Defense spending in the United States is projected to reach $886 billion by 2025, making it a high-growth industry for manufacturers interested in expanding their clientele. To expand into defense, organizations must meet stringent regulations, including the International Traffic in Arms Regulations (ITAR). Failure to do so can result in heavy fines.

This blog will help you understand ITAR regulations and how to achieve ITAR compliance.

  1. What is ITAR compliance
  2. Who needs to be ITAR compliant
  3. ITAR compliance requirements
  4. Penalties for violating ITAR
  5. 2020 ITAR Carveout
  6. The ITAR compliance checklist
  7. How to secure your ITAR Data
  8. Frequently Asked Questions


What is ITAR compliance?

Administered by the Directorate of Defense Trade Controls (DDTC) within the US State Department, ITAR regulates the import and export of defense products found on the United States Munitions List (USML). The USML has three subcomponents: defense articles, defense services and related technical data. All items on the USML are subject to ITAR.

The United States Munitions List

  1. Firearms and Related Articles
  2. Guns and Armament
  3. Ammunition and Ordnance
  4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
  5. Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
  6. Surface Vessels of War and Special Naval Equipment
  7. Ground Vehicles such as tanks or infantry fighting vehicles
  8. Aircraft and Related Articles
  9. Military Training Equipment and Training
  10. Personal Protective Equipment
  11. Military Electronics
  12. Fire Control, Laser, Imaging, and Guidance Equipment
  13. Materials and Miscellaneous Articles
  14. Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
  15. Spacecraft and Related Articles
  16. Nuclear Weapons Related Articles
  17. Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
  18. Directed Energy Weapons
  19. Gas Turbine Engines and Associated Equipment
  20. Submersible Vessels and Related Articles
  21. Articles, Technical Data, and Defense Services Not Otherwise Enumerated

Source: Code of Federal Regulations

The goal of ITAR is to control the import and export of technical data, including software, part drawings, and photos, related to USML items. Organizations are only allowed to share ITAR data with US persons. ITAR protects US national security and foreign policy interests.

Who needs to be ITAR Compliant

Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services on the USML is required to register with the Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations. This includes registration, maintenance of records required by 22 CFR 122.5, and obtaining licenses and approvals for exports.

ITAR Compliance Requirements

If your organization is manufacturing, exporting, importing, or brokering defense articles, including technical data, or providing defense services under ITAR, then you are required to meet ITAR compliance requirements. The following list highlights the main requirements:

Step 1: Register with DDTC

Any organization engaged in the United States in the business of manufacturing, exporting or brokering US defense articles or services on the USML is required to register with DDTC. Registration must be renewed every 12 months. Submit your ITAR registration renewal documents at least 60 days before the expiration date of your registration to ensure your compliance doesn’t lapse.

Step 2: Maintenance of records

Persons handling ITAR must maintain records concerning the manufacture, acquisition and placement of defense articles, technical data and defense services. These records must be available at all times for inspection and copying by the Directorate of Defense Trade Controls.

Step 3: Obtain licenses for all ITAR-controlled transactions

Identify all the ITAR-controlled defense articles, defense services, and related technical data that your organization handles, and obtain licenses from DDTC for any related transactions you wish to engage in.

Step 4: Track ITAR-controlled items at all times

Know where those items are located and who has access to them. When items are transferred, keep records of where and to whom they are transferred, as well as details of any retransfers from there.

Penalties for ITAR violations

There are serious penalties for failing to get the specific licenses and documentation required for ITAR compliance. These penalties can include civil fines of up to $500,000, criminal fines of up to $1,000,000, and up to 10 years imprisonment per violation.

  1. Failing to register: Any manufacturing of the items on the USML is illegal without proper registration. 
  2. Lack of Technical Data Licenses: Organizations exporting technical data or defense services related to firearms and ammunition must have approval and licenses. 
  3. Incorrect Documentation: Any error in a document such as a DDTC license application or an application for registration can lead to an ITAR or customs violation.
  4. Not Vetting Other Parties: Your organization cannot send ITAR data to a party that is prohibited from handling it. 
  5. Uncontrolled Technical Data: Organizations are prohibited from transferring or disclosing technical data to foreign persons, even in the United States, without the proper licenses.
  6. Willful Failure to Comply: While most ITAR violations happen as a result of oversights or a lack of diligence, there are also cases where exporters purposefully do not comply with the regulations. These cases may be treated more harshly than others or lead to additional charges.

2020 ITAR Carveout

Prior to March 2020, organizations had to store all ITAR technical data on servers located within the US. These servers were managed by US persons, who protected the data through the use of on-premise storage.

In March 2020, the State Department recognized that advances in cybersecurity could be leveraged without compromising national security goals and issued 22 CFR 120.54, aka the ITAR Carveout for Encrypted Technical Data. The carveout permits defense companies to leverage end-to-end encryption to send, store, and share unclassified ITAR technical data without requiring an export license, provided the exchange meets the criteria listed below.

  1. The data is unclassified
  2. The data is secured using end-to-end encryption
  3. The cryptographic modules used for end-to-end encryption are compliant with FIPS 140-2 or its successors
  4. The data is not unencrypted at any point between the originator and the recipient
  5. The means of decryption are not provided to any cloud service provider or other third party, i.e., no person or organization has access to keys, network access codes, or passwords that enable decryption other than the recipient
  6. The recipient is a US person, or a person authorized to receive the unclassified technical data per ITAR
  7. The data is not purposely sent to or stored in restricted countries specified by ITAR (e.g., Russia, China, North Korea, and many others)
  8. The data is not purposely sent from restricted countries specified by ITAR

22 CFR 120.54 allows organizations to streamline their ITAR data handling practices using end-to-end encrypted cloud services. Instead of storing ITAR data on costly on-premise solutions and applying for import/export licenses every time data must be shared, organizations can now use end-to-end encrypted file sharing systems, in compliance with other 22 CFR 120.54 requirements, to store data in the cloud and share files with US persons without licensure.

End-to-end encrypted email and file sharing services, like PreVeil, meet these ITAR standards and can provide a less expensive, more user-friendly alternative to traditional on-premise solutions, while maintaining a gold standard of security.

ITAR Compliance Checklist

The U.S. Department of State leaves it up to manufacturers to develop, implement and maintain their own compliance programs. There is no specific ITAR certification to obtain; your responsibility is to register with DDTC and be compliant.

Use this compliance checklist to guide your program.

  1. Educate yourself and your employees on ITAR requirements. Understand how ITAR applies to your USML goods, services, or data, and make sure you are meeting ITAR requirements. First, review the USML list. All products and services related to items on the USML list are subject to ITAR. Next, familiarize yourself with all the articles of ITAR, which consist of 11 parts. The regulations are deliberately designed for flexibility, so that you can adjust your security practices to your specific risk profile, as well as evolving technologies and national security threats.
  2. Register with the State Department’s Directorate of Defense Trade Controls (DDTC). All ITAR-covered entities must submit a Statement of Registration to DDTC. This applies whether or not you intend to export products, services, or data. Registration is subject to renewal every 12 months and may be withheld due to criminal prosecution or ban from ITAR work.
  3. Ensure only US citizens can access items on the USML. Only US persons may access items on the USML. Ensure everyone on your team who has access to ITAR data, as well as all parties with whom you intend to do ITAR work, are US citizens.
  4. Comply with reporting and record keeping requirements. Organizations must report any ITAR violations to DDTC. Organizations must also retain records for five years after the completion of the transaction and make these records available to DDTC upon request.
  5. Obtain necessary export/import licenses. In order to export or temporarily import defense-related articles or information, you must first obtain appropriate licensure from DDTC. Export licenses are valid for up to 4 years and must provide all the necessary details regarding the transfer and the items. These include details of the recipient of the item, the end-use and end-user of the item, and the recipient country.
  6. Ensure all organizations in your supply chain are ITAR compliant. It is your duty to ensure that all parties you share ITAR data with, including subcontractors, comply with ITAR. As part of this, you must ensure that you do not share data with any foreign persons without appropriate licensure, and never with anyone on the prohibited countries list.
  7. There is no formal certification process to become ITAR compliant. Instead, there are certain standards that companies are expected to comply with. Unlike CMMC and other regulations, ITAR does not have a formal certification process. It is your responsibility to ensure that your data handling processes are secure and protect national security interests. The hefty penalties levied against companies in breach of ITAR in recent years prove companies must take ITAR compliance seriously.
  8. Understand if exemptions apply to your organization. ITAR exemptions are very specific. Types of exemptions include public domain exemptions, technical data exemptions, and temporary importation of defense articles exemptions. Understand if any exemptions apply to your organization to avoid running afoul of ITAR.
  9. Report any ITAR violations that occur. Should an ITAR violation occur, accidentally or intentionally, it is your responsibility to report it immediately to DDTC.

How to secure your ITAR Data

As noted above, the State Department’s ITAR carveout allows organizations to share unclassified technical data with their supply chain or with persons outside the US, as long as the data is secured with end-to-end encryption. If the data is end-to-end encrypted (and meets the other carveout criteria described above), the exchange is not considered an export.

PreVeil’s Email and Drive platform was built from the ground up to rely on end-to-end encryption to protect all user data. PreVeil Drive lets users encrypt, store and share their files containing ITAR data. All data is protected with end-to-end encryption. Users can easily access these files from their computers or mobile devices and share with others.

PreVeil’s end-to-end encrypted email meets ITAR requirements and enables users to send and receive encrypted emails from their existing Office 365, Gmail or Apple Mail accounts using their existing email address, just like they are used to.

The PreVeil platform fully meets the requirements listed in the ITAR Carveout and enables users handling ITAR data to do so easily and affordably.


Frequently Asked Questions

What is unclassified technical data?

Unclassified technical data is information, other than software as defined in 22 CFR 120.10(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or altering of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.

What is a US person under ITAR?

A U.S. person is someone who is a lawful permanent resident of the US. It also covers any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. Governmental (federal, state or local) entities are included.

Can a non-US citizen work on ITAR?

Non-US persons may not access ITAR data.

What is an export under ITAR?

An export is the shipment or transmission of ITAR data out of the United States, including sending or taking a defense article out of the United States in any manner. Any release of technical data to a foreign person is considered an export, even if that person is physically located in the United States. Release of data to a foreign person is considered an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.

What are the most common ITAR violations?

The most common ITAR violations include failing to register with DDTC, lack of technical data licenses, incorrect documentation, and not vetting other parties involved in ITAR-controlled transactions.

Organizations can falsely believe they only need to register with DDTC if they plan to export products. That is not true. Any manufacturing of items on the USML, even without intended export, is illegal without first registering with DDTC.

If you intend to export technical data or defense services related to items on the USML, it is not sufficient to only register with DDTC. You must also obtain approval and licensure prior to export.

Finally, it is your responsibility to know every party involved in an ITAR-controlled transaction. If you engage, knowingly or unknowingly, in an ITAR-controlled transaction with a prohibited party, such as China, North Korea, Russia, or other countries on the prohibited list, you are in violation of ITAR.

What are the types of ITAR exemptions?

The types of ITAR exemptions include:

Temporary Importation of Defense Articles: This exemption allows companies to temporarily import defense articles for repair, maintenance, or exhibition without a license.

Technical Data Exemption: This exemption allows companies to share technical data with foreign persons without a license, as long as the data is not related to the development, production, or use of defense articles.

Public Domain Exemption: This exemption allows companies to export defense articles or services that are already in the public domain.