From my trade compliance connections, I saw that GE Aerospace faces a $36 million ITAR fine. This arises from a voluntary self-disclosure (VSD)—which is something the U.S. Department of State encourages—of 116 ITAR violations within multiple categories. And China.
From the State Department's website:
"The administrative settlement between the Department of State and GE Aerospace, concluded pursuant to ITAR § 128.11, addresses multiple categories of ITAR violations, including GE Aerospace's unauthorized exports of technical data to the People's Republic of China; violations of terms, conditions, and provisos of several Directorate of Defense Trade Controls authorizations involving various countries; unauthorized exports of defense articles to two countries; and failure to report material changes to its ITAR registration.
GE Aerospace voluntarily disclosed all the alleged violations, a substantial portion of which predate 2023. GE Aerospace also fully cooperated with the Department's review of this matter and has implemented numerous improvements to its ITAR compliance program since the conduct at issue."
$18,000,000 of this fine is suspended, to be channeled into improving GE Aerospace's ITAR program and controls. I'm going to posit that improvements are underway and led to the discovery and disclosure, so, GOOD.
GE Aerospace is a prime contractor in the defense industrial base. So...
Now, I know I'm fairly new to this CMMC space, but ITAR trade compliance controlled data feels a whole lot like chocolate to export controlled CUI's peanut butter. Yes, it's entirely possible that the two are parallel and never the twain shall meet in this instance, BUT... here are my (possibly meandering ranting) thoughts:
CMMC doesn't really have a voluntary self-disclosure of "we're not doing the program right." The closest thing is the False Claims Act, which is scary, but it is a liability path, not a disclosure path; the two are not the same. With a VSD, the company says "we broke this, we're fixing it," and gets acknowledgement that yes, there's a problem, but the company is doing the right thing. CMMC does require, like a trade compliance program, executive affirmation (a senior official affirms continuing compliance, annually, in SPRS). So, yes, there's legal exposure under the False Claims Act every time that affirmation is made, but there's no "safe" correction path if the affirmation later turns out to be wrong.
CMMC – Yes, the organization must report cyber incidents to DoD within 72 hours (that clock actually comes from DFARS 252.204-7012, not from CMMC itself), but incident reporting is not the same thing as disclosing that the program itself is deficient.
What external circumstances, if any, should trigger a review of a company's CMMC status out of band? What if Level 3 CMMC had already been in place, and this ITAR information was CUI? Do the State Department and the Department of Defense/War even talk to each other about these things? Again, CMMC has no defined "material compliance failure" trigger.
This is a prime. Is it too big to fail? It can certainly absorb that fine. Risk can be managed with $$$ and lawyers ($$$$), and failure for the bigger companies isn't an existential threat. Smaller subs... much less wiggle room. A prime can tolerate hundreds of violations across years. Smaller subcontractors, individually, risk far more in this space. The decision to enter it and play by its rules can't default to "well, we already have the contract."
ITAR technical data is often CUI, specifically the Export Controlled category in the CUI Registry. Often, not always. Take "often" as a strong enough argument here: are we settling for mere compliance and box checking if CMMC runs fully separate from ITAR when the data overlaps and an organization is sanctioned under one regime while certified under the other? (Do we really have peanut butter cups? Two ingredients in the same candy? Or are the commercial actors due to roam the planet alone?)
While a large number of the CMMC NIST SP 800-171 controls (practices, requirements, oh my) are technical in nature, the sections that actually control drift (plans, policies, periodic reviews, assessments, training) are the ones that consume management time. Governance. They're not what comes to mind when people say "cybersecurity," and yet they're clearly in NIST SP 800-171, just as surely as they're front and center in something as simple as NIST CSF, with its Govern function and implementation tiers.
You probably noticed that many of the 116 ITAR violations are from years ago. Yet they must still be reported. CMMC certification runs on a three-year cycle, with annual affirmations in between. CMMC sure does feel like certifying a moment in time (not the intent at all!) while ITAR is forever, like a diamond.
Here's what GE Aerospace says about CMMC on its page: "The CMMC is crucial for GE suppliers because it ensures the protection of sensitive information within the defense industrial base (DIB). The Department of Defense (DoD) developed CMMC to enhance the cybersecurity posture of companies in the supply chain, particularly those handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)."
So, what do you think? Am I ranting about things that are too separate to integrate (and we want to keep them that way because everything's working as intended), or are we looking at something that should be a system and isn't?
This post appeared originally on LinkedIn here.