What is ITAR Compliance? Regulations, Fines & Challenges

The United States is the top arms exporter in the world, with sales reaching up to $285 billion in 2020. In fact, the US accounts for more than 40% of global arms exports.

As a responsible world power, the US government has instituted The International Traffic in Arms Regulations (ITAR) to ensure that defense-related goods, documentation, and data are not used for any criminal or terrorist activities and to protect U.S. national security and foreign policy objectives.

IITAR requires that data related to defense-related goods is only provided to US citizens, and the US State Department grants special authorization to export the material or information to a foreign person. Non-compliance with ITAR can result in hefty fines and potential criminal prosecution.

Read on as we discuss ITAR, the controllers’ responsibilities related to ITAR data, and how a data governance framework can help ensure ITAR compliance.

What is International Traffic in Arms Regulations (ITAR)?

ITAR is administered and implemented by the Directorate of Defense Trade Controls (DDTC) in the Bureau of Political-Military Affairs at the U.S. Department of State. The US arms traffic regulation controls the manufacturing, sales, distribution, access, use, export, and temporary import of military or defense-related goods, services, software, and related plans or documentation (technical data) covered on the United States Munitions List (USML).

Categories on the United States Munitions List (USML)

USML is a comprehensive list of military articles, services, and data that are considered defense-related and thus are subject to ITAR compliance. Part 121 of ITAR catalogs the 21 categories that are included in USML, namely:

• Category I - Firearms and Related Articles.
• Category II - Guns and Armament.
• Category III - Ammunition and Ordnance.
• Category IV - Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines.
• Category V - Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents.
• Category VI - Surface Vessels of War and Special Naval Equipment.
• Category VII - Ground Vehicles.
• Category VIII - Aircraft and Related Articles.
• Category IX - Military Training Equipment and Training.
• Category X - Personal Protective Equipment.
• Category XI - Military Electronics.
• Category XII - Fire Control, Laser, Imaging, and Guidance Equipment.
• Category XIII - Materials and Miscellaneous Articles.
• Category XIV - Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment.
• Category XV - Spacecraft and Related Articles.
• Category XVI - Nuclear Weapons Related Articles.
• Category XVII - Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated.
• Category XVIII - Directed Energy Weapons.
• Category XIX - Gas Turbine Engines and Associated Equipment.
• Category XX - Submersible Vessels and Related Articles.
• Category XXI - Articles, Technical Data, and Defense Services Not Otherwise Enumerated.

To be compliant with ITAR, covered entities must register with the DDTC and obtain a license for the export of USML-listed goods and services, including technical data. Registered entities are further required to keep a comprehensive record of the exported or temporarily imported defense goods, the identity of the recipients (end-user), and the end-use (a specific way the item will be used) of the item or goods.

Covered entities must provide a detailed description of the end-user along with the end-use of the item to the DDTC with the effort to ensure that the defense goods are exported to only authorized entities (individual, country, manufacturer, dealer, supplier, or partner) and is used for authorized purposes only, such as military training or authorized combat purposes.

Who Should Be Compliant with ITAR?

Companies or entities that are either directly or indirectly involved in the export of military goods, services, and data are required to follow ITAR compliance. These entities include consultants, manufacturers, software or hardware vendors, distributors, wholesalers, contractors, and third-party suppliers.

ITAR compliance applies to all participating entities in the supply chain. For example, if an ITAR-covered entity sells a defense article to an authorized entity and the authorized entity sells it to a non-authorized entity, then both the ITAR-covered entity and the authorized entity will be subject to non-compliance and associated penalties.

The DDTC keeps a complete record of all ITAR-registered entities that are authorized to deal in the defense articles, services, and data covered in USML.

The basic eligibility of all the ITAR-covered entities is that they need to be a US person as defined under 22 CFR § 120.62:

“a person who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization, or group that is incorporated to do business in the United States. It also includes any governmental (Federal, state, or local) entity. It does not include any foreign person as defined in § 120.63.”

However, if an entity (manufacturer, dealer, distributor, or wholesaler) deals in defense articles that are not covered in the USML, then the entity may fall under a different regulation, such as the Export Administration Regulations (EAR), which is administered by the U.S. Department of Commerce's Bureau of Industry and Security (BIS).

What Type of Data Elements Are Covered Under ITAR?

Categories XVII and XXI covered on the USML provide a list of data element types that are regulated by ITAR and thus considered defense-related articles or services. For instance:

Technical Data

Section § 120.33 of ITAR defines technical data as any piece of information that is needed for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense-related items. A few examples of such information include photographs, technical blueprints, documentation, or training instructions.

Confidential Data

Confidential data refers to any piece of information that is classified by the US government for national security concerns. Examples include intelligence inputs, military secrets, and sensitive data.

Software Data

Under USML, the software data is defined as any algorithm, logical flow, operating system, or application that is used for the design, production, manufacture, repair, or testing of any defense-related item.

Proprietary Data

Proprietary data is any information covered by an invention secrecy order or used for inventing or creating military weapons or defense-related items or services. Examples include trade secrets, blueprints, or formulas.

Defense Services Data

Section § 120.32 of ITAR outlines defense service data as any piece of information provided to any foreign unit or person, such as for military training, correspondence, or training.

All the aforementioned types of data elements are covered under ITAR and thus require data protection, privacy, governance, and compliance.

What Are the Primary Responsibilities of Controllers Related to ITAR Data?

The first and most crucial part of ITAR compliance requirements is determining whether ITAR regulations apply to your organization. If the organization handles any of the defense-related articles or services listed in UMSL, then it must comply with ITAR.

Once the organization confirms that ITAR is applicable to its business, the next step is to register the organization with the Directorate of Defense Trade Controls (DDTS). The registration fees are non-refundable and registered organizations must renew their registration every 12 months.

Let’s take a summarized look ITAR compliance requirements, starting with the registration process:

Registration with the Directorate of Defense Trade Controls

Part 122 of ITAR compliance lists the complete registration process and requirements. To summarize, the registrants are required to submit a certified Statement of Registration. The registrant must verify that it is based in the US and authorized to manufacture, broker, export, or temporarily import defense-related items, services, and technical data. The details must include the name and contact address of the registrant and the list of defense-related items they handle.

Additionally, a senior officer of the company must certify that no member of the company has ever been involved in any criminal activity, convicted of any activity, or banned from contracting or receiving a license from any agency of the US government for the import or export of any defense-related items. However, if the intended registrant is owned or controlled by a foreign person, i.e., any person who isn’t a well-protected individual as defined under 8 U.S.C. 1324(b)(a)(3), the certification must include the details regarding the foreign person, such as their identity or ownership information.

The registrant also must pay an annual registration fee and renew their registration every 12 months. Moreover, the registrant must forward a notice of expiration to the concerned authority no later than 60 days prior to the expiration date. And in the event of any change in the information provided in the statement of registration or a merger with another company, the registrant must notify DDTC about the changes. The notification must be signed by a senior officer of the company and provided to the DDTC within five days of the event.

Obtaining Export or Temporary Import Licenses From the DDTC

Parts 123 and 125 of ITAR requirements provide detailed guidance on the export or temporary import of any defense-related article or services. Before initiating business, the registrant company must obtain a license from the DDTC to export any defense-related item to any authorized foreign person or country.

The license must include complete details regarding the type of defense-related item to be exported, the recipient country, and the intended end-use of the item. Moreover, licenses are required for the export of any unclassified/classified technical data, patented technical data, or the disclosure of any technical data. Licenses are valid for up to 4 years.

Further details regarding the licensing requirement can be found in parts 123 and 125 of the official text.

Maintaining Detailed Records

Record keeping is one of the core ITAR compliance requirements. The regulation requires authorized companies to keep a detailed record of all the matters related to the export or import of any defense-related items, services, or technical data. Companies are required to keep records of the registration of the controller and the licensing of the export or import of any defense-related articles approved by the DDTC. The record must mention the type of defense-related item subjected to export or import, the recipient country or person, and the intended end-use of the articles.

Record keeping is imperative to demonstrate compliance with ITAR. Moreover, these records further allow the DDTC to proceed with their compliance inspection, reporting, or any other relevant purposes. These records must be kept for at least five years. Since record keeping is a pretty time-consuming and complex process, especially for companies that deal in large volumes of exports or have a multitude of suppliers, companies must have an efficient system in place to ensure the reliability and integrity of the records.

Implementing an Internal Compliance Program

It is crucial for every registered company to have a compliance program customized to their specific business. The compliance program must be created considering the requirements of ITAR regulations and how the company intends to meet them. For instance, the program must include end-user and end-use provisions. Companies must ensure that the defense-related articles aren’t being exported to end-users who are a restricted part or listed in the sanctions list or those who might use the items for any criminal activities.

Similarly, the company must conduct due diligence to ensure that the intended end-use meets the end-use described in the export license. Additionally, the program must also meet the ITAR record-keeping requirements for registration and export licensing.

By establishing a thorough compliance program and ensuring its implementation, companies demonstrate to the DDTC that it is committed to ITAR compliance.

Reporting Violations

Under ITAR compliance, it is crucial for authorized entities to report any violations and non-compliance instances. Companies must report the violations to DDTC in a timely manner, detailing the precise description and nature of the violations, the involved parties, the USML-covered defense-related items or technical data, and the name and address of the reporting person. ITAR regulations further require a certification signed by a senior officer of the company, ensuring that the violation disclosure is true to the best of their knowledge.

What are the Primary Challenges in ITAR Compliance?

ITAR regulations are complex and subject to timely amendments. Several challenges hinder an organization from efficiently meeting ITAR compliance.

1. Discovery and classification

Several items on the USML list have dual-use applications. It can be confusing for entities to determine which regulation out of ITAR or EAR applies to their organization.

2. Monitoring cross-border technical data flow

An organization might be exporting a high volume of ITAR-controlled items or data to multiple recipients and for varying end-use. Mapping those items or data to relevant end-user and end-use provisions can be challenging.

3. Controlling access to sensitive data

A defense-related data might have multiple users accessing it for varying purposes. Keeping track of their privileges, account activity, and required level of access can be a time-consuming, laborious process.

It is, therefore, important for an authorized ITAR-covered entity to implement a robust data governance framework to manage, govern, and protect its ITAR-controlled data effectively.

Importance of a Robust Data Governance Framework for ITAR Compliance

Data Governance is the process of managing, using, and protecting data. The process entails a comprehensive set of policies and standards that instruct the data management teams on enforcing data quality, data management, security, and compliance.

ITAR compliance requires companies to have a compliance framework in place to ensure that the entity maintains accurate records of ITAR-related activities, has cyber security processes in place, and maps data to end-user and end-use provisions associated with relevant defense-related items or technical data. A Data Governance framework can help organizations meet all these compliance requirements efficiently and effectively.

For instance, a robust data governance framework enables an organization to efficiently discover, classify, and catalog sensitive data. By understanding what data they have across their data environment and what classification or labels it has, organizations can better protect their data.

Similarly, the framework helps implement access control policies to ensure that only authorized personnel can access ITAR-controlled sensitive data. Data retention and record keeping is also another important component of the framework to enable organizations to record all their export activities, end-user and end-use details, as well as recipient information.

What are the Penalties For ITAR Violations?

Part 127 of ITAR regulations provides a detailed list of violations that can result in hefty fines or even imprisonment. Some common ITAR violations include counterfeiting registration details, falsifying temporary import or export information, selling or exporting USML-covered defense-related articles, services, or technical data to non-sanctioned countries, or exporting defense-related items without obtaining prior DDTC approval.

Organizations violating ITAR face severe penalties, including civil fines of up to $500,000 per violation, criminal fines of up to $1 million, and potential imprisonment for up to 10 years per offense.

ITAR Data Security Recommendations

ITAR doesn’t specifically require organizations to create and establish any cybersecurity framework to protect technical data. However, organizations cannot overlook the fact that cyber intrusion is an imminent threat to any organization regardless of its size, and the resulting intrusion might lead to unauthorized access to defense-related technical data.

Therefore, the DDTC encourages organizations in its ITAR Compliance Program (ICP) Guidelines to “take steps to protect their technical data from cyber intrusions and theft and consider carefully what cyber security solutions work most effectively for them.”

In its ICP guidelines, DDTC suggests some ITAR data security requirements or best practices for enhancing the cybersecurity of ITAR-controlled data and thus reducing risks of non-compliance, such as:

• Monitoring technical data access by authorized personnel.
• Implementing an intrusion detection system (IDS).
• Reviewing and fixing misconfigurations of cloud infrastructures containing ITAR-controlled data.
• Setting up safe data-sharing policies.
• Record keeping of controlled access to ITAR-related data.

Securiti Data Governance

Securiti Data Command Center enables organizations to build a unified approach to implement their data governance program alongside integrating data security, compliance, and privacy controls. It offers granular insights into sensitive data across your on-premise, cloud, and SaaS environments, including data location, users, access permissions, and mapping of ITAR compliance controls.

To learn how Securiti can help your organization achieve ITAR compliance, request a demo now.