Penalties get hefty fast when ITAR (International Traffic in Arms Regulations) technical data is mismanaged. In February 2023, the US State Department concluded a $20M settlement of alleged export violations by 3D Systems Corporation. Before that, Honeywell International was fined $13M by the State Department for the unauthorized export of dozens of technical drawings.
 
Today, ITAR compliance poses a significant challenge. To avoid steep fines and other penalties, and to help advance US national security goals, organizations that handle ITAR-controlled defense items need to understand the regulations and how to comply with them. We've written this blog to help.

This blog explains your compliance obligations and how best to meet them. We'll look at:

  1. What is ITAR?
  2. What is ITAR compliance?
  3. Who needs to be ITAR compliant?
  4. How can you be ITAR compliant?
  5. What are the ITAR penalties?
  6. ITAR carveout: Sharing ITAR data using end-to-end encryption
  7. ITAR and CUI overlap
  8. The ITAR compliance checklist: Key considerations

What is ITAR?

International Traffic in Arms Regulations (aka ITAR) govern the export of US defense and military products. ITAR controls implement the Arms Export Control Act (AECA) and are administered by the US State Department. The AECA and ITAR were adopted during the Cold War, when the need for broad export controls to keep US defense items and technology out of the hands of the USSR and the Soviet Bloc countries became evident.
 
ITAR controls apply to military-related items, which covers a far wider realm of products and services than the word "Arms" in "ITAR" implies. While many items on the United States Munitions List (USML) are clearly arms, such as guns, rockets and bombs, the list wraps up with a catch-all category, "Articles, Technical Data, and Defense Services Not Otherwise Enumerated". Notably, that encompasses technical data and defense services, such as installation, repair, training and consulting related to items on the USML, as well.
 
The Department of Defense (DoD), of course, has a strong interest in regulating military products as well, and so DoD works closely with the State Department on ITAR-related matters. Organizations that do work for the DoD need to know about ITAR.

What is ITAR compliance?

To be ITAR compliant, organizations that handle ITAR-controlled defense articles and services, including technical data, must receive prior authorization for any transactions related to those items (or meet exceptions to the rules).
 
Items subject to ITAR controls are listed on the United States Munitions List (USML). The USML is organized into 21 major categories of military products, running the gamut from Guns and Armament and Personal Protective Equipment, for example, to Spacecraft and Nuclear Weapons.

 
Categories on the United States Munitions List

  1. Firearms, Close Assault Weapons and Combat Shotguns
  2. Guns and Armament
  3. Ammunition/Ordnance
  4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
  5. Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
  6. Surface Vessels of War and Special Naval Equipment
  7. Ground Vehicles
  8. Aircraft and Related Articles
  9. Military Training Equipment and Training
  10. Personal Protective Equipment
  11. Military Electronics
  12. Fire Control, Range Finder, Optical and Guidance and Control Equipment, Night Vision Goggles
  13. Materials and Miscellaneous Articles
  14. Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
  15. Spacecraft and Related Articles
  16. Nuclear Weapons Related Articles
  17. Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
  18. Directed Energy Weapons
  19. Gas Turbine Engines and Associated Equipment
  20. Submersible Vessels and Related Articles
  21. Articles, Technical Data, and Defense Services Not Otherwise Enumerated

Any organization engaged in the United States in the business of the manufacturing, exporting or brokering of US defense articles or services on the USML is required to register with the State Department’s Directorate of Defense Trade Controls (DDTC). Today, there are approximately 13,000 defense companies, universities and research labs registered with DDTC.
 
After registration with DDTC, the next step is to identify all the ITAR-controlled items that your organization handles. Once you’ve identified those, you’ll need to obtain prior authorization for any related transactions you wish to engage in. Prior authorization is your only possible course of action; there is no after-the-fact approval.

Who needs to be ITAR compliant?

Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services on the USML is required to register with the Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations.
 
To avoid the severe penalties and other negative consequences of noncompliance with the State Department's regulations, take the time to determine which elements of ITAR, if any, need to be addressed in your compliance efforts.
 
The easiest way to know if you are responsible for ITAR compliance is to see if your company’s product or service is on the USML.
 

How can you be ITAR compliant?

There is no formal certification process to become ITAR compliant. Instead, there are certain standards that companies are expected to comply with.
 
Step 1: Register with the DDTC. Again, any organization engaged in the United States in the business of the manufacturing, exporting or brokering of US defense articles or services on the USML is required to register with DDTC. Registration must be renewed every 12 months. Submit your ITAR registration renewal documents at least 60 days before the expiration date of your registration, to ensure your compliance doesn’t lapse.
 
Step 2: Adopt an ITAR compliance program. A compliance program demonstrates that your company has a formal process for ITAR compliance and projects a sophisticated approach to managing these issues. DDTC strongly advises organizations engaged in the defense trade to establish and maintain an ITAR/export compliance program, and has issued guidelines to help them do so.
 
Step 3: Obtain prior authorization for all ITAR-controlled transactions. Identify all the ITAR-controlled defense articles, defense services, and related technical data that your organization handles, and obtain prior authorization from DDTC for any related transactions you wish to engage in.
 
Step 4: Track ITAR-controlled items at all times. Know where those items are located and who has access to them. When items are transferred, keep records of where and to whom they are transferred, as well as details of any retransfers from there.
 
Step 5: Ensure your cloud storage is ITAR compliant. In 2020, the State Department issued a ruling, known as the end-to-end encryption carveout, that allows organizations to share unclassified technical data with their supply chain or with persons outside the US, as long as the data is secured with end-to-end encryption. If the data is end-to-end encrypted (and meets the other criteria described below), the exchange is not considered an export.
 
Check that your cloud service provider uses end-to-end encryption to support ITAR compliance. This helps ensure that technical data is not accidentally disclosed to foreign persons or foreign nations.

 
What is unclassified technical data?
 
Unclassified technical data is information, other than software as defined in 22 CFR 120.10(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or altering of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
 
What is a US person?
 
A U.S. person is someone who is a lawful permanent resident of the US. It also covers any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. Governmental (federal, state or local) entities are included.
 
What is an export?
 
An export is the shipment or transmission of ITAR data out of the United States, including sending or taking a defense article out of the United States in any manner.
 
Any release of technical data to a foreign person is considered an export, even if that person is physically located in the United States. Release of data to a foreign person is considered an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.

What are the ITAR penalties?

There are serious penalties for any ITAR violation, including civil fines of up to $500,000, criminal fines of up to $1,000,000, and imprisonment of up to 10 years per violation. Restrictions may also be placed on your import/export activities as an individual or as a company.
 
As recently as August 2022, the State Department banned 10 people from participating directly or indirectly in future ITAR-related activities because they had conspired to violate ITAR regulations.

Airbus Agrees to Pay Over $3.9 Billion in Global Penalties to Resolve Foreign Bribery and ITAR Case
 
In January 2020, Airbus entered into an agreement to settle the largest corruption enforcement action in history by agreeing to pay nearly $4 billion in penalties for bribes aimed at winning large aircraft contracts, which compromised the US defense industry (among others). The ITAR-related violations of the settlement totaled $233 million.

 
Small contractors have also felt the brunt of ITAR fines. In 2017, Bright Lights USA, Inc., a manufacturer of basic spare parts for the DoD (e.g., rubber stoppers and grommets) with approximately 100 employees, was penalized with a civil fine of $400,000 for ITAR violations. Bright Lights had shared drawings of export-controlled components with foreign suppliers to get quotes without first obtaining the necessary ITAR export licenses. Bright Lights also failed to keep proper documentation of its ITAR-related transactions.

Sharing ITAR technical data using end-to-end encryption

Prior to March 2020, organizations had to store all ITAR technical data on servers located within the US. The servers had to be managed by US persons, who protected the data through the use of on-premises storage. But in a global economy, these requirements became burdensome.
 
In March 2020, the State Department recognized that advances in cybersecurity could be leveraged without compromising national security goals and issued 22 CFR 120.54, aka the ITAR Carveout for Encrypted Technical Data. The carveout permits defense companies to send, store, and share unclassified ITAR technical data without requiring an export license, provided the exchange meets the criteria listed below.

 
According to the Federal Register:
 
"[P]roperly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import."

  1. The data is unclassified
  2. The data is secured using end-to-end encryption
  3. The cryptographic modules used for end-to-end encryption are compliant with FIPS 140-2 or its successors
  4. The data is not unencrypted at any point between the originator and the recipient
  5. The means of decryption are not provided to any cloud service provider or other third party, i.e., no person or organization has access to keys, network access codes, or passwords that enable decryption other than the recipient
  6. The recipient is a US person, or a person authorized to receive the unclassified technical data per ITAR
  7. The data is not purposely sent to or stored in restricted countries specified by ITAR (e.g., Russia, China, North Korea, and many others)
  8. The data is not purposely sent from restricted countries specified by ITAR

 
This end-to-end encryption carveout allows organizations to leverage the cloud and streamline their ITAR data handling practices. End-to-end encryption, along with proper key management, provides a less expensive, more user-friendly alternative to traditional on-premise solutions, while maintaining a gold standard of security.

ITAR and CUI overlap

Not all ITAR data is CUI (Controlled Unclassified Information), and not all CUI is ITAR data. CUI can only be created under a contract with the federal government, whereas ITAR data can be created by a company without any contract. That said, many organizations that handle ITAR data also handle CUI. And organizations that handle CUI could find themselves subject to ITAR due to contract changes or modifications to the USML.
 
In addition to ITAR regulations, organizations handling ITAR data and CUI should be familiar with two DFARS clauses:
 
For CUI, there’s DFARS 252.204-7012. It focuses on the safeguarding of defense information and cyber incident reporting.
 
For ITAR data, there's DFARS 252.225-7048. It focuses on the safeguarding of information in international collaborations (and refers defense contractors to both the ITAR and AECA regulations).
 
Neither clause is optional. Given that organizations are often subject to regulation by both clauses, the best technical solution will satisfy the conditions of each clause simultaneously. PreVeil’s secure file sharing and email platform does exactly that.

ITAR compliance checklist: Key considerations

Some of the key considerations organizations should take into account when developing ITAR compliance programs include:

  1. Check whether the defense products, technical data and/or services that you are exchanging are on the US Munitions List (USML) and are therefore subject to ITAR.
  2. If any items are subject to ITAR, avoid challenging and burdensome export controls by using an end-to-end encrypted file sharing and email platform that meets ITAR standards.
  3. Confirm that your encryption provider uses key management practices that ensure only users have access to their private keys and no one else does, not even the provider. Manage data access through expirations that rescind access after a limited, pre-designated period of time.
  4. Exert granular control over access to ITAR-controlled data via read-only and view-only capabilities.
  5. Ensure that you have robust log management capabilities so you can readily discover who has accessed ITAR-controlled data.

PreVeil Supports ITAR Compliance

PreVeil understands the challenges that small to mid-size contractors must overcome to comply with ITAR. Its solution simplifies ITAR compliance because it meets each of the technical components of the ITAR carveout:

  • PreVeil Drive and Email are grounded in world-class end-to-end encryption that meets FIPS 140-2 standards.
  • With PreVeil, files, emails and data are only ever encrypted and decrypted on a user’s device. Information is never decrypted on any server anywhere. If attackers breach a server, all they will get is useless gibberish. PreVeil also captures every file sharing and email transaction that contains ITAR data in immutable logs, which support ITAR compliance per DDTC guidelines.
  • PreVeil has no access to keys, network access codes, or passwords that enable decryption. Private keys are stored only on user devices, assuring that no one other than the sender and intended recipients can ever access your sensitive data—not even PreVeil.


 
Moreover, PreVeil is easy to use and cost effective for organizations with limited cybersecurity expertise and compliance resources.

Want to learn more about how to manage your ITAR data and meet compliance? Talk to our compliance experts.