These are the most common ITAR questions defense contractors ask — compiled from thousands of conversations with aerospace manufacturers, defense subcontractors, engineering firms, and compliance teams — and answered by PreVeil’s compliance experts.

The most common ITAR questions answered

Questions on ITAR Basics & Who Must Comply

What is ITAR and who needs to comply?

ITAR (International Traffic in Arms Regulations) is a set of U.S. government rules administered by the State Department’s Directorate of Defense Trade Controls (DDTC). ITAR controls exports, temporary imports, reexports, retransfers, defense services, brokering activities, and releases of defense articles and technical data listed on the United States Munitions List (USML).

Any U.S. company that manufactures, exports, or furnishes defense articles or services covered by the USML must register with DDTC and comply with ITAR — even if they’ve never shipped anything overseas. This includes defense prime contractors, subcontractors, aerospace manufacturers, engineering firms, and research organizations. ITAR requirements flow down through the supply chain, meaning a small CNC shop several tiers removed from a prime contractor can still be subject to ITAR if they’re handling controlled technical data.

I’m a subcontractor, not a prime. Does ITAR still apply to me?

Yes. ITAR requirements flow down through the entire supply chain. If you’re receiving, storing, or working with ITAR-controlled technical data — regardless of your position in the supply chain — you’re responsible for handling that data in compliance with ITAR.

Prime contractors are ultimately responsible for ensuring subcontractor compliance, which means many primes will require subs to demonstrate compliant data handling before sharing controlled information. The stakes are significant: violations by a subcontractor can expose the prime to liability, so primes are increasingly vetting subcontractor compliance before awarding work. If a sub mishandles ITAR data, it can be held directly responsible. ITAR enforcement ultimately focuses on the person or entity that violated the regulations, not the prime. The prime may bear some responsibility under federal flow-down rules, but whoever committed the violation faces the stiffest penalties, which can include fines and civil and criminal charges.

Are green card holders considered U.S. persons under ITAR?

Yes. Under ITAR, “U.S. persons” includes U.S. citizens, lawful permanent residents (green card holders), and individuals granted asylum or refugee status. Foreign nationals without permanent residency — including employees on H-1B, L-1, or other work visas — are generally considered “foreign persons” and may not access ITAR-controlled technical data without an export license or applicable exemption.

When in doubt, consult export control counsel before granting access. Accidental disclosure to an unauthorized foreign person is still a violation even if unintentional.

How is ITAR different from CMMC? Do I need both?

Many defense contractors need both, but they regulate different things.

ITAR is an export control framework administered by the State Department. Its core question is who can access defense articles and technical data on the USML — it’s about preventing foreign access. CMMC is a cybersecurity program administered by the Department of Defense, focused on how Controlled Unclassified Information (CUI) is protected inside your systems — it’s about how you secure data.

They overlap significantly in practice. ITAR-controlled technical data frequently qualifies as CUI, meaning the same document can trigger both ITAR and CMMC requirements simultaneously. PreVeil addresses both: its VDI solution helps satisfy ITAR’s access control requirements while supporting 102 of the 110 NIST 800-171 controls required for CMMC Level 2.

The short answer: if you have DoD contracts involving CUI, you likely need CMMC. If any of that data relates to items on the USML, you also need ITAR compliance. Talk to your contracting officer if you’re unsure which applies to your contract.

What’s the difference between ITAR and EAR?

Both are U.S. export control frameworks, but they govern different categories of items. ITAR, administered by the State Department, covers military and defense-related items on the USML. EAR (Export Administration Regulations), administered by the Commerce Department, covers “dual-use” items — commercial technologies with potential military applications such as certain electronics, software, and sensors.

ITAR is generally the stricter of the two. If your work involves defense articles or services on the USML, ITAR applies. If you’re working with commercial technology that has potential security implications, EAR may apply instead — or alongside ITAR.

Questions on ITAR Technical Data & Deemed Exports

What counts as ITAR technical data?

ITAR technical data is any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles on the USML. Examples include:

• Engineering drawings and blueprints

• CAD files

• Manufacturing specifications and processes

• Technical manuals

• Design documentation

Technical data doesn’t have to be labeled “ITAR” to be controlled. If it relates to a USML item, it’s almost certainly controlled. The format doesn’t matter either — technical data in an email, in a shared folder, on a flash drive, or discussed on a video call is subject to the same restrictions.

What is a “deemed export” — and why does it matter?

A deemed export occurs when ITAR-controlled technical data is disclosed to a foreign person within the United States. The physical location of the data is irrelevant. If a foreign national engineer can view a controlled blueprint during a U.S. office meeting, that’s treated as an export under ITAR.

This is why access controls matter as much as geography. A shared drive containing ITAR data that’s accessible to non-U.S. employees — even inside the U.S. — is a compliance risk. The same applies to screen sharing during video calls, granting foreign nationals access to internal systems, or allowing international colleagues to view controlled documents without proper licensing.

Is ITAR technical data the same as CUI?

Often yes, but not always. Controlled Unclassified Information (CUI) is a broad federal category of information requiring protection, administered by NARA. Many types of defense-related technical data qualify as both ITAR-controlled and CUI — but the two frameworks have different agencies, different rules, and different enforcement mechanisms.

The practical way to think about it: ITAR is about who can access the data (preventing foreign access). CUI/CMMC is about how you protect it (cybersecurity controls). If your technical data is both ITAR-controlled and CUI, both sets of requirements apply simultaneously.

Questions on ITAR Registration & Licensing

Do I need to register with DDTC? What does that involve?

Yes, if you manufacture, export, or broker defense articles or services on the USML, you must register with DDTC before engaging in any ITAR-controlled activity — even if you never actually export anything overseas. Registration is annual. Tier 1 is $3,000 for first-time registrants and certain renewals with no favorable determinations; Tier 2 is $4,000 for renewals with five or fewer favorable determinations; Tier 3 applies above that. It must be renewed 30–60 days before expiration.

Registration does not itself authorize you to export. It’s the prerequisite for everything else: obtaining export licenses, building your compliance program, and lawfully engaging in ITAR-controlled activity.

What is an ITAR export license and when do I need one?

An ITAR export license is authorization from DDTC to transfer controlled defense articles, technical data, or services to a foreign person or entity. You need one any time you’re sharing controlled information with a foreign person — including digitally, verbally, or by granting system access.

Common license types:

• DSP-5: Permanent export of unclassified defense articles or data

• DSP-61: Temporary import of defense articles

• DSP-73: Temporary export of defense articles

Some transfers are covered by exemptions rather than licenses — for example, the AUKUS exemption covers certain transfers with Australia and the UK. But you must confirm eligibility before relying on an exemption. Using one without qualifying is itself a violation.

How long does ITAR licensing take and what does it cost?

Most standard unclassified license applications (DSP-5) take 45 to 60 days to review. Applications involving classified data or multiple foreign end users can take several months.

Beyond the $3,000/year DDTC registration fee, budget for the systems and infrastructure required to maintain ongoing compliance: employee training, secure communication tools, documentation, and an internal compliance program. Organizations using PreVeil typically reduce the “secure system” cost substantially compared to alternatives like Microsoft GCC High.

Questions on Storing & Sharing ITAR Data

Can I continue using commercial Office 365 or Gmail if I handle ITAR data?

No. Commercial Microsoft 365 and Google Workspace are not compliant for handling ITAR-controlled technical data. The core problem: these platforms give the cloud provider — and potentially foreign-staffed server administrators — access to your unencrypted content. Under ITAR, that exposure to foreign persons is a potential deemed export.

PreVeil works alongside your existing Office 365 or Gmail environment without replacing it. ITAR data goes through PreVeil’s encrypted enclave; your regular business email continues as normal. You keep the tools your team already knows — you just add a compliant layer for controlled data.

What is the ITAR End-to-End Encryption Carveout (Regulation 120.54)?

This is the most important regulatory development for ITAR data security in the last several years, and the reason modern ITAR compliance no longer requires expensive government cloud infrastructure.

In 2020, the State Department issued ITAR Regulation 120.54, which allows organizations to store and transmit ITAR-controlled technical data using cloud services — without the traditional requirement for U.S.-based servers and U.S.-only server administrators — provided three conditions are met:

1. The data is encrypted end-to-end (no intermediary can read it in transit or at rest)

2. The cloud provider has no access to the decryption keys

3. The encryption uses FIPS 140-2 or FIPS 140-3 validated algorithms

Under 120.54, the physical location of servers and the nationality of cloud provider staff become irrelevant as long as the data stays encrypted and only authorized users hold the keys. This opened the door to affordable, cloud-based ITAR compliance without costly GCC High environments.

PreVeil was built specifically for this carveout: data is encrypted and decrypted only on user devices, the PreVeil server holds no decryption keys, and PreVeil uses FIPS 140-3 validated encryption. It’s a direct implementation of what Regulation 120.54 enables.
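The three 120.54 conditions above describe an architecture rather than a product. The Go program below is an added illustration written for this page; it is not PreVeil’s code and does not describe PreVeil’s implementation. It models a cloud store that only ever receives nonce-plus-ciphertext envelopes, user devices that hold an AES-256 key locally, and three checks a reviewer would want: the provider’s stored bytes contain no plaintext, a device that was never provisioned with the key cannot decrypt, and a provisioned device can. The object name, the sample drawing text and the device names are constructed. AES-256-GCM is a FIPS-approved algorithm, but whether a given Go build counts as a FIPS 140 *validated* module is a certification question this example does not settle.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is everything the cloud provider ever stores for one object:
// a nonce and AES-GCM ciphertext. No key material is ever uploaded.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// CloudStore stands in for the provider's storage, wherever it is located
// and whoever administers it. It can only hold and return Envelopes.
type CloudStore struct{ objects map[string]Envelope }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string]Envelope{}} }

func (s *CloudStore) Put(name string, e Envelope) { s.objects[name] = e }

func (s *CloudStore) Get(name string) (Envelope, bool) {
	e, ok := s.objects[name]
	return e, ok
}

// StoredPlaintextLeak reports whether the bytes the provider holds contain
// the plaintext, i.e. whether the provider could read the content without a key.
func (s *CloudStore) StoredPlaintextLeak(name string, plaintext []byte) bool {
	e, ok := s.objects[name]
	return ok && bytes.Contains(e.Ciphertext, plaintext)
}

// Device models one user's endpoint. The key lives only here (hypothetical
// model for this example, not any vendor's key-management design).
type Device struct {
	Owner string
	key   []byte // 32 bytes selects AES-256
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the device before anything leaves it (conditions 1 and 2:
// end-to-end, provider never holds the key), using AES-256-GCM (condition 3).
func (d *Device) Seal(plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(d.key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts on the device. A device without the right key gets an
// authentication error from GCM, not garbled plaintext.
func (d *Device) Open(e Envelope) ([]byte, error) {
	aead, err := newAEAD(d.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// Outcome summarises the three checks.
type Outcome struct {
	ProviderSeesPlaintext bool   // must be false
	UnauthorizedDecrypts  bool   // must be false
	AuthorizedRecovered   string // must equal the original text
}

// Demo walks the flow: an authorized engineer uploads a drawing, the store
// holds only ciphertext, an unprovisioned device fails, a provisioned one succeeds.
func Demo() (Outcome, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Outcome{}, err
	}
	otherKey := make([]byte, 32)
	if _, err := rand.Read(otherKey); err != nil {
		return Outcome{}, err
	}
	// Constructed sample content, not a real drawing.
	drawing := []byte("DRAWING-0001 bracket rev C (constructed sample)")

	author := &Device{Owner: "engineer-a", key: key}
	colleague := &Device{Owner: "engineer-b", key: key} // provisioned with the key
	outsider := &Device{Owner: "not-provisioned", key: otherKey}
	store := NewCloudStore()

	env, err := author.Seal(drawing)
	if err != nil {
		return Outcome{}, err
	}
	store.Put("bracket.dwg", env)

	stored, _ := store.Get("bracket.dwg")
	_, outsiderErr := outsider.Open(stored)
	recovered, err := colleague.Open(stored)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		ProviderSeesPlaintext: store.StoredPlaintextLeak("bracket.dwg", drawing),
		UnauthorizedDecrypts:  outsiderErr == nil,
		AuthorizedRecovered:   string(recovered),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The one line that hands `key` to `colleague` is where the page’s access-rights question lives: the encryption keeps the provider and its administrators from ever seeing the content, but only correct provisioning keeps the keys with U.S. persons or properly licensed users. The cloud store itself, wherever it runs, never has enough to decrypt.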

Does ITAR require data to physically stay in the United States?

Under the 120.54 end-to-end encryption carveout, ITAR data does not need to be physically located in the U.S. — as long as it’s protected by end-to-end encryption, the cloud provider holds no decryption keys, and FIPS-validated algorithms are used. Server location becomes legally irrelevant when the data is always encrypted and only authorized users can decrypt it.

That said, PreVeil stores all data on AWS GovCloud, which runs on U.S. soil and is operated exclusively by U.S. persons — so you get additional assurance even while relying on the carveout. This also resolves a common question from companies with international teams: a Canadian subsidiary or overseas U.S.-citizen employee can use PreVeil without triggering ITAR exposure, because the encrypted data they access was never “available” to them in an unprotected form — only authorized users holding the keys can decrypt it.

Can I store ITAR data in commercial cloud storage like Dropbox, OneDrive, or Google Drive?

No. Commercial cloud storage platforms are not compliant for ITAR-controlled technical data. These services give the provider access to unencrypted data, and their infrastructure is often managed by non-U.S. persons — both of which create ITAR exposure.

ITAR-compliant cloud options include systems that implement end-to-end encryption under the 120.54 carveout (like PreVeil), or dedicated government cloud environments like AWS GovCloud and Microsoft GCC High. PreVeil is significantly cheaper and faster to deploy than GCC High — which can take months to migrate to and costs $100+/user/month. For most small and mid-sized defense contractors, PreVeil provides equivalent data protection at a fraction of the cost.

Does ITAR require encryption?

ITAR itself doesn’t mandate encryption in every scenario — but in practice, encryption is essential for any modern ITAR compliance program, and it is required if you want to take advantage of the 120.54 cloud storage carveout.

Under 120.54, you must use FIPS 140-2 or 140-3 validated encryption and ensure the provider cannot access your decryption keys. Without end-to-end encryption, you’re limited to traditional approaches: U.S.-based servers with U.S.-only administrator access, which is expensive and increasingly impractical for cloud-based workflows. For almost every defense contractor today, end-to-end encryption is the practical path to ITAR compliance.

Can I email ITAR-controlled technical data?

Yes, if you use an encrypted, ITAR-compliant email system. Standard email platforms — including commercial Office 365, Gmail, and Outlook using standard protocols — are not sufficient because the provider can access message content, and email typically passes through servers in multiple countries.

PreVeil Email integrates directly into your existing Outlook or Gmail client, adding an encrypted second inbox specifically for controlled data. From the user’s perspective, composing a secure email looks identical to composing a regular one — but the content is end-to-end encrypted from your device to the recipient’s device. Recipients who don’t already have PreVeil can create a free PreVeil Express account in about a minute to send and receive securely.

What happens if ITAR technical data lands in my commercial email by mistake?

Treat it as a spillage event and act quickly:

1. Remove the ITAR data from the non-compliant mailbox and transfer it to a compliant environment such as PreVeil.

2. Delete the data from the commercial environment to prevent further exposure.

3. Notify the sender of the mistake and direct them to your compliant channel going forward.

4. Document the incident as part of your internal compliance records.

Depending on the circumstances, a voluntary disclosure to DDTC may be appropriate. Voluntary disclosures can meaningfully reduce penalties in cases of accidental non-compliance and demonstrate good-faith effort. If you have purchased PreVeil’s Compliance Accelerator, you already have a documented process for handling this kind of event.

How do I receive ITAR data from customers or primes who don’t have PreVeil?

PreVeil’s Email Relay solves this. The Gateway gives you a secure email subdomain — for example, secure.yourcompany.com — that any sender can use to transmit encrypted email without needing a PreVeil account themselves. Inbound data arrives encrypted in your PreVeil inbox and never touches your commercial email environment.

This is how many contractors handle inbound ITAR data from DoD primes, government agencies, or Tier 1 contractors who operate their own secure systems. You set up the Gateway once; from then on, the sender addresses controlled data to your secure subdomain and the transmission happens over an encrypted channel automatically. It also works in reverse — sending encrypted email to recipients who don’t have a PreVeil account.

We have international employees and offices. Can they access ITAR data through PreVeil?

The access rights question is separate from the technology question.

On the technology side: under the 120.54 carveout, PreVeil’s encrypted architecture means the data is never “available” to anyone without the decryption keys — so the physical location of a device doesn’t itself create an ITAR export. A U.S. person working from abroad can access ITAR data through PreVeil without triggering an export event (note, we still recommend confirming with legal counsel).

On the access rights side: only U.S. persons, authorized users under an applicable exemption, or properly licensed foreign persons may be granted access to ITAR-controlled data. You must ensure that your PreVeil admin controls reflect who is — and isn’t — authorized. Having the right technology is step one. Correct user provisioning and access management is step two.

Questions on ITAR Violations & Penalties

What are the penalties for ITAR violations?

ITAR violations carry some of the harshest penalties in U.S. regulatory law:

• Civil penalties: Up to $1,271,078 per violation, or twice the value of the transaction — whichever is greater

• Criminal penalties: Up to $1,000,000 per violation and up to 20 years in prison

• Debarment from export activities and government contracting

• Mandatory compliance audits and government oversight

Intent is not required for civil penalties — accidental disclosures still qualify. In October 2024, Raytheon agreed to pay over $950 million to resolve ITAR-related violations including unauthorized export representations and bribery of a foreign official, underscoring how seriously the government treats these violations even for major primes.

What are the most common ITAR violations?

The most frequent ITAR compliance failures:

• Sharing technical data over unsecured email (exposing it to foreign-accessible servers)

• Storing controlled data in non-compliant commercial cloud platforms like Dropbox, OneDrive, or Google Drive

• Granting foreign nationals access to ITAR data without proper licensing — deemed export violations are among the most common

• Failing to register with DDTC before engaging in ITAR activities

• Misclassifying items under the wrong USML category in export documentation

• Relying on exemptions without confirming eligibility

• Failing to flow down ITAR requirements to subcontractors

• Using inadequate encryption — or no encryption — for controlled data in cloud storage or email

Most of these are preventable with the right secure communication platform, a documented compliance program, and regular employee training.
