What is the largest ITAR civil penalty ever imposed?

The largest ITAR civil penalty in DDTC history is the $200 million consent agreement imposed on RTX Corporation in 2024. RTX was charged with 750 violations spanning August 2017 through September 2023. Of the $200 million, $100 million was suspended contingent on spending that amount on compliance remediation.

Does voluntary self-disclosure reduce ITAR penalties?

Yes, significantly. Across major enforcement cases, companies that voluntarily self-disclosed under 22 CFR § 127.12 consistently received penalty suspensions of 35–50% of the headline figure, contingent on investing that amount in compliance remediation. RTX disclosed and cooperated fully, receiving a $100 million suspension on its $200 million penalty. FLIR, L3Harris, and Honeywell all self-disclosed and received similar suspension structures.

What is a deemed export and why is it an enforcement priority?

A deemed export occurs when ITAR-controlled technical data is disclosed to a foreign national inside the United States — such as a foreign-national employee accessing controlled drawings, software, or specifications. DDTC has made deemed exports a primary enforcement focus because most defense contractors employ foreign nationals in engineering and technical roles. FLIR Systems was charged $30 million partly for deemed exports to employees of Iranian, Iraqi, Lebanese, and Cuban nationality.

What happens to a company after an ITAR consent agreement?

A consent agreement typically requires more than just a monetary penalty. Companies must appoint a Special Compliance Officer (internal or external), complete a USML jurisdiction and classification review of all products, implement automated export transaction tracking, enhance cybersecurity controls over technical data, undergo at least one independent external compliance audit, provide mandatory documented ITAR training for all relevant employees, and submit semi-annual or annual compliance reports to DDTC. These obligations typically run 18 months to 4 years.

What triggers a DDTC ITAR investigation?

DDTC investigations are initiated through five primary channels: voluntary self-disclosure by the company under 22 CFR § 127.12; directed disclosures requested by DDTC based on anomalous license patterns; inter-agency referrals from DOJ, FBI, DHS, CBP, or the Defense Security Service; post-shipment anomalies flagged through the Blue Lantern end-use monitoring program; and external tips from competitors, employees, foreign governments, or whistleblowers under the False Claims Act.

ITAR Penalty History: Major Enforcement Actions and Settlement Amounts

The record stands at $200 million. That is what RTX Corporation agreed to pay the State Department's Directorate of Defense Trade Controls in 2024 — the largest civil ITAR penalty ever imposed. It will not hold that record forever. The trajectory of DDTC enforcement over the past 17 years points in one direction.

This article is a structured review of the major ITAR enforcement actions on record: what each company did, what it cost them, and what DDTC's charging decisions reveal about how the agency views risk and cooperation. If you are a General Counsel, VP of Compliance, or Export Control Manager at a defense contractor or government-adjacent manufacturer, this is the enforcement history your ITAR compliance program should be calibrated against.

The numbers in consent agreements are public. The lessons are not always drawn clearly. That is the purpose of this review.

How ITAR Penalties Work

Before walking through the cases, it is worth establishing what DDTC can actually do to a company found in violation of the Arms Export Control Act (AECA).

Civil Penalties

The current civil penalty maximum, as adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act, is the greater of $1,271,078 per violation or twice the value of the transaction involved. That ceiling matters because DDTC counts violations transactionally: each unauthorized export, each unauthorized retransfer, each false statement, and each recordkeeping failure is a separate, independently chargeable offense. A company that made 500 unlicensed technical data disclosures over three years is not looking at one violation — it is looking at 500.

In practice, DDTC does not mechanically multiply the per-violation maximum by the violation count. Consent agreements are negotiated, and the headline number reflects a blend of violation severity, aggravating factors, cooperation credit, and the existence of a functioning ITAR compliance program at the time of the violations. But the theoretical exposure in large cases is enormous, and DDTC has not been shy about using that leverage.

Criminal Penalties

Criminal prosecution under 22 U.S.C. § 2778(c) is a separate track, typically handled by the Department of Justice's National Security Division. Criminal penalties can reach $1,000,000 per violation and/or 20 years imprisonment per count for individuals. Corporate criminal fines are not capped at the per-violation maximum — prosecutors use the Alternative Fines Act, which ties fines to the gain or loss associated with the offense, and can exceed the statutory per-violation figure in large cases.

Criminal prosecution requires proof of willfulness. That standard is meaningful, but DDTC and DOJ interpret it broadly: deliberate ignorance — the choice to avoid knowing whether something requires a license — satisfies the willfulness requirement under federal case law.

Debarment

Debarment is the sanction that ends defense businesses. A debarred company cannot export, import, receive export licenses, or be a party to any ITAR-regulated transaction. For a prime contractor or a Tier 1 supplier, debarment is an existential threat. Statutory debarment — triggered automatically by a criminal conviction — was imposed in several of the cases reviewed below and later lifted after documented remediation. Discretionary debarment is available to DDTC even in civil-only cases when the agency concludes the company "cannot be relied upon to comply."

The Enforcement Record: Case by Case

The following cases represent the most significant ITAR enforcement actions in the public record. Each is drawn from DDTC charging letters, consent agreements, and DOJ press releases.

ITT Corporation (2007) — ~$100 Million Total

ITT Corporation remains one of the most instructive cases in ITAR enforcement history, not because of its size but because of its structure. ITT exported classified night-vision technology — specifically, the Gen III image intensifier tube — to China, Singapore, and the United Kingdom without the required State Department licenses. The exports were not rogue acts by individual employees; they reflected systemic failures in how ITT managed technical data sharing with foreign manufacturing partners.

The resolution was multi-part. ITT entered a deferred prosecution agreement with DOJ, which imposed a $2 million criminal fine. A $28 million forfeiture was ordered. DDTC imposed a $20 million civil penalty. And in the provision that made this case structurally unusual, ITT agreed to invest $50 million in U.S. military night-vision research and development — a form of national security restitution that satisfied the deferred prosecution's remediation requirement.

The effective total: approximately $100 million. More significantly, this was the first major criminal conviction under the AECA involving a large defense contractor. Statutory debarment was imposed and later lifted following documented remediation. The message DDTC sent was clear: classified technology transferred without authorization, regardless of the commercial rationale, will attract criminal consequences.

BAE Systems (2011) — $79 Million Civil Penalty

BAE Systems entered a consent agreement with DDTC in 2011 covering 2,591 alleged ITAR violations — the highest violation count in DDTC civil enforcement history at the time. The violations spanned a broad range of conduct across multiple business units: unauthorized exports of technical data, failures in license management, and systemic gaps in the company's export compliance infrastructure.

DDTC imposed a $79 million civil penalty — the largest civil penalty in DDTC history at that point. The consent agreement ran four years and imposed extensive compliance remediation requirements. BAE was not debarred. The absence of debarment reflected DDTC's assessment that BAE, as a major defense prime, had the institutional capacity to remediate — and that debarring it would impose collateral harm on DoD programs.

The BAE case established the structural template for large ITAR consent agreements: a substantial monetary penalty, a multi-year agreement term, external compliance oversight, and suspension of a portion of the penalty contingent on compliance spending.

United Technologies / Pratt & Whitney Canada (2012) — $75 Million

The United Technologies Corporation (UTC) / Pratt & Whitney Canada (PWC) case had a criminal dimension that made it more serious than BAE despite a lower headline number. Pratt & Whitney Canada exported U.S.-origin military engine software to China for use in the Z-10 attack helicopter — a program that the U.S. government had specifically identified as a national security concern.

DDTC charged 576 ITAR violations. The resolution involved both DOJ and State Department: $20.7 million in criminal penalties via DOJ and $55 million in civil penalties via DDTC (with $20 million of the civil penalty suspended). PWC was subjected to statutory debarment following the criminal conviction — a significant sanction that complicated its role as a key supplier on U.S. defense programs. UTC's parent-company compliance improvements and full cooperation with the investigation were credited in the final resolution.

The key lesson from this case: the destination matters enormously. Exports connected to Chinese or Russian military programs are treated categorically differently from exports to U.S. allies. The Z-10's national security implications drove the criminal track and the statutory debarment.

FLIR Systems (2018) — $30 Million

The FLIR Systems case introduced two enforcement themes that have become central to DDTC's current approach. First, it established deemed exports — disclosures of controlled technical data to foreign-national employees inside the United States — as a primary enforcement target. FLIR was charged with making controlled disclosures to employees who were nationals of Iran, Iraq, Lebanon, and Cuba: countries subject to U.S. arms embargoes. The disclosures occurred in FLIR's U.S. facilities, not abroad.

Second, FLIR was charged with failure to maintain adequate records and improper Part 130 payment disclosures. The company had submitted 18 voluntary self-disclosures to DDTC between 2008 and 2017 — a remarkable pattern that reflected either an unusually rigorous self-policing program or a systemic compliance failure that kept producing new violations, depending on how you read it.

DDTC covered 347 violations. The penalty was $30 million, with $15 million suspended for compliance remediation. Notably, this was the first DDTC case requiring the appointment of an independent compliance monitor — an external third party with authority to review, assess, and report on the company's compliance program. That requirement has since become standard in significant consent agreements.

L3Harris Technologies (2019) — $13 Million

L3Harris Technologies entered a consent agreement covering 131 violations, the majority of which were self-disclosed under 22 C.F.R. § 127.12. The violations involved unauthorized exports of defense articles and technical data across multiple business units.

The penalty was $13 million, with $6.5 million suspended. DDTC required appointment of an External Special Compliance Officer and two external compliance audits during the agreement term. The 50% suspension reflects the direct credit given for the voluntary self-disclosure and the company's cooperation throughout the DDTC review process.

Honeywell International (2021) — $13 Million

Honeywell International agreed to a consent agreement in 2021 covering unauthorized exports and retransfers of ITAR-controlled technical data. The violations reflected gaps in how Honeywell managed controlled data sharing across its global operations, including transfers to foreign subsidiaries and partners without proper authorization.

The penalty was $13 million, with $5 million suspended and $8 million paid. DDTC required an External Special Compliance Officer for a minimum of 18 months. The case reinforced DDTC's consistent message that technical data retransfer controls — not just initial export licensing — require dedicated compliance infrastructure.

Keysight Technologies (2021) — $6.6 Million

Keysight Technologies was charged with 24 violations involving the unauthorized export of radar simulation software — specifically, Multi Emitter Scenario Generation software — to 17 countries including China and Russia. Eight of the exports occurred while a commodity jurisdiction review was still pending, meaning Keysight had not yet received a determination on whether the software was subject to ITAR at the time it shipped.

That detail is significant. Proceeding with exports while a classification review is open is treated as an aggravating factor by DDTC, not a neutral act. The penalty was $6.6 million, with $2.5 million suspended. DDTC required a comprehensive classification review of all Keysight products — essentially a full USML jurisdiction review conducted under DDTC oversight.

The 2024 Watershed: Boeing and RTX

The two 2024 consent agreements represent a qualitative shift in DDTC enforcement — not just because of the dollar amounts, but because of what the violations involved.

The Boeing Company (2024) — $51 Million

The Boeing Company was charged with 199 ITAR violations arising from a specific failure mode that is increasingly common across the defense industrial base: inadequate access controls on internal digital repositories containing controlled technical data. Boeing maintained an internal digital library — a document management platform — through which foreign-national employees at multiple sites, including sites in China and Russia, downloaded controlled technical data related to the F-18, F-15, F-22, and AH-64 Apache programs.

One Boeing subsidiary employee was found to have fabricated five export licenses — a falsification that DDTC treated as a serious aggravating factor and flagged explicitly in the charging document.

DDTC stated explicitly that the downloads by employees at Chinese and Russian sites "caused harm to U.S. national security." That language is unusual in consent agreements and signals the agency's view that this was not merely a paperwork failure — it was a genuine national security event.

The penalty was $51 million, with $24 million suspended and $27 million paid over three years. DDTC required Boeing to implement a new automated export compliance system and to provide bi-annual compliance reports. The phased payment structure over three years is itself notable — it reflects the scale of Boeing's concurrent financial pressures while ensuring DDTC's long-term visibility into the company's compliance posture.

RTX Corporation (2024) — $200 Million (Current Record)

RTX Corporation — the successor entity to Raytheon Technologies, itself the product of the United Technologies merger — entered a consent agreement in 2024 covering 750 ITAR violations spanning August 2017 through September 2023. The violations involved improper USML jurisdiction and classification determinations, exports of classified items, and hand-carry violations to proscribed destinations.

The $200 million penalty is the largest civil ITAR penalty in DDTC history. Of that amount, $100 million was suspended contingent on spending those funds on compliance remediation — the standard suspension structure, here applied to a nine-figure baseline. RTX voluntarily disclosed the violations and cooperated fully with DDTC throughout the investigation. That cooperation and the VSDs were credited explicitly in the consent agreement as the basis for the suspension.

DDTC's remediation requirements reflect the breadth of the underlying failures: appointment of a Special Compliance Officer; a comprehensive cybersecurity overhaul to protect controlled technical data; a full data management system rebuild; and documented mandatory ITAR training across all relevant personnel. These are not cosmetic requirements — they represent a DDTC-supervised restructuring of RTX's entire export compliance infrastructure.

The RTX case closes the loop on a pattern that started with ITT in 2007: systemic compliance failures at large defense primes, compounded over years, produce nine-figure consequences. Self-disclosure and cooperation matter at the margin, but they do not change the fundamental calculus — the penalty scales with the scope and duration of the violations.

ITAR Major Enforcement Actions: Summary Comparison

Company	Year	Violations	Penalty (Total)	Suspended	Key Issue
ITT Corporation	2007	Classified exports	~$100M (multi-part)	N/A	Night-vision tech to China/UK; first major AECA criminal conviction
BAE Systems	2011	2,591	$79M	None	Systemic multi-unit compliance failures; largest DDTC civil penalty at time
UTC / Pratt & Whitney Canada	2012	576	$75M ($20.7M criminal + $55M civil)	$20M	Military engine software to China for Z-10 attack helicopter; statutory debarment
FLIR Systems	2018	347	$30M	$15M	Deemed exports to sanctioned-country nationals; first independent compliance monitor
L3Harris Technologies	2019	131	$13M	$6.5M	Multi-unit violations; majority self-disclosed
Honeywell International	2021	Undisclosed	$13M	$5M	Unauthorized retransfers of technical data across global operations
Keysight Technologies	2021	24	$6.6M	$2.5M	Radar software to China and Russia; exports during pending CJ review
The Boeing Company	2024	199	$51M	$24M	Digital library access by China/Russia-based foreign nationals; fabricated licenses
RTX Corporation	2024	750	$200M (record)	$100M	USML misclassification, classified exports, proscribed-destination violations; 6-year span

What DDTC Is Really Targeting Now

Enforcement data from 2018 to 2024 reveals four active enforcement priorities that every compliance program must address directly.

Deemed Exports

Deemed exports — the disclosure of ITAR-controlled technical data to foreign nationals inside the United States — have moved from a compliance footnote to a primary enforcement focus. The logic is straightforward: most large defense contractors and aerospace companies employ significant numbers of foreign-national engineers, analysts, and program managers. Virtually all of them have access to internal document systems. Controlling what those employees can access, and documenting that control, has become one of the most operationally demanding ITAR compliance requirements in practice.

FLIR's $30 million penalty was partly driven by disclosures to nationals of Iran, Iraq, Lebanon, and Cuba — all countries subject to U.S. arms embargoes. The nationality of the foreign national matters: an inadvertent disclosure to a Canadian engineer working in a U.S. facility is a different risk profile than a disclosure to an Iranian national, and DDTC treats them differently.

IT and Cybersecurity Failures as ITAR Failures

The Boeing and RTX consent agreements both contain specific cybersecurity remediation requirements — a development that reflects a fundamental shift in how DDTC defines an adequate compliance program. An internal document management system with inadequate access controls is not just an IT problem; it is an ITAR compliance failure. A cloud environment that allows foreign nationals to download controlled technical data is an unauthorized export, regardless of whether anyone in the compliance department was aware of the downloads.

DDTC now expects defense contractors to maintain technical data access controls that align with the sensitivity of the underlying information — which means integrating export compliance requirements into IT architecture, not just documenting them in a policy manual. If your organization's controlled technical data sits in a repository with role-based access controls that have never been audited against your ITAR authorization records, that gap is actionable.

China and Russia Exposure

Across the enforcement record, transactions with Chinese or Russian nexus consistently produce harsher outcomes — more violations charged, larger penalties, more extensive remediation requirements, and explicit national security harm language in consent agreements. DDTC's charging decisions in Boeing (language about harm to national security from Chinese downloads), UTC/PWC (Z-10 helicopter), and Keysight (exports to China and Russia during pending CJ review) all follow this pattern.

This is not a subtle signal. If your company has Chinese or Russian customers, subsidiaries, joint venture partners, or employees with access to controlled technical data, that exposure is under active DDTC scrutiny. The compliance standards applicable to those relationships are materially higher than for relationships with U.S. treaty allies.

The Penalty Escalation Is Not Coincidental

The movement from BAE's $79 million in 2011 to RTX's $200 million in 2024 reflects a deliberate DDTC policy of escalating penalties to maintain deterrence as the defense industrial base has grown. GAO data covering fiscal years 2013 through 2021 shows DDTC received 8,547 voluntary self-disclosures and issued 505 directed disclosure requests — a volume that indicates active, ongoing compliance failures across the industrial base, not isolated incidents at a few large companies.

How ITAR Investigations Start

Understanding how DDTC finds out about violations is directly relevant to your disclosure and compliance strategy. There are five primary channels.

1. Voluntary Self-Disclosure (22 C.F.R. § 127.12) — This is the most common path to enforcement action, and it is the one companies control. A properly submitted VSD, filed before DDTC has independent knowledge of the violation, is the single most powerful mitigating factor in DDTC's penalty calculus. The timing matters: a VSD submitted after DDTC already knows about the violation through another channel does not receive the same credit as a genuinely proactive disclosure.

2. Directed Disclosures — DDTC independently monitors export license transaction data and can identify anomalous patterns: high-volume shipments to unusual destinations, license conditions that appear inconsistent with reported end-use, or gaps between approved and actual transaction records. When DDTC identifies an anomaly, it issues a directed disclosure request requiring the company to explain the discrepancy. Companies that receive a directed disclosure request have already lost the opportunity for full VSD credit.

3. Inter-Agency Referrals — DOJ, FBI, DHS, CBP, and the Defense Security Service all have visibility into defense trade activities and routinely refer potential ITAR violations to DDTC and DOJ's National Security Division. The Blue Lantern program — DDTC's post-shipment end-use monitoring initiative — generates verification visits to foreign end-users and flags anomalies that trigger domestic investigations.

4. External Tips — Competitors, former employees, foreign governments, and whistleblowers under the False Claims Act all represent meaningful investigation triggers. Whistleblower financial incentives under the False Claims Act are substantial, and the mechanism has been used in defense export control matters. An employee who knows about an unreported ITAR violation and believes the company is not going to self-disclose has a financial incentive to report it externally.

The True Cost: Beyond the Headline Number

The monetary penalty in a consent agreement is the visible number. The less visible costs are often larger in aggregate and longer-lasting in operational impact.

A standard consent agreement in a significant ITAR enforcement action now requires:

Special Compliance Officer — Either an external independent officer or a designated internal officer with reporting authority to the board. Typical term: 18 to 36 months. External SCO engagements at large companies cost several hundred thousand dollars per year.
Complete USML jurisdiction and classification review — A systematic audit of every product, software, and technical data package in the company's portfolio to determine ITAR versus EAR classification. For a major defense contractor, this is a multi-year project involving hundreds of engineering hours and outside counsel fees.
Automated export transaction tracking — Implementation of an export compliance software platform capable of flagging and recording every controlled transaction. Integration with ERP systems, document management platforms, and HR systems (for deemed export management) is operationally intensive.
Enhanced cybersecurity over controlled technical data — Access control audits, user provisioning reviews, encryption requirements, and foreign national access segregation. Boeing's consent agreement requires a new automated export compliance system specifically addressing digital library controls.
Independent external compliance audit — At least one, sometimes two, external audits conducted by a qualified third party during the agreement term. Results are reported to DDTC.
Mandatory documented ITAR training — Role-specific, documented, and tracked for all employees with access to controlled technical data, defense articles, or export transactions. Not generic annual training — tailored curricula by function.
Semi-annual or annual DDTC reporting — Ongoing compliance status reports submitted to DDTC throughout the agreement term, documenting progress against remediation milestones.

The total cost of a consent agreement — including suspended penalty reinvestment, SCO fees, legal costs, system implementation, and audit fees — routinely exceeds the monetary penalty by a factor of two or three in large cases. A $13 million penalty with a $6.5 million suspension, combined with three years of SCO oversight, system implementation, and external audits, can cost a mid-sized contractor $30 million or more in total outlay.

What Self-Disclosure Actually Gets You

The enforcement record is consistent on this point: voluntary self-disclosure produces measurable, material penalty reductions. The pattern across cases is a suspension of approximately 35% to 50% of the headline penalty, contingent on reinvesting those funds in compliance remediation.

That is not a trivial benefit. On a $200 million penalty, 50% suspension is $100 million reinvested rather than paid to the government. On a $13 million penalty, 50% suspension is $6.5 million. The suspended amount is not forgiven — it must be spent on compliance, and DDTC monitors that spending. But it stays in the company's compliance infrastructure rather than flowing to the Treasury.

There is a second benefit that does not show up in the headline numbers: companies that self-disclose before DDTC has independent knowledge of a violation are substantially less likely to face criminal referral to DOJ. The criminal track carries consequences — executive imprisonment, statutory debarment, reputational damage that civil consent agreements largely avoid — that dwarf the monetary cost of the civil penalty.

The practical standard for deciding whether to self-disclose is not whether the violation was intentional. It is whether DDTC is more likely to learn about it through another channel before the company has disclosed. Given the scope of DDTC's monitoring activity, the Blue Lantern program, inter-agency information sharing, and the financial incentives for employee whistleblowers, the answer is often yes.

GAO's data on the VSD program makes the volume clear: 8,547 VSDs received between FY2013 and FY2021. That is an average of nearly 950 per year — a substantial number of companies concluding that disclosure was the right call. Most of those disclosures were resolved with warning letters or no action. The cases that become consent agreements are the ones where the violations were systemic, prolonged, or involved sensitive end-users and destinations.

Protecting Your Organization

The enforcement record points to a clear set of priorities for any defense contractor or dual-use manufacturer that handles ITAR-controlled items, services, or technical data.

Get your USML classifications right. Misclassification — treating a USML-controlled item as EAR or as not subject to either regime — is the root cause of more enforcement actions than any other single factor. A formal USML classification review is not a one-time exercise; the USML is revised periodically, and items that moved from ITAR to EAR control in earlier reforms can move back. Classification records must be maintained and updated.

Audit your deemed export controls. Every foreign national with access to your internal document systems, engineering platforms, or controlled specifications is a potential deemed export risk. The compliance question is not whether you have a policy prohibiting unauthorized deemed exports — it is whether your access controls technically enforce that policy. If your foreign-national employees can access controlled data that they are not licensed to receive, you have a gap regardless of what the policy document says.

Build a self-disclosure protocol before you need it. The worst time to think through your VSD process is when a potential violation has just surfaced. A documented internal protocol — who gets notified, who makes the disclosure decision, what the timing requirements are, and what legal resources are engaged — ensures that the first 24 hours after discovery are spent on disclosure preparation rather than internal confusion.

Treat consent agreement requirements as a baseline, not a ceiling. The remediation measures DDTC imposes in consent agreements — automated transaction tracking, cybersecurity controls over technical data, external audits, SCO oversight — represent DDTC's current view of what adequate compliance infrastructure looks like. If your program does not have those elements, you are operating below the baseline DDTC expects to see in a credible compliance program.

Work With an ITAR Compliance Consultant

The enforcement record described in this article is not abstract regulatory history. Every one of these cases involved a real compliance failure that could have been identified and addressed before DDTC did it for them — at a fraction of the cost.

At itarconsultant.us, Jared Clark works with defense manufacturers, aerospace companies, technology exporters, and government contractors to build, audit, and remediate ITAR compliance programs. Services include USML classification reviews, deemed export program assessments, Technology Control Plan development, mock DDTC audits, and post-disclosure remediation support.

If your organization's compliance program has not been stress-tested against the enforcement priorities described in this article — deemed exports, IT access controls, China and Russia exposure, voluntary self-disclosure protocols — that gap is worth closing before DDTC closes it for you.

Request a free consultation at itarconsultant.us. No sales pitch — an honest assessment of where your program stands and what it would take to bring it to current enforcement standards.

Last updated: April 8, 2026

Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC — Principal Consultant, Certify Consulting | certify.consulting

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. ITAR compliance determinations require case-specific legal and regulatory analysis. Consult qualified export control counsel before making compliance decisions.