Enforcement & Exposure Guide

ITAR Violations & Penalties: What
Non-Compliance Actually Costs

By Jared Clark, JD, MBA, PMP, CMQ-OE · Updated July 2026 · ~15 min read

$1,267,619
Civil Penalty Per Violation
20 Years
Max Criminal Imprisonment
JD, CMQ-OE
Expert Credentials

ITAR violations carry three overlapping forms of exposure. Civil penalties under 22 CFR 127.10 reach $1,267,619 per violation (2025 penalty schedule), assessed by the State Department's DDTC without any criminal conviction. Criminal penalties under the Arms Export Control Act (22 U.S.C. § 2778(c)) reach $1,000,000 in fines and 20 years imprisonment per willful violation — for companies and individuals alike. Administrative consequences include debarment from defense trade, denial of export privileges, and binding consent agreements with compliance monitors. Because each unauthorized export or disclosure is a separate violation, total exposure multiplies quickly — the 2024 RTX/Raytheon settlement reached $950 million. Timely voluntary disclosure under 22 CFR 127.12 is the single most significant mitigating factor available.

Civil Penalties: $1,267,619 Per Violation

Civil enforcement is where most companies actually meet ITAR's teeth. Under 22 CFR 127.10, DDTC may impose civil penalties of up to $1,267,619 per violation under the 2025 inflation-adjusted schedule — and civil liability requires no showing of intent. A company that misclassified a component in good faith, and shipped it abroad without a license, has violated ITAR regardless of what anyone knew or intended. (If you are new to the regulatory framework itself — what ITAR controls and who must comply — start with our definitive guide to ITAR.)

The phrase that should command your attention is "per violation." ITAR exposure is not calculated per case, per audit, or per product line. It multiplies:

  • Each unauthorized export is a separate violation. Ship the same misclassified part 40 times over three years, and you have 40 violations before anyone examines the technical data.
  • Each unauthorized disclosure of technical data is a separate violation. Every drawing emailed to an unauthorized foreign person, every controlled file placed on a server accessible to foreign nationals, counts on its own.
  • Each regulatory failure within a transaction can be charged separately. One shipment can combine an unlicensed export, a proviso breach, and a recordkeeping failure — three violations from one event.

Run the arithmetic on an ordinary scenario: a mid-sized manufacturer with one misclassified assembly, shipped monthly to a foreign customer for two years, is facing 24 violations — a theoretical civil ceiling of over $30 million — before considering the technical data that traveled alongside the hardware. DDTC rarely charges the theoretical maximum, but the ceiling is what frames every settlement negotiation. This is why accurate USML classification is the foundation of everything else in ITAR compliance.

Criminal Penalties: Fines Up to $1M and 20 Years Imprisonment

Criminal exposure under the Arms Export Control Act, 22 U.S.C. § 2778(c), reaches $1,000,000 in fines per violation and up to 20 years imprisonment. Two features distinguish criminal ITAR enforcement from the civil track:

Willfulness Is the Trigger

Criminal prosecution requires a willful violation — the government must prove the defendant knew the conduct was unlawful and proceeded anyway. In practice, prosecutors establish willfulness through evidence that is depressingly common in violation cases: internal emails flagging license requirements that were ignored, compliance training the defendant attended and then contradicted, warnings from freight forwarders or prime contractors that went unheeded, and deliberate structuring of transactions to avoid scrutiny. "We decided not to look into it" is not a defense; courts treat conscious avoidance as knowledge.

Individuals Are Prosecuted, Not Just Companies

The Department of Justice prosecutes engineers, sales executives, empowered officials, and owners personally. A corporate settlement does not immunize the people whose decisions produced the violations. For anyone signing license applications or certifying compliance — the empowered official above all — this is the sharpest personal-risk edge in the entire regulatory scheme, and it is the reason ITAR judgment calls deserve legal-grade analysis rather than informal shop-floor decisions.

Debarment and Administrative Consequences

The third track of exposure is administrative — and for a defense business, it is frequently the most damaging, because it attacks revenue rather than reserves.

Debarment (22 CFR 127.7)

Debarment prohibits participation in the export of defense articles and defense services. Statutory debarment generally follows criminal conviction under the AECA; administrative debarment can be imposed through DDTC enforcement proceedings. The commercial effect is broader than the legal text: prime contractors purge debarred suppliers from their programs because an ineligible entity anywhere in the chain jeopardizes licensing across the program. Reinstatement is possible but requires a formal application and demonstrated remediation — and the customers rarely wait.

Denial of Export Privileges

DDTC may revoke existing licenses and refuse to grant new ones. A company mid-way through international programs can find every pending export license suspended while an enforcement matter is resolved — contract deadlines do not pause with them.

Consent Agreements and Compliance Monitors

Major civil settlements are typically embodied in consent agreements: binding, public commitments that commonly require an external special compliance officer or monitor, remedial compliance program investment, periodic audits and reports to DDTC, and suspended penalty amounts that spring back upon further violations. A consent agreement is, in substance, several years of supervised compliance rebuilt at your expense — on the government's schedule and to the government's standard.

The Cost Nobody Prices In: Reputation

Enforcement actions are public. Debarred and penalized parties are identified, and consent agreements are published. Defense primes screen suppliers against these records during source selection — which means an ITAR enforcement action keeps costing you contract awards years after the penalty is paid.

Enforcement in Practice: The RTX/Raytheon Settlement

Case Study: RTX/Raytheon Settlement (2024)

The $950 million RTX/Raytheon settlement in October 2024 is the largest ITAR enforcement outcome in history and the clearest signal of the current enforcement posture. The case involved unauthorized exports of defense articles and technical data, failure to disclose known violations, and systemic compliance program deficiencies — at a company with every resource needed to comply.

The lesson for everyone smaller: enforcement scales down, not just up. DDTC applies the same regulatory framework to a 20-person machine shop that it applied to RTX — and the small company has no nine-figure balance sheet to absorb the outcome.

Three durable lessons from the modern enforcement record:

  • Concealment costs more than the violation. Failing to disclose known violations converts a compliance problem into an enforcement problem. The aggravating factor DDTC punishes hardest is the decision to stay silent.
  • Systemic deficiency is itself the charge. Enforcement narratives focus on the absence of functioning compliance infrastructure — classification discipline, technology control plans, screening — not just the individual bad shipments.
  • Settlements restructure companies. Nine-figure headlines obscure the operational terms: monitors, mandated remediation, and years of DDTC oversight.

What Triggers an ITAR Investigation

Companies routinely assume violations surface only through government audits. In practice, investigations begin from many directions at once:

  • Voluntary disclosures — your own self-report defines the record DDTC reviews (and is treated far more favorably than any other path);
  • Tips and whistleblowers — former employees, competitors, and disgruntled business partners report suspected violations;
  • Prime contractor and freight forwarder referrals — supply chain partners who spot an unlicensed shipment or classification conflict protect themselves by reporting it;
  • License application review — DDTC licensing officers notice discrepancies between what you are requesting now and what you have already shipped;
  • Foreign government reports — end-use checks and allied customs authorities surface unauthorized retransfers;
  • Customs data — export filings that do not match licensing records are an automated red flag.

The practical takeaway: by the time you discover an internal violation, assume the information can reach the government through a channel you do not control. That assumption should frame the disclosure decision discussed below.

Common Violation Patterns

Across 200+ client engagements, the violations we encounter cluster into a handful of recurring patterns — almost none of which involve anyone intending to break the law:

1. Unauthorized Exports from Misclassification

The most common root cause. A part is assumed to be commercial (EAR or uncontrolled) when it is in fact a defense article, and it ships without a license — repeatedly. Every shipment is a violation. The cure is disciplined, documented USML classification, re-validated whenever the list changes, as it did in September 2025.

2. Deemed Exports to Foreign National Employees

Releasing ITAR technical data to a foreign person inside the United States is an export to that person's country of nationality. Foreign national engineers with access to controlled drawings, shared network folders without access controls, and undocumented visitor access are the classic fact patterns — and each individual disclosure is a separate violation. See our dedicated guide to deemed exports.

3. Manufacturing Without Registration

Manufacturers of defense articles must register with DDTC even if they never export. Component makers deep in the supply chain frequently miss this entirely — a compliance failure that runs for years and undermines the validity of everything downstream. If this describes your company, start with DDTC registration.

4. Recordkeeping Failures

ITAR requires records of controlled transactions to be maintained and producible. Missing shipment files, unretained license provisos, and untracked technical data transfers are violations in their own right — and they compound every other violation because you cannot demonstrate what actually happened.

5. Unauthorized Retransfers and Proviso Breaches

A license authorizes a specific transaction with specific parties and conditions. When your foreign customer re-sells the article, or your team exceeds a proviso's scope of disclosure, the violation is yours to manage — and to disclose.

Willful vs. Inadvertent Violations

The distinction between willful and inadvertent violations determines which enforcement track you are on. It deserves precision:

Attribute Inadvertent Violation Willful Violation
State of mind Good-faith error — misclassification, process failure, ignorance of a requirement Knowledge that conduct was unlawful, or conscious avoidance of that knowledge
Primary track Civil (DDTC) — penalties, consent agreements Criminal (DOJ) — fines and imprisonment, plus civil exposure
Still a violation? Yes — civil liability does not require intent Yes — with personal liability for individuals
Best mitigation Prompt voluntary disclosure + corrective action Immediate engagement of counsel; disclosure strategy is a legal decision

Note the trap in the middle: an inadvertent violation becomes evidence of willfulness the moment a company discovers it and keeps shipping. The discovery memo that sits unactioned in a compliance folder is, in a later prosecution, the government's proof that you knew. Discovery of a violation compresses your decision timeline — which is exactly why the disclosure framework matters.

Mitigation: The Voluntary Disclosure Path

ITAR builds in one powerful mitigation mechanism: the voluntary disclosure under 22 CFR 127.12. A timely, complete self-report is expressly treated by DDTC as a significant mitigating factor in enforcement decisions, and the practical difference in outcomes is dramatic — disclosed violations frequently resolve with no penalty or a warning letter, while the same conduct discovered through investigation draws civil charges with the disclosure's absence counted as an aggravating factor.

The mechanics, timelines, decision framework, and common mistakes deserve their own treatment: see our complete guide to ITAR voluntary disclosure. For penalty-exposure purposes, three points matter here:

  • Disclosure is a race against other channels. Mitigation credit belongs to the party who brings the violation to DDTC — a tip, referral, or customs flag that arrives first converts your disclosure into damage control.
  • Disclosure without remediation is worth little. DDTC weighs the corrective actions — root cause analysis, classification fixes, program improvements — as heavily as the confession itself.
  • The disclosure decision is a legal judgment. What to disclose, when, in what scope, and with what privileged preparation is exactly the kind of question that should be made with counsel and experienced compliance support, not by instinct.

How a Compliance Program Reduces Exposure

A functioning ITAR compliance program changes the penalty math at every stage — before, during, and after a violation:

  • Before: Disciplined classification, licensing workflows, technology control plans, and screening prevent the routine violations that account for most enforcement. The cheapest violation is the one that never happens.
  • During: A program surfaces violations early — through internal audits and empowered-official review — while the count is 3 violations instead of 300, and while voluntary disclosure is still yours to initiate.
  • After: DDTC's enforcement decisions expressly weigh the state of the company's compliance program. A documented, functioning program is your best evidence that a violation was an aberration rather than a symptom — the difference between a warning letter and a consent agreement.

The investment comparison is not close. A right-sized compliance program — registration discipline, written procedures, training, data controls, and audit cadence — costs a small fraction of a single civil penalty at the $1,267,619 ceiling, to say nothing of a settlement, a debarment, or a lost prime contract. Our clients maintain a 100% first-time audit pass rate precisely because the program is built before the government asks to see it. Learn what a complete program includes on our ITAR compliance program page, or contact us for a gap assessment.

Frequently Asked Questions About ITAR Penalties

Civil penalties under 22 CFR 127.10 reach $1,267,619 per violation under the 2025 inflation-adjusted penalty schedule. Critically, the penalty applies per violation, not per case: each unauthorized export, each unauthorized disclosure of technical data to a foreign person, and each failure to obtain required authorization is a separate violation. A single program with a misclassified part can generate dozens or hundreds of violations across its shipment history, which is why total civil exposure routinely reaches into the millions even for mid-sized companies.
Yes. Under the Arms Export Control Act (22 U.S.C. § 2778(c)), willful criminal violations carry fines of up to $1,000,000 per violation and imprisonment of up to 20 years — and those penalties apply to individuals as well as companies. Engineers, executives, and empowered officials have been personally prosecuted for willfully exporting defense articles or technical data without authorization. Criminal prosecution requires willfulness, but courts have found willfulness where individuals knew a license was required and proceeded anyway, or deliberately avoided learning their obligations.
Per violation — and one shipment can contain many violations. A single export transaction may involve multiple defense articles, associated technical data, and multiple regulatory failures (no license, no recordkeeping, inaccurate documentation), each of which can be charged separately. Likewise, a deemed export situation involving one foreign national employee can generate a separate violation for each controlled disclosure over months or years of employment. This multiplication effect is what turns a seemingly small compliance gap into catastrophic exposure.
Debarment under 22 CFR 127.7 is prohibition from participating in the export of defense articles and defense services. Statutory debarment generally follows criminal conviction under the Arms Export Control Act; administrative debarment can be imposed through DDTC enforcement proceedings. For a defense business, debarment is commercially existential: you cannot export, prime contractors will remove you from their supply chains because your ITAR ineligibility contaminates their programs, and reinstatement requires a formal application process with demonstrated remediation. Many debarred companies simply do not survive.
No — a voluntary disclosure under 22 CFR 127.12 is a significant mitigating factor, not an amnesty. DDTC consistently treats timely, complete self-reporting as evidence of good faith, and companies that disclose voluntarily fare dramatically better than those whose violations surface through investigation: many disclosures close with no penalty or a warning letter rather than civil charges. But DDTC retains full discretion to impose penalties, and a disclosure does not bind the Department of Justice on criminal matters. The decision of whether, when, and how to disclose is a legal judgment call that should be made with qualified counsel and compliance support. See our voluntary disclosure guide →
JC

About the Author

Jared Clark, JD, MBA, PMP, CMQ-OE

Jared Clark is an ITAR compliance consultant and export control expert with hands-on experience guiding 200+ clients through DDTC registration, compliance program development, USML classification, export licensing, and voluntary disclosure. Holding a Juris Doctor (JD), MBA, Project Management Professional (PMP) certification from PMI, and Certified Manager of Quality/Organizational Excellence (CMQ-OE) designation from ASQ, Jared brings legal, business, project management, and quality systems expertise to every engagement. His clients maintain a 100% first-time audit pass rate.

For broader certification consulting across ISO, GMP, and other regulatory frameworks, visit our parent practice at certify.consulting.

JD MBA PMP CMQ-OE

Worried About Your ITAR Exposure?

Schedule a free 30-minute consultation. We will assess your compliance posture, identify where violations are most likely hiding, and outline a clear path to reduce your exposure — no obligation, no pressure.

Or email us at [email protected]