State Department vs. Commerce Department: Who Regulates What and Why It Matters

Jared Clark

April 12, 2026

A U.S. aerospace manufacturer thought they had their export controls figured out. Their products were commercial-grade components, nothing obviously military. They filed under EAR, worked through BIS, managed their Commerce Control List classifications. Then a DDTC audit revealed that three of those "commercial" components had been specifically designed for integration into military targeting systems — USML Category XII items. Every export to their foreign distributor over the previous four years had been made without ITAR authorization. The company was looking at hundreds of separate violations at up to $1.3 million each.

The technology didn't change. The components were the same. What changed was the discovery that the wrong agency had been in charge of regulating them the entire time.

This is the consequence of the most common mistake in U.S. export compliance: not knowing which of two separate, parallel, and fundamentally different regulatory regimes actually governs your products. Most companies know that "export controls" exist. Far fewer understand that there are two distinct systems — administered by two different agencies, built on two different legal frameworks, with two different lists of controlled items, two different licensing authorities, and two different enforcement arms — and that getting the jurisdictional assignment right is the foundation everything else is built on.

This article breaks down exactly how the State Department and Commerce Department divide that authority, what each regime controls, why jurisdiction determines everything downstream, and how to build a defensible classification process that holds up under government scrutiny.


The Two Regulatory Regimes at a Glance

U.S. export controls divide into two principal regimes. They are parallel systems that cover different categories of goods, technology, and services. An item is subject to one or the other — not both — but a company can have products regulated under both simultaneously.

| Dimension | ITAR (State Dept.) | EAR (Commerce Dept.) |
|---|---|---|
| Administering Agency | Directorate of Defense Trade Controls (DDTC) | Bureau of Industry and Security (BIS) |
| Enabling Law | Arms Export Control Act (AECA), 22 U.S.C. § 2778 | Export Controls Act of 2018 (ECRA) |
| Regulations | 22 C.F.R. Parts 120–130 | 15 C.F.R. Parts 730–774 |
| Controlled Items List | United States Munitions List (USML) — 21 categories | Commerce Control List (CCL) — ECCNs + EAR99 |
| Item Focus | Defense articles, defense services, technical data | Dual-use goods, software, technology |
| Registration Required? | Yes — mandatory for all manufacturers/exporters/brokers | No general registration requirement |
| Key License Types | DSP-5, DSP-73, TAA, MLA | BIS-748P; License Exceptions (STA, ENC, TMP) |
| Catch-All Concept | "Specially Designed" (§ 120.41) | EAR99 |
| Max Civil Penalty | ~$1.3M per violation | ~$1.5M per violation (or 2x transaction value) |
| Criminal Exposure | Up to 20 years / $1M per count | Up to 20 years / $1M per count |
| Deemed Export Rules | Yes — foreign nationals in the U.S. | Yes — foreign nationals in the U.S. |
| Voluntary Disclosure | Available under 22 C.F.R. § 127.12 | Available under 15 C.F.R. § 764.5 |

What the State Department Controls (ITAR)

The International Traffic in Arms Regulations — ITAR — sit under the Arms Export Control Act and are administered by DDTC within the State Department. The policy rationale is explicit: items on the USML are so closely tied to national security and U.S. military effectiveness that their export, re-export, and transfer must be supervised at the diplomatic level. This is not a trade agency making cost-benefit calculations about commercial access. It is a foreign policy instrument.

Defense Articles, Defense Services, and Technical Data

ITAR controls three categories of things, and all three matter independently.

Defense articles are any item or technical data designated on the USML. The threshold concept is "specially designed" — if an item was specifically designed, developed, configured, adapted, or modified for a defense application, and it meets the criteria at ITAR § 120.41, it is a defense article. This can apply to components, subsystems, or software, not just finished weapons systems.

Defense services means furnishing assistance — including training, technical support, or the sharing of technical data — to foreign persons in connection with the design, development, production, use, maintenance, or modification of defense articles. A U.S. engineer consulting for a foreign defense manufacturer is providing defense services. That requires authorization, regardless of whether any physical item crosses a border.

Technical data under ITAR means information required for the design, development, production, manufacture, assembly, operation, repair, testing, or maintenance of defense articles. This explicitly includes blueprints, specifications, manufacturing instructions, test protocols, and source code. It does not matter whether the data is marked "ITAR" — if it meets the definition, it is controlled.

The USML: 21 Categories That Define "Defense"

The United States Munitions List in 22 C.F.R. Part 121 organizes defense articles into 21 categories. The breadth is significant:

  • Category I — Firearms, Close Assault Weapons, and Combat Shotguns
  • Category II — Guns and Armament
  • Category III — Ammunition and Ordnance
  • Category IV — Launch Vehicles, Guided Missiles, Rockets, and Torpedoes
  • Category VI — Surface Vessels of War
  • Category VII — Ground Vehicles
  • Category VIII — Aircraft and Related Articles
  • Category XI — Military Electronics
  • Category XII — Fire Control, Laser, Imaging, and Guidance Equipment
  • Category XIII — Materials and Miscellaneous Articles
  • Category XIV — Toxicological Agents
  • Category XV — Spacecraft Systems and Related Articles
  • Category XVI — Nuclear Weapons-Related Articles
  • Category XXI — Miscellaneous Articles (catch-all for items not otherwise enumerated)

Following Export Control Reform (ECR) completed between 2013 and 2020, the USML was revised to a positive list — items must be specifically enumerated to fall under ITAR. Items that previously fell under broad USML catch-alls were migrated to the CCL, typically receiving "600 series" ECCNs. This reform clarified thousands of items but did not eliminate jurisdictional ambiguity — it just moved the boundary.

Why ITAR Is Strict: There Is No De Minimis Exception

EAR has a de minimis rule — if the U.S.-controlled content in a foreign-made item falls below a certain percentage threshold, EAR jurisdiction may not follow the item abroad. ITAR has no equivalent. Once an item is ITAR-controlled, ITAR jurisdiction follows it everywhere, permanently, regardless of how much U.S. content it contains in a foreign-manufactured end product. This has major implications for supply chains, joint ventures, and foreign production arrangements.

ITAR also requires mandatory DDTC registration for any company that manufactures, exports, or brokers USML-controlled items — even if they have never actually exported anything. Registration is not a license. It is a precondition for holding a license. Operating without registration while conducting any ITAR-regulated activity is itself a violation.


What the Commerce Department Controls (EAR)

The Export Administration Regulations — EAR — are administered by BIS within the Commerce Department. The policy rationale is different from ITAR: EAR governs dual-use items, things with legitimate commercial applications that also have potential military or proliferation uses. The default presumption under EAR is that trade is permissible; controls exist to carve out exceptions for items and destinations where national security or foreign policy concerns are elevated.

Dual-Use Items: The CCL and ECCNs

The Commerce Control List organizes controlled items using Export Control Classification Numbers (ECCNs). An ECCN is a five-character alphanumeric code — for example, 3A001 (electronic components), 6A002 (optical sensors), or 9E018 (technology for turbine engines) — that identifies what the item is, why it is controlled, and which license requirements and exceptions apply.

The CCL covers ten product categories (0 through 9) across five product groups:

  • Group A — Systems, Equipment, and Components
  • Group B — Test, Inspection, and Production Equipment
  • Group C — Material
  • Group D — Software
  • Group E — Technology

Each ECCN entry specifies the reasons for control — national security (NS), missile technology (MT), nuclear nonproliferation (NP), chemical and biological weapons (CB), crime control (CC), regional stability (RS), and others. The applicable reasons for control determine which country groups require a license and which license exceptions are available.

EAR99: The Catch-All and Its Limits

Items subject to EAR that are not specifically listed on the CCL carry the EAR99 designation. EAR99 is the lowest-sensitivity tier under EAR — and for most commercial exports to most destinations, it means no license required. But EAR99 is not a compliance-free zone.

EAR99 items still require screening against BIS's restricted-party lists (Entity List, Denied Persons List, Unverified List, Military End User List) and the Treasury Department's OFAC sanctions lists. And under EAR Part 744, an EAR99 item can require a license if it will be used in connection with weapons of mass destruction, by a military end-user in designated countries, or for other prohibited end-uses. The item's classification is only part of the analysis.

Licensing Exceptions Under EAR

EAR provides significantly more flexibility than ITAR through its system of licensing exceptions. Where ITAR exemptions are narrow and require careful analysis, EAR licensing exceptions — when properly documented — can authorize a broad range of exports without a formal license application. Key exceptions include:

  • STA (Strategic Trade Authorization) — Allows exports to 36 close-ally countries for most controlled items when certain conditions are met
  • ENC (Encryption) — Authorizes exports of mass-market commercial encryption products after a one-time review
  • TMP (Temporary Exports) — Covers short-term exports for exhibitions, inspections, or personal use
  • RPL (Replacement Parts) — One-for-one replacement of previously authorized exports
  • GOV (U.S. Government) — Exports for official U.S. government end-use

Licensing exceptions are not self-executing — eligibility must be verified, conditions must be documented, and the exception must be cited on shipping documentation. Citing an exception you don't qualify for is an EAR violation.


The Critical Difference: Jurisdiction Determines Everything

Here is where the rubber meets the road. Jurisdiction — the determination of which regime controls your item — is not administrative paperwork. It is the foundational question that every subsequent compliance decision is built on. Get it wrong and everything downstream is wrong: your license type is wrong, your registration status is wrong, your technology controls are wrong, your training program is wrong, and your export documents are wrong.

Why Getting Jurisdiction Wrong Is the #1 Compliance Mistake

I have worked with companies that successfully built complete EAR compliance programs — solid ECCN classifications, robust BIS screening, clean license documentation — and then discovered that several of their products were actually ITAR-controlled. Every export those products touched, going back years, was potentially a DDTC violation. The EAR compliance program, however well-built, was irrelevant to those items.

The reverse happens too. Companies managing ITAR obligations sometimes discover items that were treated as USML-controlled actually migrated to the CCL during Export Control Reform — which means they may have been requiring licenses and implementing ITAR controls that weren't legally necessary, while potentially missing EAR obligations they were unaware of.

Neither scenario is trivial to unwind. Both require a full historical analysis, a corrective action plan, and in many cases, consultation with outside counsel about voluntary disclosure obligations.

The Commodity Jurisdiction (CJ) Process

When a company cannot definitively determine whether an item is ITAR- or EAR-controlled — a situation more common than many compliance professionals acknowledge — the formal resolution mechanism is a Commodity Jurisdiction (CJ) request to DDTC.

A CJ request asks DDTC to issue an official written determination on whether a specific item, service, or data is subject to ITAR or should be regulated by another agency (typically Commerce). CJ requests are submitted through DDTC's online D-Trade system and must include a complete technical description of the item, its intended end-uses, and any prior classification determinations.

The interagency review process for a CJ involves DDTC, the Departments of Defense and Commerce, and sometimes other agencies. DDTC is supposed to issue decisions within 45 days, but complex cases frequently take longer.

A CJ determination does three things simultaneously. It resolves the immediate jurisdictional question. It creates a written, government-issued classification record that is admissible in your defense if you are ever audited or investigated. And it establishes a precedent that applies to all substantially similar items in your product line.

What Triggers a CJ Request?

Not every product needs a formal CJ. Clear USML items — a military rifle, a battlefield communications radio, a missile guidance unit — don't require confirmation. But a CJ request is appropriate in several situations:

  • Your item was redesigned from a military specification to a commercial one, or vice versa
  • Your item incorporates both USML-derived technology and commercially available components
  • Your item sits in a product category that was revised during Export Control Reform
  • A customer, government contractor, or foreign partner has asked for a jurisdictional determination
  • Your legal team and your technical team disagree on which list applies
  • You are about to sign a manufacturing agreement or joint venture that will transfer technical data

If any of these conditions exist and you cannot produce a contemporaneous written classification rationale, you should either work through the self-classification process to document one — or file a CJ request to get government confirmation.

How DDTC and BIS Sometimes Disagree — and What Happens Then

The interagency CJ process is supposed to produce consensus, but DDTC and Commerce have historically had different views on where specific items land. The most significant source of ongoing disagreement involves "specially designed" determinations — whether a particular component was designed with sufficient military specificity to trigger ITAR, versus whether its commercial pedigree puts it on the CCL.

When agencies disagree, the matter escalates through the interagency process, and in some cases to a formal appeal or a policy-level resolution. For companies, this means a pending CJ request does not automatically shield them from enforcement during the review period — though a good-faith pending CJ filing is typically viewed favorably in any enforcement context.


Penalties: What's at Stake When You Get It Wrong

Both regimes carry severe civil and criminal penalties. The numbers are large enough that even a small number of violations can represent an existential financial risk for a mid-size company.

ITAR Penalties

ITAR civil penalties are assessed by DDTC under 22 U.S.C. § 2778 and can reach approximately $1.3 million per violation (inflation-adjusted under the Federal Civil Penalties Inflation Adjustment Act). Criminal penalties under the Arms Export Control Act reach up to $1 million per count and 20 years imprisonment for willful violations.

The "per violation" structure is what makes ITAR exposure so severe. Each unauthorized export, each unauthorized re-export, each unauthorized disclosure of technical data — including to a foreign national employee inside the United States — is a separate violation. A company that made 50 unauthorized exports over three years is not facing one violation. It is facing up to 50 violations at $1.3 million each.

DDTC can also debar a company from participating in U.S. defense export activities — a consequence that can be more damaging than any financial penalty for companies whose business depends on DDTC licenses and government contracts.

Major consent agreements have exceeded $75–$90 million and included mandatory multi-year compliance oversight by an external Special Compliance Official (SCO). The BAE Systems 2011 consent agreement involved more than 2,500 violations. The Cobham Holdings 2020 agreement involved more than 1,000 violations and a $90 million penalty.

EAR Penalties

EAR civil penalties are assessed by BIS under the Export Controls Act and can reach approximately $1.5 million per violation or twice the value of the transaction, whichever is greater. Criminal penalties mirror ITAR at up to $1 million per count and 20 years imprisonment.

BIS enforcement has intensified sharply since 2022, particularly around exports of advanced semiconductors, electronics, and related technology to Russia, China, and Iran. BIS has pursued criminal indictments against individual executives in addition to civil penalties against companies, and has added hundreds of entities to the Entity List — a designation that effectively bars U.S. companies from doing business with them without a license that BIS will rarely grant.

How Penalties Compound

Export control penalties do not work on a sliding scale. There is no volume discount. Every shipment is a separate violation. Every email containing controlled technical data is a separate violation. Every instance of a foreign national employee accessing controlled technical drawings without authorization is a separate violation.

A company that discovers a systemic classification error — and determines it has been exporting the wrong way for three years across dozens of transactions — is not looking at one fine. It is looking at a number that can climb into the tens or hundreds of millions before any mitigating factors are applied.


Common Scenarios That Trip Up Companies

The abstract jurisdictional framework becomes concrete fast when you look at the situations that actually generate enforcement actions. These are the patterns I see most often.

A Commercial Product Upgraded With Military-Grade Specs

A manufacturer produces a sensor that has been EAR-controlled for years. A defense customer asks them to modify it for integration into a targeting system — new sensitivity parameters, enhanced environmental hardening, modified interface specifications. The product that ships looks similar to the commercial version. The company classifies it under the same ECCN it always has.

The modification that made the sensor suitable for military targeting integration may have triggered USML Category XII coverage — not because the hardware changed dramatically, but because the "specially designed" test under ITAR § 120.41 turns on the design intent and military application, not just the physical specifications. A product that was EAR-controlled before the modification is now ITAR-controlled after it.

Foreign National Employees and Deemed Exports

Under both ITAR (22 C.F.R. § 120.50) and EAR (15 C.F.R. § 734.13), releasing controlled technical data to a foreign national physically located inside the United States is treated as an export to that person's home country. This is the deemed export rule, and it catches more companies than any other single concept.

An engineering firm hires a talented Chinese national to work in its R&D group. Over two years, that engineer reviews design documents, attends project briefings, and has access to the shared drive where technical specifications are stored. If those specifications are ITAR-controlled, every access is a potential deemed export to China — a country requiring DDTC licensing for most USML technology. The company never shipped anything. The engineer never left the building. The violation happened in the conference room.

Technology Transfer via Email or Cloud Storage

This is the invisible export. ITAR-controlled technical data stored in a cloud environment accessible to foreign nationals, emailed to a foreign partner in connection with a contract, or shared via a collaboration platform is an export. The data doesn't physically cross a border. The violation happens at the moment of access.

Companies that have invested in physical security — badged access to the engineering floor, locked filing cabinets, on-site security clearances — and then store the same information on a consumer cloud platform accessible from anywhere in the world have not actually controlled anything. The Technology Control Plan (TCP) must explicitly address digital environments, and ITAR-controlled data requires protections that most commercial cloud services do not provide natively.

Acquisitions: Buying a Company With Undisclosed ITAR Obligations

When you acquire a company, you acquire its ITAR history. Any ITAR violations that occurred before the acquisition date — unauthorized exports, unregistered manufacturing, undisclosed technical data disclosures — became your liability the moment the deal closed. The Cobham Holdings 2020 consent agreement is the archetype: Cobham acquired multiple companies that had legacy compliance failures, discovered them through post-acquisition review, and ended up in a $90 million enforcement action.

ITAR due diligence in M&A is now standard practice in serious transactions. It means reviewing DDTC registration status, license history, Technology Control Plans, Empowered Official records, and export documentation going back at least five years. Companies that skip this step in the name of deal velocity are accepting liability they haven't quantified.

Subcontractors Who Don't Know They're Handling ITAR-Controlled Data

A prime contractor flows ITAR-controlled technical data to a subcontractor under a manufacturing agreement. The subcontractor — a machine shop, a coatings vendor, a software developer — has no ITAR compliance program, no DDTC registration, and no awareness that the data they received was controlled. They have foreign national employees who accessed the data. They stored it on a shared network drive. They may have discussed it with a foreign supplier.

The prime contractor has an obligation under ITAR to ensure that controlled data flows only to authorized recipients. The subcontractor, by receiving and using ITAR-controlled technical data without proper authorization, is in violation of ITAR. Both parties have exposure. This is why serious prime contractors require ITAR compliance representations from subcontractors and conduct supplier audits — not because it is a nice-to-have, but because their own compliance record depends on it.


How to Determine Which Regime Applies to Your Product

Jurisdictional classification follows a defined, hierarchical process. There is no shortcut, and the analysis must be documented in writing to be defensible.

Step 1: USML First

Begin with the United States Munitions List at 22 C.F.R. Part 121. Review each of the 21 categories that could plausibly apply to your item. Pay close attention to the "specially designed" standard under ITAR § 120.41 — it has a specific two-part test that includes a "catch" and a "release" mechanism. An item meets the "catch" if it was designed or modified for military application; it is "released" from USML coverage if it meets certain exceptions related to common commercial use, availability, or performance parameters.

Also review the relevant "see-through" rules. Components and subsystems that were designed for integration into USML-controlled end items may themselves be USML-controlled, even if the component standing alone looks commercial.

If your item is on the USML: it is ITAR-controlled. Full stop. ITAR takes priority over EAR. Do not proceed to the CCL analysis for this item.

Step 2: CCL Second

If your item is not on the USML, proceed to the Commerce Control List at 15 C.F.R. Part 774, Supplement No. 1. Use the CCL's ten product categories and five product groups to locate the applicable ECCN. BIS's online SNAP-R classification system can assist with self-classification, and BIS also offers a formal Classification Request process for official determinations.

Pay special attention to "600 series" ECCNs — these are items that were transitioned from the USML to the CCL during Export Control Reform and carry more stringent EAR controls than typical dual-use items.

If your item has an ECCN: it is EAR-controlled. Proceed to license determination based on the ECCN, the destination country, the end-user, and the end-use.

Step 3: EAR99 Last

If your item is not on the USML and not specifically listed on the CCL, it is EAR99. EAR99 items generally do not require an export license but are not exempt from restricted-party screening or end-use controls under EAR Part 744.

Step 4: Document Everything

The classification analysis must be written down. A verbal conclusion or an implicit assumption that "this is clearly commercial" does not constitute a defensible classification record. Your documentation should identify the specific USML categories reviewed, the specific CCL entries reviewed, the reasoning for why each applies or does not apply, the technical parameters of the item, and who performed and approved the classification. This record should be revisited whenever the item's design, intended end-use, or customer base changes.

When to Self-Classify vs. When to File a CJ Request

Self-classification with documented rationale is appropriate for most items where the jurisdictional analysis is reasonably clear. A CJ request is appropriate when:

  • The analysis is genuinely ambiguous after thorough review
  • The stakes are high — large export volumes, sensitive technology, or high-risk destinations
  • A customer, partner, or government counterparty requires formal government confirmation
  • Your company is preparing for M&A due diligence and needs a clean, government-issued classification record
  • Your item sits in a product category that underwent significant change during Export Control Reform

Building a Compliance Program That Covers Both

Most companies that work anywhere near the defense industrial base operate in a world that includes both ITAR and EAR obligations simultaneously. Even if your core products are clearly on one list, you may have ancillary items — testing equipment, software tools, raw materials, technology licenses — that fall under the other regime. A compliance program designed around only one regime has a hole in it.

Classification as the Foundation

The entire compliance program rests on correct classification. If you don't know which regime controls each item in your product line, you cannot correctly set licensing requirements, access controls, screening procedures, or training curricula. Classification reviews should be conducted by a qualified person — not just a business or legal generalist — with specific training in both USML and CCL analysis. And they must be refreshed when products change.

Screening, Licensing, and Documentation

Both ITAR and EAR require screening every transaction party against government restricted-party lists before export. ITAR requires DDTC-issued licenses for most exports to foreign persons; EAR requires licenses for specific item/country/end-user combinations and allows a broader range of licensing exceptions. All license determinations and the basis for any exception claim must be documented and retained for a minimum of five years under both regimes.

Technology Control Plans

A Technology Control Plan (TCP) is required under ITAR when a company has ITAR-controlled technical data in an environment where foreign nationals have access — which, for most companies with a global workforce, means everywhere. The TCP documents physical and digital access controls, identifies controlled data and who has authorized access to it, and establishes procedures for managing foreign national employees and visitors. A TCP is not just a document — it is an operational system that must be actively maintained.

For EAR, the equivalent is a deemed export review process incorporated into your export compliance program. The analysis is the same — what technology do we have, which foreign nationals have access, and is a deemed export license required for any of them — but the procedural framework is less prescriptively defined than the ITAR TCP requirement.

Training That Actually Reaches the Right People

The engineers, not just the compliance officers, need to understand what ITAR and EAR mean for their daily work. A compliance training program that covers the legal framework in the abstract but does not translate to concrete guidance for how an engineer handles a foreign partner's email, or how a sales team manages an inbound inquiry from a restricted country, is not doing its job. Role-specific training — with documentation of completion — is what DDTC's Compliance Program Guidelines call for, and it is what enforcement actions consistently reveal was absent in companies that found themselves in trouble.

When to Bring in Outside Expertise

Not every jurisdiction analysis needs a consultant. Clear-cut classifications don't require outside review. But there are inflection points where outside expertise pays for itself many times over:

  • Building a compliance program from scratch, or rebuilding one after an audit finding
  • Completing a CJ request for an ambiguous product
  • Preparing for or responding to a DDTC or BIS audit
  • Evaluating whether a potential violation warrants voluntary disclosure
  • Conducting ITAR/EAR due diligence in an M&A transaction
  • Establishing a compliance program after winning a first defense contract

The cost of getting expert guidance before a problem develops is a fraction of the cost of managing enforcement after one does.


Frequently Asked Questions

What is the difference between ITAR and EAR?

ITAR (22 C.F.R. Parts 120–130) is administered by the State Department's DDTC and controls defense articles, defense services, and related technical data on the United States Munitions List (USML). EAR (15 C.F.R. Parts 730–774) is administered by the Commerce Department's BIS and controls dual-use goods, software, and technology on the Commerce Control List (CCL). At the item level, a product is controlled under one regime or the other, not both — but a company can have products subject to both simultaneously.

What is a Commodity Jurisdiction (CJ) request?

A Commodity Jurisdiction (CJ) request is a formal petition submitted to DDTC asking for an official determination of whether a specific item, service, or data is subject to ITAR or EAR. It is the gold-standard mechanism for resolving jurisdictional ambiguity, particularly for items that sit on the USML/CCL boundary. A CJ determination creates a documented, defensible classification record.

What is EAR99 and does it still require an export license?

EAR99 is the catch-all designation for items subject to EAR that are not specifically listed on the Commerce Control List (CCL). Most EAR99 items do not require an export license for most destinations, but they still require screening against restricted end-users and end-uses. If an EAR99 item is destined for a sanctioned country, a denied party, or a prohibited end-use (such as WMD development), a license or license exception is required.

What happens if I apply the wrong export control regime to my product?

Misidentifying jurisdiction is one of the most consequential compliance errors a company can make. If you treat an ITAR-controlled item as EAR-controlled, every export and disclosure you made without DDTC authorization is a potential ITAR violation — each carrying civil penalties up to approximately $1.3 million per violation. The correction requires a full compliance remediation, potential voluntary disclosure to DDTC, and retroactive license review.

Does a company need to register with both DDTC and BIS?

Registration requirements differ significantly. ITAR requires mandatory DDTC registration for any company that manufactures, exports, or brokers defense articles or defense services — regardless of whether you hold an active license. EAR does not have a general registration requirement; compliance is classification-based. A company with both ITAR and EAR products must maintain DDTC registration and comply with EAR requirements for its CCL-controlled items without a separate BIS registration.


Jurisdiction Is Not Optional to Understand

The State Department and the Commerce Department are not two names for the same thing. ITAR and EAR are not interchangeable frameworks with similar rules. They are built on different legal authorities, enforced by different agencies, structured around different product lists, and calibrated to different policy objectives.

Every company that manufactures, exports, or handles U.S.-origin technology has an obligation to understand which of these regimes governs their products — and to make that determination through a documented, defensible process. The USML analysis comes first. The CCL analysis comes second. EAR99 is the default if neither applies. And when the answer is genuinely uncertain, the Commodity Jurisdiction process exists precisely to give you certainty.

The cost of getting this right proactively is a compliance program, trained personnel, and the occasional expert consultation. The cost of getting it wrong is measured in millions of dollars per violation, potential criminal liability for individuals, and in serious cases, the loss of the ability to participate in U.S. defense trade at all.

If your company is working through a jurisdiction analysis, building a compliance program that covers both ITAR and EAR, or navigating a specific situation where the regulatory lines are unclear, the right time to get expert guidance is before the problem becomes a violation. At Certify Consulting, we've helped more than 200 defense manufacturers, exporters, and contractors build compliance programs that hold up — achieving a 100% first-time audit pass rate. Reach out for a confidential consultation and let's figure out where your products actually stand.


Last updated: 2026-04-12

Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.