ITAR Compliance FAQ — Expert Answers to Common Export Control Questions

ITAR compliance requires navigating a complex regulatory framework — 22 CFR Parts 120-130, 21 USML categories, DDTC registration, export licensing, technical data controls, and penalties reaching $1.27M per violation (civil) and 20 years imprisonment (criminal). Below, we answer the 24 most common ITAR questions organized by topic, drawing on experience serving 200+ compliance clients with a 100% first-time audit pass rate.

Getting Started with ITAR

5 questions

ITAR (International Traffic in Arms Regulations) is a set of U.S. federal regulations codified at 22 CFR Parts 120-130 that controls the export and temporary import of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). ITAR is administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State, under authority of the Arms Export Control Act (AECA). Any U.S. person or entity that manufactures, exports, or brokers defense articles must register with DDTC and comply with ITAR requirements.
Any U.S. person or entity involved in manufacturing, exporting, temporarily importing, or brokering defense articles, defense services, or related technical data must comply with ITAR. This includes: defense contractors and manufacturers, subcontractors in the defense supply chain, exporters of military items, brokers arranging defense trade, freight forwarders handling ITAR shipments, universities conducting defense-related research, and any company whose employees access ITAR-controlled technical data. Even companies that only manufacture defense articles for domestic sale must register with DDTC under 22 CFR 122.1.
No. There is no official “ITAR certification” or “ITAR certified” designation from the U.S. government. Unlike ISO standards that have formal certification audits, ITAR compliance is self-assessed and enforced through DDTC registration, compliance program implementation, and government enforcement actions. Companies register with DDTC (which is a legal requirement, not a certification) and are expected to maintain compliant programs. Any company claiming to be “ITAR certified” is using imprecise language — the correct term is “ITAR compliant” or “DDTC registered.”
The United States Munitions List (USML) is the official list of defense articles, defense services, and related technical data controlled under ITAR. It is codified at 22 CFR 121.1 and contains 21 categories covering items from firearms (Category I) through spacecraft systems (Category XV) to directed energy weapons (Category XVIII). The USML was significantly revised in September 2025, with updates to 15 of 21 categories. Items on the USML require DDTC authorization for export, temporary import, or transfer to foreign persons.
Defense articles are items specifically designed, developed, configured, adapted, or modified for military application that are listed on the USML. This includes weapons systems, military vehicles, aircraft, ammunition, military electronics, guidance systems, and spacecraft. It also includes components, parts, accessories, and attachments specifically designed for defense articles. Importantly, technical data related to defense articles (blueprints, specifications, software) is also controlled as a defense article under ITAR.

DDTC Registration

4 questions

DDTC registration requires: (1) creating an account in the DECCS portal, (2) designating an Empowered Official who is a U.S. person and direct employee, (3) preparing required documentation including articles of incorporation, empowered official designation letter, and past violations disclosure, (4) completing the DS-2032 Statement of Registration, (5) paying the applicable fee (Tier 1: $3,000/yr, Tier 2: $4,000/yr, Tier 3: $4,000 + $1,100 per approval over 5), and (6) awaiting DDTC review and approval. The process typically takes approximately 45 days.
As of January 2025, DDTC registration fees are: Tier 1: $3,000/year (no license approvals in prior year), Tier 2: $4,000/year (1-5 license approvals), Tier 3: $4,000/year plus $1,100 per approval over 5. Small businesses with revenues under $500,000 qualify for a $500 discount on Tier 1 fees. Registration must be renewed annually. Late renewal can result in registration lapse, preventing the company from applying for export licenses or conducting defense trade.
DDTC registration typically takes approximately 45 days from complete submission to approval. The timeline breaks down as: 1-2 weeks for document preparation and DECCS enrollment, 1 week for DS-2032 completion and submission, and 3-4 weeks for DDTC review. Delays occur when documentation is incomplete, the empowered official designation is deficient, or DDTC requests additional information. Using an experienced ITAR consultant can reduce preparation time and minimize the risk of requests for information (RFIs) that extend the timeline.
DECCS (Defense Export Control and Compliance System) is the U.S. State Department’s online portal for managing all ITAR-related transactions. It replaced the older D-Trade system. Through DECCS, companies can submit and manage their DDTC registration, apply for export licenses (DSP-5, DSP-73, DSP-85), submit Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs), file voluntary disclosures, and manage their compliance records. All ITAR-registered entities must maintain an active DECCS account.

Compliance Program

4 questions

A comprehensive ITAR compliance program includes: management commitment and compliance policy, designated Empowered Official with authority to oversee compliance, risk assessment of ITAR-controlled activities, written compliance procedures and manual, employee training program (initial and annual refresher), technical data access controls and marking procedures, visitor access and foreign person screening procedures, export license tracking and proviso compliance, recordkeeping systems (5-year retention per 22 CFR 122.5), internal audit program, corrective action procedures, and ongoing compliance monitoring including regulatory change tracking.
An Empowered Official (EO) is a U.S. person who is a direct employee of the ITAR-registered entity and has authority to: sign export license applications, oversee the company’s compliance program, ensure employee training compliance, authorize disclosures of technical data, and bind the company in ITAR matters. The EO must be designated in the DDTC registration and must have sufficient seniority and actual authority within the organization. The EO cannot be an outside consultant. Companies should designate at least one backup EO to ensure continuity.
Yes. Subcontractors that handle ITAR-controlled defense articles, defense services, or technical data must comply with ITAR regardless of their tier in the supply chain. If a subcontractor manufactures ITAR-controlled items, they must register with DDTC independently. DFARS clause 252.225-7048 requires prime contractors to ensure subcontractor compliance for export-controlled items. Subcontractors must implement technical data controls, train employees on ITAR requirements, screen for foreign person access, and maintain proper records. The prime contractor’s compliance does not extend to or protect the subcontractor — each entity is independently responsible.
ITAR requires retention of all records related to defense trade activities for a minimum of 5 years per 22 CFR 122.5. This includes: DDTC registration documents, export license applications and approvals, shipping and export documentation, technical data transfer records, training records, visitor logs, compliance audit reports, corrective action records, correspondence with DDTC, voluntary disclosure files, and any records related to ITAR-controlled transactions. Records must be accessible for review by DDTC or other authorized government agencies.

Technical Data & Exports

4 questions

ITAR technical data (defined at 22 CFR 120.33) is information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes: blueprints, drawings, photographs, plans, instructions, and documentation. It also includes classified information relating to defense articles and defense services. Technical data does NOT include: basic marketing information, general scientific, mathematical, or engineering principles taught in universities, or information in the public domain.
A deemed export occurs when ITAR-controlled technical data or defense services are disclosed to a foreign person within the United States. Under ITAR, sharing technical data with a foreign national employee, contractor, or visitor in the U.S. is legally equivalent to exporting that data to the person’s home country. This means companies with foreign national employees who have access to ITAR-controlled information must either obtain an export license or ensure the technical data is properly restricted. Deemed export controls are one of the most commonly violated ITAR provisions, particularly in companies with diverse international workforces.
ITAR-controlled technical data and defense services cannot be shared with foreign nationals without proper authorization. Sharing ITAR data with a foreign person — whether in the U.S. (deemed export) or abroad (export) — requires either: a valid export license (DSP-5 or TAA), an applicable exemption under 22 CFR Part 126 (such as the AUKUS exemption for qualified Australian and UK nationals), or a license exception. Companies must implement access controls to prevent unauthorized disclosure. Unauthorized disclosure to a foreign person constitutes an ITAR violation regardless of intent.
ITAR provides several license types: DSP-5 (permanent export of defense articles or technical data), DSP-73 (temporary export), DSP-85 (temporary import), Technical Assistance Agreement (TAA) for defense services or technical data sharing over time, Manufacturing License Agreement (MLA) for foreign production of defense articles, and Warehouse and Distribution Agreement (WDA) for storage and distribution abroad. Each license type has specific application requirements, review timelines, and proviso conditions.

Penalties & Enforcement

4 questions

ITAR violations carry three categories of penalties: Civil penalties up to $1,267,619 per violation (2025 adjusted amount under 22 CFR 127.10), Criminal penalties up to $1,000,000 fine and 20 years imprisonment per violation for willful violations, and Administrative penalties including debarment (prohibition from defense trade) and denial of export privileges. The largest ITAR enforcement action in history was the RTX/Raytheon $950 million settlement in October 2024. Penalties apply to both companies and individuals.
A voluntary disclosure (VD) is a self-report to DDTC when a company discovers it has committed an ITAR violation. The process is governed by 22 CFR 127.12. Companies must submit an initial notification to DDTC promptly upon discovery, followed by a full disclosure within 60 days that includes: a narrative description, timeline, affected transactions, root cause analysis, and corrective actions taken. Voluntary disclosure is strongly encouraged because it demonstrates good faith and typically results in significantly reduced penalties. Failure to disclose known violations results in substantially harsher enforcement if later discovered.
ITAR investigations are conducted by DDTC’s Compliance and Enforcement Division, sometimes in coordination with the Department of Justice. Investigations may be triggered by voluntary disclosures, tips, audit findings, or foreign government reports. During an investigation, DDTC may: request documents and records, conduct on-site inspections, interview company personnel, review export licenses and compliance records, and examine technical data controls. Investigations can take months to years. Outcomes range from no action (for minor, self-disclosed violations) to consent agreements, civil penalties, criminal referrals, and debarment.
Debarment is the most severe administrative penalty under ITAR. A debarred entity or individual is prohibited from participating directly or indirectly in any defense trade transaction — including manufacturing, exporting, brokering, or providing defense services. Debarment effectively bars a company from the defense industry entirely. Debarment can be statutory (automatic upon criminal conviction under AECA) or administrative (imposed by the State Department). Debarment periods vary but can be indefinite. Companies can apply for reinstatement after demonstrating comprehensive compliance reforms.

CMMC & Cybersecurity

3 questions

ITAR itself does not require CMMC (Cybersecurity Maturity Model Certification). However, defense contractors handling ITAR-controlled technical data in electronic form are effectively required to implement NIST SP 800-171 security controls because ITAR technical data qualifies as Controlled Unclassified Information (CUI). Since CMMC Level 2 is based on NIST 800-171, defense contractors with ITAR data face de facto dual compliance: ITAR export control requirements plus CMMC cybersecurity certification (phasing in 2025-2028 under DFARS 252.204-7021). Building one integrated compliance program that satisfies both is the most cost-effective approach.
ITAR requires that technical data transmitted or stored electronically be protected with end-to-end encryption (22 CFR 120.54). Beyond this explicit requirement, DDTC expects reasonable security measures. In practice, this means: NIST SP 800-171 controls, FedRAMP Moderate (minimum) for cloud storage, encryption at rest and in transit, multi-factor authentication, access control based on need-to-know, audit logging, incident response procedures, mobile device management, and foreign national IT access restrictions (deemed export controls).
NIST Special Publication 800-171 is a cybersecurity framework with 110 security practices organized across 14 control families. It is the basis for protecting Controlled Unclassified Information (CUI) in non-federal systems. ITAR technical data qualifies as CUI, so defense contractors handling electronic ITAR data should implement NIST 800-171 controls. This framework covers: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
Jared Clark, JD, MBA, PMP, CMQ-OE

ITAR Compliance Expert

Jared Clark is the founder of Certify Consulting, a full-service certification consulting firm. With credentials including JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC, Jared brings a unique combination of legal, business, and technical expertise to ITAR compliance consulting. His Juris Doctor is particularly relevant — ITAR is a legal framework with criminal prosecution exposure, requiring compliance guidance that accounts for legal consequences.
