ITAR catches more companies off guard than almost any other federal compliance regime. Most businesses that need to comply don't realize it until they're already in violation — and by then, the penalties can be existential.
Here's the short version: if your company manufactures, exports, or brokers defense articles or defense services listed on the U.S. Munitions List, you are subject to ITAR. There is no revenue threshold, no employee count exemption, and no grace period for figuring it out later.
In my eight-plus years helping more than 200 clients navigate export controls, the most common pattern I see is a company that has been technically violating ITAR for years without knowing it — usually through deemed exports (more on that below) or through a minor technical data transfer someone assumed was harmless.
This guide covers what ITAR requires, who it applies to, and how to build a compliance program that actually works.
What Is ITAR?
The International Traffic in Arms Regulations (ITAR), codified at 22 CFR Parts 120–130, govern the export and import of defense articles, defense services, and related technical data. ITAR is administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State.
ITAR implements the Arms Export Control Act (AECA), 22 U.S.C. § 2778. Criminal violations carry penalties of up to $1 million per violation and 20 years in federal prison. Civil penalties can reach $1.27 million per violation, adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act.
Citation hook: ITAR violations are not treated as administrative oversights — they are federal crimes with both civil and criminal exposure, administered by the U.S. Department of State under 22 CFR Parts 120–130.
Who Must Register with DDTC?
Any U.S. company that manufactures, exports, or temporarily imports defense articles — or furnishes defense services — must register with DDTC before conducting any of those activities. This is true even if you never plan to export a single item.
Under 22 CFR § 122.1, registration is a precondition, not a step you take after winning a defense contract. The State Department does not offer a startup exemption or a trial period.
Three categories of companies must register:
- Manufacturers of defense articles listed on the USML, even if they only sell domestically
- Exporters who sell, transfer, or otherwise provide USML items outside the United States
- Brokers who facilitate USML transactions between foreign parties
Registration fees range from $2,250 to $2,750 per year depending on registration tier, and renewal is required annually. Letting a registration lapse while still manufacturing USML items is itself a violation.
The U.S. Munitions List: What's Controlled
The USML is organized into 21 categories (Categories I through XXI), covering everything from firearms and ammunition to satellites and nuclear weapons equipment. A selection of the most commonly encountered categories:
| USML Category | Description |
|---|---|
| I | Firearms, Close Assault Weapons & Combat Shotguns |
| II | Guns & Armament |
| III | Ammunition & Ordnance |
| IV | Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets |
| V | Explosives & Energetic Materials, Propellants & Incendiary Agents |
| VI | Naval Vessels & Related Articles |
| VII | Tanks & Military Vehicles |
| VIII | Aircraft & Related Articles |
| XI | Military Electronics |
| XIII | Auxiliary Military Equipment |
| XV | Spacecraft Systems & Related Articles |
| XXI | Miscellaneous Articles (catch-all for classified/unique items) |
The USML was substantially revised between 2013 and 2020 as part of the Export Control Reform (ECR) initiative, which moved many less-sensitive items from ITAR control to EAR (Export Administration Regulations) control under the Commerce Control List (CCL). If your product was ITAR-controlled before 2013, it may now fall under EAR — but only if it was formally moved to the CCL through a published rule. Don't assume; get a formal determination.
Export Licenses: When You Need One and When You Don't
Not every ITAR-controlled transaction requires an export license. But the exemptions are narrower than most companies expect, and relying on an exemption without proper documentation is itself a violation.
| Transaction Type | License Requirement | Common Exemptions |
|---|---|---|
| Permanent export of hardware | License required | 22 CFR § 123.4 (gov-to-gov); § 123.16 (personal use) |
| Technical data export | License required | § 125.4(b)(9) (public domain); § 125.4(b)(13) (fundamental research) |
| Defense services to foreign persons | License or TAA required | § 124.2 (foreign military sales) |
| Temporary export and return | May qualify for exemption | § 123.22 (exhibition or demonstration) |
| Re-export by foreign consignee | License required | Rare; end-use certificate review required |
| Deemed export (foreign national in U.S.) | May require license | § 125.4(b) for specific categories |
The two main authorization vehicles for ongoing defense work with foreign partners are:
- Technical Assistance Agreements (TAAs): Authorize sharing of technical data and defense services with foreign partners
- Manufacturing License Agreements (MLAs): Authorize foreign manufacture of U.S. USML items
Both require State Department approval and can take 60 to 120 days in straightforward cases. Applications involving sensitive technologies or restricted countries can run six months or longer.
Citation hook: The public domain exemption under 22 CFR § 125.4(b)(9) does not apply to technical data placed in the public domain through an unauthorized disclosure — a prior violation cannot cleanse subsequent transfers of the same data.
Deemed Exports: The Most Overlooked ITAR Risk
A "deemed export" occurs when a U.S. company shares ITAR-controlled technical data with a foreign national inside the United States. Under 22 CFR § 120.17, this is treated as an export to that person's country of citizenship or permanent residence — even if it happens in your own conference room.
This is where I see the most violations from otherwise careful companies. A defense contractor hires a talented engineer who has been in the United States for a decade with a green card. When someone emails him the technical data package for a Category VIII aircraft component, they have just made an unlicensed export to his country of citizenship.
The due diligence requirement is real. Under 22 CFR § 122.5, registered companies must screen employees and maintain records sufficient to demonstrate compliance. That means knowing the citizenship status of everyone with access to controlled technical data — not just engineers and program managers, but anyone who handles documents, manages IT infrastructure that stores controlled data, or works directly with international customers.
Statistic: DDTC enforcement actions consistently identify inadequate deemed export controls as a root cause in voluntary disclosure cases. Companies that self-report violations often discover the underlying failure was an access control system that never accounted for foreign national employees who were entirely lawful hires.
ITAR Penalties: What's Actually at Stake
The civil penalty ceiling is $1.27 million per violation. Criminal exposure is $1 million and/or 20 years imprisonment per violation. Under ITAR, each unauthorized export or disclosure of technical data constitutes a separate violation — meaning a single email chain shared with multiple unauthorized foreign recipients can generate multiple simultaneous violations.
Those numbers are not theoretical. DDTC has negotiated substantial consent agreements with some of the largest names in defense:
- BAE Systems — $79 million consent agreement (2011) for unauthorized exports to multiple countries
- General Atomics — $13.3 million (2016) for ITAR violations involving unmanned aerial systems technical data
- Raytheon — $8 million consent agreement (2013) for unauthorized technical data transfers
- L3 Technologies — $13 million (2019) for violations across multiple defense programs
Voluntary disclosure, while not a guarantee of reduced penalties, is consistently treated more favorably than discovered violations. Companies that self-report in good faith, cooperate fully, and implement genuine remediation typically receive meaningfully smaller penalties than those identified through enforcement activity. But voluntary disclosure without concurrent remediation is a poor trade — fix the problem alongside or before the disclosure, not after.
ITAR vs. EAR: Knowing Which Regime Applies
One of the most consequential determinations in export compliance is understanding the boundary between ITAR and EAR. They are not interchangeable, and the penalties for misidentifying which applies are real.
| Factor | ITAR | EAR |
|---|---|---|
| Governing authority | U.S. State Department (DDTC) | U.S. Commerce Dept. (BIS) |
| Controlling regulation | 22 CFR Parts 120–130 | 15 CFR Parts 730–774 |
| Control list | U.S. Munitions List (USML) | Commerce Control List (CCL) |
| Primary focus | Military & defense articles | Dual-use commercial/military items |
| Registration required | Yes, before any activity | No blanket registration requirement |
| Civil penalty ceiling | $1.27 million per violation | $368,136 per violation (or 2× transaction value) |
| License application portal | DECCS (State Dept.) | SNAP-R (Commerce Dept.) |
| Self-classification allowed | Yes, with documentation | Yes, with documentation |
A common mistake is treating "we sell to the military" as a proxy for "we're ITAR-controlled." Military sales are a risk indicator, not a determination. The actual question is whether the specific item is enumerated on the USML or has been moved to the CCL through a published ECR rule.
Building an ITAR Compliance Program That Actually Works
A compliance program that works has five core components. I've seen companies with two-inch-thick compliance manuals that were missing several of them, and companies with a thirty-page document that had everything they needed. The manual is not the compliance program.
Jurisdiction and Classification Determinations
Before anything else, know what you have. Every product, service, and piece of technical data your company produces needs a formal determination: ITAR, EAR, or neither. Document it, sign it, and review it whenever the item or its specifications change.
DDTC Registration and Licensing
Register before you need to. Maintain licenses for every active international program. Track expiration dates and assign ownership to a specific person — with calendar reminders, not just an entry in a spreadsheet no one reviews.
Technology Control Plan (TCP)
A TCP governs who can access controlled technical data inside your facility and under what conditions. It should address physical access to controlled areas, IT controls on servers and email systems containing controlled data, visitor screening and escort procedures, foreign national employee identification, and training requirements.
Employee Training
Annual ITAR training for everyone with access to controlled data is the floor, not the standard. The companies with the fewest violations train quarterly and make ITAR awareness part of onboarding for every new hire — not just engineers, but anyone who handles documents, manages IT systems, or interacts with international partners.
Monitoring, Auditing, and Voluntary Disclosure
Compliance programs without a self-audit mechanism are compliance programs waiting to become violations. Conduct an internal audit at least annually. When you find something, get legal counsel involved, assess voluntary disclosure candidacy, and document everything. The voluntary disclosure process under ITAR is a real mitigation tool, consistently applied by DDTC when companies self-report in good faith.
How Certify Consulting Approaches ITAR Work
In eight-plus years and 200+ client engagements, I have not had a single client fail a DDTC compliance review after we built or audited their program together. That record reflects the fact that we build programs designed for how auditors actually evaluate compliance — not programs designed to look good on paper.
Certify Consulting offers:
- ITAR compliance program development — full TCPs, classification determinations, and licensing strategy
- DDTC registration and renewal — initial registration, annual renewal, and amendment filings
- Export license applications — TAAs, MLAs, and commodity licenses through DECCS
- Compliance audits — internal assessments structured to surface real exposure before an auditor does
- Voluntary disclosure support — assessment, drafting, and remediation planning
- Employee training programs — live and on-demand formats for technical and non-technical staff
If you're not sure whether your company needs to be registered, start there. The question is almost always easier to answer than people expect — and the cost of not knowing is significant.
For an initial consultation, visit itarconsultant.us or reach out directly through certify.consulting.
Last updated: 2026-07-13
Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC is the Principal Consultant at Certify Consulting, with 8+ years of experience and a 100% first-time audit pass rate across 200+ client engagements in defense, aerospace, and regulated industries.
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.