This guide explains what ITAR compliance is, who it applies to, and what government contractors must do to meet its requirements and avoid severe penalties.
Why it matters: ITAR violations carry criminal fines of up to $1 million per violation and up to 10 years imprisonment — making compliance a business-critical obligation for any contractor handling defense articles, services, or technical data.
Key Takeaways
- ITAR restricts defense-related exports to U.S. persons: The International Traffic in Arms Regulations (ITAR) controls access to defense and military articles, services, and technical data — limiting it to U.S. citizens on secure, compliant networks.
- Every supply chain party must be ITAR-compliant: Subcontractors, software vendors, third-party suppliers, and distributors on a covered contract must all have documented compliance plans in place.
- Purpose-built cloud environments reduce ITAR burden: Deltek Costpoint GovCon Cloud Moderate (GCCM) supports ITAR and CUI data protection requirements.
What is ITAR?
The International Traffic in Arms Regulations (ITAR) is a regulation that restricts and controls the export of defense and space-related articles, technologies, and services to safeguard the United States national security and foreign policy objectives.
The Directorate of Defense Trade Controls (DDTC), U.S. Department of State, administers the ITAR, which is outlined in the Electronic Code of Federal Regulations (e-CFR) – 22 CFR parts 120 through 130.
Who Does ITAR Apply To?
ITAR requires that access to technical data and physical materials related to defense and military technologies be restricted to only U.S. citizens on a secure, compliant network.
U.S.-based companies with overseas operations are prohibited from sharing ITAR technical data with employees in those countries unless State Department authorization is secured.
U.S. companies that work with non-U.S. subcontractors are also subject to this rule.
A few countries have secured exemptions, based on specific purposes, including Canada, the United Kingdom, and Australia.
Government Contractors Need An ITAR Compliance Plan
Because ITAR exists to track sensitive military and defense materials to prevent them from falling into the hands of foreign players, government contractors are required to put a documented ITAR compliance plan in place.
The programs include the tracking, monitoring, and auditing of technical data. Every company in the supply chain for a contract or project – subcontractors, computer software/hardware vendors, third-party suppliers, wholesalers, and distributors – must also be ITAR-compliant and must be factored into the plan.
What are ITAR Articles, Services, and Technical Data?
Articles (the current list outlines 21 categories) and services are defined in the United States Munitions List (USML). Technical data outlined by ITAR includes plans, blueprints, photos, diagrams, drawings, instructions, and other documentation.
Categories on the United States Munitions List:
- Guns and armament
- Firearms, close assault weapons and combat shotguns
- Ordnance and ammunition
- Nuclear weapons and related articles
- Directed energy weapons
- Surface vessels of war and special naval equipment
- Ground vehicles
- Aircraft and related articles
- Spacecraft and related articles
- Submersible vessels and related articles
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives and energetic materials, propellants, incendiary agents, and their constituents
- Military training equipment and training
- Personal protective equipment
- Military electronics
- Classified articles, technical data, and defense services not otherwise enumerated
- Articles, technical data, and defense services not otherwise enumerated
- Fire control, range finder, optical and guidance and control equipment, including night-vision goggles
- Materials and miscellaneous articles
- Toxicological agents, including chemical agents, biological agents, and associated equipment
- Gas turbine engines and related articles
Understanding ITAR Technical Data Compliance
Any company that manufactures, exports, or brokers defense articles or services, or is involved with related technical data, must comply with ITAR requirements.
This technical data is necessary for the development, design, production, manufacturing, operation, assembly, testing, maintenance, repair, or alteration of an article.
To protect technical data, security strategies should be multi-layered and follow the standards and guidelines in National Institute of Standards and Technology (NIST) Special Publication 800-53.
Principles to consider to ensure ITAR technical data compliance:
- Locate, classify, and secure data as defined by business policies
- Identify and map administrators, users, groups, folders, and file permissions
- Manage access controls
- Monitor and audit data, file activity, and user behavior to detect security vulnerabilities and threats for remediation
ITAR Penalties for Non-Compliance
Penalties for ITAR non-compliance include civil and criminal fines.
- Civil fines: Up to $500,000 per violation
- Criminal fines: Up to $1 million per violation OR 10 years imprisonment per violation
The U.S. government also has the authority to take the additional measure of banning a company from any related future exports and imports.
In a massive global foreign bribery resolution, the United States Department of Justice issued details on an agreement with Airbus SE to pay over $3.9 billion in penalties involving ITAR non-compliance.
The penalties against Airbus, a global provider of civilian and military aircraft based in France, included bribery charges with authorities in the U.S., France, and the United Kingdom. Airbus planned to "use third-party business partners to bribe government officials, as well as non-governmental airline executives, around the world and to resolve the Company's violation of the Arms Export Control Act ("AECA") and its implementing regulations, the International Traffic in Arms Regulations ("ITAR"), in the United States," according to a statement from the U.S. Department of Justice.
Steps for Achieving ITAR Compliance
Currently, no formal certification process exists to become ITAR compliant. Certain standards exist within the defense industry, however, that are important for building an ITAR compliance plan.
- Register with the State Department: Specifically, the Directorate of Defense Trade Controls (DDTC).
- Formalize ITAR Compliance Programs within your Business: Having formal programs and defined processes demonstrates a commitment to compliance and a framework for addressing issues.
- Use Compliant Cloud Storage: To ensure technical data is not accessible to foreign persons or nations, government businesses seeking ITAR compliance should consider having data centers managed solely by U.S. persons in U.S. locations.
How Deltek Supports Government Contractors with ITAR
In an effort to support government contractors' growing cybersecurity and compliance demands, Deltek offers industry-leading solutions and cloud environments that enhance cybersecurity controls to protect data and meet strict federal compliance requirements.
Deltek has gone to great lengths to ensure our cloud environments meet the security and oversight requirements of government agencies such as the U.S. Department of State and the Department of Defense.
Costpoint GovCon Cloud (GCC) Moderate supports government contractors with meeting compliance requirements for the protection of Controlled Unclassified Information (CUI) and ITAR data in the Deltek Cloud, eliminating the burden of on-premises equipment. Deltek has implemented controls to align with government contracting requirements, such as NIST SP 800-53 and CNSSI 1253. Costpoint GCCM has also achieved FedRAMP Moderate Ready status and is listed on the FedRAMP Marketplace.
As a software-as-a-service provider, Deltek covers approximately 75% of the required controls and shares in the responsibility of most of the remaining controls. Costpoint GCC Moderate customers share in the responsibility of meeting the FedRAMP Moderate control requirements beyond those Deltek covers, through how they internally define processes and procedures to secure technical data.