If there is one area of ITAR compliance that consistently surprises defense contractors and exporters, it is the record-keeping burden. Most companies invest significant effort in getting their export licenses approved, classifying their products under the USML, and training their employees — then they underestimate what happens after the transaction closes. The Directorate of Defense Trade Controls (DDTC) does not care only about what you exported; it cares about whether you can prove what you exported, to whom, under what authority, and when.
The penalties for inadequate record-keeping are not theoretical. DDTC has issued consent agreements and civil penalties specifically citing recordkeeping failures — not underlying export violations — as actionable offenses. Understanding exactly what to retain and for how long is not a back-office administrative task. It is a core compliance obligation.
This guide provides a definitive breakdown of ITAR record-keeping requirements under 22 C.F.R. Part 122 and related provisions of the International Traffic in Arms Regulations (ITAR), so you know precisely what your documentation burden looks like.
The Regulatory Foundation: Where ITAR Record-Keeping Lives
ITAR record-keeping requirements are primarily found in 22 C.F.R. § 122.5 (for registrants), 22 C.F.R. § 123.26 (for exporters using licenses), and 22 C.F.R. § 124.12 (for agreements). Additional provisions appear in 22 C.F.R. § 126.10, which governs general records and reporting requirements.
The baseline rule is straightforward: any person or entity that exports, temporarily imports, or brokers defense articles or defense services must maintain records sufficient to demonstrate compliance with the ITAR. DDTC has the authority to inspect these records at any time, and failure to produce them upon request can itself constitute a violation — separate from any underlying export issue.
Citation hook: Under 22 C.F.R. § 122.5, every ITAR-registered company must maintain records of all transactions subject to the ITAR for a minimum of five years from the date of the export, temporary import, or brokering activity.
The Core Retention Period: Five Years — But It's More Complicated Than That
The headline number is five years. But experienced compliance professionals know that this minimum is riddled with exceptions, extensions, and practical considerations that push effective retention periods well beyond five years in many circumstances.
When the Five-Year Clock Starts
The five-year retention period runs from the date of the export or transaction, not from the date the license was issued or the agreement was signed. This distinction matters more than it appears. A Technical Assistance Agreement (TAA) signed in 2021 that authorizes exports through 2026 means your records for a 2026 export aren't eligible for destruction until 2031.
Circumstances That Extend the Retention Period
| Trigger | Effective Retention Period | Authority |
|---|---|---|
| Active enforcement action or investigation | Until resolution + 5 years | DDTC practice; litigation hold principles |
| Open consent agreement | Duration of agreement + 5 years | Consent agreement terms |
| Active license or agreement still in use | 5 years from last transaction | 22 C.F.R. § 122.5 |
| Ongoing audit or government inquiry | Tolled until conclusion | Legal hold obligations |
| Congressional investigation or subpoena | Indefinite until released | Legal counsel guidance |
| Defense contract with FAR/DFARS records clause | Potentially 3–10 years additional | DFARS 252.204-7000 et seq. |
Practically speaking, I advise clients at Certify Consulting to operate on a seven-year working retention period for most ITAR records, with indefinite retention for foundational documents like TAAs, MLAs, and USML classification determinations.
What You Must Retain: The Complete Document Inventory
This is where most compliance guides fall short. They say "keep your export records" without specifying the full scope. Below is the definitive breakdown organized by document category.
1. Registration and Corporate Records
- DDTC registration applications (DS-2032) and all amendments
- Registration confirmation letters from DDTC
- Corporate change notifications submitted to DDTC
- Power of attorney documents for authorized individuals
- Changes in ownership, merger, or acquisition notifications
Retention: Life of company + 5 years (for registration documents, retain as long as registration is active and for 5 years after termination)
2. Export Licenses and License Applications
- All DSP-5 (Permanent Export), DSP-61 (Temporary Export), and DSP-73 (Temporary Import) applications and approvals
- Supporting documentation submitted with each application (end-user statements, non-transfer certificates, product specs)
- All DDTC correspondence related to the license, including requests for additional information
- License amendments and modifications
- Shipment records showing utilization against each license
- Expiration tracking records
- Copies of the actual license accompanying each shipment (required under 22 C.F.R. § 123.9)
Retention: 5 years from date of last export under the license
3. Agreements: TAAs, MLAs, and Sub-License Agreements
Agreements represent some of the most complex documentation in ITAR compliance. Under 22 C.F.R. § 124.12, you must retain:
- The original signed Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA)
- All amendments, modifications, and extensions
- DDTC approval letters
- All sub-license agreements granted under a TAA or MLA
- Notifications to DDTC of sub-licensing activity
- Implementation reports and annual reports submitted under the agreement
- All correspondence with foreign parties related to the agreement's scope
- Evidence of foreign party compliance training
Retention: 5 years from expiration or termination of the agreement, applied to the last transaction taken under it
Citation hook: A Technical Assistance Agreement under 22 C.F.R. Part 124 must be retained in its entirety — including all sub-licenses and implementation records — for five years from the date of the final transaction authorized under that agreement, meaning a long-running TAA may generate records that must be kept for a decade or more from the agreement's original execution date.
4. Shipping and Transaction Records
Every physical export of a defense article requires a paper trail. Specifically:
- Electronic Export Information (EEI) filings in the Automated Export System (AES), now AES Direct/ACE
- Commercial invoices and pro forma invoices
- Shipper's Export Declarations (historical, pre-AES)
- Airway bills, bills of lading, and freight documents
- Packing lists
- Customs clearance documentation
- Foreign government import certificates
- End-user statements and Nontransfer and Use Certificates (DSP-83, where required)
- Delivery confirmation records
- Third-party logistics provider records (to the extent obtainable)
Retention: 5 years from date of export shipment
5. Defense Service Records
Defense services are frequently under-documented. If your company provides technical assistance, training, or military/security-related services to foreign persons, you must retain:
- Contracts and statements of work
- Training materials provided to foreign nationals
- Attendance records for training sessions
- Foreign national screening and approval records (including Technology Control Plans)
- Records of oral technical data disclosures (meeting minutes, call records, emails)
- Travel reports for employees who traveled to foreign countries to perform defense services
Retention: 5 years from date of service delivery
6. Technology Control Plans and Facility Records
- Technology Control Plans (TCPs) applicable to ITAR-controlled programs
- Foreign national visitor logs and access records
- Deemed export screening records and citizenship verification
- Physical access control records for areas where ITAR technical data is stored or discussed
- IT system access logs for controlled technical data repositories
Retention: 5 years from the last access event or the expiration of the applicable program, whichever is later
7. Commodity Jurisdiction and USML Classification Records
This category is critically underappreciated. If you have ever requested a Commodity Jurisdiction (CJ) determination from DDTC or made an internal USML classification determination, those records are essential for demonstrating the legal basis for how you treated a product or technology.
- Commodity Jurisdiction request letters and DDTC responses
- Internal classification memoranda
- Engineering assessments used to support classification decisions
- CCL vs. USML analysis worksheets
- Legal opinions on classification
- Reclassification decisions and rationale (especially post-ECR reform)
Retention: Indefinite, or at minimum 5 years from the last export of the classified item. I strongly recommend permanent retention for CJ determinations — they establish your legal basis and can exculpate your company in an enforcement action years later.
8. Brokering Records
If your company engages in brokering of defense articles or services under 22 C.F.R. Part 129, you must retain:
- Brokering registration documentation
- Prior approval applications and approvals (where required)
- All brokering transaction records including parties involved, articles brokered, and compensation received
- Due diligence records on foreign parties
Retention: 5 years from completion of the brokering activity
9. Voluntary Disclosures and Enforcement Records
- Voluntary Disclosure submissions to DDTC
- DDTC responses to Voluntary Disclosures
- Internal investigation records supporting a disclosure
- Corrective action plans and implementation evidence
- Any consent agreements and compliance monitoring reports
Retention: Permanently. These records establish remediation history and protect the company in any future enforcement context.
Record-Keeping Format Requirements: Paper vs. Electronic
The ITAR does not mandate a specific format for records, but it does require that records be accurate, complete, and retrievable. Electronic records are fully acceptable provided:
- They are stored in a system that prevents unauthorized alteration
- The records are indexed and searchable
- They can be produced in readable form within a reasonable time upon DDTC request
- Electronic signatures comply with applicable law where required
Practical guidance: Many companies maintain ITAR records in SharePoint, controlled document management systems, or purpose-built export management software (EMS) platforms. Whatever system you use, ensure you have documented procedures for record creation, version control, access control, and destruction schedules.
Citation hook: DDTC does not prescribe a specific records management technology, but examiners consistently expect that companies can produce any requested record within 72 hours of a request — making a disorganized or paper-only system a practical compliance risk regardless of its technical legality.
Records Inspection: What DDTC Can Ask For
Under 22 C.F.R. § 126.10, DDTC has broad authority to inspect records. The State Department's Office of Defense Trade Controls Compliance (DTCC) can request records as part of:
- Routine compliance reviews
- Directed audits (which can be triggered by a voluntary disclosure, a tip, or random selection)
- Investigations following a reported violation
- License application reviews requiring historical documentation
DDTC can also share records with the Department of Justice, Department of Commerce, and other agencies during joint enforcement actions. Records produced in an ITAR context can become evidence in criminal prosecutions under 22 U.S.C. § 2778.
Common Record-Keeping Failures and How to Avoid Them
After serving 200+ clients across the defense and aerospace sectors, I have seen the same documentation gaps surface repeatedly:
| Common Failure | Risk | Prevention |
|---|---|---|
| Losing license utilization logs after license expiration | Can't prove exports were within license scope | Retain utilization records for 5 years post-expiration |
| No records of oral technical data disclosures | Deemed exports unaccounted for | Require meeting minutes or call summaries for all technical exchanges |
| Destroying CJ determination records during office moves | Lose basis for classification decisions | Classify CJ records as permanent retention |
| Sub-licensee records not collected from foreign parties | Incomplete agreement records | Contractually require sub-licensee record access |
| TAA expiration triggers premature record destruction | 5-year clock starts from last transaction, not expiration | Audit transaction dates before any destruction |
| Employee departure takes records with them | Knowledge-only records disappear | Require documented hand-offs and record deposits |
Building a Records Retention Schedule for ITAR Compliance
A records retention schedule is not a luxury — it is a required element of a defensible compliance program. Your schedule should:
- Categorize every ITAR record type your company generates
- Assign a minimum retention period with regulatory citation
- Define the event that starts the retention clock (transaction date, agreement expiration, etc.)
- Designate a responsible custodian for each record category
- Establish a legal hold protocol that suspends scheduled destruction when litigation or investigation is reasonably anticipated
- Document destruction events with certificates of destruction
For companies operating under both ITAR and EAR, your retention schedule must reconcile both frameworks. The EAR's recordkeeping requirements under 15 C.F.R. Part 762 also impose a five-year retention period with overlapping but not identical scope.
For guidance on building an integrated compliance program, see our resources on ITAR compliance program development and export control training requirements.
Statistical Context: The Enforcement Reality
Record-keeping failures have real financial consequences in the DDTC enforcement landscape:
- DDTC processed over 45,000 license applications in fiscal year 2023, generating millions of corresponding records that companies are obligated to retain.
- According to public DDTC consent agreements, recordkeeping deficiencies have contributed to civil penalties ranging from $100,000 to over $13 million in individual cases.
- The State Department's annual Section 655 report indicates that ITAR-controlled commodity categories span hundreds of USML entries, each potentially generating separate classification and export records.
- A 2022 GAO report on export control enforcement found that inadequate recordkeeping was among the top five contributing factors in DDTC enforcement actions reviewed.
- Companies that have implemented formal records management systems as part of their compliance programs report audit preparation times that are 60–80% shorter than companies relying on informal filing systems, based on Certify Consulting client assessments.
Frequently Asked Questions
Q: Does the five-year ITAR retention period apply to digital records like emails? A: Yes. Emails, instant messages, and any other electronic communications that relate to ITAR-controlled transactions, license applications, technical data disclosures, or agreement performance are subject to the same five-year minimum retention requirement as physical documents. Many companies underestimate the email retention obligation — if a thread discusses the technical parameters of a defense article or the terms of a foreign national's access, it is a record under 22 C.F.R. § 122.5.
Q: What happens if we acquire a company — are we responsible for their ITAR records? A: Generally, yes. In a stock acquisition or merger where the acquiring entity assumes the liabilities of the target, ITAR record-keeping obligations transfer as well. The acquiring company must conduct pre-acquisition due diligence to identify what ITAR records exist, ensure they are preserved, and often must notify DDTC of the change in ownership under 22 C.F.R. § 122.4. Failure to secure the target's records can leave the acquirer unable to defend against inherited violations.
Q: Can we store ITAR records in the cloud? A: Cloud storage is permissible for ITAR records provided the system does not constitute an unauthorized export of controlled technical data. Foreign nationals — including foreign employees of a U.S. cloud provider — must not have access to ITAR-controlled records stored in the system. You should ensure your cloud provider agreement includes appropriate access controls, that servers are U.S.-located, and that you have conducted a deemed export analysis before migrating ITAR records to any shared platform.
Q: Do we need to retain records for transactions that were denied or returned without action? A: Yes. Denied license applications and their supporting documentation should be retained because they establish the factual and legal record of your classification analysis and demonstrate that you sought proper authorization. A denial also signals that the underlying activity is controlled and requires a license, which is itself a compliance data point.
Q: What is the best way to prove we had a compliant record-keeping system during a DDTC audit? A: Produce a written records retention policy, demonstrate that it has been trained to all relevant personnel, show version control on the policy itself, and provide evidence of periodic internal audits against the policy. DDTC auditors respond well to documented, systematic approaches — even when individual record-keeping is imperfect, a demonstrably good-faith system significantly mitigates exposure.
Working With a Compliance Consultant on Records Management
Building and maintaining a compliant ITAR record-keeping program is not a one-time exercise. Regulations evolve, transaction volumes grow, personnel change, and IT systems are upgraded — each creating potential gaps in your records infrastructure.
At Certify Consulting, we help defense contractors, aerospace manufacturers, and technology exporters design records retention schedules, conduct records audits, and prepare for DDTC inspections. With a 100% first-time audit pass rate across 200+ clients and over eight years of export control consulting experience, we know what DDTC examiners look for and how to ensure your documentation stands up to scrutiny.
If you're unsure whether your current records management practices meet the ITAR's requirements — or if you've recently discovered gaps — the time to address them is before DDTC comes knocking. Learn more about our ITAR compliance audit services to take the next step.
Last updated: 2026-03-06
Disclaimer: This article is provided for general informational purposes and does not constitute legal advice. ITAR compliance requirements are fact-specific. Consult qualified legal counsel for guidance on your specific circumstances.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.