Civil Penalties: $1,267,619 Per Violation
Civil enforcement is where most companies actually meet ITAR's teeth. Under 22 CFR 127.10, DDTC may impose civil penalties of up to $1,267,619 per violation under the 2025 inflation-adjusted schedule — and civil liability requires no showing of intent. A company that misclassified a component in good faith, and shipped it abroad without a license, has violated ITAR regardless of what anyone knew or intended. (If you are new to the regulatory framework itself — what ITAR controls and who must comply — start with our definitive guide to ITAR.)
The phrase that should command your attention is "per violation." ITAR exposure is not calculated per case, per audit, or per product line. It multiplies:
- Each unauthorized export is a separate violation. Ship the same misclassified part 40 times over three years, and you have 40 violations before anyone examines the technical data.
- Each unauthorized disclosure of technical data is a separate violation. Every drawing emailed to an unauthorized foreign person, every controlled file placed on a server accessible to foreign nationals, counts on its own.
- Each regulatory failure within a transaction can be charged separately. One shipment can combine an unlicensed export, a proviso breach, and a recordkeeping failure — three violations from one event.
Run the arithmetic on an ordinary scenario: a mid-sized manufacturer with one misclassified assembly, shipped monthly to a foreign customer for two years, is facing 24 violations — a theoretical civil ceiling of over $30 million — before considering the technical data that traveled alongside the hardware. DDTC rarely charges the theoretical maximum, but the ceiling is what frames every settlement negotiation. This is why accurate USML classification is the foundation of everything else in ITAR compliance.
Criminal Penalties: Fines Up to $1M and 20 Years Imprisonment
Criminal exposure under the Arms Export Control Act, 22 U.S.C. § 2778(c), reaches $1,000,000 in fines per violation and up to 20 years imprisonment. Two features distinguish criminal ITAR enforcement from the civil track:
Willfulness Is the Trigger
Criminal prosecution requires a willful violation — the government must prove the defendant knew the conduct was unlawful and proceeded anyway. In practice, prosecutors establish willfulness through evidence that is depressingly common in violation cases: internal emails flagging license requirements that were ignored, compliance training the defendant attended and then contradicted, warnings from freight forwarders or prime contractors that went unheeded, and deliberate structuring of transactions to avoid scrutiny. "We decided not to look into it" is not a defense; courts treat conscious avoidance as knowledge.
Individuals Are Prosecuted, Not Just Companies
The Department of Justice prosecutes engineers, sales executives, empowered officials, and owners personally. A corporate settlement does not immunize the people whose decisions produced the violations. For anyone signing license applications or certifying compliance — the empowered official above all — this is the sharpest personal-risk edge in the entire regulatory scheme, and it is the reason ITAR judgment calls deserve legal-grade analysis rather than informal shop-floor decisions.
Debarment and Administrative Consequences
The third track of exposure is administrative — and for a defense business, it is frequently the most damaging, because it attacks revenue rather than reserves.
Debarment (22 CFR 127.7)
Debarment prohibits participation in the export of defense articles and defense services. Statutory debarment generally follows criminal conviction under the AECA; administrative debarment can be imposed through DDTC enforcement proceedings. The commercial effect is broader than the legal text: prime contractors purge debarred suppliers from their programs because an ineligible entity anywhere in the chain jeopardizes licensing across the program. Reinstatement is possible but requires a formal application and demonstrated remediation — and the customers rarely wait.
Denial of Export Privileges
DDTC may revoke existing licenses and refuse to grant new ones. A company mid-way through international programs can find every pending export license suspended while an enforcement matter is resolved — contract deadlines do not pause with them.
Consent Agreements and Compliance Monitors
Major civil settlements are typically embodied in consent agreements: binding, public commitments that commonly require an external special compliance officer or monitor, remedial compliance program investment, periodic audits and reports to DDTC, and suspended penalty amounts that spring back upon further violations. A consent agreement is, in substance, several years of supervised compliance rebuilt at your expense — on the government's schedule and to the government's standard.
Enforcement in Practice: The RTX/Raytheon Settlement
Three durable lessons from the modern enforcement record:
- Concealment costs more than the violation. Failing to disclose known violations converts a compliance problem into an enforcement problem. The aggravating factor DDTC punishes hardest is the decision to stay silent.
- Systemic deficiency is itself the charge. Enforcement narratives focus on the absence of functioning compliance infrastructure — classification discipline, technology control plans, screening — not just the individual bad shipments.
- Settlements restructure companies. Nine-figure headlines obscure the operational terms: monitors, mandated remediation, and years of DDTC oversight.
What Triggers an ITAR Investigation
Companies routinely assume violations surface only through government audits. In practice, investigations begin from many directions at once:
- Voluntary disclosures — your own self-report defines the record DDTC reviews (and is treated far more favorably than any other path);
- Tips and whistleblowers — former employees, competitors, and disgruntled business partners report suspected violations;
- Prime contractor and freight forwarder referrals — supply chain partners who spot an unlicensed shipment or classification conflict protect themselves by reporting it;
- License application review — DDTC licensing officers notice discrepancies between what you are requesting now and what you have already shipped;
- Foreign government reports — end-use checks and allied customs authorities surface unauthorized retransfers;
- Customs data — export filings that do not match licensing records are an automated red flag.
The practical takeaway: by the time you discover an internal violation, assume the information can reach the government through a channel you do not control. That assumption should frame the disclosure decision discussed below.
Common Violation Patterns
Across 200+ client engagements, the violations we encounter cluster into a handful of recurring patterns — almost none of which involve anyone intending to break the law:
1. Unauthorized Exports from Misclassification
The most common root cause. A part is assumed to be commercial (EAR or uncontrolled) when it is in fact a defense article, and it ships without a license — repeatedly. Every shipment is a violation. The cure is disciplined, documented USML classification, re-validated whenever the list changes, as it did in September 2025.
2. Deemed Exports to Foreign National Employees
Releasing ITAR technical data to a foreign person inside the United States is an export to that person's country of nationality. Foreign national engineers with access to controlled drawings, shared network folders without access controls, and undocumented visitor access are the classic fact patterns — and each individual disclosure is a separate violation. See our dedicated guide to deemed exports.
3. Manufacturing Without Registration
Manufacturers of defense articles must register with DDTC even if they never export. Component makers deep in the supply chain frequently miss this entirely — a compliance failure that runs for years and undermines the validity of everything downstream. If this describes your company, start with DDTC registration.
4. Recordkeeping Failures
ITAR requires records of controlled transactions to be maintained and producible. Missing shipment files, unretained license provisos, and untracked technical data transfers are violations in their own right — and they compound every other violation because you cannot demonstrate what actually happened.
5. Unauthorized Retransfers and Proviso Breaches
A license authorizes a specific transaction with specific parties and conditions. When your foreign customer re-sells the article, or your team exceeds a proviso's scope of disclosure, the violation is yours to manage — and to disclose.
Willful vs. Inadvertent Violations
The distinction between willful and inadvertent violations determines which enforcement track you are on. It deserves precision:
| Attribute | Inadvertent Violation | Willful Violation |
|---|---|---|
| State of mind | Good-faith error — misclassification, process failure, ignorance of a requirement | Knowledge that conduct was unlawful, or conscious avoidance of that knowledge |
| Primary track | Civil (DDTC) — penalties, consent agreements | Criminal (DOJ) — fines and imprisonment, plus civil exposure |
| Still a violation? | Yes — civil liability does not require intent | Yes — with personal liability for individuals |
| Best mitigation | Prompt voluntary disclosure + corrective action | Immediate engagement of counsel; disclosure strategy is a legal decision |
Note the trap in the middle: an inadvertent violation becomes evidence of willfulness the moment a company discovers it and keeps shipping. The discovery memo that sits unactioned in a compliance folder is, in a later prosecution, the government's proof that you knew. Discovery of a violation compresses your decision timeline — which is exactly why the disclosure framework matters.
Mitigation: The Voluntary Disclosure Path
ITAR builds in one powerful mitigation mechanism: the voluntary disclosure under 22 CFR 127.12. A timely, complete self-report is expressly treated by DDTC as a significant mitigating factor in enforcement decisions, and the practical difference in outcomes is dramatic — disclosed violations frequently resolve with no penalty or a warning letter, while the same conduct discovered through investigation draws civil charges with the disclosure's absence counted as an aggravating factor.
The mechanics, timelines, decision framework, and common mistakes deserve their own treatment: see our complete guide to ITAR voluntary disclosure. For penalty-exposure purposes, three points matter here:
- Disclosure is a race against other channels. Mitigation credit belongs to the party who brings the violation to DDTC — a tip, referral, or customs flag that arrives first converts your disclosure into damage control.
- Disclosure without remediation is worth little. DDTC weighs the corrective actions — root cause analysis, classification fixes, program improvements — as heavily as the confession itself.
- The disclosure decision is a legal judgment. What to disclose, when, in what scope, and with what privileged preparation is exactly the kind of question that should be made with counsel and experienced compliance support, not by instinct.
How a Compliance Program Reduces Exposure
A functioning ITAR compliance program changes the penalty math at every stage — before, during, and after a violation:
- Before: Disciplined classification, licensing workflows, technology control plans, and screening prevent the routine violations that account for most enforcement. The cheapest violation is the one that never happens.
- During: A program surfaces violations early — through internal audits and empowered-official review — while the count is 3 violations instead of 300, and while voluntary disclosure is still yours to initiate.
- After: DDTC's enforcement decisions expressly weigh the state of the company's compliance program. A documented, functioning program is your best evidence that a violation was an aberration rather than a symptom — the difference between a warning letter and a consent agreement.
The investment comparison is not close. A right-sized compliance program — registration discipline, written procedures, training, data controls, and audit cadence — costs a small fraction of a single civil penalty at the $1,267,619 ceiling, to say nothing of a settlement, a debarment, or a lost prime contract. Our clients maintain a 100% first-time audit pass rate precisely because the program is built before the government asks to see it. Learn what a complete program includes on our ITAR compliance program page, or contact us for a gap assessment.