What is the ITAR definition of technical data?

Under 22 C.F.R. § 120.231, ITAR technical data is any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of a defense article listed on the U.S. Munitions List (USML). It includes drawings, specifications, manuals, software, and any other medium in which such information is recorded or transmitted.

What are some examples of ITAR-controlled technical data?

Examples include CAD/CAM files for military firearms components, source code for avionics mission computers, test procedures for guided missile seekers, metallurgical specifications for fighter jet engine blades, satellite payload integration drawings, and training manuals for military vehicle systems. Any information that enables someone to design, build, test, or maintain a USML-listed defense article is likely controlled.

What is the ITAR deemed export rule and how does it apply to technical data?

Under 22 C.F.R. § 120.50(a)(3), releasing ITAR-controlled technical data to a foreign person inside the United States is treated as an export to that person's country of citizenship or permanent residency. This means emailing a drawing to a foreign national colleague in your own office, or granting them access to a controlled file server, constitutes an export requiring State Department authorization or a valid exemption.

How is ITAR technical data different from EAR-controlled technology?

ITAR technical data relates specifically to defense articles on the USML and is controlled by the State Department's DDTC. EAR 'technology' relates to dual-use items on the Commerce Control List (CCL) and is regulated by the Commerce Department's BIS. When an item is on the USML, ITAR jurisdiction is exclusive. If jurisdiction is unclear, companies can file a Commodity Jurisdiction (CJ) request with DDTC under 22 C.F.R. § 120.97.

Is publicly available information exempt from ITAR technical data controls?

Only information that has been lawfully released into the public domain — as defined at 22 C.F.R. § 120.254 — is excluded from ITAR controls. Information that was disclosed without proper authorization, even if now widely accessible, does not automatically lose its controlled status. Fundamental research results from accredited institutions and general scientific principles taught in standard academic curricula are also excluded, but these are narrowly defined.

ITAR Technical Data: Definition, Classification & Examples

Last updated: 2026-03-23

If your company designs, manufactures, or supports defense articles — or even just discusses them with foreign nationals — you are almost certainly handling ITAR-controlled technical data. Getting this classification wrong isn't a paperwork problem. It's a federal criminal exposure problem. Penalties under the Arms Export Control Act (AECA) can reach $1,000,000 per violation and 20 years in federal prison per individual, per violation.

After more than eight years consulting on export control compliance and guiding 200+ clients to a 100% first-time audit pass rate, I can tell you that the single greatest source of unintentional ITAR violations is a misunderstanding of what "technical data" actually means — and how broadly the State Department's Directorate of Defense Trade Controls (DDTC) interprets it.

This pillar guide will give you a thorough, working understanding of ITAR technical data: its legal definition, how it's classified, where the hard cases are, and how to build internal controls that keep your organization on the right side of the law.

What Is ITAR Technical Data? The Legal Definition

The International Traffic in Arms Regulations (ITAR), codified at 22 C.F.R. Parts 120–130, define technical data at 22 C.F.R. § 120.231 (as revised under the April 2020 rule restructuring). The definition covers:

Information, other than software as defined in § 120.232, which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles.

This includes:

Information in any form — written, oral, electronic, visual, or otherwise
Blueprints, drawings, photographs, plans, instructions, and documentation directly relating to defense articles
Classified information relating to defense articles and defense services
Software that directly relates to defense articles (though software has its own definition at § 120.232)
Military specifications and standards that describe how to make, test, or modify a controlled defense article

Citation hook: Under 22 C.F.R. § 120.231, ITAR technical data encompasses any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of a defense article, regardless of the medium in which it is recorded or transmitted.

One of the most important things to understand is what the definition does not include. The regulations specifically exclude:

General scientific, mathematical, or engineering principles commonly taught in accredited academic curricula
Basic marketing information on function or purpose
Information in the public domain (as defined at 22 C.F.R. § 120.254)

The "public domain" exclusion sounds broader than it is. Information that has been published without DDTC authorization — including improperly posted documents, leaked files, or unauthorized disclosures — does not become non-controlled simply because it is accessible.

The USML: Where Classification Begins

ITAR technical data does not exist in a vacuum. It is controlled only when it is "required for" the design, development, production, or use of a defense article listed on the United States Munitions List (USML), found at 22 C.F.R. Part 121.

The USML contains 21 categories, from Category I (Firearms) through Category XXI (Miscellaneous Articles). Key categories that generate the most technical data classification questions include:

USML Category	Description	Common Technical Data Examples
Cat. I	Firearms, Close Assault Weapons & Combat Shotguns	Dimensional drawings, tolerances for barrels; rifling specifications
Cat. IV	Launch Vehicles, Guided Missiles, Ballistic Missiles	Propulsion schematics, trajectory simulation code, guidance logic
Cat. VI	Vessels of War & Special Naval Equipment	Hull design files, sonar integration specs, damage control diagrams
Cat. VIII	Aircraft & Associated Equipment	Airframe stress data, avionics integration manuals, flight envelope specs
Cat. XI	Military Electronics	Frequency-hopping algorithms, radar waveform parameters, EW system source code
Cat. XIII	Auxiliary Military Equipment	Body armor material specifications, CBRN detection thresholds
Cat. XV	Spacecraft Systems & Related Articles	Satellite bus architecture, payload encryption schematics
Cat. XIX	Gas Turbine Engines & Associated Equipment	Engine control unit (FADEC) software, hot section metallurgical specs
Cat. XXI	Articles, Technical Data & Defense Services (Misc.)	Classified articles and information not elsewhere listed

The critical analytical step is always: Does this information relate to a USML-listed article, and is it required to design, make, test, operate, repair, or modify it? If yes, it is ITAR-controlled technical data, regardless of how it looks or where it lives.

How to Classify ITAR Technical Data: A Step-by-Step Framework

Classification is not a one-time checkbox — it's an ongoing analytical process. Here is the framework I walk clients through at Certify Consulting:

Step 1: Identify the Underlying Article or Service

Ask: Does the information relate to a tangible item, a software application, or a service? What does that item, application, or service do? Could it reasonably be characterized as a defense article or defense service?

Step 2: Check the USML

Review the USML category-by-category. Pay attention to both enumerated items (explicitly listed) and catch-all provisions (e.g., "specially designed" subparagraphs and ".x" entries under the revised USML). If the underlying article is on the USML, technical data relating to it is likely controlled.

Step 3: Apply the "Required For" Test

Not all information about a defense article is ITAR-controlled. A sales brochure describing the general capabilities of an aircraft is not the same as the aircraft's maintenance manual. Apply the "required for" standard: would a technically proficient person need this information to design, build, test, operate, repair, or modify the defense article? If yes, it is technical data.

Step 4: Check for Exemptions and Exclusions

Public domain (22 C.F.R. § 120.254): Has this information been lawfully made available to the public without export authorization?
Fundamental research (22 C.F.R. § 120.253): Is this basic or applied research conducted at an accredited institution where results are ordinarily published and shared broadly?
General scientific principles: Is this information taught in standard university curricula without restriction?

Step 5: Determine If an Export Has Occurred or Is Planned

Under 22 C.F.R. § 120.50, an "export" of technical data includes releasing it to a foreign person — in the United States or abroad. This is the "deemed export" rule. Emailing a CAD drawing to a Canadian supplier, presenting a specification to a German colleague in your conference room, or even allowing a foreign national employee to access a controlled file on your server — all are exports requiring authorization.

Step 6: Identify Required Authorization

If the data is controlled and an export is involved, you need either a license from DDTC, a Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA), or a valid ITAR exemption (e.g., the NATO exemption at 22 C.F.R. § 126.14 for certain allies).

Real-World ITAR Technical Data Examples

Abstract rules only go so far. Here are concrete examples drawn from the types of scenarios I encounter with clients:

✅ Clearly Controlled Technical Data

CAD/CAM files for a military rifle receiver with dimensional tolerances and material callouts (USML Cat. I)
Source code for an avionics mission computer that processes targeting data (USML Cat. VIII / Cat. XI)
Test procedures for acceptance testing of a guided missile seeker head (USML Cat. IV)
Metallurgical specifications for titanium alloy used in fighter jet engine blades (USML Cat. XIX)
System integration drawings showing how a satellite communications payload interfaces with a military bus (USML Cat. XV)
Vulnerability assessments or penetration test reports for a classified military network (USML Cat. XI)
Training manuals that explain how to operate and maintain a military vehicle's fire suppression system (USML Cat. VII)

⚠️ Gray Area Technical Data (Requires Analysis)

Commercial off-the-shelf (COTS) hardware datasheets that are also integrated into a USML defense article — the datasheet itself may be public domain, but an integration specification showing how it interfaces with the defense article may be controlled
Dual-use test equipment calibration procedures — controlled if the calibration directly enables testing of a USML item, not controlled if used for purely commercial applications
Academic research papers citing classified or export-controlled underlying data — requires a case-by-case analysis of whether the published version triggers the fundamental research exclusion
Software tools (e.g., finite element analysis models) developed for commercial purposes but applied to USML structural analysis
Supplier quality requirements that reference military specifications (MIL-SPEC) for materials in a defense article

❌ Not ITAR Technical Data

A company overview brochure describing product lines at a general level
Publicly available MIL-SPEC standards accessible via approved government databases (e.g., ASSIST)
Basic physics, chemistry, or engineering principles published in standard academic textbooks
General business correspondence about pricing and delivery schedules (with no technical parameters)

The Deemed Export Rule: Your Biggest Hidden Risk

Citation hook: Under the ITAR deemed export rule at 22 C.F.R. § 120.50(a)(3), releasing technical data to a foreign person inside the United States is treated as an export to that person's country of citizenship or permanent residency, and requires the same State Department authorization as a physical shipment abroad.

According to a 2023 report from the DDTC, deemed export violations — primarily involving unauthorized disclosure of technical data to foreign nationals in domestic workplaces — represent a growing share of ITAR enforcement actions. Manufacturing companies, aerospace primes, and defense research organizations are consistently among the most cited.

This is not a hypothetical concern. Engineers collaborating on CAD models, researchers sharing simulation code in Slack channels, or foreign-national interns accessing restricted server directories are all potential deemed export scenarios that require a compliance program with teeth.

Practical controls to address deemed export risk:

Maintain a foreign national registry with visa status and country of citizenship for all employees with potential access to controlled data
Implement role-based access controls on document management systems (e.g., SharePoint, Windchill, Teamcenter) tied to ITAR sensitivity flags
Conduct annual export control training for all employees handling technical data
Review job postings — DDTC has cited "U.S. citizens only" postings without a supporting compliance rationale as a potential indicator of poor deemed export hygiene

ITAR vs. EAR: Which Controls Apply to Your Technical Data?

A recurring question I field from clients: "Is this ITAR or EAR?" The distinction matters enormously because the two regulatory regimes have different licensing bodies (State/DDTC vs. Commerce/BIS), different license requirements, and different penalty structures.

Factor	ITAR (22 C.F.R. Parts 120–130)	EAR (15 C.F.R. Parts 730–774)
Governing body	State Dept. / DDTC	Commerce Dept. / BIS
Control list	USML (21 categories)	Commerce Control List (CCL)
Primary focus	Defense articles & services	Dual-use goods, software & technology
Technical data term	"Technical data"	"Technology"
Catch-all for unlisted items	No (must be on USML)	Yes (EAR99 for uncontrolled items)
Deemed export rule	Yes (§ 120.50)	Yes (15 C.F.R. § 734.13)
Civil penalties	Up to $1.3M per violation	Up to $368,136 per violation (2025 adjusted)
Criminal penalties	Up to $1M / 20 yrs per violation	Up to $1M / 20 yrs per violation
Self-disclosure program	Yes (Voluntary Disclosure to DDTC)	Yes (Voluntary Self-Disclosure to BIS)

Citation hook: When an item is listed on the USML, all associated technical data is subject to ITAR regardless of whether a similar item or technology appears on the Commerce Control List — the ITAR's jurisdiction is exclusive for USML articles.

If you're uncertain whether your technical data falls under ITAR or EAR, the correct first step is a commodity jurisdiction (CJ) request to DDTC under 22 C.F.R. § 120.97 — a formal process by which State and Commerce jointly determine which regime controls a given item or technology.

Building an ITAR Technical Data Classification Program

A classification determination made once is not a compliance program. Here's how to build a sustainable system:

1. Create a Technical Data Inventory

Map every major category of controlled data your organization generates or receives: engineering drawings, specifications, test reports, software, manuals, and simulation models. For each, document the USML category, classification rationale, and authorized users.

2. Implement Document-Level Markings

Mark all ITAR-controlled technical data files with a clear legend, such as:

"This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec. 2751, et seq.) or the Export Administration Regulations (15 C.F.R. Chapters VII, 730–774). Violations of export laws are subject to severe criminal penalties."

3. Establish a Technology Control Plan (TCP)

A TCP is a written document that describes how your organization identifies, protects, and controls access to ITAR and EAR technical data. Many DDTC agreements (TAAs, MLAs) require a TCP as a condition of approval.

4. Train Employees Annually

Per DDTC best practices, export control training should be mandatory at onboarding and annually thereafter, with role-specific modules for engineers, program managers, HR, and IT.

5. Engage Outside Counsel or a Qualified Consultant

The regulatory landscape changes. DDTC issues new guidance, USML categories are revised, and enforcement priorities shift. Retaining expert support — whether for initial classification work, a Voluntary Disclosure, or a mock audit — is not a luxury for defense contractors of any size.

Why Classification Errors Happen — And How to Prevent Them

In my experience working with clients across the defense industrial base, classification errors cluster around four root causes:

"It's already on the internet" — Engineers often assume that if they can find a spec on Google, it's in the public domain. Under ITAR, unauthorized prior disclosure does not create a public domain exemption.
Program transition gaps — When a program moves from development to production, or from a prime to a subcontractor, classification documentation doesn't always follow. Gaps emerge.
Software underestimation — Source code, firmware, and simulation models are among the most frequently misclassified categories of technical data. Many organizations classify hardware correctly but overlook the software that controls it.
Foreign national oversight failures — HR onboarding processes are rarely integrated with export compliance programs. Foreign national employees gain access to controlled systems before a deemed export analysis is completed.

According to DDTC enforcement statistics, the average civil penalty per consent agreement in recent years has exceeded $500,000, with high-profile cases reaching into the tens of millions. The financial cost of a classification error compounds quickly — especially when it triggers a mandatory disclosure obligation or a government audit.

When to Request a Commodity Jurisdiction Determination

If you have a genuine ambiguity about whether your technical data is controlled under ITAR — particularly for dual-use technologies or items that were recently transitioned between the USML and the CCL as part of Export Control Reform (ECR) — you should strongly consider filing a Commodity Jurisdiction (CJ) request.

Under 22 C.F.R. § 120.97, a CJ request is a formal interagency process in which DDTC, in consultation with the Departments of Defense and Commerce, issues a binding determination on whether a specific item or technology is subject to the ITAR. The process typically takes 30–60 business days and creates a defensible administrative record.

CJ determinations are particularly valuable when: - Your product was reclassified during Export Control Reform and you have legacy technical data packages - You develop dual-use technologies with both commercial and military applications - You are acquiring a company and need to assess the ITAR exposure of its technical data library during due diligence

Get Expert Help With ITAR Technical Data Classification

ITAR technical data classification is one of the most analytically demanding tasks in export compliance — and one of the highest-stakes. A single misclassified drawing that gets emailed to the wrong recipient can trigger a mandatory DDTC disclosure, a State Department investigation, and penalties that dwarf the cost of getting it right from the start.

At Certify Consulting, I work directly with defense contractors, aerospace manufacturers, technology developers, and research organizations to build classification programs that are audit-ready and operationally practical. Whether you need a full technical data audit, a Technology Control Plan, employee training, or guidance on a specific transaction, I bring the regulatory depth and real-world experience to get you there.

Contact Certify Consulting to schedule a consultation, or explore our ITAR compliance services and export control training resources to learn more.

Last updated: 2026-03-23