ITAR Compliance Guide: What Every Defense Exporter Needs to Know in 2026
A comprehensive guide to ITAR compliance for defense exporters covering USML categories, registration, licensing, technical data controls, deemed exports, and penalties for violations.
The International Traffic in Arms Regulations (ITAR) remain the single most consequential export control regime for companies dealing in defence articles, services, or technical data. In 2026, with expanded AUKUS trade flows and intensifying enforcement activity from the Directorate of Defense Trade Controls (DDTC), understanding ITAR at the operational level is not optional — it is a condition of doing business.
This guide covers what ITAR regulates, who it applies to, how the licensing regime works, and where companies most commonly fail.
ITAR’s statutory and regulatory scope
ITAR is codified in 22 CFR Parts 120 through 130, implementing the Arms Export Control Act (AECA). It controls the export and temporary import of defence articles and defence services enumerated on the United States Munitions List (USML).
The key distinction from the Export Administration Regulations (EAR), which are administered by the Bureau of Industry and Security, is jurisdictional: items designed, developed, configured, adapted, or modified for a military application are presumptively ITAR-controlled. EAR covers dual-use items. Jurisdiction disputes between the two regimes — commodity jurisdiction (CJ) determinations — consume significant compliance resources for manufacturers operating across both.
ITAR’s reach is broad. It covers:
- Defence articles: any item on the USML, including components, parts, accessories, and attachments
- Defence services: furnishing assistance (including training) to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarisation, destruction, or processing of defence articles
- Technical data: information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defence articles — including blueprints, drawings, specifications, and software source code
The United States Munitions List
The USML is organised into 21 categories:
- Categories I–IV: Firearms, artillery, ammunition, launch vehicles
- Category V: Explosives and energetic materials
- Category VI: Surface vessels of war
- Category VII: Ground vehicles
- Category VIII: Aircraft and related articles
- Category IX: Military training equipment and training
- Category X: Personal protective equipment
- Category XI: Military electronics
- Category XII: Fire control, laser, imaging, and guidance equipment
- Category XIII: Materials and miscellaneous articles
- Category XIV: Toxicological agents and equipment
- Category XV: Spacecraft and related articles
- Category XVI: Nuclear weapons-related articles
- Category XVII: Classified articles
- Category XVIII: Directed energy weapons
- Category XIX: Gas turbine engines and associated equipment
- Category XX: Submersible vessels and related articles
- Category XXI: Articles, technical data, and defence services not otherwise enumerated
Each category contains specific sub-categories with enumerated items. A company must determine which USML entries apply to its products and services — and importantly, which entries apply to the technical data it generates about those products.
Registration with DDTC
Any US person engaged in the business of manufacturing or exporting defence articles, or furnishing defence services, must register with DDTC. Registration is mandatory. It is not a licence, and it does not authorise any exports; it is a prerequisite for applying for licences.
Key registration requirements:
- Annual renewal required
- Registration fee applies (tiered based on company size and activity)
- Must disclose all officers, directors, partners, and shareholders with significant interest
- Must disclose any debarred parties affiliated with the registrant
- Failure to register is itself a violation, independent of any export activity
Non-US companies do not register directly with DDTC. However, a non-US company that is a subsidiary of a US registrant may be included on the parent’s registration. And any non-US company that enters into a manufacturing licence agreement (MLA) or technical assistance agreement (TAA) with a US person becomes subject to ITAR obligations through that agreement.
Licensing and agreements
ITAR exports require authorisation. The primary mechanisms are:
Individual licences (DSP-5, DSP-61, DSP-73)
- DSP-5: Permanent export of unclassified defence articles and technical data
- DSP-61: Temporary import of unclassified defence articles
- DSP-73: Temporary export of unclassified defence articles
Each licence application requires a detailed description of the articles, end-user, end-use, and the specific USML category. Processing times vary from weeks to months depending on the sensitivity of the item and the destination country.
Agreements
- Technical Assistance Agreements (TAAs): authorise the furnishing of defence services or disclosure of technical data to foreign persons
- Manufacturing Licence Agreements (MLAs): authorise foreign manufacture of defence articles
- Warehouse and Distribution Agreements (WDAs): authorise foreign storage and distribution
Agreements are typically more complex and time-consuming to negotiate than individual licences. Agreements valued above certain thresholds require Congressional notification.
Exemptions
ITAR includes exemptions in 22 CFR 125 and 126 that permit certain exports without a licence. The most significant for 2026:
- AUKUS exemption (22 CFR 126.16/17 amendments): licence-free trade with Australia and the UK for most USML items, subject to conditions including nationality restrictions and excluded technology carve-outs
- Canadian exemption (22 CFR 126.5): streamlined trade with Canada for certain USML categories
- NATO exemptions: limited exemptions for classified information sharing under existing bilateral agreements
Exemptions are not blanket authorisations. Each has specific conditions, and failure to meet those conditions converts what you thought was an exempt transfer into an unlicensed export.
Technical data controls
Technical data is where most ITAR violations occur. The definition is broad: any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of USML articles.
This includes:
- Engineering drawings and CAD files
- Manufacturing process specifications
- Test procedures and results
- Software source code (for USML-controlled systems)
- Integration guides and system architecture documents
- Performance specifications and parameters
- Training materials that reveal technical capabilities
It does not include general scientific, mathematical, or engineering principles taught in universities, or basic marketing materials that describe function without revealing design specifics. But the boundary between controlled technical data and uncontrolled information in the public domain (22 CFR 120.34) is a frequent source of compliance disputes.
The fundamental design information problem
ITAR controls information based on what it relates to, not where it is stored or how it is transmitted. An email containing controlled technical data sent to a foreign person’s inbox is an export. A cloud storage folder accessible to foreign nationals is a potential export. A conversation at an international trade show that discloses controlled performance parameters is an export.
Companies must implement data classification, access controls, and transmission security measures that account for all forms of technical data — not just documents in a classified repository.
Deemed exports and non-US applicability
A “deemed export” occurs when ITAR-controlled technical data or defence services are disclosed to a foreign person within the United States. The foreign person’s nationality determines the destination for export control purposes. Releasing controlled data to a French national working in your US office is deemed an export to France.
This mechanism extends ITAR’s reach well beyond companies that physically ship defence articles overseas:
- US companies with foreign national employees must implement technology control plans (TCPs) that restrict access to ITAR data based on nationality
- US universities and research institutions conducting defence-related research must screen foreign researchers
- Foreign subsidiaries of US companies that receive ITAR technical data through intra-company transfers are subject to ITAR through the governing agreement
- Non-US companies that enter into MLAs or TAAs with US defence primes take on ITAR obligations, including re-export restrictions that follow the data indefinitely
For non-US companies, the practical effect is that any relationship with a US defence prime that involves technical data will carry ITAR obligations. These obligations survive the end of the contract and apply to all downstream recipients of the data.
Penalties for violations
ITAR violations carry severe consequences:
- Civil penalties: up to $1,204,017 per violation (adjusted annually for inflation)
- Criminal penalties: up to $1,000,000 and 20 years' imprisonment per violation
- Debarment: the DDTC can debar a company from participating in any defence trade, effectively ending a company’s ability to operate in the defence sector
- Consent agreements: DDTC frequently resolves cases through consent agreements that include both monetary penalties and mandatory compliance remediation — often including appointment of external monitors, system upgrades, and ongoing reporting
Recent enforcement trends show DDTC focusing on:
- Unauthorised deemed exports to foreign nationals
- Failure to report unauthorised disclosures
- Inadequate record-keeping under 22 CFR 122.5
- Brokering activities without proper registration and authorisation
- Re-export violations by foreign licensees
Building an effective ITAR compliance programme
An effective programme must address several core elements:
- Jurisdiction and classification: determine which products, services, and data are ITAR-controlled and identify the specific USML entries
- Organisation and responsibility: designate an empowered official with authority over export control decisions
- Screening: screen all parties — end-users, intermediaries, freight forwarders — against denied parties lists
- Licensing and agreements management: track all active licences and agreements, including conditions and expiry dates
- Technical data controls: implement classification markings, access controls, and transmission security for all ITAR-controlled technical data
- Training: regular, role-specific training for all personnel who handle controlled articles or data
- Record-keeping: maintain records for a minimum of five years as required by 22 CFR 122.5
- Internal monitoring and audit: conduct periodic reviews of compliance activities and self-disclose violations when identified
- Deemed export controls: implement technology control plans for facilities where foreign nationals are present
The challenge is that ITAR’s 177 rules decompose into approximately 1,488 discrete testable obligations when you account for all the conditions, exceptions, and procedural requirements embedded in the regulatory text. A compliance programme that assesses itself at the rule level — “are we compliant with 22 CFR 123.1?” — misses the granularity where violations actually occur.
The 2026 landscape
Several developments are shaping ITAR compliance in 2026:
- AUKUS exemptions: the expanded licence-free environment creates new obligations around eligibility verification, excluded technology screening, and record-keeping
- Cloud and SaaS: DDTC has issued updated guidance on cloud storage of technical data, but questions remain about multi-tenant environments and foreign-owned cloud providers
- AI and autonomous systems: classification of AI models trained on ITAR-controlled data is an emerging area where regulatory guidance is still developing
- Enforcement acceleration: DDTC’s enforcement caseload has increased year-over-year, with a particular focus on cybersecurity failures that result in unauthorised disclosures
Companies that treat ITAR compliance as a documentation exercise rather than an operational discipline will continue to be the ones that appear in consent agreements.
AuditDSS decomposes ITAR’s 177 rules into 1,488 testable obligations across all 22 CFR Parts 120-130, enabling obligation-level compliance assessment rather than rule-level approximation. Map your ITAR exposure and identify specific gaps.