What is an ITAR voluntary disclosure and when should I file one?

An ITAR voluntary disclosure is a self-initiated report to DDTC under 22 CFR § 127.12 disclosing a potential violation of the International Traffic in Arms Regulations. You should file one when an unauthorized export, retransfer, or disclosure of USML-controlled items or technical data has occurred, when a licensed activity exceeded its scope, or when a foreign national received unauthorized access to ITAR-controlled technical data. Filing before DDTC discovers the violation independently is the key factor that triggers mitigating treatment.

How long does the ITAR voluntary disclosure review process take?

DDTC's review of a voluntary disclosure typically takes between 6 and 24 months, depending on the complexity of the violations, the number of USML categories involved, and DDTC's current caseload. Companies should continue implementing their stated remediation measures throughout the review period, as DDTC monitors follow-through and may request status updates.

What are the possible outcomes of an ITAR voluntary disclosure?

DDTC can respond with a warning letter (no monetary penalty), a civil penalty, a formal consent agreement that may include compliance program requirements and third-party audits, a no-action letter, or in cases of knowing and willful violations, a criminal referral to the Department of Justice. Voluntary disclosure with strong, documented remediation most commonly results in a warning letter or significantly reduced civil penalty.

Can I file a preliminary notification to DDTC before my investigation is complete?

Yes. Under 22 CFR § 127.12(b)(1), you may file a preliminary notification within 60 days of learning of the potential violation. This preserves the mitigating benefits of voluntary disclosure while your internal investigation is underway. The preliminary notification should describe the nature of the violation, the USML categories involved, and your commitment to submit a full narrative report once the investigation is complete.

Do I need a lawyer to file an ITAR voluntary disclosure?

While not legally required, engaging qualified legal counsel — ideally alongside an experienced ITAR compliance consultant — is strongly advisable. A voluntary disclosure is a legal document with significant evidentiary implications. Attorney-client privilege protects the internal investigation from compelled disclosure, and experienced counsel can help ensure the narrative is accurate, complete, and strategically sound. Filing without professional guidance is one of the most common mistakes companies make.

ITAR Voluntary Disclosure: Step-by-Step Guide

When an ITAR violation occurs — whether a missed license, an unauthorized export, or a technical data transfer to a foreign national — the question isn't just what happened, but what do you do next. The answer, in nearly every case, is to consider a voluntary disclosure to the Directorate of Defense Trade Controls (DDTC).

Done correctly, voluntary disclosure is one of the most powerful tools available to a defense contractor or manufacturer facing an ITAR compliance breach. Done poorly, or not at all, it can be the difference between a warning letter and a multi-million dollar consent agreement.

This guide walks through the ITAR voluntary disclosure process step by step, covering what to disclose, how to structure your submission, what DDTC looks for, and how to protect your organization throughout the process.

What Is an ITAR Voluntary Disclosure?

A voluntary disclosure (VD) is a self-initiated report to DDTC — the federal agency within the U.S. Department of State that administers the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120–130 — in which a company or individual discloses a potential violation of those regulations before the government discovers it independently.

The legal and regulatory basis for voluntary disclosures is found in 22 CFR § 127.12, which explicitly states that DDTC "strongly encourages" the submission of voluntary disclosures and that the act of disclosing is a mitigating factor in any subsequent penalty determination.

Citation hook: Under 22 CFR § 127.12, DDTC treats voluntary self-disclosure as a significant mitigating factor, and companies that proactively report violations consistently receive reduced civil penalties compared to those whose violations are discovered through government audits or third-party referrals.

Why Voluntary Disclosure Matters: The Penalty Landscape

Before diving into the process, it's worth understanding what's at stake.

ITAR civil penalties can reach $1,307,922 per violation (adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act). Criminal penalties under 22 U.S.C. § 2778 can reach $1,000,000 per violation and 20 years imprisonment. In practice, enforcement actions often involve dozens or hundreds of alleged violations, meaning total exposure can run into the tens or hundreds of millions of dollars.

DDTC has entered into consent agreements with companies including major defense primes — some exceeding $100 million — where violations went undetected or undisclosed for years. By contrast, cases resolved through voluntary disclosure with strong remediation programs routinely result in warning letters with no monetary penalty, or substantially reduced civil fines.

Disclosure Scenario	Typical DDTC Outcome
Voluntary disclosure + strong remediation	Warning letter or significantly reduced penalty
Voluntary disclosure + weak remediation	Civil penalty, possible consent agreement
No disclosure, government-discovered violation	Full civil penalty, potential criminal referral
No disclosure, repeat violations	Consent agreement, debarment risk
Criminal knowing violation, no disclosure	DOJ referral, potential prosecution

Citation hook: Companies that submit a timely ITAR voluntary disclosure with documented remediation measures are statistically far more likely to receive a warning letter or reduced penalty than those whose violations are discovered independently by DDTC or referred by a foreign government.

The 7 Steps of the ITAR Voluntary Disclosure Process

Step 1: Identify and Triage the Potential Violation

The process begins the moment your organization becomes aware of a potential ITAR violation — through an internal audit, an employee report, a compliance review, or a contract partner's notification.

Your immediate priorities:

Stop the bleeding. If an unauthorized export or retransfer is ongoing, halt it immediately. Document the date and manner in which you stopped the activity.
Preserve evidence. Issue a litigation hold. Do not delete emails, shipping records, export control classification records (ECCRs), or Technical Assistance Agreements (TAAs). Destruction of records after discovering a violation dramatically worsens your legal exposure.
Assess whether ITAR applies. Not every compliance concern is an ITAR violation. Determine whether the items or data involved are on the U.S. Munitions List (USML) under 22 CFR Part 121, and whether the activity triggers the definitions of "export," "reexport," or "retransfer" under 22 CFR § 120.50.
Engage outside counsel and/or an ITAR compliance consultant. Attorney-client privilege is important here. Involving qualified legal counsel from the outset protects the internal investigation from compelled disclosure.

Practical note from Jared Clark: In my experience working with 200+ clients across the defense, aerospace, and dual-use sectors, the companies that handle voluntary disclosures best are those that treat the triage stage with the same urgency as an IT security incident. Speed and documentation discipline in the first 72 hours can materially change the outcome.

Step 2: Conduct a Privileged Internal Investigation

Before you can disclose anything to DDTC, you need to know exactly what happened. A credible, thorough internal investigation is the backbone of a successful voluntary disclosure.

Key investigation components:

Scope the incident. Identify all items or technical data involved, all transactions, all parties (U.S. and foreign), and all timeframes.
Classify the articles or data. Confirm USML classification. If classification is uncertain, a commodity jurisdiction (CJ) request to the State Department (or a classification request to BIS for EAR items) may be appropriate, though timing must be carefully managed.
Interview relevant personnel. Document interviews contemporaneously. Understand who knew what and when.
Quantify the violations. DDTC will want to know the number of discrete violations. Undercounting — and later having DDTC identify additional violations you missed — severely undermines your credibility and mitigating posture.
Determine root cause. Was this a process failure, a training gap, a licensing miscalculation, or willful misconduct? Root cause drives remediation.

The investigation should be conducted under the direction of counsel and documented carefully. If the investigation reveals conduct that may constitute a knowing and willful violation under 22 U.S.C. § 2778(c), the calculus around voluntary disclosure becomes more complex and requires experienced legal judgment.

Step 3: Decide Whether (and What) to Disclose

Not every ITAR compliance issue requires a formal voluntary disclosure to DDTC. Some internal compliance corrections — such as updating an outdated Technology Control Plan (TCP) or correcting a classification error with no actual unauthorized export — may be handled internally without a DDTC filing.

You should strongly consider filing a voluntary disclosure when:

An actual export, retransfer, or disclosure of USML-controlled items or technical data occurred without the required license or authorization
A licensed activity exceeded the scope or conditions of an applicable license or TAA
A foreign national received unauthorized access to ITAR-controlled technical data (the so-called "deemed export" scenario)
Brokering activities subject to 22 CFR Part 129 were conducted without proper registration or approval

Submitting a preliminary notification: Under 22 CFR § 127.12(b)(1), if the investigation will take time to complete, you may file a preliminary notification within 60 days of learning of the potential violation. This preserves the benefits of voluntary disclosure while you complete the investigation. The preliminary notification should include the nature of the violation, the USML categories involved, and a commitment to submit a full narrative report.

Step 4: Draft the Voluntary Disclosure Narrative

This is the most technically demanding step. DDTC expects a detailed, well-organized written submission that covers specific elements outlined in 22 CFR § 127.12(c).

Your narrative must include:

A complete description of the violation(s) — what happened, who was involved, what articles or technical data were involved, and where they went
The USML category/subcategory for each article or data element involved (e.g., USML Category VIII(h) for military aircraft technical data)
The number and nature of each discrete violation — DDTC counts violations individually, so precision matters
The date(s) of the violation(s)
Names of all parties involved — exporters, consignees, foreign end-users, and any intermediaries
A description of the root cause
A description of the corrective actions already taken
A description of the remediation plan going forward
An acknowledgment of whether the disclosure is voluntary (i.e., not triggered by a government inquiry or investigation)

Drafting tips:

Be accurate and complete, but strategic. You are not required to speculate about violations that are not supported by the investigation's findings.
Do not minimize or characterize violations in ways that could later appear misleading. DDTC investigators are experienced and will notice discrepancies.
Use precise regulatory language. Reference the specific ITAR sections, USML categories, and license types implicated.
Attach documentary evidence as exhibits: shipping records, emails, license documents, technical drawings (redacted as appropriate), and organizational charts.

Step 5: Submit to DDTC

Voluntary disclosures are submitted to DDTC's Office of Defense Trade Controls Compliance (DTCC) via the DDTC online portal or by written submission to:

Directorate of Defense Trade Controls Office of Defense Trade Controls Compliance Bureau of Political-Military Affairs U.S. Department of State Washington, D.C. 20522-0112

Submission checklist:

[ ] Preliminary notification filed (if applicable) within 60 days
[ ] Full narrative report complete and reviewed by counsel
[ ] All USML categories correctly identified
[ ] All violations individually enumerated
[ ] Documentary exhibits organized and labeled
[ ] Remediation plan included
[ ] Submission marked "VOLUNTARY DISCLOSURE — PRIVILEGED AND CONFIDENTIAL"

After submission, DDTC will acknowledge receipt and assign a case number. The review process typically takes 6 to 24 months, depending on the complexity of the case, the number of violations, and DDTC's current workload.

Step 6: Engage With DDTC During the Review Period

Submitting the disclosure is not the end of the process. During the review period, DDTC may:

Request supplemental information or clarification — respond promptly and completely
Request additional documentation — produce it in an organized, professional manner
Schedule a meeting or call with your compliance team — prepare thoroughly and present a unified, credible account
Coordinate with the Defense Technology Security Administration (DTSA) or other agencies for interagency review on sensitive defense articles

Maintain good posture throughout:

Continue implementing your remediation plan and document progress
Do not take any export actions involving the same or related articles without confirming they are compliant
Keep DDTC informed of material developments, including any related inquiries from other agencies (e.g., BIS, OFAC, DOJ)

Step 7: Respond to DDTC's Determination and Implement Remediation

DDTC will issue one of the following outcomes:

DDTC Outcome	Description
Warning Letter	No penalty; violation acknowledged; corrective actions noted
Civil Penalty	Monetary fine, typically with a negotiated consent agreement
Consent Agreement	Formal agreement with compliance program requirements, possible monitor
Referral to DOJ	Criminal referral for willful/knowing violations
No Action Letter	DDTC declines to take action (rare; typically for minor/technical violations)

If DDTC proposes a civil penalty or consent agreement, you have the right to respond and negotiate. Engage experienced ITAR counsel for this phase. Consent agreements routinely include requirements for:

Enhanced compliance programs
Third-party audits
Mandatory training
Hiring a Special Compliance Official (SCO)
Reporting obligations for a defined period (typically 3–5 years)

Whether the outcome is a warning letter or a consent agreement, the remediation work you committed to in your disclosure must be completed and documented. This is not optional — DDTC monitors follow-through, and failure to implement stated remediation measures can result in additional enforcement action.

Common Mistakes That Undermine a Voluntary Disclosure

Based on my work with defense exporters across the industry, here are the most frequent errors I see companies make:

Waiting too long. The longer you wait after discovering a violation, the weaker your "voluntary" posture becomes — especially if DDTC learns of the issue through another channel first.
Understating the scope. Disclosing fewer violations than actually occurred destroys credibility if DDTC discovers the full picture.
Filing without legal guidance. A VD is a legal document with evidentiary implications. Filing without counsel is a significant risk.
Weak or vague remediation. Saying "we will improve training" without specifics is not a remediation plan. DDTC expects concrete, measurable corrective actions.
Not preserving records. Failure to preserve evidence is both a legal risk and a credibility problem.
Continuing the violating conduct. If the unauthorized activity is still ongoing when you file, the mitigating benefit of voluntary disclosure is severely diminished.

ITAR Voluntary Disclosure vs. EAR Voluntary Self-Disclosure: Key Differences

Companies that export both ITAR-controlled and EAR-controlled items need to understand that the voluntary disclosure processes are separate and distinct.

Feature	ITAR Voluntary Disclosure (DDTC)	EAR Voluntary Self-Disclosure (BIS)
Governing regulation	22 CFR § 127.12	15 CFR § 764.5
Administering agency	DDTC (State Dept.)	BIS Office of Export Enforcement (Commerce Dept.)
Preliminary notification	Yes (within 60 days)	Yes (within 60 days)
Penalty mitigation	Explicitly recognized	Explicitly recognized
Criminal referral risk	Yes, to DOJ	Yes, to DOJ
Typical review timeline	6–24 months	6–18 months
Common outcomes	Warning letter, civil penalty, consent agreement	No action, warning letter, civil penalty

If a single transaction implicates both ITAR and EAR (e.g., a system with both USML and CCL components), you may need to file separate disclosures with both DDTC and BIS. Coordination between those disclosures is critical to ensure consistency.

Building a Culture That Prevents Future Disclosures

The best voluntary disclosure is the one you never have to file. A robust ITAR compliance program — including a written Technology Control Plan (TCP), regular export control training, a strong jurisdiction and classification process, and periodic internal audits — is the most effective way to prevent violations in the first place.

Citation hook: According to DDTC's published enforcement data, the most common root causes of ITAR violations leading to enforcement action are inadequate classification procedures, insufficient employee training, and failure to screen foreign national employees for deemed export exposure — all factors that a well-designed compliance program directly addresses.

For companies that have just navigated a voluntary disclosure, the process is also an opportunity to upgrade your compliance infrastructure so that the same violation never recurs. DDTC looks favorably on organizations that demonstrate genuine, lasting improvements — not just paper fixes.

How Certify Consulting Supports ITAR Voluntary Disclosures

At Certify Consulting, I've guided companies through the full spectrum of ITAR enforcement situations — from minor technical violations that resolved with warning letters to complex, multi-year consent agreements involving multiple USML categories and foreign government coordination.

My approach combines deep regulatory knowledge with practical case management: helping clients scope the investigation correctly, draft a compelling and complete disclosure narrative, engage effectively with DDTC during review, and build the compliance program improvements that stick.

With a 100% first-time audit pass rate across 200+ clients and 8+ years of focused experience in ITAR and export control compliance, Certify Consulting brings the expertise and track record to help you navigate one of the most consequential compliance processes your organization will ever face.

If you're dealing with a potential ITAR violation — or want to build the compliance program that prevents one — contact Certify Consulting today for a confidential consultation.

You may also find it helpful to review our resources on ITAR compliance program fundamentals and ITAR registration and licensing requirements as you assess your organization's overall compliance posture.

Last updated: 2026-03-30