Most contractors stumble into export control problems the same way: they assume ITAR applies to everything defense-related, or they assume EAR is the "easier" regime and try to shoehorn their products into it. Both approaches are wrong. The question of ITAR vs EAR isn't about choosing the path of least resistance. It's about correctly characterizing what you make, what technical data you possess, and what services you provide.
I've worked with defense contractors who spent years operating under the wrong classification. Some were treating commercial items as ITAR-controlled defense articles, building expensive security infrastructures they didn't need. Others were treating actual defense articles as EAR-controlled, creating massive compliance exposure. The difference isn't academic—it determines your registration requirements, your facility security posture, your HR practices, and your criminal liability if you get it wrong.
The distinction between ITAR and EAR starts with jurisdiction. ITAR, administered by the State Department's Directorate of Defense Trade Controls (DDTC), controls defense articles, technical data, and services. EAR, administered by the Commerce Department's Bureau of Industry and Security (BIS), controls dual-use items and less sensitive technology. But those descriptions don't tell you how to classify your specific situation.
The U.S. Munitions List Is Your Starting Point
If your product, technical data, or service is described on the U.S. Munitions List (USML), it falls under ITAR. Period. The USML is organized into 21 categories, from firearms to spacecraft. Each category was restructured between 2013 and 2020 to focus on items that provide the United States a critical military or intelligence advantage.
The restructured USML uses positive control language. Items are specifically enumerated, not broadly described. Category VIII, for example, covers aircraft and related articles. But it doesn't control all aircraft—it controls military aircraft specifically designed or modified for military application. A helicopter with a pintle mount designed for a crew-served weapon is ITAR-controlled. The same helicopter model without that military modification may be EAR-controlled or even EAR99 (no license required for most destinations).
The pattern I see most often: companies read the USML category titles, see their product type mentioned, and conclude they're ITAR-controlled without reading the detailed criteria. Category IV covers launch vehicles and missiles. That doesn't mean every rocket or guidance system is ITAR-controlled. You need to read the specific subparagraphs. Is your guidance system specifically designed for a defense article? Does it have performance characteristics that exceed the thresholds listed? These details matter.
The "Catch-All" Problem
Each USML category ends with a paragraph (x) that acts as a catch-all for articles specifically designed or modified for a defense article controlled in that category. This is where confusion multiplies. A fastener specifically designed for an F-35 panel might be ITAR-controlled under the catch-all, even though generic fasteners aren't on the USML. The test is whether the item is specifically designed or modified for a defense article, and whether it has a "predominant civil application" or is "commoditized."
These terms have regulatory definitions that don't match their common usage. An item has a predominant civil application if it was or is being developed with primarily private sector funding for civil applications, is already fielded commercially, and hasn't been modified for military application. Commoditized means the item is sufficiently common that it's treated as a commodity. Both concepts have detailed criteria in the regulations.
I've reviewed classification decisions where companies got this backward. They argued that because an item was "common" in the defense industry, it was commoditized. That's not what the term means. Commoditized refers to commercial market characteristics, not ubiquity in military use.
When the Commerce Control List Takes Over
If your item isn't on the USML, you move to the Commerce Control List (CCL), which is organized into ten categories numbered 0-9. Each category is subdivided by product group (A for equipment, B for test equipment, C for materials, etc.). Items on the CCL are identified by an Export Control Classification Number (ECCN).
The CCL captures dual-use items—technology with both military and commercial applications. Advanced encryption, certain composite materials, high-performance computers, and specialized manufacturing equipment often fall here. The control is based on technical parameters. A milling machine capable of certain tolerances might require an export license to certain countries. The same capability in a less precise machine might not.
Here's where companies make expensive mistakes: they assume EAR is "ITAR-lite" and stop paying attention. EAR has its own registration requirements (for certain commodities jurisdiction requests and for items requiring authorization), its own licensing requirements, and its own criminal penalties. The controls are different, not weaker. An ITAR violation and an EAR violation both get you a federal investigation. The consequences of getting export controls wrong don't depend on which agency runs the regime.
EAR99: The Category That Isn't a Category
If your item isn't on the USML and isn't assigned an ECCN on the CCL, it's designated EAR99. This doesn't mean "uncontrolled." It means controlled under EAR but not listed on the CCL. EAR99 items generally don't require a license for export to most countries, but they're still subject to EAR restrictions. You still can't export to embargoed countries, prohibited end-users, or for prohibited end-uses without a license.
I worked with a manufacturer of industrial cameras. Not on the USML. Not on the CCL. EAR99. They assumed this meant they could sell freely. Then a foreign customer mentioned wanting the cameras for a military installation in a country of concern. That triggered end-use restrictions under EAR. The company needed a license. They didn't know EAR99 items could require licenses based on end-use, and they nearly shipped without one.
Speaking on Export Controls and Defense Compliance
Carl delivers keynotes on ITAR, CMMC, and defense industrial base security for contractor associations, legal conferences, and industry groups. Drawing on hands-on CISO experience, these talks go beyond regulatory checklists to address the operational and strategic challenges of export control compliance.
Book Carl to Speak
The Commodity Jurisdiction Process
When you genuinely can't determine whether your item is ITAR or EAR controlled, you can request a commodity jurisdiction (CJ) determination from DDTC. You submit a detailed description of the item, its specifications, its intended use, and your preliminary classification analysis. DDTC reviews it, often in coordination with BIS, and issues a determination.
The CJ process takes months. DDTC's goal is 60 days, but complex requests take longer. You can request expedited processing if you can demonstrate an urgent need, but "we need to ship soon" isn't urgent. Contract awards, imminent sales, and similar business pressures don't qualify.
Here's what I tell companies: if you're truly uncertain, file the CJ request. But don't use the CJ process as a shortcut to avoid doing your own analysis. DDTC expects you to come to the process with a preliminary determination and supporting rationale. If you submit a CJ request that says "we don't know, you tell us," you're going to get a request for more information that delays the process further.
The other reality: CJ determinations are binding only on the item as described. If you later modify the item's design, specifications, or military application, the original CJ may no longer apply. Companies sometimes treat a CJ determination like a lifetime certification. It's not. It's a determination based on the facts you presented at the time.
When to Operate Without a CJ
You're not required to request a CJ determination. If you perform your own analysis and conclude your item is EAR-controlled, you can operate on that basis. You should document your analysis: why you believe the item doesn't meet USML criteria, which CCL category you reviewed, and what ECCN you assigned (if any). If you're ever challenged, your contemporaneous documentation of a good-faith analysis matters.
The risk is obvious: if you classify yourself as EAR and you're actually ITAR, you've been operating without ITAR registration, without the required security posture, and potentially exporting defense articles without authorization. That's why conservative companies request CJs even when they're fairly confident of an EAR classification. The cost of being wrong is high enough that certainty has value.
Technical Data: A Separate Analysis
Even if your physical product is EAR-controlled, the technical data related to it might be ITAR-controlled. This catches companies by surprise. They classify their hardware as EAR, then share design files, specifications, or manufacturing instructions with a foreign person without realizing they've made an ITAR-controlled export of technical data.
ITAR defines technical data as information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes blueprints, drawings, plans, instructions, computer software, and documentation. If the technical data is directly related to a defense article on the USML or is required for a defense service, it's ITAR-controlled.
The dual-use scenario happens constantly: a company makes a component that ends up in both commercial and military products. The component itself might be commoditized and EAR-controlled. But the technical data package for integrating that component into a specific defense system? That could be ITAR-controlled because it's directly related to the defense article. Managing foreign person access to technical data becomes critical in these situations.
The "In the Public Domain" Exception
Technical data that's been published and made generally available to the public isn't ITAR-controlled. This exception is narrower than companies assume. Posting something on a password-protected customer portal isn't public domain. Presenting at a conference where attendees had to register and pay a fee probably isn't public domain. Publishing in a journal with unrestricted access, obtaining a patent, or posting on a public website without access controls—those might qualify.
Companies sometimes try to create public domain status by "publishing" technical data they want to share with foreign partners. DDTC is aware of this tactic. If you publish technical data with the intent to circumvent ITAR, you've committed a violation. The public domain exception exists for information that was disclosed for legitimate reasons, not as a workaround.
Services: The Hardest Category to Classify
Defense services under ITAR include assistance (including training) to foreign persons in the design, engineering, development, production, processing, manufacture, use, operation, overhaul, repair, maintenance, modification, or demilitarization of defense articles. It also includes military training of foreign forces.
Services are harder to classify than hardware because they're contextual. Engineering support for a commercial aircraft is probably not ITAR-controlled. The same engineering support for the military variant of that aircraft is a defense service. Training foreign personnel to operate manufacturing equipment for commercial products is probably not controlled. Training them to operate the same equipment to manufacture defense articles is a defense service.
The pattern I see: companies focus on hardware classification and treat services as an afterthought. They classify their product correctly, then send an engineer to a foreign customer site to provide installation support without considering whether that's a defense service. If the product is a defense article, the installation support is almost certainly a defense service requiring authorization.
Technical assistance agreements (TAAs) and manufacturing license agreements (MLAs) are the ITAR mechanisms for authorizing ongoing defense services. If you're providing recurring services or transferring technical data over time, you probably need one of these rather than one-time export licenses. Companies sometimes try to string together multiple DSP-5 licenses (for temporary export of unclassified defense articles) to avoid the heavier administrative burden of a TAA. That doesn't work if the activity is actually an ongoing service relationship.
Compliance Program Development for Defense Contractors
Carl speaks on building compliance programs that work in the real world—export controls, CMMC, contractor obligations. Based on implementation experience, not theory. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventReal Examples From Both Regimes
A composite material manufacturer made carbon fiber prepreg used in aerospace applications. The material went into both commercial aircraft and military aircraft. The material itself: EAR-controlled under ECCN 1C010, which covers fibrous and filamentary materials meeting certain technical parameters. No ITAR registration required for the company. However, when they provided engineering services to help a foreign military aircraft manufacturer integrate the material into a specific defense article, that service was ITAR-controlled. Same company, same material, different regulatory regime based on the service activity.
A software company developed simulation tools for training. The commercial version simulated civilian scenarios—commercial flight, industrial processes. EAR-controlled, ECCN 4D994. They created a variant for the military that simulated weapon systems operation. That variant was a defense article under USML Category IV(h). The company needed ITAR registration, export authorizations for any foreign sales, and controls on foreign person access to the technical data. The code base was largely the same. The application determined the classification.
A machine shop made precision components. Most were commercial. Some went into defense systems, but the components themselves were standard fasteners and brackets without specific defense design features. Those components were EAR99—not on the USML because they weren't specifically designed for defense articles, and not on the CCL because they didn't meet technical parameters for control. The shop didn't need ITAR registration based on the hardware. But when the defense contractor customer shared technical data about how those components fit into a classified system, and the shop hired foreign engineers who needed access to that data to do their work, the shop suddenly had an ITAR compliance problem related to the technical data, even though the hardware remained EAR99.
The Gray Area of Spare Parts
Spare parts take on the classification of the system they support. If you manufacture a gear used in both commercial and military transmissions, the gear for the commercial transmission is probably EAR-controlled. The identical gear sold as a spare part for a military system on the USML is ITAR-controlled. This creates supply chain complexity because classification depends on end-use intent at the time of transfer.
I worked with a bearing manufacturer facing this exact situation. They sold bearings to multiple customers. When those bearings were sold for commercial use, EAR applied. When sold as spares for military systems, ITAR applied. The bearings were physically identical. The company had to implement order screening processes to identify defense article sales, maintain separate accounting, and apply appropriate export controls based on customer declarations of end-use.
Building a Classification Program That Holds Up
Classification isn't a one-time exercise. New products, product modifications, new customers, and changes in regulations all trigger reclassification analysis. You need a documented process for initial classification, periodic review, and triggered reviews when changes occur.
The process should identify who makes classification decisions (engineering, compliance, legal—some combination), what documentation supports those decisions, and how classifications are recorded in your systems. Product data management systems, ERP systems, and export control screening tools all need accurate classification data. A classification decision that lives only in someone's email isn't useful.
Training is essential. Engineers need to understand how design choices affect classification. A minor design change—adding a mounting bracket for military-specific equipment—can shift an EAR item to ITAR. Sales teams need to understand that customer use cases affect classification. A customer saying "we might use this in a military application" should trigger a compliance review before the sale proceeds.
External counsel or classification consultants can help with complex determinations, but you can't outsource the entire function. Your internal team needs enough expertise to make routine classification decisions, identify edge cases, and know when to escalate. Companies that rely entirely on outside counsel for every classification question end up with slow processes and expensive bottlenecks.
Documentation Standards
For each product, you should document: the USML categories reviewed, why the item doesn't meet USML criteria (if you conclude EAR applies), the CCL categories reviewed, the ECCN assigned (or the basis for EAR99 classification), any CJ determinations received, and the date of analysis. This documentation demonstrates due diligence if you're ever audited or investigated.
Template-based documentation helps. You don't need to reinvent the analysis format for every product. A standard classification worksheet ensures you're asking the right questions consistently. It also makes it easier to review someone else's classification work. I've reviewed classification programs where every classification decision was documented differently. Some were emails. Some were memos. Some were informal notes. You can't audit that. You can't update it efficiently when regulations change. Standardize the format.
Strategic Implications for Leadership
Classification decisions have business consequences. ITAR registration costs money—not just the registration fee, but the compliance infrastructure. Technology Security Plans or Technology Control Plans (depending on your registration type), training programs, facility security, export authorization processes—these are real costs. If you classify products as ITAR when they're actually EAR-controlled, you're carrying unnecessary cost.
But underclassifying is worse. Operating under EAR when you should be under ITAR creates criminal liability. The Defense Department is increasingly focused on supply chain security. DCSA investigations of cleared contractors now routinely examine export control compliance. If you hold a facility clearance and you're not properly controlling exports of defense articles, you're risking not just export control sanctions but also your clearance status.
The decision tree for ITAR vs EAR isn't actually about choosing between regimes. It's about accurately characterizing what you do and then implementing the controls that apply. Companies that treat this as a checklist exercise—"we looked at the USML and we're not on it, so we're EAR"—are setting themselves up for problems. The analysis requires specificity, documentation, and ongoing attention. There's no autopilot setting for export control compliance.
From a leadership perspective, this is about risk management and resource allocation. You need expertise in-house or on retainer. You need systems that track classification and enforce controls. You need training so your teams understand why this matters. And you need executive attention to classification decisions that affect business strategy—whether you can pursue a foreign customer, what security posture a new product line requires, whether a particular acquisition target brings ITAR obligations you're prepared to handle. These aren't back-office compliance questions. They're strategic decisions about what business you're in and what markets you can serve.