls are put in place to mitigate risks and bolster national security. ITAR is currently administered and managed by the Directorate of Defense Trade Controls (DDTC) which operates within the State Department. ITAR applies to any defense products found on the United States Munitions List (USML) which is made up of 3 sub-categories: defense articles, defense services, and related technical data. Essentially, the government is attempting to prevent the disclosure or transfer of sensitive information to a foreign national.

ITAR compliance is a self-certification process subject to potential audits by the State Department. The responsibility of ITAR compliance falls on the manufacturer/exporter to take necessary precautions to ensure ITAR compliance. This presents challenges to global corporations since data related to their technologies may need to be shared and accessed over the internet or stored locally (outside of the U.S.) in order for operations to run smoothly.

While ITAR focuses on the control of physical exports, imports, and services related to defense, the U.S government recognized a huge need to protect the information that accompanies such contracts. With cyberattacks becoming more frequent and more complex, many buyers are including cybersecurity in their vendor evaluation criteria. Cybersecurity has also become a top priority for the Department of Defense. In 2019, the DoD introduced the Cybersecurity Maturity Model Certification, or CMMC, with implementation initially slated to roll out in 2024.

CMMC is a unified cybersecurity standard for all DoD acquisitions. Specifically focused on cybersecurity practices, once CMMC is fully implemented, it will be a prerequisite for the award of all new DoD contracts. CMMC compliance is determined by a certification process which is evaluated by third-party accredited bodies, whereas ITAR is a self-certification process based on long-standing regulations, and is subject to audits by the Department of State.

According to his article titled “Supply Chain Risk Management and CMMC,” Hank Hagedoorn of Verify, Inc. says “once CMMC is implemented, offerors and their supply chain, will be required to hold a CMMC certification at a specific level or higher to be eligible for award on DoD solicitations. Controls must be adequate and in place to protect controlled unclassified information (CUI) that resides on the DoD’s industry partners networks.” Essentially, if a customer has DoD work that uses CUI, they have to flow the federal requirements down to any suppliers handling that CUI.

At Janco Electronics, we remain committed to manufacturing quality goods for the defense and aerospace market sectors, so we are ITAR registered and are currently working toward our CMMC certification. CMMC is currently in its 2.0 phase with a phased implementation expected to begin in early 2025. It is expected that CMMC will be in all DoD contracts by 2028. When vetting out potential new contract manufacturing partners, it’s time to start asking those CMs where they are in the process. The average preparation timeline is 12-18 months, so if your manufacturing partners don’t currently have an implementation plan in place, they risk not getting the certification in time to handle your assemblies.