ITAR Applies to More Companies Than You Think
By Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC | Certify Consulting
Most business owners assume the International Traffic in Arms Regulations (ITAR) is a problem reserved for Lockheed Martin, Raytheon, and the other household names of the defense industrial base. If you're not building fighter jets or manufacturing guided missiles, you're safe — right?
Wrong. That assumption costs companies millions of dollars in fines, criminal liability, and reputational damage every single year.
Over my 8+ years working with 200+ clients on ITAR compliance, I've encountered machine shops, electronics firms, software developers, university research programs, chemical companies, and even satellite communications providers who had no idea their products or services placed them squarely under ITAR jurisdiction. By the time they found out, the compliance gap was significant — and in some cases, the violations had already occurred.
This guide is designed to close that knowledge gap. If you make, handle, broker, export, or even discuss certain technical data with foreign nationals, you need to read this carefully.
What Is ITAR, and Who Actually Enforces It?
ITAR — codified at 22 C.F.R. Parts 120–130 — implements the Arms Export Control Act (AECA) and is administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC). Its purpose is to control the export and import of defense-related articles, services, and technical data to protect U.S. national security and foreign policy interests.
When most people hear "arms control," they think physical weapons. But ITAR's reach is far broader than firearms and bombs. The regulatory touchstone is the United States Munitions List (USML), a 21-category enumeration of defense articles and defense services. If your product, software, technology, or service fits any USML category — even partially — ITAR applies to you.
Citation hook: ITAR violations can result in civil penalties of up to $1,394,582 per violation (as adjusted for inflation) and criminal penalties of up to $1,000,000 per violation and 20 years imprisonment under 22 U.S.C. § 2778.
The United States Munitions List: It's Longer Than You Think
The USML's 21 categories cover far more ground than rifles and artillery shells. Here is a structured overview:
| USML Category | Title | Commonly Overlooked Subsectors |
|---|---|---|
| Cat. I | Firearms, Close Assault Weapons & Combat Shotguns | Receivers, barrels, suppressors |
| Cat. II | Guns and Armament | Turret components, mounts |
| Cat. III | Ammunition & Ordnance | Fuzes, primers, propellants |
| Cat. IV | Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets | Sounding rockets, UAV propulsion |
| Cat. V | Explosives & Energetic Materials | Specialty pyrotechnic compounds |
| Cat. VI | Vessels of War & Special Naval Equipment | Submarine components, hull coatings |
| Cat. VII | Tanks & Military Vehicles | Suspension systems, armored glass |
| Cat. VIII | Aircraft & Associated Equipment | Avionics, airframes, UAV components |
| Cat. IX | Military Training Equipment | Flight simulators, targeting trainers |
| Cat. X | Personal Protective Equipment | Military-spec body armor, helmets |
| Cat. XI | Military Electronics | Radar systems, EW hardware |
| Cat. XII | Fire Control, Range Finder, Optical & Guidance Equipment | Laser rangefinders, night vision |
| Cat. XIII | Materials & Miscellaneous Articles | Stealth coatings, ablative materials |
| Cat. XIV | Toxicological Agents & Equipment | Detection equipment, protective gear |
| Cat. XV | Spacecraft Systems & Associated Equipment | Satellites, spacecraft components, ground control |
| Cat. XVI | Nuclear Weapons-Related Articles | Radiation hardened components |
| Cat. XVII | Classified Articles | Classified by USG determination |
| Cat. XVIII | Directed Energy Weapons | High-power lasers, particle beam systems |
| Cat. XIX | Gas Turbine Engines & Associated Equipment | Military aircraft engine components |
| Cat. XX | Submersible Vessels & Related Articles | ROV components for military use |
| Cat. XXI | Miscellaneous Articles | Articles deemed defense articles by DDTC |
If your product or its components appear in any of these categories, you are a U.S. person subject to ITAR — regardless of whether you have ever applied for a registration or license.
The Registration Requirement Most Companies Miss
Here is something that surprises nearly every first-time client: ITAR registration is required before you manufacture, export, or broker defense articles — not after. Under 22 C.F.R. § 122.1, any U.S. person who engages in the manufacture of defense articles is required to register with DDTC.
Manufacturing is the key word. You don't need to have exported a single item. If you fabricate a part, assemble a component, or even modify an existing article that falls under the USML, you are a manufacturer under ITAR and registration is mandatory.
Citation hook: According to DDTC, failure to register as a manufacturer of defense articles constitutes an ITAR violation independent of any subsequent export activity — meaning a company can violate ITAR simply by making a product, without ever shipping it overseas.
The annual registration fee ranges from $2,250 to $2,750 depending on registration type, making cost a non-issue. The issue is awareness.
7 Types of Companies That Don't Realize They're Subject to ITAR
1. Precision Machining and Metal Fabrication Shops
Subcontractors who machine parts for aerospace and defense primes are frequently ITAR-controlled. If you're turning titanium housings for a missile guidance system — even if you never know the end use — the technical data you receive (drawings, specifications, tolerances) may itself be ITAR-controlled technical data. Receiving it from a prime contractor without proper safeguards can create violations at your facility.
2. Software and Cybersecurity Firms
Cat. XI (Military Electronics) and Cat. XII (Fire Control and Guidance Equipment) both include software specifically designed or modified for defense applications. Encryption software used in military command-and-control systems, electronic warfare algorithms, and software for autonomous military platforms can all be ITAR-controlled. The "software is just code" argument does not hold up with DDTC.
3. Commercial Satellite and Space Technology Companies
Cat. XV covers spacecraft systems and associated equipment. Since the Export Control Reform Act (ECRA) of 2018 and the associated ECR initiative, some commercial satellites migrated to the Commerce Control List (CCL) under EAR. However, military and intelligence satellites, certain remote sensing capabilities, and specific space launch vehicle components remain firmly on the USML. The commercial space boom has created a generation of NewSpace companies who are unknowingly manufacturing ITAR articles.
4. Optical and Photonics Manufacturers
Cat. XII controls fire control, range finder, optical and guidance equipment. Night vision devices (including Generation 3 image intensifier tubes), laser range finders, and certain thermal imaging systems are controlled. A company making lenses or optical coatings for these end uses — even as a Tier 2 or Tier 3 supplier — handles ITAR-controlled technical data.
5. Chemical and Materials Companies
Cat. V and Cat. XIII cover energetic materials, specialty chemicals, and unique defense-related material formulations. Companies developing advanced coatings, ablative materials for ballistic applications, or specialty propellant compounds may find themselves subject to ITAR without ever interacting with a defense contractor directly.
6. Universities and Research Institutions
Research institutions performing basic research typically benefit from the Fundamental Research Exclusion (FRE) under 22 C.F.R. § 120.43. However, that exclusion evaporates the moment a university accepts publication restrictions, access limitations on foreign national researchers, or proprietary controls from a sponsor. Many university labs are unknowingly operating outside the FRE — making their work ITAR-controlled technical data.
7. IT Service Providers and Cloud Vendors
If your managed service provider, cloud hosting company, or IT support firm has access to servers storing ITAR-controlled technical data, they may themselves be subject to ITAR. Unauthorized release of technical data to a foreign national — even a foreign employee of your own domestic IT vendor — constitutes a "deemed export" under 22 C.F.R. § 120.50 and requires a license or applicable exemption.
The Deemed Export Rule: ITAR's Most Misunderstood Provision
Perhaps no ITAR concept is more frequently misunderstood by non-defense companies than deemed exports. A deemed export occurs when ITAR-controlled technical data is released to a foreign national inside the United States. The release is "deemed" to be an export to that person's country of citizenship or permanent residence.
This means:
- Showing ITAR-controlled engineering drawings to a foreign national employee at your facility is an export.
- Emailing ITAR-controlled specifications to a foreign national colleague is an export.
- Briefing a foreign national on ITAR-controlled system performance parameters is an export.
Citation hook: Under 22 C.F.R. § 120.50, the release of ITAR-controlled technical data to a foreign national in the United States constitutes a deemed export requiring the same authorization as a physical export of the same article — a requirement that applies regardless of whether the individual is a lawful permanent resident, a student, or an employee.
In 2023, DDTC resolved multiple enforcement actions where the primary violation was not an overseas shipment but a domestic release of technical data to foreign national employees — often in engineering, IT, or manufacturing roles.
How to Determine If Your Products Are on the USML
The compliance methodology for a USML jurisdiction determination follows a structured process. Here's how Certify Consulting approaches it with clients:
Step 1: Product and Technology Characterization
Document your product's form, fit, function, and design parameters in detail. Include all materials, coatings, software, and performance specifications.
Step 2: USML Category Review
Systematically review each of the 21 USML categories against your product characterization. Pay particular attention to "specially designed" language — a term defined at 22 C.F.R. § 120.41 that captures components specifically engineered for defense applications even if they have commercial variants.
Step 3: "Specially Designed" Analysis
Under the ITAR "specially designed" definition, a component is controlled if it was designed or modified to provide performance levels, characteristics, or functions that meet or exceed the threshold for a USML article — even if it is now sold commercially.
Step 4: EAR/ITAR Boundary Analysis
For products that may have migrated from the USML to the CCL under export control reform, confirm current classification. A product that was ITAR-controlled in 2012 may now fall under EAR — but verify this formally.
Step 5: Commodity Jurisdiction Request (If Needed)
If the jurisdiction determination is genuinely ambiguous after internal analysis, submit a Commodity Jurisdiction (CJ) request to DDTC under 22 C.F.R. § 120.4. A CJ provides a formal government determination and protects against future enforcement for acting in good faith.
What Happens If You've Already Violated ITAR Without Knowing It?
Voluntary self-disclosure (VSD) is ITAR's answer to this scenario. Under the ITAR enforcement guidelines and DDTC's Compliance Program Guidelines, companies that proactively disclose violations typically receive significantly reduced penalties compared to those where violations are discovered through government investigation or third-party reporting.
The VSD process involves: 1. Submitting an initial notification to DDTC's Office of Defense Trade Controls Compliance (DTCC) 2. Conducting an internal investigation 3. Submitting a full disclosure with corrective action plan
The penalty differential between VSD and discovered violations is substantial. DDTC has historically imposed penalties 50–80% lower in VSD cases where strong corrective actions are demonstrated. If you suspect you've had unreported ITAR activity, address it proactively — the exposure only grows with time.
For guidance on building a defensible compliance program, visit ITAR Compliance Program Development or explore Certify Consulting's export control services.
Building an ITAR Compliance Program: The Essentials
For companies that discover ITAR applicability — whether through self-assessment or a consultant engagement — the minimum program elements include:
- DDTC Registration (22 C.F.R. Part 122) — annual, mandatory
- Written Technology Control Plan (TCP) — governing access to controlled technical data
- Export License Management — tracking licenses, exemptions, and provisos
- Deemed Export Protocols — screening foreign national employees and visitors
- Training Program — documented, role-based, recurring
- Recordkeeping System — 5-year minimum retention under 22 C.F.R. § 122.5
- Internal Audit Function — periodic reviews of program effectiveness
- Violation Reporting Procedure — internal escalation and VSD protocol
The good news: with 200+ clients and a 100% first-time audit pass rate, my team at Certify Consulting has helped companies across every sector stand up compliant programs efficiently — without the overhead of a full-time in-house compliance department.
For companies in regulated sectors who need an integrated compliance approach, our ITAR Registration and Compliance Services provide end-to-end support from initial jurisdiction determination through audit preparation.
ITAR vs. EAR: Quick Reference for Jurisdiction Determination
| Factor | ITAR (USML) | EAR (CCL) |
|---|---|---|
| Governing Regulation | 22 C.F.R. Parts 120–130 | 15 C.F.R. Parts 730–774 |
| Administering Agency | Dept. of State (DDTC) | Dept. of Commerce (BIS) |
| Primary List | USML (21 categories) | Commerce Control List (CCL) |
| Registration Required | Yes — all manufacturers | No general registration requirement |
| License Authority | State Department license | Export Administration Regulations license |
| Civil Penalty | Up to ~$1.4M per violation | Up to $353,534 per violation |
| Criminal Penalty | Up to $1M / 20 years | Up to $1M / 20 years |
| Deemed Export Rule | Yes — 22 C.F.R. § 120.50 | Yes — 15 C.F.R. § 734.13 |
| Key Trigger | "Defense article" or "defense service" | Dual-use items with national security/foreign policy concern |
| Fundamental Research Exclusion | Yes — 22 C.F.R. § 120.43 | Yes — 15 C.F.R. § 734.8 |
FAQ: ITAR and Unexpected Applicability
Does ITAR apply to my company if I only sell domestically?
Yes, in many circumstances. ITAR registration is required for U.S. manufacturers of defense articles regardless of whether they export. Additionally, deemed export rules mean that sharing ITAR-controlled technical data with a foreign national employee inside the U.S. constitutes a regulated export requiring a license or applicable exemption.
What is the "specially designed" standard, and why does it matter?
Under 22 C.F.R. § 120.41, an item is "specially designed" for ITAR purposes if it was developed, configured, adapted, or modified to achieve or exceed the performance parameters required for a USML-listed defense article. This means a component doesn't need to be exclusively military to be controlled — if it was engineered to meet military performance thresholds, it may be ITAR-controlled even if it is also sold commercially.
What is a Commodity Jurisdiction request, and when should I file one?
A Commodity Jurisdiction (CJ) request, filed under 22 C.F.R. § 120.4 with DDTC, asks the U.S. Government to formally determine whether a specific article, service, or technology is subject to ITAR or EAR jurisdiction. You should file one when your internal analysis cannot clearly resolve whether your product is on the USML or CCL, or when your product has evolved from a formerly classified application into a commercial one. A CJ determination provides a safe harbor against future enforcement if you act in reliance on it.
Can a company face ITAR liability for the actions of its foreign suppliers?
Yes. ITAR controls the import of defense articles (22 C.F.R. Part 123) as well as exports. Additionally, if a U.S. company directs or assists a foreign person in activities that would violate ITAR if performed by a U.S. person — such as transferring ITAR-controlled technical data to a third country — the U.S. company may bear liability under ITAR's brokering rules (22 C.F.R. Part 129) and general prohibitions.
How long does ITAR registration take, and how much does it cost?
DDTC registration typically takes 30–60 days from submission of a complete application via the DECCS online system. Annual registration fees range from $2,250 for a basic manufacturer/exporter registration to $2,750 for brokers. However, the application must accurately describe all defense article categories for which you are registering — errors or omissions can create compliance exposure and trigger DDTC scrutiny.
The Bottom Line: Ignorance Is Not a Defense
ITAR does not contain a knowledge requirement for jurisdiction. If your product is on the USML, you are subject to ITAR — full stop. The regulations do not offer an exception for companies that didn't realize they were manufacturing defense articles, didn't know their technical data was controlled, or didn't understand the deemed export implications of their workforce.
The companies I've helped over 8+ years that avoided serious enforcement exposure all had one thing in common: they got a proper jurisdiction determination done early, built a compliance program proportionate to their risk, and treated ITAR as an ongoing operational function rather than a one-time checkbox.
If you're reading this article and feeling uncertain about whether your products, services, or technical data might be subject to ITAR, that uncertainty is itself a signal. Reach out to Certify Consulting for a confidential initial assessment. The cost of a proper compliance review is a fraction of the exposure you carry by remaining unsure.
Last updated: 2026-03-04
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the principal consultant at Certify Consulting, with 8+ years of experience and 200+ clients served in ITAR compliance, export control, and quality management system development. Certify Consulting maintains a 100% first-time audit pass rate across its client base.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.