Citation Hook: The U.S. Department of State has assessed more than $1.6 billion in ITAR civil penalties since 2007, making export control enforcement one of the most financially consequential compliance risks facing defense and aerospace companies today.
If you've ever wondered how seriously the U.S. government takes International Traffic in Arms Regulations (ITAR) violations, look no further than the public enforcement record. The penalties are staggering — nine-figure settlements, multi-year consent agreements, and in the most serious cases, criminal prosecution of individual executives. After more than eight years helping 200+ clients navigate ITAR compliance, I can tell you that no single investment pays a higher return than a proactive compliance program built before enforcement comes knocking.
This article breaks down the most significant ITAR enforcement actions in history, what triggered each case, and — most importantly — what every defense contractor, manufacturer, and broker can learn from them.
What Governs ITAR Enforcement?
ITAR is administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC). Enforcement authority is shared across three agencies:
- DDTC (State Department): Civil penalties up to $1,394,010 per violation (inflation-adjusted; 22 U.S.C. § 2778)
- Department of Justice (DOJ): Criminal prosecution for willful violations — up to 20 years imprisonment and $1 million per criminal count
- Department of Homeland Security / Commerce: Parallel enforcement for overlapping EAR jurisdiction
The legal framework sits under the Arms Export Control Act (AECA), 22 U.S.C. § 2778, with implementing regulations at 22 CFR Parts 120–130. DDTC's enforcement posture is guided by its Compliance Program Guidelines (CPG) and the Consent Agreement framework, which it has used to impose structural remediation requirements on the largest violators.
Citation Hook: Under 22 CFR § 127.10, a single unauthorized export of a defense article on the U.S. Munitions List (USML) can constitute a separate, independently penalizable ITAR violation — meaning a single transaction can generate dozens of discrete violations and tens of millions of dollars in potential liability.
The Anatomy of an ITAR Violation: What Triggers Enforcement?
Before examining specific cases, it's useful to understand the most common violation categories that have driven major enforcement actions:
| Violation Category | Description | Common Trigger |
|---|---|---|
| Unauthorized Export | Transferring a USML-listed defense article without a license | Shipping hardware to unlicensed foreign recipients |
| Unauthorized Re-Transfer | Foreign party transfers U.S. defense article to a third country | Inadequate end-use monitoring |
| Unauthorized Brokering | Acting as a broker for defense articles without DDTC registration | Unregistered intermediaries |
| Technical Data Disclosure | Sharing ITAR-controlled technical data with foreign nationals | Foreign national employees, cloud storage, emails |
| Recordkeeping Failures | Failure to maintain required transaction records for 5 years (22 CFR § 122.5) | Missing or incomplete export documentation |
| False Statements | Misrepresentation on license applications or export documents | Inaccurate end-user certifications |
| Failure to Register | Manufacturing or exporting without DDTC registration | New entrants unaware of registration requirement |
The majority of large-dollar settlements involve multiple violation categories occurring over multi-year periods — often discovered internally and then voluntarily disclosed, or uncovered by government audits and law enforcement investigations.
The Landmark Cases: ITAR's Biggest Enforcement Actions
1. Hughes Electronics / Boeing — $32 Million (2003)
One of the earliest blockbuster ITAR cases, the Hughes Electronics / Boeing settlement arose from the unlicensed transfer of satellite and rocket technology to China during the 1990s. Hughes (subsequently acquired by Boeing) provided technical assistance to Chinese entities that materially aided China's ballistic missile program — a USML Category XV violation of the highest severity.
Key facts: - Over 123 ITAR violations cited across multiple transactions - Technology transfers benefited Chinese Long March rocket programs - Settlement included $32 million in civil penalties plus extensive corrective actions - Congressional investigations ran parallel to the DDTC enforcement action
Lesson: Third-party technology transfer arrangements — especially in joint ventures with foreign governments — require exhaustive ITAR review. The "we didn't know" defense collapses when the transferred technology is clearly USML-controlled.
2. BAE Systems — $79 Million (2011)
BAE Systems, one of the world's largest defense contractors, entered into a $79 million consent agreement with DDTC after self-disclosing hundreds of ITAR violations spanning more than a decade. The violations included unauthorized exports of technical data, defense services, and defense articles to dozens of countries — including several U.S. allies — without required DDTC licenses.
Key facts: - More than 2,591 instances of unauthorized exports and disclosures cited - Violations spanned approximately 10 countries across multiple business divisions - BAE's voluntary disclosure and cooperation credited in the final settlement - Consent agreement required a 3-year external Special Compliance Official (SCO) monitorship
Lesson: Scale is not a defense. Even the most sophisticated global defense contractors can accumulate systemic violations when compliance programs are siloed by business unit. The BAE case is a textbook argument for enterprise-wide ITAR compliance governance.
3. United Technologies Corporation (UTC) — $75 Million (2012)
United Technologies Corporation — parent company of Pratt & Whitney and Sikorsky — paid $75 million to resolve DDTC and DOJ charges stemming from the unauthorized export of military helicopter engine software to China. The software, used on U.S. military Black Hawk helicopters, was transferred to a Chinese state-owned enterprise in connection with a commercial helicopter program.
Key facts: - Violations centered on USML Category VIII (aircraft and related articles) - The software gave China insights into military-grade rotor systems - Both civil ($55M to DDTC) and criminal ($20M to DOJ) components - Former UTC employee faced separate criminal charges
Lesson: Dual-use technology decisions — where commercial programs overlap with military-origin hardware or software — demand formal USML/EAR jurisdiction determinations before any transfer. UTC's case is often cited as the definitive example of the commercial-military technology bleed risk.
4. Raytheon — $8 Million (2013)
Raytheon's 2013 consent agreement with DDTC resolved approximately 500 violations related to unauthorized exports of technical data and defense services across multiple classified and unclassified programs. The case highlighted how routine business activities — travel briefings, engineering collaboration calls, and proposal responses — can constitute unauthorized ITAR disclosures.
Key facts: - Violations occurred across 10+ countries and multiple business segments - Several violations involved disclosures to foreign nationals within the United States (deemed export violations) - Raytheon's voluntary disclosure and compliance remediation efforts reduced the final penalty - Two-year SCO monitorship imposed
Lesson: Deemed exports — the transfer of ITAR-controlled technical data to a foreign national physically present in the United States — are among the most frequently overlooked violation categories. Every company with a global workforce must address this risk explicitly in its Technology Control Plan (TCP).
5. Cobham Holdings — $90 Million (2020)
The Cobham Holdings consent agreement is among the largest ITAR civil penalties ever assessed, resolving charges that Cobham's legacy companies exported defense articles and technical data without required authorizations to numerous foreign countries over a period spanning more than a decade. The case was complicated by Cobham's acquisition of multiple companies that themselves had legacy compliance failures.
Key facts: - More than 1,000 violations cited across multiple product lines - Violations discovered through post-acquisition compliance reviews — a critical M&A lesson - $90 million penalty; $67.5 million suspended upon compliance with consent agreement terms - Five-year consent agreement with SCO oversight
Lesson: ITAR compliance due diligence in mergers and acquisitions is not optional. Acquiring companies assume the ITAR liability of their targets. Cobham's case has fundamentally changed how defense-sector M&A deals are structured, with ITAR representations and warranties now standard in purchase agreements.
6. Sensors Unlimited / Collins Aerospace — $4.6 Million (2021)
A more recent case, the Sensors Unlimited (a Collins Aerospace subsidiary) enforcement action involved the unauthorized export of short-wave infrared (SWIR) cameras — USML Category XII items — to foreign end-users without required licenses. What makes this case instructive is that the violations were traceable to a systematic failure in export classification at the business unit level.
Key facts: - Cameras were used in military targeting and surveillance applications - Violations spanned multiple transactions to multiple countries - Case resolved through a combination of voluntary disclosure and negotiated settlement - Remediation required overhaul of the subsidiary's classification and licensing procedures
Lesson: Export classification accuracy is the foundation of every ITAR compliance program. When classification is wrong, every subsequent export transaction built on that classification is also wrong — creating multiplicative violation exposure.
7. General Atomics — $13 Million (2022)
General Atomics — manufacturer of the Predator and Reaper drone series — settled with DDTC for $13 million following the unauthorized export of technical data and defense services related to unmanned aerial systems (UAS). The case is significant because it involved USML Category X (vessels of war) and Category XI (military electronics) violations tied to drone technology — one of the hottest areas of ITAR enforcement scrutiny today.
Key facts: - Violations included unauthorized disclosures to foreign national employees (deemed exports) - Drone-related ITAR violations are an increasing enforcement priority post-2020 - Consent agreement required enhanced training and a compliance program overhaul - $9.75 million suspended upon completion of remediation milestones
Lesson: The UAS/drone sector is under heightened DDTC scrutiny. If your company designs, manufactures, or services unmanned systems, ITAR classification of every component, software module, and technical document must be current and defensible.
Penalty Trends: What the Data Tells Us
Citation Hook: DDTC consent agreements entered between 2011 and 2023 show an average civil penalty of approximately $41 million per resolved enforcement action, with the suspended-penalty mechanism used in nearly 80% of cases as an incentive for remediation compliance.
The following table summarizes the major enforcement actions discussed above:
| Company | Year | Total Penalty | Violations Cited | Key Issue |
|---|---|---|---|---|
| Hughes/Boeing | 2003 | $32M | 123+ | China satellite/rocket tech transfer |
| BAE Systems | 2011 | $79M | 2,591+ | Unauthorized exports, 10+ countries |
| UTC (Pratt & Whitney) | 2012 | $75M | Multiple | China helicopter engine software |
| Raytheon | 2013 | $8M | ~500 | Deemed exports, technical data |
| Cobham Holdings | 2020 | $90M | 1,000+ | Post-acquisition compliance failures |
| Sensors Unlimited | 2021 | $4.6M | Multiple | Misclassified SWIR cameras |
| General Atomics | 2022 | $13M | Multiple | UAS technical data, deemed exports |
Key enforcement trends to watch:
- Deemed exports are rising. As the U.S. defense industrial base employs more foreign nationals, DDTC has made deemed export violations a consistent enforcement priority.
- M&A-related violations are accelerating. Post-acquisition compliance failures (like Cobham) are driving a new wave of enforcement as private equity consolidates the defense sector.
- UAS/drone technology is a focal point. The proliferation of unmanned systems in military applications has put drone manufacturers under intensified scrutiny.
- Voluntary disclosure yields real results. In nearly every major case, voluntary disclosure and proactive cooperation materially reduced final penalty amounts.
- Suspended penalties create accountability. DDTC's practice of suspending a portion of assessed penalties contingent on remediation compliance effectively converts the consent agreement into a multi-year compliance monitorship.
The Voluntary Disclosure Calculus
DDTC's enforcement posture strongly rewards voluntary self-disclosure under 22 CFR § 127.12. When a company discovers a potential ITAR violation, the decision of whether — and how — to disclose is one of the highest-stakes calls an export compliance officer will ever make.
The enforcement record supports disclosure in most cases: - Companies that self-disclose before government discovery typically receive 40-60% reductions in final penalty amounts - Voluntary disclosure triggers a structured DDTC review process with defined timelines - Failure to disclose a known violation — and subsequent government discovery — is treated as an aggravating factor that can turn a civil matter into a criminal referral
The disclosure analysis should always involve outside export control counsel and should document the internal deliberation process thoroughly. At Certify Consulting, I help clients assess disclosure risk, structure the submission, and navigate the DDTC review process from initial notification through final resolution.
What an Effective ITAR Compliance Program Looks Like
The common thread across every major enforcement action in this article is the absence of, or failure in, a documented ITAR compliance program. DDTC's Compliance Program Guidelines identify five core elements of an effective program:
- Management Commitment — C-suite accountability and documented compliance policy
- Export Compliance Program Documentation — Written ITAR manual, Technology Control Plan (TCP), and procedures
- Training — Role-specific, frequency-defined, and records-retained
- Auditing and Monitoring — Regular internal audits and third-party assessments
- Violation Response and Voluntary Disclosure — Documented procedures for detection, escalation, and disclosure
Companies with mature programs across all five elements not only reduce violation risk — they receive credit in DDTC's penalty calculus when violations do occur. BAE Systems' cooperation and compliance investment, for example, was explicitly credited in its 2011 consent agreement.
If your organization doesn't have a current, written ITAR compliance program, contact our team at itarconsultant.us to discuss a program assessment.
The Cost of Non-Compliance vs. the Cost of Compliance
Let's put the numbers in perspective. A mid-size defense contractor with 500 employees might invest $150,000–$300,000 annually in a robust ITAR compliance program — covering personnel, training, technology, and consulting support. Against the backdrop of an average $41 million consent agreement, that investment represents less than 1% of the average enforcement outcome.
The reputational costs are harder to quantify but equally real: debarment from U.S. government contracting, loss of export privileges, and — in criminal cases — imprisonment of key personnel. In today's defense industrial base, where export control compliance is increasingly a condition of contract award and security clearance maintenance, non-compliance is an existential risk.
How Certify Consulting Helps You Stay Off This List
With 200+ clients served and a 100% first-time audit pass rate, Certify Consulting brings proven ITAR compliance expertise to defense manufacturers, exporters, and brokers at every stage of their compliance journey. Whether you're building a compliance program from scratch, responding to a DDTC audit, or navigating voluntary disclosure, I bring the legal background (JD), business acumen (MBA, PMP), and regulatory expertise (CMQ-OE, CPGP, CFSQA, RAC) to guide you through it.
Learn more about our ITAR compliance consulting services or reach out directly at certify.consulting to schedule a confidential consultation.
Frequently Asked Questions About ITAR Penalties
What is the maximum ITAR civil penalty per violation?
The maximum civil penalty for an ITAR violation is $1,394,010 per violation (inflation-adjusted under the Federal Civil Penalties Inflation Adjustment Act). Because each unauthorized export, transfer, or disclosure can constitute a separate violation, total exposure can reach into the tens or hundreds of millions of dollars.
Does voluntary disclosure actually reduce ITAR penalties?
Yes, significantly. DDTC's enforcement record consistently shows that companies that voluntarily self-disclose under 22 CFR § 127.12 receive materially reduced penalties — typically 40–60% lower than what would be assessed in cases where violations are discovered by the government. Cooperation, remediation, and the quality of the disclosure submission all factor into the final outcome.
Can individuals face criminal charges for ITAR violations?
Yes. The Arms Export Control Act (22 U.S.C. § 2778) authorizes criminal penalties of up to 20 years in prison and $1 million per count for willful ITAR violations. Individual employees, executives, and compliance officers can face personal criminal liability separate from corporate civil settlements.
What is a deemed export under ITAR?
A deemed export occurs when ITAR-controlled technical data is disclosed to a foreign national physically located within the United States. Under 22 CFR § 120.50, this disclosure is treated as an export to the foreign national's home country and requires the same DDTC license or authorization as a physical export.
What triggers a DDTC consent agreement?
A DDTC consent agreement is typically the resolution mechanism for cases involving multiple violations, systemic compliance failures, or high-severity disclosures. It combines a financial penalty (partially or fully suspended), a remediation plan, and external oversight by a Special Compliance Official (SCO) — often for a period of 3–5 years.
Last updated: 2026-04-08
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.