
Why Having an Empowered Official on Paper Isn't the Same as Having a Compliance Culture


Jared Clark

April 06, 2026

Every ITAR-registered company in the U.S. defense industrial base has an Empowered Official. It is a legal requirement under 22 CFR Part 120, so by definition, every company that has gone through DDTC registration has checked the box. They have a name in the system. They have a title. They have signed something.

What a surprising number of those companies do not have is a compliance culture — and in enforcement actions, that distinction is the difference between a manageable corrective action and a consent agreement that costs millions of dollars and years of remediation.

The Directorate of Defense Trade Controls does not evaluate your program by looking at your Empowered Official designation form. It evaluates whether your organization actually behaves in compliance with the International Traffic in Arms Regulations (22 CFR Parts 120–130). Those are not the same exercise. This article is about why they diverge so consistently — and what it takes to close the gap.


What the Empowered Official Role Actually Requires

The term Empowered Official is defined in 22 CFR Part 120 (Part 120 was reorganized and renumbered in 2022, so older material cites a different section number). Under that definition, an Empowered Official (EO) must be:

  • A U.S. person (as defined in 22 CFR § 120.62)
  • Directly employed by the registrant (or a subsidiary) in a position with authority for policy or management within the organization; an outside consultant or third party cannot serve
  • Legally empowered in writing by the registrant to sign export license applications and other requests for approval on behalf of the applicant
  • Legally accountable for the accuracy and completeness of those submissions
  • Someone who understands the export control statutes and regulations that apply to the registrant's activities, including the criminal, civil, and administrative penalties for violating the AECA and ITAR

That last element is where the regulation bites in practice. The EO is not a notary. They are not a signature stamp. They are supposed to be the person inside your organization who understands enough about ITAR to take personal responsibility for what goes on a DDTC submission. When they sign a DSP-5 license application or a Technical Assistance Agreement, they are attesting — under penalty of law — that the information is accurate and complete.

What "Empowered" Actually Means Legally

The word "empowered" is not incidental. The regulation requires the EO to hold independent authority to inquire into any aspect of a proposed export or temporary import, to verify the legality of the transaction and the accuracy of the information to be submitted, and to refuse to sign any license application or other request for approval without prejudice or other adverse recourse. In practice that means an Empowered Official must have the authority to:

  • Refuse to sign a license application they believe contains inaccuracies
  • Stop an export transaction pending resolution of a compliance question
  • Escalate concerns to senior leadership without reprisal
  • Commit organizational resources to corrective action

If your EO does not actually have that authority — if they are a mid-level compliance manager whose concerns can be overridden by a business development executive who wants to close a deal — then what you have is a designation, not an empowered official. That gap has been a recurring theme in DDTC enforcement actions.

The Difference Between Designation and Qualification

Designating someone as Empowered Official is an administrative act. Qualifying them for the role is an operational one. The regulation requires that the EO be familiar with applicable export control laws. That is not satisfied by handing someone a regulatory text on a Friday afternoon and asking them to sign a designation letter by Monday. Genuine qualification means the EO understands:

  • The U.S. Munitions List (USML, 22 CFR Part 121) and how the company's products and services map to it
  • The license types and exemptions relevant to the company's specific export activities
  • The Technology Control Plan and internal compliance procedures
  • The "deemed export" rules governing access by foreign nationals to ITAR-controlled technical data
  • The voluntary self-disclosure process and when it applies
  • The personal liability dimensions of signing DDTC submissions

Designation without qualification is not compliance. It is a paper trail that makes your legal exposure worse, not better, when something goes wrong.


The Most Common Ways Companies Fake It

After working with more than 200 defense contractors and exporters across the defense industrial base, I have seen most of the failure patterns. They are not unusual. They are the norm at companies that treat ITAR compliance as a box-checking exercise rather than an operational commitment.

The "Title-Only" EO

This is the most common pattern. The company designates a senior executive — often the VP of Operations, CFO, or General Counsel — as Empowered Official because the title carries organizational weight. The problem is that the individual has no meaningful ITAR knowledge, no time in their schedule dedicated to export compliance, and no real engagement with the company's license applications beyond signing them when the compliance coordinator puts a stack of papers in front of them.

When DDTC asks that executive about the company's Technology Control Plan, or about the distinction between USML Category XI and USML Category XII, or about what exemption was used for a specific technical data transfer six months ago, the answer is silence. That silence tells DDTC everything it needs to know about whether your compliance program is real.

The "Deputy Everything" Problem

Some organizations designate a qualified EO — someone with genuine ITAR knowledge — but then structurally prevent them from doing the job. The EO is supposed to review and approve all export transactions, but in practice they delegate every substantive analysis to a junior compliance analyst, a paralegal, or an outside consultant. They sign without reviewing. They approve without engaging.

The regulatory problem here is that the EO's signature on a DDTC submission represents a personal attestation of accuracy. If they did not actually review the underlying information, their signature is not a compliance function — it is a legal liability they may not realize they are accepting.

The Isolated EO — Compliance in a Silo

Perhaps the most dangerous pattern from an enforcement standpoint is the EO who is technically qualified and engaged but operationally isolated. The compliance function lives in a corner of the legal or finance department. Engineering teams develop and transfer technical data without looping in compliance. Sales teams negotiate foreign customer agreements without asking whether DDTC authorization is required. HR onboards foreign national employees without consulting the EO about deemed export implications.

The EO knows the regulations. They could catch these problems — if they knew about them. But because compliance has never been embedded into the workflows where those decisions are actually made, violations occur that the EO never has an opportunity to prevent or detect.

No Training, No Policies, No Escalation Paths

A compliance program with an Empowered Official but no substantive employee training is a contradiction in terms. The EO cannot be everywhere at once. The program works only when the employees who handle ITAR-controlled items, data, and transactions every day know enough to recognize a potential issue and know exactly who to call when they see one.

Without documented training — with records showing who received it, when, and what it covered — you have no defense when DDTC asks how employees were trained on export control obligations. "We told them at the all-hands meeting" is not a defensible answer.

The "License Folder" Illusion

This pattern shows up frequently at companies that have been registered for years but have never invested in building a real program. They have a folder — physical or digital — containing their DDTC registration, copies of active export licenses, and perhaps a Technology Control Plan that was drafted during the registration process and never updated.

They point to this folder as evidence of their compliance program. What they cannot point to is: documented training records, a classification matrix for their current product line, records of internal compliance reviews, logs of employee escalations to the EO, or evidence that the TCP's procedures are actually followed. The folder exists. The program does not.


What the Enforcement Record Shows

DDTC enforcement actions do not typically begin with DDTC discovering a specific violation. They begin when a company files a voluntary self-disclosure, when a prime contractor's compliance audit surfaces a problem, or when a transaction triggers review through another channel. When DDTC opens an investigation, it does not limit its review to the disclosed violation — it examines the company's entire compliance program.

The consent agreements that DDTC has published over the years share a structural pattern. The company had an ITAR compliance program in some form. That program failed not because of one bad actor making a knowing, deliberate violation but because the program was not operationally real. Violations accumulated over time, undetected, because the infrastructure to detect and prevent them was absent.

Recent consent agreements have carried penalties in the range of $10 million to $100 million or more for large companies, along with mandatory remediation programs, external compliance monitors, and multi-year restrictions on certain export activities. The companies that end up in these agreements almost always had an Empowered Official on record. What they lacked was the compliance infrastructure around that EO that would have caught the problems before they became enforcement matters.

Personal Liability vs. Corporate Liability

Corporate penalties get the headlines. Personal liability is what should be keeping executives awake at night.

Under 22 U.S.C. § 2778, criminal penalties for willful ITAR violations reach $1,000,000 and 20 years imprisonment per violation — and those penalties attach to individuals, not just companies. Civil penalties (22 CFR § 127.10) stood at $1,276,790 per violation at the time of writing; the figure is adjusted for inflation each year under the Federal Civil Penalties Inflation Adjustment Act, so check the current amount.

The Empowered Official who signs a false or inaccurate DDTC submission — even if they did so without actual knowledge that the information was wrong, but in circumstances where they should have known — faces personal exposure. "I relied on what the compliance analyst told me" is not a complete legal defense. An EO who signs without substantive review is accepting liability they may not fully understand.

The "Knew or Should Have Known" Standard

Civil liability under ITAR does not require intent; only criminal liability does, which is why the statute speaks of willful violations. The regulatory scheme applies a "knew or should have known" standard to many compliance obligations. If your company exported a defense article without proper authorization, and the company's size, resources, and business activities were such that a reasonable compliance program would have detected and prevented that export, civil liability may attach regardless of whether any individual specifically intended the violation.

This standard is what makes the paper-program problem so dangerous. A company that has invested in cosmetic compliance — an EO designation, a TCP on the shelf, a training session five years ago — has not built the infrastructure it would need to show that it could not reasonably have known about the violation. DDTC will ask: how was this detected? If the answer is "it wasn't detected internally, it was disclosed after we learned about it externally," the sufficiency of the compliance program is directly at issue.

How Audits Expose the Gap Between Designation and Culture

A DDTC compliance audit — whether formal or as part of an investigation — is not a document review. It includes interviews with employees at multiple levels of the organization. Those interviews are designed to test whether the compliance program exists in practice, not just on paper.

Auditors ask engineers whether they know what ITAR is and how it applies to their work. They ask sales personnel whether they have ever escalated a transaction to the EO. They ask HR whether the onboarding process includes an ITAR training component. They ask the EO to walk through the company's classification process and explain recent license applications from memory.

When the answers from different employees are inconsistent, or when employees cannot articulate what the compliance program actually requires, the auditor has learned what they need to know: the program is on paper, not in practice.

Voluntary Self-Disclosure vs. Discovered Violations

One of the most important factors in DDTC's enforcement calculus is whether a company voluntarily disclosed a violation or whether DDTC discovered it through other means. Voluntary self-disclosure — conducted promptly, thoroughly, and in accordance with DDTC's administrative procedures (22 CFR § 127.12) — consistently results in significantly more favorable enforcement outcomes than violations discovered externally.

The prerequisite for voluntary self-disclosure is having an internal compliance program that can detect violations in the first place. A paper program, by definition, has no detection capability. Companies with genuine compliance cultures find problems through internal audits, employee escalations, and transaction reviews. Companies with paper programs find out about their problems when someone else finds out first.


What a Real Compliance Culture Actually Looks Like

Leadership Commitment That Goes Beyond Signing Appointments

Genuine compliance culture starts with leadership behavior, not leadership declarations. When the CEO or General Counsel publicly treats ITAR compliance as a business-critical function — not a regulatory annoyance managed by a compliance team in the corner — employees notice. When senior leaders participate in training, ask compliance questions in business review meetings, and treat the EO as a peer rather than an administrative resource, the message reaches every level of the organization.

The EO designation letter means nothing if the CEO overrides the EO when the EO wants to pause a transaction. What matters is whether the EO is actually empowered — whether the organization behaves as if "no" from the compliance function is a protected answer that gets heard and respected.

Cross-Functional Integration

ITAR compliance is not a legal function. It is an operational one that touches engineering, manufacturing, sales, HR, IT, procurement, and supply chain. A genuine compliance culture embeds compliance checkpoints into the actual workflows where ITAR-relevant decisions are made:

  • Engineering: New product design reviews include a USML classification check before specifications are shared externally
  • Sales: Customer qualification processes include an export screening step before substantive technical discussions
  • HR: Foreign national employee onboarding includes an EO notification and deemed export assessment before access is granted to controlled technical data
  • Procurement: Vendor and subcontractor agreements include ITAR flowdown clauses and are reviewed for compliance implications
  • IT: Data systems that store ITAR-controlled technical data have documented access controls and audit logging that reflects the Technology Control Plan's requirements

When compliance is integrated at the workflow level, violations are prevented before they occur — not discovered after the fact.

Formal Training Programs With Documented Completion

ITAR does not specify a minimum training frequency, but DDTC has consistently cited inadequate training as a contributing factor in enforcement actions. A defensible training program includes:

  • Initial training for all new employees who will have access to ITAR-controlled items or data
  • Annual refresher training with documented completion records showing who attended, when, and what the training covered
  • Role-specific training for employees in functions with heightened ITAR exposure (sales, engineering, shipping, IT)
  • Training updates when the company's product lines change, when new licenses are granted, or when regulatory changes affect the compliance program

Training records are one of the first things a DDTC auditor requests. If you cannot produce them, the audit goes poorly from the outset.

Clear Escalation Paths — Who Do Employees Call?

One of the simplest tests of whether a compliance culture is real: ask any employee in the company what they would do if they were not sure whether a transaction or communication was permissible under ITAR. If they cannot answer — if they do not know the EO's name, do not have a process to follow, have never used an escalation channel — your program has a structural gap.

A functioning program has a documented escalation path that every relevant employee knows: here is what you do when something looks like it might be an issue. Here is who you contact. Here is what happens next. The EO receives those escalations, records them, and resolves them with documented rationale. That record of escalations and resolutions is one of the strongest evidence bases you can have in a DDTC audit — it demonstrates that the compliance function is actively being used.

Regular Internal Audits and Gap Assessments

A compliance program without an internal audit function is a program with no feedback loop. Internal audits test whether the policies in your Technology Control Plan are actually being followed. They identify gaps between procedure and practice before an external auditor finds them. They generate findings that produce corrective action — and the documented pattern of finding-and-fixing is itself evidence of a functioning program.

Annual internal compliance audits, structured against the company's compliance program documentation and the relevant provisions of 22 CFR Parts 120–130, are the baseline. Companies in high-risk environments — active foreign licensing, foreign national employees, complex supply chains — should consider more frequent reviews of high-risk areas.

Technology and Systems That Embed Compliance Into Workflows

Compliance that depends entirely on individual judgment — on employees remembering to ask the right questions — is compliance that will fail when employees are busy, under pressure, or simply unaware that a given situation requires compliance review. Embedding compliance into enterprise systems reduces the dependence on individual awareness:

  • Export screening software that automatically flags potential denied-party matches in customer and vendor onboarding
  • Document management systems with access controls that prevent foreign nationals from accessing controlled technical data without authorization
  • License management systems that track expiration dates, transaction counts against license limits, and condition requirements
  • ERP system configurations that flag international shipping transactions for compliance review before they can be processed

These systems are not a substitute for human judgment — the EO still needs to make decisions. But they transform compliance from a manual, awareness-dependent process into a structurally enforced one.
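What "structurally enforced" means in practice, as an added Python illustration written for this article (not code from the author, DDTC, or any screening or license-management product): a deemed-export access decision that allows a U.S. person, allows a foreign person only under an in-force authorization covering both that person and the document, and logs every decision, plus a license ledger that refuses a shipment once the authorization has expired or the running quantity would exceed its limit. It also serves the IT checkpoint in the cross-functional list earlier in this article. Every identifier (TAA-EX-0001, DSP5-EX-0002, DWG-4471 and so on), record layout and sample record is constructed for the example and corresponds to no real authorization or system.

```python
"""Structurally enforced ITAR checks: a deemed-export access decision with audit
logging, and a license ledger that refuses shipments past expiry or quantity limit.
Added example for this article; not code from the author, DDTC, or any product.
All identifiers, record layouts and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """A DDTC authorization (DSP-5 license, TAA, ...) as tracked by license management."""
    auth_id: str
    expires: date
    quantity_limit: Optional[int] = None    # None: no unit cap (e.g. technical data under a TAA)


@dataclass(frozen=True)
class Person:
    user_id: str
    us_person: bool                          # U.S.-person status as documented by HR
    authorizations: frozenset = frozenset()  # auth_ids that name this person as a party


@dataclass(frozen=True)
class Document:
    doc_id: str
    itar_controlled: bool
    usml_category: Optional[str] = None
    released_under: frozenset = frozenset()  # auth_ids whose scope covers release of this data


AUDIT_LOG: List[Dict] = []   # every decision is recorded, allow or deny


def decide_access(person: Person, doc: Document, auths: Dict[str, Authorization],
                  today: date, log: List[Dict] = AUDIT_LOG) -> Tuple[bool, str]:
    """Allow a U.S. person; allow a foreign person only under an in-force
    authorization that covers both the person and the document (deemed export)."""
    if not doc.itar_controlled:
        allowed, reason = True, "not ITAR-controlled"
    elif person.us_person:
        allowed, reason = True, "U.S. person"
    else:
        covering = sorted(person.authorizations & doc.released_under)
        in_force = [a for a in covering if a in auths and auths[a].expires >= today]
        if in_force:
            allowed, reason = True, f"deemed export authorized under {in_force[0]}"
        elif covering:
            allowed, reason = False, f"authorization {covering[0]} expired or not on file"
        else:
            allowed, reason = False, "foreign person, no authorization covering this data"
    log.append({"date": today.isoformat(), "user": person.user_id, "doc": doc.doc_id,
                "usml": doc.usml_category, "allowed": allowed, "reason": reason})
    return allowed, reason


@dataclass
class LicenseLedger:
    """Running totals shipped against each authorization's quantity limit."""
    shipped: Dict[str, int] = field(default_factory=dict)

    def check_shipment(self, auth: Authorization, qty: int, today: date) -> Tuple[bool, str]:
        if auth.expires < today:
            return False, f"{auth.auth_id} expired {auth.expires.isoformat()}"
        used = self.shipped.get(auth.auth_id, 0)
        if auth.quantity_limit is not None and used + qty > auth.quantity_limit:
            return False, f"{auth.auth_id}: {used}+{qty} exceeds limit {auth.quantity_limit}"
        return True, f"{auth.auth_id}: {used + qty} of {auth.quantity_limit or 'unlimited'} used"

    def record_shipment(self, auth: Authorization, qty: int, today: date) -> Tuple[bool, str]:
        ok, reason = self.check_shipment(auth, qty, today)
        if ok:   # the running total only moves when the shipment passed the check
            self.shipped[auth.auth_id] = self.shipped.get(auth.auth_id, 0) + qty
        return ok, reason


# Constructed sample data (hypothetical identifiers, not real DDTC case numbers)
TODAY = date(2026, 4, 6)
AUTHS = {
    "TAA-EX-0001":  Authorization("TAA-EX-0001", date(2027, 12, 31)),
    "DSP5-EX-0002": Authorization("DSP5-EX-0002", date(2026, 9, 30), quantity_limit=100),
    "TAA-EX-0003":  Authorization("TAA-EX-0003", date(2025, 12, 31)),   # lapsed
}
ALICE = Person("alice", us_person=True)
BRUNO = Person("bruno", us_person=False, authorizations=frozenset({"TAA-EX-0001"}))
CHEN = Person("chen", us_person=False, authorizations=frozenset({"TAA-EX-0003"}))
DANA = Person("dana", us_person=False)
DRAWING = Document("DWG-4471", True, "XI(a)", frozenset({"TAA-EX-0001", "TAA-EX-0003"}))
BROCHURE = Document("MKT-12", False)


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise both checks; returns each outcome so it can be inspected or tested."""
    out = {}
    for p in (ALICE, BRUNO, CHEN, DANA):
        out[f"{p.user_id}->{DRAWING.doc_id}"] = decide_access(p, DRAWING, AUTHS, TODAY)
    out[f"{DANA.user_id}->{BROCHURE.doc_id}"] = decide_access(DANA, BROCHURE, AUTHS, TODAY)
    ledger = LicenseLedger()
    lic = AUTHS["DSP5-EX-0002"]
    out["ship-60"] = ledger.record_shipment(lic, 60, TODAY)
    out["ship-50"] = ledger.record_shipment(lic, 50, TODAY)   # would exceed the 100-unit limit
    out["ship-40"] = ledger.record_shipment(lic, 40, TODAY)   # exactly reaches the limit
    out["ship-lapsed"] = ledger.check_shipment(AUTHS["TAA-EX-0003"], 1, TODAY)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22} {'ALLOW' if v[0] else 'DENY ':5} {v[1]}")
    print(f"{len(AUDIT_LOG)} access decisions logged")
```

Running the file prints each decision. The point is that chen is refused because the authorization on file has lapsed, not because someone remembered to ask, and the ledger's total only moves when a shipment passed the check, so an over-limit shipment cannot silently consume the license. The audit log captures denials as well as grants, which is exactly the record an auditor asks for when testing whether the Technology Control Plan's controls are actually enforced.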

A Culture Where "No" Is a Protected Answer

The most culturally significant indicator of genuine compliance is whether the compliance function can say no — and have that answer respected. In companies where business development pressure consistently overrides compliance concerns, where the EO's objections are treated as obstacles to be managed rather than issues to be resolved, violations become inevitable. The EO stops raising concerns they know will be ignored. Transactions proceed without proper authorization because the organizational culture has made the EO's role functionally toothless.

Building a culture where "no" is protected means ensuring that the EO has genuine organizational standing, that leadership treats compliance decisions as binding rather than advisory, and that the EO has a direct line to the board or an audit committee if business-unit pressure is compromising compliance judgment. That is a leadership and governance question, not just a compliance one.


How to Assess Whether You Have a Culture or Just Paperwork

The Five Questions to Ask Your Team

Before bringing in an outside consultant, run this internal test. Ask five or ten employees in different functions these questions — not the compliance team, not the EO, but the people whose daily work involves ITAR-controlled items, data, or customer relationships:

  1. "What is ITAR, and how does it apply to what you do in your job?" — A correct answer demonstrates that training has been effective and that employees understand their role in the compliance program.
  2. "If you received a request from a foreign customer for technical information about one of our products, what would you do?" — A correct answer includes pausing the transaction and consulting the EO or following the documented escalation process.
  3. "Who is our Empowered Official, and how would you reach them if you had a compliance question?" — If employees cannot name the EO and describe the contact process, the escalation path does not exist in practice.
  4. "When did you last receive ITAR training, and what did it cover?" — Recent, specific answers indicate a functioning training program. Vague or distant answers indicate a training gap.
  5. "Have you ever escalated a compliance question, and what happened?" — Employees who have used the escalation process and received a genuine resolution are evidence of a functioning program. Employees who have never escalated — in a company with active export activity — are a warning sign.

Red Flags That Signal Paper Compliance Only

  • The EO cannot describe the company's Technology Control Plan from memory and has not reviewed it in more than 12 months
  • No training records exist beyond an attendance sheet from a one-time session three or more years ago
  • The compliance function was not consulted before a significant foreign customer engagement was initiated
  • Engineers share technical data internationally via personal email or consumer cloud storage
  • Foreign national employees have access to ITAR-controlled technical data without documented deemed export analysis or authorization
  • Active export licenses have conditions that nobody has reviewed in months
  • The company has never conducted a formal internal compliance audit
  • The EO has never refused to sign or has never paused a transaction over a compliance concern

Green Flags That Signal Genuine Culture

  • The EO participates in business development reviews and has influence over go/no-go decisions for international opportunities
  • Engineering releases include a USML classification review as a standard checkpoint
  • Employees at multiple levels of the organization can describe the escalation process and have used it
  • Internal audit findings have generated documented corrective actions that were tracked to closure
  • The company has filed at least one voluntary self-disclosure — not because violations are inevitable, but because the internal audit function is effective enough to find edge cases before they become serious problems
  • New employees receive ITAR orientation before they are granted access to controlled items or data
  • The EO reviews all DDTC submissions personally before signing — including reading license conditions and confirming compliance rationale

Building From Designation to Culture: A Practical Path

Starting With a Compliance Program Assessment

If you are reading this article and recognizing your company in the warning signs described above, the right starting point is a structured compliance program assessment. This is not a DDTC audit. It is a systematic review of your current compliance program against the substantive requirements of 22 CFR Parts 120–130, conducted with the explicit goal of identifying gaps between your documented program and your operational reality.

A thorough assessment will evaluate:

  • Whether your Technology Control Plan reflects your current product line, export activities, and organizational structure
  • Whether your USML classifications are current and defensible
  • Whether your EO has the knowledge, authority, and time to genuinely perform the role
  • Whether your training program is current, documented, and effective
  • Whether your license management system is tracking all conditions and expiration dates
  • Whether your IT environment actually implements the access controls described in your TCP
  • Whether your foreign national employees have been assessed for deemed export implications

The assessment produces a written findings report with prioritized remediation tasks — a roadmap for moving from where you are to where DDTC expects you to be.

The Role of Outside Counsel and Third-Party Consultants

There is a debate in the defense industrial base about whether ITAR compliance work should be conducted by outside counsel (providing attorney-client privilege protection) or by independent compliance consultants (providing specialized technical expertise at lower cost). The answer depends on your risk profile.

If your gap assessment reveals potential violations — historical transactions that may not have been properly authorized, deemed exports that were never assessed, technical data transfers that may have exceeded license scope — you want that assessment and the associated findings conducted under attorney-client privilege. Engaging outside counsel first, with the consultant working under the attorney's direction, protects the assessment from becoming a discoverable document in a subsequent enforcement proceeding.

If your compliance program is intact and you are seeking to strengthen and maintain it, a specialized ITAR compliance consultant can often provide more cost-effective, technically precise support than a law firm. The two functions are not mutually exclusive — many companies maintain relationships with both.

Building the Internal Compliance Program (ICP) That Regulators Want to See

DDTC's published compliance program guidelines describe the framework it expects registered entities to maintain, commonly referred to as an Internal Compliance Program (ICP). The components of a complete ICP are:

  1. Senior Management Commitment: Documented leadership endorsement of the compliance program, with the EO's role formally defined and authorized
  2. Risk Assessment: A written analysis of the company's export control risks — products, destinations, end-users, distribution channels, and business partners — that drives program priorities
  3. Policies and Procedures: A current Technology Control Plan that accurately describes all compliance procedures, including those for licensing, classification, training, recordkeeping, audits, and corrective action
  4. Training and Awareness: A structured training program with documented completion records, reaching all personnel who touch ITAR-controlled items, data, or transactions
  5. Export Authorization Management: Procedures for obtaining, tracking, and managing all required DDTC authorizations, including monitoring license conditions and expiration dates
  6. Recordkeeping: Systems and processes that ensure the retention of all required records for the five-year minimum under 22 CFR § 122.5, and that make those records retrievable on demand
  7. Auditing and Compliance Reviews: Regular internal audits with documented findings and corrective actions
  8. Handling Violations and Voluntary Self-Disclosure: Documented procedures for detecting, investigating, and reporting potential violations, including the criteria and process for voluntary self-disclosure to DDTC

Each of these components must be operationally real — not just drafted and filed. DDTC's evaluation of a compliance program looks for evidence that the ICP functions as designed in the company's daily operations.


The Gap That Gets Companies in Trouble

The enforcement record at DDTC tells a consistent story. The companies that end up in consent agreements are not, for the most part, companies that set out to violate the law. They are companies that built a compliance structure sufficient to satisfy a registration requirement, then failed to invest in making that structure operationally real. The Empowered Official exists. The Technology Control Plan exists. The training records may exist in some form. But the culture — the daily operational behavior of the organization, the conversations between engineers and sales and the compliance function, the escalations that prevent edge-case transactions from becoming violations — that culture was never built.

The gap between designation and culture is where ITAR liability lives. It is where voluntary self-disclosure never happens because internal audit never finds the problem. It is where an engineer emails a controlled drawing to a foreign customer because nobody ever explained what that meant or gave them a clear path to ask. It is where a new foreign national employee gets access to a controlled system because HR never looped in the EO.

Closing that gap is not primarily a legal exercise. It is a management one. It requires leadership that treats compliance as an operational priority, an EO with genuine authority and adequate resources, cross-functional integration that embeds compliance into actual workflows, and a training and audit function that keeps the program current and effective over time.

The ITAR compliance program you need is not the one that satisfies the registration form. It is the one that survives a DDTC audit — and that means it has to work every day, not just on the day someone signs the designation letter.


If you are assessing whether your current program constitutes genuine compliance culture or well-organized paperwork, the right starting point is an honest gap assessment conducted by someone who knows what DDTC actually looks for. At Certify Consulting, I work with defense contractors and technology exporters to build compliance programs that function — not just ones that file. With over 200 clients served and 8+ years of ITAR and export control consulting experience, I have seen both ends of this spectrum.

Contact us at itarconsultant.us/contact to schedule a free consultation, or call 858-240-4353. If your compliance program is on paper and you know it, there has never been a better time to change that.


Frequently Asked Questions

What is an ITAR Empowered Official?

Under the definition in 22 CFR Part 120, an Empowered Official is a U.S. person, directly employed by a registered ITAR entity in a position of policy or management authority, who is empowered in writing to sign license applications and other DDTC submissions, and who is legally accountable for the accuracy of those submissions. The role carries personal legal liability — not just organizational responsibility.

Can a company have an Empowered Official without having a real compliance program?

Yes — and this is exactly the problem DDTC enforcement actions reveal repeatedly. A company can designate an Empowered Official on paper while lacking the policies, training, escalation paths, cross-functional integration, and audit infrastructure that constitute a functioning compliance program. DDTC expects both designation and substantive culture.

What does DDTC look for during a compliance review?

DDTC auditors look beyond documentation to operational reality: whether employees can accurately describe ITAR obligations, whether the Empowered Official exercises genuine authority, whether escalation paths exist and are used, whether training records reflect actual learning, and whether internal audits have generated real corrective actions. A folder of policies with no operational backbone will not satisfy a DDTC compliance review.

What is an Internal Compliance Program (ICP) under ITAR?

An Internal Compliance Program (ICP) is the comprehensive, documented framework that governs how a registered entity manages its ITAR obligations, built around the elements in DDTC's published compliance program guidelines. A complete ICP includes a Technology Control Plan, Empowered Official designation, employee training, export authorization management procedures, recordkeeping, internal audit protocols, and corrective action processes.

What is the difference between personal liability and corporate liability under ITAR?

Corporate liability means the company faces civil and criminal penalties for ITAR violations. Personal liability means individual executives, Empowered Officials, and employees can be personally prosecuted and imprisoned for violations they participated in or approved. Under 22 U.S.C. § 2778, criminal penalties reach $1 million and 20 years imprisonment per violation — and these attach to individuals, not just companies.


Last updated: 2026-04-06

Jared Clark is a JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC with 8+ years of ITAR and export control consulting experience. He is the Principal Consultant at Certify Consulting, where he has helped 200+ defense contractors, aerospace manufacturers, and technology exporters build defensible compliance programs.
