What Is ITAR?
ITAR — the International Traffic in Arms Regulations — is a U.S. regulatory framework that controls the export, re-export, import, and transfer of defense articles, defense services, and related technical data. It is codified at 22 CFR Parts 120–130 and administered by the Directorate of Defense Trade Controls (DDTC), part of the U.S. Department of State. [VERIFIED: 22 CFR 120.1, pmddtc.state.gov]
ITAR derives its authority from the Arms Export Control Act (AECA), 22 U.S.C. 2778, which authorizes the President to control the import and export of defense articles and services. The ITAR implements that authority with detailed licensing requirements, registration mandates, and prohibited activities.
The central concept in ITAR is the United States Munitions List (USML) — a list of 21 categories of defense articles and services subject to ITAR controls. If your product, component, service, or technical data appears on the USML, ITAR applies to you — regardless of your company size, revenue, or number of employees.
ITAR does not have a small business exemption. A 10-person manufacturer making a USML-controlled bracket or sensor is subject to the same penalties, registration requirements, and licensing obligations as a $10B prime contractor. Size is irrelevant. What matters is whether your item, service, or technical data is on the USML.
CMMC deadline countdown + defense bid alerts
Get the weekly brief defense contractors actually read — deadlines, new contract awards, compliance changes.
No spam. Unsubscribe anytime.
Check Your CMMC Readiness in 5 Minutes
ITAR and CMMC often overlap — manufacturers handling technical data need both, and your gaps may be the same.
Take the Free Assessment →The United States Munitions List (USML)
The USML is organized into 21 categories, each covering a class of defense articles or services. [VERIFIED: 22 CFR 121.1 (USML), pmddtc.state.gov]
Firearms up to .50 caliber, combat shotguns, parts and components
Firearms .51 caliber and above, mortars, artillery, parts and components
Ammunition, bombs, grenades, mines, torpedoes, fuzes, explosive components
Missiles, rockets, torpedoes, bombs, mines, and warheads
Propellants, pyrotechnics, explosives, and related hazardous materials
Warships, naval combat vessels, submarine systems and equipment
Tanks, military vehicles, armored vehicles and related combat systems
Military aircraft, aircraft components, aircraft engines specifically designed for military use
Military simulators, trainers, and training equipment designed for weapons systems
Electronic warfare systems, intelligence systems, electronic countermeasures specifically designed for military use
Night vision, optical systems, and targeting/guidance equipment for military use
Military satellites, spacecraft, re-entry vehicles, and space-qualified subsystems
Categories X, XIII, XIV, XVI–XXI cover protective personnel equipment, auxiliary military equipment, toxicological agents, nuclear weapons, classified articles, directed energy weapons, submarines, and other specialized defense articles. For the complete and authoritative USML, see 22 CFR Part 121. [VERIFIED: 22 CFR 121.1]
Many dual-use items that have both commercial and military applications fall under the Export Administration Regulations (EAR) administered by the Commerce Department — not ITAR. If you're unsure whether your product is USML (ITAR) or Commerce Control List (EAR), you can request a commodity jurisdiction (CJ) determination from DDTC. Never assume EAR without confirming. Manufacturing something that looks commercial but is "specifically designed" for a military application often makes it USML. Request a CJ determination at pmddtc.state.gov.
Who Must Register with DDTC
DDTC registration is required under 22 CFR Part 122 for: [VERIFIED: 22 CFR 122.1, pmddtc.state.gov/registration]
- Manufacturers of defense articles on the USML — even if you never export. Domestic manufacturing alone triggers registration.
- Exporters of defense articles or services — shipping USML items or providing defense services to foreign persons or entities
- Brokers of defense articles — facilitating transfers of USML items between third parties
- Providers of defense services — technical assistance, training, or maintenance on USML items for foreign recipients
Registration is not required for:
- Retail dealers in ordinary firearms (who do not manufacture, export, or provide defense services)
- Persons whose only defense article activities are through a registered manufacturer's license
Registration costs $2,250 per year (as of 2026) and must be renewed annually. There is no fee waiver for small businesses. [VERIFIED: 22 CFR 122.6, pmddtc.state.gov]
DDTC Registration Process
DDTC registration is completed through the D-Trade system at pmddtc.state.gov. The process involves: [AI-GENERATED guidance based on DDTC registration procedures]
- Create a D-Trade account at pmddtc.state.gov/ddtc_public. The account requires a valid business email and will be linked to your organization's EIN.
- Complete the DS-2032 Statement of Registration — this form captures your legal business name, address, type of activity (manufacturer, exporter, broker), categories of defense articles, and designated Empowered Official(s).
- Designate your Empowered Official(s) — at minimum one EO is required. The EO must be a U.S. person with authority to sign export licenses and agreements on behalf of the company.
- Submit with payment — $2,250 registration fee payable via credit card or electronic check.
- Await DDTC review — new registrations typically take 30–60 days for DDTC review and approval. Renewals process faster.
You must complete DDTC registration before you engage in regulated activities. Do not begin manufacturing, exporting, or providing defense services while your registration is pending unless you have legal counsel confirm the specific activity is exempt. Operating without registration while under review is still a violation.
Building a ITAR Compliance Program
DDTC expects registered companies to maintain a written compliance program — a Technology Control Plan (TCP) — even though the ITAR does not prescribe a specific format. [AI-GENERATED guidance based on DDTC voluntary compliance program guidance]
Technology Control Plan (TCP)
A TCP is a written document that describes how your company controls access to ITAR-controlled technical data, hardware, and services. It should cover:
- Scope: What USML categories your company works with, what specific items/data are controlled
- Personnel: Who is a "U.S. person" under ITAR (citizenship/immigration status screening procedures)
- Physical controls: How ITAR hardware and documents are stored and secured
- IT controls: How ITAR technical data is protected on systems, networks, and cloud environments
- Visitor controls: Procedures for foreign national visitors in ITAR-controlled areas
- Export screening: How you screen before transferring data, components, or services to foreign recipients
- Training: Annual ITAR awareness training for all personnel with access to controlled data
- Incident procedures: How to handle suspected violations and voluntary disclosures
The TCP doesn't need to be long — a 10–20 page document tailored to your specific activities is typically sufficient for a small manufacturer. It must be reviewed and updated at least annually.
Empowered Official (EO)
The Empowered Official is a critical ITAR compliance role. Under 22 CFR 120.67: [VERIFIED: 22 CFR 120.67]
- Must be a U.S. person (U.S. citizen or lawful permanent resident)
- Must be a senior employee with actual authority to bind the company (officer, director, or equivalent)
- Must have personal knowledge of the laws governing export of defense articles
- Personally certifies the accuracy and legality of every export license application and agreement
- Cannot delegate EO responsibilities — the EO signs personally
Small manufacturers should designate a primary and backup Empowered Official. If your single EO leaves the company or is unavailable, you cannot sign export license applications until a new EO is registered with DDTC.
Record Keeping Requirements
ITAR mandates a 5-year record retention requirement for all export transactions, licenses, agreements, and supporting documentation. [VERIFIED: 22 CFR 122.5] Required records include:
- All export licenses (DSP-5, DSP-73, DSP-85) and authorization documents
- All Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs)
- Correspondence with DDTC (commodity jurisdiction requests, advisory opinions)
- Shipping and customs documents for exported defense articles
- Records of technical data disclosures to foreign persons
- Training records demonstrating annual ITAR awareness training completion
Records must be accessible for DDTC audits and Blue Lantern end-use checks. Failure to produce required records is itself a violation.
Common Violations and Penalties
ITAR violations are among the most severely penalized in U.S. export control law. [VERIFIED: 22 U.S.C. 2778(c), 22 CFR 127.10]
| Violation Type | Common Cause | Maximum Penalty |
|---|---|---|
| Unauthorized export | Shipping USML item without DSP-5 license; emailing ITAR drawings to foreign person | $1,308,333/violation civil; 20 years imprisonment criminal |
| Unlicensed deemed export | Allowing foreign national employee to access ITAR technical data without export license | $1,308,333/violation civil |
| Failure to register | Manufacturing USML articles without DDTC registration | $1,308,333/violation civil; criminal referral possible |
| Agreement violations | Activities outside scope of approved TAA or MLA | Penalty per occurrence; agreement revocation |
| Record-keeping failures | Insufficient documentation, records not retained 5 years | Civil penalty per missing record |
| False statements | Inaccurate export license applications | Federal felony; criminal prosecution |
DDTC's Voluntary Disclosure program provides significant penalty mitigation for companies that self-report violations. Companies that voluntarily disclose and cooperate fully typically receive 50–75% penalty reductions and avoid criminal referrals. If you discover a potential ITAR violation, consult export control counsel immediately about whether voluntary disclosure is appropriate.
Export License Types
When you need to transfer ITAR-controlled items, data, or services to foreign recipients, you generally need either a license or an agreement from DDTC. [VERIFIED: 22 CFR Part 123 (licenses), 22 CFR Part 124 (agreements), pmddtc.state.gov]
| Authorization Type | Use Case | Processing Time |
|---|---|---|
| DSP-5 | Permanent export of defense articles (hardware). Most common export license for manufacturers exporting finished goods or components. | 30–60 days typical; can be longer for sensitive items or destinations |
| DSP-73 | Temporary export for items that will return to the U.S. (e.g., demos, repairs, tests abroad) | 30–60 days |
| DSP-85 | Temporary import of foreign defense articles for repair, modification, or other purposes | 30–60 days |
| Technical Assistance Agreement (TAA) | Sharing ITAR technical data or providing defense services to a foreign entity (engineering support, training, maintenance) | 60–120 days; government-to-government review may add time |
| Manufacturing License Agreement (MLA) | Authorizing a foreign company to manufacture defense articles using U.S. technology or know-how | 90–180 days; extensive review required |
| Warehouse and Distribution Agreement (WDA) | Authorizing a foreign entity to warehouse and distribute U.S. defense articles | 60–90 days |
License processing times are estimates and vary significantly based on the item sensitivity, destination country, end-user, and DDTC workload. Apply well in advance of need — there is no rush processing option for most licenses.
License Exemptions
Some transfers are exempt from individual license requirements under 22 CFR Part 126. Common exemptions for small manufacturers include:
- 22 CFR 126.4: Exports to U.S. government departments and agencies
- 22 CFR 126.5: Canadian exemptions for certain defense articles (with significant restrictions)
- 22 CFR 126.6: Transfers to U.S. government-owned contractors overseas for specific government contracts
Exemptions are narrow and frequently misapplied. Relying on an exemption that doesn't actually apply is still a violation. Consult export control counsel before invoking an exemption for the first time. [AI-GENERATED guidance]
Deemed Exports: The Hidden Risk for Manufacturers
A deemed export occurs when ITAR technical data is released to a foreign national within the United States. No physical export occurs — but sharing a drawing, specification, or source code file with a foreign national employee, contractor, or visitor is treated as an export to their country of citizenship. [VERIFIED: 22 CFR 120.54]
This creates significant risks for manufacturers who:
- Employ foreign nationals in engineering or manufacturing roles with access to ITAR drawings
- Use foreign national contractors or consultants on ITAR programs
- Host foreign national visitors in facilities where ITAR hardware or documents are present
- Collaborate with foreign universities or research institutions on ITAR-related projects
The solution is not to refuse to hire foreign nationals — it is to identify which roles require access to ITAR technical data and either restrict access to U.S. persons or obtain an appropriate export license (TAA or employment authorization) for foreign nationals in those roles. [AI-GENERATED guidance]
Under ITAR, you must determine each employee's or contractor's citizenship/immigration status when they will have access to ITAR technical data. This must be documented. ITAR does not permit general "need to know" access controls alone — U.S. person status is a hard requirement. Work with HR and legal counsel to establish compliant screening procedures.
Restricted Parties Screening
Before any transfer of ITAR-controlled articles, services, or technical data, you must screen all parties involved against U.S. government restricted-party lists. Screening is not optional — transferring to a denied or debarred party is a strict-liability violation regardless of intent. [VERIFIED: 22 CFR 127.1, AECA Section 38(g)(4)]
Required Screening Lists
ITAR exporters must screen against multiple government lists. The key lists for defense manufacturers:
| List | Maintained By | What It Covers |
|---|---|---|
| AECA Debarred List | State Dept / DDTC | Parties debarred from defense trade under ITAR — the primary ITAR-specific denial list |
| Specially Designated Nationals (SDN) | Treasury / OFAC | Sanctioned individuals, entities, and countries — covers terrorism, narcotics, weapons proliferation |
| Entity List | Commerce / BIS | Parties subject to specific license requirements due to proliferation or national security concerns |
| Denied Persons List | Commerce / BIS | Individuals and entities denied export privileges under EAR |
| Unverified List | Commerce / BIS | Foreign end users whose bona fides could not be verified in prior transactions |
| Non-SDN Chinese Military-Industrial Complex Companies | Treasury / OFAC | Chinese military-industrial complex companies subject to investment and transaction restrictions |
Screening Best Practices
- Screen every transaction — every new customer, supplier, end-user, freight forwarder, and intermediary before each export. Repeat screening is required; a party cleared last month may be listed today.
- Screen employees and contractors — foreign national employees who will access ITAR technical data must also be screened against restricted-party lists
- Use fuzzy matching — restricted-party names have transliteration variants, aliases, and spelling differences. Screen tools must match against known-also-as (AKA) names.
- Document every screen — retain screening results (date, lists checked, match/no-match) for 5 years as part of your ITAR record-keeping obligation
- Escalate hits — any potential match must be escalated to your Empowered Official and export control counsel before proceeding. Do not self-clear hits without expert review.
The U.S. government offers the free Consolidated Screening List (CSL) search tool at trade.gov, which queries multiple lists simultaneously. For production compliance programs, commercial screening tools (Visual Compliance, Descartes, OCR Services) provide automated batch screening and continuous monitoring. Small manufacturers can start with the free CSL tool and upgrade as volume grows.
DDTC and BIS guidance identifies transaction "red flags" that indicate possible diversion or end-use concerns: the customer is reluctant to identify end-use or end-user; the product's intended use doesn't match the buyer's business; the customer declines normal installation, training, or maintenance; payment comes from a third party with no apparent connection to the transaction; the delivery route is unusual for the destination. Any red flag requires enhanced due diligence before proceeding. [VERIFIED: BIS Red Flag Indicators, 15 CFR 732 Supplement 3]
Technology Transfer Controls
Technology transfer — sharing ITAR technical data with any foreign person, whether abroad or domestically — is the highest-risk area for small defense manufacturers. Most ITAR violations by manufacturers involve unauthorized transfers of technical data, not physical exports of hardware. [AI-GENERATED guidance based on DDTC enforcement actions and compliance guidance]
What Constitutes "Technical Data" Under ITAR
Under 22 CFR 120.33, ITAR technical data includes: [VERIFIED: 22 CFR 120.33]
- Design drawings and specifications — engineering blueprints, CAD files, 3D models, tolerances, and manufacturing specs for USML items
- Manufacturing know-how — process instructions, tooling specifications, quality control procedures, and test methods specific to USML production
- Software source code — source code for firmware, embedded systems, or applications specifically designed for USML defense articles
- Test data and results — performance testing, qualification data, and failure analysis for USML items
- Operational manuals — technical manuals describing operation, maintenance, or repair of USML defense articles
What is NOT technical data: general scientific, mathematical, or engineering principles taught in universities; basic marketing information (catalog descriptions, general performance claims); publicly available information already in the public domain through authorized government release.
Common Technology Transfer Scenarios for Manufacturers
| Scenario | ITAR Implication | Required Authorization |
|---|---|---|
| Emailing a CAD file to a foreign supplier | Export of technical data | TAA or DSP-5 with technical data provisions |
| Foreign national intern viewing engineering drawings on screen | Deemed export to intern's country of citizenship | TAA or individual export license |
| Uploading ITAR specs to a cloud server with foreign admin access | Deemed export to admins' countries of citizenship | Restrict to U.S.-person-only cloud environment |
| Discussing manufacturing processes at a foreign trade show | Defense service or technical data release | TAA covering scope of discussion |
| Foreign-owned subsidiary accessing parent company's ITAR data | Export to foreign entity | TAA or MLA depending on relationship |
| Outsourcing CNC programming to a foreign machinist | Defense service (providing manufacturing know-how) | TAA required before engagement begins |
Technology Transfer Control Measures
- Mark all ITAR documents — every document, drawing, and file containing ITAR technical data should carry a restrictive legend: "This document contains technical data controlled under ITAR (22 CFR Parts 120–130). Distribution is restricted to U.S. persons unless authorized by the U.S. Department of State."
- Segregate ITAR data on IT systems — store ITAR technical data in access-controlled folders/repositories separate from commercial data. Implement role-based access controls that restrict access to verified U.S. persons.
- Control email and file sharing — block or flag outbound emails containing ITAR file attachments to foreign email domains. Disable sharing of ITAR folders to external accounts.
- Lock down physical access — secure ITAR hardware, prototypes, and printed documents in controlled-access areas. Maintain visitor logs for any foreign nationals entering controlled areas.
- Manage portable media — control USB drives, external hard drives, and laptops containing ITAR data. Encrypt all portable media. Prohibit taking ITAR data abroad without an export license.
- Audit and monitor — periodically audit access logs to confirm only authorized U.S. persons accessed ITAR technical data. Investigate and document anomalies.
University-based fundamental research results that are ordinarily published and shared broadly in the scientific community are excluded from ITAR technical data. However, this exclusion is very narrow for manufacturers: if your company sponsors university research with restrictions on publication or foreign national participation, those restrictions may remove the fundamental research exclusion. Research results generated under a government contract with export control clauses are typically not "fundamental research." Never assume this exclusion applies without export control counsel review. [VERIFIED: 22 CFR 120.34]
How ITAR Interacts with CMMC and CUI
ITAR and CMMC are separate regulatory frameworks, but they significantly overlap for defense manufacturers. Understanding the intersection prevents both compliance gaps and redundant controls. [VERIFIED: 22 CFR 120.10, 32 CFR Part 170, DoD CUI Registry]
When ITAR Technical Data Is Also CUI
ITAR technical data — design drawings, specifications, source code, test results for USML items — is frequently designated as CUI (Controlled Unclassified Information) under the DoD's CUI program. When this overlap occurs, both ITAR and CMMC requirements apply simultaneously.
The key differences:
| Control Dimension | ITAR Requirement | CMMC Requirement |
|---|---|---|
| Access control | U.S. persons only (citizenship/immigration check required) | Need-to-know + least privilege (no citizenship requirement) |
| Encryption | Required for electronic transmission of ITAR data | FIPS 140-2 validated encryption required for CUI |
| Cloud storage | U.S. person access only; provider administrators must be U.S. persons | FedRAMP Moderate or equivalent; FIPS encryption |
| Foreign visitor controls | Export license required for access to ITAR data/hardware | Access control policy sufficient; no specific foreign national restriction |
| Third-party assessment | No mandatory third-party assessment (self-managed compliance) | C3PAO assessment required for Level 2 certification |
| Record retention | 5 years (22 CFR 122.5) | 3 years for CUI records (DoD CUI requirements) |
In practice, ITAR's access control requirements (U.S. persons only) are more restrictive than CMMC's access control requirements. Satisfying ITAR access controls for a system generally satisfies CMMC access controls for the same system — but the reverse is not true. A system that meets CMMC access control requirements may still have ITAR violations if foreign nationals have system access.
Cloud and ITAR: The Specific Challenge
Standard commercial cloud services are generally not compliant for ITAR technical data storage because cloud provider administrators — who may be foreign nationals — could potentially access data. [AI-GENERATED guidance based on DDTC cloud guidance]
ITAR-compliant cloud options include:
- AWS GovCloud (US): U.S. citizen-only operators; supports ITAR workloads with appropriate configuration
- Microsoft Azure Government: Similar U.S. person-only operations model
- Google Cloud Government: Supports ITAR with Access Transparency and specific configuration
Using any of these services still requires your own access controls — the cloud provider's U.S.-person operations model is necessary but not sufficient. Your own account administrators and authorized users must also be U.S. persons for ITAR technical data.
ITAR Compliance Program: Minimum Requirements for Small Manufacturers
These are the practical minimums a small manufacturer needs to maintain defensible ITAR compliance. Larger programs and higher-risk activities require more. [AI-GENERATED guidance]
- Active DDTC registration — renewed annually, $2,250/year, all USML categories you work with listed
- Written Technology Control Plan (TCP) — covers physical controls, IT controls, personnel screening, visitor procedures, and incident response
- Designated Empowered Official — U.S. person, senior employee, registered with DDTC; backup EO recommended
- U.S. person screening procedures — documented process to verify citizenship/immigration status for all personnel accessing ITAR technical data
- Annual ITAR training — all personnel with access to ITAR-controlled items, data, or services; training records retained
- Export screening process — country, party, and end-use screening before any transfer of ITAR items or data to foreign recipients
- 5-year record retention — all licenses, agreements, shipping documents, and training records
- Voluntary disclosure procedures — documented process for identifying, escalating, and reporting potential violations
Frequently Asked Questions
Next Steps for ITAR Compliance
If you manufacture or plan to manufacture USML items and haven't established ITAR compliance, this is the action sequence: [AI-GENERATED guidance]
- Determine jurisdiction. Confirm whether your products/data are on the USML (ITAR) or Commerce Control List (EAR). If uncertain, request a commodity jurisdiction determination from DDTC.
- Register with DDTC. Complete your DS-2032 registration at pmddtc.state.gov before beginning regulated activities. Budget $2,250/year and 30–60 days for initial approval.
- Designate your Empowered Official. Identify a senior U.S.-person employee with authority to sign licenses and agreements. Register them with DDTC on your DS-2032.
- Write your Technology Control Plan. Document physical controls, IT controls, personnel screening, visitor procedures, training program, and incident response.
- Audit your IT systems for ITAR data. Identify where ITAR technical data lives. Confirm all users with access are U.S. persons or have appropriate export authorizations. See our defense supply chain requirements guide for related IT controls.
- Assess CMMC overlap. If your ITAR technical data is also CUI, you'll need CMMC Level 2 certification for systems that store or process it. Use our free CMMC readiness tool to baseline your gap.
- Engage export control counsel. ITAR is technically complex and penalty-heavy. Establishing your compliance program with qualified export control counsel is not optional — it is the cheapest insurance against a multimillion-dollar violation. Connect with the DefenseBizStack community for vetted referrals.
Check Your CMMC Readiness in 5 Minutes
ITAR-controlled manufacturers handling CUI need CMMC too — see your readiness score and close both gaps at once.
Take the Free Assessment →