What is ITAR compliance?


Complying with the International Traffic in Arms Regulations (ITAR), with their complex rules, extensive recordkeeping, rigid export controls, and potential for severe penalties, can be a challenge for companies involved in the defense industry.

ITAR is a set of American regulations that ensure the security of defense articles in export and import. These articles can include munitions, defense services, or technical information about either.

ITAR compliance definition

ITAR compliance is the adherence to the rules outlined in the International Traffic in Arms Regulations.

ITAR requirements restrict access to items on the United States Munitions List (USML) to US persons. US-based companies with overseas operations are prohibited from sharing technical information about munitions covered on the USML with locally hired staff or with non-US subcontractors.

ITAR controls the export and import of defense-related articles

Many foreign countries are subject to ITAR prohibitions on sharing or selling defense articles or data. Some countries have a policy of denial, while others have very specific exceptions for ITAR. A handful of partners, including Australia, NATO, Japan, and Sweden, have special authorizations and are exempt.

The specific prohibitions under ITAR apply to:

  • Nations indicated by the US Secretary of State as state sponsors of terrorism
  • Countries under existing US arms embargoes
  • Individuals to whom exports and sales are prohibited by United Nations Security Council sanctions measures

Who needs to comply with ITAR

Types of businesses that must follow ITAR compliance

Any company that does business with the US military or is involved in the export of defense-related articles, services, or technical information covered on the USML is required to comply with ITAR.

Examples of types of businesses that need to become ITAR compliant include:

  • Distributors
  • Manufacturers
  • Wholesalers
  • Contractors
  • Foreign military sales (FMS) freight forwarders
  • Third party suppliers
  • Vendors of computer hardware or software

What are the penalties for violating ITAR?

Failure to comply with ITAR regulations can be costly for businesses. ITAR violations include: 

  • Omitting or misrepresenting facts for any temporary import or export document
  • Falsifying registration information
  • Exporting defense articles without DDTC registration
  • Sharing or selling USML goods, services, or data to prohibited entities

Penalties for these violations can include criminal or civil fines.

ITAR violation penalties

One example of an ITAR penalty is the case of RTX Corporation, which settled with the US Department of State in 2024 for $200 million after 750 violations of the Arms Export Control Act (AECA) and International Traffic in Arms Regulations (ITAR). The violations stemmed from unauthorized exports of defense articles, including improper jurisdiction, classification, and non-compliance with authorization terms. RTX voluntarily disclosed the violations and has implemented compliance improvements since the incidents.

Another incident involved Airbus, which faced a $3.9 billion fine for bribery charges. The company was charged in January 2020 with paying bribes to officials in China and other countries to obtain contracts for selling aircraft. The charges under the Arms Export Control Act (AECA) also indicated that Airbus failed to disclose political contributions, as required under ITAR. This steep penalty indicates the seriousness of the charges and the years-long violation by Airbus.

Types of ITAR defense articles

ITAR defense articles, as defined in § 120.6 of the Code of Federal Regulations (CFR), are any items or technical data enumerated on the USML, which is outlined in § 121.1. Defense articles, services, and data fall into 21 categories on the United States Munitions List. These categories include:

  1. Firearms, such as fully automatic weapons up to 50 calibers and those using caseless ammunition
  2. Guns and armament greater than 50 calibers, including flamethrowers with ranges greater than 20 meters
  3. Ammunition, ordnance, and related handling equipment
  4. Missiles, bombs, mines, torpedoes, and launch vehicles
  5. Explosives, incendiary agents, propellants, and related equipment
  6. Naval equipment and surface vessels, such as combat vessels and warships
  7. Armored combat ground vehicles
  8. Aircraft and related equipment
  9. Military training and related training equipment
  10. Personal protective equipment, such as body armor
  11. Military electronics, including electronic warfare equipment
  12. Fire control systems, lasers, and imaging equipment
  13. Miscellaneous articles and materials, including cryptographic systems and classified articles
  14. Chemical, biological, or other toxicological agents and any associated equipment
  15. Spacecraft, including satellites and vehicles, and related articles
  16. Nuclear weapons and related articles, including simulation tools and technical data
  17. Any other classified technical data, defense services, or articles not mentioned elsewhere
  18. Directed energy weapons, such as those that cause lethal effects or disrupt electronic circuitry
  19. Gas turbine engines, such as turbojets and turbofans, and associated equipment
  20. Submersibles and related articles, including military submarines and antisubmarine warfare vehicles
  21. Technical data, articles, and defense services not otherwise enumerated, including data and services relating to the above categories or future additions to the USML

Understanding defense technical data for ITAR compliance

Defense technical data can also include models, mockups, physical forms, or other means of gleaning plans for articles. Incomplete parts, such as moldings, castings, machined components, extrusions, and other unfinished parts that could allow someone to determine an article's properties, materials, function, or geometry, are also among the articles prohibited for sharing.

An amendment to ITAR in 2020 further specified the types of articles included in the first three categories on the USML, and indicated that goods not under ITAR compliance still needed to meet Export Administration Regulations (EAR).

This change also included the Encryption Rule, which outlines how companies share and store technical data. Cloud-based information would not be "exported data" subject to ITAR requirements as long as it was:

  • Unclassified
  • Fully encrypted from end to end
  • Not deliberately sent or received from a country on the list of nations under restrictions and outlined in § 126.1 or the Russian Federation
  • Not stored in servers in nations listed in § 126.1 or the Russian Federation

Leverage Box to protect your data

Intelligent Content Management can help you protect ITAR data via FIPS 140-2 certification and AES 256-bit encryption. Box customers can choose their own managed encryption keys, too.

These security and compliance features ensure data stays protected:

  • Two-factor authentication (2FA)
  • Native verification of ownership for devices
  • Classification-based access controls
  • End-to-end encryption in transit and at rest

Organizations at the highest levels of government trust Box to keep their data secure. We have received Department of Defense (DoD) Level 4 authorization. This authorization allows for the DoD to store Controlled Unclassified Information (CUI) and securely share it to facilitate logistics, plan acquisitions, protect health information, and provide mobility support for those within the services. Part of this Impact Level 4 authorization includes Export Control data.

Our security also has backing from authorization through the Federal Risk and Authorization Management Program (FedRAMP), which verifies that CCM companies have the elevated security system for data storage and compliance required to manage non-classified information handled by civilian agencies of the federal government.

Contact us to learn more about ITAR compliance.

Note: The information provided in this article is for general informational purposes only and should not be considered legal advice or relied upon to make any legal or compliance decisions. The content of this article is not intended to create an attorney-client relationship, and readers should consult with a qualified attorney or compliance professional for specific legal or compliance advice tailored to their individual circumstances.