Self-Reporting Guide

ITAR Voluntary Disclosure: When and How
to Self-Report (22 CFR 127.12)

By Jared Clark, JD, MBA, PMP, CMQ-OE · Updated July 2026 · ~14 min read

60 Days
Full Disclosure Window
200+
Clients Served
JD, CMQ-OE
Expert Credentials

An ITAR voluntary disclosure is a formal self-report to the State Department's Directorate of Defense Trade Controls (DDTC) under 22 CFR 127.12, informing the government of an actual or suspected ITAR violation before the government discovers it through other means. The process has two parts: an initial notification filed promptly upon discovering the violation, followed by a full disclosure — the complete facts, affected transactions, root cause, and corrective actions — due within 60 days of the initial notification (extensions available on request). DDTC expressly treats voluntary disclosure as a significant mitigating factor in enforcement decisions: companies that self-report consistently receive dramatically better outcomes — frequently no penalty or a warning letter — than companies whose violations surface through investigation. Whether, when, and how to disclose is a legal-judgment decision that should be made with qualified counsel and experienced compliance support.

Why DDTC Treats Disclosure as a Significant Mitigating Factor

The voluntary disclosure mechanism exists because DDTC cannot inspect its way to compliance across the thousands of companies subject to ITAR. The agency's enforcement economics depend on companies policing themselves — and the regulation is engineered to make self-policing rational. 22 CFR 127.12 states the bargain plainly: DDTC strongly encourages disclosure and will consider a voluntary disclosure a mitigating factor in determining administrative penalties.

In practice, the mitigation is real and substantial. Across the modern enforcement record, the companies that absorb the harshest outcomes share a common feature: they knew about violations and stayed silent. The RTX/Raytheon settlement — at $950 million, the largest ITAR enforcement action in history — involved, among other failures, the failure to disclose known violations. Silence converts a compliance problem into an enforcement problem, because the aggravating factor DDTC punishes hardest is concealment.

Conversely, a timely, complete, well-remediated disclosure tells DDTC four things it wants to hear: your company found the problem itself (your compliance program functions), reported it before being caught (good faith), established the full scope (competence), and fixed the root cause (recurrence is unlikely). Each of those points moves the outcome toward the no-action-or-warning-letter end of the spectrum and away from civil charges and consent agreements. For the full penalty landscape that disclosure mitigates, see our guide to ITAR violations and penalties.

The Disclosure Decision: A Legal Judgment, Not a Form-Filling Exercise

Whether a set of facts requires a disclosure — and how to frame it — is a legal analysis of federal regulation applied to imperfect facts, made under time pressure, with civil and potentially criminal consequences attached to the answer. Treat it that way. The framework we walk clients through:

1. Is it actually a violation?

Not every compliance scare is a violation. Before anything is characterized to the government, establish whether the item or data was actually ITAR-controlled (the USML classification question), whether an authorization or exemption actually covered the transaction, and whether the conduct actually constituted an export or retransfer. Companies have disclosed "violations" that a careful classification analysis would have shown were EAR-jurisdiction transactions — and companies have dismissed real violations on wishful reasoning. Both errors are expensive; the analysis must be done rigorously and documented.

2. What is the full scope?

A violation almost never happens once. If a part was misclassified, every shipment of that part is implicated; if a foreign national had unauthorized access, every controlled file they could reach is in scope. Scoping the full population of affected transactions before filing prevents the most damaging pattern in disclosure practice: serial supplemental disclosures that teach DDTC your company does not know what happened inside its own walls.

3. Does an affirmative reporting duty apply?

The general rule is that disclosure is encouraged rather than compelled — but transactions involving countries proscribed under 22 CFR 126.1 carry an affirmative duty to notify DDTC. If your facts touch a proscribed destination, the "whether" question is largely answered for you, and timing becomes the only variable.

4. What is the realistic discovery risk?

Weigh the channels through which the government could learn of the violation independently: prime contractor referrals, freight forwarders, license application review, customs data, former employees. Mitigation credit belongs to whoever brings the matter to DDTC first. In our experience the discovery-risk analysis almost always points toward disclosure — but the timing, scope, and preparation are where judgment operates.

The Moment of Discovery Changes Your Legal Posture

Once your company knows about a violation, continuing the conduct — or sitting on the knowledge while shipments continue — builds a willfulness record that can move the matter from DDTC's civil track toward criminal exposure. Whatever you decide about disclosure, stop the violating activity immediately and preserve the records.

The Two-Part Process Under 22 CFR 127.12

The regulation structures disclosure in two stages, and the structure is your friend: it lets you secure the timeliness benefit quickly while doing the investigation properly.

Part 1: The Initial Notification

The initial notification should be filed promptly after a violation is confirmed — timeliness is the heart of the mitigation value, and a report that arrives after the government has learned of the violation from another source may not be treated as voluntary at all. The notification is deliberately brief: it identifies the disclosing party and describes, in general terms, the nature and extent of the suspected violations. It does not need to resolve every fact — that is what the full disclosure is for. Filing early with an accurate general description is almost always better than waiting until the internal investigation is complete.

Part 2: The Full Disclosure

The complete disclosure is due within 60 days of the initial notification. If a legitimate investigation genuinely needs more time — complex transaction populations, forensic review of data access, multiple business units — DDTC may grant an extension on request; ask before the deadline, not after. The full disclosure is a substantial document: a factual narrative, a transaction-by-transaction accounting, a root cause analysis, and a corrective action plan, certified by a responsible senior officer. Its contents are detailed in the next section.

After Filing

DDTC reviews the disclosure and may request supplemental information, clarification, or documentation. Review timelines vary with the complexity and seriousness of the matter — straightforward disclosures may close in months, while serious matters can remain open considerably longer. During the review period, the company's job is to execute the corrective action plan it described and respond to DDTC completely and promptly. An unfulfilled remediation promise, discovered during review, undoes the credibility the disclosure was meant to build.

What the Full Disclosure Must Include

Under 22 CFR 127.12, the full disclosure must give DDTC a complete, verifiable picture:

  • A precise description of the violations — nature, extent, and the regulatory provisions implicated;
  • The exact circumstances — how the violations occurred, over what period, and how they were discovered;
  • All persons involved — identities and addresses of parties known or suspected to be involved, inside and outside the company;
  • The articles and data at issue — descriptions and USML categories of the hardware, technical data, or defense services involved;
  • The affected transactions — including any license numbers or exemptions that were cited, and the destinations and end users;
  • Root cause analysis — why the compliance system failed, stated honestly rather than cosmetically;
  • Corrective actions — the specific measures taken and planned to prevent recurrence: classification fixes, procedure changes, training, technology controls, personnel actions;
  • A senior officer's certification — a responsible officer of the company must certify the disclosure's accuracy and completeness. This signature carries personal weight; it should never be given to a document the signer has not verified.

Quality matters as much as completeness. A disclosure that is organized, internally consistent, and supported by producible records reads as the product of a functioning compliance culture. A disclosure that is vague, hedged, or contradicted by the documents reads as damage control — and is treated accordingly.

DDTC Review and the Range of Outcomes

A voluntary disclosure can resolve anywhere along a spectrum, and understanding the spectrum helps calibrate both the decision and the preparation:

Outcome What It Means Typical Context
No action / case closed DDTC closes the matter without enforcement Inadvertent violations, timely disclosure, credible remediation
Warning letter Formal caution; no penalty, but on the record for future matters More significant lapses where remediation is convincing
Civil penalty / consent agreement Monetary penalty, possibly with mandated compliance measures Serious, repeated, or systemic violations — mitigated but not excused by disclosure
Referral to DOJ Criminal investigation of willful conduct Evidence of knowing violations, concealment, or proscribed-destination involvement

The distribution across that table is not random — it tracks the quality of the disclosure and the underlying conduct. Timely disclosure of an inadvertent violation with genuine remediation lands, far more often than not, in the top two rows. What a disclosure cannot do is launder willful conduct: DDTC handles civil enforcement, and nothing filed under 127.12 binds the Department of Justice.

Common Voluntary Disclosure Mistakes

The disclosures that go badly tend to fail in predictable ways:

  • Waiting for perfect information. Companies delay the initial notification until the internal investigation is complete — and lose the race to a whistleblower, a prime contractor referral, or a customs flag. File the brief notification early; investigate inside the 60-day window.
  • Disclosing before the facts are nailed down. The opposite error: filing a detailed narrative before scoping the violation, then correcting it repeatedly. Every supplemental correction erodes credibility. The initial notification buys you time precisely so the full disclosure can be right the first time.
  • Minimizing scope. Disclosing the one shipment you were asked about while quietly omitting the other thirty is the single most dangerous choice available — if the omission surfaces, you have converted a mitigating disclosure into evidence of concealment.
  • Treating the disclosure as a confession instead of a remediation story. DDTC weighs corrective action heavily. A disclosure without a serious root cause analysis and a funded corrective plan asks for leniency while demonstrating that recurrence is likely.
  • Continuing the violating activity during review. Shipments that continue under the same defective classification while a disclosure is pending are new violations — committed with documented knowledge.
  • Forgetting the other agencies. A single fact pattern can implicate the EAR (BIS), sanctions (OFAC), and census/customs filing requirements alongside ITAR. Disclosing to DDTC alone, when the conduct also violated another regime, leaves exposure standing. Jurisdictional analysis — see ITAR vs EAR — belongs at the front of the process.
  • Ignoring privilege. Internal investigation materials prepared without counsel's involvement are generally discoverable. Structure the investigation so candid analysis stays protected and the disclosure says exactly what you choose to say.

How Counsel and Consultants Fit

A well-run disclosure is a joint legal-and-compliance project, and the division of labor matters:

Legal counsel owns the judgment calls with legal consequences: whether the facts constitute a violation, whether and when to disclose, how to characterize conduct that could be read as willful, how to structure the internal investigation under privilege, and how to manage any parallel criminal dimension. The disclosure creates a permanent factual record signed by a senior officer — the framing decisions embedded in that record are legal work.

Compliance consultants own the machinery that makes the disclosure credible and prevents the sequel: reconstructing the transaction population, re-validating USML classifications, performing the root cause analysis, designing and implementing the corrective action plan, and rebuilding the compliance program DDTC will evaluate when it weighs your remediation. A disclosure is only as strong as the corrective story behind it — and the corrective story is a systems-building exercise.

This practice sits deliberately at the seam. As a consultant holding a Juris Doctor alongside quality-systems credentials (CMQ-OE) and project management discipline (PMP), Jared Clark builds the investigation record, the classification analysis, and the remediation program with the legal end-state in view — working alongside your counsel rather than leaving a gap between the lawyers and the shop floor. Across 200+ client engagements, that combination is what turns a bad discovery into a defensible disclosure: for example, remediation work in our practice regularly begins exactly this way — a client discovers a misclassified part or an unregistered manufacturing history, and the engagement spans the disclosure support, the re-classification, and the program rebuild that follows. If you are facing that moment now, contact us — and if your company has never registered at all, start by understanding the DDTC registration requirement, because unregistered manufacturing is itself a disclosure-relevant violation.

Frequently Asked Questions About ITAR Voluntary Disclosure

In general, no — 22 CFR 127.12 states that voluntary disclosure is strongly encouraged and is treated as a mitigating factor, but it is not an absolute obligation for every violation. There is one important exception: transactions involving countries proscribed under 22 CFR 126.1 carry an affirmative duty to notify DDTC. As a practical matter, however, the calculus almost always favors disclosure. Violations surface through tips, supply chain referrals, license review, and customs data — and a violation the government discovers first is treated far more severely than one you reported. Whether an exception to that general rule applies in your facts is a legal judgment to make with counsel.
DDTC retains full discretion, but the enforcement record consistently favors disclosers. Many voluntary disclosures close with no enforcement action or a warning letter, particularly where the violation was inadvertent, the disclosure was timely and complete, and the corrective actions were credible. Civil penalties remain possible for serious or repeated violations even when disclosed — but the same conduct discovered through investigation is treated significantly more harshly, and the failure to disclose a known violation is itself an aggravating factor. See our penalties guide →
File the initial notification promptly once a violation is confirmed — timeliness is central to the mitigation value, and a disclosure made after the government learns of the violation from another source may not be treated as voluntary at all. After the initial notification, the full disclosure is due within 60 days; if the internal investigation legitimately needs more time, DDTC may grant an extension on request. The practical rule: notify early with a brief, accurate description, and use the 60-day window (plus any extension) to complete the thorough investigation.
Under 22 CFR 127.12, the full disclosure must include a precise description of the nature and extent of the violations, the exact circumstances surrounding them, the identities and addresses of all persons known or suspected to be involved, the USML category and description of the hardware, technical data, or defense services involved, a description of the affected transactions (including license numbers or exemptions cited), the corrective actions taken to prevent recurrence, and a certification signed by a responsible senior officer attesting that the disclosure is accurate and complete. Supporting documentation — shipment records, correspondence, classification analyses — should be organized and producible.
No. A voluntary disclosure is filed with DDTC, which handles civil and administrative enforcement — it does not bind the Department of Justice, and DDTC may refer willful violations to DOJ regardless of disclosure. That said, a prompt, complete disclosure with genuine remediation is strong practical evidence against willfulness and weighs in the government's charging discretion. Because the disclosure creates a permanent factual record, the decision of what to say and how to characterize conduct with potential criminal dimensions must be made with legal counsel before anything is filed.
JC

About the Author

Jared Clark, JD, MBA, PMP, CMQ-OE

Jared Clark is an ITAR compliance consultant and export control expert with hands-on experience guiding 200+ clients through DDTC registration, compliance program development, USML classification, export licensing, and voluntary disclosure. Holding a Juris Doctor (JD), MBA, Project Management Professional (PMP) certification from PMI, and Certified Manager of Quality/Organizational Excellence (CMQ-OE) designation from ASQ, Jared brings legal, business, project management, and quality systems expertise to every engagement. His clients maintain a 100% first-time audit pass rate.

For broader certification consulting across ISO, GMP, and other regulatory frameworks, visit our parent practice at certify.consulting.

JD MBA PMP CMQ-OE

Discovered a Potential ITAR Violation?

Time matters. Schedule a free, confidential 30-minute consultation — we will help you assess the situation, understand your disclosure options, and plan the corrective actions that make a disclosure credible.

Or email us at [email protected]