Executive summary. By 2026, ITAR export control and CMMC 2.0 are no longer on the horizon; they are embedded in contracts, with real penalties for lax access management. An idle SaaS account belonging to a former contractor who had access to ITAR-controlled technical data is not just an IT backlog item; it is potential evidence of an unauthorized export. This article explains the shift, how auditors scrutinize contractor access, and how modern identity governance platforms such as Iden must evolve.
This article is informational and does not constitute legal advice. Always consult qualified export-control counsel for definitive interpretations of ITAR, EAR, and related rules.
The 2026 Enforcement Landscape: When ITAR Meets CMMC
For years, export control and cybersecurity requirements operated separately. In 2026, they converge, placing identity and access management in the spotlight.
Key 2025-2028 milestones you can't ignore
The Department of Defense's CMMC 2.0 acquisition rule (48 CFR/DFARS) became effective November 10, 2025, making CMMC requirements enforceable in new DoD contracts. [1: cmmc.com]
Phase 2 of CMMC enforcement begins November 10, 2026, when third-party Level 2 certifications become mandatory for contracts handling Controlled Unclassified Information (CUI). [2: theodosian.com]
Full CMMC implementation is planned by November 10, 2028. Nearly all non-COTS DoD contracts will require a CMMC level as a condition of award. [3: bemopro.com]
Simultaneously, DDTC (the State Department's Directorate of Defense Trade Controls, which administers ITAR) has heightened expectations for export-control compliance, specifically citing access control, monitoring, and documented procedures as essential. [4: hoganlovells.com]
In practice, this means:
- ITAR and CMMC are linked in contracts. Defense contractors handling ITAR-controlled data almost certainly handle CUI and are subject to CMMC Level 2 based on NIST SP 800-171.
- Identity controls are now auditable export-control controls. Who can access export-controlled data and how quickly you remove accounts are core compliance issues, not just IT administration.
- 2026 is about evidence, not intent. Self-attestations and policy documents are being replaced by requirements to post assessment scores to SPRS, undergo third-party assessments, and prove live technical enforcement of access rules. [5: governmentcontracts.foxrothschild.com]
Why Orphaned Contractor Accounts Are Now Export-Control Risks
ITAR often focuses on physical exports, but for SaaS-heavy organizations, the real risk is who can access technical data via a browser.
How ITAR actually defines an "export" in your SaaS stack
Under ITAR and related export-control guidance:
- Any release or transfer of ITAR-controlled technical data to a foreign person in the U.S. is considered an export to that person's home countries (the "deemed export" rule). [6: aertc.org]
- A "release" includes visual access, downloads, or use of credentials or access information enabling a foreign person to view data.
If an orphaned account is tied to, or accessible by, a foreign national without authorization, regulators are not interested in usage logs or intent. The core question is: did a foreign person have the ability to access ITAR technical data without proper authorization or controls?
Idle contractor accounts in:
- Jira projects with export-controlled design tickets
- GitHub repos with ITAR code or models
- Confluence or Notion spaces with controlled documentation
...are latent deemed-export violations, discoverable in an audit or investigation.
U.S. person-only, need-to-know, and contractor sprawl
Many ITAR contracts and Technology Control Plans (TCPs) explicitly require:
- U.S. persons-only access to certain systems or datasets ("U.S. person" per export controls, not just HR citizenship fields). [7: generalcounsel.rpi.edu]
- Strict need-to-know segmentation, limiting data access to contract-relevant personnel. [8: en.wikipedia.org]
These rules clash with common contractor management practices:
- Shared vendor accounts, not unique identities
- Access mimicking previous contractors
- Untracked end dates or offboarding
- Gaps in proving which accounts are U.S. persons vs. foreign nationals
When CMMC and ITAR audits demand "Show me exactly who could access export-controlled data during this period, and prove U.S.-person-only and need-to-know enforcement", these weaknesses become compliance risks.
Penalties: Why Regulators Now Care About Your Identity Hygiene
Financial and operational consequences make it logical for regulators to examine identity management closely.
As of 2025, civil penalties for most ITAR violations can reach approximately $1.27 million per violation or twice the value of the underlying transaction, adjusted for inflation. [9: learnexportcompliance.com]
Criminal violations of the Arms Export Control Act (AECA) and ITAR can result in up to $1 million in fines per violation and up to 20 years' imprisonment. [4: hoganlovells.com]
Recent enforcement actions highlight the trend:
- In 2023, 3D Systems paid a $20 million penalty for unauthorized exports, including unlicensed access by foreign employees. [10: americanbar.org]
- In 2024, Raytheon (now RTX) settled for nearly $950 million, including alleged ITAR and AECA violations. [11: learnexportcompliance.com]
While not every contractor will face penalties of this size, the message is clear: "We didn't realize that account was active" is not a defense. Regulators now treat poor identity governance as a root cause.
Where Manual Access Management and SSO Break Under ITAR
SSO and group-based roles are important, but not adequate.
The SSO coverage gap
Most defense contractors have adopted Okta or Entra ID. This solves authentication but only partially addresses governance:
- Many ITAR-relevant tools (PLM, design apps, supplier portals) don't support SCIM or robust APIs.
- Where SCIM exists, it usually manages group membership, not the fine-grained project, repo, or environment controls needed for technical data.
Iden's research shows that SSO automates only a portion of the stack; manual governance persists, especially where orphaned and zombie accounts accumulate, which is often exactly where ITAR data resides.
Manual contractor workflows don't satisfy 2026 auditors
Common 2026 issues:
- HR emails or Slack requests like "Add this contractor to the missile-guidance board in Miro" without structured workflows
- Shared vendor or manufacturer accounts, with password sharing
- Quarterly access reviews in spreadsheets, where managers approve without verifying assignments
CMMC Level 2 assumes you can prove, nearly in real time:
- Account creation details, including authorizations
- Which systems and data a user could access
- When and how access changed
- When access was revoked, and that the revocation was enforced everywhere
If your proof of compliance is scattered across Okta groups, Jira tickets, spreadsheets, and email, you're relying on documentation while the regulatory climate demands evidence-based compliance.
What 2026 Auditors Will Expect to See Around Contractor Access
ITAR and CMMC differ in origin but converge on key identity governance questions.
The control questions behind the regulations
Auditors and assessors will ask:
Account lifecycle clarity
- Can you show all joiner/mover/leaver events for ITAR contractors?
- Are start and end dates technically enforced?
U.S. person and export-authorization checks
- Is there a reliable attribute for U.S. person status and export authorization?
- Are these attributes enforced in provisioning workflows?
Need-to-know enforcement
- Are permissions scoped at the project/repo/space level?
- Is there a documented justification for access?
Access review and recertification
- Do managers regularly re-certify contractor access?
- Is evidence automatically captured, not created just before an audit?
Audit trails and forensics
- Can you reconstruct, for any date, exactly which individuals could log into ITAR systems and what access they had?
Mapping requirements to identity governance capabilities
Test your compliance by mapping regulatory expectations to identity features:
| Regulatory expectation | Identity & access requirement | What auditors look for in 2026 |
|---|---|---|
| Restrict ITAR data to authorized U.S. persons and licensees | Identity attributes for U.S. person / nationality; policy-driven workflows enforcing those attributes on each system | Evidence that non-U.S. persons can't be provisioned to ITAR systems without exceptions [7: generalcounsel.rpi.edu] |
| Need-to-know access only | Fine-grained permissions over projects, repos, spaces, environments, not broad roles | Access maps linking entitlements to contract work or tasks, not job titles [8: en.wikipedia.org] |
| Strong account management under CMMC Level 2 (NIST 800-171) | Automated joiner/mover/leaver flows; time-bound access; no manual end-date tracking | Logs showing account creation/disable events and how role changes were approved [12: media.defense.gov] |
| Continuous monitoring and timely revocation | Central visibility over all identities including contractors and service accounts | Dashboards/reports showing zero or near-zero orphaned accounts in export-relevant systems |
If your current tools can't provide this view quickly, auditors will assume gaps, even with strong intentions.
Designing Contractor Access Management for ITAR and CMMC
Here's a step-by-step framework for IT and compliance leaders to get ahead of 2026 audits.
1. Build a real inventory of export-controlled data and systems
Identify where ITAR technical data and CUI are stored:
- CAD/PLM tools, code repositories, document systems
- Issue trackers and collaboration tools
- Supplier and manufacturing portals
Link these systems to contracts and export authorizations. This is the scope requiring precise control.
2. Treat every contractor as a first-class identity
Don't treat contractors as generic vendor accounts.
Each contractor identity should have:
- A unique, non-shared account
- Verified U.S.-person/export-authorization attributes
- Contract start/end dates driving automated provisioning and deprovisioning
- Association with a sponsoring internal owner
Within Iden, employees, contractors, and service accounts all reside in the same system of record.
3. Automate joiner/mover/leaver flows across all apps, not just SCIM apps
If ITAR contractor access relies on manual ticket closures, risks remain.
You need:
- Automated role-based access assigned by identity attributes and contract data
- Time-bound, project-specific access that expires unless renewed
- Zero-touch offboarding triggered from HRIS or vendor management, revoking access across every app
Iden customers have achieved up to an 80% reduction in manual access tickets within 60 days by automating provisioning and deprovisioning across 175+ apps, including non-SCIM tools.
For ITAR, this means fewer orphaned contractor accounts in your environment.
4. Go deeper than groups: enforce need-to-know at the project and repo level
ITAR requirements target actual data exposure-not broad job functions.
Iden enables fine-grained controls:
- Slack: channel- and workspace-level access
- GitHub/GitLab: repo- and branch-level permissions
- Jira/Linear: project-level roles
Iden's connectors govern access at the channel, repository, and project level, surpassing SCIM's group-based model to enforce true need-to-know.
With export-controlled programs, your Technology Control Plan becomes automated: only U.S.-person identities with the right attributes and project tags are granted access to ITAR spaces.
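As an added illustration (not Iden's code and not any product's API), here is how the attribute checks from steps 2 through 4 can be expressed as one access decision, plus a sweep that re-evaluates existing grants so that contract end dates and project tags actually expire access. Every identity, resource, attribute name and the authorization reference below is constructed for the example.

```python
"""Technology Control Plan as code: attribute-driven access decisions for ITAR-tagged
resources and a sweep that re-evaluates existing grants. Constructed illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user_id: str
    kind: str                            # "employee", "contractor" or "service"
    us_person: bool                      # export-control U.S.-person determination, not an HR citizenship field
    export_authorization: Optional[str]  # documented license/authorization reference; None if nothing on file
    contract_end: Optional[date]         # None when there is no fixed end date
    sponsor: Optional[str]               # internal owner accountable for this identity
    project_tags: FrozenSet[str] = field(default_factory=frozenset)  # programs this identity works on


@dataclass(frozen=True)
class Resource:
    system: str         # "github", "jira", "slack", ...
    name: str           # repo, project or channel
    project_tag: str    # program the resource belongs to
    itar: bool          # holds ITAR-controlled technical data


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str         # stored with the grant or denial so an auditor sees the basis


def evaluate(identity: Identity, resource: Resource, today: date) -> Decision:
    """Apply the TCP checks in a fixed order; the first failure becomes the recorded reason."""
    if identity.sponsor is None:
        return Decision(False, "no sponsoring internal owner")
    if identity.contract_end is not None and identity.contract_end < today:
        return Decision(False, f"contract ended {identity.contract_end.isoformat()}")
    if resource.itar and identity.kind == "service":
        return Decision(False, "service accounts are not granted ITAR entitlements")
    if resource.itar and not identity.us_person and identity.export_authorization is None:
        return Decision(False, "non-U.S. person with no export authorization on file")
    if resource.project_tag not in identity.project_tags:
        return Decision(False, f"no need-to-know for project {resource.project_tag}")
    return Decision(True, "all attribute checks satisfied")


def revocation_sweep(grants: List[Tuple[Identity, Resource]], today: date) -> List[Tuple[str, str, str]]:
    """Re-evaluate every existing grant; return (user_id, system/name, reason) for grants to revoke.
    Running this on a schedule is what turns end dates and project tags into time-bound access."""
    revoke = []
    for identity, resource in grants:
        decision = evaluate(identity, resource, today)
        if not decision.allow:
            revoke.append((identity.user_id, f"{resource.system}/{resource.name}", decision.reason))
    return revoke


# --- constructed sample data (no real programs, people or authorizations) ---
FW_REPO = Resource("github", "flight-control-fw", "PROG-A", itar=True)
PROG_A_BOARD = Resource("jira", "PROG-A-board", "PROG-A", itar=False)   # project board without technical data

ALICE = Identity("alice", "contractor", True, None, date(2026, 12, 31), "owner-1", frozenset({"PROG-A"}))
BOB = Identity("bob", "contractor", True, None, date(2026, 1, 15), "owner-1", frozenset({"PROG-A"}))     # contract over
CHEN = Identity("chen", "contractor", False, None, date(2026, 12, 31), "owner-2", frozenset({"PROG-A"}))  # no authorization
DANA = Identity("dana", "contractor", False, "AUTH-REF-PLACEHOLDER", date(2026, 12, 31), "owner-2", frozenset({"PROG-A"}))
ERIN = Identity("erin", "employee", True, None, None, "owner-3", frozenset({"PROG-B"}))                   # other program
TODAY = date(2026, 3, 1)


def demo_sweep() -> List[Tuple[str, str, str]]:
    """Re-evaluate every sample identity's grant on the ITAR repo as of TODAY."""
    return revocation_sweep([(i, FW_REPO) for i in (ALICE, BOB, CHEN, DANA, ERIN)], TODAY)


if __name__ == "__main__":
    for user, target, reason in demo_sweep():
        print(f"revoke {user} on {target}: {reason}")
```

The U.S.-person check is applied only to resources tagged as ITAR, so the same non-U.S. contractor can keep a non-technical project board while being denied the repository; the recorded reason string is what ends up in the audit trail next to each grant or denial.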
5. Turn access reviews into continuous, automated evidence
Quarterly or annual access reviews are explicit requirements and a CMMC Level 2/ITAR best practice.
Replace manual procedures with IGA-driven processes that:
- Generate targeted campaigns (e.g., "All contractors with access to ITAR-tagged repos")
- Automatically route to correct owners
- Provide context: last login, project, contract, justification
- Capture approvals/denials, right-size or revoke access automatically
Iden users report saving around 120 hours per quarter on user access reviews by automating certifications and evidence collection.
For defense contractors facing ITAR and CMMC audits, this is the difference between scrambling and presenting a clean audit trail.
6. Normalize audit trails for multi-framework compliance
ITAR, CMMC, SOC 2, HIPAA, and sector regulations converge on the same identity issues.
Iden maintains a single, normalized audit trail tracking:
- Access requests
- Approvals (and policy used)
- Grant and removal timelines
- Impacted systems and entitlements
Compliance teams gain a unified source of truth, filterable by regulatory context, without redundant evidence generation.
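As an added example, not taken from Iden or any product, the following shows what a normalized audit trail makes possible once every request, approval, grant and removal is a typed event: point-in-time reconstruction of who held ITAR entitlements (the "Audit trails and forensics" question above), an orphaned-account check against HR termination timestamps, the offboarding latency behind an SLA, and a scan for grants with no recorded approval. The event schema, policy names, systems, people and log lines are all constructed.

```python
"""Normalized identity audit trail: point-in-time entitlement reconstruction, orphaned-account
check, offboarding latency and missing-approval scan. Constructed illustration, not product code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]  # (system, entitlement name)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user_id: str
    system: str             # "github", "jira", "slack", ...
    entitlement: str        # repo, project, channel
    action: str             # "requested", "approved", "granted" or "removed"
    actor: str              # person or automation that performed the action
    policy: Optional[str]   # policy or review campaign cited for the action
    itar: bool              # entitlement sits on an ITAR-tagged resource


def entitlements_at(events: List[AuditEvent], when: datetime) -> Dict[str, Set[Entitlement]]:
    """Replay grant/removal events up to `when`: user_id -> entitlements held at that instant."""
    held: Dict[str, Set[Entitlement]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts > when:
            break
        key = (e.system, e.entitlement)
        if e.action == "granted":
            held.setdefault(e.user_id, set()).add(key)
        elif e.action == "removed":
            held.get(e.user_id, set()).discard(key)
    return {u: s for u, s in held.items() if s}


def itar_accessors_at(events: List[AuditEvent], when: datetime) -> Set[str]:
    """Who could reach ITAR-tagged entitlements at `when` (the auditor's point-in-time question)."""
    itar_keys = {(e.system, e.entitlement) for e in events if e.itar}
    return {u for u, held in entitlements_at(events, when).items() if held & itar_keys}


def orphaned_itar_accounts(events: List[AuditEvent], terminations: Dict[str, datetime], when: datetime) -> Set[str]:
    """Identities terminated before `when` (HRIS/vendor-management timestamp) that still hold ITAR access."""
    return {u for u in itar_accessors_at(events, when) if u in terminations and terminations[u] < when}


def offboarding_latency(events: List[AuditEvent], terminations: Dict[str, datetime],
                        now: datetime) -> Dict[str, Optional[timedelta]]:
    """Termination-to-last-removal time per leaver; None means access still exists at `now`."""
    still_held = entitlements_at(events, now)
    result: Dict[str, Optional[timedelta]] = {}
    for user, term in terminations.items():
        if user in still_held:
            result[user] = None
            continue
        removals = [e.ts for e in events if e.user_id == user and e.action == "removed" and e.ts >= term]
        result[user] = (max(removals) - term) if removals else timedelta(0)  # nothing held at termination
    return result


def grants_without_approval(events: List[AuditEvent]) -> List[AuditEvent]:
    """Grants with no earlier 'approved' event for the same user and entitlement (missing authorization evidence)."""
    approved: Set[Tuple[str, str, str]] = set()
    missing = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user_id, e.system, e.entitlement)
        if e.action == "approved":
            approved.add(key)
        elif e.action == "granted" and key not in approved:
            missing.append(e)
    return missing


# --- constructed sample log; policy names, systems and people are invented ---
LOG = [
    AuditEvent(datetime(2026, 1, 5, 9, 0), "bob", "github", "flight-control-fw", "requested", "bob", None, True),
    AuditEvent(datetime(2026, 1, 5, 10, 0), "bob", "github", "flight-control-fw", "approved", "owner-1", "TCP-PROG-A", True),
    AuditEvent(datetime(2026, 1, 5, 10, 1), "bob", "github", "flight-control-fw", "granted", "automation", "TCP-PROG-A", True),
    AuditEvent(datetime(2026, 1, 6, 8, 0), "chen", "jira", "PROG-A", "granted", "admin", None, True),  # no approval on record
    AuditEvent(datetime(2026, 1, 10, 9, 0), "erin", "slack", "#prog-a-design", "approved", "owner-2", "TCP-PROG-A", True),
    AuditEvent(datetime(2026, 1, 10, 9, 1), "erin", "slack", "#prog-a-design", "granted", "automation", "TCP-PROG-A", True),
    AuditEvent(datetime(2026, 2, 1, 12, 0), "bob", "github", "flight-control-fw", "removed", "automation", "leaver-flow", True),
]
TERMINATIONS = {"bob": datetime(2026, 2, 1, 11, 0), "chen": datetime(2026, 2, 15, 17, 0)}  # constructed HRIS feed
NOW = datetime(2026, 3, 1)


if __name__ == "__main__":
    print("ITAR accessors on 2026-01-20:", sorted(itar_accessors_at(LOG, datetime(2026, 1, 20))))
    print("orphaned now:", orphaned_itar_accounts(LOG, TERMINATIONS, NOW))
    print("offboarding latency:", offboarding_latency(LOG, TERMINATIONS, NOW))
    print("grants without approval:", [(e.user_id, e.system, e.entitlement) for e in grants_without_approval(LOG)])
```

Because the state at any instant is derived by replaying the log rather than read from a live system, the same functions answer "who could log in on that date" for a past audit period and "who is orphaned today" for the drill, and the log itself is the evidence rather than a spreadsheet assembled before the assessment.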
Actionable Next Steps for 2026
Translate these principles into an action plan for IT, security, and compliance leaders:
Run an orphaned-account drill on your ITAR systems.
- Choose an export-controlled system (e.g., PLM or code host).
- Gather all active external and contractor accounts.
- For each, verify contract status, U.S. person eligibility, and project involvement.
Map identity coverage against export-controlled scope.
- List ITAR-relevant apps: which are fully governed by IGA/SSO vs. managed manually?
- Closely inspect long-tail SaaS, supplier portals, and collaboration tools.
Define your compliance target before your next audit.
- Set SLAs for contractor offboarding (e.g., 30 seconds to revoke access after HR termination).
- Clarify how you'll prove U.S.-person-only and need-to-know enforcement to external assessors.
Evaluate IGA solutions using ITAR-specific scenarios.
In demos or POCs, ask:
- Can you auto-remove all access for a contractor after their end date, across SCIM/non-SCIM apps, in under a minute?
- Can you block non-U.S. persons from ITAR projects without a documented exception?
- Can you export a full history of project access for a given period?
Pilot automated governance on a high-risk program.
- Choose an ITAR-heavy program and deploy automated identity governance.
- Track reduction in manual tickets, orphaned accounts eliminated, and time saved on access reviews.
Iden is purpose-built for this: rapid deployment, connectivity to any app (SCIM, API, or proprietary), enabling lean IT teams to achieve end-to-end governance without legacy projects.
Frequently Asked Questions
Does leaving an ex-contractor's account active really count as an ITAR export violation?
Yes. Under ITAR's deemed-export rule, giving a foreign person the ability to access controlled technical data, even via active credentials, can be deemed an export. [6: aertc.org] Investigators routinely check for such orphaned accounts in ITAR systems.
If all my data is in U.S. data centers and behind SSO, am I safe from ITAR issues?
No. Data location and SSO help, but regulators focus on who can access export-controlled data, not storage or SSO alone. Weak identity governance (shared accounts, poor offboarding, unenforced U.S.-person checks) still risks deemed-export and access violations, regardless of infrastructure location. [7: generalcounsel.rpi.edu]
How does CMMC 2.0 interact with ITAR obligations in practice?
CMMC doesn't replace ITAR; it adds requirements. For defense contractors handling ITAR data:
- ITAR and AECA govern who may access technical data and related authorizations
- CMMC Level 2 (via NIST SP 800-171) defines how you technically enforce and monitor that access, including account management, least privilege, and auditing. [3: bemopro.com]
Identity governance operationalizes both sets of rules, providing required enforcement and audit evidence.
What evidence should I have ready for an auditor about contractor access?
Be able to produce, for a defined period (e.g., the past year):
- A list of contractors with access to ITAR-relevant systems and key attributes (dates, U.S. person/export status)
- Logs showing access grants, changes, and removals
- Records of access reviews and approvals or revocations
- Documentation or workflows showing enforcement of U.S.-person-only and need-to-know rules
Iden centralizes this into a single audit trail, allowing quick, targeted reports (by program, by access level) in minutes.
Can I meet ITAR and CMMC requirements without a legacy IGA platform?
Yes. For most SaaS-heavy organizations (50-2,000 employees), legacy IGA is excessive. Required capabilities:
- Coverage of all apps, including non-SCIM and vendor portals
- Fine-grained controls (repos, projects, channels)
- Automated lifecycle management for all identity types
- Built-in access reviews and evidence capture
Iden was designed for this: it delivers complete governance across 175+ apps, cuts manual access requests by up to 80%, and can be deployed in 24 hours without consultants or dedicated IAM staff. That's the speed and coverage modern compliance demands.