ITAR Classification Guide: Is Your Product on the USML?

Q: How do I know if my product is 'specially designed' under ITAR?

Under 22 CFR § 120.41, an item is 'specially designed' if it was developed for a defense application and has properties peculiarly responsible for achieving controlled military performance levels. Commercial off-the-shelf items used in military systems without modification are generally not 'specially designed,' but items engineered to meet military specifications typically are.

Last updated: 2026-04-09

Misclassifying a product under the International Traffic in Arms Regulations (ITAR) is one of the most costly compliance mistakes a defense manufacturer, exporter, or technology company can make. Civil penalties alone can reach $1.37 million per violation, and criminal penalties can result in up to 20 years in federal prison. Yet every year, companies unknowingly export controlled defense articles without proper authorization simply because they never confirmed whether their product appears on the United States Munitions List (USML).

This guide walks you through exactly how to determine whether your product, technology, or service falls under ITAR jurisdiction — step by step, with the clarity and precision your compliance program deserves.

What Is the USML and Why Does It Matter?

The United States Munitions List (USML) is the definitive list of defense articles, defense services, and related technical data subject to ITAR, codified at 22 CFR Part 121. It is maintained and enforced by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State.

The USML is organized into 21 categories, each covering a distinct type of defense article, ranging from firearms and ammunition (Category I) to spacecraft and satellites (Category XV) to nuclear weapons (Category XVI). If your product, component, software, or technical data falls within any of these categories, you are subject to the full weight of ITAR — including registration, licensing, and end-use monitoring requirements.

What makes the USML particularly challenging is that jurisdiction is activity-based, not intent-based. A company doesn't have to know it's violating ITAR to be held liable. The obligation to classify correctly rests entirely with the exporter.

The Two-Step Jurisdiction Question Every Exporter Must Ask

Before diving into the USML categories themselves, I tell every client to frame the classification question in two parts:

Is this item, technology, or service "specially designed" for a military application or controlled under a specific USML category?
If not ITAR-controlled, is it subject to the Export Administration Regulations (EAR) under the Commerce Control List (CCL)?

This two-step framework reflects the Export Control Reform (ECR) initiative completed in 2014–2018, which shifted many formerly ITAR-controlled items to the EAR's "600 series" Export Control Classification Numbers (ECCNs). Understanding where the ITAR/EAR boundary falls is essential — and often misunderstood.

Citation hook: Under U.S. export control law, an item that was formerly ITAR-controlled but transitioned to the EAR during Export Control Reform is not automatically free to export — it is now classified under a "600 series" ECCN and still requires licensing for most military end-users and destinations.

The 21 USML Categories at a Glance

Category	Description	Common Examples
I	Firearms, Close Assault Weapons & Combat Shotguns	Rifles, pistols, silencers
II	Guns and Armament	Artillery, mortars, recoilless rifles
III	Ammunition & Ordnance	Projectiles, fuzes, propellants
IV	Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets	Rocket motors, re-entry vehicles
V	Explosives & Energetic Materials	Military explosives, incendiary agents
VI	Vessels of War & Special Naval Equipment	Warships, submarines, naval mine equipment
VII	Tanks & Military Vehicles	Armored vehicles, military trucks
VIII	Aircraft & Associated Equipment	Military aircraft, UAVs, ejection seats
IX	Military Training Equipment	Flight simulators, gunnery trainers
X	Protective Personnel Equipment	Body armor, NBC protective suits
XI	Military Electronics	Electronic warfare, jamming systems
XII	Fire Control, Laser, Imaging & Guidance Equipment	Military targeting systems, FLIR
XIII	Auxiliary Military Equipment	Cameras, classified software
XIV	Toxicological Agents, Including Chemical & Biological	CW agents, biological agents
XV	Spacecraft & Related Articles	Military satellites, space launch
XVI	Nuclear Weapons, Special Nuclear Material & Related Equipment	Nuclear devices
XVII	Classified Articles	[Classified]
XVIII	Directed Energy Weapons	High-energy lasers, particle beams
XIX	Gas Turbine Engines & Associated Equipment	Military turbofan, turbojet engines
XX	Submersible Vessels & Related Articles	Military submarines, UUVs
XXI	Articles, Technical Data & Defense Services Not Otherwise Enumerated	Catch-all military articles

Citation hook: USML Category XXI serves as a residual catch-all category, meaning that any article, technical data, or defense service with a critical military or intelligence application that is not specifically enumerated elsewhere on the USML may still be subject to ITAR jurisdiction under 22 CFR § 121.1(b).

Step-by-Step: How to Determine if Your Product Is ITAR-Controlled

Step 1: Review the Relevant USML Category Text

Start with the full regulatory text at 22 CFR Part 121. Don't rely on summaries or third-party descriptions alone — the exact wording of each category paragraph controls what is and isn't covered. Each category is broken into paragraphs (e.g., Category VIII(a), VIII(b)), and the distinctions between paragraphs matter enormously for licensing.

Practical tip: Search the Electronic Code of Federal Regulations (eCFR) at ecfr.gov for the current, authoritative text. USML categories are periodically amended — confirm you're reading the current version.

Step 2: Apply the "Specially Designed" Standard

The term "specially designed" is one of the most critical (and most litigated) concepts in ITAR. Under 22 CFR § 120.41, an item is "specially designed" for ITAR purposes if it:

Was developed for a military application or as a result of a program with a defense application, AND
Has properties that are peculiarly responsible for achieving or exceeding the controlled performance levels, thresholds, or characteristics

The specially designed standard is not the same as "used by the military" or "sold to a defense contractor." A commercial off-the-shelf (COTS) bolt used in both a tractor and a tank is not specially designed for military use. A bolt engineered to survive ballistic impacts and designed exclusively for use in an armored vehicle platform likely is.

Step 3: Check for Enumerated Items vs. Performance Parameters

Some USML paragraphs list specific items by name (enumerated controls). Others establish performance thresholds — if your product meets or exceeds those thresholds, it falls within scope regardless of whether it's called out by name.

For example, USML Category XII covers night vision and thermal imaging equipment with specific resolution, sensitivity, and wavelength parameters. A commercial thermal camera that happens to meet those military-grade parameters may be ITAR-controlled even if it's marketed solely for industrial applications.

This is one of the most common sources of unexpected ITAR exposure for commercial technology companies.

Step 4: Assess Technical Data and Software Separately

ITAR controls don't stop at physical hardware. 22 CFR § 120.33 defines "technical data" broadly to include:

Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles
Classified information relating to defense articles and defense services
Information covered by an invention secrecy order

Software that is directly related to defense articles — including source code, object code, and design tools — is also potentially ITAR-controlled under 22 CFR § 120.31.

Citation hook: Under ITAR, the transmission of controlled technical data via email, cloud sharing, or verbal disclosure to a foreign national inside the United States constitutes a "deemed export" and requires the same authorization as a physical export to that individual's home country.

Step 5: Determine Whether a "Parts and Components" Paragraph Applies

Nearly every USML category includes a paragraph controlling "parts, components, accessories, and attachments" — often designated as paragraph (f) or (h). Even if the end-item itself is not listed, a component specifically designed for a controlled defense article may independently trigger ITAR jurisdiction.

This is a critical step for Tier 2 and Tier 3 suppliers who believe they are insulated from ITAR because they "don't make weapons." If you manufacture a subcomponent that goes into a defense article, you need to trace that lineage carefully.

Step 6: Review the USML Exclusions and "See-Through" Rules

Each USML category also contains exclusions — items that are explicitly carved out from ITAR control, typically because they transitioned to the EAR under Export Control Reform. Look for "Note" paragraphs and "Excludes" language within each category.

The "see-through" rule is also important: in some cases, incorporating a controlled component into a larger system causes the entire system to be treated as ITAR-controlled, even if the system itself would otherwise fall under EAR jurisdiction.

Step 7: Request a Commodity Jurisdiction (CJ) Determination if in Doubt

When internal review leaves genuine ambiguity, the formal path is a Commodity Jurisdiction (CJ) determination from DDTC, governed by 22 CFR § 120.4. A CJ request asks the U.S. government to officially determine whether a specific item, technology, or service is subject to ITAR or EAR.

Key facts about the CJ process: - Average processing time: 45–90 business days (though complex cases can take longer) - No fee to submit a CJ request - The determination binds DDTC but does not automatically bind the Bureau of Industry and Security (BIS) for EAR purposes - CJ determinations can be appealed or revised if specifications change

Submitting a CJ request is not an admission of wrongdoing. In fact, proactively seeking a CJ demonstrates good faith compliance — a factor that DDTC and the Department of Justice both consider in enforcement decisions.

Common Classification Mistakes (and How to Avoid Them)

Mistake #1: Relying on a Customer's Classification

Suppliers routinely accept a prime contractor's ITAR or EAR classification without independent verification. This is a significant compliance gap. ITAR jurisdiction is determined by the item's characteristics, not by what a customer says it is. Each party in the supply chain bears independent responsibility for correct classification.

Mistake #2: Assuming Commercial = Not ITAR

Commercial availability does not equal ITAR exemption. As noted in Step 3 above, a commercially marketed product can still meet USML performance thresholds. The correct question is always: what are the item's technical characteristics, and do they meet the regulatory definition?

Mistake #3: Overlooking "Specially Designed" Subcomponents

Many companies correctly classify their end-item but fail to trace ITAR obligations through their own supply chain. If your product incorporates a subcomponent that is itself ITAR-controlled, your end-item may be controlled as well — and your supplier's ITAR registration status becomes your compliance risk.

Mistake #4: Treating Classification as a One-Time Event

Products evolve. Engineering changes, new software versions, and performance upgrades can shift an item's classification. ITAR compliance requires periodic reclassification reviews, particularly after design changes, contract modifications, or when the underlying USML regulations are amended.

Mistake #5: Ignoring the Deemed Export Risk for Foreign Nationals

According to DDTC enforcement data, deemed export violations — unauthorized disclosure of controlled technical data to foreign nationals within the U.S. — are among the most frequently cited ITAR violations. If foreign nationals are involved in your engineering, manufacturing, or R&D workforce, your classification process must include a deemed export assessment.

ITAR vs. EAR: Key Jurisdictional Differences

Understanding the boundary between ITAR and EAR is essential for accurate classification. Here's how the two regimes compare:

Factor	ITAR (State/DDTC)	EAR (Commerce/BIS)
Governing regulation	22 CFR Parts 120–130	15 CFR Parts 730–774
Controlling list	USML (22 CFR Part 121)	Commerce Control List (CCL)
Primary purpose of controls	Military/defense applications	Dual-use + commercial
Registration required?	Yes — ITAR registration mandatory	No standalone registration
License penalties (civil)	Up to $1.37M per violation	Up to $364,992 per violation
"Specially designed" standard	Yes — defined in 22 CFR § 120.41	Yes — defined in 15 CFR § 772.1
Deemed export rule	Yes — applies to foreign nationals	Yes — applies to foreign nationals
Voluntary disclosure program	Yes — DDTC voluntary disclosure	Yes — BIS voluntary self-disclosure

When to Engage a Professional ITAR Consultant

While the classification framework described above is something every compliance professional should understand, there are specific circumstances where engaging an experienced ITAR consultant is not just advisable — it's essential:

New product development targeting defense or dual-use markets
Mergers, acquisitions, or joint ventures involving defense technology
Supply chain expansion into international markets or with foreign suppliers
DDTC enforcement inquiries or voluntary disclosures in progress
First-time ITAR registration and internal compliance program build-out
License application preparation (DSP-5, DSP-73, TAA, MLA)

At Certify Consulting, I've guided more than 200 clients through ITAR classification and compliance challenges — with a 100% first-time audit pass rate across more than 8 years of practice. A proper classification review at the front end of product development is exponentially less expensive than a post-violation enforcement action.

If you're unsure whether your product belongs on the USML, don't guess. Contact an ITAR compliance consultant today to get a defensible, documented answer.

Building a Repeatable Classification Process

The goal isn't just to classify one product correctly — it's to build a sustainable classification workflow your organization can execute consistently. Here's a recommended framework:

Create a Product Classification Register — a living document that tracks every item, component, software, and technical data set, along with its current ITAR/EAR classification, the date of classification, the person responsible, and the regulatory basis.
Assign Classification Ownership — someone in your organization (ideally your Empowered Official or a designated compliance officer) must own the classification process and have authority to escalate ambiguous cases.
Establish a Change Review Trigger — any engineering change order (ECO), design revision, or new customer contract should automatically trigger a classification review.
Document Your Rationale — in the event of an audit or enforcement inquiry, you need to demonstrate not just what you decided, but why. Documented reasoning — including the specific USML paragraph reviewed and the "specially designed" analysis — is your best defense.
Train Your Team — engineers, program managers, and business development staff all interact with controlled technology. Annual ITAR training is a regulatory best practice and a defense against unintentional violations.

For organizations building their ITAR compliance program from the ground up, our ITAR registration and compliance services provide end-to-end support from classification through license management.

Key Statistics Every ITAR Compliance Professional Should Know

$1.37 million — maximum civil penalty per ITAR violation (as adjusted for inflation under 22 CFR Part 130)
Over $1 billion in ITAR-related fines have been levied by DDTC against U.S. companies in the past two decades, with individual settlements reaching hundreds of millions of dollars
45–90 business days — typical processing time for a Commodity Jurisdiction (CJ) determination from DDTC
21 categories make up the USML, covering everything from conventional firearms to nuclear weapons and classified articles
More than 15,000 U.S. companies are currently registered with DDTC as manufacturers or exporters of ITAR-controlled defense articles

Frequently Asked Questions

What is the USML and how is it different from the Commerce Control List?

The USML (United States Munitions List) is the list of defense articles and services controlled under ITAR, administered by the State Department's DDTC. The Commerce Control List (CCL) covers dual-use items under the EAR, administered by BIS. Items on the USML are subject to stricter licensing, registration, and end-use requirements than items on the CCL.

How do I know if my product is "specially designed" under ITAR?

Under 22 CFR § 120.41, an item is "specially designed" if it was developed for a defense application and has properties peculiarly responsible for achieving controlled military performance levels. Commercial off-the-shelf items used in military systems without modification are generally not "specially designed," but items engineered to meet military specifications typically are.

Can I export an ITAR-controlled item without a license?

In limited circumstances, yes — ITAR includes several exemptions, such as the Canadian exemption (22 CFR § 126.5) and the government-to-government exemption. However, these exemptions are narrow, condition-laden, and must be documented carefully. Most exports of ITAR-controlled defense articles require a State Department license or other authorization.

What happens if I misclassify a product under ITAR?

Misclassification can result in unauthorized exports, which carry civil penalties of up to $1.37 million per violation and criminal penalties of up to $1 million and 20 years imprisonment per count. DDTC also has authority to debar companies from future defense trade. Proactive voluntary disclosure can mitigate penalties significantly.

When should I submit a Commodity Jurisdiction (CJ) request to DDTC?

You should submit a CJ request when your internal classification review leaves genuine ambiguity about whether an item is subject to ITAR or EAR jurisdiction, when a product has recently undergone design changes that may shift its classification, or when a foreign customer, investor, or partner requires a formal government determination.

Last updated: 2026-04-09

Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC — Principal Consultant, Certify Consulting | certify.consulting