Won a Defense Contract? Start ITAR Compliance Here

Jared Clark

March 05, 2026

You Just Won a Defense Contract — Now You Need ITAR Compliance. Where Do You Start?

By Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC | Principal Consultant, Certify Consulting

Congratulations. You just won your first Department of Defense contract. After months of proposals, pricing negotiations, and nervous waiting, you have a signed contract in hand and a performance timeline that starts now.

Then someone on your team reads the fine print and says four letters that stop everything cold: ITAR.

The International Traffic in Arms Regulations govern the export, transfer, and disclosure of defense articles, defense services, and related technical data. If your contract involves items on the U.S. Munitions List (USML), and most DoD contracts do, you are now legally obligated to comply with a regulatory framework administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC). Non-compliance is not a paperwork problem — it is a federal criminal exposure problem. Penalties can reach $1,000,000 per violation and 20 years in federal prison under 22 U.S.C. § 2778.

The good news: ITAR compliance is entirely manageable when you approach it systematically. Over eight years and 200+ clients served — with a 100% first-time audit pass rate — I have guided dozens of first-time defense contractors through exactly this situation. This guide gives you the honest, practical roadmap you need.


Step 1: Confirm Whether ITAR Actually Applies to Your Contract

Before you do anything else, confirm the regulatory trigger. Not every DoD contract automatically invokes ITAR, though the majority do.

ITAR applies when your work involves:

  • Items, services, or technical data that appear on the U.S. Munitions List (22 CFR Part 121)
  • Defense services provided to foreign persons, even on U.S. soil
  • Manufacturing, repair, modification, or testing of USML items
  • Technical data (drawings, specifications, software) that describes the design, development, production, or operation of USML articles

How to determine your classification:

1. Review your contract's DD Form 254 (Department of Defense Contract Security Classification Specification) — this document will signal if controlled technical data is involved
2. Identify the NSN (National Stock Number) or part numbers on your contract and cross-reference against the USML categories
3. Check whether your contract includes DFARS clause 252.225-7048 (Export-Controlled Items) or references to EAR/ITAR specifically

If there is any ambiguity, a commodity jurisdiction (CJ) request submitted to DDTC can formally determine whether your product falls under ITAR or the Export Administration Regulations (EAR). Do not guess. The wrong classification in either direction creates legal and operational risk.


Step 2: Register with DDTC Immediately

If ITAR applies, your very first compliance action is registration with the Directorate of Defense Trade Controls. This is not optional and it is not something you do eventually.

Under 22 CFR § 122.1, any person who engages in the United States in the business of manufacturing or exporting defense articles, or furnishing defense services, must register with DDTC. The registration fee for most manufacturers is $2,250 per year as of the current DDTC fee schedule.

What registration requires:

  • Completed DS-2032 (Statement of Registration) submitted through the DDTC portal
  • Documentation of your business entity and Employer Identification Number
  • Disclosure of any foreign ownership, control, or influence (FOCI)
  • List of USML categories you intend to be registered under

Registration typically takes 30–60 business days for initial approval. If your contract performance is imminent, notify your contracting officer and request any available grace provisions — but understand that performing ITAR-regulated work before registration is itself a violation.

Citation hook: DDTC registration under 22 CFR § 122.1 is a legal prerequisite for any U.S. company manufacturing, exporting, or providing defense services related to USML items — not a post-award administrative formality.


Step 3: Appoint an Empowered Compliance Officer

Regulators and auditors look for one thing above all else in a first-time contractor's compliance program: accountable human ownership.

Your organization needs a designated ITAR Compliance Officer (sometimes called an Empowered Official under 22 CFR § 120.67). This individual must:

  • Have authority to bind the company in export-related decisions
  • Be a U.S. person (citizen or lawful permanent resident)
  • Have the authority to stop a shipment or disclosure if a compliance question arises, without retribution or override
  • Understand the penalties for non-compliance and be responsible for communicating them internally

In small organizations, this is often the CEO, VP of Operations, or General Counsel. In larger organizations, it may be a dedicated compliance director. The title matters less than the authority and accountability.

Do not make this role ceremonial. One of the most common compliance failures I see in first-time contractors is appointing an Empowered Official on paper and then systematically excluding them from the business decisions that trigger ITAR obligations.


Step 4: Build Your Technology Control Plan (TCP)

A Technology Control Plan is your organization's documented system for preventing unauthorized access to ITAR-controlled technical data. If your contract involves foreign nationals working at your facility — or if there is any chance of foreign nationals accessing your systems — a TCP is not optional.

A compliant TCP addresses:

  • Physical access controls (badge access, visitor logs, restricted areas)
  • Information technology controls (server segmentation, access permissions, data labeling)
  • Employee and visitor screening procedures
  • Subcontractor and vendor access controls
  • Export license requirements for any foreign person access

The "deemed export" rule under 22 CFR § 120.50 is the most underestimated trap for new defense contractors. Sharing ITAR-controlled technical data with a foreign national inside the United States is treated as an export to that individual's country of citizenship. This applies to employees, vendors, interns, and visitors. According to DDTC enforcement data, deemed export violations consistently appear among the top categories of ITAR enforcement actions.

Citation hook: Under the ITAR deemed export rule (22 CFR § 120.50), releasing controlled technical data to a foreign national on U.S. soil constitutes an export to that person's country of citizenship and requires the same licensing analysis as a physical overseas shipment.


Step 5: Conduct a Comprehensive ITAR Compliance Gap Assessment

Once your registration is initiated and your Empowered Official is appointed, you need an honest inventory of where your organization stands against ITAR's requirements. A gap assessment evaluates your current state against the minimum requirements for a compliant program.

Core Program Elements to Assess

| Program Element | Minimum Requirement | Common Gap in New Contractors |
|---|---|---|
| DDTC Registration | Active, current registration under correct USML categories | Not registered or wrong categories |
| Written Compliance Policies | Documented ITAR/export compliance manual | No written policy exists |
| Employee Training | Initial and annual training for all personnel with ITAR access | No formal training program |
| Technology Control Plan | Written TCP with physical and IT controls | No TCP; no access controls |
| License Management | System to track all export authorizations | Licenses not tracked or maintained |
| Recordkeeping | 5-year retention of all ITAR-related records (22 CFR § 122.5) | Inconsistent or absent recordkeeping |
| Subcontractor Flow-Down | ITAR requirements flowed to all relevant subs | Subs not vetted or informed |
| Screening Procedures | Denied party screening for all transactions | No screening process |
| Internal Audit | Periodic internal review of compliance program | No internal audit schedule |
| Voluntary Disclosure Procedure | Defined process for identifying and reporting violations | No disclosure process defined |

Most first-time defense contractors have gaps in six to eight of these ten areas. That is not a character flaw — it reflects the fact that ITAR compliance infrastructure takes time to build. The gap assessment tells you exactly where to prioritize your resources.


Step 6: Implement Employee Training Before Work Begins

This step cannot wait. ITAR violations most frequently originate not from corporate decisions but from well-intentioned employees who simply did not know the rules.

Your initial training program should cover:

  • What ITAR is and why it matters
  • Which company products, services, and data are ITAR-controlled
  • The deemed export rule and how it applies to coworkers and visitors
  • How to handle unsolicited requests for technical data
  • Who the Empowered Official is and when to escalate
  • Consequences of violations (personal criminal liability, not just corporate)

Best practice is to document training completion with signed acknowledgments and maintain those records for the required five-year retention period. Training should be refreshed annually and whenever significant regulatory changes occur.

The DDTC has been increasingly active in its compliance and enforcement posture. In recent years, the agency has emphasized that the existence of a bona fide compliance program, including documented training, is a significant mitigating factor in enforcement actions and settlement negotiations.


Step 7: Establish Your Export License Management System

Depending on your contract, you may need to apply for export authorizations before certain activities can proceed. The three primary authorization mechanisms under ITAR are:

1. DSP-5 (Permanent Export License) — For permanent export of unclassified defense articles and related technical data to foreign end-users. Processing time: typically 30–60 days.

2. DSP-73 (Temporary Export License) — For temporary export of unclassified defense articles for demonstration, repair, or other temporary purposes.

3. Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs) — For defense services, training, and technology transfers to foreign persons or entities. TAAs are frequently required when foreign subcontractors or partners are involved. Processing time: 60–90+ days.

License exemptions exist and are widely used — particularly License Exception ITAR § 126.4 for government-to-government transfers and the various exemptions in Part 126 — but each exemption has specific eligibility requirements that must be documented and met at the time of use. Using an exemption you do not qualify for is a violation, even if the underlying transaction was benign.

Build a license tracking spreadsheet or dedicated compliance software from day one. Record every authorization, its scope, expiration date, transaction history, and any conditions imposed by DDTC.


Step 8: Address Subcontractor and Supplier Obligations

One of the most frequently overlooked ITAR obligations for new defense contractors involves their supply chain. ITAR requirements flow down to subcontractors — if you are sharing controlled technical data with a sub to perform on your contract, that sub has ITAR obligations too.

Your subcontractor management process must include:

  • Screening all subs and suppliers against the Consolidated Screening List (denied parties, debarred entities) before engagement
  • Confirming that any sub receiving ITAR-controlled data is DDTC-registered (if required by their scope)
  • Including appropriate ITAR flow-down clauses in subcontracts
  • Verifying that subs have their own written compliance programs and employee training
  • Obtaining and retaining certifications from subs attesting to their compliance status

If a sub you are working with has a compliance failure, you can face shared liability. "I didn't know my sub was sending this data overseas" is not a defense that has held up in DDTC enforcement proceedings.


Step 9: Establish Recordkeeping and Internal Audit Processes

Under 22 CFR § 122.5, ITAR requires that you maintain records relating to all ITAR-controlled transactions for five years. This includes:

  • Export licenses and all shipping documents tied to those licenses
  • Technical Assistance Agreements and all correspondence with DDTC
  • Shipping and export control documentation
  • Commodity jurisdiction requests and responses
  • Records of employee training
  • Internal audit reports
  • Any voluntary disclosures made to DDTC

Beyond meeting the legal minimum, a robust internal audit schedule serves as your early warning system. Quarterly or semi-annual internal compliance reviews allow you to identify gaps before they become violations — and before a DDTC audit or government investigation identifies them for you.

When I conduct compliance program assessments for clients, I consistently find that organizations with documented internal audit programs respond to regulatory inquiries faster, more accurately, and with significantly better outcomes than those operating on informal systems.


What Happens If You Discover a Potential Violation?

If your internal processes surface a potential ITAR violation — a shipment that went out without a license, technical data shared with an unvetted foreign national, a missed exemption condition — do not ignore it and do not attempt to self-correct silently.

DDTC's Voluntary Disclosure program (22 CFR § 127.12) is one of the most powerful risk-mitigation tools available. Organizations that proactively disclose violations, implement corrective actions, and cooperate fully with DDTC investigations receive substantially reduced penalties compared to those whose violations are discovered through third-party complaints or government audits.

Voluntary disclosure is not an admission of systemic failure. It is evidence of a functioning compliance program. The DDTC has stated explicitly that voluntary disclosures are viewed as a significant indicator of good-faith compliance culture.

Citation hook: DDTC's voluntary disclosure program under 22 CFR § 127.12 consistently results in reduced penalties and favorable enforcement outcomes for organizations that self-report violations promptly, implement documented corrective actions, and cooperate fully with the agency.


How Long Does It Take to Build a Compliant Program?

This is the question every first-time defense contractor asks, and the honest answer depends on your organization's size, complexity, and starting point.

| Organization Size | Estimated Timeline to Baseline Compliance | Key Drivers |
|---|---|---|
| Small business (< 50 employees) | 60–120 days | Registration processing, policy drafting, training |
| Mid-size (50–500 employees) | 90–180 days | IT controls, TCP development, sub management |
| Large/complex (500+ employees) | 120–365 days | Multi-site controls, foreign national population, legacy systems |

These timelines assume dedicated resources and expert guidance. Organizations attempting to build ITAR programs while simultaneously learning the regulations from scratch typically experience delays of two to three times these estimates.

If you are starting from zero and your contract performance window is tight, the highest-priority actions are: (1) submit DDTC registration, (2) appoint your Empowered Official, (3) conduct initial employee training, and (4) implement screening procedures. These four actions address your highest immediate legal exposure while you build the rest of your program.


When to Bring in External ITAR Expertise

Not every ITAR compliance question requires outside help. But certain situations are consistently better served by experienced external counsel or a compliance consultant:

  • First-time ITAR registration — The DS-2032 has nuances that affect your authorized scope; errors require amendments that delay your ability to operate
  • Foreign ownership, control, or influence (FOCI) — If your company has any foreign investors, parents, or board members, FOCI analysis requires careful, expert handling
  • TAA or MLA applications — These agreements are complex documents that DDTC scrutinizes carefully; errors cause rejections and delays
  • Voluntary disclosures — The framing and documentation of a voluntary disclosure materially affects the outcome
  • Government compliance audits — Having experienced representation during an audit is not optional for complex situations
  • Acquisition or merger — ITAR compliance due diligence in M&A transactions requires specialized expertise

At Certify Consulting, we specialize in building ITAR compliance programs from the ground up for defense contractors at exactly this stage — organizations that have just won their first significant DoD contract and need to get compliant fast without disrupting performance.

If you're looking for more context on the underlying regulatory framework before engaging outside help, our overview of ITAR registration requirements and the DDTC process provides a solid foundation. And if your contract also implicates classified work, our guide to DD Form 254 and facility security clearance obligations covers the security-side requirements that run parallel to your export compliance obligations.


FAQ: New Defense Contractors and ITAR Compliance

Q: I just won a contract but haven't started performance yet. Am I already subject to ITAR?
A: If your contract involves USML-listed items, services, or technical data, ITAR obligations attach the moment you are in the business of manufacturing or furnishing those items or services — not just when you physically export something. You should initiate DDTC registration immediately upon contract award, before performance begins.

Q: My company is 100% U.S.-owned with no foreign employees. Do I still need to worry about ITAR?
A: Yes. ITAR applies based on the nature of your products and activities, not solely on foreign presence. Even an all-U.S. company needs DDTC registration, written policies, employee training, recordkeeping, and license management if it manufactures or provides services related to USML items. Foreign nationals could also interact with your business in the future — vendors, customers, trade show contacts — making a proactive program essential.

Q: What is the most common ITAR mistake first-time defense contractors make?
A: The most common mistake is treating ITAR compliance as a one-time registration event rather than an ongoing operational discipline. Contractors register with DDTC, then continue business as usual without implementing training, access controls, or license management. The second most common mistake is underestimating the deemed export rule — sharing technical drawings or specifications with a foreign national colleague or vendor without a license or applicable exemption.

Q: How much does ITAR compliance cost to implement?
A: Costs vary significantly based on organization size and complexity. For a small defense contractor, expect to invest $15,000–$50,000 in year one to build a baseline-compliant program, including DDTC registration fees ($2,250/year), policy and procedure development, training program creation, and technology controls. Ongoing annual compliance costs for small organizations typically run $8,000–$25,000. These figures are substantially less than the cost of a single enforcement action, which routinely results in civil penalties of hundreds of thousands of dollars.

Q: Can I hire foreign nationals now that I have a defense contract?
A: You can hire foreign nationals, but you must conduct a thorough analysis before they access any ITAR-controlled technical data, hardware, or facilities. The deemed export rule requires either an export license authorizing the release of specific technical data to that person's country of citizenship, or a determination that an applicable exemption covers the access. This analysis should happen before hiring, not after the employee is onboarded.


The Bottom Line: Start Now, Build Systematically

Winning a defense contract is a significant business milestone. The compliance obligations that come with it are serious — but they are also entirely manageable with the right approach.

The organizations that struggle with ITAR are not the ones that lack resources. They are the ones that delay, minimize the regulatory requirements, or attempt to build compliance programs reactively after something goes wrong. The organizations that succeed are the ones that treat ITAR compliance as a core operational function from day one — the same way they treat quality management, financial controls, or safety programs.

Your roadmap:

1. Confirm ITAR applicability and your USML classification
2. Submit DDTC registration immediately
3. Appoint an Empowered Official with real authority
4. Conduct a gap assessment against all ten program elements
5. Build your Technology Control Plan
6. Train all employees before they access controlled data
7. Establish license management and screening procedures
8. Flow ITAR requirements down to subcontractors
9. Implement recordkeeping and internal audit processes
10. Know your voluntary disclosure options

If you need expert guidance to move through these steps efficiently — without disrupting your contract performance timeline — Certify Consulting is ready to help. With 200+ clients served and a 100% first-time audit pass rate, we have built ITAR compliance programs for first-time defense contractors in every sector of the defense industrial base.

The contract is signed. Now let's make sure you can keep it.


Last updated: 2026-03-03

Jared Clark is the principal consultant at Certify Consulting and founder of itarconsultant.us. He holds a JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC, and has provided ITAR and export control compliance consulting to defense contractors, manufacturers, and technology companies for over eight years.
