What is ITAR?
The International Traffic in Arms Regulations (ITAR) is a strict export control regime administered by the U.S. State Department's Directorate of Defense Trade Controls (DDTC). ITAR controls the manufacture, sale, transfer, and export of defense articles and services to foreign countries and foreign persons.
Unlike DFARS (which is a procurement requirement for DoD contracts), ITAR is a trade law that applies independently of contracts. If you manufacture, export, or broker anything on the U.S. Munitions List (USML), ITAR applies—regardless of whether you have a DoD contract. Many defense contractors face ITAR obligations they're unaware of.
ITAR violations carry severe penalties: up to $1M in civil fines per violation, up to $500K per criminal count, 20 years imprisonment, and permanent debarment from federal contracts. The State Department actively enforces ITAR, especially around foreign nationals' access to technical data.
Who's Affected?
Any company that manufactures, exports, or brokers defense articles on the U.S. Munitions List — from major primes to small machine shops making components.
Check Requirements →Who Needs ITAR Compliance?
You need ITAR compliance if any of the following apply:
- You manufacture defense articles or components on the USML
- You export technical data related to USML articles (drawings, source code, specs, performance data)
- You provide defense services (consulting, training, engineering) for USML items
- You have foreign nationals or foreign-owned subsidiaries with access to USML technical data
- You broker or arrange transactions involving USML articles (even if you don't manufacture them)
- You store or transmit USML technical data (including in cloud systems accessible from overseas)
"Export" under ITAR includes not just physical shipment, but also sharing technical data with foreign nationals in the U.S. (deemed export). A single email sending USML drawings to a foreign contractor or a video call with a foreign engineer reviewing source code is an export requiring a license.
The U.S. Munitions List (USML): What's Controlled?
The USML is published in 22 CFR Part 121 and contains 21 categories of defense articles. Key categories relevant to defense contractors:
- Category I: Firearms, ammunition, and related equipment
- Category III: Ordnance (bombs, grenades, mines, rockets, missiles)
- Category IV: Launch vehicles, missiles, rocket systems, and components
- Category VII: Tanks, combat vehicles, and related equipment
- Category IX: Military aircraft and related equipment
- Category XI: Military electronics (radar, sensors, navigation systems)
- Category XIV: Chemical and biological weapons (also military applications)
- Category XV: Spacecraft and related equipment (many have military/dual-use applications)
Check the USML at pmddtc.state.gov to determine if your products are controlled. Classification is often ambiguous for dual-use items (components that have both commercial and military applications). When in doubt, request a Commodity Jurisdiction (CJ) from the State Department—takes 60 days but provides official classification.
ITAR vs. EAR: When Does Each Apply?
Two U.S. export control regimes exist, and confusion between them is common:
| Aspect | ITAR (State Dept.) | EAR (Commerce Dept.) |
|---|---|---|
| Agency | State Department DDTC | Commerce Department BIS |
| Items Controlled | USML (military-specific) | CCL (dual-use, less sensitive) |
| Scope | Stricter; designed for military | Broader but less restrictive |
| Registration | Required (annual fee $2,250) | Not required |
| License Requirement | Generally required for exports | Required for certain countries/items |
| Penalties | Up to $1M + 20 years prison | Up to $300K + 15 years prison |
Rule of thumb: If it's on the USML, ITAR applies and takes priority. Even if an item is also on the Commerce Control List (dual-use), ITAR is the governing regulation.
ITAR Registration: Mandatory for Manufacturers and Exporters
If you manufacture or export USML items, registration is mandatory. There is no exemption.
Registration details:
- Annual fee: $2,250/year (non-refundable)
- Where to register: pmddtc.state.gov (online registration system)
- Required information: Company details, products manufactured/sold, countries of operation, foreign ownership
- Registration categories: Manufacturer, Exporter, Broker, Dealer
- Renewal: Annual, due by June 30 (late renewal incurs $1,000 penalty)
- Amendments: Must notify DDTC within 30 days of changes (facility location, products, foreign investment)
Failure to register is a violation. Even if you only manufacture one USML item, registration is required. The State Department treats non-registration as an act of deception, which increases criminal liability.
Need the full walkthrough? Our ITAR Certification Guide covers the complete DDTC registration process step-by-step, including requirements, costs, timelines, and common mistakes to avoid.
ITAR Compliance Program Elements
An effective ITAR compliance program includes these seven core elements:
- USML Classification: Formally determine which of your products/services are USML-controlled
- Empowered Official (EO): Designate a senior official responsible for ITAR compliance decisions
- Technical Data Control: Establish procedures to mark, store, and protect USML technical data
- Foreign Person Screening: Implement vetting procedures to control foreign nationals' and foreign-owned companies' access to USML data
- Export License Management: Request licenses from DDTC before exporting USML items or technical data
- Record Keeping: Maintain licenses, export documentation, and compliance records for 5 years
- Training and Audits: Train employees on ITAR restrictions and conduct annual compliance audits
Technical Data Control Under ITAR
ITAR's strictest controls apply to technical data—any information that reveals design, performance, specifications, or manufacturing processes of USML items.
What is "technical data"?
- Engineering drawings, schematics, specifications
- Source code for control systems or firmware
- Performance data, test results, or failure analysis
- Manufacturing procedures or process documentation
- Training materials or manuals describing military use
- Email discussions of design or performance details
Technical data control requirements:
- Mark all USML technical data with ITAR notice ("This document contains technical data subject to ITAR")
- Restrict access to authorized U.S. persons only (no foreign nationals, no foreign-owned employees)
- Store technical data in secured locations (locked file cabinets, encrypted servers with access logs)
- Use secure communication channels for transmitting technical data (encrypted email, VPN, not standard cloud storage)
- Prevent "deemed export" (never display USML data on public-facing websites or share in presence of foreign nationals without license)
Secure Your Technical Data
ITAR requires physical and digital controls over all USML technical data. Encryption, access logs, and personnel vetting are non-negotiable.
Assess Your Readiness →Foreign Person Access and Deemed Export
ITAR treats sharing USML technical data with a foreign national in the U.S. the same as exporting it—it's called a "deemed export." This catches many companies off guard.
Deemed export examples that require a license:
- A foreign contractor attends a design review meeting where USML specifications are discussed
- A foreign engineering partner receives drawings via email (even within the U.S.)
- A foreign subsidiary accesses technical data through a shared server
- A foreign national in your U.S. office views USML documentation on a colleague's screen
- A foreign student attends a presentation covering USML-related technology
Foreign national screening requirements:
- Maintain a foreign national register (list all foreign nationals and their access to USML data)
- Implement background checks (visa status, country of citizenship, export control enforcement records)
- Restrict USML data access for foreign nationals unless an export license has been obtained
- Use "Technical Assistance Agreements" (TAAs) or "Manufacturing License Agreements" (MLAs) to formalize foreign person involvement
- Document that any USML technical data sharing was pre-approved by DDTC
Export License Requirements and Process
If you manufacture, sell, or export USML items, you must obtain an export license from DDTC before the transaction occurs.
ITAR license types:
- License for Offense (L): For one-time export of USML articles to a specific country
- Technical Assistance Agreement (TAA): For providing technical data, training, or consulting services related to USML items
- Manufacturing License Agreement (MLA): Allows foreign manufacturers to produce USML items under U.S. control
- Distributing Agreement (DA): Allows foreign distributors to sell USML items
License processing timeline:
- Standard review: 30–45 days
- Interagency review (DoD or other agencies): 60–90 days
- Some countries (Iran, North Korea, Syria, Sudan) are prohibited and licenses are never issued
Denial grounds: DDTC can deny licenses on national security grounds or if the applicant has failed compliance in the past. Repeat violators face permanent denial.
ITAR Penalties and Enforcement
ITAR violations are serious criminal and civil matters, actively investigated by the State Department and FBI.
Civil penalties:
- Up to $500,000 per violation (or twice the value of the transaction)
- Adjusts annually for inflation (2025 penalties higher than 2024)
- Each shipment/email/meeting can be a separate violation (stacking possible)
- Debarment from federal contracts for 3–5 years
Criminal penalties:
- Up to $1M in fines per count
- Up to 20 years imprisonment per count
- Charges typically include conspiracy, export without license, false statements
Enforcement record: The State Department has issued $50M+ in ITAR penalties over the past decade. Recent high-profile cases include penalties against Boeing ($17M, 2015), Raytheon ($12M, 2015), and numerous smaller contractors ($1–5M each).
Common ITAR Violations and Avoidance
- Unlicensed exports: Shipping USML items or technical data without obtaining a license first. Solution: Require licensing review before any export.
- Deemed exports: Sharing USML data with foreign nationals or in a foreign-located facility without approval. Solution: Implement foreign person screening and restrict access.
- False export claims: Declaring non-USML status to avoid licensing (e.g., "this is commercial, not military"). Solution: Accurate USML classification by qualified personnel.
- Failure to register: Not registering as a USML manufacturer/exporter. Solution: Conduct annual audit of USML classification and register if applicable.
- Inaccurate end-use statements: Misrepresenting the intended use of USML items (e.g., claiming commercial use when military is intended). Solution: Verify end-user legitimacy through contract reviews.
- Subcontractor violations: Allowing unvetted subcontractors access to USML technical data. Solution: Include ITAR flow-down in all subcontracts and conduct periodic audits.
How ITAR Relates to CMMC and DFARS
ITAR, DFARS, and CMMC all apply to defense contractors but address different risks:
- ITAR: Prevents unauthorized export of military-controlled items and data (State Department enforcement)
- DFARS: Protects unclassified defense information from cyber attack and unauthorized access (DoD enforcement)
- CMMC: Validates DFARS/NIST 800-171 compliance through third-party assessment
A company can be CMMC-certified (proving cyber security) while still violating ITAR (if they export USML items without a license). Conversely, perfect ITAR compliance doesn't satisfy DFARS cybersecurity requirements.
Overlap: Both ITAR and DFARS require technical data protection, but ITAR focuses on export restrictions while DFARS focuses on cyber defense. Compliance with one does not automatically satisfy the other.
ITAR Compliance Step-by-Step Checklist
- USML Classification: Review all products/services and determine which are USML-controlled (use commodity jurisdiction if uncertain)
- Register with DDTC: If manufacturing/exporting USML items, submit annual registration and pay $2,250 fee
- Appoint Empowered Official: Designate senior officer responsible for export licensing and compliance decisions
- Create written ITAR Policy: Document procedures for technical data control, foreign person screening, and export licensing
- Screen all Personnel: Conduct background checks on foreign nationals; maintain foreign national register
- Secure Technical Data: Mark USML documents, restrict access, implement encryption, use secure communication
- Request Export Licenses: Before any USML export or deemed export, obtain DDTC license (allow 30–90 days)
- Maintain Records: Keep licenses, export documentation, compliance audits for minimum 5 years
- Conduct Annual Audit: Review all exports, foreign person access, licensing compliance
- Report Violations Voluntarily: If a violation is discovered, report to DDTC immediately (reduces penalties significantly)
Unsure if ITAR applies to you? Review the USML at pmddtc.state.gov or consult an ITAR compliance attorney. Misclassification penalties are severe.
Key Resources
- DDTC Official Portal — ITAR regulations, USML, registration, license applications
- 22 CFR Part 121 (USML) — Complete list of controlled items
- ITAR Compliance Checklist — Step-by-step implementation guide
- DFARS Compliance Guide — Related requirements for DoD contractors
Disclosure: Defense Compliance.ai contains affiliate links to compliance software and consulting services. We recommend tools we've independently vetted; affiliate commissions help fund this resource.