ITAR & CMMC 2.0: Why Self-Hosting Is Non-Negotiable for Defense eCommerce
Key Takeaways
Last verified: March 2026
Regulation: ITAR prohibits any foreign access to controlled defense technology, source code, or technical data. CMMC 2.0 requires AES-256 encryption, full audit trails, role-based access controls, and third-party certification of cybersecurity maturity.
The SaaS problem: No SaaS platform (Shopify, BigCommerce, commercetools, Salesforce) meets these requirements, and all explicitly prohibit ITAR-controlled content.
The solution: Only self-hosted, open source commerce platforms with enterprise security controls and full source code visibility can support CMMC assessment and ITAR compliance.
Penalties: ITAR violations carry fines up to $1 million per violation, criminal penalties up to 20 years imprisonment, and permanent debarment from federal contracts.
What Do ITAR and CMMC 2.0 Mean for eCommerce in 2026?
ITAR and CMMC 2.0 together make self-hosted infrastructure non-negotiable for any eCommerce platform handling defense procurement. No SaaS platform qualifies, and violations carry penalties up to $1 million per incident plus criminal prosecution.
ITAR (the International Traffic in Arms Regulations) controls the export of defense-related articles, services, and technical data. CMMC 2.0 (the Cybersecurity Maturity Model Certification) is the DoD’s mandatory requirement for contractors and subcontractors handling Controlled Unclassified Information (CUI), including ITAR-restricted technical data. Together, they govern how defense contractors, aerospace suppliers, and vendors in the defense industrial base build and operate commerce platforms.
The stakes are exceptionally high. A single ITAR violation (unauthorized access to defense technical data, transfer of source code to unauthorized personnel, or disclosure of controlled defense information to foreign nationals) carries penalties up to $1 million per violation. Criminal liability includes imprisonment up to 20 years and permanent debarment from federal contracts (22 USC § 2778, Arms Export Control Act).
In December 2025, the DOJ settled with Swiss Automation Inc for ITAR cybersecurity failures (DOJ Press Release, Dec 2025). The case reinforced that both ITAR violations and the cybersecurity failures that enable them are prosecuted. The US defense industrial base includes over 300,000 companies. The DoD estimates that roughly 80,000 contractors will require CMMC certification by 2028 (DoD CMMC Program Office, 2024).
For eCommerce specifically, this means any platform handling defense procurement must operate under ITAR and CMMC 2.0 constraints. Parts catalogs for aerospace contractors, supply chain marketplaces for defense subcontractors, configuration management systems for controlled components, or any B2B transaction involving technical data, engineering drawings, or compliance documentation all fall under these rules. These are not compliance considerations. They are existential constraints on architecture, infrastructure, and vendor selection.
CMMC Phase 1 enforcement began November 10, 2025, with mandatory self-assessment. Phase 2 begins November 2026, with required third-party C3PAO (Certified CMMC Assessor Organization) assessments. Phase 3 in November 2027 enforces Level 3 CMMC certification as a contract requirement for all DoD prime contractors and critical suppliers.
Every defense contractor with active DoD contracts or pending renewals is now in the compliance window. If your eCommerce platform touches defense procurement, CMMC maturity assessment of that platform is mandatory within the next 20 months.
ITAR restrictions also apply if your defense customers require that only US persons can authenticate to the system, or if you are a foreign-headquartered company operating a defense procurement system. The False Claims Act creates secondary compliance exposure: misstatements of CMMC or ITAR compliance to federal customers create FCA liability on top of direct CMMC/ITAR violations.
For a full overview of US regulations affecting commerce (including HIPAA, FedRAMP, and international compliance), see our US Regulated Industries Commerce Guide (coming soon).
What Do ITAR and CMMC 2.0 Require for eCommerce Platforms?
ITAR and CMMC 2.0 impose ten core requirements on any eCommerce platform handling defense procurement. These cover source code control, encryption at rest and in transit, full audit trails, role-based access controls, multi-factor authentication, US-only data residency, incident response, system integrity, and vendor management. Unlike HIPAA or general cybersecurity regulations, these create hard architectural constraints that no configuration can resolve.
NIST SP 800-171 (the basis for CMMC Level 2) requires organizations to “limit system access to authorized users, processes acting on behalf of authorized users, and devices” (Section 3.1). It also mandates “cryptographic mechanisms to prevent unauthorized disclosure of CUI” (Section 3.13). For defense eCommerce, your platform must enforce US-person-only access at every layer: infrastructure, code, operations, and support.
| Requirement | What It Means for Commerce | Technical Implementation |
|---|---|---|
| Source code control and audit | ITAR restricts access to US persons only; CMMC requires audit trails of code changes and builds | Self-hosted platform with complete source code visibility, US-person-only access, immutable build logs, and SBOM |
| Encryption at rest | CMMC Level 2+ requires AES-256 encryption for all CUI | AES-256 encryption on all data stores, with organization-managed keys and documented key management |
| Encryption in transit | CMMC requires TLS 1.2+ encryption for all data in motion | TLS 1.3 enforced on all API endpoints, with no fallback to weaker protocols |
| Full audit trail | CMMC Level 2+ requires detailed logging of all CUI access | Immutable audit log capturing identity, timestamp, action type, data accessed, IP address, and outcome. Retained 1-3+ years |
| Role-based access controls (RBAC) | CMMC requires least-privilege role-based authorization | Granular RBAC: procurement staff see only approved catalogs; suppliers see only their own data |
| Multi-factor authentication (MFA) | CMMC Level 2+ requires MFA for all accounts accessing CUI | MFA enforced for all admin, supplier, and customer accounts with authenticator apps or hardware keys |
| Data residency and hosting | ITAR restricts hosting to US territory and US-person-only access. CMMC Level 3 may require dedicated hosting or government-approved environments | Self-hosted or GovCloud deployment. No shared SaaS infrastructure, no foreign access, no third-party data centers without explicit DoD approval |
| Incident response and breach notification | CMMC requires documented procedures with timely DoD notification | Automated alerting, forensic capability, 60-day incident reporting to CISA and DoD |
| System and information integrity | CMMC requires validated software and protection against malicious code | Software supply chain validation, dependency scanning, and vulnerability management |
| Third-party and supplier management | ITAR and CMMC require assessment of any vendor touching the platform, including hosting providers, payment processors, support vendors | All vendors must be US-based or under explicit ITAR exemption, with signed agreements covering ITAR/CMMC requirements. BAAs are effectively mandatory |
ITAR compliance is not platform-only. It extends through the entire infrastructure stack. Your commerce platform, hosting provider, development tools, CI/CD systems, backup infrastructure, logging systems, and support vendors must all comply. A single foreign-accessible component (a vendor monitoring tool, an offshore support provider, a shared cloud service with international data centers) can create ITAR exposure.
Industries Affected by ITAR and CMMC 2.0
ITAR and CMMC 2.0 directly affect commerce operations in defense prime contractors, aerospace distributors, defense marketplaces, and firearms distributors. Each faces unique compliance challenges:
Defense prime contractors operating CMMC 2.0-required systems as a DoD contract condition must ensure any eCommerce capability is CMMC 2.0 certified. Moving from closed procurement networks to commercial eCommerce while maintaining compliance requires re-architecting procurement workflows.
Aerospace component distributors handle ITAR-controlled components and engineering documentation. Multi-vendor marketplaces must isolate technical data per vendor while preventing foreign access.
Defense manufacturing marketplaces connecting subcontractors with prime contractors operate at the highest compliance risk. The platform operator becomes responsible for CMMC/ITAR control over all vendors, requiring native multi-vendor architecture with per-vendor data isolation and continuous verification.
Firearms and ammunition distributors handling restricted items must comply with ITAR and federal firearms regulations. See Firearms eCommerce compliance for specialized guidance.
International requirements layer on top of ITAR. UK defense commerce must comply with the Official Secrets Act and hold Cyber Essentials Plus. EU commerce must comply with GDPR for any EU personnel accessing the system. For defense procurement platforms, see Defense procurement eCommerce for detailed guidance.
Why Can’t SaaS Commerce Platforms Meet ITAR and CMMC 2.0 Requirements?
SaaS commerce platforms are architecturally incompatible with ITAR and CMMC 2.0. They use proprietary source code inaccessible to security teams, operate with international development and support staff, and run on shared multi-tenant infrastructure.
A 2024 DoD Inspector General report found that 73% of defense contractors cited third-party IT vendor access as their primary CMMC compliance gap (DoD IG Report DODIG-2024-063). SaaS platforms are designed for open, international commerce, while ITAR and CMMC demand closed, dedicated, US-person-only systems.
The ITAR source code problem
ITAR controls any technical data related to defense technology, including source code, algorithms, cryptographic implementations, and system designs. A SaaS platform with proprietary code, offshore development teams, or international support staff is disqualified from handling ITAR-controlled content. Every major SaaS commerce platform (Shopify, BigCommerce, commercetools, Salesforce) has international development teams and proprietary source code customers cannot audit. For ITAR compliance, these platforms are automatically disqualified.
The CMMC certification problem
CMMC 2.0 requires third-party C3PAO assessment of any system handling CUI. No major SaaS commerce platform has pursued CMMC certification. Salesforce has FedRAMP High for government cloud, but prohibits ITAR-controlled information. Without independent CMMC certification, you cannot claim CMMC compliance. The vendor must certify, or you must self-host.
The shared tenancy and data residency problem
SaaS platforms operate on shared multi-tenant infrastructure. Your data sits alongside thousands of other merchants’ data, managed by shared operations teams. This creates three conflicts with ITAR and CMMC:
- Foreign access: If infrastructure is managed by international teams, ITAR data residency requirements are violated. ITAR requires US-persons-only access.
- Hosting location: ITAR prefers on-prem or dedicated US hosting. Shopify, BigCommerce, and commercetools run on standard AWS regions, not GovCloud. This is an automatic ITAR disqualifier.
- Data sovereignty: CMMC Level 3 requires strict control over data location and access. SaaS platforms’ multi-region model fails to meet this requirement.
The audit, access control, and transparency problem
CMMC 2.0 requires detailed audit trails of all CUI access and granular role-based access controls. Most SaaS platforms offer limited activity logs instead of the full, immutable audit trails CMMC demands. SaaS platforms also lack source code visibility for cryptographic assessment. CMMC evaluates system integrity, including cryptographic implementations and access control logic. No major SaaS vendor will provide source code for this assessment.
How SaaS platforms compare on ITAR and CMMC compliance
| ITAR & CMMC Capability | Shopify Plus | BigCommerce | Salesforce Commerce Cloud | commercetools |
|---|---|---|---|---|
| Signs agreement for ITAR/CUI handling | ❌ No | ❌ No | ⚠️ Government Cloud only, no ITAR claim | ❌ No |
| Self-hosting option | ❌ SaaS only | ❌ SaaS only | ❌ SaaS only | ❌ SaaS only |
| GovCloud deployment | ❌ Standard AWS only | ❌ Standard AWS only | ❌ Standard AWS only | ❌ Standard AWS only |
| Source code audit capability | ❌ Proprietary | ❌ Proprietary | ❌ Proprietary | ❌ Proprietary |
| CMMC certification path | ❌ Not pursuing | ❌ Not pursuing | ❌ Not pursuing | ❌ Not pursuing |
| US-persons-only development | ❌ International teams | ❌ International teams | ⚠️ Government Cloud only | ❌ International teams |
| Full audit trail | ⚠️ Limited activity logs | ⚠️ Limited logs | ✅ Good audit features | ⚠️ API-level logging only |
| Granular RBAC | ⚠️ Basic roles | ⚠️ Basic roles | ✅ Available | ⚠️ Limited |
| AES-256 encryption | ✅ At rest | ✅ At rest | ✅ At rest | ✅ At rest |
| Multi-factor authentication | ✅ Available | ✅ Available | ✅ Available | ✅ Enterprise tier |
| US government contracts support | ❌ No | ❌ No | ✅ Government Cloud (limited) | ❌ No |
| Custom encryption key management | ❌ Platform-managed | ❌ Platform-managed | ❌ Platform-managed | ❌ Platform-managed |
SaaS platforms are disqualified for ITAR and CMMC 2.0 by design. The solution is self-hosted infrastructure you control entirely.
How Self-Hosted Open Source Commerce Meets ITAR and CMMC 2.0 Requirements
When you own your infrastructure, every ITAR and CMMC safeguard becomes a deployment decision instead of a vendor negotiation. Self-hosted open source platforms give organizations full control over source code, encryption, access policies, data residency, and audit logging. No other architecture enables independent CMMC C3PAO assessment. You choose the infrastructure, manage keys, configure access policies, and own the compliance posture.
| ITAR & CMMC Requirement | How Self-Hosted Commerce Meets It | Spree Enterprise Feature |
|---|---|---|
| Source code access and audit | Full source code visibility to your security team. Review cryptographic implementations, access control logic, dependency chain | BSD 3-Clause open source. Your team audits every line of code. No black boxes. Complete SBOM available. |
| US-person-only access | Restrict all development, operations, and support access to US persons only | Self-hosted deployment with documented access controls. You define who can access the infrastructure, code repository, and data. |
| Encryption at rest | Deploy on your infrastructure with organization-managed encryption keys | AES-256 encryption at rest, integrated with AWS KMS, Azure Key Vault, or on-prem HSM |
| Encryption in transit | Configure TLS 1.3 policies at the infrastructure level | TLS 1.3 enforced across all API endpoints, admin interfaces, supplier portals, and storefront. Documented cipher suite policy |
| Full audit trail | Complete control over what is logged, how long it is retained, who can access logs, and how logs are secured | Built-in audit trail logging every admin action, API call, data access, configuration change, login, and authentication event. Customizable retention (3+ years standard for defense) |
| Role-based access controls | Implement your organization’s IAM policies directly on the platform | Granular RBAC with minimum necessary access. Admin, procurement, supplier, warehouse, customer service, finance roles with customizable permissions |
| Multi-factor authentication | Enforce MFA for all accounts accessing defense data | MFA integrated with FIPS 140-2 compliant authenticators or hardware keys (YubiKey, etc.) |
| SSO and identity integration | Connect to your enterprise identity provider with full audit of authentication events | SSO/SAML/OIDC support for Okta, Azure AD, PingFederate. Authentication logs captured in full audit trail |
| Data residency | Host in any region, on any cloud, or on-prem. ITAR compliance is a deployment choice, not a vendor constraint | Deploy on AWS GovCloud, private cloud, on-premise servers, or air-gapped infrastructure. Your choice. No vendor access. |
| CMMC assessment ready | Full transparency into system design, control implementation, and security architecture enables CMMC C3PAO assessment | Self-hosted open source eliminates opacity that blocks CMMC certification for SaaS platforms. Your organization pursues C3PAO assessment independently. |
| Vendor management and BAAs | You control all vendor relationships. No hidden vendors, no international support staff, no unexpected data flows | Self-hosted eliminates platform vendor as a third party. BAAs needed only for hosting provider and payment processor, both under your control. |
| Breach response and forensics | Full logging enables forensic investigation and compliance with CMMC incident reporting requirements | Immutable audit trails enable forensic reconstruction of access patterns, changes, and incidents. Supports 60-day incident report capability |
For defense procurement commerce, self-hosted open source platforms like Spree Enterprise provide the strongest fit, combining enterprise security controls with full source code transparency. Security capabilities (AES-256 encryption, full audit trails, granular RBAC, SSO/SAML/OIDC, complete source code visibility) are part of the enterprise module, not third-party plugins.
Spree’s BSD 3-Clause open source license means your security team has full visibility before defense data enters the system. They can audit cryptographic implementations, review access control logic, and assess the dependency chain. Spree Enterprise provides enterprise RBAC and audit capabilities that community alternatives lack, with granular control to restrict procurement staff to assigned catalogs, isolate supplier portals, enforce workflows, and log every decision. You own the infrastructure, code, data, and compliance posture. No shared tenancy surprises or vendor-controlled patching.
Architecture and Deployment for ITAR and CMMC 2.0-Compliant Commerce
An ITAR and CMMC 2.0-compliant commerce architecture requires US-only hosting, US-person-only access at every layer, and network isolation with mutual TLS authentication between all internal services. AWS GovCloud or on-premises infrastructure are the standard choices. Here is what a compliant deployment looks like in practice.
Hosting and infrastructure
For ITAR and CMMC workloads, hosting must be on US territory with access restricted to US persons. AWS GovCloud is the most common choice for CMMC Level 2+ and ITAR workloads, providing FedRAMP High, HITRUST, and DoD CC SRG certifications. Alternatively, on-prem or private cloud hosting on US soil eliminates ambiguity about data residency.
Spree’s provider-agnostic architecture supports AWS GovCloud, dedicated AWS regions, on-prem infrastructure, or air-gapped environments based on your compliance team’s risk assessment.
Network architecture
Isolate the commerce application within a private VPC or on-prem network with no direct internet access to application servers or databases. Use a load balancer and WAF as the only entry point, with DDoS protection and rate limiting enabled. All internal traffic uses encrypted connections with mutual TLS authentication. All external integrations use authenticated, encrypted APIs with full audit logging.
Identity and access management
Integrate Spree’s SSO/SAML/OIDC support with your organization’s identity provider to centralize authentication and MFA requirements. Implement role-based access control: procurement officers see only approved catalogs, supplier portal users see only their own data, warehouse staff have no access to sensitive data, and audit reviewers get read-only log access.
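As an added example (not Spree's code or part of the original article), the role rules in this subsection written as a small policy object in Ruby, the language Spree is built in. The role names, resource kinds, the Actor/Resource structs and the ITAR gate on non-US persons are assumptions for illustration; the point is that isolation is enforced when the result set is filtered, not in the UI.

```ruby
# Added illustration, not Spree's own authorization code. Roles, resource
# kinds and struct fields are assumptions chosen to mirror the article.
Actor    = Struct.new(:id, :role, :vendor_id, :catalog_ids, :us_person, keyword_init: true)
Resource = Struct.new(:kind, :vendor_id, :catalog_id, :itar, keyword_init: true)
Decision = Struct.new(:allowed, :reason)

class AccessPolicy
  ROLES   = %i[admin procurement supplier warehouse auditor].freeze
  ACTIONS = %i[read write].freeze
  # Resource kinds a supplier may touch, always limited to its own vendor_id.
  SUPPLIER_KINDS = %i[catalog_item purchase_order technical_data].freeze

  # Returns a Decision. The reason is meant to be written to the audit trail
  # next to the outcome, so every allow/deny is explainable afterwards.
  def self.decide(actor, action, resource)
    raise ArgumentError, "unknown role #{actor.role}" unless ROLES.include?(actor.role)
    raise ArgumentError, "unknown action #{action}" unless ACTIONS.include?(action)

    # ITAR gate first: controlled technical data is US-person-only, whatever the role.
    return Decision.new(false, 'itar: non-US person on controlled data') if resource.itar && !actor.us_person

    case actor.role
    when :admin
      Decision.new(true, 'admin')
    when :procurement
      # Procurement staff read only the catalogs assigned to them.
      if resource.kind == :catalog_item && action == :read && actor.catalog_ids.include?(resource.catalog_id)
        Decision.new(true, 'procurement: assigned catalog')
      elsif resource.kind == :purchase_order
        Decision.new(true, 'procurement: purchase orders')
      else
        Decision.new(false, 'procurement: outside assigned catalogs')
      end
    when :supplier
      # Per-vendor isolation: a supplier never sees another vendor's rows.
      if SUPPLIER_KINDS.include?(resource.kind) && resource.vendor_id == actor.vendor_id
        Decision.new(true, 'supplier: own vendor data')
      else
        Decision.new(false, 'supplier: other vendor or restricted kind')
      end
    when :warehouse
      # Warehouse staff handle shipments only and never see technical data.
      if resource.kind == :shipment && action == :read
        Decision.new(true, 'warehouse: shipments')
      else
        Decision.new(false, 'warehouse: no access outside shipments')
      end
    when :auditor
      if resource.kind == :audit_log && action == :read
        Decision.new(true, 'auditor: read-only logs')
      else
        Decision.new(false, 'auditor: read-only, logs only')
      end
    end
  end

  # Enforce isolation at the query layer: filter a result set down to what
  # the actor may read instead of hiding rows in the storefront or admin UI.
  def self.readable(actor, resources)
    resources.select { |r| decide(actor, :read, r).allowed }
  end
end

# Constructed sample rows from two vendors, one of them ITAR-controlled.
SAMPLE = [
  Resource.new(kind: :catalog_item,   vendor_id: 'V1', catalog_id: 'C-A', itar: false),
  Resource.new(kind: :catalog_item,   vendor_id: 'V2', catalog_id: 'C-B', itar: false),
  Resource.new(kind: :technical_data, vendor_id: 'V1', catalog_id: 'C-A', itar: true),
  Resource.new(kind: :shipment,       vendor_id: 'V2', catalog_id: nil,   itar: false),
  Resource.new(kind: :audit_log,      vendor_id: nil,  catalog_id: nil,   itar: false)
].freeze

def demo
  buyer    = Actor.new(id: 'u1', role: :procurement, vendor_id: nil,  catalog_ids: ['C-A'], us_person: true)
  supplier = Actor.new(id: 'u2', role: :supplier,    vendor_id: 'V1', catalog_ids: [],      us_person: true)
  foreign  = Actor.new(id: 'u3', role: :admin,       vendor_id: nil,  catalog_ids: [],      us_person: false)
  {
    buyer:    AccessPolicy.readable(buyer, SAMPLE).map(&:kind),
    supplier: AccessPolicy.readable(supplier, SAMPLE).map(&:vendor_id).uniq,
    foreign:  AccessPolicy.readable(foreign, SAMPLE).map(&:kind)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```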
Payment and procurement workflow
Implement approval workflows requiring multi-level authorization for sensitive procurement (defense technical data, restricted items, large amounts). Integrate with ERP and supply chain systems using authenticated, logged APIs.
Integration and vendor management
Every integration point must be auditable, with all API calls authenticated, authorized, and logged. BAAs with integration vendors must explicitly cover ITAR and CMMC compliance.
Incident response and monitoring
Deploy automated alerting for unusual access patterns, failed authentication, and data exfiltration. Maintain detailed logs enabling forensic reconstruction. Establish procedures to notify federal customers and CISA within the 60-day CMMC incident window.
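Added example, not code from Spree or the article: a hash-chained audit trail in Ruby that records the fields the requirements table lists (identity, timestamp, action, data accessed, IP address, outcome), detects after-the-fact edits to earlier entries, and runs the failed-authentication check this subsection calls for over constructed sample entries. The class, field names, threshold and window are assumptions.

```ruby
# Added illustration, not Spree's own logging. Each entry carries the SHA-256
# of the previous one, so rewriting or deleting an old record breaks the chain.
require 'digest'
require 'json'
require 'time'

class AuditTrail
  GENESIS = '0' * 64
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Append one record: who, when, what action, which data, from where, result.
  def record(actor:, action:, resource:, ip:, outcome:, at: Time.now.utc)
    prev = @entries.empty? ? GENESIS : @entries.last[:hash]
    body = { seq: @entries.size, at: at.iso8601, actor: actor, action: action,
             resource: resource, ip: ip, outcome: outcome, prev: prev }
    entry = body.merge(hash: Digest::SHA256.hexdigest(JSON.generate(body)))
    @entries << entry
    entry
  end

  # Walk the chain; return the sequence number of the first broken link, or nil if intact.
  def first_tampered_seq
    @entries.each_with_index do |e, i|
      expected_prev = i.zero? ? GENESIS : @entries[i - 1][:hash]
      body = e.reject { |k, _| k == :hash }
      recomputed = Digest::SHA256.hexdigest(JSON.generate(body))
      return i if e[:prev] != expected_prev || e[:hash] != recomputed
    end
    nil
  end

  # Detection: `threshold` or more failed logins from one IP within `window` seconds.
  def failed_login_bursts(threshold: 5, window: 300)
    failures = @entries.select { |e| e[:action] == 'login' && e[:outcome] == 'failure' }
    failures.group_by { |e| e[:ip] }.each_with_object([]) do |(ip, evs), out|
      times = evs.map { |e| Time.iso8601(e[:at]) }.sort
      burst = (0...times.size).any? do |i|
        j = i + threshold - 1
        j < times.size && times[j] - times[i] <= window
      end
      out << { ip: ip, failures: times.size } if burst
    end
  end
end

# Constructed sample activity: one admin login, six failed supplier-portal
# logins from a documentation-range IP, then a technical-data read.
def build_sample_trail
  base = Time.utc(2026, 3, 1, 12, 0, 0)
  t = AuditTrail.new
  t.record(actor: 'alice', action: 'login', resource: 'admin', ip: '10.0.0.5', outcome: 'success', at: base)
  6.times do |i|
    t.record(actor: 'unknown', action: 'login', resource: 'supplier_portal',
             ip: '198.51.100.7', outcome: 'failure', at: base + 20 * i)
  end
  t.record(actor: 'bob', action: 'read', resource: 'technical_data/TD-001',
           ip: '10.0.1.9', outcome: 'success', at: base + 600)
  t
end

def demo
  trail = build_sample_trail
  intact = trail.first_tampered_seq.nil?
  bursts = trail.failed_login_bursts(threshold: 5, window: 300)
  # Simulate an after-the-fact edit: someone rewrites the outcome of entry 3.
  trail.entries[3][:outcome] = 'success'
  { intact_before: intact, bursts: bursts, tampered_at: trail.first_tampered_seq }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real deployment the chain head would be anchored outside the application (a write-once store or a signed checkpoint) so that an attacker who can rewrite the whole table still cannot rebuild a consistent chain unnoticed.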
ITAR and CMMC 2.0 Compliance by Industry
Compliance requirements vary significantly by industry and customer base. Defense primes face mandatory CMMC 2.0 Phase 2 assessment beginning November 2026. Aerospace distributors manage layered compliance: ITAR for US operations, Official Secrets Act for UK, and GDPR for EU personnel access. Defense manufacturing marketplaces bear responsibility for all vendor compliance. Export-focused commerce faces the toughest restrictions, combining ITAR, Official Secrets Act, GDPR, and national security controls.
Industry-specific deep dives:
| Industry | Key Challenges | Timeline |
|---|---|---|
| Defense Prime Contractors | CMMC 2.0 Phase 2 (Nov 2026) requires C3PAO assessment | Immediate |
| Aerospace Component Distribution | Multi-vendor data isolation, layered international rules | Q2 2026 |
| Defense Manufacturing Marketplaces | Multi-vendor CMMC/ITAR compliance, continuous verification | Q2 2026 |
| Defense Technology Export | ITAR + Official Secrets Act + GDPR + national security | Ongoing |
ITAR and CMMC 2.0 are part of a broader US regulatory environment. For a complete view (including HIPAA for healthcare, FedRAMP for government, and international compliance):
→ US Regulated Industries Commerce: ITAR, CMMC, HIPAA, FedRAMP and State-Level Compliance Guide (coming soon)
Build ITAR and CMMC 2.0-Compliant Commerce with Spree
Spree Enterprise gives defense contractors and aerospace suppliers full control over infrastructure, source code, data, security, and compliance, with enterprise RBAC, full audit trails, and complete transparency enabling CMMC assessment and ITAR compliance.
Spree’s open source architecture, enterprise security controls, and provider-agnostic deployment options provide the foundation for compliant defense commerce. Whether you are building a new defense supply chain marketplace, launching an aerospace component distribution platform, or migrating off a SaaS platform, the Spree team can help you scope the right architecture.
Frequently Asked Questions
Is Shopify ITAR compliant for defense procurement?
No. Shopify is not ITAR compliant and explicitly prohibits ITAR-controlled content. Shopify’s Acceptable Use Policy forbids use of the platform for exporting controlled goods or technical data. Shopify also operates on standard AWS infrastructure accessible to international employees and customers, a direct ITAR violation. Defense contractors have no compliant path to use Shopify for any platform that handles ITAR-restricted information, including defense technical data, controlled component specifications, or restricted supplier information.
What does ITAR require for defense ecommerce?
ITAR requires that access to defense technical data (including source code, engineering specifications, manufacturing processes, and compliance documentation) be restricted to US persons only. Any defense eCommerce platform must meet these requirements:
- Restrict administrative and development access to US-based personnel only
- Host data on US soil or in authorized US government environments (like GovCloud)
- Provide full source code visibility to your security team for audit
- Restrict system access to US persons
- Maintain documented procedures preventing unauthorized export of controlled data
Foreign nationals, even those with security clearances, have no access to ITAR-controlled information on a commercial eCommerce platform unless explicitly approved by DDTC (the State Department authority that enforces ITAR).
Can I build a defense supply chain marketplace under CMMC?
Yes, but the compliance architecture is significantly more complex than a single-vendor store. A multi-vendor defense marketplace creates CMMC assessment challenges at multiple levels. The platform operator must be CMMC certified. Each participating vendor must be CMMC certified for their handling of CUI on the platform. Data isolation between vendors must be enforced and auditable. Platforms with native multi-vendor architecture, per-vendor data isolation, per-vendor audit trails, and per-vendor access control (such as Spree Enterprise) provide the architectural foundation for CMMC-compliant defense marketplaces. Community open source alternatives lack the granular audit and RBAC capabilities necessary.
How much does ITAR/CMMC 2.0-compliant ecommerce cost?
Self-hosted ITAR/CMMC-compliant commerce typically requires $100K to $500K+ for the first year, covering platform licensing, infrastructure setup, security hardening, CMMC assessment, and compliance validation. Budget separately for ongoing CMMC recertification every 3 years and continuous compliance monitoring. The ROI calculation differs from HIPAA: defense procurement typically involves higher transaction values, longer customer relationships, and potential for multi-million-dollar contracts. For many defense suppliers, the compliance investment is a fraction of the revenue from a single prime contractor relationship. Unlike SaaS platforms, there are no recurring platform fees or GMV cuts. Costs scale with infrastructure and operational complexity, which you control.
Must my ecommerce platform itself be CMMC certified?
Yes, if your platform handles Controlled Unclassified Information (CUI) related to defense contracts. CMMC 2.0 Phase 2 (Nov 2026) requires C3PAO third-party assessment of any system handling CUI. Your commerce platform, if it touches defense technical data, orders involving restricted items, or supplier information related to DoD contracts, must be CMMC assessed. This is why SaaS platforms are problematic: the vendor must pursue the certification, and no major commerce SaaS platform is pursuing CMMC 2.0 certification. You have no way to certify their platform yourself. With self-hosted platforms, you own the system and can coordinate with a C3PAO to complete the assessment.
Can I use offshore development teams for a defense ecommerce platform?
No. ITAR requires that access to ITAR-controlled technical data be restricted to US persons. If your platform handles ITAR-restricted information, your development, operations, and support teams must be US persons with no unauthorized access by foreign nationals. This eliminates offshore development, offshore support, and international managed services for the platform. This is another structural advantage of self-hosted platforms: you control who has access. With SaaS platforms, the vendor’s offshore development teams have access to the infrastructure, creating potential ITAR violations that you have no way to fix.
What happens if I have ITAR violations on my ecommerce platform?
ITAR violations are among the most serious export control violations. Penalties include:
- Civil fines up to $1 million per violation
- Criminal penalties including imprisonment up to 20 years
- Permanent debarment from federal contracts
- Loss of export privileges
- Prosecution of individuals involved in the violation
If the violations involve unauthorized foreign access or transfer of technical data to foreign nationals, you may face criminal charges. The recent DOJ settlement with Swiss Automation Inc (Dec 2025) for ITAR cybersecurity failures demonstrates that inadequate cybersecurity enabling ITAR violations is prosecuted with the same severity as intentional violations.