
Building an ITAR Compliance Program from Scratch: Where Most Companies Go Wrong

Jared Clark

March 07, 2026

Every week I talk to defense contractors, aerospace manufacturers, and technology companies who believe they have an ITAR compliance program. What they actually have is a three-page policy document, a signed acknowledgment form from their employees, and a vague awareness that some of their products touch the U.S. Munitions List. That is not a compliance program. That is liability dressed up as paperwork.

After more than eight years helping 200+ companies build and audit ITAR compliance infrastructure — with a 100% first-time audit pass rate — I can tell you with precision where the gaps are, what the State Department's Directorate of Defense Trade Controls (DDTC) actually looks for, and how to build something that will survive scrutiny. This guide gives you the full picture.


Why the Policy-Only Approach Fails

The most common mistake companies make is conflating documentation with implementation. A written ITAR policy is a necessary starting point, but it answers only one question: What are the rules? A true compliance program answers four questions:

  1. What are the rules? (Policy)
  2. Who is responsible for enforcing them? (Program Structure)
  3. How do we prove we followed them? (Recordkeeping and Controls)
  4. What happens when something goes wrong? (Incident Response and Voluntary Disclosure)

The ITAR itself — codified at 22 CFR Parts 120–130 — is not a simple regulation. It governs the export and temporary import of defense articles, defense services, and technical data on the U.S. Munitions List (USML). Civil penalties can reach $1,308,326 per violation (adjusted annually under the Federal Civil Penalties Inflation Adjustment Act), and criminal penalties under 22 U.S.C. § 2778 can reach $1 million per violation and 20 years imprisonment. DDTC consent agreements — the agency's primary enforcement tool — routinely include mandatory third-party audits, compliance program overhauls, and multi-year monitoring.

DDTC's recent consent agreements show the bar. Honeywell International's 2021 agreement imposed a $13 million civil penalty (part of it suspended on condition that the money be spent on remedial compliance measures), and RTX Corporation's 2024 agreement imposed a $200 million civil penalty, appointed a Special Compliance Officer, and required a multi-year remediation program. The corrective measures written into those agreements are a direct signal of what DDTC expects from companies of every size.


The Seven Foundational Elements of a Real ITAR Compliance Program

1. Empowered Compliance Leadership

A compliance program requires a designated Empowered Official (EO) as defined at 22 CFR § 120.67. This is not a checkbox. Under that definition the EO must:

  • Be a U.S. person directly employed by the registrant (or a subsidiary) in a position with policy or management authority
  • Be legally empowered in writing to sign license applications and other requests for approval on the registrant's behalf
  • Understand the export control statutes and regulations, including the criminal liability for violating them
  • Have independent authority to inquire into any aspect of a proposed export, verify its legality and the accuracy of the information submitted, and refuse to sign without adverse recourse

Beyond the regulatory minimum, the EO needs direct access to senior leadership, ideally reporting to the CEO or the Board.

The single biggest structural failure I see: companies assign ITAR compliance to someone in contracts administration or legal as a secondary duty, with no authority, no budget, and no direct line to the executive team. When that person raises a red flag, it gets buried in competing priorities.

Best practice: The EO should have documented authority in the company's organizational chart, a written delegation of authority, and a direct reporting line that bypasses the business development function — which has an inherent conflict of interest when deciding whether a deal requires a license.


2. Accurate and Current USML Classification

You cannot manage what you have not classified. Every product, component, subsystem, software, and technical data set your company produces or handles needs a documented ITAR/EAR classification determination.

Commodity classification is not guesswork. It requires:

  • Technical review against the 21 USML Categories (22 CFR Part 121)
  • Jurisdiction determination — is this ITAR or EAR-controlled?
  • Documentation of the classification rationale, signed by a qualified reviewer
  • Periodic review triggered by design changes, regulatory updates (USML reform has been ongoing since 2009), or customer-driven modifications

A critical mistake: companies classify at the product level and ignore components and technical data. The ITAR controls technical data — drawings, specifications, test data, source code — independently from hardware. A company can have a properly licensed product but still commit an ITAR violation by emailing a design specification to a foreign national without authorization.

Under 22 CFR § 120.33, "technical data" subject to ITAR controls includes information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles — a definition broad enough to capture engineering emails, manufacturing process sheets, and source code repositories.


3. Foreign National Access Controls (The "Deemed Export" Trap)

This is where mid-sized companies get into serious trouble. A "deemed export" under the ITAR (22 CFR § 120.50) occurs when controlled technical data is released to a foreign person inside the United States. No physical export occurs. No product crosses a border. But if a German-national engineer on your team who is not a U.S. person (not a citizen, lawful permanent resident, or protected individual) opens an ITAR-controlled drawing without a license or applicable exemption, you have potentially committed a violation. Nationality alone does not settle the question; U.S.-person status does, and HR is the only function that can answer it reliably.

A comprehensive program requires:

  • Foreign national inventory — a documented list of all non-U.S. person employees, contractors, and visitors with access to controlled information or facilities
  • Technology Control Plans (TCPs) — written procedures governing what foreign nationals can and cannot access, which areas they can enter, and what technical data is available to them
  • IT access controls — network segmentation, folder-level permissions, and audit logs that restrict ITAR-controlled data to authorized users
  • Physical access controls — badging systems, visitor logs, and controlled areas for manufacturing and engineering

Unauthorized release of technical data to foreign-person employees and contractors is a recurring theme in DDTC consent agreements and voluntary disclosures, reflecting how international the defense industry workforce has become.
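The IT-control bullet above is where a program either has evidence or has words. What follows is an added example, not code from the article or from any tool it mentions: a Python audit that replays a file-server access log against the foreign-person inventory, the classification registry and the TCP authorizations, and reports every access that needs compliance review. All personnel, item and log records are constructed, and the log format, the field names and the three rules encoded in audit_access_log() are assumptions made for the illustration.

```python
"""Deemed-export access audit.

Replays a file-server access log against the personnel inventory (U.S. person
or foreign person), the classification registry and the authorizations
recorded in the Technology Control Plan, and reports every access that needs
compliance review.

Added example, not code from the article. All records and log lines are
constructed; the log format, field names and the rules in audit_access_log()
are assumptions for illustration.
"""
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO

AS_OF = date(2026, 3, 5)   # date the audit is run; authorizations are checked against it

# Personnel inventory (constructed). A U.S. person is a citizen, lawful
# permanent resident or protected individual; everyone else is a foreign person.
PERSONNEL = {
    "msmith":   {"us_person": True},
    "jdoe":     {"us_person": True},
    "kmueller": {"us_person": False},   # German national, H-1B, covered by a TCP
    "lchen":    {"us_person": False},   # foreign-national contractor
}

# Classification registry (constructed). "category" is the USML paragraph for
# ITAR items; EAR items carry their ECCN or EAR99 instead.
CLASSIFICATION = {
    "DWG-4471":    {"jurisdiction": "ITAR", "category": "VIII(h)"},
    "SPEC-0093":   {"jurisdiction": "ITAR", "category": "XI(c)"},
    "BROCHURE-12": {"jurisdiction": "EAR",  "category": "EAR99"},
}

# TCP authorizations (constructed): (user, USML category) -> expiry date of the
# license or exemption-based authorization that lets that person see the data.
AUTHORIZATIONS = {
    ("kmueller", "VIII(h)"): date(2026, 12, 31),
    ("lchen",    "XI(c)"):   date(2025, 6, 30),   # lapsed and never renewed
}

# File-server audit log (constructed): timestamp,user,item,action
ACCESS_LOG = """\
2026-03-02T09:14:02Z,msmith,DWG-4471,read
2026-03-02T09:20:11Z,kmueller,DWG-4471,read
2026-03-02T10:05:47Z,kmueller,SPEC-0093,read
2026-03-02T11:30:00Z,lchen,SPEC-0093,download
2026-03-02T13:45:19Z,lchen,BROCHURE-12,read
2026-03-03T08:02:33Z,jdoe,DWG-9999,read
2026-03-03T08:10:00Z,kmueller,DWG-9999,read
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    item: str
    kind: str      # UNCLASSIFIED, NO_AUTHORIZATION or EXPIRED_AUTHORIZATION
    detail: str


def audit_access_log(log_text, personnel, classification, authorizations, as_of):
    """Return one Finding per access that needs compliance review.

    Rules (assumptions for this example):
      * an item with no classification record is flagged whoever touched it,
        because unclassified data cannot be shown to be releasable;
      * a foreign person, or an account missing from the inventory (fail
        closed), who reads an ITAR item needs an unexpired authorization for
        that USML category;
      * EAR items are skipped; they have their own deemed-export rules.
    """
    findings = []
    reader = csv.DictReader(StringIO(log_text),
                            fieldnames=["ts", "user", "item", "action"])
    for row in reader:
        user, item = row["user"], row["item"]
        person = personnel.get(user)
        is_foreign = person is None or not person["us_person"]
        record = classification.get(item)
        if record is None:
            who = "foreign person" if is_foreign else "U.S. person"
            findings.append(Finding(row["ts"], user, item, "UNCLASSIFIED",
                                    f"no classification record; accessed by {who}"))
            continue
        if record["jurisdiction"] != "ITAR" or not is_foreign:
            continue
        cat = record["category"]
        expiry = authorizations.get((user, cat))
        if expiry is None:
            findings.append(Finding(row["ts"], user, item, "NO_AUTHORIZATION",
                                    f"foreign person with no authorization for USML {cat}"))
        elif expiry < as_of:
            findings.append(Finding(row["ts"], user, item, "EXPIRED_AUTHORIZATION",
                                    f"authorization for USML {cat} lapsed {expiry.isoformat()}"))
    return findings


def summarize(findings):
    """Counts by kind, so the EO sees the pattern and not only the rows."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_access_log(ACCESS_LOG, PERSONNEL, CLASSIFICATION, AUTHORIZATIONS, AS_OF)
    for f in results:
        print(f"{f.timestamp} {f.user:<9} {f.item:<12} {f.kind:<22} {f.detail}")
    print(summarize(results))
```

Two design choices matter here. The classification check runs before the person's status is considered, so a drawing that nobody classified surfaces as a finding even when a U.S. person opened it; that is how classification gaps get caught by the access audit rather than by an annual review. And an account that is absent from the personnel inventory is treated as a foreign person until HR says otherwise, because the alternative (silently treating unknown accounts as cleared) is how service accounts and contractors fall through.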


4. License Management and Exemption Governance

Most companies either over-rely on licenses (creating unnecessary administrative burden) or over-rely on exemptions (creating unnecessary risk). A mature compliance program does both correctly.

License management must include:

  • A centralized license registry tracking license number, scope, authorized parties, expiration date, and utilization
  • Pre-shipment review confirming each export matches the license scope
  • End-use and end-user verification procedures
  • License condition tracking (many DDTC licenses include reporting requirements or prohibited party restrictions)

Exemption governance must include:

  • Written SOPs identifying which exemptions the company uses and the conditions for each (e.g., 22 CFR § 125.4 for technical data exemptions, 22 CFR § 126.18 for dual- and third-country-national employees of approved foreign end-users)
  • Documented exemption applicability reviews at the transaction level
  • Recognition that exemptions are not automatic — they have conditions, and misapplication of an exemption is a violation
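Both lists above reduce to one decision at the point of shipment: does this transaction fit the authorization it cites? The following is an added example, not code from the article or from any tool it mentions: a Python pre-shipment review that checks a shipment against a constructed license registry (scope, authorized parties, expiry, remaining value and provisos) and, for exemption-based transactions, against the exemptions the company's SOP allows and the requirement for a documented applicability review. The license numbers, parties, values, proviso text and the proscribed-destination subset are constructed; fresh_registry(), review_shipment(), commit_shipment() and the Shipment and Review records are assumptions for the illustration, not DDTC formats.

```python
"""Pre-shipment authorization review.

Checks a proposed export against the license registry (scope, parties,
expiry, remaining value, provisos) or, for exemption-based transactions,
against the company's approved exemption list and the requirement for a
documented applicability review.

Added example, not code from the article. Registry records, exemption list,
proviso text and the proscribed-destination subset are constructed; field
names and checks are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

AS_OF = date(2026, 3, 5)   # review date for the example run

# Illustrative subset of destinations under 22 CFR 126.1 (prohibited or policy
# of denial). Assumption for the example: check the current section, not this set.
PROSCRIBED = {"IR", "KP"}


def fresh_registry():
    """Constructed license registry; returns a new copy so reviews can be replayed."""
    return {
        "DSP5-0123456": {
            "categories": {"VIII(h)"},
            "consignees": {"Aero GmbH"},
            "countries": {"DE"},
            "expires": date(2027, 1, 31),
            "value_authorized": 250_000.0,
            "value_shipped": 240_000.0,
            "provisos": ["Proviso 1: no retransfer to third parties without prior DDTC approval"],
        },
        "DSP5-0654321": {
            "categories": {"XI(c)"},
            "consignees": {"Sensorix Ltd"},
            "countries": {"GB"},
            "expires": date(2025, 9, 30),   # lapsed and never renewed
            "value_authorized": 100_000.0,
            "value_shipped": 12_500.0,
            "provisos": [],
        },
    }


# Exemptions the company's written SOP allows staff to claim (constructed list).
APPROVED_EXEMPTIONS = {
    "125.4(b)(2)": "technical data in furtherance of a DDTC-approved TAA/MLA",
    "125.4(b)(4)": "copies of technical data previously authorized to the same recipient",
}


@dataclass
class Shipment:
    item: str
    category: str          # USML paragraph of the item or data
    consignee: str
    country: str
    value: float
    license_no: Optional[str] = None
    exemption: Optional[str] = None
    exemption_review_id: Optional[str] = None   # ID of the documented applicability review


@dataclass
class Review:
    approved: bool
    reasons: list = field(default_factory=list)    # blocking problems
    reminders: list = field(default_factory=list)  # license provisos the shipper must act on


def review_shipment(s, registry, approved_exemptions, as_of):
    """Pre-shipment check: does this transaction fit the authorization it cites?"""
    reasons, reminders = [], []
    if s.country in PROSCRIBED:
        reasons.append(f"destination {s.country} is proscribed under 22 CFR 126.1")
    if bool(s.license_no) == bool(s.exemption):
        reasons.append("cite exactly one authorization: a license number or an exemption")
    elif s.license_no:
        lic = registry.get(s.license_no)
        if lic is None:
            reasons.append(f"license {s.license_no} not in registry")
        else:
            if lic["expires"] < as_of:
                reasons.append(f"license expired {lic['expires'].isoformat()}")
            if s.category not in lic["categories"]:
                reasons.append(f"USML {s.category} outside license scope")
            if s.consignee not in lic["consignees"]:
                reasons.append(f"consignee {s.consignee!r} not an authorized party")
            if s.country not in lic["countries"]:
                reasons.append(f"country {s.country} not on license")
            remaining = lic["value_authorized"] - lic["value_shipped"]
            if s.value > remaining:
                reasons.append(f"value {s.value:,.2f} exceeds remaining {remaining:,.2f}")
            reminders.extend(lic["provisos"])
    else:
        if s.exemption not in approved_exemptions:
            reasons.append(f"exemption {s.exemption} is not in the company SOP")
        if not s.exemption_review_id:
            reasons.append("no documented exemption applicability review on file")
    return Review(approved=not reasons, reasons=reasons, reminders=reminders)


def commit_shipment(s, registry):
    """Record utilization after an approved license shipment so the next review sees it."""
    if s.license_no:
        registry[s.license_no]["value_shipped"] += s.value


if __name__ == "__main__":
    reg = fresh_registry()
    first = Shipment("bracket", "VIII(h)", "Aero GmbH", "DE", 8_000.0, license_no="DSP5-0123456")
    r = review_shipment(first, reg, APPROVED_EXEMPTIONS, AS_OF)
    print("first:", r)
    if r.approved:
        commit_shipment(first, reg)
    second = Shipment("bracket", "VIII(h)", "Aero GmbH", "DE", 5_000.0, license_no="DSP5-0123456")
    print("second:", review_shipment(second, reg, APPROVED_EXEMPTIONS, AS_OF))
    drawing = Shipment("DWG-4471", "VIII(h)", "Aero GmbH", "DE", 0.0, exemption="125.4(b)(2)")
    print("exemption without review:", review_shipment(drawing, reg, APPROVED_EXEMPTIONS, AS_OF))
```

The review returns every blocking reason rather than stopping at the first, because a shipment that fails on scope and on an expired license needs both fixed, and the compliance record should show both. Provisos come back as reminders rather than rejections: they do not block the export, but the shipper has to act on them and the registry is the only place they are reliably recorded. The utilization check only works if commit_shipment() is called on every approved shipment, which is the practical meaning of "tracking utilization" in the list above.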

5. Training That Actually Changes Behavior

Annual ITAR awareness training delivered via a 20-minute online module is not a training program. It is documentation that you told people the rules once. Real compliance training:

  • Is role-differentiated — engineers, program managers, shipping personnel, HR, and executives need different content
  • Is scenario-based — presenting real situations employees encounter, not abstract regulatory text
  • Includes competency verification — not just a quiz at the end of a video, but demonstrated understanding of how the rules apply to their specific job function
  • Is recurring and triggered by changes — when a new product is classified, when the USML is amended, or when an employee transfers to a new program
  • Includes onboarding training for new hires before they have access to controlled systems

Best practice: Maintain training records for at least five years. 22 CFR § 122.5 requires registrants to keep records of their defense article and technical data transactions for five years, measured from the expiration of the license or other approval rather than from the date of export, so align retention of training and TCP records to the same window. Train your EO and compliance staff on a separate, more advanced curriculum.


6. Auditing and Monitoring

A compliance program without an audit function is a static document. DDTC expects companies to conduct periodic self-assessments and internal audits — and the absence of an audit program is itself an indicator of a weak compliance culture.

Effective audit programs include:

  • Transaction audits — random sampling of exports, shipments, and technical data transfers to verify proper licensing or exemption documentation
  • System audits — periodic reviews of IT access controls, visitor logs, and license registries to verify they are current and accurate
  • Process audits — structured reviews of key compliance processes against written SOPs
  • Third-party audits — independent assessments by qualified outside consultants at intervals appropriate to the company's risk profile

The frequency and scope of auditing should scale with risk. A company with active Technical Assistance Agreements (TAAs) or Manufacturing License Agreements (MLAs) and daily exports needs monthly transaction sampling. A small manufacturer exporting occasionally under exemptions may conduct quarterly reviews.


7. Voluntary Disclosure and Incident Response

Violations happen. The question is whether your program is designed to detect them quickly, contain the damage, and respond appropriately. DDTC's voluntary disclosure process — governed by 22 CFR § 127.12 — provides meaningful mitigation credit for companies that self-report violations promptly and cooperate fully.

A compliance program must include:

  • A violation reporting hotline or process — employees need a clear, protected channel to report suspected violations without fear of retaliation
  • A documented triage process — who reviews a reported issue, what is the initial assessment criteria, and what triggers escalation to outside counsel or DDTC notification
  • A root cause analysis framework — every confirmed violation should result in documented root cause analysis and corrective action, not just a one-time fix
  • Pre-positioned outside counsel relationships — you do not want to be interviewing export control attorneys the same week you are deciding whether to file a voluntary disclosure

DDTC's voluntary disclosure framework under 22 CFR § 127.12 can significantly reduce civil penalties for companies that self-report violations, cooperate with the agency, and demonstrate remediation — but only if the company has the internal infrastructure to detect and document the violation in the first place.


Policy vs. Program: A Side-by-Side Comparison

Element | ITAR Policy Only | Real Compliance Program
Compliance ownership | Assigned to legal/contracts as secondary duty | Dedicated Empowered Official with executive authority
Classification | Products classified at intake, rarely reviewed | All hardware, software, and technical data classified; reviewed on change triggers
Foreign national access | Addressed in policy language only | Technology Control Plans, IT access controls, visitor management
License management | Licenses filed when required, tracked informally | Centralized registry, condition tracking, pre-shipment review
Training | Annual awareness module, one-size-fits-all | Role-differentiated, scenario-based, competency-verified
Audit function | None or ad hoc | Scheduled transaction, system, and process audits
Incident response | Improvised when issues arise | Written process, hotline, outside counsel on retainer
DDTC audit readiness | Reactive scramble | Continuous documentation, audit-ready at all times

The Five Most Common ITAR Program Failures I See

1. The "We Only Make Commercial Products" Blind Spot

Companies that sell primarily commercial products sometimes have a small line of USML items and treat ITAR compliance as an afterthought. One unclassified or misclassified item embedded in a larger commercial program can create enterprise-wide liability.

2. IT Systems Built for Productivity, Not Compliance

Most enterprise IT environments were not designed with ITAR segregation in mind. Cloud storage, collaboration platforms, and email systems need deliberate configuration (U.S.-person-only administration, access scoped to the people named in the TCP, audit logging, and end-to-end encryption that meets 22 CFR § 120.54(a)(5) wherever controlled data will transit or rest outside the United States) or controlled technical data will flow to unauthorized parties, including foreign nationals. Note the limits of the encryption carve-out: it does not cover data intentionally stored in a § 126.1 country or Russia, and handing the decryption keys to a foreign person is still a release.

3. Subcontractor and Supplier Passthrough

The ITAR does not stop at your company's front door. When you export controlled technical data or hardware to a subcontractor, you are responsible for ensuring that subcontractor handles it properly. Most companies have no ITAR clauses in their supplier agreements and no mechanism to verify subcontractor compliance.

4. Ignoring the Registration Requirement

Every manufacturer or exporter of defense articles must register with DDTC under 22 CFR Part 122. Registration does not authorize exports; it is simply the threshold requirement to operate in this space. I regularly encounter companies that have been manufacturing USML items for years without registration, which is itself a violation.

5. Treating ITAR as a Shipping Department Problem

ITAR compliance is an enterprise-wide function. Engineering controls what technical data is created and shared. HR hires and onboards foreign nationals. IT manages system access. Business development pursues international opportunities. Compliance touches every one of these functions, and a program that lives only in the shipping department will miss the vast majority of ITAR risk.

A company's ITAR compliance risk is not concentrated in its export documentation — it is distributed across engineering data management, HR onboarding, IT access controls, subcontractor management, and international business development, any one of which can generate a violation independent of the others.


How Long Does It Take to Build a Real Program?

For a company starting from scratch, here is a realistic timeline based on my work across 200+ client engagements:

Phase | Activities | Typical Duration
Phase 1: Assessment | Current state review, gap analysis, risk scoring | 4–6 weeks
Phase 2: Classification | USML classification of all products, software, and technical data | 6–12 weeks (scope-dependent)
Phase 3: Policy & SOP Development | Written compliance policies, TCPs, SOPs | 4–8 weeks
Phase 4: Controls Implementation | IT controls, physical access, license registry setup | 6–10 weeks
Phase 5: Training | Role-based curriculum development and delivery | 4–6 weeks
Phase 6: Audit Readiness | Mock audit, documentation review, gap closure | 4–6 weeks
Total | Full program buildout | 6–12 months

The variability is driven by company size, product complexity, export volume, and the number of foreign nationals in the workforce. A lean 50-person defense component manufacturer moves faster than a 500-person aerospace systems integrator with 12 active TAAs.


Where to Start: The Honest Answer

If you are starting from zero, do not begin with policy writing. Begin with a gap assessment. You need an honest, documented picture of your current compliance posture before you can build anything meaningful. The gap assessment will tell you:

  • Whether you are properly registered with DDTC
  • Whether your products are accurately classified
  • Whether your IT systems expose controlled data to unauthorized parties
  • Whether your foreign nationals have TCPs in place
  • Whether your license portfolio is current and complete

Every compliance program I build for a client starts with this assessment. Without it, you are writing policy in a vacuum — and that is exactly the policy-only trap that gets companies in trouble.

For help building or assessing your ITAR compliance program, visit Certify Consulting or explore our ITAR compliance services at itarconsultant.us.

You can also review our guidance on ITAR registration requirements to confirm your company's baseline registration status before proceeding with program development.


Frequently Asked Questions

Q: What is the difference between an ITAR policy and an ITAR compliance program? A: An ITAR policy states the rules. An ITAR compliance program implements, monitors, and enforces those rules through organizational structure, technical controls, training, auditing, and incident response. Having a policy without a program provides minimal protection against enforcement actions.

Q: How much does it cost to build an ITAR compliance program from scratch? A: Program buildout costs vary significantly by company size and complexity. Small companies with limited USML exposure may invest $25,000–$75,000 in a complete program buildout. Mid-sized companies with active international programs, multiple TAAs, and large foreign national workforces may invest $150,000–$400,000. These figures are a fraction of the civil penalties DDTC can impose for a single violation.

Q: Do I need an Empowered Official even if I only use exemptions and never apply for licenses? A: Yes. The DDTC registration statement (Form DS-2032) requires the registrant to identify its empowered officials, and any license application submitted to DDTC must be signed by an empowered official as defined at 22 CFR § 120.67. The EO's responsibilities extend beyond license signing to include overall compliance oversight, which is exactly the function an exemption-only company needs most: misapplication of exemptions is a common source of violations, and every exemption claim should be reviewed and documented at the transaction level.

Q: How often should we conduct internal ITAR audits? A: DDTC does not prescribe a specific audit frequency, but best practice for an active exporter is quarterly transaction sampling, annual system and process audits, and a comprehensive third-party audit every two to three years. Companies under a DDTC consent agreement typically face more frequent third-party oversight requirements.

Q: What is the first thing we should do if we discover a potential ITAR violation? A: Do not export any additional items that may be subject to the same issue. Preserve all related records immediately. Engage outside export control counsel before making any disclosures — including voluntary disclosures to DDTC — to protect privilege and ensure the disclosure is structured correctly. Time matters, but accuracy matters more.


Last updated: 2026-03-06

Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.

Ready to Secure Your ITAR Compliance?

Schedule a free 30-minute consultation. We'll assess your current ITAR compliance posture, outline a clear path forward, and answer all your questions — no obligation, no pressure.
