When choosing to take up government contracts, most businesses face one of the common compliance frameworks for security. They need to climb the mountain to achieve compliance with a framework like CMMC, FedRAMP, or maybe something like HIPAA if they’re in the healthcare space.
Relatively few need to comply with a more esoteric – and higher-intensity – framework known as ITAR. What is ITAR, and what do you need to know if you’re a business that needs to use it? Let’s dig in.
Fact 1: ITAR is the International Traffic in Arms Regulation
ITAR is the International Traffic in Arms Regulation. It’s a codified portion of the overall United States Export Control Laws and primarily affects the manufacturing, sale, and distribution of various technologies, products, services, and software internationally. It’s implemented and enforced by the Directorate of Defense Trade Controls, which is part of the Bureau of Political-Military Affairs, which is itself part of the Department of State.
Despite the name, ITAR is not restricted just to weapons and arms. A common example is a cellphone with encryption; the encryption algorithms may be used for military applications and thus can fall under ITAR jurisdiction.
Fact 2: ITAR Applies to a Wide Range of Businesses
In fact, any business that deals in the manufacture, export, or brokerage of anything on the United States Munitions List is potentially subject to ITAR regulations.
This isn’t just about, for example, companies like Raytheon or Boeing, who work directly with the government for arms-related contracts. It also applies to businesses down the supply line. A component supplier of any goods on the USML is likely required to be ITAR certified.
ITAR is largely self-directed and punitive. What does that mean? It means that companies are required to know whether or not they need to be ITAR compliant and must register with the DDTC if required. Then, if they are found to be non-compliant, ITAR violations levy steep penalties.
Examples of the kinds of companies subject to ITAR include:
- Defense contractors.
- Defense subcontractors.
- Aerospace companies.
- Companies designing military-grade equipment.
- Companies providing defense-related IT services or consulting.
- Cloud service providers with defense-related products, like Amazon Web Services.
- Universities that research defense-related technologies.
As you will see later when you see the scope of what ITAR regulates, this casts a wide net.
Fact 3: Penalties for ITAR Noncompliance are Stiff
If your business is meant to be ITAR compliant, and you aren’t, you can face steep penalties. These can include both civil and criminal penalties.
- Civil fines can be as much as $500,000.
- Criminal fines can be as much as $1,200,000.
- Criminal penalties can include up to ten years in prison.
Note that these are not caps; these are caps per violation. A business can be subject to a huge number of individual violations, depending on the kinds of products they make and the violations of ITAR rules they’ve committed.
As a recent example from early last year, the South Carolina-based 3D printing company 3D Systems reached a settlement with the US Government. These settlements, caused by violations of ITAR, among other things, were levied by three departments: the Department of State, the Department of Commerce, and the Department of Justice. All told, the company settled to pay up to $20 million to the Department of State, $2.7 million to the Department of Commerce, and $4.5 million to the Department of Justice, for a sum total of $27 million.
These fines were not for a single violation. Instead, they stem from allegations of unlawful exports taking place between 2012 and 2019. Moreover, these are not the maximum penalties. The company cooperated with the Department of State in their investigation, took swift corrective actions, and was given relative leeway because of it.
The core issue here is that the company used overseas 3D printing (or Additive Manufacturing) facilities to manufacture items that required sending information about controlled items overseas. Overall, the company faced 19 different violations identified by the Department of Commerce.
This is how simple it is to violate ITAR:
“Between 2012 and 2019, 3D Systems is said to have frequently emailed design documents, blueprints, and technical specifications to its then-subsidiary Quickparts.com, which had an office in Guangzhou City, China. On several occasions, these exports were allegedly sent to generate price quotes and included design drawings for military electronics. Other files relating to the repair, operation, production, and development of US spacecraft are also said to have been sent. Equally, it is claimed that controlled design documents were also sent to Germany, where 3D Systems maintained a mirrored server to store employee emails.”
Having an overseas server mirroring information on domestic servers without the proper controls is a violation.
You can read more about this specific incident here. Know, however, that this is just one of many examples happening every year and is what could be considered a relatively light penalty, all things considered.
To put things into perspective, that’s not even a large fine in the scope of what ITAR governs. Airbus was subject to a high-profile case focusing on foreign bribery and ITAR violations and ended up agreeing to pay nearly $4 billion in 2020.
Fact 4: ITAR Governs a Large List of Subjects
ITAR specifically refers to the United States Munitions List for what it governs. This includes both the actual import and export of items, including a variety of chemicals that may be otherwise innocuous, as well as information about physical items, blueprints, and even software.
You can see the full USML here. The government is not shy about listing what’s on the list.
Primary categories include:
- Firearms and Related Articles
- Guns and Armament
- Ammunition and Ordnance
- Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
- Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
- Surface Vessels of War and Special Naval Equipment
- Ground Vehicles
- Aircraft and Related Articles
- Military Training Equipment and Training
- Personal Protective Equipment
- Military Electronics
- Fire Control, Laser, Imaging, and Guidance Equipment
- Materials and Miscellaneous Articles
- Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
- Spacecraft and Related Articles
- Nuclear Weapons Related Articles
- Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
- Directed Energy Weapons
- Gas Turbine Engines and Associated Equipment
- Submersible Vessels and Related Articles
- Articles, Technical Data, and Defense Services Not Otherwise Enumerated
As you can see, with 21 different categories (many of which have dozens or hundreds of categories of items listed within them), there’s a lot that can fall under ITAR jurisdiction.
Some of these rely not just on the item but on the purpose of the item. You might see, for example, PPE (Personal Protective Equipment) on that list and wonder what it entails. After all, PPE is a huge part of civilian life. Things like welding masks, firefighting gear, or even the N95 masks we’ve all had vast amounts of experience with over the last few years are all types of PPE. Are those governed by ITAR?
The answer is no. This is why the USML enumerates what it means in each category. Military PPE includes things like body armor, radar-reducing face paint, helmets with munition-tracking functions, and other such items.
And, again, ITAR is about international trade. That said, even if your business manufactures any of these items but does so using entirely domestic suppliers, using entirely domestic software and services, and keeping literally every facet of your business within the borders of the country, you still need to at least register with the DDTC.
Fact 5: ITAR Compliance Starts with Registration
The first step to ITAR compliance for any business working with any items or information on the USML is to register. This registration is with the Directorate of Defense Trade Controls, or DDTC. This is the agency responsible for enforcing ITAR, and every business dealing with any element of regulated items or information needs to register. The registration and information can be found here.
Registration comes with a fee. There’s a three-tier fee structure:
- Tier I is for new registrants and costs $2,250 per year.
- Tier II is for businesses with fewer than ten licenses in the last year and is $2,750 per year.
- Tier III is for businesses with more than ten licenses in a year and scales based on the number of licenses required.
Registration is not compliance; it’s just the first step. You then have to go through the review and codify each piece of information or product that constitutes an item on the USML and identify whether or not you’ll need a license to operate with it. From there, you apply for a license for that item.
Fact 6: Licenses are Complex
There are four kinds of licenses your business may need to apply for.
These include:
- Export licenses to export items, software, or technology.
- Temporary import licenses for the import of items, software, or technology for a limited period.
- Technical assistance agreements, to allow you to provide technical assistance or support to foreign entities related to items, software, or technology.
- Manufacturing license agreements, to allow you to manufacture items, software, or technology outside of the United States borders.
The hardest part of ITAR compliance is reviewing everything your business does and whether or not it handles anything on the USML; if it does, submitting all of those items, properly classified, along with what you do with them (manufacture, support, create, distribute, sell, etc.) to apply for the right licenses.
Fact 7: Compliance Includes Partners
ITAR isn’t just limited to you. It also includes two extensions of your business.
The first is your end users. For example, if you’re a service provider and your services involve the use or distribution of information on the USML, you need to screen and make sure that your end users are not also in other countries. You can have both foreign customers and defense-related information in your systems; however, they must be kept separate unless otherwise licensed to provide one to the other. These screening protocols must be documented and recorded.
The second is your suppliers. This can include anything from other service providers to item manufacturers. Common examples might include:
- Software developers in foreign countries working on your product.
- Manufacturing facilities making items for your company.
- Foreign producers selling you raw materials on the USML.
Screening your suppliers is required, and if you need to work with any foreign suppliers, you need the appropriate licenses to do so.
Fact 8: ITAR is a Moving Target
Like all federal security frameworks, ITAR changes from time to time. Amendments may be to specific processes, licensing structures, auditing, or changes to what is included in the USML. Sometimes, these changes are beneficial; for example, in response to COVID, the licensing fees for ITAR licenses were reduced to assist with restoring disrupted supply lines. They can also be related to specific sections of ITAR. In 2022, the maximum penalty for an ITAR violation was raised from $1,000,000 to $1,200,000. Changes can be many and varied, and it’s your responsibility to stay on top of them and make sure you maintain compliance.
While ITAR is one of the frameworks we handle specifically, at Ignyte, we can help with compliance with a wide range of different, multiple standardized frameworks. ITAR is difficult because it’s so flexible and individualized to each business. It really requires a detailed audit of your operations that can’t be done easily with a single piece of software.
That said, if you have a need for other forms of compliance along with ITAR such as CMMC – and there’s a reasonable chance you do if you’re working with the government – we can help. Whether it’s FedRAMP, CMMC, DFARS, or another more specific framework, we’ve got you covered. You can learn more, request a demo, or simply reach out to us to ask if we can help, all quickly and easily. We look forward to hearing from you!
Now, do you have any other questions about anything we discussed in this article? Was there any part that you would like additional clarification on? If you answered yes to either question, please feel free to let us know at any time! We’d be more than happy to answer any questions and clear up any confusion as best we can!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him in LinkedIn here.
