What Is ITAR? A Contractor’s Guide to ITAR Compliance
EXECUTIVE BRIEF
The International Traffic in Arms Regulations (ITAR) plays a critical role in regulating the export and import of defense-related materials, ensuring that U.S. defense capabilities remain secure and in trusted hands. Here is what defense contractors need to know:
- Defense contractors must strictly comply with ITAR regulations to avoid civil and criminal penalties, including fines and the loss of contracts
- Regular employee training is critical for identifying and preventing costly and reputation-damaging data breaches
- Implementing strong cybersecurity measures and utilizing ITAR-approved cloud services are necessary for ensuring compliance
Dig deeper and continue learning below!
The International Traffic in Arms Regulations (ITAR) is a set of rules overseen by the U.S. Department of State under the Arms Export Control Act (AECA). ITAR controls the export and import of defense articles, related technical data, and defense services to safeguard U.S. national security and foreign policy interests. The goal is to keep sensitive military technologies out of the wrong hands.
For contractors working within the U.S. Department of Defense (DoD) (also known as the Department of War) ecosystem, understanding ITAR is essential for protecting classified work, avoiding fines, and maintaining your eligibility for government contracts.
Navigating the complex requirements of ITAR can be challenging, particularly for small and medium-sized businesses. This guide will explain ITAR in simple terms, its importance for defense contractors, and how your organization can achieve compliance to avoid severe penalties and maximize your opportunities in the defense industry.
Understanding ITAR
ITAR plays a significant role in protecting U.S. national security. From fiscal years 2013 through 2021, the U.S. Department of State received 8,547 voluntary disclosures of potential ITAR violations from exporters. Any one of those leaks could jeopardize U.S. defense operations and personnel; allow adversaries to replicate, counter, or exploit U.S. capabilities; or simply undermine U.S. credibility and partnerships with allies who rely on tight security controls.
ITAR has 11 parts (22 CFR Parts 120 through 130), including:
- ITAR Part 129 - Registration and Licensing of Brokers
- ITAR Part 130 - Political Contributions, Fees, and Commissions
Why Does ITAR Matter?
ITAR matters because:
- It prevents unauthorized access to weapons, defense tech, and military know-how
- It keeps adversaries from exploiting our capabilities
- It maintains the U.S.’s technological edge in global defense markets
ITAR plays a vital part in protecting sensitive information, including technical blueprints, classified electronics, weapons systems, and military training equipment. Defense contractors, manufacturers, and exporters working with ITAR-controlled items must strictly comply with ITAR regulations to mitigate risks and maintain DoD contracts.
Non-compliance with ITAR can lead to severe civil penalties, loss of contracts, and, in cases of willful violations, even criminal prosecution.
What Is Controlled Technical Data?
ITAR technical data refers to information necessary for the design, development, production, manufacture, or maintenance of defense articles. Examples include:
- Engineering designs and blueprints
- User manuals for defense equipment
- Research studies related to military applications
The unauthorized export of ITAR data, whether through email, cloud storage, or file sharing, is a violation. That’s why it’s critical to implement secure access controls and safeguard sensitive information if you’re handling ITAR data.
What Is the USML?
If ITAR is the rulebook for handling various defense-related items and services, the United States Munitions List (USML) is the list of classified inventory ITAR applies to. If something is on the USML, it’s automatically subject to ITAR control. That means:
- You can’t export it without a license
- You can’t share it with foreign nationals, even inside the U.S.
- You must register with the State Department (DDTC) if you make or deal with it
The USML consists of 21 categories of defense articles, including but not limited to:
- Firearms and Related Articles (Category I)
- Guns and Armament (Category II)
- Ammunition and Ordnance (Category III)
- Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines (Category IV)
- Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents (Category V)
- Surface Vessels of War and Submersible Vessels (Category VI)
- Ground Vehicles (Category VII)
- Aircraft and Related Articles (Category VIII)
- Military Training Equipment and Training (Category IX)
- Personal Protective Equipment (Category X)
- Military Electronics and Associated Equipment (Category XI)
- Fire Control, Laser, Imaging, and Guidance Equipment (Category XII)
- Materials and Miscellaneous Articles (Category XIII)
- Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment (Category XIV)
- Spacecraft and Related Articles (Category XV)
- Nuclear Weapons, Incendiary Agents, and Toxicological Agents (Category XVI)
- Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated (Category XVII)
- Directed Energy Weapons (Category XVIII)
- Gas Turbine Engines and Associated Equipment (Category XIX)
- Submersible Vessels and Related Articles (Category XX)
- Articles, Technical Data, and Defense Services Not Otherwise Enumerated (Category XXI)
The 2025-2026 ITAR Enforcement Landscape
DDTC has 14 items on its regulatory agenda—its most ambitious regulatory agenda since 2016—including USML revisions for semiconductors, space technologies, and emerging tech categories, plus updates to deemed export rules and cloud computing provisions. In addition, civil penalties were adjusted upward to $1,271,078 per violation in 2025.
Enforcement actions in 2024 included the largest ITAR-related settlement in history (with RTX/Raytheon for $950M total—see the full example below). For defense contractors, the compliance environment is tightening, not loosening.
Who Needs To Be ITAR-Compliant?
The following businesses and entities must ensure ITAR compliance:
- Defense contractors working within the DoD supply chain, including hardware, software, and logistics
- Manufacturers of defense articles, ranging from firearms to advanced aerospace systems
- Companies handling related technical data and performing defense services for ITAR-regulated items
ITAR restricts access to controlled data to U.S. persons (citizens and lawful permanent residents). Foreign persons, including certain dual citizens, may not access it without an export license, even if they are your employees or contractors.
ISI INSIGHT: Only U.S. citizens and permanent residents are generally permitted to access or manage ITAR-controlled items unless an appropriate license or exemption has been issued for non-U.S. persons.
What Is a Deemed Export Under ITAR?
A deemed export occurs when ITAR-controlled technical data or defense services are disclosed to a foreign person inside the United States: whether that's showing an engineering drawing to a foreign-national employee, granting a non-U.S. contractor access to a shared drive containing controlled data, or discussing classified specifications in a meeting where a foreign national is present. Under ITAR, this disclosure is legally equivalent to exporting that data to the foreign person's home country, and it carries the same civil and criminal penalties as a physical export without a license.
Deemed exports are one of the most common (and most overlooked) sources of ITAR violations, particularly for contractors with diverse workforces, international teaming arrangements, or university research partnerships. You need documented procedures and access controls (often formalized in a Technology Control Plan) that govern exactly who can access what.
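The access rule behind the deemed-export concept can be expressed as code and run over access logs to surface disclosures that should never have happened. The following is an added example, not ISI's tooling or any DDTC-provided logic; the people, file paths, program names, and log events are constructed, and the notion of a per-program export authorization on file is an assumed simplification of how a real Technology Control Plan would record licenses and exemptions. Note that the decision deliberately ignores where the user was sitting: access from inside the United States is still an export under the rule described above.

```python
"""Deemed-export screening over constructed file-share access events (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user: str
    us_person: bool                                   # U.S. citizen or lawful permanent resident
    licensed_programs: frozenset = frozenset()        # programs with an export authorization on file


@dataclass(frozen=True)
class Resource:
    path: str
    itar_controlled: bool
    program: str = ""                                 # program the controlled data belongs to


@dataclass(frozen=True)
class AccessEvent:
    user: str
    path: str
    location: str                                     # informational only; never enters the decision


# Constructed directory and data inventory (hypothetical names and paths).
PEOPLE = {
    "alice": Person("alice", us_person=True),
    "bob":   Person("bob",   us_person=False),
    "carol": Person("carol", us_person=False, licensed_programs=frozenset({"navsys"})),
    "dave":  Person("dave",  us_person=False),
}
RESOURCES = {
    "/itar/navsys/drawing.pdf": Resource("/itar/navsys/drawing.pdf", True, "navsys"),
    "/itar/radar/spec.docx":    Resource("/itar/radar/spec.docx", True, "radar"),
    "/public/brochure.pdf":     Resource("/public/brochure.pdf", False),
}

# Constructed access log: one line per read of a file-share object.
SAMPLE_EVENTS = [
    AccessEvent("alice", "/itar/navsys/drawing.pdf", "hq-us"),
    AccessEvent("bob",   "/itar/navsys/drawing.pdf", "hq-us"),      # foreign person on-site, no license
    AccessEvent("carol", "/itar/navsys/drawing.pdf", "remote-us"),  # foreign person with authorization
    AccessEvent("bob",   "/public/brochure.pdf",     "hq-us"),      # not controlled
    AccessEvent("dave",  "/itar/radar/spec.docx",    "remote-us"),  # foreign person, no license
    AccessEvent("bob",   "/shared/untagged.xlsx",    "hq-us"),      # resource never classified
]


def access_decision(person: Person, resource: Resource) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Location is intentionally not a parameter."""
    if not resource.itar_controlled:
        return "allow", "resource is not ITAR-controlled"
    if person.us_person:
        return "allow", "U.S. person"
    if resource.program and resource.program in person.licensed_programs:
        return "allow", f"export authorization on file for program {resource.program}"
    return "deny", "foreign person without authorization: disclosure would be a deemed export"


def flag_deemed_exports(events, people=PEOPLE, resources=RESOURCES):
    """Replay access events and return (event, reason) for every one that needs review.

    Unknown users and unclassified resources are flagged rather than ignored: data
    that has not been through jurisdiction/classification cannot be assumed safe.
    """
    flagged = []
    for ev in events:
        person = people.get(ev.user)
        resource = resources.get(ev.path)
        if person is None or resource is None:
            flagged.append((ev, "unknown user or unclassified resource: review required"))
            continue
        decision, reason = access_decision(person, resource)
        if decision == "deny":
            flagged.append((ev, reason))
    return flagged


if __name__ == "__main__":
    for ev, reason in flag_deemed_exports(SAMPLE_EVENTS):
        print(f"REVIEW {ev.user} -> {ev.path} ({ev.location}): {reason}")
```

In practice the same decision function would sit in front of the share (deny before disclosure) and in the log pipeline (detect after the fact); keeping the rule in one place avoids the two drifting apart. The unknown-resource branch is the part most shops get wrong: an untagged file is a classification gap, not a free pass.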
How Contractors Can Achieve ITAR Compliance
Implementing an effective ITAR compliance program is essential. Here are the steps your organization can take to become ITAR-compliant.
1. Develop an ITAR Compliance Plan
Begin by documenting your compliance program, including detailed policies and procedures for managing controlled data. This plan should include measures to restrict foreign persons’ access to ITAR-controlled data, on-site or remotely, and designate compliance responsibilities within your organization.
2. Conduct Regular Audits
Periodically review and audit your workflows and systems to identify potential ITAR compliance gaps. These audits should focus on verifying adherence to your documented policies, assessing the security of your data management practices, and rectifying any vulnerabilities.
3. Leverage Technology for Data Security
Utilize advanced technology solutions to manage and safeguard ITAR-controlled data. Employ data encryption, secure file storage systems, and other tools that align with high cybersecurity standards, such as NIST 800-53.
4. Train Employees
Comprehensive employee training is a critical component of ITAR compliance. Ensure all ITAR-related personnel are well-versed in ITAR regulations, proper data management protocols, and incident reporting procedures.
5. Work with Compliance Experts
Working with security and compliance professionals, such as ISI, can provide your organization with tailored guidance and support. Experts can conduct risk assessments, design compliance frameworks, and offer insights into regulatory updates, ensuring your program remains robust and aligned with current and future standards.
How ITAR, CMMC, and NIST 800-171 Work Together
Defense contractors subject to ITAR almost always face overlapping obligations under CMMC and NIST 800-171 because ITAR-controlled technical data qualifies as Controlled Unclassified Information (CUI) when used, generated, or required for DoD contract performance.
If you handle CUI, you're required to implement the 110 security controls in NIST SP 800-171—and CMMC exists to verify that you've actually done so. Contractors handling ITAR data on DoD contracts who haven't addressed their NIST 800-171 gaps face non-compliance with DFARS cybersecurity requirements and CMMC standards. Additionally, ITAR-specific export control obligations remain independently enforceable, creating dual regulatory exposure.
This is exactly why ISI takes an integrated approach. Instead of managing ITAR, CMMC, and NIST compliance as separate workstreams with separate vendors, ISI combines compliance consulting, managed IT infrastructure (including ITAR-compliant GCC High environments), and cybersecurity monitoring under a single partner—so you're not coordinating across three or four vendors to meet obligations that all stem from the same underlying data.
What Are the Most Common ITAR Violations?
Examples of common ITAR violations include the following:
Failure to Register with the DDTC (Directorate of Defense Trade Controls)
Companies manufacturing, exporting, or brokering defense-related products or services must register with the DDTC. For instance, imagine a small aerospace supplier that begins selling components used in military applications but neglects to register, assuming their contributions are insignificant. This oversight could result in significant penalties and loss of business opportunities.
Improper Handling of ITAR-controlled Items in Cloud Storage or Through Unsecure Email
A common compliance issue is sharing technical data using unsecured email or unauthorized cloud storage. For example, consider an engineer working remotely who uploads ITAR-controlled blueprints to a personal cloud drive for convenience. If this drive lacks sufficient encryption or proper access controls, it could expose sensitive data to unauthorized individuals, including foreign entities.
Untrained Employees Inadvertently Granting Access to Sensitive ITAR Data
Employees lacking sufficient ITAR training may inadvertently grant access to restricted data. For example, an untrained staff member might forward a presentation containing ITAR-controlled technical details to a foreign client without realizing the potential violation. This is why comprehensive compliance training is necessary for all employees handling sensitive information.
Exporting Defense Articles to Foreign Persons Without Proper Licenses or Permissions
Defense articles, whether physical hardware or technical details, require proper licensing before being shared with any foreign individuals or entities. Imagine a scenario in which a defense contractor ships an ITAR-controlled navigation system prototype internationally for a demonstration but fails to obtain the required export license. This breach could result in financial penalties and reputational damage.
What Are the Penalties for ITAR Violations?
Penalties for ITAR violations can be severe. They include:
- Civil penalties of up to $1,271,078 per violation (adjusted annually for inflation)
- Criminal penalties of up to $1 million per violation and/or 20 years imprisonment for willful violations
- Debarment from future export privileges, effectively ending a company's ability to participate in the defense supply chain
- Loss of government contracts and reputational damage that can take years to recover
The lesson for contractors: If you discover a potential ITAR violation, how you respond matters as much as what happened. Having a compliance partner who can help you assess the situation, conduct an internal investigation, and execute a disciplined self-disclosure process should be a risk management requirement.
None of these risks are unique to large enterprises. If your organization handles ITAR-controlled data, manufactures items on the USML, or supports defense programs that involve export-controlled technology, you need a compliance program that can prevent these scenarios and respond effectively if one occurs.
ITAR Compliance Requirements: How to Secure Your ITAR Data
Adopting strong data security practices is critical to safeguarding ITAR-controlled materials and meeting compliance requirements. A foundational element of ITAR data security lies in adherence to NIST 800-53, which establishes a comprehensive baseline of security standards and guidelines. This framework provides a structured approach to identifying, implementing, and assessing security controls critical for protecting sensitive information.
By integrating NIST 800-53, organizations ensure that their security measures address risk management, access control, incident response, and system monitoring—core aspects necessary for ITAR compliance.
Key measures include:
- Ensuring compliance with NIST 800-53 standards to implement and validate robust security controls aligned with federal requirements
- Encrypting all communications that involve sensitive ITAR data to prevent unauthorized access or interception
- Restricting access to authorized U.S. persons only to adhere to ITAR regulations on personnel access
- Regularly updating and patching systems to mitigate vulnerabilities and reduce potential risks
- Using ITAR-compliant cloud solutions, such as Microsoft GCC High
By establishing a strong security posture rooted in NIST 800-53, organizations can confidently address ITAR requirements while minimizing operational risks and regulatory exposure.
How ISI Can Help You Achieve ITAR Compliance
Navigating ITAR requires expertise. At ISI, we bring over a decade of experience working with DoD contractors to simplify compliance challenges. From implementing secure IT infrastructure to developing bespoke compliance programs, we’ll protect your organization.
Stay ahead of the curve—partner with ISI today to safeguard your business against penalties and position yourself for success.
FAQs About ITAR Compliance
What Is the Difference Between ITAR and EAR (Export Administration Regulations)?
The Department of State oversees ITAR, which exclusively regulates defense-related articles and technologies. The U.S. Department of Commerce administers EAR, which governs the export of dual-use items with commercial and military applications.
Does ITAR Apply to Subcontractors and Suppliers?
Yes. ITAR obligations flow down through the entire defense supply chain, which means subcontractors, component manufacturers, and service providers that receive, store, or process ITAR-controlled technical data or defense articles are subject to the same federal regulations as their prime contractor. This is true even if your company never directly exports anything: if you handle items or data listed on the U.S. Munitions List, you must be registered with DDTC and maintain a compliant export control program. Prime contractors are increasingly requiring written ITAR compliance verification from their suppliers before awarding work, so if your organization lacks a documented compliance program, it can cost you contracts before a single violation ever occurs.
Who Enforces ITAR?
The DDTC administers ITAR regulations, while enforcement actions may involve agencies such as the Department of Justice and Homeland Security Investigations.
How Do You Get an ITAR License?
Submit a registration application to the DDTC. Once registered, you can apply for specific export licenses based on your scope of work.
What's the Difference Between ITAR and CMMC?
ITAR and CMMC address different dimensions of the same problem—protecting sensitive defense information—but they operate under separate authorities and enforce different requirements.
- ITAR, codified in 22 CFR Parts 120–130, is administered by the State Department's DDTC and governs the export and handling of defense articles, technical data, and defense services listed on the U.S. Munitions List.
- CMMC, administered by the Department of Defense, verifies that contractors have implemented the cybersecurity controls in NIST SP 800-171 to protect Controlled Unclassified Information (CUI).
Here's where they converge: ITAR-controlled technical data qualifies as CUI when it is used, generated, or required for DoD contract performance, which means contractors handling ITAR data on DoD contracts almost certainly need CMMC Level 2 certification as well. (Note: ITAR-controlled data developed with internal funds that is not part of government contract work remains export-controlled but does not automatically trigger CMMC Level 2 requirements.) The convergence between ITAR and CMMC matters most for contractors performing DoD contracts. If your company manufactures defense articles but doesn't touch CUI on government contracts, ITAR obligations remain independently enforceable under State Department authority, separate from DoD cybersecurity requirements. Treating these as separate compliance workstreams is a common and costly mistake. ISI helps contractors address both through a single, integrated compliance and security program.
How Much Does ITAR Compliance Cost?
There is no fixed price for ITAR compliance because costs vary significantly depending on your company's size, the volume and sensitivity of your export activity, and the current state of your security infrastructure. Common expenses include DDTC registration fees, legal counsel for jurisdiction and classification determinations, secure IT systems that restrict ITAR data to U.S. persons, employee training programs, and ongoing recordkeeping and audit processes. For small and mid-size contractors, the investment can range from tens of thousands to six figures annually. That said, the cost of non-compliance dwarfs the cost of compliance: civil penalties now exceed $1.27 million per violation, criminal violations carry up to $1 million and 20 years imprisonment, and debarment from export privileges can effectively end your ability to participate in the defense market.
What Should I Do If I Discover an ITAR Violation?
Act quickly, document everything, and do not attempt to quietly fix the problem and move on. DDTC strongly encourages—and in practice rewards—voluntary self-disclosure of potential ITAR violations through its established process outlined in 22 CFR § 127.12 (see the 2024 MilliporeSigma example above). Companies that self-disclose promptly and cooperate fully may receive significantly reduced penalties, with DDTC having discretion to consider the voluntary disclosure as a mitigating factor.
The first step is to engage qualified export compliance counsel or a compliance partner who can help you assess the scope of the violation, preserve relevant records, and prepare a disclosure that is thorough and accurate. Incomplete disclosures—where a company fails to submit comprehensive information within the 60-day window after initial notification—may result in DDTC declining to consider the disclosure as a mitigating factor, eliminating the potential for penalty reduction.
Can Remote Employees Access ITAR Data from Home?
Remote access to ITAR data is permitted, but only if your organization has implemented the technical and administrative controls necessary to ensure that access remains restricted to authorized U.S. persons and that the data is protected from unauthorized disclosure. This typically requires an ITAR-compliant cloud environment—such as Microsoft GCC High or AWS GovCloud—end-to-end encryption, multi-factor authentication, and a Technology Control Plan that addresses remote work scenarios.
Standard commercial cloud services like Google Workspace or basic Microsoft 365 do not meet ITAR requirements because the cloud provider's administrators may include foreign persons with potential access to your data. With DDTC actively considering updates to the definition of "regular employee" in ITAR § 120.64 to address post-pandemic work patterns, subcontractors and prime contractors alike should expect increased scrutiny on how remote access is governed. If your remote work infrastructure wasn't built with ITAR in mind, now is the time to fix it.