Why DDTC Treats Disclosure as a Significant Mitigating Factor
The voluntary disclosure mechanism exists because DDTC cannot inspect its way to compliance across the thousands of companies subject to ITAR. The agency's enforcement economics depend on companies policing themselves — and the regulation is engineered to make self-policing rational. 22 CFR 127.12 states the bargain plainly: DDTC strongly encourages disclosure and will consider a voluntary disclosure a mitigating factor in determining administrative penalties.
In practice, the mitigation is real and substantial. Across the modern enforcement record, the companies that absorb the harshest outcomes share a common feature: they knew about violations and stayed silent. The RTX/Raytheon settlement — at $950 million, the largest ITAR enforcement action in history — involved, among other failures, the failure to disclose known violations. Silence converts a compliance problem into an enforcement problem, because the aggravating factor DDTC punishes hardest is concealment.
Conversely, a timely, complete, well-remediated disclosure tells DDTC four things it wants to hear: your company found the problem itself (your compliance program functions), reported it before being caught (good faith), established the full scope (competence), and fixed the root cause (recurrence is unlikely). Each of those points moves the outcome toward the no-action-or-warning-letter end of the spectrum and away from civil charges and consent agreements. For the full penalty landscape that disclosure mitigates, see our guide to ITAR violations and penalties.
The Disclosure Decision: A Legal Judgment, Not a Form-Filling Exercise
Whether a set of facts requires a disclosure — and how to frame it — is a legal analysis of federal regulation applied to imperfect facts, made under time pressure, with civil and potentially criminal consequences attached to the answer. Treat it that way. The framework we walk clients through:
1. Is it actually a violation?
Not every compliance scare is a violation. Before anything is characterized to the government, establish whether the item or data was actually ITAR-controlled (the USML classification question), whether an authorization or exemption actually covered the transaction, and whether the conduct actually constituted an export or retransfer. Companies have disclosed "violations" that a careful classification analysis would have shown were EAR-jurisdiction transactions — and companies have dismissed real violations on wishful reasoning. Both errors are expensive; the analysis must be done rigorously and documented.
2. What is the full scope?
A violation almost never happens once. If a part was misclassified, every shipment of that part is implicated; if a foreign national had unauthorized access, every controlled file they could reach is in scope. Scoping the full population of affected transactions before filing prevents the most damaging pattern in disclosure practice: serial supplemental disclosures that teach DDTC your company does not know what happened inside its own walls.
3. Does an affirmative reporting duty apply?
The general rule is that disclosure is encouraged rather than compelled — but transactions involving countries proscribed under 22 CFR 126.1 carry an affirmative duty to notify DDTC. If your facts touch a proscribed destination, the "whether" question is largely answered for you, and timing becomes the only variable.
4. What is the realistic discovery risk?
Weigh the channels through which the government could learn of the violation independently: prime contractor referrals, freight forwarders, license application review, customs data, former employees. Mitigation credit belongs to whoever brings the matter to DDTC first. In our experience the discovery-risk analysis almost always points toward disclosure — but the timing, scope, and preparation are where judgment operates.
The Two-Part Process Under 22 CFR 127.12
The regulation structures disclosure in two stages, and the structure is your friend: it lets you secure the timeliness benefit quickly while doing the investigation properly.
Part 1: The Initial Notification
The initial notification should be filed promptly after a violation is confirmed — timeliness is the heart of the mitigation value, and a report that arrives after the government has learned of the violation from another source may not be treated as voluntary at all. The notification is deliberately brief: it identifies the disclosing party and describes, in general terms, the nature and extent of the suspected violations. It does not need to resolve every fact — that is what the full disclosure is for. Filing early with an accurate general description is almost always better than waiting until the internal investigation is complete.
Part 2: The Full Disclosure
The complete disclosure is due within 60 days of the initial notification. If a legitimate investigation genuinely needs more time — complex transaction populations, forensic review of data access, multiple business units — DDTC may grant an extension on request; ask before the deadline, not after. The full disclosure is a substantial document: a factual narrative, a transaction-by-transaction accounting, a root cause analysis, and a corrective action plan, certified by a responsible senior officer. Its contents are detailed in the next section.
After Filing
DDTC reviews the disclosure and may request supplemental information, clarification, or documentation. Review timelines vary with the complexity and seriousness of the matter — straightforward disclosures may close in months, while serious matters can remain open considerably longer. During the review period, the company's job is to execute the corrective action plan it described and respond to DDTC completely and promptly. An unfulfilled remediation promise, discovered during review, undoes the credibility the disclosure was meant to build.
What the Full Disclosure Must Include
Under 22 CFR 127.12, the full disclosure must give DDTC a complete, verifiable picture:
- A precise description of the violations — nature, extent, and the regulatory provisions implicated;
- The exact circumstances — how the violations occurred, over what period, and how they were discovered;
- All persons involved — identities and addresses of parties known or suspected to be involved, inside and outside the company;
- The articles and data at issue — descriptions and USML categories of the hardware, technical data, or defense services involved;
- The affected transactions — including any license numbers or exemptions that were cited, and the destinations and end users;
- Root cause analysis — why the compliance system failed, stated honestly rather than cosmetically;
- Corrective actions — the specific measures taken and planned to prevent recurrence: classification fixes, procedure changes, training, technology controls, personnel actions;
- A senior officer's certification — a responsible officer of the company must certify the disclosure's accuracy and completeness. This signature carries personal weight; it should never be given to a document the signer has not verified.
Quality matters as much as completeness. A disclosure that is organized, internally consistent, and supported by producible records reads as the product of a functioning compliance culture. A disclosure that is vague, hedged, or contradicted by the documents reads as damage control — and is treated accordingly.
DDTC Review and the Range of Outcomes
A voluntary disclosure can resolve anywhere along a spectrum, and understanding the spectrum helps calibrate both the decision and the preparation:
| Outcome | What It Means | Typical Context |
|---|---|---|
| No action / case closed | DDTC closes the matter without enforcement | Inadvertent violations, timely disclosure, credible remediation |
| Warning letter | Formal caution; no penalty, but on the record for future matters | More significant lapses where remediation is convincing |
| Civil penalty / consent agreement | Monetary penalty, possibly with mandated compliance measures | Serious, repeated, or systemic violations — mitigated but not excused by disclosure |
| Referral to DOJ | Criminal investigation of willful conduct | Evidence of knowing violations, concealment, or proscribed-destination involvement |
The distribution across that table is not random — it tracks the quality of the disclosure and the underlying conduct. Timely disclosure of an inadvertent violation with genuine remediation lands, far more often than not, in the top two rows. What a disclosure cannot do is launder willful conduct: DDTC handles civil enforcement, and nothing filed under 127.12 binds the Department of Justice.
Common Voluntary Disclosure Mistakes
The disclosures that go badly tend to fail in predictable ways:
- Waiting for perfect information. Companies delay the initial notification until the internal investigation is complete — and lose the race to a whistleblower, a prime contractor referral, or a customs flag. File the brief notification early; investigate inside the 60-day window.
- Disclosing before the facts are nailed down. The opposite error: filing a detailed narrative before scoping the violation, then correcting it repeatedly. Every supplemental correction erodes credibility. The initial notification buys you time precisely so the full disclosure can be right the first time.
- Minimizing scope. Disclosing the one shipment you were asked about while quietly omitting the other thirty is the single most dangerous choice available — if the omission surfaces, you have converted a mitigating disclosure into evidence of concealment.
- Treating the disclosure as a confession instead of a remediation story. DDTC weighs corrective action heavily. A disclosure without a serious root cause analysis and a funded corrective plan asks for leniency while demonstrating that recurrence is likely.
- Continuing the violating activity during review. Shipments that continue under the same defective classification while a disclosure is pending are new violations — committed with documented knowledge.
- Forgetting the other agencies. A single fact pattern can implicate the EAR (BIS), sanctions (OFAC), and census/customs filing requirements alongside ITAR. Disclosing to DDTC alone, when the conduct also violated another regime, leaves exposure standing. Jurisdictional analysis — see ITAR vs EAR — belongs at the front of the process.
- Ignoring privilege. Internal investigation materials prepared without counsel's involvement are generally discoverable. Structure the investigation so candid analysis stays protected and the disclosure says exactly what you choose to say.
How Counsel and Consultants Fit
A well-run disclosure is a joint legal-and-compliance project, and the division of labor matters:
Legal counsel owns the judgment calls with legal consequences: whether the facts constitute a violation, whether and when to disclose, how to characterize conduct that could be read as willful, how to structure the internal investigation under privilege, and how to manage any parallel criminal dimension. The disclosure creates a permanent factual record signed by a senior officer — the framing decisions embedded in that record are legal work.
Compliance consultants own the machinery that makes the disclosure credible and prevents the sequel: reconstructing the transaction population, re-validating USML classifications, performing the root cause analysis, designing and implementing the corrective action plan, and rebuilding the compliance program DDTC will evaluate when it weighs your remediation. A disclosure is only as strong as the corrective story behind it — and the corrective story is a systems-building exercise.
This practice sits deliberately at the seam. As a consultant holding a Juris Doctor alongside quality-systems credentials (CMQ-OE) and project management discipline (PMP), Jared Clark builds the investigation record, the classification analysis, and the remediation program with the legal end-state in view — working alongside your counsel rather than leaving a gap between the lawyers and the shop floor. Across 200+ client engagements, that combination is what turns a bad discovery into a defensible disclosure: for example, remediation work in our practice regularly begins exactly this way — a client discovers a misclassified part or an unregistered manufacturing history, and the engagement spans the disclosure support, the re-classification, and the program rebuild that follows. If you are facing that moment now, contact us — and if your company has never registered at all, start by understanding the DDTC registration requirement, because unregistered manufacturing is itself a disclosure-relevant violation.