defense 2026-03-02 7 min read

CMMC 2.0 and AUKUS: Why Australian and UK Defence Contractors Need US Compliance

AUKUS is creating new compliance obligations for Australian and UK defence contractors. Here's what CMMC 2.0, ITAR, and DFARS mean for non-US companies in the trilateral supply chain.

By AuditDSS Team

The AUKUS trilateral security partnership between Australia, the United Kingdom, and the United States is reshaping defence procurement across all three nations. For Australian and UK defence contractors, the partnership means something very specific: US compliance frameworks now apply to you.

If you’re in the AUKUS supply chain — or plan to be — you need to understand CMMC 2.0, ITAR, DFARS, and how they interact with your domestic compliance obligations. This guide covers what’s required, who’s affected, and how to assess your readiness.

What AUKUS changes for defence contractors

AUKUS has two pillars. Pillar I covers nuclear-powered submarine acquisition for Australia. Pillar II covers advanced capabilities: quantum computing, AI, hypersonics, electronic warfare, and cyber. Both pillars involve deep technology sharing between the three nations.

That technology sharing triggers US export control and cybersecurity requirements. When Controlled Unclassified Information (CUI) flows from US defence primes to Australian or UK subcontractors, those subcontractors inherit the same compliance obligations as US-based companies.

This isn’t theoretical. AUKUS defence contracts are already flowing, and US primes are already requiring CMMC certification from their international partners. Australian and UK companies that can’t demonstrate compliance are being excluded from supply chains.

CMMC 2.0: the framework

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense’s framework for protecting CUI across the defence industrial base. It replaced the self-attestation model under DFARS 252.204-7012 with a tiered certification system.

The three levels

  • Level 1 (Foundational): 17 practices based on FAR 52.204-21. Self-assessment. Applies to contracts involving Federal Contract Information (FCI) only.
  • Level 2 (Advanced): 110 practices aligned to NIST SP 800-171 Rev 2. Requires third-party assessment by a C3PAO (Certified Third-Party Assessment Organisation) for critical contracts. This is where most AUKUS-related contracts sit.
  • Level 3 (Expert): 134 practices based on NIST SP 800-172. Government-led assessment. Reserved for the most sensitive programmes.

What Level 2 requires

Level 2 maps to the 110 security requirements in NIST SP 800-171. These cover 14 families:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (7 requirements)

Each requirement contains multiple testable obligations. “Limit system access to authorised users” is one requirement, but it decomposes into specific obligations about authentication mechanisms, access provisioning, access reviews, privilege management, and session controls.

ITAR and defence trade controls

ITAR — the International Traffic in Arms Regulations — controls the export of defence articles, services, and technical data on the US Munitions List. Under AUKUS, exemptions have been created to facilitate technology sharing between the three nations, but these exemptions come with conditions.

The AUKUS ITAR exemption

In 2024, the US amended ITAR to create a licence-free environment for most defence trade between AUKUS nations. However, this exemption requires:

  • Personnel handling ITAR-controlled data must be nationals of an AUKUS country or have appropriate security clearances
  • End-use restrictions remain in place
  • Certain items on the Excluded Technology List still require individual licences
  • Record-keeping and reporting obligations apply to all transfers
  • Physical and cybersecurity protections must meet US standards

The exemption simplifies trade but doesn’t eliminate compliance. Australian and UK companies must still demonstrate they can protect ITAR-controlled technical data to US standards.

Australia’s Defence Trade Controls Act 2012

Australian defence contractors also need to comply with the Defence Trade Controls Act 2012 (DTCA), which controls the supply of goods and technology on the Defence and Strategic Goods List (DSGL). The DTCA creates its own set of obligations around:

  • Permits for supply of controlled goods and technology
  • Record-keeping requirements
  • Intangible transfers (including electronic transmission of controlled technology)
  • Brokering controls

The intersection of DTCA and ITAR creates a dual compliance burden. An Australian company handling AUKUS-related technology may need to satisfy both frameworks simultaneously.

DFARS: the contractual layer

The Defense Federal Acquisition Regulation Supplement (DFARS) translates CMMC and CUI protection requirements into contractual obligations. Key clauses for AUKUS contractors:

  • DFARS 252.204-7012: Safeguarding Covered Defence Information. Requires implementation of NIST SP 800-171, incident reporting within 72 hours, and cloud service provider compliance with FedRAMP Moderate or equivalent.
  • DFARS 252.204-7019: Notice of NIST SP 800-171 assessment requirements.
  • DFARS 252.204-7020: NIST SP 800-171 assessment requirements (Supplier Performance Risk System (SPRS) scores).
  • DFARS 252.204-7021: CMMC certification requirements.

These clauses flow down to subcontractors. If a US prime includes DFARS 252.204-7021 in its subcontract, the Australian or UK subcontractor must hold the required CMMC certification level.

The practical challenge for AU/UK companies

Australian and UK defence contractors face several challenges that US companies don’t:

1. Infrastructure sovereignty

CMMC Level 2 requires that CUI is processed and stored in environments that meet specific security requirements. For non-US companies, this raises questions about data residency, cloud provider selection, and whether Australian or UK sovereign cloud environments meet DFARS equivalency requirements.

2. Assessment availability

C3PAO assessments for CMMC are still primarily US-focused. Australian and UK companies may face longer wait times and higher costs for third-party assessments, particularly in the early years of the programme.

3. Dual framework compliance

An Australian defence contractor in the AUKUS supply chain may need to comply with CMMC 2.0, ITAR, DFARS, the Defence Trade Controls Act, the Australian Government Information Security Manual (ISM), and potentially the UK’s Cyber Essentials Plus. Managing overlapping obligations across these frameworks is the central challenge.

4. Supply chain flow-down

CMMC obligations flow down through the supply chain. An Australian prime contracting with US defence must ensure its own Australian subcontractors also meet the required certification level. This creates a cascading compliance requirement through the domestic supply chain.

How to assess readiness

Step 1: Identify your CUI exposure

Map which contracts involve CUI, what categories of CUI you handle, and where it flows in your organisation. Not every defence contract triggers CMMC Level 2 — but most AUKUS-related work will.

Step 2: Gap assessment against NIST SP 800-171

Conduct a detailed gap assessment against all 110 NIST SP 800-171 requirements. Don’t assess at the requirement level — decompose each requirement into its constituent obligations and test each one independently.

Step 3: Map your overlapping frameworks

Identify where CMMC, ITAR, DFARS, and your domestic frameworks (DTCA, ISM, Cyber Essentials) overlap and where they diverge. Common controls can be shared; divergent requirements need separate treatment.

Step 4: Build a Plan of Action and Milestones (POA&M)

CMMC 2.0 allows limited use of POA&Ms for Level 2 certification — you can have a conditional certification while addressing certain gaps, provided they’re documented with specific milestones and timelines. But not all requirements are eligible for POA&M; some must be fully met at assessment time.

Step 5: Engage early with your US primes

Don’t wait for the CMMC clause to appear in your subcontract. Engage proactively with your US prime contractors to understand their timeline, assessment requirements, and expectations for international subcontractors.
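As an added example (not code from this post or from AuditDSS), the following Python sketch shows what the obligation-level decomposition from Step 2 and the POA&M check from Step 4 look like in practice: each SP 800-171 requirement is split into testable obligations, a requirement counts as met only when every obligation passes, the results are rolled up by family and scored from 110 downward, and a conditional-certification check asks whether every open gap is POA&M-eligible. The requirement identifiers are real SP 800-171 Rev 2 numbers; the obligations, their statuses and the point weights are constructed sample data, and the 88-point floor and the "only 1-point items may go on a POA&M" rule are assumptions used for illustration rather than the authoritative rule text.

```python
"""Obligation-level gap assessment for NIST SP 800-171 / CMMC Level 2 readiness.

Added illustration for this post, not AuditDSS code. Requirement identifiers
follow the real SP 800-171 Rev 2 numbering, but the decomposed obligations,
their pass/fail status and the point weights are CONSTRUCTED sample data.
Scoring starts at 110 and deducts per unmet requirement, as in the DoD
NIST SP 800-171 Assessment Methodology; the 88-point floor and the rule that
only 1-point requirements may sit on a POA&M are ASSUMPTIONS used to
illustrate the conditional-certification check, not the authoritative rule text.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110          # one point per SP 800-171 requirement
CONDITIONAL_FLOOR = 88   # assumed minimum score for a conditional Level 2 result


@dataclass
class Obligation:
    text: str
    met: bool


@dataclass
class Requirement:
    req_id: str                      # SP 800-171 identifier, e.g. "3.1.1"
    family: str
    weight: int                      # deduction if not fully met (sample: 1, 3 or 5)
    obligations: list = field(default_factory=list)

    def fully_met(self) -> bool:
        # A requirement only counts as met when every decomposed obligation passes.
        return all(o.met for o in self.obligations)


def build_sample_assessment() -> list:
    """Constructed sample: a few requirements, each decomposed into testable obligations."""
    return [
        Requirement("3.1.1", "Access Control", 5, [
            Obligation("Users authenticate before any system access", True),
            Obligation("Accounts provisioned only via approved request workflow", True),
            Obligation("Access rights reviewed at least quarterly", False),
            Obligation("Privileged accounts separated from day-to-day accounts", True),
            Obligation("Sessions locked after a defined idle period", True),
        ]),
        Requirement("3.1.2", "Access Control", 5, [
            Obligation("Users limited to transactions their role permits", True),
            Obligation("Role definitions documented and approved", True),
        ]),
        Requirement("3.3.1", "Audit and Accountability", 5, [
            Obligation("Security-relevant events logged on all CUI systems", True),
            Obligation("Logs retained for the contractually required period", True),
        ]),
        Requirement("3.6.1", "Incident Response", 5, [
            Obligation("Incident response plan exists and is exercised", True),
            Obligation("Procedure to report cyber incidents to DoD within 72 hours", False),
        ]),
        Requirement("3.12.2", "Security Assessment", 1, [
            Obligation("POA&M maintained and reviewed for open gaps", False),
        ]),
    ]


def requirement_level_view(reqs):
    """Binary pass/fail per requirement: what a shallow assessment reports."""
    return {r.req_id: r.fully_met() for r in reqs}


def obligation_gaps(reqs):
    """Failed obligations per requirement: what the remediation plan actually needs."""
    return {r.req_id: [o.text for o in r.obligations if not o.met]
            for r in reqs if not r.fully_met()}


def family_rollup(reqs):
    """(met, total) obligation counts per SP 800-171 family."""
    totals = {}
    for r in reqs:
        met, total = totals.get(r.family, (0, 0))
        totals[r.family] = (met + sum(o.met for o in r.obligations),
                            total + len(r.obligations))
    return totals


def score(reqs) -> int:
    """Start at 110 and deduct each unmet requirement's weight.
    Requirements absent from the sample are treated as met."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.fully_met())


def conditional_certification(reqs):
    """Assumed rule: score >= floor AND every open gap is POA&M-eligible (1-point)."""
    open_gaps = [r for r in reqs if not r.fully_met()]
    blockers = [r.req_id for r in open_gaps if r.weight != 1]
    poam = [r.req_id for r in open_gaps if r.weight == 1]
    s = score(reqs)
    return {"score": s, "eligible": s >= CONDITIONAL_FLOOR and not blockers,
            "blockers": blockers, "poam_items": poam}


if __name__ == "__main__":
    reqs = build_sample_assessment()
    print("requirement view:", requirement_level_view(reqs))
    print("obligation gaps:", obligation_gaps(reqs))
    print("family rollup:", family_rollup(reqs))
    print("conditional certification:", conditional_certification(reqs))
```

On the sample data the requirement-level view reports 3.1.1 simply as not met, while the obligation view shows that four of its five obligations already pass and only the quarterly access review is outstanding; that is the difference between a remediation plan and a red cell in a spreadsheet. The score comes out at 99, above the assumed floor, but the two open 5-point requirements block a conditional result, and only 3.12.2 would be allowed onto a POA&M.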

The compliance timeline

CMMC 2.0 requirements are being phased into new DoD contracts starting in 2025-2026. By 2028, virtually all contracts involving CUI will require CMMC Level 2 certification. For AUKUS-related contracts, the timeline is likely accelerated given the programme’s strategic priority.

Australian and UK contractors should be working toward assessment readiness now, not when the contractual requirement appears.


AuditDSS covers CMMC 2.0, ITAR, DFARS, and Australia’s Defence Trade Controls Act with obligation-level decomposition and cross-framework mapping. Assess your defence compliance posture across all applicable frameworks in a single analysis. Start your assessment.
