ITAR Compliance Checklist

Pre-Compliance Assessment: Does ITAR Apply?

Before beginning ITAR implementation, determine whether ITAR compliance is required for your organization. This decision is critical and incorrect classification carries severe penalties.

ITAR Applicability Test

Answer "yes" to any of these questions? ITAR applies to you:

• Do you manufacture any items on the U.S. Munitions List (USML)?
• Do you export defense articles or components internationally?
• Do you provide technical data (drawings, specs, source code, performance info) related to USML items?
• Do you have foreign nationals or foreign-owned subsidiaries with access to defense technology data?
• Do you broker, arrange, or facilitate transactions involving USML articles?
• Do you provide defense services (consulting, engineering, training) on military systems?

If yes to any: ITAR applies. Proceed with registration and compliance program development.

If unsure about USML classification: Request a Commodity Jurisdiction (CJ) from DDTC (60-day review period, free). This provides official government classification and protects you from penalties if classification later changes.

Step 1: Determine USML Classification of Your Products

Timeline: Weeks 1–2

USML classification determines whether ITAR applies. This must be done correctly—false classification to avoid licensing is a serious violation.

How to Classify Your Products

• ✓ Review USML: Access 22 CFR Part 121 at pmddtc.state.gov and review all 21 categories
• ✓ Match your products: Does your product fit any USML category description?
• ✓ Document classification decision: Create a formal memo explaining why each product is or is not USML
• ✓ For dual-use items (unclear): Request Commodity Jurisdiction (CJ) from DDTC (Form DS-83) — takes 60 days but provides definitive answer
• ✓ Consult legal: For borderline cases, consult ITAR compliance attorney before proceeding

Key USML categories for defense contractors:

Step 2: Register with the Directorate of Defense Trade Controls

Timeline: Weeks 2–4

If manufacturing or exporting USML items, registration is mandatory. There is no exemption, no grace period.

DDTC Registration Steps

• ✓ Create account: Go to pmddtc.state.gov and register an account with your company email
• ✓ Gather company information: Name, address, phone, website, parent company (if applicable), foreign ownership details
• ✓ Describe USML products: List all items you manufacture or export, USML category numbers
• ✓ Select registration category:
  • Manufacturer: Makes USML items
  • Exporter: Exports USML items made by others
  • Broker: Arranges USML transactions
  • Dealer: Sells used USML items
• ✓ Specify countries of operation: List all countries where you manufacture, export, or have offices
• ✓ Disclose foreign investment: If foreign-owned or foreign-invested (any %, even minority), declare it
• ✓ Submit and pay fee: Annual fee is $2,250 (non-refundable, due by June 30)
• ✓ Receive registration number: DDTC assigns a registration number used for all future licensing

Important: Registration renewal is due every June 30. Late renewal incurs $1,000 penalty. Mark calendar and submit renewal 60 days before deadline.

Step 3: Appoint an Empowered Official

Timeline: Week 2

Designate a senior officer (VP, Director, or equivalent) responsible for ITAR compliance decisions. This person must have authority to make trade control determinations.

Empowered Official responsibilities:

• ✓ Approve or deny export license applications
• ✓ Make USML classification determinations
• ✓ Authorize technical data sharing with foreign persons/entities
• ✓ Report violations to DDTC
• ✓ Oversee compliance audits and training
• ✓ Maintain records of export licensing decisions

Document in writing: Create a memo designating the Empowered Official with their name, title, and responsibilities. File this with your ITAR compliance records.

Step 4: Classify Your Items Against USML (Formally)

Timeline: Weeks 3–6

Conduct formal USML classification for each product, component, and service offering. Document the decision and evidence.

Classification Decision Documentation

For each product, create a memo containing:

• ✓ Product name and description (detailed technical specs)
• ✓ USML category review (which categories were considered, why did they apply or not apply)
• ✓ Final classification decision (USML or non-USML, with category if applicable)
• ✓ Supporting evidence (design docs, performance specs, contract language)
• ✓ Date of classification and signature of Empowered Official

If classification is unclear after USML review: Request Commodity Jurisdiction (CJ) from DDTC. This is safer than guessing.

Step 5: Create a Technology Control Plan (TCP)

Timeline: Weeks 4–8

Develop written procedures for protecting USML technical data and controlling access by foreign persons.

Technology Control Plan Must Include

• ✓ Technical Data Definition: What constitutes USML technical data (engineering drawings, source code, performance specs, manufacturing procedures, training materials)
• ✓ Marking Requirements: All USML technical data must be marked: "This item is subject to the International Traffic in Arms Regulations (ITAR). Unauthorized export, re-export, transfer, or retransfer is prohibited."
• ✓ Access Controls: Only U.S. persons (citizens, permanent residents, authorized aliens) can access USML data; foreign nationals require export license or Technical Assistance Agreement
• ✓ Storage and Security: USML data must be stored in secure locations (locked cabinets, password-protected databases, encrypted drives)
• ✓ Transmission Controls: No email of USML data to foreign addresses; use VPN or secure file transfer for authorized transfers; never use public cloud storage (Dropbox, Google Drive, OneDrive) for USML data without encryption and access controls
• ✓ Deemed Export Controls: Procedures to prevent sharing USML data with foreign nationals in the U.S. (no display on shared screens, no meetings with unvetted foreign persons)
• ✓ Subcontractor Controls: All subs with USML data access must sign ITAR flow-down agreement and follow identical TCP
• ✓ Audit Procedures: Annual compliance audits verifying access controls, marking, and secure storage

Step 6: Screen All Personnel (Foreign Nationals and Foreign Ownership)

Timeline: Weeks 5–10

Implement background checks and maintain a register of all foreign nationals, especially those with USML data access.

Foreign National Screening Procedure

• ✓ Create Foreign National Register: List all foreign nationals employed or contracted, their country of citizenship, visa status
• ✓ Conduct Background Checks: Verify visa status, check U.S. denied parties lists (SDN, BIS Entity List, DDTC Debarred Parties), confirm no export control violations
• ✓ Restrict USML Access: Foreign nationals cannot access USML technical data unless:
  • They hold a valid visa (generally H-1B, L-1, O-1) and have been vetted by facility security
  • A Technical Assistance Agreement (TAA) has been approved by DDTC specifically permitting their access, OR
  • They are working within a Manufacturing License Agreement (MLA)
• ✓ Visitors: All foreign visitors must be vetted before visiting a facility where USML data is stored or discussed; visitors must not be allowed into secure areas unless pre-approved
• ✓ Subcontractors: If foreign-owned companies are subcontractors with USML access, require proof of DDTC approval (TAA or MLA) or request approval from DDTC

Deemed Export Risk: The most common ITAR violation is allowing foreign nationals access to USML data without proper vetting or license. A single email to a foreign engineer, or a video call where an engineer reviews code with a foreign participant, is a violation.

Step 7: Establish Export License Request and Tracking System

Timeline: Weeks 6–12

Before exporting USML items or technical data, you must request and obtain an export license from DDTC. This process takes 30–90 days.

Export License Workflow

• ✓ Trigger: Sales order or contract involving USML items or technical data to foreign entity/person
• ✓ Submit Application: File form via pmddtc.state.gov at least 60 days before intended export date (processing takes 30–90 days)
• ✓ Application contents:
  • Applicant (your company) and DDTC registration number
  • Recipient (foreign purchaser/licensee): company name, address, country
  • Commodity (detailed description of USML item/data)
  • End use and end user certification
  • Technical data flag (if sharing technical data)
  • Quantity and value
• ✓ Interagency Review: DDTC may refer to DoD, State, or other agencies for security review (adds 30–60 days)
• ✓ Approval/Denial: License is approved, denied, or issued with conditions
• ✓ Tracking System: Maintain a log of all applications with submission date, approval date, license number, and shipment confirmation
• ✓ Record Retention: Keep licenses and export documentation for minimum 5 years

Note: Certain countries (Iran, North Korea, Syria, Sudan, and designated terrorist-supporting countries) are prohibited. Licenses will never be issued for those destinations.

Step 8: Train Employees on ITAR Requirements

Timeline: Week 12, then annually

All employees—especially engineers, sales, and those handling USML data—must receive ITAR training.

ITAR Training Topics

• ✓ What is ITAR and why it matters (penalties, criminal liability)
• ✓ USML categories and how to identify USML items/data
• ✓ Technical data markings and secure storage
• ✓ Foreign national restrictions and deemed exports
• ✓ Export licensing process and timelines
• ✓ Consequences of violations (examples of prosecutions)
• ✓ How to report suspected violations

Documentation: Require employees to sign training acknowledgement. Retain sign-off sheets for compliance records.

Step 9: Conduct Compliance Audits and Maintain Records

Timeline: Ongoing (annual minimum)

Audit your ITAR compliance annually. This identifies gaps before DDTC/FBI discovers them.

Annual Compliance Audit Checklist

• Review all USML exports from past 12 months; verify licenses were obtained before shipment
• Check foreign national register; verify all foreign nationals were properly vetted and their data access documented
• Inspect technical data storage (file cabinets, servers, cloud storage); verify ITAR marking and access restrictions
• Review email for any USML technical data sent to foreign recipients; verify license was obtained
• Verify all subcontracts include ITAR flow-down language
• Verify DDTC registration is current (not lapsed) and renewal fee is paid
• Document any compliance gaps found; create remediation plan

Record Retention

Maintain for minimum 5 years:

• DDTC registration certificates
• USML classification decisions (with supporting documentation)
• Export licenses and shipping documentation
• Foreign national register and background check records
• Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs)
• Employee training records
• Audit reports
• Incident reports (if violations discovered)

Step 10: Report Violations Voluntarily (If Discovered)

Critical: If you discover an ITAR violation, report it to DDTC immediately. Voluntary disclosure significantly reduces penalties.

Voluntary Disclosure Process

• ✓ Document the violation: What was exported, when, to whom, without proper license
• ✓ Notify your legal counsel: Prepare written disclosure with legal guidance
• ✓ Submit disclosure to DDTC: Send certified letter to pmddtc@state.gov with details and supporting docs
• ✓ Cooperate with investigation: DDTC will investigate; provide all records and employee interviews
• ✓ Penalty reduction: Voluntary disclosure typically results in 50–75% penalty reduction vs. DDTC-discovered violations

Example: Company discovers an engineer sent USML drawings to a foreign contractor without license. Voluntary disclosure might result in $25,000 penalty; DDTC discovery could result in $500,000+ penalty.

Complete 10-Step ITAR Compliance Checklist

Cost Estimates and Timeline

Recurring annual costs:

• DDTC registration renewal: $2,250
• Annual audit (internal): $3,000–$5,000
• Consultant support (as needed): $2,000–$5,000
• Total annual: $7,250–$12,250

Frequently Asked Questions

Can we use cloud storage (Google Drive, Dropbox) for USML technical data?

No. Standard cloud storage is not secure enough for USML data. If you must use cloud, require end-to-end encryption with your own encryption keys, limit access to U.S. persons only, and log all access. Consult legal before use.

If we have a foreign subsidiary, can it handle USML products?

Only if you obtain a Manufacturing License Agreement (MLA) or Technical Assistance Agreement (TAA) from DDTC. Foreign subsidiaries cannot access USML data without explicit DDTC approval.

How long must we keep export licenses and shipping records?

Minimum 5 years from date of export. Retain digitally in secure storage with access logs.

What's the penalty for an unlicensed export of USML items?

Civil penalties up to $500,000 per violation. Criminal charges can include up to 20 years imprisonment and $1M fines. Each shipment or transmission can be a separate violation.

Do we need to disclose ITAR violations discovered in the past?

Yes. Voluntary disclosure of past violations significantly reduces penalties. Waiting for DDTC/FBI to discover them results in much harsher penalties.

Can a foreign national with a visa work on USML projects?

Only if they have proper visa status (H-1B, L-1, O-1, etc.) AND a DDTC-approved Technical Assistance Agreement is in place. Standard visa alone is not sufficient.

Need legal guidance on ITAR compliance? Consult an ITAR-specialized attorney or export control compliance firm. Incorrect implementation exposes your company to $500K+ penalties and criminal liability.