ITAR Compliance: International Traffic in Arms Regulations Guide

Last Reviewed: March 2026

The International Traffic in Arms Regulations (ITAR) is a set of federal regulations that controls the export and import of defense-related articles, services, and technical data listed on the United States Munitions List (USML). Administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State, ITAR derives its statutory authority from the Arms Export Control Act (AECA), 22 U.S.C. 2778. The regulations are codified at 22 CFR Parts 120 through 130. Any U.S. person or organization that manufactures, exports, or brokers defense articles, defense services, or related technical data must register with the DDTC and comply with ITAR requirements. Violations carry severe penalties: criminal fines up to $1 million per violation with imprisonment up to 20 years, and civil fines up to $500,000 per violation. ITAR compliance is not optional for defense contractors, aerospace manufacturers, and any company that handles USML-controlled items. Petronella Technology Group (PTG) helps defense contractors and their supply chain partners implement the technical controls, data sovereignty infrastructure, and compliance programs that ITAR demands.

Who Must Comply with ITAR?

ITAR applies broadly across the defense industrial base. The regulations affect any person or entity engaged in the business of manufacturing, exporting, or temporarily importing defense articles or furnishing defense services. This includes:

  • Prime defense contractors and their subcontractors at every tier
  • Aerospace manufacturers producing USML-listed components, systems, or subsystems
  • IT companies and managed service providers that store, process, or transmit ITAR-controlled technical data
  • Universities and research institutions performing defense-related research
  • Consultants and engineers providing defense services to foreign persons or governments
  • Cloud service providers hosting ITAR-controlled data

A critical point that many organizations overlook: ITAR compliance obligations extend to any company that touches ITAR-controlled technical data, even if that company never manufactures a physical defense article. An IT firm that manages email servers for a defense contractor may be handling ITAR-controlled technical data without realizing it. PTG has encountered this scenario repeatedly when performing cybersecurity assessments for companies in the defense supply chain.

DDTC Registration: The First Requirement

Before engaging in any manufacturing, exporting, or brokering of defense articles or services, a company must register with the DDTC. Registration is mandatory under 22 CFR Part 122 and must be renewed annually. The registration fee structure was updated in 2024, with the base fee starting at $2,250 for new registrations. DDTC registration does not grant any export authority; it simply establishes the legal prerequisite for applying for export licenses or using exemptions.

Failure to register is itself a violation. The DDTC has pursued enforcement actions against companies that were manufacturing USML items without registration, even when no actual export occurred. Craig Petronella, a CMMC Registered Practitioner with 23+ years in cybersecurity, advises every PTG client in the defense sector to verify their DDTC registration status as the first step in any ITAR compliance engagement.

Understanding the United States Munitions List (USML)

The USML (22 CFR Part 121) defines the categories of defense articles, defense services, and related technical data subject to ITAR control. The USML currently contains 21 categories:

  1. Category I: Firearms, Close Assault Weapons, and Combat Shotguns
  2. Category II: Guns and Armament
  3. Category III: Ammunition and Ordnance
  4. Category IV: Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
  5. Category V: Explosives and Energetic Materials
  6. Category VI: Surface Vessels of War and Special Naval Equipment
  7. Category VII: Ground Vehicles
  8. Category VIII: Aircraft and Related Articles
  9. Category IX: Military Training Equipment and Training
  10. Category X: Personal Protective Equipment
  11. Category XI: Military Electronics
  12. Category XII: Fire Control, Laser, Imaging, and Guidance Equipment
  13. Category XIII: Materials and Miscellaneous Articles
  14. Category XIV: Toxicological Agents
  15. Category XV: Spacecraft and Related Articles
  16. Category XVI: Nuclear Weapons Related Articles
  17. Category XVII: Classified Articles, Technical Data, and Defense Services
  18. Category XVIII: Directed Energy Weapons
  19. Category XIX: Gas Turbine Engines and Associated Equipment
  20. Category XX: Submersible Vessels and Related Articles
  21. Category XXI: Articles, Technical Data, and Defense Services Not Otherwise Enumerated

Commodity jurisdiction (CJ) determinations are sometimes needed to establish whether an item falls under ITAR (State Department) or the Export Administration Regulations (EAR) under the Commerce Department. PTG helps clients navigate this classification process, which is fundamental to determining which regulatory framework applies.

Technical Data and Defense Articles: Key Definitions

ITAR's scope extends beyond physical hardware. Under 22 CFR 120.33, "technical data" includes:

  • Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles
  • Classified information relating to defense articles and defense services
  • Information covered by an invention secrecy order
  • Software directly related to defense articles

Technical data does NOT include basic marketing materials, general scientific or engineering principles taught in universities, or information in the public domain. However, the line between controlled technical data and public-domain information is often blurry, and organizations regularly err on the side of over-control rather than risk a violation.

"Defense articles" under 22 CFR 120.31 include any item listed on the USML, as well as technical data and defense services. This broad definition means that a CAD file for a USML-listed component is itself a defense article subject to ITAR controls.

The Deemed Export Rule

One of ITAR's most operationally significant provisions is the "deemed export" concept. Under 22 CFR 120.54, releasing or disclosing technical data to a foreign person within the United States is deemed an export to that person's home country. This means:

  • Allowing a foreign national employee to access ITAR-controlled technical data on a company network constitutes an export
  • Sharing ITAR-controlled documents in a meeting with foreign visitors constitutes an export
  • Granting a foreign national contractor access to ITAR-controlled systems constitutes an export
  • Visual inspection of ITAR-controlled hardware by a foreign person may constitute an export

Companies must implement access controls that restrict ITAR-controlled data to U.S. persons only. This requires identity verification, role-based access controls, and network segmentation. PTG's AI-powered compliance platform automates the monitoring of access controls to detect potential deemed export violations before they occur. Using on-premise AI infrastructure, PTG can continuously scan access logs and flag anomalies without sending sensitive data to third-party cloud services.

ITAR Penalties and Enforcement

ITAR violations carry some of the most severe penalties in the regulatory landscape:

Penalty Type Maximum Per Violation Authority
Criminal Fine $1,000,000 22 U.S.C. 2778(c)
Criminal Imprisonment 20 years 22 U.S.C. 2778(c)
Civil Fine $500,000 (adjusted for inflation) 22 CFR 127.10
Debarment Prohibition from future exports 22 CFR 127.7
Seizure/Forfeiture Full value of articles 22 U.S.C. 2778(e)

Recent enforcement actions demonstrate the government's willingness to impose substantial penalties. In 2023 and 2024, multiple defense contractors paid tens of millions of dollars in consent agreements with the DDTC for unauthorized exports, including failures to properly control technical data access. Voluntary self-disclosures (VSDs) under 22 CFR 127.12 are treated as a mitigating factor, and PTG strongly recommends implementing systems that identify potential violations early enough to enable timely self-disclosure.

Craig Petronella holds a Licensed Digital Forensic Examiner credential (#604180), which means PTG can support clients not only with compliance programs but also with forensic investigations when a suspected violation occurs. Preserving evidence properly is critical in ITAR enforcement matters, and most compliance firms lack this forensic capability.

ITAR vs. EAR: Understanding the Distinction

Companies often confuse ITAR with the Export Administration Regulations (EAR). While both regulate exports, they serve different purposes and are administered by different agencies:

Dimension ITAR EAR
Administering Agency State Department (DDTC) Commerce Department (BIS)
Statutory Authority Arms Export Control Act (AECA) Export Control Reform Act (ECRA)
Controlled Items Defense articles (USML) Dual-use items (CCL)
Scope Military/defense items only Commercial items with military potential
License Exceptions Limited exemptions Broad license exceptions available
Criminal Penalty Up to $1M and 20 years Up to $1M and 20 years (ECRA)
Civil Penalty Up to $500K per violation Up to $364,992 per violation (2024 adjusted)
Registration Required (DDTC) Not required
Fundamental Research Excluded if published Excluded if published

The Export Control Reform (ECR) initiative that began in 2013 transferred numerous items from the USML to the Commerce Control List (CCL), making them subject to EAR rather than ITAR. However, the most sensitive defense technologies remain firmly on the USML. Organizations must perform a careful jurisdiction and classification analysis before assuming any item has moved from ITAR to EAR control.

ITAR, DFARS, and CMMC: The Defense Contractor Compliance Stack

Defense contractors face overlapping compliance requirements. ITAR controls what you can export and to whom; the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 mandates how you protect Controlled Unclassified Information (CUI) on contractor systems; and the Cybersecurity Maturity Model Certification (CMMC) verifies that you actually implemented those protections. These three frameworks form an interlocking compliance stack:

  • ITAR establishes what data is controlled and restricts access to U.S. persons
  • DFARS 252.204-7012 requires implementing NIST SP 800-171 to protect CUI, which includes ITAR-controlled technical data when it qualifies as CUI
  • CMMC Level 2 requires third-party assessment of NIST SP 800-171 implementation for contracts involving CUI

Many defense contractors must comply with all three simultaneously. A company manufacturing USML items for a DoD contract will need DDTC registration, ITAR-compliant access controls, NIST SP 800-171 implementation for CUI protection, and eventually CMMC certification. PTG builds integrated compliance programs that address all three requirements in a single engagement, eliminating the inefficiency of treating each framework as a separate project.

Relationship to NIST SP 800-53

ITAR itself does not prescribe specific cybersecurity controls. The regulations focus on what must be controlled (defense articles, technical data, defense services) and who can access it (U.S. persons only, or authorized foreign persons with proper licenses). The how of securing that data falls to other frameworks.

NIST SP 800-53 Rev. 5 serves as the master security control catalog from which other frameworks derive. The practical connection between ITAR and 800-53 flows through DFARS and NIST SP 800-171:

  • NIST SP 800-53 contains over 1,000 controls organized into 20 families
  • NIST SP 800-171 selects 110 controls from the 800-53 Moderate baseline, tailored for non-federal systems handling CUI
  • DFARS 252.204-7012 requires NIST SP 800-171 implementation for CUI, which includes ITAR technical data when marked as CUI
  • CMMC Level 2 maps directly to the 110 NIST SP 800-171 controls

For ITAR compliance specifically, the 800-53 control families most directly relevant are Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), Media Protection (MP), Physical and Environmental Protection (PE), Personnel Security (PS), and System and Communications Protection (SC). PTG's AI-powered compliance platform maps ITAR requirements to specific 800-53 controls, creating a unified control framework that satisfies both ITAR access restrictions and NIST security requirements simultaneously.

ITAR vs. DFARS vs. CMMC: Comparison Table

Dimension ITAR DFARS 252.204-7012 CMMC Level 2
Primary Focus Export control of defense items CUI protection on contractor systems Verification of CUI protection
Administering Body State Department (DDTC) Department of Defense DoD / Cyber AB (C3PAOs)
Applicable Standard 22 CFR Parts 120-130 NIST SP 800-171 NIST SP 800-171 (110 controls)
Who Must Comply Any entity handling USML items DoD contractors with CUI DoD contractors per contract requirements
Assessment Type Self-compliance + DDTC audits Self-assessment (SPRS score) Third-party assessment (C3PAO)
Penalties Criminal/civil fines, debarment False Claims Act liability Loss of contract eligibility
Citizenship Requirement U.S. persons only (unless licensed) No citizenship requirement No citizenship requirement
Registration DDTC registration required None beyond contract SPRS score submission
Cloud Requirements U.S.-person access only; data sovereignty FedRAMP Moderate equivalent FedRAMP Moderate equivalent

Cloud Computing and ITAR: Data Sovereignty Requirements

ITAR imposes strict requirements on where and how technical data is stored in cloud environments. Because ITAR restricts access to U.S. persons, cloud providers must demonstrate that:

  • All data remains within the United States (no offshore replication or processing)
  • Only U.S. persons have physical and logical access to the infrastructure
  • Administrative access (including support staff) is limited to U.S. persons
  • Encryption keys are managed by U.S. persons on U.S. soil

Major cloud providers address these requirements through specialized offerings such as AWS GovCloud, Microsoft Azure Government, and Google Cloud Assured Workloads. However, using a government cloud region alone does not guarantee ITAR compliance. Organizations must still implement proper access controls, logging, and data handling procedures within those environments.

PTG offers a fundamentally different approach: on-premise AI and compliance infrastructure that keeps ITAR-controlled data entirely within the client's physical perimeter. PTG's private AI fleet, built on custom GPU clusters and on-premise large language models, allows defense contractors to leverage AI-powered compliance automation without ever sending technical data to an external cloud. This data sovereignty model eliminates the risk of unauthorized foreign access at the infrastructure level. No other firm in the Research Triangle offers this combination of AI capability with physical data sovereignty.

For organizations that do use cloud services for ITAR data, PTG performs architecture reviews to verify that the cloud environment meets ITAR access control requirements, including reviewing FedRAMP authorization documentation and testing boundary controls.

Building an ITAR Compliance Program

An effective ITAR compliance program requires documented policies, trained personnel, and technical controls. The DDTC evaluates compliance programs during enforcement actions and treats the existence (or absence) of a robust program as an aggravating or mitigating factor. Key elements include:

1. Management Commitment and Empowered Compliance Official

Senior leadership must formally commit to ITAR compliance, and the organization must designate an empowered official authorized to oversee ITAR activities. This person needs sufficient authority and resources to enforce compliance across all business units.

2. Jurisdiction and Classification

Every product, technical data set, and service must be evaluated to determine whether it falls under ITAR (USML) or EAR (CCL). Organizations should maintain a product classification matrix and seek formal Commodity Jurisdiction determinations from DDTC when classification is unclear.

3. Screening and Due Diligence

All parties to a transaction must be screened against restricted party lists, including the DDTC Debarred List, the BIS Denied Persons List, the BIS Entity List, the OFAC Specially Designated Nationals list, and others. PTG's patented compliance technology automates screening against these lists and flags matches in real time.

4. Access Controls and Deemed Export Prevention

Physical and logical access controls must restrict ITAR-controlled data to authorized U.S. persons. This includes badge access to facilities, network segmentation, role-based access controls on IT systems, and visitor management procedures. PTG implements these controls using a combination of identity governance platforms and network security architecture.

5. Technology Control Plans (TCPs)

Organizations with foreign national employees or visitors must implement Technology Control Plans that document how ITAR-controlled data will be protected from unauthorized access. TCPs specify physical barriers, IT controls, and procedural safeguards for each area where ITAR data is present.

6. Training

All employees with access to ITAR-controlled items must receive initial and recurring training on ITAR requirements, company policies, and their individual responsibilities. Training records must be maintained and available for audit.

7. Record Keeping

ITAR requires retention of records related to exports, licenses, agreements, and technical data transfers for a minimum of five years under 22 CFR 122.5. PTG helps clients implement automated record-keeping systems that maintain compliance documentation in a searchable, auditable format.

8. Internal Auditing and Monitoring

Regular internal audits verify that compliance controls are functioning as intended. PTG's AI-powered monitoring continuously evaluates access logs, export records, and data flows to identify compliance gaps before they become violations.

ITAR and AI: Emerging Compliance Challenges

Artificial intelligence introduces new compliance complexities for ITAR-regulated organizations. Machine learning models trained on ITAR-controlled technical data may themselves constitute defense articles or technical data. Key considerations include:

  • AI models trained on USML technical data may be ITAR-controlled, requiring export authorization before sharing
  • Cloud-based AI services (including large language models) that process ITAR data must meet the same U.S.-person access requirements as any other cloud service
  • AI-generated designs or analyses derived from ITAR-controlled inputs likely constitute ITAR-controlled technical data
  • Foreign national employees must be excluded from AI projects that involve ITAR-controlled training data

PTG is uniquely positioned to help defense contractors navigate ITAR's intersection with AI. As one of the only firms that combines AI development capabilities (custom AI agents, private LLMs, GPU hosting) with cybersecurity and compliance expertise, PTG understands both the technical capabilities and the regulatory constraints. Craig Petronella holds an MIT Artificial Intelligence Certificate and has built PTG's private AI infrastructure specifically to address data sovereignty requirements like those ITAR imposes.

Common ITAR Compliance Mistakes

Based on PTG's experience with defense contractors and published DDTC enforcement actions, the most frequent ITAR compliance failures include:

  • Failing to register with DDTC: Companies that manufacture USML items or provide defense services sometimes operate for years without registration, creating a per-day violation exposure
  • Ignoring deemed exports: Allowing foreign national employees unrestricted access to ITAR-controlled systems is the most common technical violation PTG encounters during assessments
  • Using non-compliant cloud services: Storing ITAR technical data in standard commercial cloud environments without verifying U.S.-person access controls
  • Inadequate classification: Failing to determine whether items are ITAR or EAR controlled, leading to the wrong regulatory framework being applied
  • Poor record keeping: Not maintaining the required five-year retention of export records and license documentation
  • No Technology Control Plan: Operating facilities with foreign national employees without a documented TCP
  • Delayed voluntary self-disclosure: Discovering a violation but waiting too long to file a VSD, losing the mitigating benefit
  • Treating ITAR as a one-time project: Compliance requires ongoing monitoring, not a one-time assessment

How PTG Supports ITAR Compliance

Petronella Technology Group brings a distinctive set of capabilities to ITAR compliance engagements that most IT firms and compliance consultants cannot match:

AI-Powered Compliance Acceleration: PTG uses its own private AI fleet, including on-premise large language models running on custom GPU infrastructure, to accelerate compliance assessments, automate control mapping between ITAR requirements and NIST frameworks, and continuously monitor security posture. This AI capability reduces the time and cost of achieving compliance by automating documentation review, gap analysis, and policy generation.

Data Sovereignty Infrastructure: PTG's on-premise AI infrastructure (GPU clusters, private cloud, local storage) proves that PTG practices what it preaches about data sovereignty. For ITAR-regulated clients, this means compliance assessments and AI-powered analysis can be performed without ITAR-controlled data ever leaving the client's perimeter or being processed on foreign-accessible cloud infrastructure.

Patented Technology Stack: PTG's proprietary and patented security tools automate compliance tasks that competitors perform manually, including access control monitoring, screening automation, and audit evidence collection. This automation reduces human error and provides continuous compliance verification rather than periodic snapshots.

Forensic Capability: Craig Petronella's Licensed Digital Forensic Examiner credential (#604180) means PTG can support clients through the entire lifecycle of an ITAR compliance matter, from initial assessment through incident investigation. When a potential violation occurs, PTG has the forensic expertise to preserve evidence, analyze data flows, and support legal proceedings. Most compliance firms must refer this work to a separate forensic provider, introducing delays and chain-of-custody risks.

SMB Focus: PTG makes enterprise-grade ITAR compliance accessible to small and mid-size defense contractors. Many ITAR-regulated companies are small machine shops, specialty manufacturers, or niche technology firms that cannot afford the compliance teams that large primes maintain. PTG's compliance service packages are designed for this market segment, delivering the same rigor at a scale and price point that SMBs can sustain.

For a practical starting point, PTG has published an open-source ITAR Compliance Checklist on GitHub that organizations can use to evaluate their current compliance posture.

ITAR Compliance Checklist Summary

Use this checklist as a starting point. A complete ITAR compliance program requires expert guidance tailored to your specific products, services, and business operations. Call PTG at 919-348-4912 to schedule a free compliance assessment.

  • Determine whether your products, services, or technical data are ITAR-controlled (USML jurisdiction)
  • Register with DDTC and maintain current annual registration
  • Designate an empowered official with authority to oversee ITAR compliance
  • Classify all products and technical data against USML categories
  • Implement access controls limiting ITAR data to U.S. persons
  • Develop Technology Control Plans for facilities with foreign national access
  • Screen all parties against restricted party lists before transactions
  • Verify cloud environments meet ITAR data sovereignty and access requirements
  • Implement and document employee training programs
  • Establish record-keeping systems with minimum five-year retention
  • Conduct regular internal audits of ITAR compliance controls
  • Establish a voluntary self-disclosure process for identified violations
  • Integrate ITAR controls with NIST SP 800-171 and CMMC requirements where applicable

Frequently Asked Questions

What is the difference between ITAR and EAR?

ITAR is administered by the State Department and controls defense articles, services, and technical data listed on the United States Munitions List (USML). EAR is administered by the Commerce Department and controls dual-use commercial items with potential military applications, listed on the Commerce Control List (CCL). Items subject to ITAR generally have stricter controls, fewer license exceptions, and more severe penalties than EAR-controlled items. A commodity jurisdiction determination establishes which set of regulations applies to a specific item.

Who needs to register with the DDTC?

Any person or entity in the United States that engages in the business of manufacturing, exporting, or temporarily importing defense articles, or furnishing defense services, must register with the DDTC under 22 CFR Part 122. Registration is required even if no exports are planned. The requirement applies to manufacturers, exporters, brokers, and entities providing defense services.

What is a deemed export under ITAR?

A deemed export occurs when ITAR-controlled technical data or defense services are released to a foreign person within the United States. This release is "deemed" to be an export to the foreign person's home country and requires the same authorization as a physical export. This provision has significant implications for companies employing foreign nationals or hosting foreign visitors at facilities where ITAR data is accessible.

Can ITAR-controlled data be stored in the cloud?

Yes, but only in cloud environments where access is restricted to U.S. persons and data remains within the United States. Government cloud offerings such as AWS GovCloud, Azure Government, and Google Cloud Assured Workloads are designed to meet these requirements. However, using a government cloud region alone is not sufficient; organizations must also verify access controls, encryption key management, and support personnel restrictions. PTG's on-premise infrastructure offers an alternative that eliminates cloud-related ITAR risks entirely.

What are the penalties for ITAR violations?

Criminal penalties include fines up to $1 million per violation and imprisonment up to 20 years. Civil penalties include fines up to $500,000 per violation (adjusted for inflation). The DDTC can also debar violators, prohibiting them from future export activities. Additionally, defense articles involved in violations may be seized and forfeited. Voluntary self-disclosure of violations is treated as a mitigating factor in penalty determinations.

How does ITAR relate to CMMC and DFARS?

ITAR controls exports and restricts access to defense items. DFARS clause 252.204-7012 requires defense contractors to implement NIST SP 800-171 to protect CUI, which can include ITAR-controlled technical data. CMMC provides third-party verification that NIST SP 800-171 controls are properly implemented. Defense contractors manufacturing USML items for DoD contracts typically need compliance with all three frameworks. PTG builds integrated compliance programs that address ITAR, DFARS, and CMMC in a unified approach.

Does ITAR apply to software?

Yes. Software that is specifically designed, developed, configured, adapted, or modified for a defense article is itself classified as technical data or a defense article under ITAR. This includes source code, object code, algorithms, and software documentation related to USML items. Additionally, AI models and machine learning systems trained on ITAR-controlled data may also be subject to ITAR controls.

What is a Technology Control Plan (TCP)?

A TCP is a documented plan that specifies the physical, procedural, and IT security measures an organization uses to prevent unauthorized access to ITAR-controlled items by foreign persons. TCPs are required when foreign nationals have access to facilities where ITAR data is present. The plan must address physical security barriers, IT access controls, visitor procedures, and employee screening measures.

How long must ITAR records be retained?

Under 22 CFR 122.5, records relating to ITAR activities must be maintained for a minimum of five years. This includes records of exports, temporary imports, license applications, agreements, and correspondence with DDTC. PTG recommends maintaining records beyond the minimum period when litigation or enforcement risk exists.

Can PTG help small defense contractors with ITAR compliance?

Yes. PTG specializes in making enterprise-grade compliance accessible to small and mid-size businesses. Many ITAR-regulated companies are small manufacturers or specialty firms that lack dedicated compliance staff. PTG's compliance service packages provide the expertise, technology, and ongoing support that SMBs need to maintain ITAR compliance without building an internal compliance department. Craig Petronella, with credentials including CMMC Registered Practitioner, Cisco CCNA and CWNE certifications, and authorship of 14+ cybersecurity books, personally oversees PTG's defense contractor compliance engagements.

Take the Next Step on ITAR Compliance

ITAR compliance is not a project you complete once and forget. It requires ongoing vigilance, regular training, continuous monitoring, and periodic reassessment as your products, personnel, and business relationships change. Petronella Technology Group, Inc. combines AI-powered compliance automation, patented security tools, forensic expertise, and 23+ years of cybersecurity experience to help defense contractors build and maintain ITAR compliance programs that withstand scrutiny.

Call 919-348-4912 or schedule a free compliance assessment to discuss your ITAR compliance requirements. PTG serves defense contractors, aerospace manufacturers, and their supply chain partners from our offices at 5540 Centerview Dr. Suite 200, Raleigh, NC 27606.