ITAR Facility Requirements vs. CMMC Physical Protection Controls: Where They Overlap

Two Frameworks, One Facility: Understanding the Physical Security Overlap

If your organization handles both ITAR-controlled technical data and Controlled Unclassified Information (CUI) under CMMC, you are managing two distinct regulatory frameworks that each impose physical security obligations on your facility. Many compliance managers treat these as separate workstreams. That is a costly mistake. ITAR facility requirements and CMMC physical protection controls share significant common ground, and understanding exactly where they align—and where they diverge—can save your organization substantial time, money, and audit risk.

This post breaks down both frameworks from a practical standpoint, maps the overlapping requirements, and helps you identify where a unified physical security posture can satisfy both regulators simultaneously.

What ITAR Facility Requirements Actually Demand

The International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls (DDTC), do not publish a single prescriptive physical security checklist. Instead, the obligation is embedded in the broader requirement that registered entities implement policies, procedures, and controls sufficient to prevent unauthorized access to defense articles, technical data, and related services covered under the United States Munitions List (USML).

In practice, DDTC examiners and experienced ITAR compliance consultants look for the following physical controls at a minimum:

  • Controlled access areas: Spaces where ITAR technical data is stored, processed, or discussed must be physically segregated and accessible only to authorized U.S. persons or properly licensed foreign nationals.
  • Visitor management: Foreign national visitors must be escorted, logged, and prevented from accessing controlled areas without an appropriate license or exemption. Visitor logs must be maintained and available for audit. Many organizations use ITAR-compliant visitor log books and color-coded ITAR visitor badges to manage this operationally.
  • Signage and demarcation: Controlled areas should be clearly marked to notify personnel and visitors of restricted access. Physical signage, such as ITAR-compliant restricted access signs, communicates boundaries to all who enter your facility.
  • Document and media controls: Physical copies of technical data, drawings, and specifications must be stored securely and protected from unauthorized removal or viewing.
  • Incident response and recordkeeping: Unauthorized access incidents must be documented, investigated, and reported as appropriate under your compliance program.

For a more comprehensive view of what DDTC expects on the physical side, see our detailed post on what physical security controls DDTC actually expects.

CMMC Physical Protection Controls: The PE Domain Explained

CMMC 2.0 Level 2 incorporates the Physical Protection (PE) domain drawn directly from NIST SP 800-171. There are six practice requirements in this domain, and every one of them applies to the environments where CUI is stored or processed. These requirements include:

  1. 3.10.1 – Limit physical access to organizational systems, equipment, and the operating environments to authorized individuals.
  2. 3.10.2 – Protect and monitor the physical facility and support infrastructure for organizational systems.
  3. 3.10.3 – Escort visitors and monitor visitor activity.
  4. 3.10.4 – Maintain audit logs of physical access.
  5. 3.10.5 – Control and manage physical access devices.
  6. 3.10.6 – Enforce safeguarding measures for CUI at alternate work sites.

If your team is still getting up to speed on these requirements, our post on how to meet CMMC 2.0 and NIST SP 800-171 physical security requirements provides actionable implementation guidance.

Where ITAR Facility Requirements and CMMC PE Controls Overlap

The practical overlap between these two frameworks is substantial. When you look at both sets of requirements side by side, the following physical controls satisfy obligations under both ITAR and CMMC simultaneously:

Access Control to Restricted Areas

Both frameworks require that only authorized personnel access areas where controlled information or defense articles are present. ITAR focuses on the U.S. person boundary and export control nexus. CMMC focuses on the CUI system boundary. In most defense contractor facilities, these boundaries overlap significantly or are identical. A single badged-access control system, properly configured and documented, can serve both compliance objectives.

Visitor Escort and Logging Requirements

This is perhaps the clearest area of overlap. ITAR requires escorts for foreign nationals and logging of all visits to controlled areas. CMMC 3.10.3 and 3.10.4 require visitor escorts and physical access audit logs regardless of nationality. A unified visitor management procedure—backed by proper ITAR-compliant visitor badging practices and maintained log books—addresses both frameworks with a single documented process.

Physical Access Device Management

CMMC 3.10.5 requires organizations to manage physical access devices such as keys, key cards, and combination locks. ITAR's implicit requirement to prevent unauthorized access to technical data maps directly onto this control. Managing issuance, revocation, and inventory of physical access credentials is a shared obligation that should be addressed in a single policy covering both regulatory drivers.

Monitoring and Surveillance

CMMC 3.10.2 calls for protecting and monitoring the physical facility. ITAR compliance programs benefit from the same monitoring infrastructure—particularly in areas where USML-controlled hardware or printed technical data is stored. CCTV coverage, alarm systems, and intrusion detection all count toward demonstrating compliance in both frameworks.

Incident Documentation

Both ITAR and CMMC require that unauthorized access incidents be documented. Under CMMC, this feeds into your broader incident response and audit log requirements. Under ITAR, unauthorized access to technical data by a foreign national may trigger a voluntary disclosure obligation to DDTC. A single incident response procedure that captures the required information for both frameworks is more efficient and more defensible.

Where the Frameworks Diverge

Despite the overlap, there are meaningful differences compliance managers must not overlook.

Scope of Who Is Controlled

ITAR's physical access controls are primarily driven by nationality. The core concern is preventing unauthorized access by foreign nationals, because such access can constitute a deemed export. CMMC's PE domain applies to all individuals; nationality is irrelevant. Every insider, contractor, and visitor must be controlled based on their need to access CUI-processing systems.

Alternate Work Sites

CMMC 3.10.6 explicitly addresses remote and alternate work locations where CUI may be accessed. ITAR does not have an equivalent prescriptive control for telework, though the underlying obligation to prevent unauthorized foreign national access applies anywhere ITAR technical data is handled. This means CMMC pushes you further than ITAR in the remote work context, and your physical protection policies must account for that gap.

Documentation Expectations

CMMC assessors—particularly C3PAOs conducting Level 2 assessments—will ask for written policies, procedures, evidence of implementation, and records of activity across all PE controls. DDTC examiners during a consent agreement or voluntary disclosure review will also scrutinize physical security documentation, but the systematic evidence requirements are more rigorous under CMMC. Organizations that have historically satisfied ITAR through informal practices will need to formalize documentation to meet CMMC standards.

Building a Unified Physical Security Program

The most efficient path for defense contractors subject to both frameworks is to design a single, integrated physical protection program that explicitly maps each control to both ITAR and CMMC requirements. This means:

  • Writing physical security policies that cite both regulatory drivers
  • Maintaining a single visitor log and access control record that satisfies both audit populations
  • Training security personnel on both the nationality-based ITAR requirements and the CUI system boundary requirements under CMMC
  • Conducting periodic physical security reviews that assess compliance against both frameworks simultaneously

Our CMMC, CUI, and DFARS compliance services are specifically designed to help contractors integrate these requirements into a cohesive program rather than managing them as parallel, duplicative workstreams. For organizations that need ongoing strategic guidance across both frameworks, our Regulatory vCISO services provide fractional CISO-level support to maintain and continuously improve your program.

If you are building or formalizing your program from the ground up, our compliance program development services can provide the structured, documented foundation that both DDTC and CMMC assessors expect to see.

The Bottom Line for Compliance Managers

ITAR facility requirements and CMMC physical protection controls are not identical, but they share enough common ground that a well-designed program can satisfy both without building two separate compliance infrastructures. The key is intentional design—documenting the dual regulatory basis for each physical control, training your team on both frameworks, and maintaining evidence that demonstrates continuous compliance.

Treating these as separate programs creates redundancy, increases audit exposure, and wastes resources. Treating them as overlapping frameworks with a common physical security core is both smarter and more defensible under scrutiny from either DDTC or a C3PAO.

Ready to assess where your physical security program stands against both ITAR and CMMC requirements? Request a quote from Cleared Systems today, and let our team help you build a unified compliance posture that holds up under examination from either regulator.
