As cybersecurity threats evolve, so do the rules built to protect sensitive data across the defense supply chain. Manufacturers that work with the Department of Defense have spent years meeting two of them: the International Traffic in Arms Regulations (ITAR), which controls who can access defense technical data, and the Cybersecurity Maturity Model Certification (CMMC), which verifies that contractors protect it. Neither was written with AI in mind, and both now apply to it.
AI did not change the rules. It became something the rules govern. A model that reads a controlled drawing, an agent that sends a prompt to a server overseas, or an employee pasting a spec into a public chatbot is now a compliance event, not a shortcut. The question is no longer whether you can use AI in a defense operation, but whether you can use it without breaking the controls you already depend on.
What the rules actually require
At Level 2, the bar most manufacturers have to meet, CMMC maps to the 110 security controls in NIST SP 800-171 and centers on protecting Controlled Unclassified Information, or CUI, the government’s term for sensitive but unclassified material such as technical drawings, specifications, and process data that still has to be safeguarded. ITAR draws a sharper line on top of that. Defense technical data can only be accessed by United States persons on United States soil, so a foreign national who views it, even digitally from abroad, counts as a deemed export, where the access itself is treated as shipping the data overseas. A machine that moves it offshore is no exception. Put those together and AI inherits the same requirement as every other system that touches regulated data. It has to stay inside the boundary.
The deadlines are already here
This is not a future problem. CMMC Phase 1 began in November 2025, and self-assessments are already appearing in contracts. In December 2025, the National Defense Authorization Act for fiscal year 2026, through its Section 1513, directed the Department of Defense to fold an AI and machine learning security framework into CMMC, with the government plan due in June 2026, a date that has now passed. By November 2026, Phase 2 will require third-party certification for most CUI work. The framework that will govern AI in this industry is being written right now, against deadlines that are already live.
The most common way manufacturers fall short is also the least dramatic. It is shadow AI: staff dropping controlled drawings and specs into public tools that sit outside the secure boundary, usually just to save time. The same exposure applies to any AI hosted on foreign infrastructure or quietly routed to a model abroad.
What compliant AI takes
Compliant AI is less exotic than it sounds. Controlled data has to stay in a United States-based, United States-staffed environment. Access has to be limited to United States persons and enforced when both people and tools log in. Processing has to stay inside the authorized boundary rather than routed to an outside model, a person has to stay in the loop before AI acts on regulated data, and any output built from CUI has to be treated as CUI itself.
That rules out many open AI models (like ChatGPT and Gemini). Anthropic’s Claude models are approved for FedRAMP High and Department of Defense Impact Level 4 and 5 workloads, the government’s authorization tiers for handling progressively more sensitive data, through Amazon Bedrock in AWS GovCloud. One detail matters: those authorizations apply to the cloud environment, not the model file, so where inference runs matters as much as which model you choose. The tradeoff is that the newest frontier models reach commercial regions first and arrive inside isolated government environments later, which is the price of staying inside the boundary.
How StartProto runs AI inside the boundary
StartProto was built to run AI inside that boundary rather than around it. Its AI runs on Claude’s Opus 4.6 through Amazon Bedrock in AWS GovCloud, the environment currently authorized to handle ITAR and CUI data, administered by United States-based staff with role-based access enforced at login.
NIST controls also call for a human in the loop on AI-automated actions. Before the AI acts on your data, StartProto’s Plan Mode puts a person in the loop: the system proposes a multi-step workflow and waits for approval before anything runs. An MCP server lets AI agents read live production data to answer questions and write back to the app.
If you are evaluating AI for a defense operation, those are the questions to bring to any vendor: where the model runs, who can reach it, and whether a person can stop it before it acts.
The bottom line
The rules for AI in defense manufacturing are arriving on a published timeline, built on frameworks the industry already knows. The manufacturers that treat AI as one more system that has to live inside the boundary will be the ones still winning contracts after Phase 2.
Conclusion
The future of defense manufacturing belongs to shops that can balance cutting-edge AI automation with uncompromised compliance. By ensuring your AI tools operate within a secure, US-governed cloud architecture and enforce strict human-in-the-loop controls, your business can confidently scale operations and continue winning critical contracts through CMMC Phase 2 and beyond.
To see how StartProto handles ITAR and CUI data, book a demo or read more on our ITAR Compliance and Security page. Interested in CMMC? For background, start with What Is CMMC and CMMC 2.0.


