AUKUS Nuclear Submarine Program: The Compliance Challenge for Australian and UK Companies
The $368 billion AUKUS Pillar I submarine programme creates unprecedented compliance obligations spanning ITAR, CMMC, DFARS, and Australian DTCA for companies in the trilateral nuclear supply chain.
The AUKUS Pillar I nuclear-powered submarine programme is the largest and most complex defence procurement in Australian history. At an estimated AUD $368 billion over three decades, it involves the transfer of US nuclear propulsion technology to Australia — something the United States has done exactly once before, with the United Kingdom in 1958. For companies entering this supply chain, the compliance requirements are without precedent in the Asia-Pacific defence industrial base.
This is not a standard defence contract compliance exercise. AUKUS Pillar I sits at the intersection of nuclear technology controls, US export regulations, cybersecurity certification, and Australian defence trade law. Companies that fail to understand and implement the full compliance stack will not participate, regardless of their technical capabilities.
The AUKUS Pillar I programme structure
AUKUS submarine acquisition proceeds in three phases:
- Phase 1 (2023-2027): Increased US and UK submarine visits to Australian ports, embedded Australian personnel in US and UK submarine programmes, and workforce development at HMAS Stirling in Western Australia
- Phase 2 (2027-2032): Forward rotation of US Virginia-class and UK Astute-class submarines from Australian bases, building operational familiarity and port infrastructure
- Phase 3 (2032-2040s): Australia acquires three to five Virginia-class submarines from US production lines, followed by construction of the SSN-AUKUS — a new submarine class based on the UK’s next-generation design with US combat systems and weapons
Each phase escalates the compliance requirements for participating companies. Phase 1 involves personnel access and facility security. Phase 2 adds logistics, maintenance, and sustainment. Phase 3 requires full-spectrum manufacturing, integration, and through-life support — all subject to US, UK, and Australian regulatory frameworks simultaneously.
ITAR and nuclear propulsion technology
Naval nuclear propulsion is controlled under ITAR Category XX (Submersible Vessels, Oceanographic and Associated Equipment) and is among the most restricted items on the United States Munitions List. The technology encompasses reactor design, fuel fabrication, shielding, propulsion train integration, and the operational procedures for safe reactor operation at sea.
For AUKUS, the US has established a specific legal framework — the AUKUS legislation amending the ITAR exemptions under 22 CFR 126.17 — to permit certain defence trade between Australia, the UK, and the US without individual export licences. However, this exemption is narrow and conditional:
- Eligible items: Only defence articles and services authorised under the AUKUS exemption scope. Nuclear propulsion technology transfers require separate authorisation pathways, typically through DOE/NNSA channels under the Naval Nuclear Propulsion Information (NNPI) framework
- Eligible persons: Only citizens and permanent residents of Australia, the UK, or the US who hold appropriate security clearances and have no disqualifying foreign connections
- Facility requirements: Participating companies must have approved Technology Control Plans, secure facilities meeting US and Australian standards, and documented procedures for preventing unauthorised access
- End-use restrictions: AUKUS-transferred technology cannot be re-exported or retransferred without US Government authorisation
Companies must still register with the Directorate of Defense Trade Controls (DDTC), maintain ITAR compliance programmes, and ensure that all employees with access to ITAR-controlled technical data are properly vetted. The AUKUS exemption simplifies licensing — it does not eliminate compliance obligations.
CMMC certification for the submarine supply chain
Every company handling Controlled Unclassified Information (CUI) in the AUKUS submarine programme must achieve CMMC Level 2 certification. This requirement flows down from US prime contractors — General Dynamics Electric Boat and Huntington Ingalls Industries for submarine construction, and BAE Systems for the SSN-AUKUS design — to every tier of the supply chain.
For Australian companies, CMMC presents specific challenges:
- No domestic C3PAO infrastructure: As of 2026, certified third-party assessment organisations are predominantly US-based. Australian companies must engage US assessors or work with the limited number of C3PAOs establishing Asia-Pacific operations
- Cloud infrastructure requirements: CMMC Level 2 requires CUI to be processed and stored in FedRAMP Moderate-equivalent environments. Australian companies using domestic cloud providers must verify that their environments meet this standard, or migrate to authorised platforms
- 110 security requirements: The full NIST SP 800-171 Rev 2 control set covers access control, audit and accountability, configuration management, incident response, and 10 other security families. Each requirement must be fully implemented — not planned, not partially addressed
- Plan of Action and Milestones (POA&M) limitations: Under CMMC 2.0, a limited number of requirements can be addressed through POA&Ms, but critical controls must be fully implemented at the time of assessment
Australian defence primes like ASC (now Australian Submarine Corporation), Austal, and CEA Technologies are investing heavily in CMMC readiness. Their subcontractors — machine shops, electronics manufacturers, software developers, logistics providers — must follow or risk exclusion from the supply chain.
DFARS flow-down requirements
Beyond CMMC, the Defense Federal Acquisition Regulation Supplement (DFARS) imposes contract-level compliance obligations that flow down through the entire supply chain:
- DFARS 252.204-7012: Safeguarding Covered Defense Information — requires adequate security measures, cyber incident reporting within 72 hours, and cooperation with DoD damage assessments
- DFARS 252.204-7019/7020/7021: The CMMC clause set — requires self-assessment scores posted to the Supplier Performance Risk System (SPRS), government verification rights, and CMMC certification at the specified level
- DFARS 252.225-7048: Export-controlled items — requires identification and marking of all export-controlled items in contract deliverables
- DFARS 252.239-7010: Cloud computing services — additional requirements when CUI is stored or processed in cloud environments
For Australian and UK subcontractors, these DFARS clauses are not optional inclusions — they are mandatory flow-downs that US primes are contractually required to impose. A subcontractor that cannot accept these clauses cannot hold the subcontract.
Australia’s Defence Trade Controls Act
Australian companies in the AUKUS supply chain must simultaneously comply with the Defence Trade Controls Act 2012 (DTCA), administered by the Defence Export Controls branch of the Australian Department of Defence.
The DTCA controls:
- Supply of goods on the Defence and Strategic Goods List (DSGL): Including nuclear-related items in Part 1 (munitions list) and Part 2 (dual-use list, particularly Category 0 — Nuclear Materials, Facilities, and Equipment)
- Publication and supply of DSGL technology: Technical data, software, and intangible technology transfers related to controlled items
- Brokering of controlled goods: Facilitating the supply of DSGL items between foreign countries
The AUKUS ITAR exemption operates alongside the DTCA, not in place of it. Australian companies must maintain compliance with both the US and Australian export control frameworks. Where an item is controlled under both ITAR and the DSGL, both sets of requirements apply. The Australian Government has updated the DTCA permit framework to streamline AUKUS-related transfers, but companies still need documented compliance programmes, trained personnel, and auditable records for both regimes.
The dual-framework compliance challenge
The fundamental challenge for companies in the AUKUS submarine supply chain is that they must satisfy two (or three) national compliance frameworks simultaneously, across multiple regulatory domains:
- Export controls: ITAR (US) + DTCA (Australia) + UK Strategic Export Controls
- Cybersecurity: CMMC (US) + Australian Government Information Security Manual (ISM) + UK Cyber Essentials Plus
- Nuclear safety: NRC/DOE/NNSA frameworks (US) + ARPANSA requirements (Australia) + ONR requirements (UK)
- Facility security: National Industrial Security Program (NISP, US) + Defence Industry Security Program (DISP, Australia) + List X (UK)
- Personnel security: US security clearance reciprocity + Australian Positive Vetting + UK Developed Vetting
No single compliance framework covers all of these domains. Companies need to map requirements across frameworks, identify where they align and where they diverge, and implement programmes that satisfy all applicable obligations without creating operational contradictions.
Building a compliant AUKUS supply chain position
For companies seeking to enter or maintain their position in the AUKUS submarine supply chain, the compliance investment is front-loaded and substantial. The cost of CMMC Level 2 certification alone — including infrastructure upgrades, documentation, assessment preparation, and the C3PAO assessment itself — runs into six figures for mid-sized companies. Adding ITAR compliance programme development, DTCA permit applications, and facility security upgrades pushes the total compliance investment higher.
AuditDSS covers ITAR, CMMC, DFARS, and Australian DTCA compliance frameworks, providing companies with a structured approach to mapping obligations across the multi-national regulatory landscape that AUKUS creates. For supply chain participants navigating simultaneous US and Australian compliance requirements, having visibility across all applicable frameworks from a single platform eliminates the fragmentation that causes compliance gaps.
The companies that succeed in the AUKUS submarine programme will be those that treat compliance as a competitive advantage rather than an administrative burden. In a supply chain where non-compliance means exclusion — not just penalties — the investment in getting it right from the start pays for itself many times over.