Citation Hook: The single most consequential determination in U.S. export control compliance is jurisdiction — specifically, whether your product, technology, or service falls under the International Traffic in Arms Regulations (ITAR), administered by the State Department's Directorate of Defense Trade Controls (DDTC), or the Export Administration Regulations (EAR), administered by the Commerce Department's Bureau of Industry and Security (BIS).
If you've ever stared at a product spec sheet and wondered, "Do I need a State Department license or a Commerce Department license — or both?" you're not alone. This question trips up seasoned compliance officers and first-time exporters alike. Getting the answer wrong isn't a paperwork inconvenience. It's a federal violation that can result in criminal penalties of up to $1 million per violation, civil penalties exceeding $1.3 million per violation under ITAR, and potential debarment from all future U.S. government contracting.
In my 8+ years of working with more than 200 clients across the defense, aerospace, biotech, and dual-use technology sectors, the jurisdiction determination is — without question — the most foundational step in any export compliance program. Everything else flows from it. Get it right, and your program is built on solid ground. Get it wrong, and no amount of well-intentioned paperwork will save you.
This article is your definitive guide to understanding which agency regulates what, how to make the jurisdiction call with confidence, and why the stakes are too high to guess.
The Two Major Export Control Regimes at a Glance
The United States maintains two primary export control frameworks, each with its own governing agency, regulatory authority, commodity control list, and licensing structure.
| Feature | ITAR (State / DDTC) | EAR (Commerce / BIS) |
|---|---|---|
| Governing Regulation | 22 C.F.R. Parts 120–130 | 15 C.F.R. Parts 730–774 |
| Primary List | U.S. Munitions List (USML) | Commerce Control List (CCL) |
| Jurisdiction Trigger | Defense articles & services | Dual-use items & less-sensitive defense items |
| License Authority | Directorate of Defense Trade Controls (DDTC) | Bureau of Industry and Security (BIS) |
| Penalties (Civil) | Up to $1,308,326 per violation | Up to $353,534 per violation (or 2x transaction value) |
| Penalties (Criminal) | Up to $1M/violation, 20 yrs imprisonment | Up to $1M/violation, 20 yrs imprisonment |
| Registration Requirement | Yes — mandatory DDTC registration | No general registration requirement |
| De Minimis Rule | Does not apply | Applies to foreign-made items with U.S. content |
| Key License Types | DSP-5, DSP-73, TAA, MLA | Individual, License Exception, NLR |
| Technology Control | Covers "technical data" broadly | Covers "technology" per CCL definitions |
Citation Hook: Under ITAR, registration with DDTC is mandatory for any U.S. company that manufactures, exports, or brokers defense articles or defense services — even if no actual export has occurred and even if no license is ultimately required. This requirement alone surprises a significant number of first-time clients.
The State Department's Role: ITAR and the USML
What the State Department Controls
The State Department, through its Directorate of Defense Trade Controls (DDTC), administers the International Traffic in Arms Regulations (ITAR). The ITAR's scope is defined by the U.S. Munitions List (USML), codified at 22 C.F.R. Part 121. The USML is organized into 21 categories, each covering defense articles and defense services with a primary military application.
The 21 USML Categories include: - Category I – Firearms, Close Assault Weapons and Combat Shotguns - Category II – Guns and Armament - Category IV – Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets - Category VIII – Aircraft and Associated Equipment - Category XI – Military Electronics - Category XIII – Auxiliary Military Equipment - Category XV – Spacecraft Systems and Associated Equipment - Category XXI – Articles, Technical Data, and Defense Services Not Otherwise Enumerated
If your product, component, software, or technical data was specifically designed, developed, configured, adapted, or modified for a military application, it almost certainly belongs on the USML.
The "Specially Designed" Standard Under ITAR
One of the most misunderstood concepts in ITAR jurisdiction is the term "specially designed." A product doesn't need to be exclusively military in use — it needs to have been developed with military application as its intended purpose. This is why a seemingly commercial-looking electronic component can be ITAR-controlled if its design origins trace back to a military program.
Who Must Register With DDTC
Any U.S. person (individual or company) that: 1. Manufactures defense articles on the USML 2. Exports or temporarily imports defense articles 3. Provides defense services 4. Acts as a broker of defense articles or services
...must register with DDTC under 22 C.F.R. Part 122. Registration fees currently run from $2,250 to $2,750 per year depending on the number of licenses held. Non-compliance with the registration requirement itself constitutes a violation — independent of any actual unauthorized export.
ITAR Licensing Mechanisms
ITAR licenses are not one-size-fits-all. The primary license instruments include:
- DSP-5: Permanent export of unclassified defense articles and technical data
- DSP-73: Temporary export of defense articles
- Technical Assistance Agreement (TAA): Authorizes the export of defense services, including training and technical data sharing
- Manufacturing License Agreement (MLA): Authorizes foreign parties to manufacture defense articles using U.S. technical data or assistance
TAAs and MLAs are particularly complex because they govern ongoing relationships rather than single transactions — and they require DDTC approval before execution, not after.
The Commerce Department's Role: EAR and the CCL
What the Commerce Department Controls
The Commerce Department, through its Bureau of Industry and Security (BIS), administers the Export Administration Regulations (EAR). Where ITAR covers items with a primary military purpose, the EAR covers a much broader universe: dual-use items (commercial products with potential military application), less-sensitive military items transitioned off the USML under Export Control Reform (ECR), and virtually all commercial goods not elsewhere controlled.
The Commerce Control List (CCL), found at 15 C.F.R. Part 774, Supplement 1, organizes controlled items into 10 categories:
| CCL Category | Description |
|---|---|
| 0 | Nuclear Materials, Facilities & Equipment |
| 1 | Materials, Chemicals, Microorganisms & Toxins |
| 2 | Materials Processing |
| 3 | Electronics |
| 4 | Computers |
| 5 | Telecommunications & Information Security |
| 6 | Sensors & Lasers |
| 7 | Navigation & Avionics |
| 8 | Marine |
| 9 | Aerospace & Propulsion |
Each item on the CCL is identified by an Export Control Classification Number (ECCN), which is a 5-character alphanumeric code (e.g., 3A001 for electronics). The ECCN determines what license requirements apply based on destination country, end-user, and end-use.
The EAR99 Designation
Items subject to the EAR but not listed on the CCL are designated EAR99. EAR99 items generally don't require a license for export — unless they're headed to embargoed countries, designated end-users, or prohibited end-uses. A critical mistake I see regularly: exporters assume that "EAR99" means "no controls apply." That's wrong. An EAR99 widget sold to a Russian military entity is still a violation.
Key EAR License Exceptions
Unlike ITAR, the EAR provides a robust system of License Exceptions that authorize exports without an individual license when specific conditions are met:
- TMP (Temporary Imports, Exports, Reexports, and Transfers)
- TSR (Technology and Software — Unrestricted)
- STA (Strategic Trade Authorization) — for exports to close allies
- LVS (Limited Value Shipments)
- ENC (Encryption Commodities, Software and Technology)
Using a license exception incorrectly — or citing one that doesn't actually apply — is one of the most common self-reported violations BIS receives.
Export Control Reform: How Lines Were Redrawn
The ECR Initiative and Its Impact
Beginning in 2013, the U.S. government undertook a sweeping Export Control Reform (ECR) initiative that fundamentally restructured the boundary between ITAR and EAR jurisdiction. The core objective was to move items that were ITAR-controlled but posed lower national security risk onto the CCL under the EAR.
Citation Hook: Under Export Control Reform, hundreds of previously ITAR-controlled items were transitioned to the Commerce Control List, typically to new ECCN "600 series" entries (e.g., 0A606, 9A610), creating a hybrid category of military items now subject to EAR rather than ITAR.
The "600 series" ECCNs were created specifically to absorb former USML items. For example: - 0A606 covers military vehicles (former USML Category VII items) - 9A610 covers military aircraft parts (former USML Category VIII items)
If your company was ITAR-registered and compliant before 2013 and you haven't revisited your commodity jurisdiction determinations since, there is a meaningful chance some of your products have moved to EAR jurisdiction — and your internal controls may not reflect that.
Why ECR Created More Complexity, Not Less
Counterintuitively, ECR didn't simplify the compliance landscape for most companies — it added a layer of complexity. Now, a single product family might include: - Components still controlled under ITAR (USML) - Components transitioned to EAR 600-series - Commercial components that are EAR99
Each layer requires different controls, different record-keeping, different license instruments, and in some cases, different personnel with different training.
How to Make the Jurisdiction Determination
Step 1: Is the Item on the USML?
Start with the USML. Review 22 C.F.R. Part 121 carefully. If your item — including its components, software, and technical data — appears on any USML category, it is presumptively ITAR-controlled. If you're unsure, you can submit a Commodity Jurisdiction (CJ) request to DDTC under 22 C.F.R. § 120.4. DDTC will issue a formal, binding determination.
Important: Filing a CJ request is not an admission of ITAR jurisdiction. It is a prudent, good-faith compliance step that demonstrates due diligence and can be critical in the event of a future enforcement inquiry.
Step 2: If Not USML, Is the Item on the CCL?
If the item is not on the USML, move to the CCL. Identify whether a matching ECCN exists. BIS also offers a formal classification mechanism: the Classification Request, submitted through the SNAP-R system. Like CJ requests, formal BIS classification provides a defensible record of your compliance decision-making.
Step 3: If Neither, Is the Item Still Subject to the EAR?
Items not on either the USML or the CCL may still be "subject to the EAR" as EAR99. And even EAR99 items are restricted when: - The destination is an embargoed country (Cuba, Iran, North Korea, Syria, Russia, Belarus) - The end-user appears on a restricted party list (SDN List, Entity List, Denied Persons List, etc.) - The end-use involves weapons of mass destruction (the "catch-all" controls at 15 C.F.R. § 744)
Step 4: Conduct Restricted Party Screening — Always
Regardless of whether an item is ITAR, EAR, or EAR99, restricted party screening is non-negotiable for every transaction. The relevant lists include: - OFAC Specially Designated Nationals (SDN) List - BIS Entity List - BIS Denied Persons List - BIS Unverified List - State Department Debarred Parties List - Non-proliferation Sanctions Lists
A single missed hit on the Entity List can transform an otherwise lawful EAR99 shipment into a federal violation.
Why Getting Jurisdiction Wrong Is So Costly
Enforcement Actions Tell the Story
The financial exposure from misclassifying jurisdiction is not theoretical. Recent enforcement actions illustrate the stakes:
- In 2023, a U.S. aerospace manufacturer paid $13 million in civil penalties to DDTC for unauthorized exports of defense technical data, in part because it had improperly classified ITAR-controlled items as EAR.
- BIS imposed a $300 million penalty against a global semiconductor company for export violations involving dual-use technology diverted to restricted military end-users.
- According to DDTC's most recent annual report, the average ITAR settlement in contested cases exceeded $8 million.
Beyond the financial penalties, ITAR violations can result in debarment from U.S. government contracting — often a business-ending consequence for defense contractors, even large ones.
The Voluntary Disclosure Calculus
Both DDTC and BIS operate voluntary self-disclosure (VSD) programs. Proactively disclosing violations before they are discovered by regulators typically results in significantly reduced penalties — sometimes 50% or more. But the window for a "voluntary" disclosure closes the moment the agency opens an investigation. This is why I recommend that clients conduct annual internal compliance audits as a standard practice, not a reactive one.
Building a Defensible Compliance Program Around Jurisdiction
A robust export compliance program doesn't treat jurisdiction as a one-time determination. It builds jurisdiction review into every product development cycle, every M&A transaction, every new customer onboarding, and every change in product specification. Here's what that looks like in practice:
Establish a Written Commodity Classification Policy
Your Export Management and Compliance Program (EMCP) — the framework recommended by BIS — and your ITAR compliance manual should both include documented procedures for how jurisdiction determinations are made, by whom, with what evidence, and how they are recorded. Documentation is your first line of defense in any enforcement inquiry.
Train Engineering and R&D, Not Just Compliance
One of the most underappreciated risk vectors in jurisdiction determination is the engineering team. Engineers make design decisions that can trigger ITAR or EAR classification without ever intending to enter the export control space. A mechanical engineer who modifies a commercial component's tolerances to meet a military specification may have just created a USML-controlled defense article. Training must extend beyond the compliance office.
Leverage Technology for Classification and Screening
Modern trade compliance platforms — including Amber Road (now part of E2open), Descartes, and OCR Services' restricted party screening tools — can automate large portions of the classification and screening workflow. But technology is not a substitute for expert judgment on close-call jurisdiction questions.
When in Doubt, Seek Expert Guidance
Formal CJ requests and BIS Classification Requests take time — often 60 to 120 days for DDTC, and 14 to 90 days for BIS depending on complexity. During that window, you can continue operations under a documented interim classification, provided it is made in good faith and you can demonstrate a reasonable basis for it. This is where experienced outside counsel or a qualified export compliance consultant becomes invaluable.
At Certify Consulting, we regularly support clients through the CJ and classification request process, including drafting the technical narratives that support DDTC and BIS determinations. Getting the submission right the first time dramatically shortens the review cycle.
ITAR vs. EAR: Practical Scenarios
To make this concrete, here are five common scenarios and how jurisdiction typically resolves:
| Scenario | Likely Jurisdiction | Key Rationale |
|---|---|---|
| Titanium fasteners designed per MIL-SPEC for fighter jet airframes | ITAR (USML Cat. VIII) | Specially designed for military aircraft |
| Commercial GPS chipset sold to a foreign university | EAR (ECCN 7A994 or EAR99) | No specific military design; dual-use |
| Night-vision goggle components designed for U.S. Army program | ITAR (USML Cat. XII) | Fire control, range finder, military electronics |
| Encryption software with >64-bit key length, mass market | EAR (ECCN 5D992) | Mass market encryption, license exception ENC may apply |
| Drone airframe originally designed for commercial mapping, later sold to a foreign military | EAR + possible ITAR analysis | End-use/end-user analysis required; "specially designed" re-evaluation |
Frequently Asked Questions
Can a product be controlled by both ITAR and EAR at the same time?
No. Under U.S. export control law, a single item cannot simultaneously be subject to both ITAR and EAR jurisdiction. The two regimes are mutually exclusive at the item level. However, a system or product family can contain components that fall under ITAR while other components fall under EAR — meaning your overall program must manage both regimes even if individual line items are controlled by only one.
What happens if I've been exporting under EAR when the item should have been ITAR-controlled?
This is a serious situation that requires prompt legal assessment. Continuing the practice after becoming aware of a potential misclassification significantly aggravates the violation. Your immediate next steps should include halting the exports in question, retaining qualified export counsel, and evaluating whether a voluntary self-disclosure to DDTC is appropriate. Proactive disclosure substantially reduces penalty exposure under 22 C.F.R. § 127.12.
Is technical data (software, blueprints, specs) controlled the same way as physical hardware?
Yes — and in many ways, technical data is more aggressively controlled. Under ITAR, the release of controlled technical data to a foreign national anywhere in the world — including on U.S. soil — constitutes a deemed export. The same principle applies under EAR. This means that cloud storage, email, collaborative engineering platforms, and even verbal conversations can constitute unauthorized exports of controlled technology.
How long does a Commodity Jurisdiction (CJ) determination take?
DDTC's published target for CJ determinations is 45 days for straightforward cases, but complex or novel items routinely take 60 to 120 days or longer. Interagency referrals — cases where DDTC consults with DoD, BIS, or other agencies — can extend timelines further. Filing a well-structured, technically thorough CJ request from the outset is the most effective way to minimize processing time.
Do foreign subsidiaries of U.S. companies need to comply with ITAR and EAR?
Foreign subsidiaries of U.S. companies are not themselves "U.S. persons" under ITAR, but they are not exempt from U.S. export control obligations. U.S.-origin technical data or hardware transferred to a foreign subsidiary is still subject to ITAR or EAR licensing requirements. Additionally, U.S. parent companies bear responsibility for ensuring their subsidiaries don't engage in conduct that would violate U.S. law — particularly with respect to re-exports, country sanctions, and restricted party obligations.
The Bottom Line: Jurisdiction Is the Foundation
Every export compliance program — no matter how sophisticated — is only as strong as its jurisdiction determinations. The State Department and the Commerce Department each control a distinct universe of items, with distinct legal requirements, distinct penalties, and distinct administrative processes. Confusing the two, or failing to make a formal determination at all, is not a minor procedural gap. It is the gap through which enforcement actions fall.
If your organization manufactures, sells, or transfers technology — physically or digitally — to foreign persons or countries, you need a defensible, documented answer to the jurisdiction question for every controlled item in your portfolio.
If you're not confident in your current classifications, or if your compliance program hasn't been reviewed since Export Control Reform restructured the USML-to-CCL transitions, that review is overdue. Explore our ITAR compliance consulting services to learn how Certify Consulting supports organizations at every stage of the export control compliance lifecycle — from initial jurisdiction determination through license management, audit preparation, and voluntary disclosure support.
Last updated: 2026-04-12
Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC — Principal Consultant, Certify Consulting. Jared has guided 200+ organizations through export control compliance with a 100% first-time audit pass rate across 8+ years of practice.
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.