
ITAR/EAR Export Controls and M&A: The Cleared Contractor Discovery Problem

When acquiring defense contractors or companies with cleared facilities, IT systems handling classified data must meet NISPOM Chapter 8 requirements. Here's what IT auditors find.

Luna
Tags: itar, export-controls, defense, compliance, m-and-a

International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern how defense-related technical data and munitions can be transmitted or accessed. For a company that manufactures, sells, or services defense articles — or that has contracts requiring access to classified information — these regulations create IT infrastructure requirements that are significantly more stringent than commercial IT standards.

When you’re acquiring a defense contractor, the IT due diligence needs to include ITAR/EAR compliance. The cleared facility audit requirements under NISPOM (National Industrial Security Program Operating Manual) Chapter 8 are the framework — and they directly affect IT infrastructure.

When ITAR/EAR Applies in M&A

ITAR applies when the target company:

  • Manufactures defense articles on the US Munitions List (USML)
  • Provides technical data related to USML items
  • Has contracts with the State Department’s Directorate of Defense Trade Controls (DDTC)

EAR applies when the target exports or re-exports items on the Commerce Control List (CCL), particularly those with encryption components.

The key M&A trigger: if the target has cleared facility status (a facility clearance granted by the Defense Counterintelligence and Security Agency), IT infrastructure must meet NISPOM Chapter 8 requirements. A change of ownership requires DCSA notification — and the new owner’s eligibility to hold cleared information must be established before access to classified information can transfer.

NISPOM Chapter 8: The IT Infrastructure Requirements

NISPOM Chapter 8 specifies requirements for Information Technology systems used in connection with classified contracts. Key requirements:

Isolation of Classified Networks: Classified and unclassified networks must be physically or cryptographically separated. In practice, this means air-gapped networks for systems processing classified data — or VLAN isolation with hardware-based separation validated by a Common Criteria evaluated gateway.

Access Control on Classified Systems: All persons with access to classified systems must have a personnel security clearance. The IT system must enforce role-based access control with least privilege. The system must log all access and retain audit logs for a defined period (typically 1 year minimum).

Media Control: Removable media (USB drives, external hard drives, optical media) must be controlled. Classified media must be properly marked, stored, and destroyed. The IT system must prevent unauthorized introduction or removal of media.

Incident Reporting: Any compromise of classified information — including IT security incidents on systems that process classified data — must be reported to DCSA within specified timeframes.

The Discovery Phase: What to Look For

In IT due diligence for a defense contractor, ACQI’s discovery modules run specifically against the network segments that support classified contracts:

Network Discovery: Map all network segments. Identify any segment that contains defense-related data or systems. Look for VLAN configurations that claim isolation but may have routing errors (a misconfigured router can accidentally bridge classified and unclassified segments).
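The routing-error check described above, written out as an added example (this is not ACQI's module code and not from the original post). It parses a minimal IOS-style running config, assigns each routed VLAN interface and static route to a zone using a constructed prefix inventory, and flags a device that holds SVIs in both zones, a route to a classified prefix via an unclassified next hop, or a default route on a device that also terminates a classified VLAN. Device names, VLAN numbers, prefixes and the config text are all constructed for illustration.

```python
"""Flag Layer-3 paths that could bridge classified and unclassified VLANs.

Parses a minimal IOS-style running config and checks every routed VLAN
interface (SVI) and static route against a zone inventory. All data below
is constructed for illustration; the inventory would normally come from the
target's network documentation.
"""
import ipaddress
import re

# Constructed zone inventory (assumption): which prefixes carry classified data.
ZONE_PREFIXES = {
    "classified": ["10.30.0.0/16"],
    "unclassified": ["10.10.0.0/16", "10.20.0.0/16"],
}

# Constructed sample configs, one per device. Not from any real network.
CONFIGS = {
    "core-sw1": """
interface Vlan10
 description corp-users
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan30
 description classified-lab
 ip address 10.30.0.1 255.255.255.0
!
ip route 10.30.1.0 255.255.255.0 10.10.0.254
""",
    "edge-rtr1": """
interface Vlan20
 description guest
 ip address 10.20.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
""",
}

IFACE_RE = re.compile(r"^interface Vlan(\d+)", re.M)
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)", re.M)
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)", re.M)


def parse_config(text):
    """Return ({vlan_id: svi_network}, [(dest_network, next_hop)])."""
    svis = {}
    for block in text.split("!"):
        iface, addr = IFACE_RE.search(block), ADDR_RE.search(block)
        if iface and addr:
            net = ipaddress.ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
            svis[int(iface.group(1))] = net
    routes = [
        (ipaddress.ip_network(f"{dest}/{mask}", strict=False), ipaddress.ip_address(nh))
        for dest, mask, nh in ROUTE_RE.findall(text)
    ]
    return svis, routes


def zone_of(obj):
    """Zone of an address or network per ZONE_PREFIXES, else 'unknown'."""
    for zone, prefixes in ZONE_PREFIXES.items():
        for prefix in map(ipaddress.ip_network, prefixes):
            if isinstance(obj, ipaddress.IPv4Network):
                if obj.subnet_of(prefix):
                    return zone
            elif obj in prefix:
                return zone
    return "unknown"


def find_bridges(device, config_text):
    """Return human-readable findings for one device's config."""
    svis, routes = parse_config(config_text)
    svi_zones = {vlan: zone_of(net) for vlan, net in svis.items()}
    zones = set(svi_zones.values())
    findings = []
    # A single router holding SVIs in both zones can forward between them
    # unless ACL or VRF separation is proven; treat it as a finding to verify.
    if {"classified", "unclassified"} <= zones:
        findings.append(f"{device}: routed interfaces in both zones {svi_zones}")
    for dest, nh in routes:
        if zone_of(dest) == "classified" and zone_of(nh) != "classified":
            findings.append(f"{device}: route to classified {dest} via {zone_of(nh)} next hop {nh}")
        if "classified" in zones and dest.prefixlen == 0:
            findings.append(f"{device}: default route via {nh} on a device holding a classified SVI")
    return findings


def review_all(configs=CONFIGS):
    """Run find_bridges over every device and flatten the findings."""
    return [f for device, text in configs.items() for f in find_bridges(device, text)]


if __name__ == "__main__":
    for finding in review_all():
        print(finding)
```

Run against the constructed data, core-sw1 produces two findings (SVIs in both zones, and a classified prefix reached through an unclassified next hop) while edge-rtr1 produces none. The check is deliberately conservative: a device that terminates both zones is reported even if an ACL exists, because the auditor's job is to obtain evidence of the separation, not assume it.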

Access Discovery: Enumerate all privileged accounts on systems processing defense-related data. Check whether all privileged users have active security clearances (from the DCSA’s National Industrial Security System). Flag any service accounts or system accounts used for automated processes — these need to be validated against the facility’s personnel security program.
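The clearance cross-reference above, as an added example (not ACQI's code and not from the original post). It reads a constructed export of privileged accounts on enclave systems and a constructed clearance roster, treats service accounts as unable to hold a clearance themselves and therefore requiring a cleared custodian, and reports every account that fails. The column layout of both inputs, the system and account names, and the review date are assumptions; in practice the roster would be reconciled with NISS records by the facility security officer.

```python
"""Cross-reference privileged accounts on classified systems against a
personnel clearance roster. Both inputs are constructed samples; in a real
review the account list comes from the target's directory/host exports and
the roster from the FSO's NISS records (column format assumed here).
"""
import csv
import io
from datetime import date

# Constructed export of privileged accounts on systems in the classified enclave.
PRIV_ACCOUNTS_CSV = """system,account,type,custodian
scif-fs01,jdoe,user,
scif-fs01,asmith,user,
scif-fs01,svc_backup,service,jdoe
scif-fs01,svc_scan,service,
scif-db01,bnguyen,user,
scif-db01,mchen,user,
scif-db01,svc_etl,service,bnguyen
"""

# Constructed clearance roster (assumed columns). 'expires' stands in for
# whatever end-of-eligibility date the roster actually carries.
ROSTER_CSV = """person,clearance,status,expires
jdoe,SECRET,active,2026-03-01
asmith,SECRET,active,2024-01-15
bnguyen,TOP SECRET,active,2027-09-30
"""

AS_OF = date(2025, 6, 1)  # constructed review date


def load_roster(text):
    """Return {person: row} with 'expires' parsed to a date."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["expires"] = date.fromisoformat(row["expires"])
        roster[row["person"]] = row
    return roster


def is_cleared(person, roster, as_of):
    """True only if the person is on the roster, active, and not expired."""
    row = roster.get(person)
    return bool(row) and row["status"] == "active" and row["expires"] >= as_of


def review_accounts(accounts_csv=PRIV_ACCOUNTS_CSV, roster_csv=ROSTER_CSV, as_of=AS_OF):
    """Return one finding string per account that fails the clearance check."""
    roster = load_roster(roster_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        who = f"{row['system']}/{row['account']}"
        if row["type"] == "service":
            # Service accounts cannot hold a clearance; they need a cleared custodian.
            custodian = row["custodian"].strip()
            if not custodian:
                findings.append(f"{who}: service account with no designated custodian")
            elif not is_cleared(custodian, roster, as_of):
                findings.append(f"{who}: custodian {custodian} has no active clearance")
        elif not is_cleared(row["account"], roster, as_of):
            findings.append(f"{who}: privileged user has no active clearance on roster")
    return findings


if __name__ == "__main__":
    for finding in review_accounts():
        print(finding)
```

On the sample data this yields three findings: asmith (eligibility lapsed before the review date), mchen (not on the roster at all), and svc_scan (no custodian). An account missing from the roster is treated the same as an expired one, since absence of evidence is itself the audit finding.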

Cloud and SaaS Discovery: Defense contractors using commercial cloud services (AWS, Azure, GitHub for code) need to ensure those services are authorized for defense workloads. FedRAMP High authorization is the standard for cloud services used for defense data. If the target is using non-FedRAMP authorized services for defense workloads, this is a compliance finding.

Foreign Ownership Concerns: Under NISPOM, cleared facilities must report any foreign ownership, control, or influence (FOCI). If the acquirer is foreign-owned or has foreign investors, this affects FOCI mitigation obligations. IT systems need to be reviewed for any data flows to foreign jurisdictions or foreign-owned infrastructure.

The Foreign Ownership Problem in the Supply Chain

If the target uses IT vendors, cloud providers, or SaaS tools that are foreign-owned or have foreign data center locations, the ITAR/EAR export control classification of the data processed on those systems needs to be reviewed.

A common finding in IT due diligence at defense contractors: IT infrastructure that has grown organically includes SaaS tools or cloud services that were not specifically authorized under the company’s IT security plan. A defense contractor using a CRM that stores engineer names and project codes may be storing technical data subject to ITAR — and if that CRM is Salesforce, the data is stored on servers that may not meet ITAR’s data handling requirements.
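A data-flow review that covers both the cloud/SaaS authorization point (FedRAMP tier, IT security plan membership) and the foreign-hosting point made in this section, as an added example that is not ACQI's code and not from the original post. It walks a constructed register of datasets and the systems they land on, and for every export-controlled flow checks hosting country, FedRAMP tier against a required tier, and whether the system appears in the security plan. System names, countries, tiers and the flow register are all constructed; the required tier is a parameter because the appropriate level depends on the data involved, and no real vendor is named or assessed.

```python
"""Check where export-controlled data flows against hosting jurisdiction,
FedRAMP tier and the IT security plan (SSP). Inventory and flows are
constructed samples; the required FedRAMP tier is a parameter.
"""

REQUIRED_FEDRAMP = "High"            # assumption: tier required for defense workloads
FEDRAMP_RANK = {None: 0, "Low": 1, "Moderate": 2, "High": 3}
EXPORT_CONTROLLED = {"ITAR", "EAR"}  # data tags treated as export-controlled

# Constructed system inventory (assumed fields, no real vendor implied).
SYSTEMS = {
    "eng-file-share": {"hosting": "on-prem", "country": "US", "fedramp": None, "in_ssp": True},
    "gov-cloud-repo": {"hosting": "cloud", "country": "US", "fedramp": "High", "in_ssp": True},
    "crm-saas": {"hosting": "cloud", "country": "US", "fedramp": None, "in_ssp": False},
    "ticketing-saas": {"hosting": "cloud", "country": "DE", "fedramp": "Moderate", "in_ssp": True},
}

# Constructed data-flow register: (dataset, control tag, system it lands on).
FLOWS = [
    ("usml-cat-viii-drawings", "ITAR", "eng-file-share"),
    ("usml-cat-viii-drawings", "ITAR", "gov-cloud-repo"),
    ("engineer-names-and-project-codes", "ITAR", "crm-saas"),
    ("support-tickets-with-attachments", "ITAR", "ticketing-saas"),
    ("marketing-site-content", "public", "crm-saas"),
]


def check_flow(dataset, tag, system_name, systems=SYSTEMS, required=REQUIRED_FEDRAMP):
    """Return findings for one flow; empty list if nothing is wrong."""
    where = f"{dataset} -> {system_name}"
    sysinfo = systems.get(system_name)
    if sysinfo is None:
        # A flow to a system nobody inventoried is a finding regardless of tag.
        return [f"{where}: system not in inventory"]
    if tag not in EXPORT_CONTROLLED:
        return []
    findings = []
    if sysinfo["country"] != "US":
        findings.append(f"{where}: export-controlled data hosted in {sysinfo['country']}")
    if sysinfo["hosting"] == "cloud" and FEDRAMP_RANK[sysinfo["fedramp"]] < FEDRAMP_RANK[required]:
        findings.append(f"{where}: cloud service lacks FedRAMP {required} (has {sysinfo['fedramp']})")
    if not sysinfo["in_ssp"]:
        findings.append(f"{where}: system not authorized in the IT security plan")
    return findings


def review_flows(flows=FLOWS, systems=SYSTEMS, required=REQUIRED_FEDRAMP):
    """Flatten check_flow over the whole register."""
    return [f for flow in flows for f in check_flow(*flow, systems=systems, required=required)]


if __name__ == "__main__":
    for finding in review_flows():
        print(finding)
```

With the constructed register this reports four findings: the CRM holding engineer names and project codes is neither FedRAMP-authorized nor in the security plan, and the ticketing service is hosted outside the US and only at the Moderate tier. Lowering the required tier to Moderate removes one finding but not the jurisdiction one, which is the point: hosting location and authorization level are independent checks.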

The DCSA Notification Timeline

Change of ownership at a cleared facility requires DCSA notification. This is not optional. The timeline for DCSA review and approval can be 6-12 months, depending on the complexity of the ownership change and whether any FOCI issues are present.

During the DCSA review period, the cleared facility’s ability to access classified information may be restricted or suspended. The integration plan needs to account for this — and it needs to be disclosed to the acquirer as a risk factor in the deal model.

Practical IT Due Diligence Checklist for Defense Contractors

Network (2 items)

  1. Identify all network segments. Confirm classified segments are isolated per NISPOM Chapter 8 requirements. Check for accidental bridging (VLAN misconfigurations, shared firewall zones).
  2. Confirm all cloud services used for defense workloads have FedRAMP High authorization (or appropriate tier for the classification level of data processed).

Access (3 items)

  3. Cross-reference all privileged account holders against DCSA’s National Industrial Security System (NISS) — confirm all have active clearances.
  4. Identify all system and service accounts used on classified systems. Verify each has a designated custodian with appropriate clearance.
  5. Confirm the access review cycle is documented and operating — who reviews access to classified systems, when, and what evidence exists?

Media and Data Handling (2 items)

  6. Verify media control procedures exist and are in use — USB port controls, media destruction logs, media marking procedures.
  7. Check data flow documentation — where does technical data for defense contracts flow, and through which systems?

Incident Response (1 item)

  8. Confirm the incident response plan includes classified information compromise scenarios, and that the company knows how and when to notify DCSA.

The Bottom Line

Acquiring a defense contractor without a detailed IT due diligence review of ITAR/EAR compliance posture is a material risk that most acquirers don’t properly quantify. The DCSA notification requirement alone can disrupt integration timelines by 6-12 months. The cost of ITAR compliance remediation — if gaps are found — can be substantial, because many of the fixes require hardware-level changes (network re-architecture, air-gapping) that can’t be done remotely.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.