Definitive ITAR Guide

What is ITAR? — The Definitive Guide to
International Traffic in Arms Regulations

By Jared Clark, JD, MBA, PMP, CMQ-OE · Updated February 2026 · ~20 min read

200+
Clients Served
100%
Audit Pass Rate
JD, CMQ-OE
Expert Credentials

ITAR (International Traffic in Arms Regulations) is the set of U.S. federal regulations, codified at 22 CFR Parts 120–130, that controls the export, temporary import, and brokering of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). Administered by the State Department's Directorate of Defense Trade Controls (DDTC) under the authority of the Arms Export Control Act (AECA), ITAR requires all manufacturers, exporters, and brokers of defense articles to register with DDTC and obtain prior authorization before transferring controlled items or information to foreign persons — whether abroad or within the United States. Violations carry civil penalties up to $1,267,619 per violation and criminal penalties including fines up to $1,000,000 and imprisonment up to 20 years.

ITAR Purpose and Scope (22 CFR Parts 120–130)

The International Traffic in Arms Regulations exist for a single, critical purpose: to prevent defense articles, defense services, and related technical data from reaching foreign adversaries, unauthorized end users, or destabilizing regions. ITAR is not a suggestion or a best-practice framework — it is federal law with criminal prosecution exposure.

ITAR derives its authority from the Arms Export Control Act (AECA), 22 U.S.C. § 2778, which grants the President (delegated to the Secretary of State) the authority to control the import and export of defense articles and defense services. The regulations themselves span 22 CFR Parts 120 through 130, each governing a specific aspect of defense trade:

  • Part 120 — Purpose, definitions, and general policies
  • Part 121 — The United States Munitions List (USML)
  • Part 122 — Registration of manufacturers and exporters
  • Part 123 — Licenses for the export of defense articles
  • Part 124 — Agreements, off-shore procurement, and other defense services
  • Part 125 — Licenses for the export of technical data and classified defense articles
  • Part 126 — General policies and provisions (including country-based restrictions)
  • Part 127 — Violations and penalties
  • Part 128 — Administrative procedures
  • Part 129 — Registration and licensing of brokers
  • Part 130 — Political contributions, fees, and commissions

The scope of ITAR is broad by design. The regulations apply not only to finished weapons systems but to every component, part, accessory, and piece of technical data associated with defense articles. ITAR controls follow the item, not the transaction — meaning a defense article remains ITAR-controlled regardless of how many times it changes hands within the United States. The moment it crosses a border or is disclosed to a foreign person, ITAR authorization is required.

Who Must Comply with ITAR

ITAR compliance is not limited to large defense contractors. The regulations apply to any U.S. person or entity involved in the manufacture, export, temporary import, or brokering of defense articles, defense services, or related technical data. The following categories of organizations must maintain ITAR compliance:

Defense Manufacturers

Any company that manufactures defense articles — including components, parts, accessories, or attachments for items listed on the USML — must register with DDTC under 22 CFR 122.1. This applies regardless of whether the company exports. A manufacturer that produces USML-listed items solely for domestic sale is still required to register.

Exporters and Temporary Importers

Companies that export defense articles or defense services, or that temporarily import defense articles into the United States, must be registered and must obtain proper export licenses (DSP-5, TAA, MLA, or applicable exemptions) before any transfer occurs.

Brokers

Under 22 CFR Part 129, any person or entity that acts as an agent for others in negotiating, contracting, or arranging the manufacture, export, import, or transfer of defense articles or defense services must register as a broker with DDTC. This includes commission-based sales representatives, trading companies, and intermediaries in defense transactions.

Freight Forwarders and Logistics Providers

Companies that handle the physical movement of defense articles must ensure compliance with ITAR shipping and documentation requirements. While freight forwarders do not typically need to register with DDTC, they must verify that proper export authorizations exist before moving ITAR-controlled cargo and must maintain accurate shipping records.

Universities and Research Institutions

Universities conducting defense-related research, particularly under DoD contracts, must comply with ITAR when research involves ITAR-controlled technical data. The fundamental research exclusion (22 CFR 120.33) provides some protection for basic research intended for publication, but sponsored research with export restrictions, restricted publication clauses, or access limitations by foreign nationals falls squarely under ITAR control.

Subcontractors and Supply Chain Partners

Tier 2 and Tier 3 subcontractors that receive ITAR-controlled technical data or manufacture ITAR-controlled components must register with DDTC and maintain their own ITAR compliance programs. Prime contractors are responsible for ensuring their subcontractors are compliant, but each entity in the supply chain bears independent legal responsibility for its own ITAR obligations.

Common Compliance Gap

In our experience consulting with 200+ clients, the most common compliance gap involves subcontractors and component manufacturers who do not realize they are handling ITAR-controlled items. If you supply parts or components to a defense prime contractor, your products may be ITAR-controlled even if you do not consider yourself a "defense company." When in doubt, request a written determination from your prime contractor regarding the ITAR status of the items and data you handle.

What ITAR Controls

ITAR controls three distinct categories of items and activities. Understanding these categories is essential because each carries different compliance requirements, licensing procedures, and penalty exposure.

Defense Articles (22 CFR 120.31)

Defense articles include any item or technical data listed on the United States Munitions List (USML) at 22 CFR 121.1. This encompasses:

  • Firearms, close assault weapons, and combat shotguns
  • Ammunition and ordnance
  • Launch vehicles, guided missiles, ballistic missiles, and rockets
  • Military vehicles, aircraft, and vessels
  • Classified articles, technical data, and defense services
  • Military electronics and guidance systems
  • Spacecraft, satellites, and related components
  • Protective equipment (body armor, helmets, shields)
  • Specifically designed or modified components, parts, accessories, and attachments for any of the above

The critical phrase is "specifically designed or modified." A commercial off-the-shelf (COTS) screw used in a defense article is generally not ITAR-controlled. But a screw specifically designed with unique specifications for a missile guidance system is a defense article under ITAR.

Defense Services (22 CFR 120.32)

Defense services include:

  • Furnishing assistance (including training) to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, or use of defense articles
  • Furnishing technical data to foreign persons
  • Military training of foreign units and forces

Defense services require either a Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA) approved by DDTC before they can be provided to foreign persons.

Technical Data (22 CFR 120.33)

Technical data includes information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes:

  • Blueprints, drawings, photographs, plans, and instructions
  • Written or recorded documentation
  • Software directly related to defense articles (source code, object code, algorithms)
  • Oral or visual disclosures of the above

Technical data does not include general scientific, mathematical, or engineering principles commonly taught in schools and available in the public domain, or basic marketing information on function or purpose.

The United States Munitions List (USML) — 21 Categories

The USML at 22 CFR 121.1 organizes defense articles into 21 categories. Each category defines the specific items, components, and technical data that fall under ITAR control. Accurate USML classification is the foundation of ITAR compliance — misclassification can result in unauthorized exports, missed licensing requirements, and significant penalty exposure.

I. Firearms, Close Assault Weapons & Combat Shotguns
II. Guns & Armament
III. Ammunition & Ordnance
IV. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs & Mines
V. Explosives & Energetic Materials, Propellants, Incendiary Agents & Their Constituents
VI. Surface Vessels of War & Special Naval Equipment
VII. Ground Vehicles
VIII. Aircraft & Related Articles
IX. Military Training Equipment & Training
X. Personal Protective Equipment
XI. Military Electronics
XII. Fire Control, Laser, Imaging & Guidance Equipment
XIII. Materials & Miscellaneous Articles
XIV. Toxicological Agents, Including Chemical Agents, Biological Agents & Associated Equipment
XV. Spacecraft & Related Articles
XVI. Nuclear Weapons Related Articles
XVII. Classified Articles, Technical Data & Defense Services
XVIII. Directed Energy Weapons
XIX. Gas Turbine Engines & Associated Equipment
XX. Submersible Vessels & Related Articles
XXI. Articles, Technical Data & Defense Services Not Otherwise Enumerated

Each USML category contains specific paragraphs (a, b, c, etc.) that enumerate controlled items at increasing levels of specificity. Category XXI serves as a catch-all for items that are inherently military in nature but not specifically enumerated in Categories I through XX.

September 2025 USML Revisions

The State Department finalized revisions to 15 of 21 USML categories effective September 2025 — the most significant restructuring in a decade. Companies must re-evaluate product classifications and update compliance programs to reflect these changes. If you have not reviewed your USML classifications since September 2025, your compliance program may be out of date. Contact us for a classification review.

Key ITAR Definitions

ITAR uses precise legal definitions that differ from their colloquial meanings. Misunderstanding these terms is a common source of compliance failures. The following definitions are taken directly from 22 CFR Part 120:

Technical Data (22 CFR 120.33)
Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. Includes blueprints, drawings, plans, instructions, software source code, and documentation. Does not include basic marketing materials, general scientific principles, or information in the public domain.
Deemed Export (22 CFR 120.17)
The release or disclosure of ITAR-controlled technical data to a foreign person within the United States is "deemed" to be an export to that person's country of nationality or permanent residence. This means sharing ITAR technical data with a foreign national employee at your U.S. facility requires the same export authorization as shipping the data overseas. Companies must implement Technology Control Plans (TCPs) to manage deemed export risk.
Defense Article (22 CFR 120.31)
Any item or technical data designated on the USML. Includes finished items, components, parts, accessories, attachments, firmware, software, and technical data. A defense article remains ITAR-controlled throughout its lifecycle, from manufacture through eventual destruction or demilitarization.
Defense Service (22 CFR 120.32)
The furnishing of assistance (including training) to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, or use of defense articles; and the furnishing of technical data to foreign persons. Defense services require a Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA).
U.S. Person (22 CFR 120.62)
A lawful permanent resident of the United States, a protected individual under 8 U.S.C. 1324b(a)(3), any corporation or business entity organized under U.S. law (including foreign branches), or any U.S. government agency. The distinction between U.S. persons and foreign persons is central to every ITAR compliance decision.
Empowered Official (22 CFR 120.67)
A U.S. person who is a responsible employee, officer, or director of a registered company with independent authority to inquire into and verify the compliance of the company with ITAR, sign export license applications and agreements, and attest to the accuracy of information submitted to DDTC. Every registered company must designate at least one empowered official.

DDTC Registration Requirement

Registration with the Directorate of Defense Trade Controls is the mandatory first step in ITAR compliance. Under 22 CFR 122.1, any person who engages in the United States in the business of manufacturing, exporting, or temporarily importing defense articles, or furnishing defense services, is required to register with DDTC. Registration is required before any export license application can be submitted.

Who Must Register

  • Manufacturers of defense articles (even if they do not export)
  • Exporters of defense articles, defense services, or technical data
  • Companies that temporarily import defense articles
  • Brokers of defense trade transactions (under Part 129)

Registration Process

Registration is completed through the Defense Export Control and Compliance System (DECCS) portal. The process involves:

  1. Creating a DECCS account and company profile
  2. Completing the DS-2032 registration form
  3. Designating an empowered official (22 CFR 120.67)
  4. Paying the applicable registration fee
  5. Submitting supporting documentation (articles of incorporation, organizational chart)

Typical processing time is 45–60 days from submission to approval. We recommend beginning the process at least 90 days before you need to engage in defense trade activity.

Registration Fees (Effective January 2025)

Tier Criteria Annual Fee
Tier 1 Registrants with 0–5 active approvals $3,000/year ($2,500 for qualifying small businesses)
Tier 2 Registrants with more than 5 active approvals $4,000/year
Tier 3 Registrants with more than 5 active approvals (excess) $4,000 + $1,100 per approval over 5

Registration must be renewed annually. Failure to maintain active registration while continuing to manufacture or export defense articles is itself an ITAR violation. For detailed guidance on the registration process, see our DDTC Registration page.

Penalties for ITAR Violations

ITAR penalties are among the most severe in any U.S. regulatory regime. The enforcement landscape has intensified significantly in recent years, with DDTC pursuing both large defense primes and small manufacturers with equal vigor. Understanding the penalty structure is essential for any cost-benefit analysis of compliance investment.

Civil Penalties

Under 22 CFR 127.10, civil penalties for ITAR violations reach $1,267,619 per violation (2025 inflation-adjusted amount). Each unauthorized export, each instance of unauthorized disclosure of technical data, and each failure to obtain required authorization constitutes a separate violation. A single shipment containing multiple defense articles can generate multiple violations.

Criminal Penalties

Under 22 U.S.C. § 2778(c), criminal violations of the AECA carry penalties of up to $1,000,000 per violation and imprisonment up to 20 years. Criminal prosecution requires willful intent, but the Department of Justice has taken an increasingly aggressive posture toward prosecution of ITAR violations, particularly those involving state sponsors of terrorism or sanctioned countries.

Administrative Consequences

  • Debarment — Prohibition from participating in defense trade, effectively disqualifying the company from defense contracts
  • Denial of export privileges — Revocation of existing licenses and prohibition on future license applications
  • Mandatory compliance measures — Required appointment of external compliance monitors, enhanced reporting obligations
  • Consent agreements — Binding agreements with DDTC requiring specific remedial actions and ongoing reporting
Case Study: RTX/Raytheon Settlement (2024)

The $950 million RTX/Raytheon settlement in 2024 stands as the largest ITAR enforcement action in history. The case involved unauthorized exports of defense articles and technical data, failure to disclose known violations, and systemic compliance program deficiencies. The settlement included $200M in civil penalties, $750M in deferred prosecution agreement terms, appointment of an independent compliance monitor, and a three-year remediation plan.

This case underscores a critical reality: the cost of non-compliance consistently exceeds the cost of building and maintaining a robust ITAR compliance program. Our clients' compliance program investments typically range from $50,000–$150,000 in the first year — a fraction of even a single civil penalty.

ITAR vs EAR: High-Level Comparison

The U.S. maintains two parallel export control regimes: ITAR for defense articles and EAR for dual-use and commercial items. Understanding which regime controls your items is the first step in export compliance. Misclassification between the two regimes is one of the most common — and most consequential — compliance errors.

Attribute ITAR EAR
Administering Agency State Department (DDTC) Commerce Department (BIS)
Legal Authority Arms Export Control Act (AECA) Export Control Reform Act (ECRA)
Control List U.S. Munitions List (USML) Commerce Control List (CCL)
Items Controlled Defense articles, services, technical data Dual-use and commercial items
Registration Mandatory DDTC registration No registration required
License Exceptions Limited exemptions (22 CFR 126.4-.17) Broad license exceptions available
Civil Penalties Up to $1,267,619 per violation Up to $364,992 per violation
Criminal Penalties $1M fine + 20 years imprisonment $1M fine + 20 years imprisonment
Restrictiveness More restrictive — presumption of denial Less restrictive — case-by-case review

When an item could fall under either ITAR or EAR, a Commodity Jurisdiction (CJ) determination from DDTC resolves the question definitively. A CJ determination is legally binding and protects the company from subsequent enforcement action based on misclassification. For a comprehensive analysis of the differences between these two regimes, see our dedicated ITAR vs EAR comparison page.

Recent ITAR Changes and Developments

The ITAR regulatory landscape is evolving faster than at any point in the last two decades. Companies that have not reviewed their compliance programs since mid-2025 are operating with potentially outdated classifications, procedures, and risk assessments. The following developments require immediate attention:

USML Category Revisions (September 2025)

The State Department finalized the most sweeping USML restructuring in a decade, affecting 15 of 21 categories. Key changes include:

  • Revised descriptions in Categories I–IV to align with modern weapons technology
  • Updated controls on unmanned systems (UAVs, UGVs) across multiple categories
  • Clarified "specifically designed" criteria to reduce ambiguity in classification decisions
  • New provisions for additive manufacturing (3D printing) of defense articles
  • Revised satellite and space article controls in Category XV reflecting commercial space industry growth

Companies must re-evaluate every product classification against the updated category text. An item that was correctly classified before September 2025 may now fall under a different paragraph or category entirely.

AUKUS Defense Trade Exemption (December 2025)

The AUKUS trilateral security partnership between the United States, United Kingdom, and Australia finalized its defense trade exemption framework in December 2025. The exemption permits license-free transfer of certain ITAR-controlled defense articles and technical data among AUKUS member nations — but only for qualified participants meeting strict eligibility criteria:

  • Both sender and recipient must be approved AUKUS participants
  • Items must fall within the approved AUKUS scope (not all USML categories are covered)
  • End-use must support AUKUS defense cooperation objectives
  • Enhanced security and compliance program requirements apply
  • Record-keeping and reporting obligations specific to AUKUS transfers

The AUKUS exemption is a significant development for defense trade, but it is not a blanket waiver. Companies must carefully evaluate whether their specific transactions qualify before proceeding without a license.

CMMC 2.0 and Dual Compliance

The Cybersecurity Maturity Model Certification (CMMC) 2.0 program, now entering mandatory third-party assessments, creates a dual compliance requirement for companies handling ITAR technical data. ITAR-controlled technical data stored or transmitted on information systems requires NIST 800-171 controls, which aligns with CMMC Level 2. Companies that fail CMMC assessments risk losing defense contracts and face potential ITAR violations for inadequate protection of technical data.

Increased Enforcement Activity

DDTC enforcement actions increased significantly in 2024–2025, with the $950M RTX/Raytheon settlement signaling a new enforcement posture. Smaller companies are not immune — DDTC has pursued enforcement actions against companies with as few as 10 employees. The agency has specifically targeted:

  • Failure to register despite manufacturing defense articles
  • Deemed export violations involving foreign national employees
  • Unauthorized retransfers by foreign recipients
  • Inadequate Technology Control Plans

Frequently Asked Questions About ITAR

Yes. ITAR applies to any defense article listed on the USML, including components, parts, accessories, attachments, and associated technical data. Under 22 CFR 121.1, specifically designed or modified components for defense articles are themselves defense articles — regardless of whether they function independently as weapons. If your component is specifically designed for integration into a USML-listed item, your company must register with DDTC and comply with all ITAR requirements. This is one of the most common compliance gaps we identify during audits.
A deemed export occurs when ITAR-controlled technical data or defense services are disclosed to a foreign person within the United States. Under 22 CFR 120.17, releasing technical data to a foreign national — even an employee at your U.S. facility — constitutes an export to that person's country of nationality. This means companies with foreign national employees must obtain export licenses before sharing ITAR-controlled information with those employees, implement Technology Control Plans (TCPs) to prevent unauthorized access, and screen all personnel with access to ITAR data. Deemed export violations are among the most frequently cited in DDTC enforcement actions.
DDTC registration through the Defense Export Control and Compliance System (DECCS) typically takes 45–60 days from initial application to approval. The process requires a completed DS-2032 form, designation of an empowered official, payment of registration fees ($3,000/year for Tier 1), and supporting documentation including articles of incorporation. Registration must be renewed annually and is a prerequisite for applying for any export license. We recommend beginning the process at least 90 days before you need to engage in any defense trade activity. See our DDTC Registration guide →
Companies can and should perform their own initial USML classification assessment. However, when there is ambiguity about whether an item is ITAR-controlled (USML) or EAR-controlled (CCL), you should submit a Commodity Jurisdiction (CJ) request to DDTC under 22 CFR 120.4. A CJ determination is legally binding and definitively establishes which regulatory regime controls your item. Self-classification carries risk — an incorrect determination that your item is EAR-controlled when it is actually ITAR-controlled constitutes a violation. We recommend CJ requests for dual-use technologies, items near the USML/CCL boundary, and any item where classification is not clear-cut.
If you discover an ITAR violation, you must file a voluntary disclosure with DDTC under 22 CFR 127.12. The process requires an initial notification within 60 days of discovering the violation, followed by a full disclosure within 60 days of the initial notification. The disclosure must include a detailed description of the violation, root cause analysis, affected parties, corrective actions taken, and preventive measures implemented. Voluntary disclosure is treated as a strong mitigating factor in DDTC enforcement decisions — companies that self-report consistently receive lower penalties than those whose violations are discovered through investigation. We strongly recommend engaging legal counsel and a compliance consultant immediately upon discovering a potential violation.
JC

About the Author

Jared Clark, JD, MBA, PMP, CMQ-OE

Jared Clark is an ITAR compliance consultant and export control expert with hands-on experience guiding 200+ clients through DDTC registration, compliance program development, USML classification, export licensing, and voluntary disclosure. Holding a Juris Doctor (JD), MBA, Project Management Professional (PMP) certification from PMI, and Certified Manager of Quality/Organizational Excellence (CMQ-OE) designation from ASQ, Jared brings legal, business, project management, and quality systems expertise to every engagement. His clients maintain a 100% first-time audit pass rate.

For broader certification consulting across ISO, GMP, and other regulatory frameworks, visit our parent practice at certify.consulting.

JD MBA PMP CMQ-OE

Need Help with ITAR Compliance?

Schedule a free 30-minute consultation. We will assess your current ITAR compliance posture, identify gaps, and outline a clear path to full compliance — no obligation, no pressure.

Schedule Free ITAR Consultation Call 858-240-4353

Or email us at support@certify.consulting