A small engineering firm in Virginia submitted a proposal to the Defense Logistics Agency. The proposal included technical drawings for a component they manufactured. Nothing classified. Nothing exotic. Just routine technical data about a mechanical part. Three months later, they received a letter from the State Department's Directorate of Defense Trade Controls informing them they had violated the International Traffic in Arms Regulations by exporting defense articles without authorization. The potential fine: $1 million per violation.
The firm had emailed the proposal to a consultant who was reviewing it before submission. The consultant happened to be a dual Canadian-U.S. citizen working from Toronto that week. The technical drawings were controlled under ITAR. The email constituted an export. The company had no ITAR registration, no compliance program, and no idea they were subject to export control laws.
This scenario plays out more often than most defense industry leaders realize. ITAR compliance isn't an edge case or a bureaucratic formality—it's a legal framework with criminal and civil penalties that can destroy a company. If your organization touches any part of the defense supply chain, you need to understand what triggers ITAR jurisdiction, what compliance actually requires, and what happens when you get it wrong.
What ITAR Actually Regulates
The International Traffic in Arms Regulations control the export and temporary import of defense articles and defense services. "Export" under ITAR doesn't just mean shipping hardware overseas. It includes any release of technical data to a foreign person, regardless of location. That email to Toronto was an export. A conference presentation with controlled technical data attended by foreign nationals is an export. Allowing a foreign person to access controlled data on a server is an export.
ITAR is implemented by the Directorate of Defense Trade Controls (DDTC), which operates under the State Department. The regulations derive their authority from the Arms Export Control Act, passed in 1976. The U.S. Munitions List (USML) defines what falls under ITAR jurisdiction. The USML is organized into 21 categories covering everything from firearms and ammunition to military electronics, spacecraft, and nuclear weapons.
The USML underwent significant revision starting in 2013 through the Export Control Reform initiative. The goal was to focus ITAR on items that provide critical military or intelligence advantage rather than items available commercially. Many items moved from the USML to the Commerce Control List, which is governed by the Export Administration Regulations (EAR), a separate regulatory regime with different requirements and generally less restrictive controls.
Despite this reform, the USML still covers a broad range of items and technical data. Category IV covers launch vehicles and missiles. Category VIII covers aircraft and related equipment specifically designed or modified for military application. Category XI covers military electronics. Category XV covers spacecraft and related articles. The categories use specific language about what is included, what is excluded, and whether items are controlled based on their design, modification, or configuration for military use.
Defense Articles vs. Defense Services
ITAR distinguishes between defense articles and defense services. Defense articles are tangible items on the USML—hardware, software, components, accessories, attachments. Defense services include assistance (including training) to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, or use of defense articles. Providing technical data to foreign persons is also considered furnishing a defense service.
Technical data is information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes blueprints, drawings, photographs, plans, instructions, computer software, and documentation. It also includes information that advances the state of the art or establishes a new capability for a defense article. The pattern I see most often is companies focusing on hardware and missing the technical data entirely. They lock down physical shipments but email controlled drawings without a second thought.
Who Needs to Register and Comply
Any person who engages in the United States in the business of manufacturing or exporting defense articles or furnishing defense services must register with DDTC. "Person" includes individuals, corporations, partnerships—any entity. Registration is required before you manufacture, export, or broker any defense article or service.
There are exemptions. Agencies of the U.S. government don't need to register. Neither do individuals or entities whose pertinent business activity is confined to the production of unclassified technical data only. But these exemptions are narrow and often misunderstood. If you're manufacturing hardware on the USML, you need to register. If you're exporting defense articles or services, you need to register.
Registration costs $2,250 annually and requires submission of a detailed application describing your business activities, your products, and your compliance procedures. DDTC reviews the application and can request additional information or clarification. Once registered, you receive a registration code that you use on export licenses and other communications with DDTC. Registration expires annually and must be renewed.
But registration is just the first step. Compliance requires implementing a comprehensive program that addresses how your organization identifies ITAR-controlled items, manages exports, protects technical data, screens employees and foreign persons, trains staff, maintains records, and reports violations. "ITAR Registration: Who Needs It and How to Get It Right" covers the registration process in detail, but the compliance program is where most organizations struggle.
Understanding ITAR Jurisdiction: What Triggers Control
Determining whether an item is subject to ITAR is the foundational question. Get this wrong and everything downstream fails. The USML is specific, but interpreting it requires careful attention to category descriptions, notes, and cross-references.
Items are ITAR-controlled if they are specifically enumerated on the USML, specifically designed or modified for military application, or derived from or based on USML items. The phrase "specifically designed" is critical. It doesn't mean the item is only useful for military purposes—it means the item was designed with military specifications or requirements in mind and differs in form or function from comparable commercial items.
The "specifically designed" test changed after Export Control Reform. The current test looks at whether the item has predominantly military or intelligence applicability. Items with both military and non-military applications may not be ITAR-controlled if the commercial applications are substantial and well-established. This is a fact-specific inquiry that often requires detailed technical analysis and sometimes a commodity jurisdiction determination from DDTC or the Bureau of Industry and Security at Commerce.
The Catch-All and Embedded Items
Each USML category includes a catch-all paragraph controlling parts, components, accessories, attachments, and associated equipment specifically designed for the enumerated articles. This means even if your specific part isn't listed, if it's specifically designed for a listed article, it may be controlled. A fastener designed to standard specifications isn't controlled just because it's used on a military aircraft. But a fastener designed to unique military specifications for that aircraft likely is.
Embedded software and firmware present particular challenges. If software is specifically designed to operate defense articles listed on the USML, it may be controlled. If it's general-purpose software with both military and commercial applications, it may fall under EAR or be outside both regimes. The analysis depends on functionality, design intent, and whether the software is inextricably tied to USML hardware.
Export Licenses and Exemptions
Once you've determined an item is ITAR-controlled, you need authorization before exporting. Most exports require a license from DDTC. The license application requires detailed information about the exporter, the consignee, the end-user, the item, the quantity, the value, and the purpose. DDTC reviews the application and may request additional information, impose conditions, or deny the license based on foreign policy, national security, or other considerations.
Processing times vary. DDTC aims to process applications within 60 days, but complex cases or cases involving certain countries can take significantly longer. Expedited processing is available for urgent requests but requires justification. If you're waiting on a license to fulfill a contract, plan accordingly. Missing a delivery date because you didn't submit the license application early enough is not an acceptable excuse to DDTC or your customer.
License Exemptions You Can Actually Use
ITAR includes exemptions that allow certain exports without individual licenses. The most commonly used exemptions are for exports to Canadian commercial end-users (with significant limitations and exclusions), exports of unclassified technical data in furtherance of a manufacturing license agreement or technical assistance agreement already approved by DDTC, and certain temporary exports or re-exports to employees of the exporter or its subsidiary.
The Canadian exemption is frequently misunderstood. It doesn't cover everything, and it doesn't cover exports to Canadian government agencies or defense contractors without additional requirements. It also doesn't cover items in certain USML categories. Before relying on any exemption, read the regulation carefully. Exemptions are strictly construed. If you're not sure, file for a license.
Some companies operate under manufacturing license agreements or technical assistance agreements that authorize specific activities with specific foreign parties. These agreements require prior DDTC approval and impose reporting and compliance obligations. They're useful for ongoing relationships but add administrative overhead.
Deemed Exports and Technical Data Protection
The deemed export rule catches more companies off-guard than almost any other ITAR provision. A deemed export occurs when you release controlled technical data to a foreign person in the United States. The foreign person's location doesn't matter—they can be sitting in your office in Ohio. If they're not a U.S. citizen or lawful permanent resident, and you give them access to ITAR technical data, you've made an export.
This means hiring decisions become export control decisions. If a position requires access to ITAR technical data, you can't hire a foreign national without export authorization. This is typically handled through a Technical Assistance Agreement or a license specifically for deemed exports. Some companies avoid the issue by restricting access to ITAR data to U.S. persons only. That works if you can segregate the work, but it limits your hiring pool and creates operational complexity.
Protecting technical data requires physical and electronic controls. ITAR data should be marked clearly. Access should be restricted to personnel with a need to know. Electronic systems storing ITAR data should have access controls, audit logging, and encryption for data at rest and in transit. You need policies governing how ITAR data is transmitted, stored, and disposed of.
The pattern I see is companies treating ITAR data like general business information. They store it on shared drives, email it without encryption, and discuss it in open areas where visitors might overhear. When an auditor or investigator shows up, the lack of basic controls is indefensible. You don't need a classified facility for ITAR data, but you do need documented controls and consistent enforcement.
Empowering Employees and Establishing Accountability
ITAR compliance depends on people understanding what's controlled, what's prohibited, and when to ask for help. Training is mandatory under ITAR regulations. Your employees need to know how to identify defense articles and technical data, understand the restrictions on exports and deemed exports, and recognize red flags in transactions.
Training should be tailored to roles. Engineers working with technical data need deeper training on deemed exports and data protection. Shipping and logistics personnel need to know how to identify and handle ITAR-controlled shipments. Sales and business development need to understand when a foreign customer conversation crosses the line into a prohibited export of technical data. One-size-fits-all compliance training rarely works. Role-specific training with real examples from your operations is more effective.
But training alone isn't enough. You need clear policies, documented procedures, and accountability mechanisms. Someone senior should own ITAR compliance—an empowered employee, a compliance officer, or a designated trade compliance manager. This person needs authority, resources, and direct access to leadership. Export compliance can't be an IT side project or an HR checkbox. It needs dedicated ownership.
You also need a reporting mechanism for suspected violations. Employees should know how to escalate concerns without fear of retaliation. Self-disclosure of violations to DDTC can significantly reduce penalties if violations are discovered later. Companies that bury violations or fail to investigate them face far harsher consequences than companies that find problems, fix them, and report them voluntarily.
Recordkeeping and Audit Requirements
ITAR requires you to maintain records related to your ITAR compliance program, including export authorizations, shipping documents, licenses, agreements, and records of all manufacturing, exports, and brokering activities. You must retain these records for five years from the date of the export or other activity. Electronic records are acceptable if they meet specific requirements for accessibility and reliability.
DDTC can audit registered entities to verify compliance. So can other agencies, including Homeland Security Investigations and the Defense Counterintelligence and Security Agency. Audits can be scheduled or unannounced. They typically involve document requests, interviews with employees, and site inspections. If you can't produce records, demonstrate implemented controls, or show that employees understand their obligations, the audit findings will reflect that.
Good recordkeeping isn't just about regulatory requirements. It's about proving what you did and why. If a question arises about whether a particular export was authorized, you need documentation showing how you made the jurisdiction determination, what license or exemption you relied on, and who approved the transaction. If you can't reconstruct the decision-making process, you can't defend it.
What Happens When You Get It Wrong
ITAR violations carry both civil and criminal penalties. Civil penalties can reach $1,272,814 per violation. Criminal penalties for willful violations include fines up to $1 million and imprisonment up to 20 years. DDTC also has administrative remedies, including consent agreements that impose corrective actions, external audits, and debarment from exporting.
The consequences extend beyond fines. A company debarred from exporting can't participate in defense contracts that require ITAR-controlled items or data. Debarment effectively ends your defense business. Even consent agreements that stop short of debarment impose significant costs: external audits, remedial training, enhanced compliance measures, and ongoing reporting to DDTC for years.
Criminal prosecutions are real. Individuals have been imprisoned for ITAR violations, particularly when violations involved adversary nations, deliberate circumvention of controls, or false statements to regulators. The Department of Justice treats arms export violations seriously. If you're tempted to cut corners or ignore the rules because "everyone does it," understand that the risk isn't theoretical.
Beyond legal penalties, violations damage business relationships. Prime contractors conducting supply chain assessments don't want to work with subcontractors who have ITAR violations on their record. Government agencies scrutinize companies with compliance failures. Customers care about your compliance posture because your failures create risk for them. "ITAR Violation Consequences: What Happens When Defense Contractors Get It Wrong" explores this in more detail, but the short version is that ITAR violations don't stay contained—they spread through your business relationships and reputation.
The Intersection With CMMC and Other DoD Requirements
If you're in the defense industrial base, ITAR compliance doesn't exist in isolation. Companies subject to ITAR are often also subject to the Cybersecurity Maturity Model Certification (CMMC), DFARS cybersecurity requirements, and other DoD security obligations. These frameworks overlap in some areas and diverge in others.
CMMC focuses on protecting Controlled Unclassified Information (CUI), which includes some but not all ITAR technical data. ITAR technical data marked as export-controlled may also be CUI if it meets the CUI Registry definitions. But ITAR imposes separate and additional requirements beyond CMMC. You can be CMMC-certified and still violate ITAR if you don't have proper export authorizations, registration, or deemed export controls.
The defense industrial base security requirements are layered. Each framework has its own compliance obligations, audit processes, and enforcement mechanisms. Trying to address them independently creates gaps and inefficiencies. A better approach is an integrated compliance program that maps your controls to all applicable requirements, identifies overlaps, and ensures you're not duplicating effort or missing obligations unique to one framework.
For companies new to defense work, the combination of ITAR, CMMC, and DFARS can feel overwhelming. The tendency is to focus on the most visible requirement—usually CMMC because it's a contract prerequisite—and treat ITAR as secondary. That's a mistake. ITAR violations carry criminal liability. CMMC non-compliance loses you contracts. Both matter, but the legal risk profile differs.
Building a Sustainable ITAR Compliance Program
Sustainable ITAR compliance requires more than checking boxes. It requires embedding export control considerations into business processes: proposal reviews, hiring decisions, IT access controls, shipping procedures, customer conversations, and subcontractor management. If ITAR compliance is something your organization does once a year during registration renewal, you're not compliant—you're lucky.
Start with a risk assessment. Identify where ITAR-controlled items and technical data exist in your organization. Map who has access, how data moves, and where exports or deemed exports might occur. Identify gaps between current practices and regulatory requirements. Prioritize remediations based on risk and feasibility.
Document your policies and procedures. You need written procedures for jurisdiction determinations, export license applications, deemed export authorizations, technical data handling, recordkeeping, training, and violation reporting. These documents should be specific to your operations, not generic templates. They should explain not just what to do but how to do it in your environment.
Implement technical and physical controls. Access to ITAR data should be role-based and logged. Shipments of ITAR-controlled items should be clearly marked and routed through personnel trained on export requirements. Electronic systems should enforce access restrictions and flag prohibited transfers.
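One way a mail gateway or DLP hook could flag transfers for compliance review, shown as an added example (not code from the author or from any export-management product). The marking string, roster fields, authorization reference and sample events are all assumptions constructed for illustration; a flag here means "route to the compliance owner," not a jurisdiction or licensing determination.

```python
from dataclasses import dataclass

ITAR_LABEL = "ITAR-CONTROLLED"  # assumed marking string, not a mandated format


@dataclass(frozen=True)
class Person:
    us_person: bool          # U.S. citizen or lawful permanent resident, per HR records
    authorization: str = ""  # reference to a license or agreement on file, if any


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    dest_country: str   # country code the gateway resolved for the recipient
    labels: tuple       # markings found on the attachments
    encrypted: bool     # True if the message was encrypted in transit


def review_transfer(t, roster):
    """Return the reasons a transfer needs compliance review (empty list = none)."""
    if ITAR_LABEL not in t.labels:
        return []
    person = roster.get(t.recipient.lower())
    authorized = bool(person and person.authorization)
    reasons = []
    if person is None:
        reasons.append("recipient status unknown")
    elif not person.us_person and not authorized:
        # Deemed export: the recipient's location is irrelevant for a foreign person.
        reasons.append("foreign person without authorization on file")
    if t.dest_country != "US" and not authorized:
        # The opening scenario: controlled drawings emailed to someone abroad.
        reasons.append(f"data leaves the U.S. ({t.dest_country})")
    if not t.encrypted:
        reasons.append("sent without encryption in transit")
    return reasons


def audit(transfers, roster):
    """Map each flagged recipient to its list of reasons."""
    flagged = {}
    for t in transfers:
        reasons = review_transfer(t, roster)
        if reasons:
            flagged[t.recipient] = reasons
    return flagged


# Constructed sample data (placeholder domains and reference number).
ROSTER = {
    "consultant@example.net": Person(us_person=True),
    "intern@example.com": Person(us_person=False),
    "partner@example.org": Person(us_person=False, authorization="AUTH-PLACEHOLDER-001"),
}
SENDER = "engineer@example.com"
TRANSFERS = [
    Transfer(SENDER, "consultant@example.net", "CA", (ITAR_LABEL,), False),
    Transfer(SENDER, "intern@example.com", "US", (ITAR_LABEL,), True),
    Transfer(SENDER, "partner@example.org", "GB", (ITAR_LABEL,), True),
    Transfer(SENDER, "stranger@example.io", "US", (ITAR_LABEL,), True),
    Transfer(SENDER, "intern@example.com", "US", (), True),  # unmarked file
]

if __name__ == "__main__":
    for recipient, reasons in audit(TRANSFERS, ROSTER).items():
        print(recipient, "->", "; ".join(reasons))
```

The check is only as good as the markings and the roster behind it: unmarked controlled data passes silently, which is why marking and the person-status records need their own review.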
Train regularly and measure effectiveness. Annual training is the minimum. New employees should receive training before accessing ITAR data. When regulations change or new products are added, provide updates. Use scenarios and examples relevant to your business. Test comprehension, not just attendance.
Audit yourself before others audit you. Conduct internal reviews of export transactions, technical data handling, and employee access. Identify weaknesses and fix them. Self-identified issues corrected before an external audit or investigation are far less damaging than issues discovered by regulators.
Engage counsel and trade compliance professionals when needed. Commodity jurisdiction determinations can be complex. License applications for sensitive end-users require careful framing. Responding to enforcement actions demands experienced representation. The cost of expert help is trivial compared to the cost of getting it wrong.
Strategic Implications for Defense Industry Leaders
ITAR compliance is not a back-office function—it's a strategic capability that enables or constrains business opportunities. Companies that understand how to navigate ITAR efficiently can pursue international partnerships, respond to global opportunities, and differentiate themselves from competitors who struggle with compliance. Companies that treat ITAR as a nuisance or delay investing in compliance infrastructure find themselves reactive, slow, and vulnerable.
Leadership sets the tone. If executives dismiss compliance as bureaucracy or pressure teams to expedite exports without proper authorization, the organization will reflect that attitude. If leadership invests in compliance infrastructure, empowers compliance personnel, and holds business units accountable for following procedures, the organization builds resilience. This isn't about culture statements or posters on the wall. It's about decisions: whether you hire a trade compliance manager, whether you invest in export management software, whether you walk away from business that can't be executed compliantly.
The defense industrial base is consolidating around companies that can meet layered security and compliance requirements. Primes are trimming supply chains and focusing on suppliers who demonstrate mature compliance programs. "Supply Chain Security in the Defense Industrial Base: What Primes Expect From Subs" explores what this means operationally, but the bottom line is that ITAR compliance is increasingly a competitive differentiator, not just a regulatory obligation.
For companies entering the defense market, ITAR is often more challenging than anticipated. The rules are detailed, the penalties are severe, and the operational changes required to comply are significant. But the barrier to entry is also a moat once you're inside. Companies that invest early in building strong compliance programs position themselves for sustainable growth. Companies that defer investment or try to avoid compliance eventually hit walls—lost contracts, enforcement actions, or reputational damage that forces costly remediation.
ITAR compliance is ultimately about control: knowing what you have, where it goes, and who accesses it. That's the same discipline required for cybersecurity, for quality management, for counterintelligence. Organizations that master this discipline don't just comply with ITAR—they build capabilities that serve them across every aspect of operating in regulated, high-consequence environments.