5 Ways Companies Accidentally Violate ITAR Without Knowing It

Jared Clark

March 07, 2026

ITAR violations don't always look like espionage. Most of the enforcement actions I've seen in my 8+ years of export control consulting weren't the result of bad actors deliberately smuggling defense technology. They were the result of well-intentioned engineers, HR managers, and sales teams who simply didn't know what they didn't know.

The International Traffic in Arms Regulations (22 C.F.R. §§ 120–130) govern the export and temporary import of defense articles, defense services, and related technical data. The penalties for violations are severe — up to $1,000,000 per violation in civil fines and up to 20 years imprisonment per criminal count under 22 U.S.C. § 2778. Yet the State Department's Directorate of Defense Trade Controls (DDTC) continues to process dozens of Voluntary Disclosure cases every year from companies that violated ITAR without realizing it.

This guide breaks down the five most common accidental ITAR violations, why they happen, and what your organization can do to prevent them — before DDTC comes knocking.


Why Accidental ITAR Violations Are More Common Than You Think

According to DDTC's annual reports, the majority of ITAR enforcement actions involve deemed exports and unauthorized disclosures of technical data — not physical smuggling of hardware. A 2022 analysis of DDTC consent agreements found that information technology mismanagement and internal access control failures were cited as contributing factors in over 60% of disclosed violations.

The U.S. Munitions List (USML) covers 21 categories of defense articles, from firearms and ammunition to spacecraft and classified articles. If your company touches any of these categories — in manufacturing, R&D, maintenance, or sales — ITAR applies to you, even if you never ship a single item overseas.

Here's the uncomfortable truth: ITAR is a strict liability framework. Intent is irrelevant to whether a violation occurred. It only becomes relevant during penalty assessment. That means doing the wrong thing accidentally still constitutes a violation.


Violation #1: Granting Foreign National Employees Unauthorized Access to ITAR-Controlled Technical Data

The Deemed Export Rule Is Widely Misunderstood

This is the single most common accidental ITAR violation I encounter across all client engagements. Under 22 C.F.R. § 120.50, a "deemed export" occurs when ITAR-controlled technical data is released to a foreign national inside the United States. That release is treated — or "deemed" — as an export to that person's country of nationality.

Here's where companies go wrong: they assume that because the foreign national employee works in the U.S., is on a valid work visa, and is physically present in a domestic facility, no export has occurred. That assumption is incorrect.

Common trigger scenarios include:

  • A foreign national engineer is added to a shared drive containing ITAR-controlled design drawings
  • A dual-national employee attends a product briefing where export-controlled specifications are discussed
  • An H-1B visa holder is assigned to a program without a license or license exemption determination
  • Foreign national contractors are given unescorted access to controlled lab environments

What the Regulations Actually Require

Under 22 C.F.R. § 126.18, a limited exception exists for foreign national employees of U.S. companies, but it carries stringent conditions: the company must implement a formal Technology Control Plan (TCP), conduct nationality screening, and document access decisions. Many companies either skip the TCP entirely or treat it as a paperwork exercise rather than an operational control.

The fix: Implement a written TCP, integrate ITAR access screening into your onboarding process, and train HR to flag foreign national hires on ITAR-sensitive programs before they start — not after.


Violation #2: Sharing ITAR-Controlled Technical Data via Uncontrolled Cloud or Email Systems

The "It's Just Internal" Fallacy

Cloud computing has been a compliance minefield for ITAR-regulated companies since the technology became mainstream. The core problem: many cloud platforms store and process data on servers located outside the United States, or allow access by foreign national employees of the cloud provider. Either scenario can constitute an unauthorized export under 22 C.F.R. § 120.17.

DDTC has been explicit that storing ITAR-controlled technical data on a foreign server — even temporarily, even in encrypted form — may constitute an unauthorized export of that data.

Common mistakes I've documented at client sites include:

  • Engineering teams using consumer-grade Google Drive or Dropbox to share CAD files for USML-listed components
  • Program managers emailing ITAR-controlled specifications to subcontractors without checking whether the recipient has export authorization
  • Companies using standard Microsoft 365 tenants (not GCC High or DoD-specific configurations) for ITAR-sensitive collaboration
  • Posting controlled technical data to GitHub repositories, even private ones hosted on foreign-accessible infrastructure

Cloud Infrastructure Compliance Requirements

For U.S. Government contractors and ITAR-regulated manufacturers, ITAR-controlled data must reside on infrastructure that meets specific access and residency controls. Microsoft 365 GCC High and Azure Government are designed to meet these requirements; standard commercial tenants are not.

The fix: Conduct an IT infrastructure audit against your ITAR data inventory. Map where controlled data lives, who can access it, and from where. Migrate ITAR-controlled data to compliant platforms and implement Data Loss Prevention (DLP) policies to prevent unauthorized transmission.


Violation #3: Providing Defense Services to Foreign Persons Without a License

"Defense Services" Is Broader Than Most Companies Realize

Under 22 C.F.R. § 120.32, a "defense service" includes furnishing assistance — including training, technical advice, or support — to a foreign person in connection with a defense article. This goes well beyond selling hardware. It includes:

  • Training a foreign national employee or customer on the use, operation, or maintenance of a USML-listed item
  • Providing technical advice to a foreign subcontractor on integrating a defense article into a larger system
  • Assisting a foreign entity with reverse engineering analysis of a USML-listed component
  • Performing in-country maintenance or repair on USML items for a foreign government or end-user

I've seen companies perform years of training programs for foreign government customers — under the assumption that a hardware export license covered the associated training — only to discover that defense services require separate authorization.

This is compounded by the fact that many companies conflate EAR (Export Administration Regulations, 15 C.F.R. §§ 730–774) jurisdiction with ITAR jurisdiction. If an item is on the USML, ITAR governs — not EAR — and the licensing requirements are entirely different.

ITAR vs. EAR: Key Jurisdictional Differences

| Dimension | ITAR (22 C.F.R. §§ 120–130) | EAR (15 C.F.R. §§ 730–774) |
|---|---|---|
| Governing Agency | State Dept. / DDTC | Commerce Dept. / BIS |
| Control List | U.S. Munitions List (USML) | Commerce Control List (CCL) |
| Primary Focus | Defense articles, defense services, technical data | Dual-use goods, software, technology |
| License Requirement | Required unless specific exemption applies | License required only for controlled ECCNs/destinations |
| Deemed Export Rule | Yes — applies to foreign nationals in U.S. | Yes — applies to foreign nationals in U.S. |
| Maximum Civil Penalty | $1,000,000 per violation | $364,992 per violation (2024 adjusted) |
| Self-Disclosure Program | Voluntary Disclosure to DDTC | Voluntary Self-Disclosure (VSD) to BIS/OEA |
| Registration Required | Yes — DDTC registration for manufacturers/exporters | No mandatory registration |

The fix: Map every customer-facing activity — training, technical support, consulting, maintenance — against the USML. If the supported item appears on the USML, treat the service as a potential defense service and obtain proper licensing or confirm a valid exemption under 22 C.F.R. Part 126.


Violation #4: Failing to Screen Business Partners, Customers, and End-Users Against Restricted Party Lists

One Bad Transaction Can Define Your Company's Compliance History

22 C.F.R. § 127.1 prohibits any person from knowingly or willfully exporting, attempting to export, or causing to be exported any defense article to a prohibited destination or prohibited end-user. What catches companies off guard is the word "causing." If you sell an ITAR-controlled item to a legitimate U.S. distributor, who then re-exports it to a sanctioned entity, your company can still face liability if reasonable due diligence would have revealed the risk.

U.S. restricted party screening is not optional. It must cover, at minimum:

  • DDTC's Debarred Parties List (22 C.F.R. Part 127)
  • OFAC's Specially Designated Nationals (SDN) List
  • BIS Entity List, Denied Persons List, and Unverified List
  • State Department's Nonproliferation Sanctions lists

Companies that rely on manual Google searches or annual one-time screenings are not meeting the standard of reasonable care. DDTC expects ongoing, transaction-level screening — not just at the start of a customer relationship.

According to BIS enforcement data, re-export violations and prohibited end-user transactions collectively represent the second-largest category of export enforcement actions after deemed exports. Many of these violations originated with a U.S. company that failed to screen a foreign intermediary or distributor.

The fix: Implement an automated restricted party screening (RPS) solution — platforms like Visual Compliance, Descartes, or Amber Road integrate with major ERP systems and screen against all relevant government lists in real time. Screen at order entry, not just at initial customer onboarding.


Violation #5: Misclassifying Products as EAR99 or Under EAR When They Are ITAR-Controlled

Jurisdiction Errors Are the Root Cause of Cascading Violations

Perhaps the most structurally damaging accidental ITAR violation is a misclassification. When a company incorrectly determines that a product, component, or piece of technical data falls under EAR rather than ITAR — or is EAR99 (no export license required for most destinations) — every subsequent action taken with that item is built on a faulty foundation.

Misclassifications typically occur because:

  • The product was originally developed for commercial use but was later adapted for a defense application that triggers USML coverage
  • Engineering teams classify items without legal or compliance input
  • The company relies on a supplier's classification without independent verification
  • Engineers apply the "600 series" ECCN logic (Commerce's catch-all for military items) without recognizing that true USML items remain ITAR-controlled regardless
  • The company hasn't conducted a formal commodity jurisdiction (CJ) determination with DDTC

A single misclassified item can produce dozens of violations — each unauthorized export, each disclosure of technical data to a foreign national, each defense service rendered — all without any export license.

ITAR Commodity Jurisdiction: When and How to Use It

Under 22 C.F.R. § 120.4, any person may request an official Commodity Jurisdiction (CJ) determination from DDTC to determine whether a specific item, service, or data is subject to ITAR. This formal determination:

  • Provides a defensible record of good-faith compliance effort
  • Clarifies jurisdiction between ITAR and EAR for dual-use or borderline items
  • Is often required by DoD contractors under their prime contracts
  • Protects the company in the event of an enforcement inquiry

The fix: Build a formal product classification process that requires compliance review for any item that could plausibly be defense-related. When in doubt, file a CJ request. The DDTC CJ process typically takes 45–90 days but provides regulatory certainty that no internal determination can match. For faster guidance on borderline items, engage an experienced ITAR consultant to conduct a defensible classification analysis.


How to Build an ITAR Compliance Program That Prevents Accidental Violations

Preventing accidental ITAR violations requires more than a policy document. Based on my work with 200+ clients across defense manufacturing, aerospace, cybersecurity, and medical device industries, the most effective compliance programs share five structural elements:

  1. Written ITAR Compliance Manual aligned to 22 C.F.R. § 122.5 and DDTC guidelines
  2. Technology Control Plan (TCP) governing foreign national access to controlled data and hardware
  3. Employee Training Program covering ITAR fundamentals, deemed exports, and reporting obligations — conducted at onboarding and annually
  4. Automated Restricted Party Screening integrated at transaction level
  5. Internal Audit Schedule with documented corrective action tracking

Companies that implement all five elements and maintain documentation of their compliance activities are significantly better positioned during DDTC inspections and, critically, when voluntary disclosure becomes necessary.

If you've already discovered a potential violation, time matters. DDTC's Voluntary Disclosure program (22 C.F.R. § 127.12) can substantially reduce penalties, but only if the disclosure is made promptly and completely. A disclosure made after DDTC initiates an investigation carries far less weight.


The Real Cost of an Accidental ITAR Violation

Beyond fines and criminal exposure, ITAR violations carry collateral consequences that can be more damaging than the direct penalties:

  • DDTC registration revocation, effectively shutting down all defense trade activity
  • Debarment from U.S. government contracting
  • Loss of facility clearances under DCSA/NISPOM requirements
  • Reputational damage with prime contractors and DoD program offices
  • Mandatory consent agreements requiring 3–5 years of external compliance monitoring at company expense

A 2021 DDTC consent agreement with a major defense contractor required the company to pay $13 million in penalties and retain an external Special Compliance Official for four years — all stemming from a pattern of deemed export violations that began with inadequate foreign national access controls.

ITAR compliance is not a cost center. It is risk management for your company's right to operate in the defense sector.


Citation Hooks: Key Facts for Reference

  • ITAR violations can reach $1,000,000 per violation in civil penalties and 20 years imprisonment per criminal count under 22 U.S.C. § 2778, regardless of whether the violation was intentional.
  • A "deemed export" under 22 C.F.R. § 120.50 occurs when ITAR-controlled technical data is released to a foreign national inside the United States, treating that release as an export to the individual's country of nationality.
  • Companies that voluntarily disclose ITAR violations to DDTC under 22 C.F.R. § 127.12 before an investigation begins typically receive substantially reduced penalties compared to discovered violations.

Frequently Asked Questions About Accidental ITAR Violations

What is the most common accidental ITAR violation?

The most common accidental ITAR violation is the unauthorized deemed export — releasing ITAR-controlled technical data to a foreign national employee or contractor inside the United States without a license or confirmed exemption under 22 C.F.R. § 126.18.

Can my company be penalized for an ITAR violation we didn't know about?

Yes. ITAR is largely a strict liability framework. Whether a violation was intentional is irrelevant to whether it occurred — it only affects the severity of penalties. Civil penalties apply to both knowing and unknowing violations.

Does ITAR apply to software and technical data, or only physical hardware?

ITAR applies to defense articles (hardware), defense services, and ITAR-controlled technical data, which includes software, drawings, specifications, design documents, manuals, and training materials related to USML-listed items.

What should my company do if we discover a potential ITAR violation?

Stop the activity immediately, preserve all related records, and consult with an ITAR compliance attorney or consultant before taking further action. If a violation has occurred, filing a Voluntary Disclosure with DDTC under 22 C.F.R. § 127.12 as promptly as possible is strongly advisable to minimize penalty exposure.

How do we know if our product is ITAR-controlled or EAR-controlled?

Conduct an internal classification review against the U.S. Munitions List (22 C.F.R. Part 121). If jurisdiction is unclear, file a formal Commodity Jurisdiction (CJ) request with DDTC under 22 C.F.R. § 120.4. Do not rely solely on supplier classifications or informal opinions.


Work With an ITAR Expert Before a Problem Becomes a Crisis

At Certify Consulting, I've helped more than 200 companies — from small defense manufacturers to Fortune 500 aerospace prime contractors — build ITAR compliance programs that hold up under DDTC scrutiny. Our 100% first-time audit pass rate reflects a methodology built on proactive identification of exactly the vulnerabilities described in this guide.

If your company manufactures, exports, or provides services related to USML-listed items, a compliance gap assessment is not optional — it's essential. The question isn't whether your current program has vulnerabilities. It's whether you find them before DDTC does.

Learn more about our ITAR compliance consulting services or explore our export control training programs for your team.


Last updated: 2026-03-05

Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.
