Your Data Has a Passport: Risks to Global Data Movement w/ Steven Casazza

In 2026, organizations no longer need a physical shipment to trigger export-control risk. Data movement alone can be enough. I sat down with Steven Casazza, President of Defense Trade Solutions, to discuss the overlap between CUI, CMMC, and export controls.

Cloud collaboration platforms, remote workforces, international subsidiaries, and third-party vendors have made cross-border data access routine.  This is often without organizations realizing when export-controlled and sensitive data is involved. For companies operating in or adjacent to the Defense Industrial Base (DIB), that creates a growing blind spot at the intersection of cybersecurity compliance (CMMC) and U.S. export control regulations. 

Your people may never leave the U.S., but your data already has. 

Watch Steven Casazza (Defense Trade Solutions) and myself explain where CUI, CMMC, and export controls intersect—and why many organizations underestimate the resulting risk. 

Data movement is the new export 

Export control exposure is no longer limited to intentional transfers or physical shipments. In modern digital environments, routine business operations can create export compliance risk, including: 

• Cloud-hosted environments with global data residency 

• International subsidiaries accessing shared systems 

• Foreign national employees or contractors accessing controlled data 

• Third-party SaaS tools processing controlled data 

• Collaboration platforms syncing data across regions 

From an export control standpoint, the question is no longer whether data is moving, but who can access controlled data, from where, and under what legal authority. 

“From an export perspective… if it moves outside the U.S., then it would be an export.”

- Steven Casazza

Where CMMC and export controls collide 

Many organizations still treat CMMC compliance and export controls as separate workstreams. In reality, they overlap in several critical areas: 

• CUI location and access controls 

• Identity and access management 

• Data segmentation and boundary definition 

• Vendor and supply chain risk 

• Auditability and evidence 

CMMC focuses on protecting sensitive information through defined cybersecurity controls. Export controls add a legal and regulatory layer to the mix.  Specifically, who is legally permitted to access controlled technical data, where that data may reside, and from which countries it may be accessed . 

CUI and ITAR are two different things… but ITAR can also fit under CMMC if it’s done under a federal contract. 

The “invisible risk” 

Organizations most exposed to this risk often don’t see themselves as exporters at all, including: 

• Commercial companies supporting DoW primes 

• Multinational firms with shared IT infrastructure 

• Companies with international engineering or support teams 

• Organizations leveraging global cloud providers by default 

Even CMMC-aware organizations remain exposed if they cannot confidently answer: 

• Where does our sensitive data live? 

• Who can access it? 

• From which countries can it be accessed? 

• What third parties may have administrative access? 

These are not hypothetical questions; they are the foundation for both cybersecurity compliance and export control defensibility. 

What good looks like in 2026 

Organizations getting ahead of this risk are taking a deliberate, export-aware approach to data governance and system design: 

• Clearly defining where controlled data is allowed to reside 

• Enforcing access controls tied to nationality and location requirements 

• Aligning cloud architecture to contractual and regulatory obligations 

• Treating export controls and cybersecurity as connected, not siloed 

• Building defensible documentation and evidence trails 

This isn’t about stopping collaboration. It’s about enabling global collaboration without creating hidden export-control violations. 

Why this requires both disciplines 

This is not a problem one discipline can solve alone. 

• Cybersecurity teams understand system architecture, access controls, and frameworks like CMMC. 

• Export-control professionals and trade compliance teams understand regulatory triggers, jurisdictional exposure, licensing requirements, and enforcement realities. 

When these perspectives work together, organizations reduce risk without over-engineering systems or slowing the business. 

“CMMC is providing that cybersecurity hygiene… not just for CUI, but also for export-controlled information, even if it wasn’t developed under a U.S. government contract.” 

- Steven Casazza

Awareness is the first control 

Compliance failures often do not stem from bad intent.  They stem from blind spots. 

Understanding how your data moves, who can access it, and how that aligns with both cybersecurity and export-control requirements is no longer optional. In 2026, data awareness is a foundational compliance control. 

About Defense Trade Solutions (DTS) 

Defense Trade Solutions (DTS) is a global trade compliance firm supporting small- and mid-sized aerospace and defense companies. DTS operates as a fractional trade compliance office, helping organizations navigate ITAR/EAR requirements, foreign military sales, technology security & foreign disclosure (TSFD), logistics & customs compliance, and international regulatory obligations, so compliance becomes a competitive advantage, not a barrier to international business. 

About Steven Casazza 

Steven Casazza is President of Defense Trade Solutions. Steven brings two decades of experience shaping defense trade and export strategies. Today Steven helps aerospace and defense companies remove friction, navigate complex regulations, and accelerate approvals by translating policy into practical processes - aligning commercial growth with U.S. national security and foreign policy priorities while moving at the speed of business. He previously served as an ITAR Empowered Official, building global trade compliance programs at mid-tier defense firms, operationalizing Technology Security & Foreign Disclosure (TSFD) requirements to secure export policy approvals for critical technologies, and helped establish Foreign Military Sales (FMS) & Direct Commercial Sales (DCS) export policy and export-control reform requirements while supporting the Department of Defense. He is a serving member of the Department of State’s Defense Trade Advisory Group and Vice Chair of the National Defense Industrial Association International Division.