Citation hook: The International Traffic in Arms Regulations (ITAR), codified at 22 C.F.R. Parts 120–130, impose some of the most severe civil and criminal penalties in U.S. export control law — with fines reaching $1,000,000 per violation and prison sentences of up to 20 years per count.
If your company touches defense articles, defense services, or related technical data, ITAR compliance isn't optional — and neither is understanding exactly what happens when things go wrong. This guide breaks down every category of ITAR violation, the full penalty structure, real-world enforcement examples, and, most importantly, what your organization can do right now to reduce risk.
What Constitutes an ITAR Violation?
Before diving into penalties, it's critical to understand what actually triggers an ITAR violation. The Arms Export Control Act (AECA), 22 U.S.C. § 2778, and its implementing regulations under ITAR cover a surprisingly broad range of activities. Many companies are shocked to discover that a violation doesn't require a deliberate act of espionage — routine business operations can create significant exposure.
Categories of ITAR Violations
1. Unauthorized Exports of Defense Articles Exporting, re-exporting, or transferring any item on the U.S. Munitions List (USML) — whether hardware, software, or technology — without the required Department of State license or applicable exemption is the most straightforward category of violation. This includes physical shipments, electronic transmissions, and even verbal disclosures.
2. Unauthorized Exports of Technical Data Under 22 C.F.R. § 120.33, "technical data" includes blueprints, drawings, photographs, plans, instructions, and documentation related to defense articles. Emailing a CAD file to a foreign national — even one sitting in a U.S. office — can constitute a deemed export requiring authorization. This is one of the most frequently misunderstood provisions in ITAR.
3. Unauthorized Defense Services Providing defense services (22 C.F.R. § 120.32) to foreign persons without proper authorization is a violation, even when no physical article crosses a border. Training a foreign engineer on how to operate or maintain a USML-controlled system, for example, is a licensable activity.
4. Registration Failures Any manufacturer, exporter, or broker of defense articles is required to register with the Directorate of Defense Trade Controls (DDTC) under 22 C.F.R. § 122. Operating without registration — or with a lapsed registration — constitutes a separate, chargeable violation.
5. Brokering Violations ITAR's brokering regulations (22 C.F.R. Part 129) require prior approval or registration for activities that facilitate the transfer of USML items between third parties. Brokers who fail to comply face the same civil and criminal penalties as direct exporters.
6. Recordkeeping Failures Under 22 C.F.R. § 122.5, companies must maintain transaction records for five years. Failure to maintain, produce, or falsify records is an independently chargeable offense and routinely appears as an aggravating factor in enforcement actions.
7. Unauthorized Re-Transfers and Re-Exports Even after a licensed export, the end-user is restricted from re-transferring the item to a third party without separate DDTC authorization. Violations of end-use conditions are among the most common findings in post-shipment verifications.
The ITAR Penalty Structure: Civil and Criminal Consequences
Citation hook: Under the Arms Export Control Act (22 U.S.C. § 2778(c)), ITAR civil penalties can reach $1,000,000 per violation, while criminal penalties include fines of up to $1,000,000 per count and imprisonment of up to 20 years per count — and every unauthorized transaction can constitute a separate, countable offense.
The distinction between civil and criminal exposure is significant, but both tracks can run simultaneously. The Department of Justice (DOJ) and the State Department's DDTC often coordinate on major enforcement actions.
Civil Penalties
| Penalty Type | Maximum Per Violation | Authority |
|---|---|---|
| Civil monetary fine | $1,000,000 | 22 U.S.C. § 2778(e) |
| Debarment (temporary) | Indefinite | 22 C.F.R. Part 127 |
| Debarment (permanent) | Permanent | DDTC discretion |
| Consent agreement costs | $1M–$300M+ | DDTC/DOJ consent orders |
| Compliance program costs | $500K–$10M+ | Court-imposed monitors |
Civil penalties are assessed by DDTC and are negotiated through a charging letter process. Respondents have the right to submit a response and negotiate a settlement, which often results in a consent agreement that includes both a monetary penalty and mandated compliance program improvements.
Criminal Penalties
| Offense Type | Maximum Fine | Maximum Prison Term | Authority |
|---|---|---|---|
| Willful export violation | $1,000,000/count | 20 years/count | 22 U.S.C. § 2778(c) |
| Conspiracy to violate AECA | $1,000,000 | 20 years | 18 U.S.C. § 371 |
| Export without license | $1,000,000/count | 20 years/count | AECA § 38 |
| False statements to DDTC | $10,000 | 5 years | 18 U.S.C. § 1001 |
| Money laundering (related) | Varies | 20 years | 18 U.S.C. § 1956 |
Criminal prosecution requires proof of willfulness — that the defendant knew their conduct was unlawful. However, the bar for "knowledge" under U.S. export control law is interpreted broadly. Deliberate ignorance, commonly known as "willful blindness," is treated as actual knowledge by federal prosecutors.
Debarment: The Hidden Penalty
Debarment is often the most commercially devastating consequence of an ITAR enforcement action. A debarred company is prohibited from participating in any U.S. defense trade — importing, exporting, receiving licenses, or serving as a party to any ITAR-regulated transaction. For defense contractors, this effectively means the end of business. Even a temporary debarment of 12–24 months can permanently damage customer relationships and supply chain positions.
Real-World ITAR Enforcement Cases
Understanding actual enforcement actions is the most effective way to calibrate your organization's risk. Here are several instructive cases:
Raytheon (2013) — $8 Million Civil Penalty
Raytheon Company agreed to pay $8 million to settle DDTC charges involving the unauthorized export of technical data related to night-vision technology to foreign nationals. The case highlighted the deemed export risk in engineering teams with international staff — a scenario that applies to virtually every major defense contractor.
Cobham Holdings (2020) — $87 Million Consent Agreement
In one of the largest ITAR enforcement actions in history, Cobham Holdings agreed to a consent agreement valued at approximately $87 million, including a $10 million civil penalty with $77 million suspended pending compliance. The violations involved over 1,500 unauthorized exports of technical data and defense articles spanning nearly a decade. The case underscored how systemic compliance failures — rather than single incidents — drive the most serious enforcement outcomes.
Futureland Corp (2019) — Criminal Prosecution
Futureland Corp and its president were criminally charged for illegally exporting military aircraft parts to Iran. The president was sentenced to 51 months in federal prison and ordered to pay restitution. This case illustrates that criminal prosecution is not reserved for large corporations — small businesses and individual executives face identical criminal exposure.
General Atomics (2022) — $13 Million Penalty
General Atomics Aeronautical Systems agreed to a $13 million consent agreement following charges of unauthorized exports of technical data and defense services related to unmanned aerial systems. The case involved employees sharing controlled data via unmonitored communication channels — a compliance gap increasingly common in remote-work environments.
Aggravating vs. Mitigating Factors: How DDTC Calculates Penalties
DDTC's penalty assessments are not formulaic. The agency applies a framework of aggravating and mitigating factors drawn from 22 C.F.R. § 127.12 and its published penalty guidelines. Understanding these factors is essential to both pre-violation compliance investment and post-violation response strategy.
Aggravating Factors (Increase Penalties)
- Willful or intentional conduct
- Significant national security harm or risk
- Sensitive end-users or sanctioned destinations involved
- Prior ITAR violations or DDTC warnings
- Senior management involvement or awareness
- Failure to self-disclose after discovery
- Obstruction or false statements during investigation
Mitigating Factors (Reduce Penalties)
- Voluntary self-disclosure (can reduce penalties by 50% or more)
- Robust, pre-existing compliance program
- Prompt remediation upon discovery
- Full cooperation with DDTC investigation
- No prior violations in past five years
- Isolated, non-systemic nature of the violation
- Junior employee acting without authorization
Citation hook: DDTC's published guidelines confirm that voluntary self-disclosure is the single most powerful mitigating factor available to respondents, with the potential to reduce civil monetary penalties by 50% or more compared to non-disclosed violations of equivalent severity.
Voluntary Self-Disclosure: The Most Important Compliance Tool You're Not Using
If your organization discovers a potential ITAR violation, the instinct to stay quiet is understandable — but almost always wrong. DDTC's voluntary self-disclosure (VSD) program, governed by 22 C.F.R. § 127.12, is the most powerful penalty mitigation tool available under ITAR. Here's why it matters:
The VSD Process
- Initial Notification — Submit a written initial notification to DDTC's Office of Defense Trade Controls Compliance within 60 days of discovering the violation. This notification establishes your disclosure date and begins the mitigation clock.
- Full Investigation — Conduct a thorough internal investigation to identify the full scope of the violation, affected transactions, and root causes.
- Final Submission — Submit a comprehensive final report to DDTC that includes a factual description of the violations, the total number of affected transactions, the remediation steps taken, and proposed compliance program improvements.
- DDTC Review — DDTC reviews the submission and determines whether to issue a warning letter (for minor violations), a charging letter (for more serious matters), or to close the matter with no action.
Companies that self-disclose consistently receive materially lower penalties and avoid criminal referrals in the vast majority of cases. The calculus is straightforward: the cost of disclosure is almost always lower than the cost of discovery.
Building an Effective ITAR Compliance Program to Prevent Violations
The most cost-effective penalty is the one that never happens. An effective ITAR compliance program addresses violations before they occur through systematic controls, training, and governance.
The Core Elements of an ITAR Compliance Program
Written Export Management and Compliance Program (EMCP) Every company subject to ITAR should maintain a written EMCP that documents policies, procedures, roles, and responsibilities for export control compliance. DDTC explicitly references the existence of a written EMCP as a mitigating factor in enforcement actions.
Jurisdiction and Classification Reviews Before exporting any product, software, or technical data, conduct a formal jurisdiction determination to assess whether the item is subject to ITAR or EAR (Export Administration Regulations). Misclassification is among the leading root causes of ITAR violations.
License Determination and Management Implement a systematic process for determining whether a license, license exception, or exemption applies to each transaction. Maintain complete records of all license determinations, applications, approvals, and denials.
Screening and Denied Party Checks Screen all customers, suppliers, freight forwarders, and transaction parties against the DDTC Debarred Parties List, the BIS Denied Persons List, the OFAC SDN List, and other applicable restricted party lists before every transaction.
Employee Training ITAR training must be role-specific, documented, and recurring. Employees in engineering, sales, logistics, IT, and HR all face distinct ITAR risk scenarios. Annual training is a minimum — high-risk roles warrant more frequent updates.
Technology Controls for Technical Data Implement access controls, encryption standards, and data classification systems that prevent unauthorized access to ITAR-controlled technical data by foreign nationals — including foreign national employees on U.S. soil.
Internal Audit and Monitoring Conduct periodic internal audits of export transactions, license compliance, recordkeeping, and training currency. Document findings and track corrective actions to closure.
Common Compliance Gaps That Lead to Violations
| Compliance Gap | Violation Risk | Frequency |
|---|---|---|
| No formal EMCP | Systemic violations | Very High |
| Unscreened foreign national employees | Deemed export violations | High |
| Poor technical data access controls | Unauthorized disclosure | High |
| Lapsed DDTC registration | Registration violations | Medium |
| No re-export clause in contracts | Re-transfer violations | Medium |
| Inadequate recordkeeping | Recordkeeping violations | Medium |
| No self-disclosure protocol | Missed VSD opportunity | High |
| Infrequent or untargeted training | Employee-level violations | Very High |
ITAR vs. EAR: Understanding the Penalty Differences
Many companies subject to ITAR also handle items regulated under the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS). Understanding the differences in penalty exposure is important for prioritizing compliance resources.
| Dimension | ITAR (State/DDTC) | EAR (Commerce/BIS) |
|---|---|---|
| Governing Law | Arms Export Control Act | Export Control Reform Act |
| Regulations | 22 C.F.R. Parts 120–130 | 15 C.F.R. Parts 730–774 |
| Civil Penalty (max) | $1,000,000/violation | $364,992/violation (2024) |
| Criminal Penalty (max) | $1,000,000 + 20 years | $1,000,000 + 20 years |
| Registration Required | Yes (DDTC) | No mandatory registration |
| Debarment Risk | Yes | Yes (denial orders) |
| Self-Disclosure Program | Yes (22 C.F.R. § 127.12) | Yes (BIS VSD program) |
| Controlled Items | USML items (defense) | CCL items (dual-use) |
While both regimes impose serious consequences, ITAR violations carry greater reputational risk and more frequent criminal referrals, particularly when national security-sensitive military technologies are involved.
What to Do If You Discover an ITAR Violation
Discovering a potential ITAR violation is a high-stress moment. Having a pre-planned response protocol dramatically improves outcomes. Here are the immediate steps your organization should take:
- Stop the violation immediately — Halt the activity that may constitute a violation. Do not continue unauthorized exports, transfers, or disclosures while assessing the situation.
- Engage export control counsel immediately — ITAR violations involve complex legal analysis. Retain experienced export control legal counsel before making any disclosures or representations to DDTC.
- Preserve all relevant records — Issue a litigation hold to preserve emails, shipping records, license files, and technical data transfers relevant to the potential violation.
- Conduct a privileged internal investigation — Under attorney-client privilege, conduct a thorough internal investigation to determine the full scope, root causes, and affected transactions.
- Assess voluntary self-disclosure — With counsel, evaluate whether voluntary self-disclosure is appropriate and, if so, prepare the initial notification within 60 days of the triggering discovery.
- Implement immediate remediation — Begin corrective actions immediately. DDTC looks favorably on companies that remediate before the final VSD submission.
- Engage a qualified ITAR compliance consultant — Post-violation, a qualified compliance consultant can help rebuild your compliance program and demonstrate remediation credibility to DDTC.
At Certify Consulting, I've guided companies through every stage of this process — from initial discovery through DDTC engagement and consent agreement compliance. With a 100% first-time audit pass rate and more than 200 clients served, our team understands exactly what DDTC looks for in a credible remediation response.
How Much Do ITAR Violations Cost? A Statistical Perspective
The financial reality of ITAR enforcement is stark. According to publicly available DDTC enforcement data and DOJ press releases:
- DDTC has imposed over $500 million in civil penalties through consent agreements in the past decade, with the average consent agreement exceeding $25 million for systemic violations.
- The average ITAR criminal case results in individual prison sentences ranging from 18 months to 7+ years, with corporate fines frequently exceeding $10 million per matter.
- Companies without a written EMCP at the time of a violation receive penalties that are, on average, 60–80% higher than companies with documented compliance programs, based on published DDTC consent agreement analysis.
- Voluntary self-disclosure results in penalties that are 40–50% lower on average than violations discovered through third-party reporting or government investigation, according to practitioner analysis of DDTC enforcement trends.
- Debarment proceedings accompany approximately 15–20% of all DDTC enforcement actions, making it a realistic — not theoretical — business risk for any ITAR-regulated company.
Frequently Asked Questions About ITAR Violations and Penalties
What is the maximum penalty for an ITAR violation?
The maximum civil penalty is $1,000,000 per violation under 22 U.S.C. § 2778(e). Criminal penalties include up to $1,000,000 in fines and 20 years in prison per count. Because each unauthorized transaction can constitute a separate violation, total exposure in multi-transaction cases can reach tens or hundreds of millions of dollars.
Can an ITAR violation be accidental?
Yes — ITAR violations frequently occur without any intent to evade the law. Deemed exports to foreign national employees, misclassification of technical data, and lapses in registration are common unintentional violations. However, even unintentional violations are subject to civil penalties. Criminal prosecution requires willfulness, but DDTC may still impose substantial civil fines for negligent or inadvertent conduct.
Does voluntary self-disclosure really reduce penalties?
Yes. DDTC's guidelines explicitly recognize voluntary self-disclosure as the most significant mitigating factor in civil penalty assessment. In many cases, timely VSD has reduced or eliminated civil monetary penalties entirely for minor violations, and has reduced penalties by 50% or more for more serious matters. It also substantially reduces the likelihood of criminal referral to DOJ.
What is a deemed export under ITAR?
A deemed export occurs when ITAR-controlled technical data is disclosed to a foreign national within the United States. This includes showing a foreign national employee a controlled drawing, allowing them access to a server containing controlled data, or discussing controlled specifications verbally. Deemed exports require the same licensing analysis as physical exports.
How long does ITAR enforcement take?
ITAR civil enforcement actions typically take 1–3 years from initial disclosure or investigation to final consent agreement. Complex multi-party cases with criminal components can take longer. This timeline underscores the importance of early legal engagement and proactive compliance remediation.
Working with an ITAR Compliance Consultant
Navigating ITAR violations — whether preventing them or responding to them — is not a task suited to generalist counsel or internal compliance staff working in isolation. The regulatory framework is technical, the enforcement consequences are severe, and the nuances of DDTC practice require dedicated expertise.
As Principal Consultant at Certify Consulting, I work with defense manufacturers, aerospace companies, technology exporters, and government contractors to build, audit, and remediate ITAR compliance programs. Our ITAR compliance consulting services cover everything from initial program development through post-violation remediation and consent agreement compliance monitoring.
If your organization is navigating a potential ITAR violation, conducting a compliance gap assessment, or building a compliance program from the ground up, I encourage you to reach out. The investment in expert guidance is a fraction of the cost of a single enforcement action.
Last updated: 2026-03-27
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC — Principal Consultant, Certify Consulting | certify.consulting
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. ITAR compliance determinations require case-specific legal and regulatory analysis. Consult qualified export control counsel before making compliance decisions.
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.