What is ITAR?
ITAR is the State Department's export control system for military stuff. It's strict, and it controls how you manufacture, sell, and ship defense articles and related services to foreign countries and foreign nationals.
Here's the key difference from DFARS: ITAR doesn't care if you have a DoD contract. It's a trade law that stands on its own. If you're making anything on the U.S. Munitions List (USML), ITAR applies to you—period. A lot of contractors don't realize this until they've already violated it.
The penalties are no joke either. You're looking at up to $1M in civil fines per violation, $500K per criminal count, 20 years in prison, and permanent debarment from federal work. The State Department actually enforces this, too—especially when foreign nationals get access to stuff they shouldn't.
Who's Affected?
Any company that manufactures, exports, or brokers defense articles on the U.S. Munitions List — from major primes to small machine shops making components.
Check Requirements →Who Needs ITAR Compliance?
Ask yourself: does any of this sound like you?
- You manufacture defense articles or components on the USML
- You export technical data related to USML articles (drawings, source code, specs, performance data)
- You provide defense services (consulting, training, engineering) for USML items
- You have foreign nationals or foreign-owned subsidiaries with access to USML technical data
- You broker or arrange transactions involving USML articles (even if you don't manufacture them)
- You store or transmit USML technical data (including in cloud systems accessible from overseas)
Here's something people miss: "export" doesn't just mean shipping something physically. It includes sharing technical data with a foreign national in the U.S.—that's called a "deemed export." Send an email with USML drawings to a foreign contractor? That's an export. Have a video call where a foreign engineer reviews your source code? Also an export. Both require licenses.
The U.S. Munitions List (USML): What's Controlled?
The USML (22 CFR Part 121) lists 21 categories of military stuff that are off-limits without a license. Here are the ones that typically affect defense contractors:
- Category I: Firearms, ammunition, and related equipment
- Category III: Ordnance (bombs, grenades, mines, rockets, missiles)
- Category IV: Launch vehicles, missiles, rocket systems, and components
- Category VII: Tanks, combat vehicles, and related equipment
- Category IX: Military aircraft and related equipment
- Category XI: Military electronics (radar, sensors, navigation systems)
- Category XIV: Chemical and biological weapons (also military applications)
- Category XV: Spacecraft and related equipment (many have military/dual-use applications)
Go to pmddtc.state.gov and check if your products are on the list. The tricky part: dual-use items (components that work in both commercial and military contexts) can be ambiguous. If you're not sure, request a Commodity Jurisdiction (CJ) from the State Department. It takes 60 days, but you get an official classification that covers you legally.
ITAR vs. EAR: When Does Each Apply?
There are two export control systems in the U.S., and people confuse them all the time:
| Aspect | ITAR (State Dept.) | EAR (Commerce Dept.) |
|---|---|---|
| Agency | State Department DDTC | Commerce Department BIS |
| Items Controlled | USML (military-specific) | CCL (dual-use, less sensitive) |
| Scope | Stricter; designed for military | Broader but less restrictive |
| Registration | Required (annual fee $2,250) | Not required |
| License Requirement | Generally required for exports | Required for certain countries/items |
| Penalties | Up to $1M + 20 years prison | Up to $300K + 15 years prison |
Simple rule: Is it on the USML? Then ITAR applies—end of story. It doesn't matter if it's also on the Commerce Control List. ITAR wins.
ITAR Registration: Mandatory for Manufacturers and Exporters
Making or exporting USML stuff? You have to register. No exceptions, no gray area.
Here's what you need to know:
- Annual fee: $2,250/year (non-refundable)
- Where to register: pmddtc.state.gov (online registration system)
- Required information: Company details, products manufactured/sold, countries of operation, foreign ownership
- Registration categories: Manufacturer, Exporter, Broker, Dealer
- Renewal: Annual, due by June 30 (late renewal incurs $1,000 penalty)
- Amendments: Must notify DDTC within 30 days of changes (facility location, products, foreign investment)
Failing to register is itself a violation. Makes no difference if you only make one USML item—the State Department sees non-registration as intentional deception, and that bumps up the criminal liability.
Need the full walkthrough? Our ITAR Certification Guide covers the complete DDTC registration process step-by-step, including requirements, costs, timelines, and common mistakes to avoid.
ITAR Compliance Program Elements
If you want to actually stay compliant, you need to cover these seven bases:
- USML Classification: Formally determine which of your products/services are USML-controlled
- Empowered Official (EO): Designate a senior official responsible for ITAR compliance decisions
- Technical Data Control: Establish procedures to mark, store, and protect USML technical data
- Foreign Person Screening: Implement vetting procedures to control foreign nationals' and foreign-owned companies' access to USML data
- Export License Management: Request licenses from DDTC before exporting USML items or technical data
- Record Keeping: Maintain licenses, export documentation, and compliance records for 5 years
- Training and Audits: Train employees on ITAR restrictions and conduct annual compliance audits
Technical Data Control Under ITAR
This is where ITAR gets really restrictive. Technical data—anything that shows how a USML item is designed, performs, or gets made—gets the heaviest scrutiny.
What counts as "technical data"?
- Engineering drawings, schematics, specifications
- Source code for control systems or firmware
- Performance data, test results, or failure analysis
- Manufacturing procedures or process documentation
- Training materials or manuals describing military use
- Email discussions of design or performance details
Technical data control requirements:
- Mark all USML technical data with ITAR notice ("This document contains technical data subject to ITAR")
- Restrict access to authorized U.S. persons only (no foreign nationals, no foreign-owned employees)
- Store technical data in secured locations (locked file cabinets, encrypted servers with access logs)
- Use secure communication channels for transmitting technical data (encrypted email, VPN, not standard cloud storage)
- Prevent "deemed export" (never display USML data on public-facing websites or share in presence of foreign nationals without license)
Secure Your Technical Data
ITAR requires physical and digital controls over all USML technical data. Encryption, access logs, and personnel vetting are non-negotiable.
Assess Your Readiness →Foreign Person Access and Deemed Export
Here's where people get into trouble: ITAR says sharing USML data with a foreign national inside the U.S. counts as an export. Literally. It's called a "deemed export," and it catches companies all the time.
Deemed export examples that require a license:
- A foreign contractor attends a design review meeting where USML specifications are discussed
- A foreign engineering partner receives drawings via email (even within the U.S.)
- A foreign subsidiary accesses technical data through a shared server
- A foreign national in your U.S. office views USML documentation on a colleague's screen
- A foreign student attends a presentation covering USML-related technology
Foreign national screening requirements:
- Maintain a foreign national register (list all foreign nationals and their access to USML data)
- Implement background checks (visa status, country of citizenship, export control enforcement records)
- Restrict USML data access for foreign nationals unless an export license has been obtained
- Use "Technical Assistance Agreements" (TAAs) or "Manufacturing License Agreements" (MLAs) to formalize foreign person involvement
- Document that any USML technical data sharing was pre-approved by DDTC
Export License Requirements and Process
Before you ship, sell, or hand off USML items to anyone, you need to get a license from DDTC. Full stop.
ITAR license types:
- License for Offense (L): For one-time export of USML articles to a specific country
- Technical Assistance Agreement (TAA): For providing technical data, training, or consulting services related to USML items
- Manufacturing License Agreement (MLA): Allows foreign manufacturers to produce USML items under U.S. control
- Distributing Agreement (DA): Allows foreign distributors to sell USML items
License processing timeline:
- Standard review: 30–45 days
- Interagency review (DoD or other agencies): 60–90 days
- Some countries (Iran, North Korea, Syria, Sudan) are prohibited and licenses are never issued
Denial grounds: DDTC can deny licenses on national security grounds or if the applicant has failed compliance in the past. Repeat violators face permanent denial.
ITAR Penalties and Enforcement
ITAR violations aren't slap-on-the-wrist stuff. The State Department and FBI actually investigate these, and they prosecute.
Civil penalties:
- Up to $500,000 per violation (or twice the value of the transaction)
- Adjusts annually for inflation (2025 penalties higher than 2024)
- Each shipment/email/meeting can be a separate violation (stacking possible)
- Debarment from federal contracts for 3–5 years
Criminal penalties:
- Up to $1M in fines per count
- Up to 20 years imprisonment per count
- Charges typically include conspiracy, export without license, false statements
Real penalties: The State Department has handed out $50M+ in ITAR fines over the last decade. Look at Boeing ($17M in 2015) or Raytheon ($12M in 2015)—even the big players get hit. Smaller contractors regularly face $1–5M penalties.
Common ITAR Violations and How to Avoid Them
- Unlicensed exports: Shipping USML items or technical data without obtaining a license first. Solution: Require licensing review before any export.
- Deemed exports: Sharing USML data with foreign nationals or in a foreign-located facility without approval. Solution: Implement foreign person screening and restrict access.
- False export claims: Declaring non-USML status to avoid licensing (e.g., "this is commercial, not military"). Solution: Accurate USML classification by qualified personnel.
- Failure to register: Not registering as a USML manufacturer/exporter. Solution: Conduct annual audit of USML classification and register if applicable.
- Inaccurate end-use statements: Misrepresenting the intended use of USML items (e.g., claiming commercial use when military is intended). Solution: Verify end-user legitimacy through contract reviews.
- Subcontractor violations: Allowing unvetted subcontractors access to USML technical data. Solution: Include ITAR flow-down in all subcontracts and conduct periodic audits.
How ITAR Relates to CMMC and DFARS
ITAR, DFARS, and CMMC all land on defense contractors, but they tackle different problems:
- ITAR: Prevents unauthorized export of military-controlled items and data (State Department enforcement)
- DFARS: Protects unclassified defense information from cyber attack and unauthorized access (DoD enforcement)
- CMMC: Validates DFARS/NIST 800-171 compliance through third-party assessment
You can be CMMC-certified (nailed your cybersecurity) but still be violating ITAR (shipped USML stuff without a license). Same deal in reverse—perfect ITAR compliance doesn't cover you on DFARS cybersecurity.
Where they overlap: ITAR and DFARS both care about protecting technical data. But ITAR is all about export restrictions, while DFARS is about cyber defense. One doesn't automatically cover the other.
ITAR Compliance Step-by-Step Checklist
- USML Classification: Review all products/services and determine which are USML-controlled (use commodity jurisdiction if uncertain)
- Register with DDTC: If manufacturing/exporting USML items, submit annual registration and pay $2,250 fee
- Appoint Empowered Official: Designate senior officer responsible for export licensing and compliance decisions
- Create written ITAR Policy: Document procedures for technical data control, foreign person screening, and export licensing
- Screen all Personnel: Conduct background checks on foreign nationals; maintain foreign national register
- Secure Technical Data: Mark USML documents, restrict access, implement encryption, use secure communication
- Request Export Licenses: Before any USML export or deemed export, obtain DDTC license (allow 30–90 days)
- Maintain Records: Keep licenses, export documentation, compliance audits for minimum 5 years
- Conduct Annual Audit: Review all exports, foreign person access, licensing compliance
- Report Violations Voluntarily: If a violation is discovered, report to DDTC immediately (reduces penalties significantly)
Not sure if ITAR applies? Check pmddtc.state.gov or talk to an ITAR attorney. Misclassifying something is its own violation, so get it right.
Key Resources
- DDTC Official Portal — ITAR regulations, USML, registration, license applications
- 22 CFR Part 121 (USML) — Complete list of controlled items
- ITAR Compliance Checklist — Step-by-step implementation guide
- DFARS Compliance Guide — Related requirements for DoD contractors
Disclosure: Defense Compliance.ai contains affiliate links to compliance software and consulting services. We recommend tools we've independently vetted; affiliate commissions help fund this resource.